Quoting Matthias Gerstner <mgerstner@suse.de>:
Hello,
On Mon, Jan 22, 2018 at 12:34:35PM +0200, Robert Munteanu wrote:
Is there a plan or some guidance for packages that drop files in /etc/sysconfig/SuSEfirewall2.d/services/ ?
$ ls -1 /etc/sysconfig/SuSEfirewall2.d/services/ | grep -v TEMPLATE | wc -l
33
With firewalld these files are no longer needed. Firewalld ships builtin service definitions which can be listed via
$ firewall-cmd --get-services
You can get the definition of a single service like this
$ firewall-cmd --info-service=samba-client
These service names can then be used for opening them in a certain zone:
$ firewall-cmd --add-service=samba-client --zone=internal [--permanent]
You can also find the XML definitions of the services in /usr/lib/firewalld/services.
I think the SuSEfirewall2 service files should stay around until the migration to the new default firewall is complete. We can get rid of these files only after SuSEfirewall2 has been completely removed from openSUSE. It's inconvenient that these files are spread across many different packages, so it will probably take a while until they're all cleaned up.
If anybody thinks that a service definition is missing in firewalld then please tell me so we can see what to do about it. The correct way in such cases would probably be to contribute suitable files to firewalld upstream. New firewalld services can also be added dynamically during runtime. Here is some upstream documentation on adding services:
http://www.firewalld.org/documentation/howto/add-a-service.html
So there's /etc/firewalld/services for custom services but dropping service files into /usr/lib/firewalld/services seems also to be supported.
One thing that seems to be missing in firewalld is the equivalent of SuSEfirewall2-custom. I use some modules from the xtables-addons-kmp-default package. By nature, these are fragile and tend to break occasionally when the kernel changes. Right now, the xt_geoip module is present, but broken. When including an iptables rule that relies on these modules, this will stop SuSEfirewall2 from loading. This has locked me out several times in the past. So I now use something like the following to prevent this from happening in SuSEfirewall2-custom:

fw_custom_before_port_handling() {
    # only use the geoip match when the module actually loads;
    # otherwise fall back to a plain rule so the firewall still starts
    if modprobe --quiet xt_geoip; then
        iptables -A input_ext -p tcp -m tcp --dport 443 -m geoip --source-country NL -j ACCEPT
    else
        iptables -A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
    fi
}

I have not found a similar way of conditionally loading rules, depending on the ability to load a module. Did I miss something?
Should many additional service files be needed (which I hope not), then we could also think about introducing a separate package that holds all those custom service files. This would make maintaining them easier from the firewall perspective, but it adds some burden to packagers that need changes to them.
Regards
Matthias
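The conditional-loading question above, worked through as an added example that is not from the thread. It assumes firewalld's direct interface (firewall-cmd --direct) as the place where a raw iptables match such as -m geoip can still be expressed, and adds a fail-closed option beside the fail-open fallback used in the SuSEfirewall2-custom hook. The function names and the 192.0.2.0/24 admin network are constructed for this example.

```shell
# Added example: port the "only use xt_geoip if it loads" pattern to firewalld.
# Assumption: the direct interface carries the raw iptables match; plain
# firewalld services cannot express "-m geoip".
# The rule-selection function has no side effects, so it can be exercised
# without a running firewalld or root privileges.

# Returns 0 when the kernel module can be loaded, non-zero when it is missing
# or broken (the xt_geoip situation described in the thread).
module_available() {
    modprobe --quiet "$1" 2>/dev/null
}

# Print the iptables arguments for port 443 given:
#   $1  yes|no       whether xt_geoip loaded
#   $2  open|closed  fallback without geoip: "open" mirrors the original hook
#                    (accept from everywhere); "closed" accepts only from a
#                    trusted admin network, so a broken module neither locks
#                    you out nor exposes 443 worldwide
#   $3  trusted CIDR for the "closed" policy (constructed placeholder default)
https_rule_args() {
    geoip=$1; policy=$2; admin_net=${3:-192.0.2.0/24}
    if [ "$geoip" = yes ]; then
        echo "-p tcp --dport 443 -m geoip --source-country NL -j ACCEPT"
    elif [ "$policy" = open ]; then
        echo "-p tcp --dport 443 -j ACCEPT"
    else
        echo "-s $admin_net -p tcp --dport 443 -j ACCEPT"
    fi
}

# Install the chosen rule permanently via the direct interface and reload.
# Priority 0 places it ahead of other direct rules in the INPUT chain.
apply_https_rule() {
    policy=${1:-closed}
    if module_available xt_geoip; then geoip=yes; else geoip=no; fi
    args=$(https_rule_args "$geoip" "$policy")
    # word-splitting of $args into separate arguments is intended here
    # shellcheck disable=SC2086
    firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 $args \
        && firewall-cmd --reload
}
```

Run apply_https_rule open to reproduce the original fail-open behaviour, or apply_https_rule closed (the default) to restrict port 443 to the admin network when the module is unavailable.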
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org