[opensuse-factory] Idea for SuSEfirewall2
Just a little idea I stumbled upon...

How about having a directory that allows dropping in files as part of packages (e.g. /etc/sysconfig/SuSEfirewall2.d/).

Those files could include stuff like
- a detailed description of the ports that are relevant to the package
- parsable data for SuSEfirewall2, to be able to open (or close) ports based on that information

---8<--------------------------------------------
<susefirewall2-service id="xmpp">
  <summary>XMPP/Jabber</summary>
  <description>
    Open these ports to allow communication with an XMPP/Jabber
    server hosted in your network.
  </description>
  <ports>
    <port proto="udp" port="5222" />
    <port-range proto="tcp" range="5222-5223"/>
  </ports>
</susefirewall2-service>
---8<--------------------------------------------
(of course, it should be capable of being localized)

Those ports could then show up in "Allowed Services" and "Masquerading".

Currently, SuSEfirewall2 has a fixed set of "well-known" (not in a sense of /etc/services) ports it can put names on (HTTP, SSH, rsync). But those ports don't include a description, that could be really valuable for beginners.

Also, SuSEfirewall2 doesn't provide names for other ports, that are not in that fixed set, e.g. for gnutella, jabber/xmpp, ... and you have to go through [Advanced...]

A system like above could be useful, to include port definitions for SuSEfirewall2 as part of RPM packages (e.g. jabberd).

Well, just an idea, off the top of my head. What do you guys think, would it be useful ? feasible ? Post/discuss on another list ?

cheers
--
  -o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
  /\\ <pascal.bleser@skynet.be> <guru@unixtech.be>
 _\_v The more things change, the more they stay insane.

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory-unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory-help@opensuse.org
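An added example, not code from the thread or from SuSEfirewall2/YaST: a strict Python parser for the drop-in service description proposed above, treating package-supplied files as untrusted input that only describes ports and never opens them by itself. Element and attribute names follow the post; the id syntax, the tcp/udp restriction and the rejection of DTDs are assumptions.

```python
# Added example (not from the thread); id syntax and limits are assumptions.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the post's example, with the closing tag well-formed.
SAMPLE = b"""<susefirewall2-service id="xmpp">
  <summary>XMPP/Jabber</summary>
  <ports>
    <port proto="udp" port="5222" />
    <port-range proto="tcp" range="5222-5223"/>
  </ports>
</susefirewall2-service>"""

def _port(text):
    # Digits only, so "5222 " or "+5222" or "0x1466" never reach int().
    if not re.fullmatch(r"[0-9]{1,5}", text or ""):
        raise ValueError(f"bad port {text!r}")
    n = int(text)
    if not 1 <= n <= 65535:
        raise ValueError(f"port out of range: {n}")
    return n

def parse_service(data):
    """Return (id, summary, {proto: [(lo, hi), ...]}); raise ValueError if invalid."""
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD and entity declarations are rejected")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from None
    sid = root.get("id", "")
    # Assumed id syntax: short, lowercase, safe to reuse as a file or key name.
    if root.tag != "susefirewall2-service" or not re.fullmatch(r"[a-z0-9_-]{1,32}", sid):
        raise ValueError("unexpected root element or id")
    ports = {}
    for el in root.findall("./ports/*"):
        proto = el.get("proto")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"bad proto {proto!r}")
        if el.tag == "port":
            lo = hi = _port(el.get("port"))
        elif el.tag == "port-range":
            lo, _, hi = (el.get("range") or "").partition("-")
            lo, hi = _port(lo), _port(hi)
        else:
            raise ValueError(f"unknown element <{el.tag}>")
        if lo > hi:
            raise ValueError(f"reversed range {lo}-{hi}")
        ports.setdefault(proto, []).append((lo, hi))
    return sid, (root.findtext("summary") or "").strip(), ports
```

A file that fails validation is skipped as a whole, so one malformed package description cannot contribute a partial port list.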
On Friday 30 June 2006 08:41, Pascal Bleser wrote:
Just a little idea I stumbled upon...
How about having a directory that allows dropping in files as part of packages (e.g. /etc/sysconfig/SuSEfirewall2.d/).
Those files could include stuff like
- a detailed description of the ports that are relevant to the package
- parsable data for SuSEfirewall2, to be able to open (or close) ports based on that information

---8<--------------------------------------------
<susefirewall2-service id="xmpp">
  <summary>XMPP/Jabber</summary>
  <description>
    Open these ports to allow communication with an XMPP/Jabber
    server hosted in your network.
  </description>
  <ports>
    <port proto="udp" port="5222" />
    <port-range proto="tcp" range="5222-5223"/>
  </ports>
</susefirewall2-service>
---8<--------------------------------------------
(of course, it should be capable of being localized)

I'd like to have that too :-) It's nothing SuSEfirewall2 should deal with though. The YaST firewall module can make use of that information instead. Currently the information about ports is hardcoded in /usr/share/YaST2/modules/SuSEFirewallServices.ycp

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
On Friday 30 June 2006 08:41, Pascal Bleser wrote:
<summary>XMPP/Jabber</summary>
<description>
  Open these ports to allow communication with an XMPP/Jabber
  server hosted in your network.
</description>
<ports>
  <port proto="udp" port="5222" />
  <port-range proto="tcp" range="5222-5223"/>
</ports>
</susefirewall2-service>
---8<--------------------------------------------
(of course, it should be capable of being localized)

Perhaps with:

<summary lang="XX_xx">XMPP/Jabber</summary>
<description lang="XX_xx">
  Open these ports to allow communication with an XMPP/Jabber
  server hosted in your network.
</description>

--
Richard Bos
Without a home the journey is endless
2006/6/30, Pascal Bleser <pascal.bleser@skynet.be>:
Just a little idea I stumbled upon...
How about having a directory that allows dropping in files as part of packages (e.g. /etc/sysconfig/SuSEfirewall2.d/).
Those files could include stuff like
- a detailed description of the ports that are relevant to the package
- parsable data for SuSEfirewall2, to be able to open (or close) ports based on that information

---8<--------------------------------------------
<susefirewall2-service id="xmpp">
  <summary>XMPP/Jabber</summary>
  <description>
    Open these ports to allow communication with an XMPP/Jabber
    server hosted in your network.
  </description>
  <ports>
    <port proto="udp" port="5222" />
    <port-range proto="tcp" range="5222-5223"/>
  </ports>
</susefirewall2-service>
---8<--------------------------------------------
(of course, it should be capable of being localized)
Those ports could then show up in "Allowed Services" and "Masquerading".
Currently, SuSEfirewall2 has a fixed set of "well-known" (not in a sense of /etc/services) ports it can put names on (HTTP, SSH, rsync). But those ports don't include a description, that could be really valuable for beginners.
Also, SuSEfirewall2 doesn't provide names for other ports, that are not in that fixed set, e.g. for gnutella, jabber/xmpp, ... and you have to go through [Advanced...]
A system like above could be useful, to include port definitions for SuSEfirewall2 as part of RPM packages (e.g. jabberd).
Well, just an idea, off the top of my head. What do you guys think, would it be useful ? feasible ? Post/discuss on another list ?
I agree on everything you say. SuSEfirewall2 and yast-interface to same could really benefit from this.

Johan

With the feedback seen, I suggest we evaluate this for 10.2. Could you add it to the feature wishlist? I've added it already to our internal feature tool so that we can start evaluating ourselves,

Andreas
--
Andreas Jaeger, aj@suse.de, http://www.suse.de/~aj/
SUSE Linux Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
Andreas Jaeger wrote:
With the feedback seen, I suggest we evaluate this for 10.2. Could you add it to the feature wishlist? I've added it already to our internal feature tool so that we can start evaluating ourselves,

Could someone else please take care of it and copy some of the stuff discussed here ? I'm off for holidays now and pretty much in a hurry.

Maybe the discussion is worth a page on the wiki to collect ideas and potential issues, dunno...

cheers
--
  -o) Pascal Bleser http://linux01.gwdg.de/~pbleser/
  /\\ <pascal.bleser@skynet.be> <guru@unixtech.be>
 _\_v The more things change, the more they stay insane.
Pascal Bleser wrote:
How about having a directory that allows dropping in files as part of packages (e.g. /etc/sysconfig/SuSEfirewall2.d/). ... Those ports could then show up in "Allowed Services" and "Masquerading".
If you masquerade a service, then the daemon package with the XML description will be installed on the target machine, not on the machine running the firewall. Otherwise, I like the idea too :)

Michal
On Friday 30 June 2006 01:41, Pascal Bleser wrote:
Just a little idea I stumbled upon...
How about having a directory that allows dropping in files as part of packages (e.g. /etc/sysconfig/SuSEfirewall2.d/).
Excellent ideas.
Those ports could then show up in "Allowed Services" and "Masquerading".
Currently, SuSEfirewall2 has a fixed set of "well-known" (not in a sense of /etc/services) ports it can put names on (HTTP, SSH, rsync). But those ports don't include a description, that could be really valuable for beginners.
I'd like to see this tied into the YaST runlevel display also. Adding maybe an "FW" column that would indicate that a service can be exposed externally to a network and should be in a firewall rule for best practices. Also serves as another check & balance area for auditing.

0=internal only, non-networked, no need to firewall
1=can be exposed externally to a network, recommend to firewall
2=designed to be exposed externally to a network, must be firewalled
3=external, firewall disabled
4=external, firewall enabled
5=internal, firewall disabled
6= you get the idea . . .

Provide some useful info for newbies to learn from and a refresher for the experts.
Also, SuSEfirewall2 doesn't provide names for other ports, that are not in that fixed set, e.g. for gnutella, jabber/xmpp, ... and you have to go through [Advanced...]
A system like above could be useful, to include port definitions for SuSEfirewall2 as part of RPM packages (e.g. jabberd).
In the spec file have recommended/established port definitions for firewalling? Excellent idea. Even for FWBuilder and others...
Well, just an idea, off the top of my head. What do you guys think, would it be useful ? feasible ? Post/discuss on another list ?
One of the most needed enhancements to SUSE Linux, open or enterprise.

Thanks Pascal,
Stan
Stan Glasoe wrote:
On Friday 30 June 2006 01:41, Pascal Bleser wrote:
Just a little idea I stumbled upon...
How about having a directory that allows dropping in files as part of packages (e.g. /etc/sysconfig/SuSEfirewall2.d/).
Excellent ideas.
So, who's gonna do that :)? Just kidding... I have had this in my TODO since last October or so and now it appears to be quite a big feature. On the other hand, it seems that more people would like to have it implemented so I'm gonna put my effort into it.

Lukas
participants (8)
- Andreas Jaeger
- Johan N.
- Ludwig Nussel
- Lukas Ocilka
- Michal Marek
- Pascal Bleser
- Richard Bos
- Stan Glasoe