On 03/11/2018 12:19 PM, Frank Krüger wrote:
On 11.03.2018 at 11:47, Carlos E. R. wrote:
On 2018-03-11 11:32, Frank Krüger wrote:
On 11.03.2018 at 11:24, Carlos E. R. wrote:
I expected at least some pointers at opensuse.org. For documentation see this <link>.
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
Have you tried susefirewall2-to-firewalld or is this bash script too simple for your needs?
I don't know. The test Leap 15.0 install is new, so it erases the previous config. The susefirewall2 is in backup and other installs.
Can I simply copy the SuSEfirewall2 config file and apply that script to it?
I never used this script, so my answer would be just a guess. More information on the usage and the restrictions can be found here: https://github.com/openSUSE/susefirewall2-to-firewalld.
Looking at it now. Installing the script also installs SuSEfirewall2, which is weird. I hope it doesn't enable the service. The script runs for a long time, writes a lot of text. I have no idea of what it is doing and whether I will be able to maintain the changes.

linux-9vao:~ # susefirewall2-to-firewalld
INFO: Reading the /etc/sysconfig/SuSEfirewall2 file
INFO: Ensuring all firewall services are in a well-known state.
INFO: This will start/stop/restart firewall services and it's likely
INFO: to cause network disruption.
INFO: If you do not wish for this to happen, please stop the script now!
5...4...3...2...1...Lets do it!
INFO: Stopping firewalld
INFO: Restarting SuSEfirewall2_init
INFO: Restarting SuSEfirewall2
INFO: ICMP: Adding icmp type="4[source-quench]" to zone="ext"
INFO: ICMP: Adding icmp type="4[source-quench]" to zone="int"
INFO: ICMP: Adding icmp type="8[echo-request]" to zone="ext"
INFO: ICMP: Adding icmp type="8[echo-request]" to zone="int"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=68 protocol=udp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=139 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=137 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=5353 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=515 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=21 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=20 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=143 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=993 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=2049 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.16/32 port port=2049 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" to zone="ext"
INFO: Port(s) "5060(TCP)" will be added to the "external" zone
INFO: Port(s) "1720(TCP)" will be added to the "external" zone
INFO: Port(s) "30000:30010(TCP)" will be added to the "external" zone
INFO: Port(s) "21(TCP)" will be added to the "external" zone
INFO: Port(s) "20(TCP)" will be added to the "external" zone
INFO: Port(s) "22(TCP)" will be added to the "external" zone
INFO: Port(s) "5060(UDP)" will be added to the "external" zone
INFO: Port(s) "1720(UDP)" will be added to the "external" zone
INFO: Port(s) "5060:5100(UDP)" will be added to the "external" zone
INFO: Port(s) "123(UDP)" will be added to the "external" zone
INFO: DIRECT: Adding direct rule="ipv6 -t filter -A INPUT -p udp -m udp --dport 546 -j ACCEPT"
INFO: ICMP: Adding icmp type="133[router-solicitation]" to zone="ext"
INFO: ICMP: Adding icmp type="133[router-solicitation]" to zone="int"
INFO: ICMP: Adding icmp type="134[router-advertisement]" to zone="ext"
INFO: ICMP: Adding icmp type="134[router-advertisement]" to zone="int"
INFO: ICMP: Adding icmp type="135[neighbour-solicitation]" to zone="ext"
INFO: ICMP: Adding icmp type="135[neighbour-solicitation]" to zone="int"
INFO: ICMP: Adding icmp type="136[neighbour-advertisement]" to zone="ext"
INFO: ICMP: Adding icmp type="136[neighbour-advertisement]" to zone="int"
INFO: ICMP: Adding icmp type="137[redirect]" to zone="ext"
INFO: ICMP: Adding icmp type="137[redirect]" to zone="int"
INFO: ICMP: Adding icmp type="130[multicast-listener-query]" to zone="ext"
INFO: ICMP: Adding icmp type="130[multicast-listener-query]" to zone="int"
INFO: RICH: Adding rich rule="rule family=ipv6 source address=fe80::/64 port port=5353 protocol=udp accept" to zone="ext"
INFO: Interface "eth0" will be added to the "ext" zone
INFO: Interface "wlan0" will be added to the "ext" zone
INFO: Stopping SuSEfirewall2
INFO: Stopping SuSEfirewall2_init
INFO: Starting firewalld
INFO: Resetting Zone: "block"
INFO: Resetting Zone: "dmz"
INFO: -> Removing service: "ssh"
INFO: Resetting Zone: "drop"
INFO: Resetting Zone: "external"
INFO: -> Removing masquerade
INFO: -> Removing service: "ssh"
INFO: Resetting Zone: "home"
INFO: -> Removing service: "ssh"
INFO: -> Removing service: "mdns"
INFO: -> Removing service: "samba-client"
INFO: -> Removing service: "dhcpv6-client"
INFO: Resetting Zone: "internal"
INFO: -> Removing service: "ssh"
INFO: -> Removing service: "mdns"
INFO: -> Removing service: "samba-client"
INFO: -> Removing service: "dhcpv6-client"
INFO: Resetting Zone: "public"
INFO: -> Removing service: "dhcpv6-client"
INFO: -> Removing service: "ssh"
INFO: -> Removing interface: "eth0"
INFO: Resetting Zone: "trusted"
INFO: Resetting Zone: "work"
INFO: -> Removing service: "ssh"
INFO: -> Removing service: "dhcpv6-client"
INFO:
INFO: FirewallD has been reset!
INFO:
INFO: Setting default zone to "external"
INFO: Adding interface="eth0" to zone="external"
INFO: Adding interface="wlan0" to zone="external"
INFO: Enabling service="sip" to zone="external"
INFO: Adding port(s)="1720/tcp" to zone="external"
INFO: Adding port(s)="30000-30010/tcp" to zone="external"
INFO: Enabling service="ftp" to zone="external"
INFO: Adding port(s)="20/tcp" to zone="external"
INFO: Enabling service="sip" to zone="external"
INFO: Adding port(s)="1720/udp" to zone="external"
INFO: Adding port(s)="5060-5100/udp" to zone="external"
INFO: Enabling service="freeipa-ldap" to zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=68 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=139 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=137 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=5353 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=515 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=21 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=20 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=143 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=993 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=2049 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.16/32 port port=2049 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv6 source address=fe80::/64 port port=5353 protocol=udp accept" for zone="external"
INFO: Blocking icmp="address-unreachable" for zone="internal"
INFO: Blocking icmp="bad-header" for zone="internal"
INFO: Blocking icmp="beyond-scope" for zone="internal"
INFO: Blocking icmp="communication-prohibited" for zone="internal"
INFO: Blocking icmp="destination-unreachable" for zone="internal"
INFO: Blocking icmp="echo-reply" for zone="internal"
INFO: Blocking icmp="failed-policy" for zone="internal"
INFO: Blocking icmp="fragmentation-needed" for zone="internal"
INFO: Blocking icmp="host-precedence-violation" for zone="internal"
INFO: Blocking icmp="host-prohibited" for zone="internal"
INFO: Blocking icmp="host-redirect" for zone="internal"
INFO: Blocking icmp="host-unknown" for zone="internal"
INFO: Blocking icmp="host-unreachable" for zone="internal"
INFO: Blocking icmp="ip-header-bad" for zone="internal"
INFO: Blocking icmp="network-prohibited" for zone="internal"
INFO: Blocking icmp="network-redirect" for zone="internal"
INFO: Blocking icmp="network-unknown" for zone="internal"
INFO: Blocking icmp="network-unreachable" for zone="internal"
INFO: Blocking icmp="no-route" for zone="internal"
INFO: Blocking icmp="packet-too-big" for zone="internal"
INFO: Blocking icmp="parameter-problem" for zone="internal"
INFO: Blocking icmp="port-unreachable" for zone="internal"
INFO: Blocking icmp="precedence-cutoff" for zone="internal"
INFO: Blocking icmp="protocol-unreachable" for zone="internal"
INFO: Blocking icmp="reject-route" for zone="internal"
INFO: Blocking icmp="required-option-missing" for zone="internal"
INFO: Blocking icmp="source-route-failed" for zone="internal"
INFO: Blocking icmp="time-exceeded" for zone="internal"
INFO: Blocking icmp="timestamp-reply" for zone="internal"
INFO: Blocking icmp="timestamp-request" for zone="internal"
INFO: Blocking icmp="tos-host-redirect" for zone="internal"
INFO: Blocking icmp="tos-host-unreachable" for zone="internal"
INFO: Blocking icmp="tos-network-redirect" for zone="internal"
INFO: Blocking icmp="tos-network-unreachable" for zone="internal"
INFO: Blocking icmp="ttl-zero-during-reassembly" for zone="internal"
INFO: Blocking icmp="ttl-zero-during-transit" for zone="internal"
INFO: Blocking icmp="unknown-header-type" for zone="internal"
INFO: Blocking icmp="unknown-option" for zone="internal"
INFO: Blocking icmp="address-unreachable" for zone="dmz"
INFO: Blocking icmp="bad-header" for zone="dmz"
INFO: Blocking icmp="beyond-scope" for zone="dmz"
INFO: Blocking icmp="communication-prohibited" for zone="dmz"
INFO: Blocking icmp="destination-unreachable" for zone="dmz"
INFO: Blocking icmp="echo-reply" for zone="dmz"
INFO: Blocking icmp="echo-request" for zone="dmz"
INFO: Blocking icmp="failed-policy" for zone="dmz"
INFO: Blocking icmp="fragmentation-needed" for zone="dmz"
INFO: Blocking icmp="host-precedence-violation" for zone="dmz"
INFO: Blocking icmp="host-prohibited" for zone="dmz"
INFO: Blocking icmp="host-redirect" for zone="dmz"
INFO: Blocking icmp="host-unknown" for zone="dmz"
INFO: Blocking icmp="host-unreachable" for zone="dmz"
INFO: Blocking icmp="ip-header-bad" for zone="dmz"
INFO: Blocking icmp="neighbour-advertisement" for zone="dmz"
INFO: Blocking icmp="neighbour-solicitation" for zone="dmz"
INFO: Blocking icmp="network-prohibited" for zone="dmz"
INFO: Blocking icmp="network-redirect" for zone="dmz"
INFO: Blocking icmp="network-unknown" for zone="dmz"
INFO: Blocking icmp="network-unreachable" for zone="dmz"
INFO: Blocking icmp="no-route" for zone="dmz"
INFO: Blocking icmp="packet-too-big" for zone="dmz"
INFO: Blocking icmp="parameter-problem" for zone="dmz"
INFO: Blocking icmp="port-unreachable" for zone="dmz"
INFO: Blocking icmp="precedence-cutoff" for zone="dmz"
INFO: Blocking icmp="protocol-unreachable" for zone="dmz"
INFO: Blocking icmp="redirect" for zone="dmz"
INFO: Blocking icmp="reject-route" for zone="dmz"
INFO: Blocking icmp="required-option-missing" for zone="dmz"
INFO: Blocking icmp="router-advertisement" for zone="dmz"
INFO: Blocking icmp="router-solicitation" for zone="dmz"
INFO: Blocking icmp="source-quench" for zone="dmz"
INFO: Blocking icmp="source-route-failed" for zone="dmz"
INFO: Blocking icmp="time-exceeded" for zone="dmz"
INFO: Blocking icmp="timestamp-reply" for zone="dmz"
INFO: Blocking icmp="timestamp-request" for zone="dmz"
INFO: Blocking icmp="tos-host-redirect" for zone="dmz"
INFO: Blocking icmp="tos-host-unreachable" for zone="dmz"
INFO: Blocking icmp="tos-network-redirect" for zone="dmz"
INFO: Blocking icmp="tos-network-unreachable" for zone="dmz"
INFO: Blocking icmp="ttl-zero-during-reassembly" for zone="dmz"
INFO: Blocking icmp="ttl-zero-during-transit" for zone="dmz"
INFO: Blocking icmp="unknown-header-type" for zone="dmz"
INFO: Blocking icmp="unknown-option" for zone="dmz"
INFO: Blocking icmp="address-unreachable" for zone="external"
INFO: Blocking icmp="bad-header" for zone="external"
INFO: Blocking icmp="beyond-scope" for zone="external"
INFO: Blocking icmp="communication-prohibited" for zone="external"
INFO: Blocking icmp="destination-unreachable" for zone="external"
INFO: Blocking icmp="echo-reply" for zone="external"
INFO: Blocking icmp="failed-policy" for zone="external"
INFO: Blocking icmp="fragmentation-needed" for zone="external"
INFO: Blocking icmp="host-precedence-violation" for zone="external"
INFO: Blocking icmp="host-prohibited" for zone="external"
INFO: Blocking icmp="host-redirect" for zone="external"
INFO: Blocking icmp="host-unknown" for zone="external"
INFO: Blocking icmp="host-unreachable" for zone="external"
INFO: Blocking icmp="ip-header-bad" for zone="external"
INFO: Blocking icmp="network-prohibited" for zone="external"
INFO: Blocking icmp="network-redirect" for zone="external"
INFO: Blocking icmp="network-unknown" for zone="external"
INFO: Blocking icmp="network-unreachable" for zone="external"
INFO: Blocking icmp="no-route" for zone="external"
INFO: Blocking icmp="packet-too-big" for zone="external"
INFO: Blocking icmp="parameter-problem" for zone="external"
INFO: Blocking icmp="port-unreachable" for zone="external"
INFO: Blocking icmp="precedence-cutoff" for zone="external"
INFO: Blocking icmp="protocol-unreachable" for zone="external"
INFO: Blocking icmp="reject-route" for zone="external"
INFO: Blocking icmp="required-option-missing" for zone="external"
INFO: Blocking icmp="source-route-failed" for zone="external"
INFO: Blocking icmp="time-exceeded" for zone="external"
INFO: Blocking icmp="timestamp-reply" for zone="external"
INFO: Blocking icmp="timestamp-request" for zone="external"
INFO: Blocking icmp="tos-host-redirect" for zone="external"
INFO: Blocking icmp="tos-host-unreachable" for zone="external"
INFO: Blocking icmp="tos-network-redirect" for zone="external"
INFO: Blocking icmp="tos-network-unreachable" for zone="external"
INFO: Blocking icmp="ttl-zero-during-reassembly" for zone="external"
INFO: Blocking icmp="ttl-zero-during-transit" for zone="external"
INFO: Blocking icmp="unknown-header-type" for zone="external"
INFO: Blocking icmp="unknown-option" for zone="external"
INFO: Enabling direct rule=ipv6 -t filter -A INPUT -p udp -m udp --dport 546 -j ACCEPT
INFO: Enable logging for denied packets
INFO: ##################################################################################
INFO:
INFO: The dry-run has been completed. Please check the above output to ensure
INFO: that everything looks good.
INFO:
INFO: ##################################################################################
INFO: Stopping firewalld
INFO: Restarting SuSEfirewall2_init
INFO: Restarting SuSEfirewall2
linux-9vao:~ #

Uninstalling conversion script and SuSEfirewall2.

Oh, and now YaST firewall module fails to connect to firewalld. The service had been stopped...

--
Cheers/Saludos
Carlos E. R.
(testing openSUSE Leap 15.0, at Minas-Anor)

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
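Added example (not part of the thread, and not code from the susefirewall2-to-firewalld project): a small Python reviewer for the converter's dry-run output. The script's own advice is to "check the above output to ensure that everything looks good", which is hard to do by eye across a few hundred INFO lines; this parses the `Setting default zone`, `Adding interface`, `Enabling service`, `Adding port(s)`, `Enabling rich rule` and `Enabling direct rule` lines into a per-zone summary and flags entries that deserve a second look before the rules are applied: duplicated entries, rich rules that accept a whole protocol with no port or service clause (so every TCP port is open to that source), and direct rules, which sit outside the zone model. The sample log is a constructed excerpt in the shape of the output quoted above; the function names and finding wording are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the converter's dry-run output quoted in
# the thread (a short excerpt, not the full transcript).
SAMPLE_LOG = """\
INFO: Setting default zone to "external"
INFO: Adding interface="eth0" to zone="external"
INFO: Adding interface="wlan0" to zone="external"
INFO: Enabling service="sip" to zone="external"
INFO: Adding port(s)="1720/tcp" to zone="external"
INFO: Adding port(s)="30000-30010/tcp" to zone="external"
INFO: Enabling service="ftp" to zone="external"
INFO: Enabling service="sip" to zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=21 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" for zone="external"
INFO: Enabling direct rule=ipv6 -t filter -A INPUT -p udp -m udp --dport 546 -j ACCEPT
"""

DEFAULT_ZONE_RE = re.compile(r'Setting default zone to "([^"]+)"')
DIRECT_RE = re.compile(r'Enabling direct rule=(.+)$')
# Each zone pattern captures (value, zone).
ZONE_PATTERNS = {
    "interface": re.compile(r'Adding interface="([^"]+)" to zone="([^"]+)"'),
    "service": re.compile(r'Enabling service="([^"]+)" to zone="([^"]+)"'),
    "port": re.compile(r'Adding port\(s\)="([^"]+)" to zone="([^"]+)"'),
    "rich": re.compile(r'Enabling rich rule="([^"]+)" for zone="([^"]+)"'),
}


def parse_dry_run(text):
    """Reduce the dry-run log to {"default_zone", "zones", "direct"}."""
    summary = {
        "default_zone": None,
        "zones": defaultdict(lambda: defaultdict(list)),  # zone -> kind -> values
        "direct": [],
    }
    for line in text.splitlines():
        m = DEFAULT_ZONE_RE.search(line)
        if m:
            summary["default_zone"] = m.group(1)
            continue
        m = DIRECT_RE.search(line)
        if m:
            summary["direct"].append(m.group(1).strip())
            continue
        for kind, rx in ZONE_PATTERNS.items():
            m = rx.search(line)
            if m:
                value, zone = m.groups()
                summary["zones"][zone][kind].append(value)
                break
    return summary


def review(summary):
    """Return findings a reviewer should confirm before applying the config."""
    findings = []
    for zone, items in summary["zones"].items():
        for kind, values in items.items():
            seen = set()
            for v in values:
                if v in seen:  # same entry emitted twice: redundant config worth cleaning
                    findings.append(f"duplicate {kind} in zone {zone}: {v}")
                seen.add(v)
        # A rich rule ending in "accept" with neither a port nor a service
        # clause admits every TCP/UDP port from that source address.
        for rule in dict.fromkeys(items.get("rich", [])):
            if rule.endswith("accept") and "port port=" not in rule \
                    and "service name=" not in rule:
                findings.append(f"broad accept (no port/service) in zone {zone}: {rule}")
    for rule in summary["direct"]:
        findings.append(f"direct rule bypasses the zone model, review by hand: {rule}")
    return findings


if __name__ == "__main__":
    s = parse_dry_run(SAMPLE_LOG)
    print("default zone:", s["default_zone"])
    for zone, items in s["zones"].items():
        for kind, values in items.items():
            print(f"{zone}/{kind}: {values}")
    for finding in review(s):
        print("CHECK:", finding)
```

Feed it the real transcript with `parse_dry_run(open("dry-run.log").read())`; on the excerpt above it reports the duplicated `sip` service, the duplicated `192.168.1.0/24` rich rule, that same rule as a broad accept, and the IPv6 direct rule.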