Hi, I am new to Linux and openSUSE and have openSUSE running on an old laptop that I am planning to use as a temporary web server (purely because I believe this will help me with understanding security and learning to use Linux). I have created a web server program using express.js that works when I run it on my Windows laptop; however, whenever I run the same program on my openSUSE system, it seems to be blocked by something, as the computer responds but just not to the GET requests. I believe the issue might be with the firewall, but as I am a beginner I have 0 understanding of this. Could someone point me in the right direction or provide me with some info? Thanks.
Have a look at the YaST firewall manager. You'll need to run it as root (you should be able to use xdg-su -c "/sbin/yast2 firewall" if I remember correctly, regardless of which desktop you're using - if I'm wrong, I'm certain someone will be along with the correct command).
From there, you can just open the port you need for your application. Which port you open will depend on what your app is configured for.
Does it work if you stop the firewall?
Yes, I have no issues when turning off the firewall, thanks for reminding me to test this.
Is there any documentation I can read just so I can ensure I'm doing exactly what I want? Thanks!
The port a http server is listening on is by default: 80.
The port a https server is listening on is by default: 443.
Thus you must allow one or both of them in the firewall. But your server may use other ones. Check its configuration.
For testing I am just using port 3000, however I am not quite sure how to configure the firewall. In addition, if I wanted to access the server from the web, would I have to set my router to route requests from port 80/443 to the determined port on my server?
Yes. When your server is on a LAN, you have to do port forwarding on your router. It depends of course on your router how to configure this.
But, when your server is on your LAN, why do you run a firewall on it at all? The router is already the firewall to protect from the Internet. So the only thing is that you are afraid of what originates inside the LAN. Just a question, when your LAN hosts a lot of students, I certainly would not trust them, but when it is only your wife??
I am currently based in China for a couple months and just want to be 100% sure with everything.
Do you think you could point me in the direction of some documentation of the firewall and how to configure it? Thanks!
Sorry, I do not use it. This is in a home LAN with only a few systems (where I am the system manager) and even less users. Also I have only listening ports on the systems that are needed.
But others may point you to the man pages and docs you need.
My solution
Step 1 - Isolate problem:
I discovered that the problem was with my firewall by disabling it, testing the GET requests again and discovering that they did in fact work. This meant my firewall was blocking the port that I was using.
Step 2 - Check what firewall you are using:
My version of openSUSE uses firewalld, and I believe that this is the standard for openSUSE (please correct me if wrong). If you want to check if firewalld is what is installed on your system, run:
sudo systemctl list-units --type=service | grep -E "firewalld"
This should return:
firewalld.service
If this doesn't appear, your firewall may be disabled or you don't have firewalld installed.
Step 3 - Understanding firewalld
Documentation for firewalld can be found here.
However this explained it much better.
Step 4 - Fixing the problem
The easiest way to fix the problem is just to disable the firewall. This should only be used if you are on a network with only users that you trust and you're sure that your router has a firewall (and that it's any good).
You can find which zone your LAN is part of and add the correct port using
sudo firewall-cmd --permanent --zone=<zone> --add-port=<port>/<protocol>
You can remove the port with
sudo firewall-cmd --permanent --zone=<zone> --remove-port=<port>/<protocol>
After making these changes you must run firewall-cmd --reload to implement them.
The zone your LAN is part of is most likely the default (most likely public).
I believe it is possible for you to change the zone it is part of, but I'm not sure how.
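An added example, not part of the original post: finding the zone that holds the LAN interface before opening the port in it. The function names, the interface names and the sample listing are assumptions made for the illustration; the script only prints the firewall-cmd steps and changes nothing.

```shell
#!/bin/sh
# Added example: pick the firewalld zone that holds a given interface and
# print the commands that open one port there. Nothing is changed by running it.

# Constructed sample of `firewall-cmd --get-active-zones` output.
SAMPLE_ZONES='public
  interfaces: eth0 wlan0
docker
  interfaces: docker0'

# zone_of_iface IFACE: read a zone listing on stdin, print the zone of IFACE.
zone_of_iface() {
    awk -v want="$1" '
        $0 !~ /^[ \t]/ && NF { zone = $1; next }   # unindented line: zone name
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
        }'
}

# valid_port N: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# open_port_plan ZONE PORT PROTO: print the firewall-cmd steps, or fail.
# This example accepts tcp and udp only.
open_port_plan() {
    [ -n "$1" ] || { echo "interface is not in any active zone" >&2; return 1; }
    valid_port "$2" || { echo "bad port: $2" >&2; return 1; }
    case "$3" in tcp|udp) ;; *) echo "bad protocol: $3" >&2; return 1 ;; esac
    echo "firewall-cmd --permanent --zone=$1 --add-port=$2/$3"
    echo "firewall-cmd --reload"
    echo "firewall-cmd --zone=$1 --query-port=$2/$3"
}

# Demo on the sample; on a real host feed `firewall-cmd --get-active-zones` in.
zone=$(printf '%s\n' "$SAMPLE_ZONES" | zone_of_iface wlan0)
open_port_plan "$zone" 3000 tcp
```

The last printed command, run as root after the reload, answers yes or no, which confirms the port was opened in the zone the interface actually belongs to.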
The only contribution I can make is that the names of the zones (like "public") do not matter. Zones are only groups of network interfaces (one or more, e.g. on a laptop as well as the cable as the wifi) that should be handled the same. The configuration has some predefined zone names which sound reasonable and which you can use (or not). I assume indeed that using "public" for your connection to your LAN is a good choice.
Remember that the firewall is of course intended to be a real firewall, with internal, external (public) and demilitarized zones. In the "personal firewall" situation, there is only external/public that matters.
This solution should work - but it appears to me this is an LLM-written solution. I would caution about using this as a way of solving problems generally, because LLMs can hallucinate and give you convincing answers that are wrong.
In this case, it's done a reasonable job. openSUSE uses multiple zones, so I have to disagree that the zone isn't important.
I'm running Tumbleweed here, but the firewall module is pretty self-explanatory and the same on both Leap and Tumbleweed.
Then you get prompted for the root password. Enter it, and you get:
(I don't run the firewall, as I protect my system in other ways, and I use docker heavily, and it uses iptables rather than the system firewall - the two can conflict with each other, so I disable the system firewall.)
If you look at "zones", you'll see something like this:
That tells you that you have to modify the "public" zone. (Your system will probably indicate that - though the interface name will probably be different - but it's good to check, because the zone is important. Changing the wrong zone will result in the port not being open.)
Select the zone:
It's important to understand that these names are not program names. They are the aliases of services from the /etc/services file, which gives ports specific names. Since you're using port 3000, you'll want to select "Ports":
Add "3000" to whatever is in the "TCP Ports" field, and accept the changes.
Since I'm not changing anything on my system, "Accept" doesn't do anything. It should just activate the changes, but you can see in the screenshots there's a "Help" button that will give you documentation.
Nobody said that zone is not important. Zone name is not important.
Thanks for the clarification. I see I read too fast and missed OP's comment about renaming the zone name. Yes, in that instance, whatever you decide to call it is unimportant. The only important thing is using whatever name you gave the zone when opening the port.
I totally agree that you should be very cautious with advice from LLMs.
For clarification, the only advice I took from an LLM was
Step 2 - Check what firewall you are using:
my version of openSUSE uses firewalld, and I believe that this is the standard for openSUSE (please correct me if wrong). If you want to check if firewalld is what is installed on your system, run:
sudo systemctl list-units --type=service | grep -E "firewalld"
This should return:
firewalld.service
If this doesn't appear, your firewall may be disabled or you don't have firewalld installed.
And before trusting any commands, I first read any documentation on said commands, and in this instance it provided me with the information I needed to solve the issue. The rest of the solution is written from my understanding and from the websites I linked.
Thanks for the extra information! Although I do think the information listed by the "Help" button is rather lacklustre and not very explanatory.
Glad to hear it on the LLM front - I use them a fair bit (I run a local one myself), and am constantly checking the results I get. I see far too many people go down the rabbit hole and end up doing things that are not correct (and even dangerous) because they don't know better, so I find myself warning folks regularly.
The built-in help is admittedly not comprehensive. There is better documentation at https://docs.opensuse.org - and the docs at SLES 15 SP6 | Security and Hardening Guide | Masquerading and firewalls will also apply (the same tools are used in this case).
In any event, glad you got things working.