This was in “Re: Firewall and IP Tables”, but I’m starting a new thread,
since this isn’t really about the original topic any more.
On Thu, 07 May 2009 19:56:01 +0000, framp wrote:
> ‘That’s what I found’ (http://en.opensuse.org/SuSEfirewall2).
Found and read that. Doesn’t cover FW_CUSTOMRULES at all. Also doesn’t
cover how and why SuSEfirewall2 hooks in with the $network so that it
destroys and rebuilds the whole of iptables each time a network interface
goes from down to up (this can be interesting on a laptop with wired and
wireless connections).
I’m specifically interested in the custom rules support, since I want to
nicely and correctly add some customized stuff to the SuSEfirewall2.
(Yes, for the detractors, I know, I could just scrap the whole of Sfw2
and replace it with your favourite iptables script, or develop one of my
own; that’s not the point here.)
> If you need help - just post your questions/problems. A lot of people
> have experiences with SuSEfirewall2 and might be able to help you.
Is this an intentional setup, misfeature, or bug:
If you uncomment the FW_CUSTOMRULES line in
/etc/sysconfig/SuSEfirewall2 you’d expect it to do something useful.
After all, it says:
Type: string
25.)
Do you want to load customary rules from a file?
This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
#FW_CUSTOMRULES=""
and if you go look at the SuSEfirewall2-custom script, it looks like it’s
intended for customized extensions to the Sfw2 iptables stuff. So I tried
that and nothing happens.
So I went hunting around and found the /sbin/SuSEfirewall2 script uses
FW_CUSTOMRULES:
load_customrules()
{
    # Load custom rules
    if [ -n "$FW_CUSTOMRULES" ]; then
        if [ ! -r "$FW_CUSTOMRULES" ]; then
            die 1 "Firewall custom rules file can not be read from $FW_CUSTOMRULES"
        fi
        . "$FW_CUSTOMRULES"
        message "Firewall custom rules loaded from $FW_CUSTOMRULES"
    else
        message "No custom rules specified."
    fi
}
and has stubs for the functions defined in the Sfw2-custom script, so
that the whole thing works without errors, whether or not custom rules
are being used. Ok, pretty slick so far, so why doesn’t it work? I can
put stuff in the Sfw2-custom script, but it never gets called.
More hunting eventually found this gem at the top of /sbin/SuSEfirewall2:
FW_CUSTOMRULES=""
Yep. Despite the change to the /etc/sysconfig/SuSEfirewall2 script, where
it looks like this variable should be set, they’re blowing it away here
in /sbin/SuSEfirewall2 so that the entire Sfw2-custom script will never
be called.
Even more entertainingly, if you change FW_CUSTOMRULES here in the /sbin
script, but don’t change it in the /etc/sysconfig one, then the order
that these scripts get called in actually results in the same symptoms,
because /sbin/SuSEfirewall2 calls /etc/sysconfig/SuSEfirewall2.
It’s almost like they are intentionally making it really hard to activate
the FW_CUSTOMRULES script support.
After commenting this line out, the Sfw2-custom script gets called.
And on a minor note, there are several places where the word “custom” has
been replaced by “customary”, like in the comments above. Somebody ought
to get those fixed.
–
David Gersic dgersic_@_niu.edu
Novell Knowledge Partner http://forums.novell.com
Please post questions in the newsgroups. No support provided via email.
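The loading mechanism discussed in the post, as an added example that is not part of the original message or of SuSEfirewall2 itself: a small POSIX sh script that mimics load_customrules() on scratch copies of the two files and adds a check for whether the custom-rules hook actually ends up defined, so you can tell a silently ignored FW_CUSTOMRULES from a working one. The hook name fw_custom_after_finished, the scratch file contents and the "forced override" argument are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the post or from SuSEfirewall2.
# Mimics the quoted load_customrules() and checks whether the custom-rules
# file really takes effect: the variable must survive config loading, the
# file must be readable, and sourcing it must define the hook function.
# The hook name and all file contents below are constructed for the demo.

HOOK="fw_custom_after_finished"   # assumption: a hook the main script calls

# Build scratch copies of the two files the post discusses.
setup_demo() {
    DEMO=$(mktemp -d)
    cat > "$DEMO/sysconfig" <<EOF
FW_CUSTOMRULES="$DEMO/custom"
EOF
    cat > "$DEMO/custom" <<'EOF'
fw_custom_after_finished() { echo "custom hook ran"; }
EOF
}

# Same logic as the post's load_customrules(), with die/message inlined.
load_customrules() {
    if [ -n "$FW_CUSTOMRULES" ]; then
        [ -r "$FW_CUSTOMRULES" ] || { echo "cannot read $FW_CUSTOMRULES" >&2; return 1; }
        . "$FW_CUSTOMRULES"
        echo "Firewall custom rules loaded from $FW_CUSTOMRULES"
    else
        echo "No custom rules specified."
    fi
}

# Returns 0 if the hook is defined after loading the sysconfig file and,
# optionally, applying a forced value ($1) the way a top-of-script
# FW_CUSTOMRULES="" reset would; returns 1 if the hook never gets loaded.
custom_rules_effective() {
    unset -f "$HOOK" 2>/dev/null
    . "$DEMO/sysconfig"
    [ $# -gt 0 ] && FW_CUSTOMRULES="$1"   # mimic the reset the post found
    load_customrules >/dev/null || return 1
    command -v "$HOOK" >/dev/null 2>&1
}

# Demo run: as configured, then with the variable blown away.
setup_demo
custom_rules_effective && echo "custom rules take effect"
custom_rules_effective "" || echo "reset to empty string: hook never loaded"
rm -rf "$DEMO"
```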