Understanding firewall upgrade

Hi,

I have 2 computers running Leap 15.0: one is a desktop upgraded from 42.3, the second a laptop with a new install on a blank HDD.
My questions about the firewall manager are in 2 parts:

  • What has been done in Leap 15.0 compared to Leap 42.3
  • How to upgrade to the new firewall manager

1 -

I understand that, but
[Upgraded from 42.3] Why do I get an error message “These packages need to be installed: firewall-config” when I click Firewall in the YaST Control Center GUI? Should it not be installed already?
[New install 15.0] Same issue: why do I get an error message “These packages need to be installed: firewall-config” when I click Firewall in the YaST Control Center GUI? Should it not already be installed in the new install?

[Upgraded from 42.3] I can see that I have 2 iptables managers installed: SuSEfirewall2 with the service enabled and active, and firewalld with the service disabled and inactive. Why can’t I directly use SuSEfirewall2 as previously?
[New install 15.0] I can see that I have only firewalld installed, with the service enabled and active. Why can’t I directly use firewalld? There is an error message.

2 -
[New install 15.0] Should I install firewall-config to get the new iptables manager firewalld working?
[Upgraded from 42.3] What will happen if I install firewall-config? Will I use SuSEfirewall2 or firewalld?
How do I upgrade to the new firewalld from SuSEfirewall2?
This page explains Firewalld and the migration:
https://en.opensuse.org/Firewalld
But why do we need a migration tool? I was thinking iptables was not changed; moreover, they say to back up iptables. They say not all rules may be upgraded. Are there different iptables for Firewalld and SuSEfirewall2?

Thank you for your help

On 06/08/2018 06:56 AM, MrNice wrote:
>
> 2 -
> [New install 15.0] Should I install firewall-config to get the new
> iptable manager firewalld working?
> [Upgraded from 42.3] What will happen if I install firewall-config, I’ll
> use SuSEfirewall2 or firewalld?
> How to upgrade to the new firewalld from SuSEfirewall2?
> This page explains about Firewalld and migration
> https://en.opensuse.org/Firewalld
> But why we need a migration tool? I was thinking the iptables was not
> changed, moreover they say to backup iptables. They say not all rules
> may be upgraded. Is there different iptables for Firewalld and
> SuSEfirewall2?

I do not know the answers to your other questions, but this one I think I may.

First, SuSEfirewall2 is not a firewall, but is a set of packages with
files that manage the Linux firewall, known as NetFilter, which is part of
the kernel. Another way to manage this, manually, is via iptables
commands. SuSEfirewall2 essentially manages these iptables commands for
you, which is why you can always see, or modify, the firewall with those
commands.

firewalld is the same, I believe; it is a nicer frontend to management of
a firewall than the standard “create a script on your own of iptables
commands” method. As a result, there needs to be some kind of place where
firewalld keeps its configuration which it then converts into iptables
commands (or maybe even direct calls to NetFilter; I do not know that this
is not done).

Why a migration tool? Because SuSEfirewall2 keeps its configuration in a
different file, and almost certainly a different format, than firewalld,
because they were designed in different times by different people. The
conversion may be very easy, and very fast, and very reliable, but having
a backup just in case of what is really set up (via iptables commands) is
always a good idea.


/usr/sbin/iptables -nvL
/usr/sbin/iptables-save > /root/backup-$(date +%s).iptables


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
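As an added example (not from the post above, and not part of the openSUSE migration tooling), here is a way to use those two iptables-save backups. Take one dump before the migration and one after firewalld is running, then reduce each rule to (table, protocol, destination port, source, terminal target) and report what the old rule set allowed or blocked that has no counterpart in the new one. A plain line diff is useless because firewalld uses entirely different chain names (IN_public_allow and so on). The two sample dumps embedded below are constructed and simplified; they are not real SuSEfirewall2 or firewalld output.

```shell
#!/bin/sh
# Added example: compare `iptables-save` dumps taken before and after a
# SuSEfirewall2 -> firewalld migration and list rules that did not survive.
# Each rule is reduced to "table proto dport src target"; jumps to
# user-defined chains (e.g. -j input_ext) are ignored, only terminal targets
# count. Dumps taken with `iptables-save -c` (counters) are handled too.
export LC_ALL=C

# normalize_rules FILE: one sorted, de-duplicated summary line per rule.
normalize_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*filter" -> table name
        /^(\[[0-9]+:[0-9]+\] )?-A / {
            proto = "any"; dport = "any"; src = "any"; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-s") src = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (target ~ /^(ACCEPT|DROP|REJECT|MASQUERADE|REDIRECT|DNAT|SNAT)$/)
                print table " " proto " " dport " " src " " target
        }
    ' "$1" | sort -u
}

# missing_rules BEFORE AFTER: summaries present before the migration but
# absent afterwards. Each line is a candidate for a manual firewall-cmd rule.
missing_rules() {
    b=$(mktemp); a=$(mktemp)
    normalize_rules "$1" > "$b"
    normalize_rules "$2" > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# write_samples DIR: constructed, simplified dumps so the script runs offline.
write_samples() {
    cat > "$1/before.rules" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j input_ext
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
-A input_ext -s 192.168.1.0/24 -p tcp -m tcp --dport 445 -j ACCEPT
-A input_ext -j DROP
COMMIT
EOF
    cat > "$1/after.rules" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 5353 -m conntrack --ctstate NEW,UNTRACKED -j ACCEPT
COMMIT
EOF
}

main() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "Rules present before the migration with no counterpart afterwards:"
    missing_rules "$d/before.rules" "$d/after.rules"
    rm -rf "$d"
}
main
```

On a real host replace write_samples with the two files produced by `iptables-save` (for IPv6, run the same script on `ip6tables-save` output). In the constructed sample the only line reported is the Samba rule restricted to 192.168.1.0/24, which is the kind of source-qualified rule the openSUSE page warns may not be converted automatically.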

I consider that a message, not an error message.

As to why “firewall-config” is not automatically installed – I don’t know the answer to that. Somebody made a decision on that. Personally, I think that it should be set to install automatically, or at least as a recommended package.

Ok, I understand now that both firewall managers use an intermediate file. I was thinking they directly read the iptables and show the values in a graphical interface, and write the changes to the iptables when save is activated.
Now that is clear.

I did a dry test, then a real one. It is hard for me to see an issue; it looks good, no error message.
Could you tell me if I should change the following to drop/reject in a home network with Linux and an Android box only?

firewall-cmd --direct --get-all-passthrough
ipv4 -t filter -A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT
ipv6 -t filter -A INPUT -p udp -m udp --dport 546 -j ACCEPT
ipv6 -t filter -A INPUT -p udp -m udp --dport 5353 -m pkttype --pkt-type multicast -j ACCEPT

That really depends on whether you want Avahi working for you.
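Before dropping either passthrough rule, the check I would run (an added example, not from the thread) is whether anything on the host actually binds those ports: 5353/udp is mDNS, which Avahi uses for .local name resolution and service discovery, and 546/udp is the DHCPv6 client port. The script parses `ss -ulnp` output and prints the process behind each port; the embedded `ss` output is constructed for offline use and does not come from the poster's machine.

```shell
#!/bin/sh
# Added example: which processes bind the UDP ports that the firewalld
# passthrough rules accept (5353 = mDNS/Avahi, 546 = DHCPv6 client)?
# On a live host:  ss -ulnp | udp_listeners 5353 546
# SAMPLE_SS below is constructed so the script runs offline.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*        users:(("avahi-daemon",pid=812,fd=12))
UNCONN 0      0      0.0.0.0:68         0.0.0.0:*        users:(("wickedd-dhcp4",pid=790,fd=6))
UNCONN 0      0      [::]:5353          [::]:*           users:(("avahi-daemon",pid=812,fd=14))
UNCONN 0      0      127.0.0.1:323      0.0.0.0:*        users:(("chronyd",pid=640,fd=5))'

# udp_listeners PORT...: read `ss -ulnp` output on stdin and print
# "PORT process[,process]" per requested port, or "PORT -" if nothing binds it.
udp_listeners() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) seen[want[i]] = "" }
        NR == 1 { next }                        # skip the header line
        {
            port = $4; sub(/.*:/, "", port)     # "[::]:5353" -> "5353"
            if (!(port in seen)) next
            name = "?"
            if (match($0, /\(\("[^"]+"/))       # users:(("avahi-daemon",...
                name = substr($0, RSTART + 3, RLENGTH - 4)
            if (seen[port] == "") seen[port] = name
            else if (index("," seen[port] ",", "," name ",") == 0)
                seen[port] = seen[port] "," name
        }
        END {
            for (i = 1; i <= n; i++) {
                p = want[i]
                print p " " (seen[p] == "" ? "-" : seen[p])
            }
        }
    '
}

# sample_listeners PORT...: run the check against the constructed sample.
sample_listeners() {
    printf '%s\n' "$SAMPLE_SS" | udp_listeners "$@"
}

sample_listeners 5353 546
```

With the sample data avahi-daemon holds 5353 on both IPv4 and IPv6, so dropping the 5353 passthrough rules would break mDNS for it; nothing binds 546, so the DHCPv6 client rule is only needed if the machine is expected to get an IPv6 lease that way. A "-" result for a port you still see traffic on usually means the client opens the socket only while it is actually negotiating, so check the network configuration too before removing the rule.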

I didn’t find on the Internet that Avahi uses port 5353.

I started to read the doc to set up the firewall.

Thanks all of you for your big help.

On my new fresh install of Leap 15.0 I see the following package, which may
be useful in the future to you or others:


susefirewall2-to-firewalld | Basic SuSEfirewall2 to FirewallD migration script | package


Good luck.
