Hi, btw people, SuSEfirewall/firewals v3.2 is available at www.suse.de/~marc
better to stick with rc.config as a bunch of variables and ask SuSE to extend the firewall script like sketched below (didn't
Yes please - Marc??
+# optional(?): empty function body as a fallback, +# would be overridden when sourcing the specified script +fw_custom_rules() { + # EMPTY +} + +# make use of what the user supplies us with +[ -r "$FW_CUSTOMRULES" ] && . "$FW_CUSTOMRULES"
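Review bot: `[ -r "$FW_CUSTOMRULES" ]` only checks that the file is readable, yet the script sources it as root, so whoever can write that file can run anything with root privileges; before the `. "$FW_CUSTOMRULES"` line, also require that the path is absolute, that the target is a regular file (not a symlink), and that it is owned by root and not writable by group or others, refusing to source it otherwise. The `&&` list also leaves a nonzero exit status when the variable is empty, which matters if the script ever runs under `set -e`; an explicit `if ... then ... fi` avoids that. Defining the empty `fw_custom_rules()` before the sourcing line is the right order, since the sourced file is meant to override it.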
Excellent idea. If $FW_CUSTOMRULES were sourced at the location in SuSEfirewall from which I called fw_custom_rules, the need to call a function would go away.
I already thought heavily about adding "hooks" where people can plug in customized rules. But I realized that it is hopeless: where should they be loaded? The problem is that the firewals script tries to be perfect, hence the rule setup is pretty complicated. No easy way to make a hook somewhere which will satisfy more than 50% of the people who want this feature, I think. If you can come up with a good idea or solution, or point me to the location in the file which you think would be the best place to install such a hook, tell me.
+# script's filename with local rules in addition to or as a +# substitute for what can be done with the FW_* variables +# e.g. FW_CUSTOMRULES=/sbin/init.d/rc.d/firewall.custom +FW_CUSTOMRULES=""
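Review bot: the comment in this hunk begins mid-sentence ("script's filename with local rules ..."), so the line that introduces the variable name appears to have been lost from the quoted patch; make sure the first comment line survives in the final version. Since the file named here is sourced by a root-run script, the comment should also say so and state the ownership and permission expectations, and the example path should match where the reply says the file belongs (a file under /etc/rc.config.d rather than /sbin/init.d/rc.d/firewall.custom).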
Yes, but I'd put it into firewall.rc.config.
The FW_CUSTOMRULES config would be in firewall.rc.config; however, the custom file should be /etc/rc.config.d/firewall.custom.rc.config or something worse ;-)
- leave the FW_ variables alone and do it *all* yourself :)
Possible already by replacing SuSEfirewall with another script...
You can also hack your lines into the script.
- switching between several rule sets just by pointing to a different function (i.e. script)
Possible already by "SuSEfirewall file someotherfile"
Yes. People should occasionally check for updates and take a look at the CHANGES file or type "SuSEfirewall help" :)
- deliver some "usually asked for" scripts in /usr/doc/packages with the SuSEfirewall script
Yes please :-)
If you mean "usual configurations" -> there is an EXAMPLES file in the doc directory. If you mean such customized scripts - once it really can be implemented in a useful way, send me yours :)
2 other suggestions:
1) This "dns" is confusing. I would have thought it rather common to run xntpd, even on dial-up connections? Could that be changed to # Common: "dns", or "domain, ntp"??
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" # Common: "ftp-data" (sadly!)
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" # Common: "dns"
#
# For the ntpdate command to work, the ntp port must be listed here.
# Note: "dns" is a script-internal string. To specify the dns
# port, use "domain"!! -VK
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
I'll enhance that a bit, yeah
2) Taking the risk of greatly embarrassing myself, would it be possible to add a couple more sentences to explain what DMZ is good for???
There are already good books about that.
Chapman/Zwicky: Building Internet Firewalls
Cheswick/Bellovin: Firewall and Internet Security

Greets,
Marc

--
Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: marc@suse.de   Function: Security Research and Advisory
PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka"
Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C
Private: http://www.suse.de/~marc   SuSE: http://www.suse.de/security
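The hook pattern discussed in the thread (an empty fw_custom_rules fallback that a user-supplied file may override) sources that file into a script running as root, so the loader should check the file before sourcing it. The following is an added example written for this thread, not code from SuSEfirewall or from the patch quoted above; the function names fw_check_hook_file and fw_load_hook are my own, and the ownership test uses the effective user (which is root when the firewall script runs).

```shell
#!/bin/bash
# Added example (not from the SuSEfirewall script or the quoted patch):
# a hook loader that validates a user-supplied rules file before sourcing it.

# Default no-op hook. A custom file is expected to define its own
# fw_custom_rules(), which replaces this one after sourcing.
fw_custom_rules() {
    :   # no custom rules by default
}

# fw_check_hook_file FILE
# Returns 0 if FILE is acceptable to source into a root-run script:
# absolute path, regular file (not a symlink), owned by the effective
# user, and not writable by group or others. Prints a reason on failure.
fw_check_hook_file() {
    f=$1
    case $f in
        /*) ;;
        *)  echo "refusing relative path: $f" >&2; return 1 ;;
    esac
    [ ! -L "$f" ] || { echo "refusing symlink: $f" >&2; return 1; }
    [ -f "$f" ]   || { echo "not a regular file: $f" >&2; return 1; }
    [ -O "$f" ]   || { echo "not owned by the invoking user: $f" >&2; return 1; }
    # find prints the path only if group or others have the write bit set
    if [ -n "$(find "$f" -maxdepth 0 \( -perm -g+w -o -perm -o+w \) 2>/dev/null)" ]; then
        echo "group- or world-writable, refusing to source: $f" >&2
        return 1
    fi
    return 0
}

# fw_load_hook FILE
# Sources FILE if fw_check_hook_file accepts it; otherwise the no-op
# fw_custom_rules stays in place. Returns 0 only if FILE was sourced.
# Intended to be called with "$FW_CUSTOMRULES" from the rc.config.
fw_load_hook() {
    [ -n "$1" ] || return 1
    fw_check_hook_file "$1" || return 1
    . "$1"
}
```

fw_custom_rules is then called at whatever point in the rule setup the script chooses; a rejected file leaves the empty default in place rather than aborting the whole firewall start, and the reason is written to stderr so it shows up in the boot log.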