Problem with the firewall

I am using openSUSE 13.1 and the Yast Firewall.

I am in the Firewall and click Advanced, but after I enter the port in TCP and hit OK, nothing happens: it doesn’t show up in the external list, and at the same time I don’t see a place to enter the name for that port. So I read the help, which gives an example of 22, http, and I try that, but it won’t accept it, saying that I can’t use commas, that I have to use spaces. So I try with a space, but it says it doesn’t recognize the name. This is crazy!! :frowning:

Your help would be appreciated!

First, what is your end goal? If it is just to open SSH (TCP 22 by
default) to the rest of your network is there a reason you are not using
the service drop-down menu instead of the Advanced section? Just curious…

You should be able to put in the list of ports, space-delimited, in the
Advanced view within the TCP field. I do this a lot with my 12.x machines
and various SLES machines, but haven’t tried (that I can confirm) on 13.1
yet so maybe there’s a bug in the parsing with the port to Ruby… maybe
(seems unlikely to me based on how much this area is used). Anyway, the
way to know if it worked or not is to use the ‘iptables -nvL’ or
‘iptables-save’ command as ‘root’ (post the output here).


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

I think I expected the firewall to work like most firewalls do, by providing you the ability to add new port entries so they appear in the drop-down list, instead of just adding the port under Advanced. The problem I see with the way YaST does it is: what happens if you have a million ports to open and a new tech replaces your ass? He or she won’t know why you opened those ports, as they aren’t listed in the drop-down with names associated to them. :slight_smile:

On 01/20/2014 05:56 AM, aenglish wrote:
>
> ab;2617768 Wrote:
>> First, what is your end goal? If it is just to open SSH (TCP 22 by
>> default) to the rest of your network is there a reason you are not using
>> the service drop-down menu instead of the Advanced section? Just
>> curious…
>>
>> You should be able to put in the list of ports, space-delimited, in the
>> Advanced view within the TCP field. I do this a lot with my 12.x
>> machines
>> and various SLES machines, but haven’t tried (that I can confirm) on
>> 13.1
>> yet so maybe there’s a bug in the parsing with the port to Ruby…
>> maybe
>> (seems unlikely to me based on how much this area is used). Anyway, the
>> way to know if it worked or not is to use the ‘iptables -nvL’ or
>> ‘iptables-save’ command as ‘root’ (post the output here).
>>
>
> I think I expected the firewall to work like most firewalls do, by
> providing you the ability to add new port entries so they appear in
> the drop-down list, instead of just adding the port under Advanced. The

You’re in luck; it does, but not from the place where you actually open
those ports, afaik. The way to do this has come up in the forums before,
recently even, and as I recall it is done from
/etc/sysconfig/SuSEfirewall2.d/services, which holds a conf file for each
of the things you want to allow. This is not even limited to a one-to-one
mapping, so you can create a service called whatever you want and have it
work.

To just put in arbitrary strings in the list of ports does not make any
sense to me; if those happen to be strings that map to the /etc/services
file then maybe those could work as long as they are one-to-one mappings
and the Yast devs were thinking of this situation when creating the UI.

> problem I see with the way YaST does it is: what happens if you have a
> million ports to open and a new tech replaces your ass? He or she won’t
> know why you opened those ports, as they aren’t listed in the drop-down
> with names associated to them. :slight_smile:

See above. You can do this in a way that makes deployment quick/simple
and documentation built-in.


Good luck.

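As an added example (not code from any post in this thread, nor from SuSEfirewall2 or YaST), the script below does what ab describes: it writes a SuSEfirewall2 service definition of the kind that lives under /etc/sysconfig/SuSEfirewall2.d/services, so the service shows up by name in the YaST Allowed Services drop-down, validates the space-delimited port list (commas are rejected, the same thing YaST refuses), and then checks iptables-save output for the resulting ACCEPT rules, which is the verification ab suggested in the earlier post. The target directory argument, the file name webapp, the ports 8080/8443 and the iptables-save excerpt are all constructed for illustration. The file name, not the "## Name:" text, is what YaST records in FW_CONFIGURATIONS_EXT in /etc/sysconfig/SuSEfirewall2 when you tick the service.

```shell
#!/bin/sh
# Added example for this thread, not code from any post or from SuSEfirewall2.
# Writes a SuSEfirewall2 service definition (the files under
# /etc/sysconfig/SuSEfirewall2.d/services that YaST lists by name) and checks
# iptables-save output for the resulting ACCEPT rules.
# Assumption: the caller passes the target directory, so this runs unprivileged
# against a scratch directory; on a real host use the services directory above.

# Accept a space-delimited list of TCP/UDP ports (N or N:M, 1-65535).
# Commas are rejected, which is the same thing YaST complains about.
valid_port_list() {
    list="$1"
    case "$list" in *,*) return 1 ;; esac
    for item in $list; do
        low=${item%%:*}
        high=${item##*:}
        case "$low" in ''|*[!0-9]*) return 1 ;; esac
        case "$high" in ''|*[!0-9]*) return 1 ;; esac
        [ "$low" -ge 1 ] && [ "$low" -le 65535 ] || return 1
        [ "$high" -ge 1 ] && [ "$high" -le 65535 ] || return 1
        [ "$low" -le "$high" ] || return 1
    done
    return 0
}

# write_sfw2_service DIR FILE "Display Name" "Description" "tcp ports" "udp ports"
# FILE is the name YaST puts into FW_CONFIGURATIONS_EXT; "Display Name" is what
# the Allowed Services drop-down shows.
write_sfw2_service() {
    dir="$1"; file="$2"; name="$3"; desc="$4"; tcp="$5"; udp="$6"
    valid_port_list "$tcp" || { echo "bad TCP port list: '$tcp'" >&2; return 1; }
    valid_port_list "$udp" || { echo "bad UDP port list: '$udp'" >&2; return 1; }
    cat > "$dir/$file" <<EOF
## Name: $name
## Description: $desc

# space separated list of allowed TCP ports
TCP="$tcp"

# space separated list of allowed UDP ports
UDP="$udp"

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""
EOF
}

# Constructed iptables-save excerpt (not captured from a real host): ports 22
# and 8080 are accepted in the external zone chain, 8443 is not.
SAMPLE_IPTABLES_SAVE='*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -i eth0 -j input_ext
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SFW2-INext-ACC-TCP "
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 8080 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT "
-A input_ext -j DROP
COMMIT'

# ports_accepted_in "iptables-save output" "tcp ports": succeed only if every
# port has a "-p tcp ... --dport PORT ... -j ACCEPT" rule; list the missing ones.
ports_accepted_in() {
    dump="$1"; missing=""
    for port in $2; do
        printf '%s\n' "$dump" | grep -q -- "-p tcp .*--dport $port .*-j ACCEPT" \
            || missing="$missing $port"
    done
    [ -z "$missing" ] && return 0
    echo "no ACCEPT rule for TCP port(s):$missing" >&2
    return 1
}

# Demo: sh sfw2_service.sh demo
if [ "${1-}" = demo ]; then
    tmp=$(mktemp -d)
    write_sfw2_service "$tmp" webapp "Web App" "HTTP and HTTPS for the web app" "8080 8443" ""
    cat "$tmp/webapp"
    ports_accepted_in "$SAMPLE_IPTABLES_SAVE" "8080 8443" || echo "(8443 is deliberately missing from the sample)"
    rm -rf "$tmp"
fi
```

After the file is in place and the service is ticked in YaST (or added to FW_CONFIGURATIONS_EXT by hand and SuSEfirewall2 restarted), `iptables-save | grep dport` as root should show one ACCEPT rule per listed port; the check function looks for exactly that and ignores the SFW2 LOG rules that carry the same --dport.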

Personally, I don’t see the point of the YaST firewall setup; I’d rather use iptables, like

# the SSH chain has to exist before rules can be appended to it, and INPUT has to hand ssh traffic to it
iptables -N SSH
iptables -A INPUT -p tcp --dport 22 -j SSH
iptables -A SSH -p tcp -s 0/0 -d your.ssh.server/client.addr --dport 22 -j ACCEPT

to allow connections to ssh from any address (0/0), and I’d also limit those ssh connections:

# rate-limit new ssh connections to 3 per minute; the limit applies to tcp port 22 (icmp has no ports),
# and this rule has to come before, or replace, the unconditional ACCEPT above or it never matches
iptables -A SSH -p tcp -m state --state NEW -m limit --limit 3/min -s 0/0 -d ssh.server --dport 22 -j ACCEPT
iptables -A SSH -j DROP

(default policy for the SSH chain)

That’s all well and good, but I would guess that many users would not be comfortable doing firewall configuration from the CLI (and making the rules persistent).