SUSE Firewall: set zone per domain, not interface

I have no doubt that this has been asked (and answered) multiple times, but I couldn’t come up with the search terms needed, so please direct me to that/those discussion(s).

I have been running openSUSE on laptops and servers since 10.3 (now 13.2 & LEAP 42.1) and one aspect of the SUSE Firewall that is troubling has to do with using it with a machine that’s portable.

I’d like to be able to automatically set the Firewall zone of my wi-fi interface based on the domain to which I’m connecting.

E.g., if I connect to myhome.domain.tld the wlan0 interface is automatically placed in the internal zone. If I connect to a different domain, the interface is automatically placed in the external zone.

Is this possible? If so, how?

Thanks,
ron

On the firewall level, you are talking about IP addresses and networks. Not about domains.

And the problem with that approach for workstations (esp. portable laptops) is that there’s a likelihood of multiple domains having the same network prefix (192.168.x.x, etc.).

This seems to be an area where the Windows tool provides a better solution.:X

ron

On Wed, 10 Aug 2016 16:56:01 GMT
r widell <r_widell@no-mx.forums.microfocus.com> wrote:

> Is this possible? if so, how?
>

Yes.

With a Dispatcher script (NetworkManager) or POST_UP_SCRIPT (wicked).

Hint:

SuSEfirewall2 --help | grep FILENAME

file FILENAME same as “start” but load alternate config file FILENAME

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)

Something else I haven’t looked at for a very long time…

Setting up a network profile at the kernel level.
In other words, instead of a single interface configured for your network device (e.g. wlan0), you can remove that and substitute multiple interfaces associated with your network device, each configured differently (e.g. one for each wireless domain). And then, because at the lower level you’ve defined a specific interface with its own unique name, a firewall configuration for that interface name should be configurable.

Most articles on the Internet today reference the RHEL documentation for setting this up; for your purposes, substitute your wireless interface name for “eth0” in the documentation:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s1-network-profiles.html

One reason why I haven’t looked at this for a long time is that for most people I don’t know that it provides advantages over using Network Manager.

TSU

On Wed, 10 Aug 2016 19:06:02 GMT
tsu2 <tsu2@no-mx.forums.microfocus.com> wrote:

> http://tinyurl.com/z7mdbok

I hope this was not serious or was it?

Documentation for RHEL5? Documentation for another distro which is about 10
years old?

> One reason why I haven’t looked at this for a long time is that for most
> people I don’t know that it provides advantages over using Network
> Manager.

Srsly?

Fun fact, openSUSE once had SCPM for such (and quite a lot more) tasks, but
that is (at least officially) gone.

But be it as it may, using respective standard mechanisms for running custom
commands after $INTERFACE has been brought up can be done with NWM, wicked
(ifup).

There are just minor differences in WHAT to write into WHICH configuration
file, and this still works today no matter what tool you use for configuring
network devices.

For ifup/wicked => POST_UP_SCRIPT (see man ifup / man ifcfg)

For NWM -> Script in /etc/NetworkManager/dispatcher.d (see man NetworkManager,
section “DISPATCHER SCRIPTS”)

  • Write 2 different configuration files for SuSEfirewall2

  • Write respective script (depending on configuration method) being
    called when $INTERFACE has been brought up which is
    a) checking what network it has just been connected to (via ESSID might be an
    idea)
    b) calling SuSEfirewall2 start file $FILENAME according to the result of a)

  • Use the standard method (depending on configuration method) to call that
    script when $INTERFACE has been brought up

AK


Never attribute to malice that which can be adequately explained by stupidity.
(R.J. Hanlon)
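A dispatcher script that implements the three steps above for the NetworkManager case, added here as an example; it is not code from this thread or from the SuSEfirewall2 project. It assumes the two prepared config files are /etc/sysconfig/SuSEfirewall2.home and /etc/sysconfig/SuSEfirewall2.external (names made up for the example), that the wireless interface is wlan0 as in the original question, that iwgetid from wireless-tools is installed to read the ESSID, and that the alternate config is loaded with the "file FILENAME" action shown in the SuSEfirewall2 --help line quoted earlier. The trusted SSID names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): NetworkManager dispatcher script,
# e.g. /etc/NetworkManager/dispatcher.d/90-sfw2-zone (hypothetical name).
# NetworkManager invokes it as:  <script> <interface> <action>

# Two prepared SuSEfirewall2 configurations; file names are assumed.
SFW2_INTERNAL=/etc/sysconfig/SuSEfirewall2.home
SFW2_EXTERNAL=/etc/sysconfig/SuSEfirewall2.external

# Interface the question is about.
WIFI_IFACE=wlan0

# Step a) -> map the ESSID to a config file. Only explicitly listed SSIDs
# get the internal config; anything else, including an empty ESSID when
# the link is not associated, falls through to the external config.
zone_config_for_ssid() {
    case "$1" in
        "MyHomeNet"|"MyHomeNet-5GHz")        # constructed trusted SSIDs
            printf '%s\n' "$SFW2_INTERNAL" ;;
        *)
            printf '%s\n' "$SFW2_EXTERNAL" ;;
    esac
}

# Read the ESSID of a wireless interface. iwgetid -r (wireless-tools)
# prints just the ESSID and exits non-zero when the link is not associated,
# which yields an empty string here and therefore the external config.
current_ssid() {
    iwgetid -r "$1" 2>/dev/null || true
}

# Step b) -> load the chosen config. The firewall command is taken from
# $SFW2 so the script can be dry-run with SFW2=echo or SFW2=true.
# Prints the config file it selected so the decision can be checked.
apply_zone() {
    iface=$1
    ssid=$2
    cfg=$(zone_config_for_ssid "$ssid")
    printf 'sfw2-zone: %s ssid=%s -> %s\n' "$iface" "${ssid:-<none>}" "$cfg" >&2
    if ! ${SFW2:-SuSEfirewall2} file "$cfg" >/dev/null; then
        printf 'sfw2-zone: loading %s failed\n' "$cfg" >&2
        return 1
    fi
    printf '%s\n' "$cfg"
}

# Dispatcher entry point: act only when the wireless interface comes up.
if [ "${2:-}" = "up" ] && [ "${1:-}" = "$WIFI_IFACE" ]; then
    apply_zone "$1" "$(current_ssid "$1")"
fi
```

Install it executable, owned by root and not writable by group or others, otherwise NetworkManager silently skips it. The design choice worth keeping whatever you adapt: an SSID is just a name the access point advertises, so the list only decides when to relax the rules, and everything unrecognised (including "no ESSID readable") lands in the restrictive external config.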

Thank you to tsu2 and Akoellh.

I hope to use the directions you provided to expand my knowledge and create the appropriate script to meet my needs.

If I have detailed questions about why my script doesn’t work, I’ll start a new thread and refer to this thread for background.

ron

r widell wrote on Wednesday, 10 August 2016 18:56 in
opensuse.org.help.network-internet :

>
> I have no doubt that this has been asked (and answered) multiple times,
> but I couldn’t come up with the search terms needed, so please direct me
> to that/those discussion(s).
>
> I have been running OpenSUSE on laptops and servers since 10.3 (now 13.2
> & LEAP42,1) and one aspect of the SUSE Firewall that is troubling has to
> do with using it with a machine that’s portable.
>
> I’d like to be able to automatically set the Firewall zone of my wi-fi
> interface based on the domain to which I’m connecting.
>
> E.g., if I connect to myhome.domain.tld the wlan0 interface is
> automatically placed in the internal zone. If I connect to a different
> domain, the interface is automatically placed in the external zone.
>
> Is this possible? if so, how?

In LEAP 42.1 / NetworkManager, at the first tab ( … Settings) there is a field to
choose the firewall zone.

Actually on my PC there is no zone visible :-\ But maybe this is related to
my firewall settings. In YaST I see no firewall zones, either. Maybe this is an
individual problem on my PC.

Check if you can choose the zone in NetworkManager.

Bye

Bernd