SuSEfirewall2/Service Definitions Added via Packages
About
This article describes how to use and support SuSEfirewall2 service definitions (e.g., Samba Server) written as special sysconfig files.
Some complex services need many different TCP, UDP or RPC ports opened, need particular IP protocols allowed, or need incoming broadcasts accepted on some ports. Several services may also share ports with each other (portmap, for example). Once such ports have been opened one by one in the firewall, it is hard to remember which port belongs to which service.
This feature (available in SuSEfirewall2 since openSUSE 10.2 and in YaST Firewall since openSUSE 10.3) lets you define one simple configuration file per service. The services are then referenced in special SuSEfirewall2 configuration variables, one variable per firewall zone.
Why Are Service Definitions Contained in More Packages?
A static list of services does not scale to a large number of service definitions. Instead, the set of available services is tied to the packages that are currently installed.
If apache2 is not installed, there is no need to offer an HTTP Server entry in the YaST Firewall user interface or to fill the services directory with configuration that will never be used.
How To Define a New Service?
All service definitions are stored in /etc/sysconfig/SuSEfirewall2.d/services and /usr/share/SuSEfirewall2/services. A service definition file should belong to the RPM package of the service it describes, and its file name should reflect the package name or the name of the daemon to avoid conflicts with other packages.
Use the file /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE as a template.
Example
This is an example Samba Server service definition, which could be written to /etc/sysconfig/SuSEfirewall2.d/services/samba-server (the samba package contains both client and server functionality, so the file name names the server part):
## Name: Samba Server
## Description: Opens ports for Samba Server with broadcast allowed.
# space separated list of allowed TCP ports
TCP="netbios-ssn microsoft-ds"
# space separated list of allowed UDP ports
UDP="netbios-ns netbios-dgm"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST="netbios-ns netbios-dgm"
The lines that matter are the variable assignments and the two header comments. The Name header (hidden from the shell by the two # characters, but parsed by YaST) is the label displayed in the YaST Firewall user interface.
This example opens TCP ports 139 and 445 and UDP ports 137 and 138, and allows broadcasts on UDP ports 137 and 138.
UDP ports that need to accept broadcasts have to be listed in both UDP and BROADCAST, because SuSEfirewall2 can be configured to accept unicast packets but drop broadcasts. The external zone drops broadcasts by default.
Supported Formats
There are several formats that are allowed in the configuration values.
Port Names - e.g., netbios-ns, allowed in TCP, UDP and BROADCAST.
Port Numbers - e.g., 137, allowed in TCP, UDP and BROADCAST.
Port Ranges - e.g., 200:250, allowed in TCP, UDP and BROADCAST.
RPC Service Names - e.g., ypbind, allowed in RPC (these services dynamically occupy free ports, which is why they are identified by the name of the program that listens on the port rather than by a port number).
IP Protocol Names - e.g., esp, allowed in IP.
## Name: Exemplary Service
## Description: Opens several ports and makes your system insecure
TCP="ssh 13:20 http 130:150 32000:38000"
UDP="netbios-ns 150:300"
RPC="portmap nlockmgr mountd nfs nfs_acl"
IP="esp"
BROADCAST="netbios-ns netbios-dgm"
How To Use The Service In Firewall Configuration?
This is very simple. There are three special variables in the /etc/sysconfig/SuSEfirewall2 configuration file: FW_CONFIGURATIONS_EXT, FW_CONFIGURATIONS_DMZ and FW_CONFIGURATIONS_INT. Write the file name of the service definition (without any directory) into the variable of the zone in which the service should be reachable; several names are separated by spaces.
Example
FW_CONFIGURATIONS_DMZ="samba-server"
FW_CONFIGURATIONS_EXT="bind apache2 lukemftp"
This example uses four defined services: Samba Server is allowed in the demilitarized zone, and the other three (bind, apache2 and lukemftp) in the external zone.
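The following script is an added example and is not code from SuSEfirewall2 or YaST. It ties the two halves of this article together: it reads the FW_CONFIGURATIONS_<ZONE> variables from a SuSEfirewall2 configuration, locates every named service definition in the two directories given above, lints the definition (only the five known assignments are accepted, and every BROADCAST port must also appear in UDP), and prints which ports each zone actually opens. The directories, configuration file and service files used in the demo are constructed in a temporary directory; on a real system the paths are /etc/sysconfig/SuSEfirewall2, /etc/sysconfig/SuSEfirewall2.d/services and /usr/share/SuSEfirewall2/services.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2/YaST code. Resolves FW_CONFIGURATIONS_<ZONE>
# to service definition files, lints them and lists the ports each zone opens.
# All sample files below are constructed for the demo.

# port_number NAME|NUMBER|RANGE: resolve a service name through /etc/services
# (getent, when present); numbers and ranges such as 200:250 pass unchanged.
port_number() {
    case $1 in
        *[!0-9:]*)
            if command -v getent >/dev/null 2>&1; then
                n=$(getent services "$1" 2>/dev/null | awk '{split($2, a, "/"); print a[1]; exit}')
                if [ -n "$n" ]; then echo "$n"; return 0; fi
            fi
            echo "$1" ;;   # unresolved name: keep it as-is
        *) echo "$1" ;;
    esac
}

# check_service_def FILE: 0 if the definition is well formed, 1 otherwise.
# The file is shell syntax that SuSEfirewall2 sources as root, so only the five
# known assignments with plain quoted values are accepted; anything else
# (a command, $(...), backticks) is rejected before the file is ever sourced.
check_service_def() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read" >&2; return 1; }
    bad=$(grep -v -E '^[[:space:]]*#|^[[:space:]]*$' "$f" \
          | grep -v -E '^(TCP|UDP|RPC|IP|BROADCAST)="[^"$`\\]*"$' || true)
    if [ -n "$bad" ]; then
        printf '%s: unexpected content:\n%s\n' "$f" "$bad" >&2
        return 1
    fi
    # Rule from the article: a broadcast port must also be listed in UDP,
    # otherwise unicast is accepted but the broadcasts are still dropped.
    ( TCP= UDP= RPC= IP= BROADCAST=
      . "$f"
      rc=0
      for p in $BROADCAST; do
          case " $UDP " in
              *" $p "*) ;;
              *) echo "$f: BROADCAST port '$p' is missing from UDP" >&2; rc=1 ;;
          esac
      done
      exit $rc )
}

# find_service_def NAME DIR...: print the path of the first matching file.
find_service_def() {
    name=$1; shift
    for d in "$@"; do
        if [ -f "$d/$name" ]; then echo "$d/$name"; return 0; fi
    done
    return 1
}

# zone_ports ZONE CONFIG DIR...: print "ZONE PROTO PORT SERVICE" for every
# TCP/UDP entry of the services listed in FW_CONFIGURATIONS_<ZONE>.
# Returns 1 if a listed service is missing or fails check_service_def.
zone_ports() {
    zone=$1; cfg=$2; shift 2
    names=$(sed -n "s/^FW_CONFIGURATIONS_$zone=\"\(.*\)\"$/\1/p" "$cfg")
    rc=0
    for n in $names; do
        f=$(find_service_def "$n" "$@") || { echo "$zone: no definition for '$n'" >&2; rc=1; continue; }
        check_service_def "$f" || { rc=1; continue; }
        ( TCP= UDP=; . "$f"
          for p in $TCP; do echo "$zone TCP $(port_number "$p") $n"; done
          for p in $UDP; do echo "$zone UDP $(port_number "$p") $n"; done )
    done
    return $rc
}

# --- constructed demo data (not from any package) ---
SVCDIR=$(mktemp -d); mkdir "$SVCDIR/etc" "$SVCDIR/share"
CONFIG=$SVCDIR/SuSEfirewall2
cat > "$SVCDIR/etc/samba-server" <<'EOF'
## Name: Samba Server
TCP="netbios-ssn microsoft-ds"
UDP="netbios-ns netbios-dgm"
BROADCAST="netbios-ns netbios-dgm"
EOF
cat > "$SVCDIR/share/apache2" <<'EOF'
## Name: HTTP Server
TCP="http https"
EOF
# Broken on purpose: netbios-dgm is in BROADCAST but not in UDP.
cat > "$SVCDIR/share/broken" <<'EOF'
UDP="netbios-ns"
BROADCAST="netbios-ns netbios-dgm"
EOF
# Hostile on purpose: a command substitution would run as root when sourced.
printf 'TCP="$(id)"\n' > "$SVCDIR/share/evil"
cat > "$CONFIG" <<'EOF'
FW_CONFIGURATIONS_DMZ="samba-server"
FW_CONFIGURATIONS_EXT="apache2 broken evil missing"
EOF
zone_ports DMZ "$CONFIG" "$SVCDIR/etc" "$SVCDIR/share" && echo "DMZ: ok"
zone_ports EXT "$CONFIG" "$SVCDIR/etc" "$SVCDIR/share" || echo "EXT: configuration has problems"
```

Run as-is to see the DMZ zone resolved to Samba's four ports and the EXT zone rejected three times over (a broadcast port missing from UDP, a definition containing $(...), and a name with no file). The content check deliberately runs before the file is sourced: service definitions are plain shell read by a root process, so a package that ships one should never let arbitrary lines through.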