Susefirewall2

Hello! Please give some help if possible. I use the SuSEfirewall2 interface in YaST. So I want to block all outgoing and incoming connections and then allow only specific IP addresses. For example, in Chrome only domains whose IPs are allowed in SuSEfirewall2 will work. I searched but I cannot find a solution. Does anyone know how I can do it? Thank you!

Do you use SuSEfirewall2 or firewalld?

You should know that openSUSE Leap 15.2 is using firewalld by default.

Refer:
https://en.opensuse.org/Firewalld

Hello and thank you for your replies. Sorry, I was away for some hours. I use Leap 15.1 and SuSEfirewall2. Here is the screen. Before I installed SuSEfirewall2 there was no firewall interface in settings. Maybe it was available in the terminal, I don't know, but this interface appeared after I installed firewall2. I think there was an option to install something like firewalld but I finally chose firewall2. Is it better to install firewalld, or can I find a solution with firewall2 as well?
https://ibb.co/BsYzpYY

I used the rule “0/0,0/0” to always drop all packets at FW_FORWARD_DROP but nothing happens. I can still open all the pages in the browser. And FW_ROUTE is already set to YES. I started firewall2 in the terminal with the command “start” and it says “Firewall rules successfully set”, but I am still not able to block any traffic. Then I tried the command “rpc-update” and the message appears “SuSEfirewall2 is not running, no rpc update possible”. I cannot understand why the firewall is not running.

Then you’ve selected the wrong prefix (openSUSE version) for this thread. I will correct that for you.

firewalld is now supported as firewall in openSUSE.

zypper se -si firewall
Loading repository data...
Reading installed packages...

S  | Name                     | Type    | Version           | Arch   | Repository
---+--------------------------+---------+-------------------+--------+-----------------------
i+ | firewall-config          | package | 0.5.5-lp152.6.3   | noarch | Main Repository
i  | firewall-macros          | package | 0.5.5-lp152.6.3   | noarch | Main Repository
i+ | firewalld                | package | 0.5.5-lp152.6.3   | noarch | Main Repository
i  | firewalld-lang           | package | 0.5.5-lp152.6.3   | noarch | Main Repository
i+ | firewalld-rpcbind-helper | package | 0.1-lp152.6.1     | noarch | Main Repository
i  | python3-firewall         | package | 0.5.5-lp152.6.3   | noarch | Main Repository
i+ | yast2-firewall           | package | 4.2.5-lp152.2.3.1 | noarch | Main Update Repository

Use the systemd commands to check status…

sudo systemctl status SuSEfirewall2

Examine the journalling…

sudo journalctl -u SuSEfirewall2

While that is true, it was not the default firewall front-end for openSUSE Leap 15.1. Yes, it can be installed and switched to, but some steps need to be undertaken.

oh we are on Leap 15.1?
I missed that.

Thank you, it is my mistake to place it in Leap 15.2. So here are the results.
I used the status command “sudo systemctl status SuSEfirewall2” and the reply is the following message, but the strange thing is that the terminal froze there. When I tried to close the terminal, a warning appeared: “there is a process running, are you sure you want to close the terminal?”. Here is the message:
" SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor prese>
Drop-In: /usr/lib/systemd/system/SuSEfirewall2.service.d
└─fail2ban.conf
Active: inactive (dead)
lines 1-5/5 (END)"
I also tried the next command “sudo journalctl -u SuSEfirewall2”; here are the results:
"-- Logs begin at Thu 2020-12-03 22:42:24 EET, end at Thu 2020-12-03 22:59:52 EET. --
-- No entries --
"

It’s not clear to me why it is inactive, but restart it and observe the output…

sudo systemctl restart SuSEfirewall2

Please use CODE tags when posting commands and output. Refer to the ‘#’ button in the advanced forum editor.

I note from the output you shared that you’re using fail2ban? I don’t use that, but I did find this 2019 opensuse discussion which describes some issues with using the two together…

On 01/16/2019 09:07 PM, Patrick Shanahan wrote:

  • Marc Chamberlin <marc@xxxxxxxxxxxxxxxxxx> [01-16-19 23:36]:
    I thought I would throw this out for discussion based on my recent
    experience with this particular package. I installed this in my new
    installation of OpenSuSE15.0. I thought initially this package
    SuSEfirewall2-fail2ban was a good idea for integration between these two
    applications. But based on my recent experience with trying to install
    it I got to say either this package needs to be tossed or fixed, as it
    stands it seriously breaks SuSEfirewall2 and it is not an easy thing to
    debug. Some of the problems I had, once it was installed were -
  1. It forces the startup of the fail2ban service each time SuSEfirewall
    service is started, not something you might want sometimes, and not easy
    to figure out how to discover and stop this relationship.
    why would you not want the service running???
    When I am testing and trying to get things working. Turning on/off one
    or both services allowed me to do A/B comparisons and relax constraints.
    I was getting confusing results when I turned SuSEfirewall2 on and was
    thinking I had turned off fail2ban.

  2. It has/causes dependency errors in the systemd launcher that breaks
    the ability of the SuSEfirewall service from starting properly. (this
    problem is widely talked about in other distros as well with their
    versions of firewalls, bug reports have been submitted, and no fix is
    yet available)
    and you are still running SuSEfirewall2 on Leap 15? change to firewalld,
    SuSEfirewall2 is no longer supported.

SuSEfirewall2.service - SuSEfirewall2 phase 2
   Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
   Active: **active (exited)** since Sat 2020-12-05 11:34:25 EET; 3min 35s ago
  Process: 1000 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited, status=0/SUCCESS)
 Main PID: 1000 (code=exited, status=0/SUCCESS)
    Tasks: 0
   CGroup: /system.slice/SuSEfirewall2.service

Dec 05 11:34:22 linux-0tr7 systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 05 11:34:22 linux-0tr7 SuSEfirewall2[1000]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 05 11:34:22 linux-0tr7 SuSEfirewall2[1000]: using default zone 'ext' for interface eth0
Dec 05 11:34:22 linux-0tr7 SuSEfirewall2[1000]: **Warning: /proc/sys/net/ipv4/ip_forward is not enabled, but required for FW_ROUTE, you should configure this in /etc/sysctl.conf. This option has been implicitly enabled now.**
Dec 05 11:34:22 linux-0tr7 SuSEfirewall2[1000]: <36>Dec  5 11:34:22 SuSEfirewall2[1000]: Warning: /proc/sys/net/ipv4/ip_forward is not enabled, but required for FW_ROUTE, you should configure this in /etc/sysctl.conf. This option has been implicitly enabled now.
Dec 05 11:34:25 linux-0tr7 SuSEfirewall2[1000]: Firewall rules successfully set
Dec 05 11:34:25 linux-0tr7 systemd[1]: Started SuSEfirewall2 phase 2.

Hello. I uninstalled fail2ban, restarted the machine and now the service seems to be running at boot. But the result regarding the rules is the same. The firewall is not blocking the browser's traffic. On the other machine I uninstalled firewall2 and installed firewalld, but the result there is the same. The browser is not blocked. I read that if other rules are already applied to allow traffic to port 80, then the new rules have no effect. One needs first to remove the old rules and place the new one at the top of the list of rules. So does anyone know how to display the existing rules? Maybe an existing rule conflicts with the new one that I try to register. Also please take a look at this log of the active service. It says something about an error but I don't know what this is or if it affects my problem. If you want, I can uninstall firewall2 and install firewalld on this machine as well, but I didn't do it because this topic is for firewall2, so only if we see that there is no solution with firewall2, then, if you want, I can move to firewalld. But please let's first try to find what the existing registered rules are so I can try to remove the conflicts. If this does not work, then we can try with firewalld. Thank you!

I tried to flush all tables. Done, but after restart all tables come back again :(

iptables -L -n -v

Yes, thank you. Now the problem is how to delete them all permanently. Nothing I tried worked. I mean I used all the commands to flush and delete. Then I saved and restarted the machine. The rules come back. The only good news is that when I deleted the rules, the browser indeed didn't work in that session. But after the restart, all traffic came back :( .
Even when I saved the empty rules with the “iptables save” command, they come back again after restart. Maybe there is another command to save them? Maybe by including the path to the iptables file? I don't know what the path to the file is.

Takis@linux:~> sudo iptables --list
[sudo] password for root: 
Takis@linux:~> 

Real mess. After flushing the tables, nothing is shown on the console, while it should show empty tables (machine restarted). But the firewall is running and allowing traffic with hidden rules which are not shown on the console.

● SuSEfirewall2.service - SuSEfirewall2 phase 2
   Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
   Active: active (exited) since Sat 2020-12-05 15:04:18 EET; 6min ago
 Main PID: 1031 (code=exited, status=0/SUCCESS)
    Tasks: 0
   CGroup: /system.slice/SuSEfirewall2.service

Dec 05 15:04:18 linux-0tr7 systemd[1]: Starting SuSEfirewall2 phase 2...
Dec 05 15:04:18 linux-0tr7 SuSEfirewall2[1031]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Dec 05 15:04:18 linux-0tr7 SuSEfirewall2[1031]: using default zone 'ext' for interface eth0
Dec 05 15:04:18 linux-0tr7 SuSEfirewall2[1031]: Warning: /proc/sys/net/ipv4/ip_forward is not enabled, but required for FW_ROUTE, you should configure this in /etc/sysctl.conf. This option has been implicitly enabled now.
Dec 05 15:04:18 linux-0tr7 SuSEfirewall2[1031]: <36>Dec  5 15:04:18 SuSEfirewall2[1031]: Warning: /proc/sys/net/ipv4/ip_forward is not enabled, but required for FW_ROUTE, you should configure this in /etc/sysctl.conf. This >
Dec 05 15:04:18 linux-0tr7 SuSEfirewall2[1031]: Firewall rules successfully set
Dec 05 15:04:18 linux-0tr7 systemd[1]: Started SuSEfirewall2 phase 2.

I am not sure you are walking the most effective path. firewalld has already been the default for quite some time (I do not know exactly when, but already before 15.1). Which means that people here are using it and not SuSEfirewall2 and thus will have problems supporting you. They simply cannot replay your tests to comment on them.

Thus, as long as SuSEfirewall2 is installable, it will probably function (after all, it only prepares a bunch of iptables rules that are offered to the kernel on boot), but you may be a bit on your own in trying to create what you want, and the end of it (when SuSEfirewall2 will be dropped) is foreseeable.

takis@linux:~> sudo iptables-restore < /home/takis/iptables-empty.conf
takis@linux-kcjc:~> sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
takis@linux-kcjc:~> 

Thank you for your help. So I switched to firewalld. Then I flushed all iptables. The results are shown here (zero bytes for all). So then I need to add a rule to block all ports and IPv4 (my target at the first step is for the browser to not work). So I open the firewall settings, but as I see, this rule to block IPv4 is not deleted after the flush of the tables. It appears on this screen https://ibb.co/J5SqN7b . So I just reload the rules. But after the reload, all the old iptables rules come back and traffic is allowed. So it seems that the flush commands really do nothing. They do not reset any tables and do not delete any existing rules from the firewall settings application. They are stored somewhere, but not in the firewall settings application. Any suggestion on how I can really reset all the tables and delete all the rules from the firewall settings application?
Here are the tables after reloading the firewall (through the button in the firewall settings application):

takis@linux:~> sudo iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   44  3210 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_IN_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FORWARD_OUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 67 packets, 3939 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   67  3939 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD_IN_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_OUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public  all  --  *      +       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDI_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDI_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDI_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDI_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 FWDO_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 FWDO_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FWDO_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain FWDO_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 IN_public_log  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_public_deny  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 IN_public_allow  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain IN_public_allow (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_deny (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IN_public_log (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination         
takis@linux:~>
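One way to read a listing like the one above, as an added example that is not code from the thread or from the firewalld project: the zone chains hang off INPUT and FORWARD, where REJECT rules exist, while OUTPUT only jumps to the empty OUTPUT_direct chain with policy ACCEPT, so outgoing browser traffic is never evaluated against anything that could block it. The parser below follows the jumps in `iptables -nvL` output and reports which built-in chains cannot block at all; the sample input is constructed and abridged from the listing in the thread.

```python
import re
from collections import defaultdict

# Constructed sample, abridged from the thread's listing: INPUT reaches REJECT, OUTPUT only jumps to an empty chain.
SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   44  3210 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 67 packets, 3939 bytes)
 pkts bytes target     prot opt in     out     source               destination
   67  3939 OUTPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain INPUT_ZONES (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 IN_public  all  --  +      *       0.0.0.0/0            0.0.0.0/0           [goto]

Chain IN_public (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT_direct (1 references)
 pkts bytes target     prot opt in     out     source               destination
"""

def parse_chains(text):
    """Return ({chain: policy or None}, {chain: [target, ...]}) from -nvL text."""
    policies, rules = {}, defaultdict(list)
    chain = None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+)|\d+ references)", line)
        if m:
            chain = m.group(1)
            policies[chain] = m.group(2)  # None for user-defined chains
        elif chain and (cols := line.split()) and cols[0].isdigit():
            rules[chain].append(cols[2])  # the 'target' column of a rule line
    return policies, rules

def reachable_verdicts(chain, policies, rules):
    """Terminating verdicts reachable from `chain`, following jumps and gotos."""
    found = set()
    for target in rules[chain]:
        if target in {"ACCEPT", "DROP", "REJECT", "RETURN"}:
            found.add(target)
        elif target in policies:  # user-defined chain: descend into it
            found |= reachable_verdicts(target, policies, rules)
    return found

def open_builtin_chains(text):
    """Built-in chains whose policy is ACCEPT and which never reach DROP/REJECT."""
    policies, rules = parse_chains(text)
    return sorted(c for c, p in policies.items() if p == "ACCEPT"
                  and not reachable_verdicts(c, policies, rules) & {"DROP", "REJECT"})
```

Run against the sample it reports only OUTPUT, which is the chain an egress allowlist would have to populate (for firewalld, via direct rules) before any outgoing connection can be refused.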