SuSEfirewall2
From openSUSE
About
SuSEfirewall2 is a stateful network packet filter, also known as a firewall. It is a script that generates iptables rules from the configuration stored in the /etc/sysconfig/SuSEfirewall2 file. SuSEfirewall2 protects you from network attacks by rejecting or dropping unwanted packets that reach your network interface.
For more advanced setups, the firewall offers three different zones to which you can assign your network interfaces. This lets SuSEfirewall2 also act as a network router between three different networks, or as a LAN server that provides masquerading to the Internet (or another network).
+---------------------+
| every Firewall Zone |
+----------+----------+
           |
           +--> [ Has assigned Network interfaces ]
           |
           +--> [ Has defined Allowed Services ]
Configuration
To configure SuSEfirewall2, either
- edit /etc/sysconfig/SuSEfirewall2 file manually and call
/sbin/SuSEfirewall2
or
- use YaST configuration module described at YaST_Firewall page
Please note that the current YaST_Firewall module neither shows nor lets you configure all settings of the firewall. This includes at least the reject configuration (at least one such setting is activated by default).
Features
Although SuSEfirewall2 has many features, YaST obviously can't configure all of them. The configuration file itself documents every single feature.
If a particular variable accepts more than one entry, the entries are separated by spaces.
Example: FW_VARIABLE="value1 value2 value3,with,more,parameters"
Firewall Zones
SuSEfirewall2 has three different zones:
- EXT - External (untrusted, Internet) FW_DEV_EXT
- INT - Internal (trusted) FW_DEV_INT
- DMZ - Demilitarized zone FW_DEV_DMZ
Assign your network interfaces to the particular zones according to your needs. If you have only one network interface, it is a good choice to assign it to the External zone. A network interface is assigned to a zone by adding the interface name to the zone's variable.
Examples:
FW_DEV_EXT="eth-id-00:e0:4c:9f:61:9a"
FW_DEV_EXT="any eth-id-00:e0:4c:9f:61:9a"
FW_DEV_INT="eth5 eth6"
Furthermore, the external zone has a special security feature. If you add the string any there, all network interfaces that are not explicitly assigned to any zone (including interfaces that appear in the future) are assigned to the external zone.
Allowing Access to Services
Every firewall zone can allow four types of services:
- TCP - FW_SERVICES_EXT_TCP, FW_SERVICES_INT_TCP, FW_SERVICES_DMZ_TCP
- UDP - FW_SERVICES_EXT_UDP, FW_SERVICES_INT_UDP, FW_SERVICES_DMZ_UDP
- RPC - FW_SERVICES_EXT_RPC, FW_SERVICES_INT_RPC, FW_SERVICES_DMZ_RPC
- IP - FW_SERVICES_EXT_IP, FW_SERVICES_INT_IP, FW_SERVICES_DMZ_IP
TCP and UDP services can be entered by port number, by port name (the current assignments can be found in the /etc/services file on your system), or as a port range written as two port numbers with a colon in between.
Examples:
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514"
FW_SERVICES_EXT_UDP="631 400:405"
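The zone and service rules above can be checked before calling /sbin/SuSEfirewall2. The script below is an added example, not part of SuSEfirewall2 or openSUSE: it sources a sysconfig-style file (the demo file, its path and its interface names are constructed for the example), validates every TCP/UDP entry against the port/name/range rule, and reports an interface that is listed in more than one zone.

```shell
#!/bin/sh
# Added sanity check for a SuSEfirewall2 sysconfig file (not SuSEfirewall2's own code).
# It sources the file (plain shell assignments, as in /etc/sysconfig/SuSEfirewall2).
# A service entry is valid if it is a port number 1-65535, a name found in
# /etc/services, or a numeric range low:high with low <= high.
valid_service() {
  case "$1" in
    *:*)
      low=${1%%:*}; high=${1#*:}
      case "$low"  in ''|*[!0-9]*) return 1 ;; esac
      case "$high" in ''|*[!0-9]*) return 1 ;; esac
      [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] ;;
    '') return 1 ;;
    *[!0-9]*)
      # not numeric: must be a service name that /etc/services knows about
      awk -v n="$1" '$1 == n { ok = 1 } END { exit !ok }' /etc/services 2>/dev/null ;;
    *) [ "$1" -ge 1 ] && [ "$1" -le 65535 ] ;;
  esac
}

# Check the sysconfig file $1: print every problem found, return 1 if there were any.
# Sourcing runs the file as shell code, so only point it at your own config.
check_config() {
  (
    . "$1" || exit 1
    rc=0
    for zone in EXT INT DMZ; do
      for proto in TCP UDP; do
        eval list=\$FW_SERVICES_${zone}_${proto}
        for entry in $list; do
          valid_service "$entry" || { echo "bad $proto entry in zone $zone: $entry"; rc=1; }
        done
      done
    done
    # an interface name (other than the 'any' keyword) should appear in one zone only
    dups=$(printf '%s\n' $FW_DEV_EXT $FW_DEV_INT $FW_DEV_DMZ | grep -v '^any$' | sort | uniq -d)
    [ -z "$dups" ] || { echo "interface assigned to more than one zone: $dups"; rc=1; }
    exit $rc
  )
}

# Constructed demo config (hypothetical interface names) with two deliberate mistakes:
# eth0 is in both EXT and INT, and 65536 is not a port.
write_demo_config() {
  f=${TMPDIR:-/tmp}/SuSEfirewall2.demo
  printf '%s\n' 'FW_DEV_EXT="any eth0"' 'FW_DEV_INT="eth1 eth0"' \
    'FW_SERVICES_EXT_TCP="ssh 22 512:514"' 'FW_SERVICES_EXT_UDP="631 400:405 65536"' >"$f"
  echo "$f"
}
check_config "$(write_demo_config)" || echo "demo config has problems (expected)"
```

Service names are accepted only if /etc/services on the checking machine lists them, which mirrors where SuSEfirewall2 resolves them.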
Masquerading
... Example:
- Allow the network on the internal interface full access to the net.
- Allow the DMZ network full access to the net.
FW_MASQ_NETS="10.1.1.0/24 192.168.1.0/24"
Forwarding to Masqueraded Hosts
...
Transparent Redirection
...
Logging
...
HTB - Tuning Maximum Upload Speed
...
IPv6
Internet Protocol version 6 (IPv6) configuration has the following items:
- IPv6 support - FW_IPv6 (yes/no)
- IPv6 outgoing configuration - FW_IPv6_REJECT_OUTGOING ([yes]/no/drop)
Examples:
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="no"
- When FW_IPv6 is left empty, it defaults to the IPv6 support provided by the kernel.
- The default for FW_IPv6_REJECT_OUTGOING is yes (rejecting).