SuSEfirewall2 and opening for http in 11.1

Hello
I know how to open SuSEfirewall2 for an http server. I know of two ways:

1: I can alter the text configuration file (/etc/sysconfig/SuSEfirewall2) and make sure the value “80” is included into the line FW_SERVICES_EXT_TCP
2: I can activate “http server” in Yast → Security and Users → Firewall → Allowed Services.

In openSUSE 11.1 they both do the job, allowing my http server. But I can’t find any changes in the file /etc/sysconfig/SuSEfirewall2 when I use the second method, the Yast GUI. Does anyone know what changes by the second method?

Thanks
Swerdna

FFI. The application “diff” says there’s no change in the file /etc/sysconfig/SuSEfirewall2 if I activate or deactivate “http server” in Yast → Security and Users → Firewall → Allowed Services in 11.1. So that’s a big puzzle to me how Yast allows or blocks the http server. What can it be?

First, have you verified it is being allowed or denied as you change the
setting? Second, any other files in /etc/sysconfig or
/etc/sysconfig/network getting timestamped as you go and make changes in
here? We could always review the /etc/init.d/SuSEfirewall2_setup script
to see where it finds its settings. This script, on my SLED 10 SP2
x86_64 laptop, points to /sbin/SuSEfirewall2 which is a script that, at
the top, tells about /etc/sysconfig/SuSEfirewall2 so hopefully if that
has changed the comments in this script changed as well.

Good luck.

swerdna wrote:
> FFI. The application “diff” says there’s no change in the file
> /etc/sysconfig/SuSEfirewall2 if I activate or deactivate “http server”
> in Yast → Security and Users → Firewall → Allowed Services in
> 11.1. So that’s a big puzzle to me how Yast allows or blocks the http
> server. What can it be?
>
>

On Mon December 29 2008 06:16 pm, swerdna wrote:

>
> FFI. The application “diff” says there’s no change in the file
> /etc/sysconfig/SuSEfirewall2 if I activate or deactivate “http server”
> in Yast → Security and Users → Firewall → Allowed Services in
> 11.1. So that’s a big puzzle to me how Yast allows or blocks the http
> server. What can it be?
>
>
swerdna
iptables ???

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Found the wretched thing hiding in the line:
FW_CONFIGURATIONS_EXT=""
changes to
FW_CONFIGURATIONS_EXT="apache2"

No wonder my egrep “80|http” got me nowhere. And I mucked up the “diff” command and accidentally compared before with before rather than after with before.

Thanks for the efforts.

Yes, this is the new extension config scheme where each major service puts a file in /etc/sysconfig/SuSEfirewall.d/services specifying the ports that it needs. Note that there is also an apache2-ssl config file there if you want https. Hopefully this will make firewall configuration more modular and obviously this is what YaST developers also want.

I also note that in 11.1 the tool Yast Firewall – Allowed Services → Samba Server now lodges the phrase “samba server” in that line instead of lodging port assignments in fw_services_ext_tcp and ditto_udp and the line for broadcasts. Only problem is that doesn’t open the firewall. Oh well, can’t have everything working right first time, maybe for 11.2.

Yes, you get a lolly, you found a bug. :) No need to wait until 11.2, I’m sure an update RPM in the new year can fix that.

Well the bl***y thing was driving me crazy. Now the fix is to change the file samba-server located at /etc/sysconfig/SuSEfirewall2.d/services/samba-server from these erroneous default contents:

```
## Name: Samba Server
## Description: Opens ports for Samba Server.

# space separated list of allowed TCP ports
TCP="netbios-ssn microsoft-ds"

# space separated list of allowed UDP ports
UDP=""

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST=""
```

to these correct contents:

```
## Name: Samba Server
## Description: Opens ports for Samba Server.

# space separated list of allowed TCP ports
TCP="netbios-ssn microsoft-ds"

# space separated list of allowed UDP ports
UDP="netbios-ns netbios-dgm"

# space separated list of allowed RPC services
RPC=""

# space separated list of allowed IP protocols
IP=""

# space separated list of allowed UDP broadcast ports
BROADCAST="netbios-ns netbios-dgm"
```

And it never would have occurred to me to look there until I saw your post.

Thanks

I’ve been chasing this bug around a pole for about a week. But now the fix is in here:
https://bugzilla.novell.com/show_bug.cgi?id=462307

Slightly different path on my system,

/etc/sysconfig/SuSEfirewall2.d/services/

Is this a typo?

Yes it is, Ken & I were wrong, thanks.
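An added example, not part of any post in this thread: a small shell audit that follows the names in FW_CONFIGURATIONS_EXT into the per-service files and prints the ports each one opens, which is what a grep for “80|http” on the main file misses. The function names, the output format and the sample files are constructed for illustration; on a real system the arguments would be /etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/SuSEfirewall2.d/services.

```shell
#!/bin/sh
# Added example: show what the external zone opens, including ports that
# come from service files named in FW_CONFIGURATIONS_EXT.

# Print the value of NAME="value" from FILE without sourcing (executing) it.
get_var() {   # usage: get_var NAME FILE
    sed -n "s/^$1=\"\(.*\)\"[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

effective_ports() {   # usage: effective_ports SYSCONFIG_FILE SERVICES_DIR
    # Ports listed directly in the main configuration file.
    for key in TCP UDP; do
        echo "direct $key=$(get_var "FW_SERVICES_EXT_$key" "$1")"
    done
    # Ports pulled in indirectly through named service definitions.
    for svc in $(get_var FW_CONFIGURATIONS_EXT "$1"); do
        if [ ! -f "$2/$svc" ]; then
            echo "$svc: no such service file"
            continue
        fi
        for key in TCP UDP BROADCAST; do
            echo "$svc $key=$(get_var "$key" "$2/$svc")"
        done
    done
}

# Constructed sample tree: an apache2 file and the samba-server defaults
# quoted in the thread (empty UDP and BROADCAST).
demo() {
    d=$(mktemp -d) && mkdir "$d/services" || return 1
    cat > "$d/SuSEfirewall2" <<'EOF'
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_CONFIGURATIONS_EXT="apache2 samba-server"
EOF
    printf '%s\n' '# constructed sample' 'TCP="http"' > "$d/services/apache2"
    printf '%s\n' 'TCP="netbios-ssn microsoft-ds"' 'UDP=""' 'BROADCAST=""' \
        > "$d/services/samba-server"
    effective_ports "$d/SuSEfirewall2" "$d/services"
    rm -rf "$d"
}

if [ $# -eq 2 ]; then effective_ports "$1" "$2"; else demo; fi
```

In the demo output the lines `samba-server UDP=` and `samba-server BROADCAST=` are empty, which is the gap the corrected samba-server file above fills.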