YAST Firewall Unknown network interface

Trying to set up my firewall using YAST.

It didn’t show my wireless card in any of the zones, so I added it to the Internal zone using Interfaces -> Custom. I added Secure Shell Server to the Allowed Services for the internal zone, but when I click Next, I see the following:


 Firewall Starting
   - Enable firewall automatic starting
   - Firewall starts after the configuration has been written

 Internal Zone
  Interfaces
   - 'wlan0' Unknown network interface.
  Open Services, Ports, and Protocols
   - Secure Shell Server

 Demilitarized Zone
   - No interfaces assigned to this zone.

 External Zone
   - No interfaces assigned to this zone.


I clicked Finish and got no errors, and looking in sysconfig shows:


[richard@andromeda-ascendant sysconfig]$ sudo cat SuSEfirewall2 | grep FW_DEV_INT=
FW_DEV_INT="wlan0"

Am I correctly protected?

The real answer can be found via the iptables commands, which is what
SuSEfirewall2 manipulates. For example:


/usr/sbin/iptables-save
/usr/sbin/iptables -nvL

On 08/04/2016 08:36 AM, elijathegold wrote:
> Open Services, Ports, and Protocols


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…
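An added example, not from this thread and not SuSEfirewall2's own tooling, that turns the advice above into a repeatable check: it parses "iptables -nvL" style output and answers two questions for an interface, which zone chain the INPUT chain dispatches it to, and whether that chain accepts a given TCP port. The SAMPLE string is a constructed, trimmed copy of the kind of listing the firewall produces; on a live box feed it the real listing instead. The function names zone_chain_for, chain_accepts_tcp and report are my own.

```shell
#!/bin/sh
# Added example: verify a SuSEfirewall2 zone assignment from `iptables -nvL` output.
# SAMPLE is constructed for this example. On a real system replace it with:
#   SAMPLE=$(sudo /usr/sbin/iptables -nvL)

SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  646 94994 input_int  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    2    80 reject_func  all  --  *      *       0.0.0.0/0            0.0.0.0/0
'

# Which zone chain does INPUT hand packets arriving on interface $1 to?
# Prints the chain name (e.g. input_int). If no rule names the interface,
# the catch-all rule (in = *) is reported, which is input_ext in this layout;
# "none" means no zone chain is reached at all. Columns: $3 target, $6 in.
zone_chain_for() {
    printf '%s\n' "$SAMPLE" | awk -v want="$1" '
        /^Chain INPUT/ { in_input = 1; next }
        /^Chain /      { in_input = 0 }
        in_input && $3 ~ /^input_/ {
            if ($6 == want) { print $3; found = 1; exit }
            if ($6 == "*" && fallback == "") fallback = $3
        }
        END { if (!found) print (fallback == "" ? "none" : fallback) }'
}

# Does zone chain $1 contain an ACCEPT rule for TCP destination port $2?
# Prints yes or no. The regex requires the full port number so that
# port 2 does not match "dpt:22".
chain_accepts_tcp() {
    printf '%s\n' "$SAMPLE" | awk -v chain="$1" -v port="$2" '
        $1 == "Chain" { cur = $2; next }
        cur == chain && $3 == "ACCEPT" && $4 == "tcp" && $0 ~ ("dpt:" port "( |$)") {
            print "yes"; hit = 1; exit
        }
        END { if (!hit) print "no" }'
}

# One-line verdict for an interface and a service port.
report() {
    chain=$(zone_chain_for "$1")
    printf '%s -> %s; tcp/%s accepted: %s\n' \
        "$1" "$chain" "$2" "$(chain_accepts_tcp "$chain" "$2")"
}

report wlan0 22   # wlan0 -> input_int; tcp/22 accepted: yes
report wlan0 80   # wlan0 -> input_int; tcp/80 accepted: no
report eth0 80    # eth0 -> input_ext; tcp/80 accepted: yes
```

On a live listing the pkts column on the input_int line is the extra piece of evidence the summary screen cannot give you: a non-zero count there means traffic on that interface really is being dispatched through the internal-zone chain rather than falling through to input_ext.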

So, this tells me absolutely nothing!


Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
20747   26M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
  646 94994 input_int  all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-IN-ILL-TARGET "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT 15288 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           

Chain forward_ext (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain forward_int (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain input_int (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3   687 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 4
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INint-ACC-TCP "
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
  641 94227 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = multicast
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            PKTTYPE = broadcast
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
    2    80 reject_func  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain reject_func (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    2    80 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-proto-unreachable

I’m none the wiser, but now I have a headache, so I’m thinking of installing ufw because I understand that, rotfl!

wlan0 is part of input_int (internal zone).

You’re good!

On 08/04/2016 09:26 AM, elijathegold wrote:
> 646 94994 input_int all -- wlan0 * 0.0.0.0/0 0.0.0.0/0



Fantastic. Ufw is easier to understand though!

On 08/04/2016 01:46 PM, elijathegold wrote:
>
> Fantastic. Ufw is easier to understand though!

Most things we already know seem that way.



There’s no doubting the general truth of this; however, if I had any, I would bet money that someone who had previously seen neither would find the output of # ufw status verbose easier to follow. The “u” stands for uncomplicated and it does manage to live up to that.

On 08/05/2016 04:16 PM, elijathegold wrote:
>
> ab wrote:
>> Most things we already know seem that way.
>
> There’s no doubting the general truth of this; however, if I had any, I
> would bet money that someone who had previously seen neither would find
> the output of # ufw status verbose easier to follow. The “u” stands
> for uncomplicated and it does manage to live up to that.

Yes, I’m sure that’s the case, though Yast (relatively uncomplicated) was
also providing that benefit, but with (in my opinion) another benefit of
being built on iptables, so allowing you to do complicated things too.
SUSE (and openSUSE) tries to strike this balance a lot, and it’s a lot of
work, so that those who are new can get things done, and those who need
all of the power of iptables are not locked out. I’m not meaning UFW
cannot do this, as I have no idea.

Two more things:

I think you’ll find the output of this command useful. It’s basically
what you saw in your summary screen, but you can get at it interactively
and it seems to work for me:


yast firewall interfaces show

Keep in mind that if something is not explicitly defined one way or
another, by default it is in the external (EXT) zone, since that’s
presumably the most-locked/secure zone.

Also, if you (as I do) find the Yast summary confusing (leading to your
original post) I’d encourage you to open a bug against that in Bugzilla (
https://bugzilla.opensuse.org/ ). The credentials should be identical to
those used to get into these forums via the HTTP/web interface. Feel free
to cite this thread and hopefully the maintainer of that module of Yast
can make things a bit clearer.

Take care.


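The "not listed anywhere means external" rule from the reply above, as an added example that is not part of the thread and is not SuSEfirewall2's own parser: it reads FW_DEV_INT, FW_DEV_DMZ and FW_DEV_EXT from a constructed stand-in for /etc/sysconfig/SuSEfirewall2 (the CONFIG string; on a real box load the file instead) and reports which zone each interface lands in. The function names fw_dev and zone_of are mine, and the script implements only the listed-or-default rule stated in the thread, not every keyword the real configuration file accepts.

```shell
#!/bin/sh
# Added example: which SuSEfirewall2 zone does an interface end up in?
# CONFIG is a constructed stand-in for /etc/sysconfig/SuSEfirewall2.
# On a real system use:  CONFIG=$(cat /etc/sysconfig/SuSEfirewall2)
# The commented-out FW_DEV_INT line is deliberate: it must be ignored.

CONFIG='## Path:        Network/Firewall/SuSEfirewall2
#FW_DEV_INT="eth1"
FW_DEV_EXT=""
FW_DEV_INT="wlan0"
FW_DEV_DMZ=""
FW_SERVICES_INT_TCP="22"
'

# Value of FW_DEV_<ZONE> ($1 = EXT, INT or DMZ) with the quotes stripped.
# Only uncommented assignments at the start of a line count, and the last
# one wins, which is how the shell-style sysconfig file is actually read.
# (A plain grep FW_DEV_INT= would also match the commented-out line.)
fw_dev() {
    printf '%s\n' "$CONFIG" | sed -n "s/^FW_DEV_$1=\"\\(.*\\)\"\$/\\1/p" | tail -n 1
}

# Zone of interface $1: int, dmz or ext when it is explicitly listed
# (values may hold several space-separated interfaces), otherwise
# "ext(default)", the most restrictive zone, as the thread states.
# This models only that rule, not any special keywords of the real parser.
zone_of() {
    for z in INT DMZ EXT; do
        for dev in $(fw_dev "$z"); do
            if [ "$dev" = "$1" ]; then
                printf '%s\n' "$z" | tr '[:upper:]' '[:lower:]'
                return 0
            fi
        done
    done
    echo "ext(default)"
}

for i in wlan0 eth0 eth1; do
    printf '%s: %s\n' "$i" "$(zone_of "$i")"
done
# wlan0: int
# eth0: ext(default)
# eth1: ext(default)
```

Pair this with the iptables listing before trusting it: the sysconfig file is only the intent, and an interface that is unknown to the system at the time the rules are written (the "Unknown network interface" warning in the summary) still needs the matching input_int dispatch rule to show up in INPUT.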