Useful firewall

Who is using a firewall on a system with OpenSUSE LEAP 15.2 and what software are you using?

I looked at the Yast firewall, with interfaces set to “public”, and default INCOMING and OUTGOING modes are ACCEPT. I find this is a horribly insecure way of doing things. I would expect a simple stateful firewall would be fine for a laptop user like myself.

I tried shorewall, ufw and fwbuilder, but they just don’t seem to do the trick for me. Especially shorewall and ufw aren’t graphical. (Making a simple graphical stateful firewall using iptables should be very easy and quick in a GUI.)

So I guess I’m relegated to building my own firewall script. But the problem is systemd doesn’t seem (historical complaint) to honor when I install my new service or even script. I followed the documentation and it simply didn’t work, and I couldn’t figure out why.

So I’m probably going to build a script and run it as root every time I boot my machine. Sort of sad, but oh well.

Am I off base? What do you use for your firewall?

See info and documentation links here:

https://en.opensuse.org/Firewalld

In addition to the above…

https://firewalld.org/documentation/

I tend not to use YaST (for firewall configuration at least), but rather firewall-cli for configuration and firewall-config (GUI).

Do you have any source for that claim?
For as long as I have used OpenSuSE and its SuSEFirewall2 as controlled by YaST, the default for the public zone always was and still is REJECT for incoming traffic.
If you execute

sudo iptables -nL

you can see the chains:

  1. each packet is checked if it’s an already established connection
  2. it gets filtered through INPUT_ZONES > IN_public > IN_public_allow
  3. only what you have allowed in the chain “IN_public_allow” with “ctstate NEW” is accepted as a new incoming, not already established, connection
  4. everything else falls through and finally hits REJECT in the main INPUT chain

Only for outgoing traffic is the default to allow anything, which makes sense if you take a look at how a “normal user” accesses the internet: do a DNS lookup and then connect to the resolved IP directly. Making the default for outgoing traffic REJECT would require you to allow each and every single IP or range you want to access. I guess if someone smart would at least allow access to Google and this very forum, we would get flooded by topics like “Why I can’t access any search result on Google?” - Do you really think THAT would be a good idea?
As for server security: Sure, you can “wall off” your server after initial setup, but I would suggest making sure to add at least DNS to your main recursive resolver and the IP of the repo mirror you use - otherwise you would be pretty stuck in a system only able to accept connections but not able to connect to anything else.
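
The chain walk described in the post above, as an added example that is not part of the original thread: a small Python evaluator over `iptables -S` output (the rule-spec listing, which unlike `-nL` also shows interface matches). The sample ruleset, the interface name eth0 and the function names are constructed for illustration, and only the flag/value options used in the sample are interpreted.

```python
import shlex

# Constructed sample in `iptables -S` format, using the chain names from the post.
SAMPLE = """\
-P INPUT ACCEPT
-N INPUT_ZONES
-N IN_public
-N IN_public_allow
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -g IN_public
-A IN_public -j IN_public_allow
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(text):
    """Return ({chain: policy}, {chain: [rule option dicts]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:1] == ["-P"]:
            policies[tok[1]] = tok[2]
        elif tok[:1] == ["-A"]:
            # Options in the sample always come as flag/value pairs.
            chains.setdefault(tok[1], []).append(dict(zip(tok[2::2], tok[3::2])))
    return policies, chains

def matches(opts, pkt):
    """True if every match option we understand agrees with the packet."""
    return (opts.get("-i", pkt["iface"]) == pkt["iface"]
            and opts.get("-p", pkt["proto"]) == pkt["proto"]
            and opts.get("--dport", str(pkt["dport"])) == str(pkt["dport"])
            and pkt["state"] in opts.get("--ctstate", pkt["state"]).split(","))

def verdict(text, pkt, chain="INPUT"):
    """Walk the chains in rule order; the policy applies only if nothing matches."""
    policies, chains = parse(text)
    def walk(name):
        for opts in chains.get(name, []):
            if not matches(opts, pkt):
                continue
            target = opts.get("-j") or opts["-g"]
            if target in TERMINAL:
                return target
            result = walk(target)
            if result or "-g" in opts:  # -g (goto) does not return to this chain
                return result
        return None  # end of a user chain: fall back to the caller
    return walk(chain) or policies[chain]
```

In this sample the INPUT policy is ACCEPT, yet a new connection to a port that is not in IN_public_allow still ends at the final REJECT rule, because the policy is consulted only when no rule matches.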

Assuming no special rules have been created to open custom ports…

You can display the services which are permitted in your default zone with the following command.
Anything that’s not listed in the following should be blocked… Assuming your firewall is running.

firewall-cmd --list-services

TSU

This is factually incorrect.

On 15.2 and Tumbleweed (vanilla virtual machine installations) both default to REJECT to public. Please don’t post FUD because people will search for these using Google and think this is true when in fact it’s not.

I absolutely verified this information. Funny how you rush to the conclusion that everyone whose experience isn’t your own is obviously spreading fear, uncertainty, and doubt.

I am saying in MY installation it very clearly said “REJECT.” I know how to build iptables firewalls and look at options.

Saying it’s not your experience is fine. Saying I’m here to spread FUD is a lie. plonk

You might want to reread your own post. There is no place where YOU wrote REJECT, other than where you slammed Miuku.

Then, of course, there’s the whole thing of “zones.” And don’t forget you can assign various processes to various zones and/or custom rules. I’ve always gone with the default setup following install and only tweaked these things as needed, except for a cluster on its own LAN - then I set the LAN IP to “trusted zone” and it seems to work for OpenMPI.

Please choose your statement wisely and then stand by it. The following two statements are mutually exclusive.

The following statement is therefore a lie.

You bring no fear, but a certain amount of doubt is already here :wink: Be careful and respectful in what you write in this thread.