Who is using a firewall on a system with OpenSUSE LEAP 15.2 and what software are you using?
I looked at the YaST firewall, with interfaces set to “public”, and the default INCOMING and OUTGOING modes are ACCEPT. I find this is a horribly insecure way of doing things. I would expect a simple stateful firewall would be fine for a laptop user like myself.
I tried shorewall, ufw and fwbuilder, but they just don’t seem to do the trick for me. Especially shorewall and ufw aren’t graphical. (Making a simple graphical stateful firewall using iptables should be very easy and quick in a GUI.)
So I guess I’m relegated to building my own firewall script. But the problem is systemd doesn’t seem (historical complaint) to honor when I install my new service or even script. I followed the documentation and it simply didn’t work, and I couldn’t figure out why.
So I’m probably going to build a script and run it as root every time I boot my machine. Sort of sad, but oh well.
Do you have any source for that claim?
As long as I use OpenSuSE and its SuSEFirewall2 as controlled by YaST the default for the public zone always was and still is REJECT for incoming traffic.
If you execute
sudo iptables -nL
you can see the chains:
each packet is checked if it’s an already established connection
it gets filtered through INPUT_ZONES > IN_public > IN_public_allow
only what you have allowed in the chain “IN_public_allow” with “ctstate NEW” is accepted as a new incoming, not already established, connection
everything else falls through and finally hits REJECT in the main INPUT chain
Only for outgoing traffic is the default to allow anything, which makes sense if you take a look at how a “normal user” accesses the internet: do a DNS lookup and then connect to the resolved IP directly. Making the default for outgoing traffic REJECT would require you to allow each and every single IP or range you want to access. I guess if someone smart would at least allow access to Google and this very forum we would get flooded by topics like “Why I can’t access any search result on Google?” - Do you really think THAT would be a good idea?
As for server security: sure, you can “wall off” your server after initial setup, but I would suggest making sure to add at least DNS to your main recursive resolver and the IP of the repo mirror you use - otherwise you would be pretty stuck in a system only able to accept connections but not able to connect to anything else.
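The chain walk described in the reply above (INPUT → INPUT_ZONES → IN_public → IN_public_allow, with everything else falling through to REJECT) is exactly the kind of thing worth checking mechanically rather than reading off the policy in the chain header. The script below is an added example, not code from the thread or from openSUSE; it parses `iptables -nL` output and reports what a NEW inbound connection actually hits. The chain names follow the reply; the table text in `SAMPLE` is constructed for the example, not captured from a real host, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: walk the INPUT chain the way the kernel does and report the
# effective default for NEW incoming connections. Chain names follow the thread;
# the SAMPLE table is constructed for this example (assumption: typical layout of
# a firewalld "public" zone as printed by `iptables -nL`, not real captured output).
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
INPUT_direct  all  --  0.0.0.0/0            0.0.0.0/0
INPUT_ZONES  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain INPUT_direct (1 references)
target     prot opt source               destination

Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_public  all  --  0.0.0.0/0            0.0.0.0/0           [goto]

Chain IN_public (1 references)
target     prot opt source               destination
IN_public_log  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_deny  all  --  0.0.0.0/0            0.0.0.0/0
IN_public_allow  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0

Chain IN_public_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 ctstate NEW,UNTRACKED
'
# On a live host use: IPT_OUTPUT=$(sudo iptables -nvL)  (-v shows -i/-o interface
# matches; without it an "ACCEPT all" rule for lo would look like a catch-all).
IPT_OUTPUT=$SAMPLE

# Rule lines of one chain with the two header lines stripped. $1 = chain name.
chain_rules() {
    printf '%s\n' "$IPT_OUTPUT" | awk -v c="$1" '
        /^Chain / { inchain = ($2 == c); next }
        inchain && $1 != "target" && NF > 0 { print }'
}

# Policy declared in the chain header: "ACCEPT" for "Chain INPUT (policy ACCEPT)".
chain_policy() {
    printf '%s\n' "$IPT_OUTPUT" | awk -v c="$1" '
        /^Chain / && $2 == c { gsub(/[()]/, "", $4); print $4 }'
}

# Verdict the first catch-all rule gives a packet that matches nothing specific
# (a NEW connection to a port nobody allowed). Recurses into user chains and
# prints nothing if the chain falls through (RETURN or the built-in policy applies).
catch_all_verdict() {
    chain_rules "$1" | while read -r target prot opt src dst extra; do
        if [ "$prot" != all ] || [ "$src" != 0.0.0.0/0 ] || [ "$dst" != 0.0.0.0/0 ]; then
            continue
        fi
        case "$extra" in
            ""|"[goto]"|reject-with*) ;;   # still matches every packet
            *) continue ;;                # ctstate / port / other match: not catch-all
        esac
        case "$target" in
            ACCEPT|DROP|REJECT) echo "$target"; break ;;
            RETURN) break ;;
            *) v=$(catch_all_verdict "$target")
               if [ -n "$v" ]; then echo "$v"; break; fi ;;
        esac
    done
}

# Effective default for a NEW inbound connection: the first catch-all verdict,
# else the INPUT policy. This is the number that matters, not the header.
effective_default() {
    v=$(catch_all_verdict INPUT)
    echo "${v:-$(chain_policy INPUT)}"
}

# Match text of every ACCEPT rule in an allow chain that admits NEW connections,
# i.e. the only services reachable from outside. $1 = allow chain name.
allowed_new() {
    chain_rules "$1" | awk '$1 == "ACCEPT" && /ctstate NEW/ {
        for (i = 6; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n") }'
}

report() {
    echo "INPUT policy in header:     $(chain_policy INPUT)"
    echo "effective default for NEW:  $(effective_default)"
    echo "NEW connections allowed by IN_public_allow:"
    allowed_new IN_public_allow | sed 's/^/  /'
}
report
```

With the constructed table the report says the header policy is ACCEPT but the effective default for a new connection is REJECT, and only `tcp dpt:22` is reachable; that gap between header and effective verdict is the source of the "default is ACCEPT" impression in the opening post. Run it against `iptables -nvL` rather than `-nL` on a real machine so that interface-bound rules are not mistaken for catch-alls.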
On 15.2 and Tumbleweed (vanilla virtual machine installations) both default to REJECT to public. Please don’t post FUD because people will search for these using Google and think this is true when in fact it’s not.
Then, of course, there’s the whole thing of “zones.” And don’t forget you can assign various processes to various zones and/or custom rules. I’ve always gone with the default setup following install and only tweaked these things as needed, except for a cluster on its own LAN - then I set the LAN IP to “trusted zone” and it seems to work for OpenMPI.