Wireless network specific firewall zone

I am struggling to figure out how I can assign different firewall zones to specific wireless networks. I mean I would like to open ports on my home network but not on a public WiFi for instance. I have looked online but I can’t find anything.

As far as I know you can’t. With the default YaST firewall module you can only set the zone per interface so your WiFi interface will be always in the same zone regardless of what wireless network you connect to. Maybe some add-on to NetworkManager would allow that but I know nothing about it.

Should not be difficult.
All physical network cards are utilized using a network interface, which is the fundamental object used when assigning firewall zones.

But,
You need to clarify what your objectives are.
A wireless network by its nature is transmitted over uncontrollable air space
The problem with using different WiFi networks in different zones is that any client still has access to common air space so might connect to any WiFi network. Zones may not make much difference since the connection medium (air) is uncontrolled.

You might consider the WiFi connection is managed differently and is in addition to conventional 802.3 network management,
WiFi APs can be configured with both promiscuously broadcast SSID or non-broadcast SSID (Could this be what you really want?). The thought is that if the SSID isn’t publicly broadcast, it’s difficult to find, and connect by unauthorized clients.

You should also be aware of port-based firewalls which are commonly used by WiFi commonly referred to as 802.1x.
Perhaps the easiest feature to recognize is that an 802.1x firewall does not issue a client an IP address first before authenticating, you have to authenticate <before> you’re issued an IP address.

An IP tables based firewall like SUSE Firewall is still very useful separating the private business LAN network from the public WiFi network… You’d simply assign your business network to the Internal Zone, and the AP to the DMZ zone.

TSU

I realize that the airspace is open but with something like a WPA key I feel comfortable enough that I can trust all peers on my home network that can submit data and/or understand any transmitted data. When on said encrypted home network I would like to open some ports so that I can communicate with others on this network. In a public WiFi though I would like to just have every port but HTTP blocked for added security. I realize I can protect all the services on my open ports with passwords and so on, but there is a chance that I might have been careless. Blocking all ports by default on public WiFi should mitigate this to a large degree.

Having a different zone for encrypted and open wireless networks would also help but I also don’t trust every single encrypted network that I’m on and would like SSID based zone assignment. This is something that Windows supports very well from my experience and seems very well suited for a basic yet powerful level of protection.

If the fundamental architecture of an iptables FW is likely useless as I tried to describe,
then deploy a solution based on the other concepts for wireless networks I described.

In other words, you won’t likely need to, or necessarily want to set up firewall zones…
Maybe just set up different AP for each network connected to your openSUSE server configured as a basic router.
You can then configure each AP however you wish.

TSU

I don’t know how you would do that but for my own (largely potential - the laptop rarely leaves home) laptop usage, I think ufw (uncomplicated firewall) and gufw (its gui program) is more convenient than the Yast firewall.

I don’t think it can work on a per interface basis as the Yast one does but it does have what it calls profiles for “home”, “office” and “public” with different firewall rules. If I was to take the laptop out, I’d just open the firewall gui and choose “public” from a drop down list.

@tsu2 I think there might be a misunderstanding between us. I am not trying to set up my home server to provide different services on different wireless networks hosted by me. What you are suggesting with regards to such a situation makes perfect sense there. My problem is that I want the firewall on my laptop to block everything when I am connected to something like the network of a hotel where all I might want to do is some light browsing whilst not exposing any ports that I want open on my home network. Now I realize that iptables and zones etc. might not work very well for that but I am basically asking for any solution for OpenSUSE.

@Jon_Freeman your solution does sound interesting. Would it somehow be possible to listen for SSID changes and automate profile switching?

It’s not something I had considered.

My initial thought was that the firewall side would be easy with the profiles but I can’t see how you tell ufw to use a profile from the command line. The only references I’m finding are for application profiles. I’m wondering whether the “home”, “office”, etc profiles are a feature of the gufw GUI with it sending the individual rules to ufw.

I’ve not looked at the other side of the problem, e.g. whether there is something in Network Manager you could use as a trigger.

OK,
So it seems that you are actually looking to configure a wireless network client, and not a network server.
And, you want to configure something like what MS Windows does, which is to apply a security profile depending on whether you’re connecting to a public (untrusted) or private (trusted) network.

Windows Networking does this for a reason, it encourages all machines on a network, even a Workgroup, to share files with each other. I don’t see that to be the same philosophy for Linux clients on a network in general, if you want to serve network shares from a Linux machine, there is typically an involved process setting up security and discovery. Whereas the role and functionality of a Windows machine in a Workgroup often blurs between what is a Server or Client, a Linux box is typically more clear cut with some machines configured with Server roles and others as Clients.

But, understanding <why> Windows Networking does this should provide a starting point whether you would even want the same for your Linux client… Do you intend to set up your machine with Server functionality on a trusted private network but not when connecting to other networks? Only if you answer that question with a “yes” then you might move forward, otherwise there is no point.

I don’t know if anyone has built this type of configuration on Linux.
If no packaged solution already exists, I would consider there could be two types of approaches to build a solution…
Of course, you’d have to start with how wireless connections are defined, and use that as a kind of “master switch” associating defined connections with different iptables rules.
A person could code to wpa_supplicant which is the fundamental and common utility underlying all WiFi capable network managers today, including Gnome Networking Manager which is the most common.
A person could also code to the network manager running on top of wpa_supplicant.

Also, security can be accomplished several different ways.
Consider for instance whether you might be able to accomplish your objectives simply by stopping/disabling undesirable network services when they aren’t needed.

TSU

I just set up my first openSUSE machine yesterday, and this has been bothering me all morning. I found a solution that I hope helps someone. I’m using Tumbleweed so the steps may be slightly different in LEAP.

  • Disable the built-in openSUSE firewall. It is only useful for servers and computers attached to a permanent network.
  • Install firewalld
zypper install firewalld
  • Enable and activate firewalld in Services Manager
  • If you don’t have a wireless tray icon, in Network Settings under Global Options->General Network Settings->Network Setup Method, make sure NetworkManager Service is selected. You should see the wireless icon in your system tray (I did not have a wireless system tray icon after install until I did this)
  • From the wireless tray icon select Configure Network Connections…
  • Select your home wireless connection and click edit, then go to General Configuration->Firewall Zone and select Home.

Firewalld’s documentation is here.

@tsu2 If you carry a laptop between different locations of varying levels of trust, this is a very important feature. You may want to expose services on your machine only when connected to trusted networks, and some devices like printers and scanners, chromecast, wireless projectors, file shares, etc. require permissive firewall settings for discovery. OpenSUSE is the first user-friendly Linux distribution I’ve used that doesn’t seem to support this out of the box.
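The command-line equivalent of the GUI steps in the post above, as an added example that is not from the original poster: a small trust table maps each NetworkManager Wi-Fi profile to a firewalld zone, with every unlisted network falling back to the restrictive default. It assumes NetworkManager manages the Wi-Fi device and firewalld is the active firewall; the connection names and zones are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original thread. Pins each NetworkManager
# Wi-Fi profile to a firewalld zone via the profile's connection.zone setting,
# which is the same field the GUI edits under General Configuration -> Firewall Zone.
# Assumes NetworkManager + firewalld; names below are constructed sample values.
set -eu

# Trust table: NetworkManager connection name -> firewalld zone.
# Any network not listed (hotel, cafe, ...) gets the restrictive default zone.
trusted_zones="HomeNet:home
OfficeNet:work"
default_zone="public"

# Print the zone for a connection name, or the default for unknown networks.
zone_for_connection() {
    zone=$(printf '%s\n' "$trusted_zones" |
        awk -F: -v c="$1" '$1 == c { print $2; exit }')
    printf '%s\n' "${zone:-$default_zone}"
}

# Store the zone in the profile so NetworkManager hands the interface to that
# firewalld zone on every connect, and make the restrictive zone firewalld's
# default for any interface without a profile setting. Set NMCLI / FWCMD to
# "echo" to dry-run without touching the system. Prints the zone applied.
apply_zone() {
    conn=$1
    zone=$(zone_for_connection "$conn")
    "${NMCLI:-nmcli}" connection modify "$conn" connection.zone "$zone"
    "${FWCMD:-firewall-cmd}" --set-default-zone "$default_zone"
    printf '%s\n' "$zone"
}

# Verify: the zone stored in the profile and the zones currently holding an
# interface (firewall-cmd needs root).
check_zone() {
    "${NMCLI:-nmcli}" -g connection.zone connection show "$1"
    "${FWCMD:-firewall-cmd}" --get-active-zones
}

# Usage: sh zones.sh HomeNet
if [ -n "${1:-}" ]; then
    apply_zone "$1"
    check_zone "$1"
fi
```

After connecting to a network, `firewall-cmd --get-active-zones` should list the Wi-Fi interface under the zone from the table, or under `public` for anything unlisted.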