YaST Firewall

Hi,

I’m coming from Debian and I’m used to configuring a basic firewall with nftables, but apparently openSUSE has got its own firewall.
So I was wondering the following:

  • which packet filter framework does the YaST firewall use -> iptables or nftables?
  • what are the default settings → block all incoming, allow all outgoing, …?

Thank you

By default, openSUSE Leap 15.x is using the firewalld firewall implementation (firewall backend is using iptables under the hood).

Some useful references:
https://en.opensuse.org/Firewalld

  • what are the default settings -> block all incoming, allow all outgoing, …?

The default zone for external interfaces is ‘public’ zone (if not otherwise explicitly configured).

https://www.cyberciti.biz/faq/set-up-a-firewall-using-firewalld-on-opensuse-linux/#zones

BTW, firewalld 0.6.0 onwards uses nftables as the default backend, and openSUSE Leap 15.2 is using firewalld 0.5.5, so one would need to upgrade it in order to support nftables.
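Added example, not part of the original posts: a shell sketch of the backend rule described above, where firewalld before 0.6.0 always uses iptables and later versions honour the `FirewallBackend` key in `/etc/firewalld/firewalld.conf`, defaulting to nftables. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# version_ge A B: succeed if dotted numeric version A >= B.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# conf_value KEY FILE: print the last uncommented KEY=value, or nothing.
conf_value() {
    [ -r "$2" ] || return 0
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2" |
        tail -n1 | tr -d '[:space:]'
}

# firewalld_backend VERSION [CONF]: print the backend that version would use.
firewalld_backend() {
    ver=$1
    conf=${2:-/etc/firewalld/firewalld.conf}
    if ! version_ge "$ver" 0.6.0; then
        echo iptables            # no nftables backend before 0.6.0
        return 0
    fi
    backend=$(conf_value FirewallBackend "$conf")
    echo "${backend:-nftables}"  # nftables is the default from 0.6.0 on
}

# Constructed sample config (not taken from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample firewalld.conf
DefaultZone=public
FirewallBackend=iptables
EOF

echo "0.5.5 (Leap 15.2):        $(firewalld_backend 0.5.5 "$sample")"
echo "0.9.0, backend pinned:    $(firewalld_backend 0.9.0 "$sample")"
echo "0.9.0, no config present: $(firewalld_backend 0.9.0 /nonexistent/firewalld.conf)"
echo "default zone in sample:   $(conf_value DefaultZone "$sample")"
# On a real host: firewalld_backend "$(firewall-cmd --version)"
```

An explicit `FirewallBackend=iptables` keeps the iptables backend even on a newer firewalld, so check the config after upgrading the package.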

thank you, that was very helpful

Just 1 more question, if I were to upgrade firewalld, what would be the best/safest way to do this? Through OBS?

Happy to be of guidance.

Just 1 more question, if I were to upgrade firewalld, what would be the best/safest way to do this? Through OBS?

Yes, you can. The security:netfilter repo offers version 0.9.0 currently…
https://software.opensuse.org/package/firewalld
*Refer to 'Show experimental packages' for the appropriate openSUSE release

Ok I’m afraid I have 1 more question :)
If it is experimental, can I trust its stability?

Yes, that’s not really a good description of the packages offered by that repo IMHO. The openSUSE Leap releases are characterised by a stable release built with a frozen set of packages following a reasonable level of testing involving the community as well. In general, a given release gets updated with security and bugfix updates only. However, sometimes users will have a need for a particular software version, and can subscribe to the appropriate repo(s) for this.

Some further explanation here…
https://en.opensuse.org/openSUSE:Packaging_for_Leap

FWIW, a similar discussion that may be of interest…
https://www.reddit.com/r/openSUSE/comments/efoym9/safety_of_experimental_vs_community_packages/

Super, thank you

I’ve got some more questions about downloading from extra repos, but I’ll ask it in another thread ;)