[Bug 764302] New: Set Suse-firewall interfaces to internal or external, based on network manager connections
https://bugzilla.novell.com/show_bug.cgi?id=764302
https://bugzilla.novell.com/show_bug.cgi?id=764302#c0

Summary: Set Suse-firewall interfaces to internal or external, based on network manager connections
Classification: openSUSE
Product: openSUSE 12.2
Version: Factory
Platform: Other
OS/Version: Other
Status: NEW
Severity: Enhancement
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: colAflash@gmx.net
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0

Can we get something that lets us configure firewall rules by a NetworkManager connection or specific network properties?

For all examples: Usually my eth0 and wlan0 are external interfaces in Suse firewall.

First example: If my notebook attaches to my wireless network at home, it should mark wlan0 as internal interface in Suse firewall (and undo this when disconnecting).

Second example: If my notebook attaches to my wired (not wireless this time) network at home, it should mark eth0 as internal interface in Suse firewall.

Third example: If my notebook attaches to the university wired network nothing should happen (the eth0 should be an external interface).

I already started thinking about this a little deeper. There should be a script in /etc/NetworkManager/dispatcher.d listening to what happens. If it gets an "up" or "down" it checks what kind of connection came up. This can be done with the variables those scripts in dispatcher.d already get from the network manager.

Essential variables on "up":
  DEVICE_IP_IFACE=wlan0
  CONNECTION_UUID=19d3oah3-3jla-429c-92el-le3r0ualr92k
  DHCP4_DHCP_SERVER_IDENTIFIER=192.168.60.1
  DHCP4_BROADCAST_ADDRESS=192.168.60.255
  DHCP4_IP_ADDRESS=192.168.60.19
  CONNECTION_ID=myNetworkAtHome

Essential variables on "down":
  DEVICE_IP_IFACE=wlan0
  CONNECTION_UUID=19d3oah3-3jla-429c-92el-le3r0ualr92k
  DEVICE_IFACE=wlan0
  CONNECTION_ID=myNetworkAtHome

The other variables from "up" don't appear on down!

Each network manager connection-profile has a CONNECTION_UUID and a CONNECTION_ID. I'd prefer to use CONNECTION_UUID instead of CONNECTION_ID for this task (CONNECTION_ID can have strange letters and spaces in it and may appear multiple times for different connections).

For wireless connections we usually just have to look at the CONNECTION_UUID, because in network manager every wireless connection (usually) has another SSID and KEY, so there also is an individual network manager connection-profile. But for wired networks it's not so easy. I think the best is to look at DHCP4_DHCP_SERVER_IDENTIFIER, DHCP4_BROADCAST_ADDRESS and DHCP4_IP_ADDRESS.

So when configuring a connection in network manager there should be a possibility to add information like:

  When this connection is active, then configure the interface as internal.

  AND (one to choose in the gui)

  When this connection is active, DHCP4_DHCP_SERVER_IDENTIFIER==x, DHCP4_BROADCAST_ADDRESS==y and DHCP4_IP_ADDRESS==z, then configure the interface as internal.

But: Because on connect we have information we won't have on disconnect (DHCP4_DHCP_SERVER_IDENTIFIER, DHCP4_BROADCAST_ADDRESS, DHCP4_IP_ADDRESS) we'll have to save them in some status file (maybe something like /var/run/nm-suse-fw/${CONNECTION_UUID}) to be able to decide if we have to change firewall settings back on a disconnect of that connection.

As you may have guessed, I already wrote some scripts trying to do that but I got stuck. Currently the scripts are pretty dirty and don't work well (that's why I don't like to upload them). And I also don't have any idea how to integrate into the network manager kde gui (instead config is currently done via config-files in /etc/NetworkManager/suse-fw).

Thanks :-)
colAflash

Reproducible: Always

Steps to Reproduce:
1.
2.
3.