SuSEfirewall2
About
SuSEfirewall2 is basically a script that generates iptables rules from configuration stored in the /etc/sysconfig/SuSEfirewall2 file. SuSEfirewall2 protects you from network attacks by rejecting or dropping some unwanted packets that reach your network interface.
For more advanced configurations, firewall offers three different zones to which you can assign your network interface. This enables SuSEfirewall2 to act also as a network router between three different networks or rather a LAN server that provides masquerading to the Internet (or other network).
+---------------------+
| every Firewall Zone |
+----------+----------+
           |
           +--> [ Has assigned Network interfaces ]
           |
           +--> [ Has defined Allowed Services ]
Configuration
To configure SuSEfirewall2, either
- edit the /etc/sysconfig/SuSEfirewall2 file manually and call
or
- use YaST configuration module described at YaST_Firewall page.
Please note that the current YaST_Firewall neither shows nor lets you configure all settings of the firewall. This includes at least the reject configuration (at least one reject setting is activated by default).
Features
Although SuSEfirewall2 has many features, YaST obviously can't configure all of them. The configuration file itself documents every single feature.
If a particular variable accepts more than one entry, the entries are separated by spaces.
Example:
FW_VARIABLE="value1 value2 value3,with,more,parameters"
Firewall Zones
SuSEfirewall2 has three different zones by default:
- EXT - External Zone (ie untrusted, Internet)
- INT - Internal Zone (fully trusted, no filtering, LAN)
- DMZ - Demilitarized Zone (for servers that should be reachable from the Internet)
A network interface is assigned to a zone by adding its name to one of the FW_DEV_zone variables, where zone is one of the configured zones.
Examples:
FW_DEV_EXT="dsl0"
FW_DEV_EXT="any wlan0"
FW_DEV_INT="eth0 wlan1"
The special string any tells SuSEfirewall2 to assign all interfaces that are not listed anywhere to the specified zone. By default, all unassigned interfaces are automatically assigned to the external zone.
The variable FW_ZONES can be used to define additional zones. For example, if you don't want the restrictive filtering of the external zone in your WLAN, but also don't fully trust the WLAN so you can't use the internal zone, you could define a new zone:
FW_ZONES="wlan"
FW_DEV_wlan="ra0"
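The resolution rules above (an explicit listing wins, then a zone carrying any, then the external zone) as an added illustration in shell; this is not SuSEfirewall2's own lookup code, and the sample FW_DEV_* values are constructed for the example:

```shell
#!/bin/sh
# Added illustration of how FW_DEV_<zone> values resolve an interface to a zone.
# Not SuSEfirewall2's own code. Sample configuration (constructed):
FW_ZONES="wlan"
FW_DEV_EXT="any dsl0"
FW_DEV_INT="eth0 wlan1"
FW_DEV_DMZ=""
FW_DEV_wlan="ra0"

# Print the zone an interface belongs to: an interface listed by name wins,
# otherwise the zone whose FW_DEV_* contains "any", otherwise EXT.
zone_of_interface() {
    iface=$1
    any_zone=""
    for zone in EXT INT DMZ $FW_ZONES; do
        # read FW_DEV_<zone> by name; an undefined variable reads as empty
        devs=$(eval "printf '%s' \"\$FW_DEV_$zone\"")
        for d in $devs; do
            [ "$d" = "$iface" ] && { echo "$zone"; return 0; }
            [ "$d" = "any" ] && any_zone=$zone
        done
    done
    echo "${any_zone:-EXT}"
}

for i in eth0 ra0 dsl0 eth5; do
    echo "$i -> $(zone_of_interface "$i")"
done
```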
Allowing Access to Services
Every firewall zone can allow four types of services:
- TCP - FW_SERVICES_EXT_TCP, FW_SERVICES_INT_TCP, FW_SERVICES_DMZ_TCP
- UDP - FW_SERVICES_EXT_UDP, FW_SERVICES_INT_UDP, FW_SERVICES_DMZ_UDP
- RPC - FW_SERVICES_EXT_RPC, FW_SERVICES_INT_RPC, FW_SERVICES_DMZ_RPC
- IP - FW_SERVICES_EXT_IP, FW_SERVICES_INT_IP, FW_SERVICES_DMZ_IP
TCP and UDP services can be entered by port number, by port name (the current assignment can be found in the /etc/services file on your system), or as a port range written as two port numbers with a colon in between.
Examples:
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514"
FW_SERVICES_EXT_UDP="631 400:405"
Alternatively packages may provide a configuration file that describes which ports need to be opened to run a specific service, see SuSEfirewall2/Service_Definitions_Added_via_Packages. Using this method is especially convenient if a service needs multiple ports.
More Restricted Access to Services
The above mentioned way to allow access to services is not very restrictive: a service is either allowed or not. There is a parameter that can be set to allow more restrictive access to a service. However, the above definitions of allowed services take precedence over the definitions mentioned below when the same port is used. These are:
- FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT, FW_SERVICES_ACCEPT_DMZ
For each service these parameters take 4 positional parameters and additional keyword parameters, also called flags.
So the format is a space-separated list of net,protocol[,dport[,sport[,flags]]]
Example:
FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"   # This 0.0.0.0/0 restricts access to IPv4 only
Supported flags are:
- hitcount=NUMBER : ipt_recent --hitcount parameter
- blockseconds=NUMBER : ipt_recent --seconds parameter
- recentname=NAME : ipt_recent --name parameter
Example:
# Allow max three ssh connects per minute from the same IP address somewhere in the Internet:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
# This 0/0 allows access via both IPv4 and IPv6
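To make the net,protocol[,dport[,sport[,flags]]] format and the ipt_recent flags concrete, here is an added shell illustration that turns FW_SERVICES_ACCEPT_EXT entries into the iptables rules they roughly stand for. It is not SuSEfirewall2's own rule generator; the chain name input_ext and the exact layout of the recent-module rules are assumptions made for this example.

```shell
#!/bin/sh
# Added illustration, not SuSEfirewall2's own generator: translate entries of
# FW_SERVICES_ACCEPT_<zone> (net,protocol[,dport[,sport[,flags]]]) into iptables
# rules. Chain name "input_ext" and the recent-rule layout are assumptions.

# Print the iptables rule(s) for one entry; return 1 on a malformed entry.
accept_entry_to_rule() {
    entry=$1
    net=$(printf '%s\n' "$entry" | cut -s -d, -f1)
    proto=$(printf '%s\n' "$entry" | cut -s -d, -f2)
    dport=$(printf '%s\n' "$entry" | cut -s -d, -f3)
    sport=$(printf '%s\n' "$entry" | cut -s -d, -f4)
    flags=$(printf '%s\n' "$entry" | cut -s -d, -f5- | tr ',' ' ')
    if [ -z "$net" ] || [ -z "$proto" ]; then
        echo "bad entry (need at least net,protocol): $entry" >&2; return 1
    fi
    match="-A input_ext -s $net -p $proto"
    [ -n "$dport" ] && match="$match --dport $dport"
    [ -n "$sport" ] && match="$match --sport $sport"

    hits=""; secs=""; name="DEFAULT"   # DEFAULT is the recent module's default list
    for flag in $flags; do
        case $flag in
            hitcount=*)     hits=${flag#hitcount=} ;;
            blockseconds=*) secs=${flag#blockseconds=} ;;
            recentname=*)   name=${flag#recentname=} ;;
            *) echo "unknown flag '$flag' in: $entry" >&2; return 1 ;;
        esac
    done
    if [ -n "$hits" ] && [ -n "$secs" ]; then
        # Rate limit: drop once hitcount packets from the source were seen within
        # blockseconds, otherwise record the source in the list and accept.
        echo "iptables $match -m recent --name $name --update --seconds $secs --hitcount $hits -j DROP"
        echo "iptables $match -m recent --name $name --set -j ACCEPT"
    else
        echo "iptables $match -j ACCEPT"
    fi
}

# Expand a whole space-separated FW_SERVICES_ACCEPT_<zone> value.
accept_list_to_rules() {
    for e in $1; do
        accept_entry_to_rule "$e" || return 1
    done
}

accept_list_to_rules "0.0.0.0/0,tcp,22 0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
```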
Masquerading
...
Example:
- Allow the network on the internal interface full access to the net.
- Allow the DMZ network full access to the net.
FW_MASQ_NETS="10.1.1.0/24 192.168.1.0/24"
Forwarding to Masqueraded Hosts
...
Transparent Redirection
...
Logging
...
HTB - Tuning Maximum Upload Speed
...
IPv6
Internet Protocol version 6 (IPv6) configuration has the following items:
- IPv6 support - FW_IPv6 (yes/no)
- IPv6 outgoing configuration - FW_IPv6_REJECT_OUTGOING ([yes]/no/drop)
Examples:
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="no"
- When FW_IPv6 is left empty, it defaults to whatever IPv6 support the kernel provides.
- The default for FW_IPv6_REJECT_OUTGOING is yes (rejecting).
To allow forwarding from an IPv6 subnet behind SuSEfirewall2, set FW_FORWARD="[your IPv6 prefix]/64,2000::/3"
Custom Rules
This is an example of using custom rules to disable martian sources logging without intrusive changes. Unfortunately, the standard way to disable martian sources logging is to set FW_SECURITY to "no", but that choice also switches off several other security options. The following configuration creates a custom rules file that makes the necessary changes to the system configuration.
- $ cp /etc/sysconfig/scripts/SuSEfirewall2-custom /root/bin/
- Run YaST's /etc/sysconfig editor
- Set Network->Firewall->SuSEfirewall2->FW_CUSTOMRULES to /root/bin/SuSEfirewall2-custom
- Edit /root/bin/SuSEfirewall2-custom. In our example, we want to add some code to the fw_custom_after_finished function:
fw_custom_after_finished() {
    # these are the rules to be loaded after the firewall is fully configured
    # setproc is the helper from the SuSEfirewall2 script that writes a value into a /proc entry
    for i in /proc/sys/net/ipv4/conf/*; do
        setproc 0 $i/log_martians
    done
    true
}
Have a look at /usr/sbin/SuSEfirewall2 to see exactly what can be done and at what point of the script.
Non-working items
- SuSEfirewall2 does not support all its features on IPv6.
- List of non-working keywords:
- FW_TRUSTED_NETS
- FW_SERVICES_ACCEPT_EXT
- ... (Feel free to add more)
Further reading
Please see /usr/share/doc/packages/SuSEfirewall2/ content, from SuSEfirewall2 package.