Op dinsdag 25 juni 2019 17:00:05 CEST schreef Patrick Shanahan: It took some time to get more familiar with firewalld. I have some specific requirements. The firewall log should be available for parsing to report unwanted access to dshield.org. Still I do not understand all the particulars of the elements in firewalld. Even the concept of a zone is still unclear to me. A simple concept is that an interface is connected/belongs to a zone. So in my case the eth0 interface, which is connected to the local network, but is also a server connected to the internet via a router with a NAT firewall should be in the zone external, the default zone. However I would like to make exceptions for the systems in my local network. The question is how to do that. There is a zone trusted or something similar. Should I enter the source addresses of the systems in that local network in such a zone? Furthermore I want services like ssh, smtp, smtps, imaps, etc to be accessible from all over the world, but not imap, only from the local network. I also want ACCEPT messages for these services in the firewall log, but, for ssh, I want to limit access to 3 per minute and also limited logging. Any ideas how to configure firewalld with rich rules? -- fr.gr. member openSUSE Freek de Kruijf -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

Hi, everything you wanna do can be done with firewalld, and much easier than with susefirewall, even more so because you don't have to worry about IPv4 / IPv6. Let me write up something about what you want to do when it's not half past eleven at night... :) Cheers MH Am Samstag, 24. August 2019, 23:17:11 CEST schrieb Freek de Kruijf: *Mathias Homann* Mathias.Homann@openSUSE:.org[1] irc: [Lemmy] @ freenode, ircnet obs: lemmy04 *gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102* -------- [1] mailto:Mathias.Homann@eregion.de -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

Am Sonntag, 25. August 2019, 14:53:36 CEST schrieb Freek de Kruijf: s/Martin/Mathias/ :) I put it on my blog: https://www.tuxonline.tech/an-introduction-to-firewalld/ Cheers MH -- *Mathias Homann* Mathias.Homann(a)openSUSE.org[1] telegram: https://telegram.me/lemmy98[2] irc: [lemmy] on freenode and ircnet obs: lemmy04 *gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102 * -------- [1] mailto:Mathias.Homann@eregion.de [2] https://telegram.me/lemmy98 -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

On 26/08/2019 18.31, Darin Perusich wrote: firewall-config Menu "options", entry "Change log-denied" -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)

On 2019-08-27 14:29, Darin Perusich wrote: There doesn't seem to be a blanket setting for this, but it can be done using the rich language for rules, see man 5 firewalld.richlanguage There are Audit and Log settings on a per rule (per zone) basis. The RHEL documentation [1] is also fairly comprehensive I think. Cheers [1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/ht… -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

On Mon, 2019-08-26 at 11:45 +0200, Mathias Homann wrote: Thank you. Here come a few remarks. That's a strange definition. I'd rather define it as a group of *interfaces* that share a certain trust level. The official documentation says "A firewall zone defines the trust level for a connection, interface or source address binding."( https://firewalld.org/documentation/zone/). One thing worth mentioning about zones is that commands normally affect packets *originating* from a given zone (i.e. "--zone=A --add- service=http" allows incoming HTTP traffic from zone "A"). But there's one important exception: the --add-masquerade command (and the "masquerade" rich rule) affects *outgoing* packets for the given zone. I for one didn't realize that immediately, and I found it hard to write a rule saying "masquerade packets going to zone B, but only if they originate from zone A". (*) About your configuration example: rather then using --permanent and finish with "firewall-cmd --reload", I'd prefer applying new rules to the current state (without --permanent), test, and finish with "firewall-cmd --runtime-to-permanent". It's mostly a matter of taste, but it may be easier for beginners because effects of new rules can be examined immediately. Also, there are typos ("--add=service=https") in your example. Rich rules and direct rules: this is where the fun begins, and where the upstream docs are also somewhat sparse. At least I found it non- obvious how to construct new rich rules. So I'd appreciate more information in that section :-) I guess many would appreciate a cheat sheet for "how do I <X> with firewalld", where <X> is something that used to be done with SuSEfirewall2. Regards Martin (*) In case you wonder: the solution that worked for me was adding a rich rule rule family="ipv4" source address="192.168.X.Y/24" masquerade to the rule set of zone "B", where the above address was associated with an interface in zone "A". I did not find a way to express this in terms of zones exclusively.

On Thu, 29 Aug 2019 15:24:06 +0000 Martin Wilck &lt;Martin.Wilck(a)suse.com&gt; wrote: Or in summary: no, it is not ready. That said, I never tried any serious firewalling with susefirewall2 either. Thanks Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

Martin Wilck wrote: Could you please give us some examples of your FirewallD commands for LibvirtD guests? How you integrated these FirewallD commands? Until now, FirewallD works acceptable on my Desktop, but I have trouble with LibvirtD KVM guests, OpenVPN networks, Docker and LXC. And I have trouble with my DLNA client which accesses my MythTV server. (Also with SuSEfirewall2 I had to write custom script rules for DLNA access.) Currently I locked SuSEfirewall2 so that the package management could not remove the package. Greetings, Björn -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

On Fri, Sep 06, 2019 at 06:18:38AM +0000, Martin Wilck wrote: I will update firewalld in the next week. Sorry for the inconvenience! Cheers, Michal -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org

Op maandag 2 september 2019 10:53:19 CEST schreef Freek de Kruijf: "fe80::/8" should be "fe80::/16". Just in case my server is bothered with pounding packages from a certain IP address I also use the zone drop firewall-cmd --zone=drop -add-address=<pounding-IP-address> -- fr.gr. member openSUSE Freek de Kruijf -- To unsubscribe, e-mail: opensuse-factory+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-factory+owner(a)opensuse.org