SuSEfirewall2 issues after upgrade from SuSE 11.2 to Leap 15

Hoping someone can point a relative novice in the right direction.

Upgraded from SuSE 11.2 to Leap 15.

Running: Apache2, Ssh and samba

Apache2 web server listening on ports 80 & 443 and websites are SSL certified using Let’s Encrypt
Ssh is used mainly from within the LAN but on a rare occasion remotely too.
Samba is being used so that MS windows Laptops and Desktops within the LAN and via a VPN (VPN configured and maintained by two Draytek Routers) can access files on the server by mapping a network drive.

All’s working well.

Having completed this I now want to get the SuSEfirewall up and running too and this is where I’m having problems.

It’s installed and I can start and stop it etc. I gather that the main configuration file is found at: /etc/sysconfig/SuSEfirewall2 and I’ve used the file at /etc/sysconfig/scripts/SuSEfirewall2-custom for blocking persistent ip addresses from accessing the server on my old box.

When I start the service by default ALL access to the server is blocked.

Having looked at the main config file it’s huge and I’m lost as to what to edit and or add to it.

Can somebody please help me open up access from my LAN and VPN and open up access to my Web Server and SSH from the WAN as I haven’t got a clue where to start.

Googling the problem only confuses the issue further.

SuSEfirewall2 is replaced by firewalld. AFAIK there is a YaST module for it.

OK thank you.

I’ll explore firewalld and see how I get on.

Had a quick look and again by default all services are blocked and I’m at the mo completely stuck about how to start with this, so I’ll try after tea later.

As Henk mentioned, openSUSE has moved to using firewalld as the default firewall, and this is mentioned in the openSUSE Leap 15.0 release notes.
Having said that, for those that have upgraded from earlier versions, there may be a requirement to continue using SuSEfirewall2 for the immediate future, so that is still possible.

The status of either firewall framework can be checked with

sudo systemctl status SuSEfirewall2
sudo systemctl status firewalld

and of course both should not be active at the same time.

Firewalld does not currently have a YaST module for configuration, but there is both a CLI (firewall-cmd) and a GUI interface (firewall-config) available for it, and it is the latter that is called via YaST > Firewall.

Some useful references:
https://en.opensuse.org/Firewalld
https://firewalld.org/documentation/
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

Much more elaborate information from @deano_ferrari than I could provide :).
I do not use the firewall, thus my lack of experience.

BTW, it is not completely clear from what you were upgrading. “SuSE 11.2” is a non-existing beast. Either you mean

  • openSUSE 11.2 and then I can only encourage you to read all the release notes between 11.2 and 15.0;
  • or SUSE (Linux Enterprise) 11, service pack 2, in which case there could be even more differences.

Thank you to those that have replied thus far.

Upgraded from openSuSE 11.2 to LEAP 15.

The only thing I’m struggling on is getting a firewall configured.

I’ll try firewalld as this seems to be the way forward if SuSEfirewall will become obsolete at some point.

As I’ve upgraded everything else I may as well upgrade the firewall too. Makes sense.

I may start a new thread on configuring firewalld if I fail to configure it myself.

Thank you

As you can see on almost every page on these forums and on other openSUSE websites, making an extra camel-hump inside openSUSE is not as it is spelled (already for many, many years, even during 11.2).

This may be a minor remark (and it is, we will try to help you nevertheless), but it is as irritating as it is for everybody who sees her/his name misspelled. :wink:

Apologies if I’ve upset someone, I’m confused… whose name have I misspelled?

Literally completely mystified… what have I done wrong!

I can even misspell my own name… honest.

When I sat my GCSEs 40+ yrs ago, on one of my exams I had to pass on the first question!

What’s your name? Not kidding, I had to leave it blank and have another go later on.

Managed to get firewalld up and running and unblocked apache2, samba and ssh servers.

Worked out how to block and unblock IP addresses too.

Question: where are these rules stored? Are they written to a file somewhere and if so can someone tell me where please.

It’s been awhile since I’ve upgraded a machine to LEAP15, but IIRC upgrades retain SuSEfirewall2.
For upgraders, you can choose to keep SuSEfirewall2 or modify to use firewalld, I don’t know that choosing either makes much of difference today.

If you’d like to keep using SuSEfirewall2, you might check whether the service is just not running; you can verify its state by running the following (note the camel case)

systemctl status SuSEfirewall2

You may also have problems with your upgrade, I haven’t had too many successes jumping directly from a much older version of openSUSE without going through each intermediate version. You might want to make contingency plans in case you begin to see things don’t work as well as they’re supposed to.

TSU

I say that I have upgraded but what I actually did was back up all the files and folders I needed, inc some config files, on an old box.

A new box already built and ready, I installed LEAP 15 as a virgin install and started again configuring things; didn’t take too long.

certbot got me baffled for a short while but got there.

Using a firewall (SuSEfirewall2) got me stumped.

Now trying firewalld instead, early days yet but I think I’ve made progress but not there yet.

The name of the product. It is openSUSE, not openSuSE or SuSE or any other deviation.

This reads like progress. Let us know if you get stuck. :slight_smile:

Sorted out firewalld as far as I’m happy to go.

I do like to back up config files periodically and firewalld.conf has now been added to my list of files to back up, but where are blocked IP addresses stored?

This will allow me to back up this file too; I’m asking because SuSEfirewall2 stored this data in a custom config file and therefore I’m assuming that this firewall does the same.

The entire configuration resides within /etc/firewalld/ AFAIU. Have you blacklisted specific IP addresses?

Having used the command: firewall-cmd --permanent --zone=trusted --add-rich-rule="rule family=ipv4 source address=115.44.0.0/16 reject" for example and restarted firewalld.

Then offered the command: firewall-cmd --list-all

my rule is listed and is working OK.

No such entries appear in the config file /etc/firewalld/firewalld.conf

Where are these rules entered?

Examine the config files for the pertinent zones. In your case (using ‘trusted’ zone) this would be /etc/firewalld/zones/trusted.xml
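To show what that zone file actually holds, and how a backed-up copy can be turned back into the firewall-cmd rich rules that created it, here is an added Python example that is not from the thread. The XML is a constructed sample of /etc/firewalld/zones/trusted.xml in the layout firewalld writes (compare with your own file); the services and the 115.44.0.0/16 rule mirror the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/trusted.xml after the thread's
# rich rule was added with --permanent. Layout follows what firewalld writes
# (from memory; check against your own file), the contents are made up.
SAMPLE_TRUSTED_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="samba"/>
  <rule family="ipv4">
    <source address="115.44.0.0/16"/>
    <reject/>
  </rule>
</zone>
"""

ACTIONS = ("accept", "reject", "drop")


def parse_zone(xml_text):
    """Return the zone target, opened services and per-source rich rules."""
    if isinstance(xml_text, str):          # declaration says utf-8, so feed bytes
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    rules = []
    for rule in root.findall("rule"):      # one <rule> per rich rule
        src = rule.find("source")
        action = next((c.tag for c in rule if c.tag in ACTIONS), None)
        if src is not None and action is not None:
            rules.append((rule.get("family"), src.get("address"), action))
    return {
        "target": root.get("target"),
        "services": [s.get("name") for s in root.findall("service")],
        "rules": rules,
    }


def blocked_sources(zone):
    """Addresses the zone rejects or drops: the list the poster wants to back up."""
    return [addr for _fam, addr, action in zone["rules"] if action != "accept"]


def to_rich_rules(zone):
    """Rebuild the --add-rich-rule strings from a saved zone file."""
    return [f"rule family={fam} source address={addr} {action}"
            for fam, addr, action in zone["rules"]]
```

Running parse_zone over the real file (open it as bytes) lists the blocked ranges, and to_rich_rules gives strings you can feed back to firewall-cmd --permanent --zone=trusted --add-rich-rule=... when rebuilding a box.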

Sorted, thank you so much. I can now add this to my ever growing list of files to backup.

Thank you

Glad to have been of assistance. :slight_smile: