[opensuse-factory] How do I enable ssh on 15.0 beta?
Hi,

On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs. It was decided years ago to put this question prominently in YaST during the install after a long discussion.

Thus, I can not connect to my own machine. I had to do "systemctl enable sshd.service", then start it, and I could connect to "localhost". But not from outside:

Telcontar:~ # ssh 192.168.1.128
ssh: connect to host 192.168.1.128 port 22: No route to host
Telcontar:~ #
Telcontar:~ # ping 192.168.1.128
PING 192.168.1.128 (192.168.1.128) 56(84) bytes of data.
64 bytes from 192.168.1.128: icmp_seq=1 ttl=64 time=0.294 ms
64 bytes from 192.168.1.128: icmp_seq=2 ttl=64 time=0.396 ms
^C
--- 192.168.1.128 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.294/0.345/0.396/0.051 ms
Telcontar:~ #

I guess this is the new firewalld blocking it. Obviously there is a route, it works, and the IP is the correct one. There are no entries in the log about this blocking. How do I enable the firewalld log now?

How do I open the ssh port in the new firewalld? There is a module in YaST, but I can not understand it at all. Any HOWTO for old SuSEfirewall2 users?

-- 
Cheers/Saludos
Carlos E. R. (testing openSUSE Leap 15.0, at Minas-Anor)

-- 
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 03/09/2018 07:38 PM, Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
Hmmm. I installed 15.0 Beta the other day, and there *was* an option at the bottom of the summary page to enable SSH. In fact, there were options to import SSH configuration from other installs (42.3 and/or TW on my machine), as well as the additional option to import the SSH keys. I chose them, SSH is running smooth as silk on my machine.

Note, though, that because I am inside my already-protected network, I chose not to enable the Firewall at this time. Therefore, I cannot look inside the Firewall at this time to give instructions after the fact.

It is late, now, and I just finished an intense evening in the recording studio, so I am packing it in. I presume someone else will provide the answer before I return tomorrow, but if not, I will activate the Firewall and check things out.

In the meantime, did you try turning the Firewall off to check if that is indeed what is blocking it?

Good luck, Carlos.

-- 
-Gerry Makaro
openSUSE Member
openSUSE Forum Moderator
openSUSE Contributor
aka Fraser_Bell on the Forums, OBS, IRC, and mail at openSUSE.org
Fraser-Bell on Github
Fraser_Bell wrote:
On 03/09/2018 07:38 PM, Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
Hmmm. I installed 15.0 Beta the other day, and there *was* an option at the bottom of the summary page to enable SSH. In fact, there were options to import SSH configuration from other installs (42.3 and/or TW on my machine), as well as the additional option to import the SSH keys.
That appears when an existing install is detected. When you install onto a fresh system, you won't see that.

-- 
Per Jessen, Zürich (8.9°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2018-03-10 09:38, Per Jessen wrote:
Fraser_Bell wrote:
On 03/09/2018 07:38 PM, Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
Hmmm. I installed 15.0 Beta the other day, and there *was* an option at the bottom of the summary page to enable SSH. In fact, there were options to import SSH configuration from other installs (42.3 and/or TW on my machine), as well as the additional option to import the SSH keys.
That appears when an existing install is detected. When you install onto a fresh system, you won't see that.
It only says it imports the existing keys. It doesn't say anything about starting the daemon (it did not, two installs), and it did not open the firewall (two installs). -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
On 2018-03-10 09:38, Per Jessen wrote:
Fraser_Bell wrote:
On 03/09/2018 07:38 PM, Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
Hmmm. I installed 15.0 Beta the other day, and there *was* an option at the bottom of the summary page to enable SSH. In fact, there were options to import SSH configuration from other installs (42.3 and/or TW on my machine), as well as the additional option to import the SSH keys.
That appears when an existing install is detected. When you install onto a fresh system, you won't see that.
It only says it imports the existing keys. It doesn't say anything about starting the daemon (it did not, two installs), and it did not open the firewall (two installs).
For a DVD install, that is probably the default that we've always had. Being able to open ssh at time of install would be good though.

-- 
Per Jessen, Zürich (10.2°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 2018-03-10 14:06, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-03-10 09:38, Per Jessen wrote:
Fraser_Bell wrote:
On 03/09/2018 07:38 PM, Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
Hmmm. I installed 15.0 Beta the other day, and there *was* an option at the bottom of the summary page to enable SSH. In fact, there were options to import SSH configuration from other installs (42.3 and/or TW on my machine), as well as the additional option to import the SSH keys.
That appears when an existing install is detected. When you install onto a fresh system, you won't see that.
It only says it imports the existing keys. It doesn't say anything about starting the daemon (it did not, two installs), and it did not open the firewall (two installs).
For a DVD install, that is probably the default that we've always had. Being able to open ssh at time of install would be good though.
Yes, but there was, for years, a paragraph in the "installation_overview" about:

starting sshd (not starting)
open firewall (close)

So we had a prominent place where to choose.

This paragraph was the result of a long discussion by the community, and is missing now. See attached photo from the Leap 42.3 install (dvd, empty disk).

-- 
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 10/03/18 08:43 AM, Carlos E. R. wrote:
On 2018-03-10 14:06, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-03-10 09:38, Per Jessen wrote:
Fraser_Bell wrote:
On 03/09/2018 07:38 PM, Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
Hmmm. I installed 15.0 Beta the other day, and there *was* an option at the bottom of the summary page to enable SSH. In fact, there were options to import SSH configuration from other installs (42.3 and/or TW on my machine), as well as the additional option to import the SSH keys.
That appears when an existing install is detected. When you install onto a fresh system, you won't see that.
It only says it imports the existing keys. It doesn't say anything about starting the daemon (it did not, two installs), and it did not open the firewall (two installs).
For a DVD install, that is probably the default that we've always had. Being able to open ssh at time of install would be good though.
Yes, but there was, since years, a paragraph in the "installation_overview" about:
starting sshd (not starting)
open firewall (close)
So we had a prominent place where to choose.
This paragraph was the result of a long discussion by the community, and is missing now. See attached photo from the Leap 42.3 install (dvd, empty disk).
Fedora provides firewalld info at this link: https://fedoraproject.org/wiki/Firewalld?rd=FirewallD#public

-- 
Cheers!
Roman
On 2018-03-12 16:28, Roman Bysh wrote:
Fedora provides firewalld info at this link:
https://fedoraproject.org/wiki/Firewalld?rd=FirewallD#public
Yes, it does.

+++.............
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
.............++-

So, what is the difference between those three?

-- 
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 12/03/18 02:45 PM, Carlos E. R. wrote:
On 2018-03-12 16:28, Roman Bysh wrote:
Fedora provides firewalld info at this link:
https://fedoraproject.org/wiki/Firewalld?rd=FirewallD#public
Yes, it does.
+++............. work For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. .............++-
So, what is the difference between those three?
I agree. There are two or three that look to me that they are the same. And the help button should provide everything that's online.

-- 
Cheers!
Roman
On 03/12/2018 11:45 AM, Carlos E. R. wrote:
On 2018-03-12 16:28, Roman Bysh wrote:
Fedora provides firewalld info at this link:
https://fedoraproject.org/wiki/Firewalld?rd=FirewallD#public
Yes, it does.
+++............. work For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. .............++-
So, what is the difference between those three?
Hmmm. I am surprised at you, Carlos.

It should be quite plain, even without any translation.

Obviously, the difference is that one is called *work*, the other is called *home*, and the other is called *internal*.

... and that is the only difference. (?????!!!????)

ROTFL

-- 
-Gerry Makaro
openSUSE Member
openSUSE Forum Moderator
openSUSE Contributor
aka Fraser_Bell on the Forums, OBS, IRC, and mail at openSUSE.org
Fraser-Bell on Github
On Monday, 2018-03-12 at 15:19 -0700, Fraser_Bell wrote:
On 03/12/2018 11:45 AM, Carlos E. R. wrote:
On 2018-03-12 16:28, Roman Bysh wrote:
So, what is the difference between those three?
Hmmm. I am surprised at you, Carlos.
It should be quite plain, even without any translation.
Obviously, the difference is that one is called *work*, the other is called *home*, and the other is called *internal*.
... and that is the only difference. (?????!!!????)
ROTFL
:-D

I found a link that hints that there may be a difference in which services are opened on which zone.

<https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7>

It may be also possible that the user customizes the zones, so that a laptop opens different ports at home or work.

-- 
Cheers,
Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" at Telcontar)
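The question of what separates home, work and internal, and the guess just above that the difference lies in which services each zone opens, can be settled by reading the zone definitions themselves rather than the description strings. The following is an added example, not code from the thread or from the firewalld project. It extracts the service list from zone XML files and diffs two zones; the sample zone files are constructed inline so it runs offline (their service lists are modelled on the upstream defaults of the period but are not authoritative, and the "public" sample deliberately has ssh removed), so point it at your own copies under /usr/lib/firewalld/zones/ for the real answer.

```shell
#!/bin/sh
# Added example, not from the thread: what actually differs between the
# firewalld zones. The description strings of home, work and internal are the
# same; the differences are the services each zone opens by default and which
# interfaces or source ranges you bind to it. Zone definitions are XML files:
# package defaults under /usr/lib/firewalld/zones/, local overrides (what
# --permanent writes) under /etc/firewalld/zones/.

# zone_services FILE -> the zone's service names, sorted, one per line
zone_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | sort
}

# zone_allows_ssh FILE -> exit 0 if the zone opens the ssh service or 22/tcp
zone_allows_ssh() {
    grep -Eq '<service name="ssh"/>|<port port="22" protocol="tcp"/>' "$1"
}

# zone_diff FILE_A FILE_B -> services only in A as "-name", only in B as
# "+name", one per line; empty output means both zones open the same services
zone_diff() {
    zd_a=$(mktemp); zd_b=$(mktemp)
    zone_services "$1" > "$zd_a"
    zone_services "$2" > "$zd_b"
    comm -23 "$zd_a" "$zd_b" | sed 's/^/-/'
    comm -13 "$zd_a" "$zd_b" | sed 's/^/+/'
    rm -f "$zd_a" "$zd_b"
}

# Constructed sample zone files so this runs offline. The service lists are
# modelled on upstream firewalld defaults of the time but are NOT
# authoritative, and "public" deliberately has ssh removed to show how a
# distribution default can differ; compare your own installed files instead.
ZONE_DIR=$(mktemp -d)
trap 'rm -rf "$ZONE_DIR"' EXIT

# write_zone NAME SERVICE... -> minimal zone file in firewalld's XML format
write_zone() {
    wz_name=$1; shift
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
        printf '  <short>%s</short>\n' "$wz_name"
        for wz_svc in "$@"; do printf '  <service name="%s"/>\n' "$wz_svc"; done
        printf '</zone>\n'
    } > "$ZONE_DIR/$wz_name.xml"
}
write_zone home     ssh mdns samba-client dhcpv6-client
write_zone work     ssh dhcpv6-client
write_zone internal ssh mdns samba-client dhcpv6-client
write_zone public   dhcpv6-client

for z in home work internal public; do
    printf '%-9s services: %s\n' "$z" "$(zone_services "$ZONE_DIR/$z.xml" | tr '\n' ' ')"
done
echo "home vs work:";     zone_diff "$ZONE_DIR/home.xml" "$ZONE_DIR/work.xml"
echo "home vs internal:"; zone_diff "$ZONE_DIR/home.xml" "$ZONE_DIR/internal.xml"
echo "public vs work:";   zone_diff "$ZONE_DIR/public.xml" "$ZONE_DIR/work.xml"
```

On a real system replace `$ZONE_DIR` with `/usr/lib/firewalld/zones` (and check `/etc/firewalld/zones` for local overrides, which take precedence); an empty `zone_diff` between home and internal is the expected result, which is why the three descriptions read alike. The practical difference is then only which zone your interface is bound to and what you add to it afterwards.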
Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
It hasn't been on any of my test installs. On a network install, sshd is automatically enabled. Dunno about the firewalld setting though, I don't install that.
Thus, I can not connect to my own machine. I had to do "systemctl enable sshd.service", then start it, and I could connect "localhost". But not from outside:
Telcontar:~ # ssh 192.168.1.128 ssh: connect to host 192.168.1.128 port 22: No route to host
I believe that message is an indication that the firewall is rejecting the access. If the port simply wasn't open for connections, you would get a "connection refused" instead.

-- 
Per Jessen, Zürich (8.4°C)
http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 10.03.2018 at 08:47, Per Jessen wrote:
Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
It hasn't been on any of my test installs. On a network install, sshd is automatically enabled. Dunno about the firewalld setting though, I don't install that.
https://openqa.opensuse.org/tests/630115#step/installation_overview/2 is missing it also. Did anyone of you file a bug?

Greetings, Stephan

-- 
You have to keep fighting, fighting until you drop, even if the whole world has gone to hell, or precisely because of that.
On 2018-03-10 08:49, Stephan Kulow wrote:
On 10.03.2018 at 08:47, Per Jessen wrote:
Carlos E. R. wrote:
Hi,
On install of 15.0 there is no question on enabling/disabling ssh as before, nor about opening the port, contrary to previous versions. Notice that this can be a blocker on remote installs.
It hasn't been on any of my test installs. On a network install, sshd is automatically enabled. Dunno about the firewalld setting though, I don't install that.
https://openqa.opensuse.org/tests/630115#step/installation_overview/2 is missing it also. Did anyone of you file a bug?
Sorry, I do not know how to understand that page. The photo is not what I saw: there was a last item saying it was going to import ssh keys from previous install. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
How do I open the ssh port in the new firewalld? There is a module in YaST, but I can not understand it at all.
When trying to run the YaST firewall module, I only got a message that there is no module yet:

Error
YaST currently does not have a module for configuring firewall. Please, either use "firewall-config" to configure your firewall via a user interface or "firewall-cmd" for the command line.

-- 
Per Jessen, Zürich (8.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 10.03.2018 at 09:55, Per Jessen wrote:
Carlos E. R. wrote:
How do I open the ssh port in the new firewalld? There is a module in YaST, but I can not understand it at all.
When trying to run the YaST firewall module, I only got a message that there is no module yet:
See subsection "Firewalld enhancements" at Yast Development Sprint 50: https://lizards.opensuse.org/2018/02/09/highlights-of-yast-development-sprin...
Error
YaST currently does not have a module for configuring firewall. Please, either use "firewall-config" to configure your firewall via a user interface or "firewall-cmd" for the command line.

Given the package firewall-config (and the corresponding applet, if you wish) allows you to configure almost everything. By the way, in firewalld ssh and open port 22 is enabled by default, e.g., for the home zone.
Regards, Frank
Frank Krüger wrote:
On 10.03.2018 at 09:55, Per Jessen wrote: [snip]
Error YaST currently does not have a module for configuring firewall. Please, either use "firewall-config" to configure your firewall via a user interface or "firewall-cmd" for the command line.
Given the package firewall-config (and the corresponding applet, if you wish) allows you to configure almost everything.
Yeah, I took a look at it. As long as the system has X :-) First impression, it's quite complex - for my systems, I think I'll stick to using vim on the firewall script ...
By the way, in firewalld ssh and open port 22 is enabled per default, e.g., for the home zone.
In his OP, Carlos is complaining that it does not. I wonder if it might be because he is doing a local (non-network) installation.

-- 
Per Jessen, Zürich (9.7°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2018-03-10 10:24, Frank Krüger wrote:
On 10.03.2018 at 09:55, Per Jessen wrote:
Carlos E. R. wrote:
How do I open the ssh port in the new firewalld? There is a module in YaST, but I can not understand it at all.
When trying to run the YaST firewall module, I only got a message that there is no module yet:
See subsection "Firewalld enhancements" at Yast Development Sprint 50:
https://lizards.opensuse.org/2018/02/09/highlights-of-yast-development-sprin...
We need simple documentation with examples. At <https://doc.opensuse.org/>
Error
YaST currently does not have a module for configuring firewall. Please, either use "firewall-config" to configure your firewall via a user interface or "firewall-cmd" for the command line.

Given the package firewall-config (and the corresponding applet, if you wish) allows you to configure almost everything. By the way, in firewalld ssh and open port 22 is enabled by default, e.g., for the home zone.
It may allow configuration, if you know how. I did not understand any of it.

And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.

Can you explain how to open 22?

I installed from DVD with network active.

-- 
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 2018-03-10 13:56, Carlos E. R. wrote:
On 2018-03-10 10:24, Frank Krüger wrote:
On 10.03.2018 at 09:55, Per Jessen wrote:
Carlos E. R. wrote:
How do I open the ssh port in the new firewalld? There is a module in YaST, but I can not understand it at all.
When trying to run the YaST firewall module, I only got a message that there is no module yet:
See subsection "Firewalld enhancements" at Yast Development Sprint 50:
https://lizards.opensuse.org/2018/02/09/highlights-of-yast-development-sprin...
We need simple documentation with examples. At <https://doc.opensuse.org/>
Search for "firewalld" in there produces: two google ads that do not allow copy paste, about firewall in Centos, and then an error:

Unauthorized access to internal API. Please refer to https://support.google.com/customsearch/answer/4542055

There is this link I found on google "opensuse.org: firewalld" <https://en.opensuse.org/Firewalld>

It just has a short description of features, but no explanation or examples about how to use it.

I still have no idea how to open the ssh port.

-- 
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
I still have no idea how to open the ssh port.
From the quick look I took at "firewall-config", you click the'ssh' box on the right hand side, and save the config. Something like that.
There is clearly a bit of a learning curve here. -- Per Jessen, Zürich (10.1°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Saturday, 2018-03-10 at 14:24 +0100, Per Jessen wrote:
Carlos E. R. wrote:
I still have no idea how to open the ssh port.
From the quick look I took at "firewall-config", you click the'ssh' box on the right hand side, and save the config. Something like that.
There is clearly a bit of a learning curve here.
If you do that, on the next boot you have to redo everything. By default, all changes are temporary. In "options" you have to click on "Runtime to permanent", or previously switch configuration to Permanent.

Ah: the "Help" menu only has an "About" box.

There are things I have no clue how to use. For instance, I can select the tab on "Services" and I see useful ones like ftp or nfs. But I have no idea if they are active or not, and how to activate them. I can only add services or edit them.

Similarly for "Helpers". I rather hoped that "helper" stood for "wizard", but far from it. I go to the documentation site.

<http://www.firewalld.org/documentation/helper/>

"A firewalld helper defines the configuration that are needed to be able to use a netfilter connection tracking helper if automatic helper assignment is turned off, which is then the secure use of connection tracking helpers."

I understand nothing...

"This can be achieved either with the kernel default setting for nf_conntrack_helper, a sysctl setting of net.netfilter.nf_conntrack_helper or with the AutomaticHelpers setting in the firewalld.conf file."

"A firewalld helper can be a list of local ports, a kernel module and a family definition."

What is that?

There is a further link to "examples" which looks Chinese to me.

There is no documentation on the YaST firewall module...

-- 
Cheers,
Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" at Telcontar)
Carlos E. R. wrote:
From the quick look I took at "firewall-config", you click the'ssh' box on the right hand side, and save the config. Something like that.
There is clearly a bit of a learning curve here.
If you do that, on the next boot you have to redo everything. By default, all changes are temporary. In "options" you have to click on "Runtime to permanent", or previously switch configuration to Permanent.
Come on - this is at least one of the things that *is* very clear in this GUI. And it's a useful thing if you quickly want to change some setting without changing the defaults.
Ah: the "Help" menu only has an "About" box.
Well - you heard about the issue of distributing the docs? SCNR.....
I go to the documentation site.
<http://www.firewalld.org/documentation/helper/>
"A firewalld helper defines the configuration that are needed to be able to use a netfilter connection tracking helper if automatic helper assignment is turned off, which is then the secure use of connection tracking helpers."
I understand nothing...
You can also try to read the (local) manpages, there are quite some. I tried yesterday evening, but the result was similar, so I stopped. You need to read that fully awake (and maybe with a lot of coffee around...)
This no documentation on the YaST firewall module...
Well, the 'Yast Module' is just the (external, also from firewalld.org) firewall-config. But don't try to read the manpage...
On 2018-03-12 09:59, Peter Suetterlin wrote:
Carlos E. R. wrote:
From the quick look I took at "firewall-config", you click the'ssh' box on the right hand side, and save the config. Something like that.
There is clearly a bit of a learning curve here.
If you do that, on the next boot you have to redo everything. By default, all changes are temporary. In "options" you have to click on "Runtime to permanent", or previously switch configuration to Permanent.
Come on - this is at least one of the things that *is* very clear in this GUI. And it's a usefull thing if you quickly want to change some setting without changing the defaults.
I agree that it is useful, but no, it was not obvious to me at all. I read about it in a link at <https://en.opensuse.org/SDB:LAMP_setup> (posted by Victorhck).
Ah: the "Help" menu only has an "About" box.
Well - you heard about the issue of distributing the docs?
SCNR.....
Er... no... You mean that there is a licensing issue with the docs? Someone said so, yes. Why, no idea.
I go to the documentation site.
<http://www.firewalld.org/documentation/helper/>
"A firewalld helper defines the configuration that are needed to be able to use a netfilter connection tracking helper if automatic helper assignment is turned off, which is then the secure use of connection tracking helpers."
I understand nothing...
You can also try to read the (local) manpages, there are quite some. I tried yesterday evening, but the result was similar, so I stopped. You need to read that fully awake (and maybe with a lot of coffee around...)
So I'm not the only one ;-)
This no documentation on the YaST firewall module...
Well, the 'Yast Module' is just the (external, also from firewalld.org) firewall-config. But don't try to read the manpage...
Knowing now its name, I located a better place: <http://www.firewalld.org/documentation/utilities/firewall-config.html> I just added some modifications to our wiki. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 12 March 2018 at 13:21, Carlos E. R. <robin.listas@telefonica.net> wrote:
Well - you heard about the issue of distributing the docs?
SCNR.....
Er... no... You mean that there is a licensing issue with the docs? Someone said so, yes. Why, no idea.
I go to the documentation site.
licensing 101 - the above URL and the whole firewalld.org site has the following at the bottom of the page

"Copyright © 2016 firewalld. All Rights Reserved."

There is no mention anywhere on the site of any license which would allow redistribution or reuse of the content of the site. Therefore the rights for redistribution and reuse for the docs on the site are ambiguous at best, or not permitted at worst.

This is different from the openSUSE wikis for example which have the following at the bottom of every page

"© 2001-2017 SUSE LLC and others. All content is made available under the terms of the GNU Free Documentation License version 1.2 ("GFDL") unless expressly otherwise indicated"

This makes sure there's no such ambiguity on our own documentation.
On 2018-03-12, 14:56 GMT, Richard Brown wrote:
There is no mention anywhere on the site of any license which would allow redistribution or reuse of the content of the site.
Then just don't scrape the website (which is The Wrong Thing™ anyway) and use the sources. Look at https://github.com/firewalld/firewalld/blob/master/doc/xml/firewalld.xml.in what's non-free on it?

Pinging Thomas on this. We are Red Hat, we don't do non-free here. It must be some mistake.

Best,
Matěj

-- 
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
Our lives are spectacles of powerlessness. -- Richard Rohr
On 2018-03-12, 14:56 GMT, Richard Brown wrote:
"Copyright © 2016 firewalld. All Rights Reserved."
There is no mention anywhere on the site of any license which would allow redistribution or reuse of the content of the site.
https://github.com/firewalld/firewalld.github.io/issues/3 (developers confirmed to me on the internal IRC that it is a mistake). Take a notice also of https://github.com/firewalld/firewalld.github.io/blob/master/LICENSE

However, the license will be probably changed, but certainly what's there is the intent.

Best,
Matěj

-- 
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
It is a rare mind indeed that can render the hitherto non-existent blindingly obvious. The cry "I could have thought of that" is a very popular and misleading one, for the fact is that they didn't, and a very significant and revealing fact it is too. -- Douglas Adams, Dirk Gently's Holistic Detective Agency
On 2018-03-12, 14:56 GMT, Richard Brown wrote:
I go to the documentation site.
licensing 101 - the above URL and the whole firewalld.org site has the following at the bottom of the page
"Copyright © 2016 firewalld. All Rights Reserved."
There is no mention anywhere on the site of any license which would allow redistribution or reuse of the content of the site.
Fixed in https://github.com/firewalld/firewalld.github.io/commit/214f05fc44

Best,
Matěj

-- 
https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8
<"}}}><
On 10 March 2018 13:56:31 CET, "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2018-03-10 10:24, Frank Krüger wrote:
On 10.03.2018 at 09:55, Per Jessen wrote:
Carlos E. R. wrote:
How do I open the ssh port in the new firewalld? There is a module in YaST, but I can not understand it at all.
When trying to run the YaST firewall module, I only got a message that there is no module yet:
See subsection "Firewalld enhancements" at Yast Development Sprint 50:
https://lizards.opensuse.org/2018/02/09/highlights-of-yast-development-sprin...
We need simple documentation with examples. At <https://doc.opensuse.org/>
Error
YaST currently does not have a module for configuring firewall. Please, either use "firewall-config" to configure your firewall via a user interface or "firewall-cmd" for the command line.

Given the package firewall-config (and the corresponding applet, if you wish) allows you to configure almost everything. By the way, in firewalld ssh and open port 22 is enabled by default, e.g., for the home zone.
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
As root execute this. Note that this assumes that the zone you have configured is public. Replace public with your zone you have selected.
firewall-cmd --zone=public --add-port=80/tcp --permanent
Once you add the firewall rule reload firewall service.
firewall-cmd --reload
If it's useful to you...
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
As root execute this. Note that this assumes that the zone you have configured is public. Replace public with your zone you have selected.
I have not selected any zone. I don't know what a zone is. I have done nothing. I simply started a module in YaST, it said it needed to install things, and presented a configuration window that I can't understand, too many options, bewildering.
firewall-cmd --zone=public --add-port=80/tcp --permanent
Once you add the firewall rule reload firewall service.
firewall-cmd --reload
If it's useful to you...
Yes, somewhat, thanks...
--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 10 March 2018 at 14:32:10 CET, "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
https://en.opensuse.org/SDB:LAMP_setup
Greetings
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
On 2018-03-10 14:56, Victorhck wrote:
On 10 March 2018 at 14:32:10 CET, "Carlos E. R." <> wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
Oh. I hoped you had found the firewalld documentation for openSUSE. Thanks for finding it. Still, it is the only doc so far:
Alternatively, you can use the graphic user interface through YaST
Open the YaST Control Center
Select Firewall
The Configuration for modification defaults under Runtime. Any changes you make will only affect the current Runtime of the machine
Note the Zone that the network is running and ensure that the current zone is selected under the Zones tab.
In the Services tab, locate apache2 in the window.
If you would like to make this change permanent under the selected Zone, select Options > Runtime to Permanent
If no further changes to the firewall are required, close the Configuration window, changes are immediate.
--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
On 2018-03-10 15:06, Carlos E. R. wrote:
On 2018-03-10 14:56, Victorhck wrote:
On 10 March 2018 at 14:32:10 CET, "Carlos E. R." <> wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
Oh. I hoped you had found the firewalld documentation for openSUSE. Thanks for finding it.
Still, it is the only doc so far:
Alternatively, you can use the graphic user interface through YaST
Open the YaST Control Center
Select Firewall
The Configuration for modification defaults under Runtime. Any changes you make will only affect the current Runtime of the machine
Note the Zone that the network is running and ensure that the current zone is selected under the Zones tab.
In the Services tab, locate apache2 in the window.
If you would like to make this change permanent under the selected Zone, select Options > Runtime to Permanent
If no further changes to the firewall are required, close the Configuration window, changes are immediate.
Ok, finally got ssh access. Thank you Victorhck and Per
--
Cheers/Saludos
Carlos E. R. (testing openSUSE Leap 15.0, at Minas-Anor)
On Saturday, 10 March 2018 14:32:10 CET Carlos E. R. wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
As root execute this. Note that this assumes that the zone you have configured is public. Replace public with your zone you have selected.
I have not selected any zone. I don't know what a zone is. I have done nothing.
Apparently not even tried. First hit when searching for "firewalld zone": http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
Regards,
Stefan
--
Stefan Brüns / Bergstraße 21 / 52062 Aachen
home: +49 241 53809034 mobile: +49 151 50412019
On 2018-03-10 21:21, Stefan Brüns wrote:
On Saturday, 10 March 2018 14:32:10 CET Carlos E. R. wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
As root execute this. Note that this assumes that the zone you have configured is public. Replace public with your zone you have selected.
I have not selected any zone. I don't know what a zone is. I have done nothing.
Apparently not even tried. First hit when searching for "firewalld zone": http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
That is outside opensuse.org
--
Cheers/Saludos
Carlos E. R. (testing openSUSE Leap 15.0, at Minas-Anor)
On 10 March 2018 at 21:28, Carlos E. R. <robin.listas@telefonica.net> wrote:
Apparently not even tried. First hit when searching for "firewalld zone": http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
That is outside opensuse.org
one of the benefits of openSUSE being an OPEN SOURCE distribution is that we include technologies which are not invented here
Which means their documentation applies
Why should we repeat documentation already provided by our partner software authors?
Especially when redistribution license of the documentation is unclear on the site.
On 2018-03-10 23:14, Richard Brown wrote:
On 10 March 2018 at 21:28, Carlos E. R. <> wrote:
Apparently not even tried. First hit when searching for "firewalld zone": http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
That is outside opensuse.org
one of the benefits of openSUSE being an OPEN SOURCE distribution is that we include technologies which are not invented here
Which means their documentation applies
Then our documentation should clearly link to the upstream documentation site.
Why should we repeat documentation already provided by our partner software authors?
Because often openSUSE customizes. I don't go looking at fedora sites for documentation of openSUSE.
Especially when redistribution license of the documentation is unclear on the site.
You mean that firewalld is not opensource? Great.
--
Cheers / Saludos,
Carlos E. R. (from 42.3 x86_64 "Malachite" (Minas Tirith))
Carlos E. R. wrote:
On 2018-03-10 23:14, Richard Brown wrote:
On 10 March 2018 at 21:28, Carlos E. R. <> wrote:
Apparently not even tried. First hit when searching for "firewalld zone":
http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
That is outside opensuse.org
one of the benefits of openSUSE being an OPEN SOURCE distribution is that we include technologies which are not invented here
Which means their documentation applies
Then our documentation should clearly link to the upstream documentation site.
Why should we repeat documentation already provided by our partner software authors?
Because often openSUSE customizes.
I don't go looking at fedora sites for documentation of openSUSE.
For "standard" software I will use whichever documentation is the best - redhat, Fedora, SUSE, openSUSE, Arch, *buntu, IBM. Using only openSUSE is rarely sufficient.
Especially when redistribution license of the documentation is unclear on the site.
You mean that firewalld is not opensource? Great.
Apparently there is an issue with the documentation, but firewalld itself is clearly okay. I don't know why the documentation is separately licensed?
--
Per Jessen, Zürich (9.3°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
Carlos E. R. wrote:
On 2018-03-10 21:21, Stefan Brüns wrote:
On Saturday, 10 March 2018 14:32:10 CET Carlos E. R. wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
As root execute this. Note that this assumes that the zone you have configured is public. Replace public with your zone you have selected.
I have not selected any zone. I don't know what a zone is. I have done nothing.
Apparently not even tried. First hit when searching for "firewalld zone": http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
That is outside opensuse.org
Most things are, Carlos. At this point - during the beta - it is not unreasonable to suggest you look elsewhere for the detailed documentation. Once Leap15 goes live, it would also be reasonable to expect some decent firewalld documentation in the openSUSE SDB (for instance).
--
Per Jessen, Zürich (9.3°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 2018-03-11 11:07, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-03-10 21:21, Stefan Brüns wrote:
On Saturday, 10 March 2018 14:32:10 CET Carlos E. R. wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
As root execute this. Note that this assumes that the zone you have configured is public. Replace public with your zone you have selected.
I have not selected any zone. I don't know what a zone is. I have done nothing.
Apparently not even tried. First hit when searching for "firewalld zone": http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
That is outside opensuse.org
Most things are, Carlos. At this point - during the beta - it is not unreasonable to suggest you look elsewhere for the detailed documentation. Once Leap15 goes live, it would also be reasonable to expect some decent firewalld documentation in the openSUSE SDB (for instance).
I expected at least some pointers at opensuse.org. For documentation see this <link>.
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
--
Cheers / Saludos,
Carlos E. R. (from 42.3 x86_64 "Malachite" (Minas Tirith))
On 11.03.2018 at 11:24, Carlos E. R. wrote:
On 2018-03-11 11:07, Per Jessen wrote:
Carlos E. R. wrote:
On 2018-03-10 21:21, Stefan Brüns wrote:
On Saturday, 10 March 2018 14:32:10 CET Carlos E. R. wrote:
On 2018-03-10 14:27, Victorhck wrote:
On 10 March 2018 at 13:56:31 CET, "Carlos E. R." <> wrote:
It may allow configuration, if you know how. I did not understand any of it.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I saw this in openSUSE wiki:
URL?
As root execute this. Note that this assumes that the zone you have configured is public. Replace public with your zone you have selected.
I have not selected any zone. I don't know what a zone is. I have done nothing.
Apparently not even tried. First hit when searching for "firewalld zone": http://www.firewalld.org/documentation/man-pages/firewalld.zones.html
That is outside opensuse.org
Most things are, Carlos. At this point - during the beta - it is not unreasonable to suggest you look elsewhere for the detailed documentation. Once Leap15 goes live, it would also be reasonable to expect some decent firewalld documentation in the openSUSE SDB (for instance).
I expected at least some pointers at opensuse.org. For documentation see this <link>.
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
Have you tried susefirewall2-to-firewalld or is this bash script too simple for your needs?
Regards,
Frank
On 2018-03-11 11:32, Frank Krüger wrote:
On 11.03.2018 at 11:24, Carlos E. R. wrote:
I expected at least some pointers at opensuse.org. For documentation see this <link>.
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
Have you tried susefirewall2-to-firewalld or is this bash script too simple for your needs?
I don't know. The test Leap 15.0 install is new, so it erases the previous config. The susefirewall2 is in backup and other installs.
Can I simply copy the SuSEfirewall2 config file and apply that script to it?
For example, I had entries that limited access to a port to certain IPs only. There was another rule that failed a connection if attempted 3 times in a minute.
Next, I have to try how to use nfs client and server.
--
Cheers / Saludos,
Carlos E. R. (from 42.3 x86_64 "Malachite" (Minas Tirith))
On 11.03.2018 at 11:47, Carlos E. R. wrote:
On 2018-03-11 11:32, Frank Krüger wrote:
On 11.03.2018 at 11:24, Carlos E. R. wrote:
I expected at least some pointers at opensuse.org. For documentation see this <link>.
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
Have you tried susefirewall2-to-firewalld or is this bash script too simple for your needs?
I don't know. The test Leap 15.0 install is new, so it erases the previous config. The susefirewall2 is in backup and other installs.
Can I simply copy the SuSEfirewall2 config file and apply that script to it?
I never used this script, so my answer would be just a guess. More information on the usage and the restrictions can be found here: https://github.com/openSUSE/susefirewall2-to-firewalld. Hope this helps.
Regards,
Frank
On 03/11/2018 12:19 PM, Frank Krüger wrote:
On 11.03.2018 at 11:47, Carlos E. R. wrote:
On 2018-03-11 11:32, Frank Krüger wrote:
On 11.03.2018 at 11:24, Carlos E. R. wrote:
I expected at least some pointers at opensuse.org. For documentation see this <link>.
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
Have you tried susefirewall2-to-firewalld or is this bash script too simple for your needs?
I don't know. The test Leap 15.0 install is new, so it erases the previous config. The susefirewall2 is in backup and other installs.
Can I simply copy the SuSEfirewall2 config file and apply that script to it?
I never used this script, so my answer would be just a guess. More information on the usage and the restrictions can be found here: https://github.com/openSUSE/susefirewall2-to-firewalld.
Looking at it now. Installing the script also installs SuSEfirewall2, which is weird. I hope it doesn't enable the service. The script runs for a long time, writes a lot of text. I have no idea of what it is doing and whether I will be able to maintain the changes.

linux-9vao:~ # susefirewall2-to-firewalld
INFO: Reading the /etc/sysconfig/SuSEfirewall2 file
INFO: Ensuring all firewall services are in a well-known state.
INFO: This will start/stop/restart firewall services and it's likely
INFO: to cause network disruption.
INFO: If you do not wish for this to happen, please stop the script now!
5...4...3...2...1...Lets do it!
INFO: Stopping firewalld
INFO: Restarting SuSEfirewall2_init
INFO: Restarting SuSEfirewall2
INFO: ICMP: Adding icmp type="4[source-quench]" to zone="ext"
INFO: ICMP: Adding icmp type="4[source-quench]" to zone="int"
INFO: ICMP: Adding icmp type="8[echo-request]" to zone="ext"
INFO: ICMP: Adding icmp type="8[echo-request]" to zone="int"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=68 protocol=udp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=139 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=137 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=5353 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=515 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=21 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=20 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=143 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=993 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=2049 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.16/32 port port=2049 protocol=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" to zone="ext"
INFO: RICH: Adding rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" to zone="ext"
INFO: Port(s) "5060(TCP)" will be added to the "external" zone
INFO: Port(s) "1720(TCP)" will be added to the "external" zone
INFO: Port(s) "30000:30010(TCP)" will be added to the "external" zone
INFO: Port(s) "21(TCP)" will be added to the "external" zone
INFO: Port(s) "20(TCP)" will be added to the "external" zone
INFO: Port(s) "22(TCP)" will be added to the "external" zone
INFO: Port(s) "5060(UDP)" will be added to the "external" zone
INFO: Port(s) "1720(UDP)" will be added to the "external" zone
INFO: Port(s) "5060:5100(UDP)" will be added to the "external" zone
INFO: Port(s) "123(UDP)" will be added to the "external" zone
INFO: DIRECT: Adding direct rule="ipv6 -t filter -A INPUT -p udp -m udp --dport 546 -j ACCEPT"
INFO: ICMP: Adding icmp type="133[router-solicitation]" to zone="ext"
INFO: ICMP: Adding icmp type="133[router-solicitation]" to zone="int"
INFO: ICMP: Adding icmp type="134[router-advertisement]" to zone="ext"
INFO: ICMP: Adding icmp type="134[router-advertisement]" to zone="int"
INFO: ICMP: Adding icmp type="135[neighbour-solicitation]" to zone="ext"
INFO: ICMP: Adding icmp type="135[neighbour-solicitation]" to zone="int"
INFO: ICMP: Adding icmp type="136[neighbour-advertisement]" to zone="ext"
INFO: ICMP: Adding icmp type="136[neighbour-advertisement]" to zone="int"
INFO: ICMP: Adding icmp type="137[redirect]" to zone="ext"
INFO: ICMP: Adding icmp type="137[redirect]" to zone="int"
INFO: ICMP: Adding icmp type="130[multicast-listener-query]" to zone="ext"
INFO: ICMP: Adding icmp type="130[multicast-listener-query]" to zone="int"
INFO: RICH: Adding rich rule="rule family=ipv6 source address=fe80::/64 port port=5353 protocol=udp accept" to zone="ext"
INFO: Interface "eth0" will be added to the "ext" zone
INFO: Interface "wlan0" will be added to the "ext" zone
INFO: Stopping SuSEfirewall2
INFO: Stopping SuSEfirewall2_init
INFO: Starting firewalld
INFO: Resetting Zone: "block"
INFO: Resetting Zone: "dmz"
INFO: -> Removing service: "ssh"
INFO: Resetting Zone: "drop"
INFO: Resetting Zone: "external"
INFO: -> Removing masquerade
INFO: -> Removing service: "ssh"
INFO: Resetting Zone: "home"
INFO: -> Removing service: "ssh"
INFO: -> Removing service: "mdns"
INFO: -> Removing service: "samba-client"
INFO: -> Removing service: "dhcpv6-client"
INFO: Resetting Zone: "internal"
INFO: -> Removing service: "ssh"
INFO: -> Removing service: "mdns"
INFO: -> Removing service: "samba-client"
INFO: -> Removing service: "dhcpv6-client"
INFO: Resetting Zone: "public"
INFO: -> Removing service: "dhcpv6-client"
INFO: -> Removing service: "ssh"
INFO: -> Removing interface: "eth0"
INFO: Resetting Zone: "trusted"
INFO: Resetting Zone: "work"
INFO: -> Removing service: "ssh"
INFO: -> Removing service: "dhcpv6-client"
INFO:
INFO: FirewallD has been reset!
INFO:
INFO: Setting default zone to "external"
INFO: Adding interface="eth0" to zone="external"
INFO: Adding interface="wlan0" to zone="external"
INFO: Enabling service="sip" to zone="external"
INFO: Adding port(s)="1720/tcp" to zone="external"
INFO: Adding port(s)="30000-30010/tcp" to zone="external"
INFO: Enabling service="ftp" to zone="external"
INFO: Adding port(s)="20/tcp" to zone="external"
INFO: Enabling service="sip" to zone="external"
INFO: Adding port(s)="1720/udp" to zone="external"
INFO: Adding port(s)="5060-5100/udp" to zone="external"
INFO: Enabling service="freeipa-ldap" to zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=68 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=139 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=137 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=5353 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=515 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=21 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=20 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=143 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=993 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=2049 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.16/32 port port=2049 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.0/24 protocol value=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv6 source address=fe80::/64 port port=5353 protocol=udp accept" for zone="external"
INFO: Blocking icmp="address-unreachable" for zone="internal"
INFO: Blocking icmp="bad-header" for zone="internal"
INFO: Blocking icmp="beyond-scope" for zone="internal"
INFO: Blocking icmp="communication-prohibited" for zone="internal"
INFO: Blocking icmp="destination-unreachable" for zone="internal"
INFO: Blocking icmp="echo-reply" for zone="internal"
INFO: Blocking icmp="failed-policy" for zone="internal"
INFO: Blocking icmp="fragmentation-needed" for zone="internal"
INFO: Blocking icmp="host-precedence-violation" for zone="internal"
INFO: Blocking icmp="host-prohibited" for zone="internal"
INFO: Blocking icmp="host-redirect" for zone="internal"
INFO: Blocking icmp="host-unknown" for zone="internal"
INFO: Blocking icmp="host-unreachable" for zone="internal"
INFO: Blocking icmp="ip-header-bad" for zone="internal"
INFO: Blocking icmp="network-prohibited" for zone="internal"
INFO: Blocking icmp="network-redirect" for zone="internal"
INFO: Blocking icmp="network-unknown" for zone="internal"
INFO: Blocking icmp="network-unreachable" for zone="internal"
INFO: Blocking icmp="no-route" for zone="internal"
INFO: Blocking icmp="packet-too-big" for zone="internal"
INFO: Blocking icmp="parameter-problem" for zone="internal"
INFO: Blocking icmp="port-unreachable" for zone="internal"
INFO: Blocking icmp="precedence-cutoff" for zone="internal"
INFO: Blocking icmp="protocol-unreachable" for zone="internal"
INFO: Blocking icmp="reject-route" for zone="internal"
INFO: Blocking icmp="required-option-missing" for zone="internal"
INFO: Blocking icmp="source-route-failed" for zone="internal"
INFO: Blocking icmp="time-exceeded" for zone="internal"
INFO: Blocking icmp="timestamp-reply" for zone="internal"
INFO: Blocking icmp="timestamp-request" for zone="internal"
INFO: Blocking icmp="tos-host-redirect" for zone="internal"
INFO: Blocking icmp="tos-host-unreachable" for zone="internal"
INFO: Blocking icmp="tos-network-redirect" for zone="internal"
INFO: Blocking icmp="tos-network-unreachable" for zone="internal"
INFO: Blocking icmp="ttl-zero-during-reassembly" for zone="internal"
INFO: Blocking icmp="ttl-zero-during-transit" for zone="internal"
INFO: Blocking icmp="unknown-header-type" for zone="internal"
INFO: Blocking icmp="unknown-option" for zone="internal"
INFO: Blocking icmp="address-unreachable" for zone="dmz"
INFO: Blocking icmp="bad-header" for zone="dmz"
INFO: Blocking icmp="beyond-scope" for zone="dmz"
INFO: Blocking icmp="communication-prohibited" for zone="dmz"
INFO: Blocking icmp="destination-unreachable" for zone="dmz"
INFO: Blocking icmp="echo-reply" for zone="dmz"
INFO: Blocking icmp="echo-request" for zone="dmz"
INFO: Blocking icmp="failed-policy" for zone="dmz"
INFO: Blocking icmp="fragmentation-needed" for zone="dmz"
INFO: Blocking icmp="host-precedence-violation" for zone="dmz"
INFO: Blocking icmp="host-prohibited" for zone="dmz"
INFO: Blocking icmp="host-redirect" for zone="dmz"
INFO: Blocking icmp="host-unknown" for zone="dmz"
INFO: Blocking icmp="host-unreachable" for zone="dmz"
INFO: Blocking icmp="ip-header-bad" for zone="dmz"
INFO: Blocking icmp="neighbour-advertisement" for zone="dmz"
INFO: Blocking icmp="neighbour-solicitation" for zone="dmz"
INFO: Blocking icmp="network-prohibited" for zone="dmz"
INFO: Blocking icmp="network-redirect" for zone="dmz"
INFO: Blocking icmp="network-unknown" for zone="dmz"
INFO: Blocking icmp="network-unreachable" for zone="dmz"
INFO: Blocking icmp="no-route" for zone="dmz"
INFO: Blocking icmp="packet-too-big" for zone="dmz"
INFO: Blocking icmp="parameter-problem" for zone="dmz"
INFO: Blocking icmp="port-unreachable" for zone="dmz"
INFO: Blocking icmp="precedence-cutoff" for zone="dmz"
INFO: Blocking icmp="protocol-unreachable" for zone="dmz"
INFO: Blocking icmp="redirect" for zone="dmz"
INFO: Blocking icmp="reject-route" for zone="dmz"
INFO: Blocking icmp="required-option-missing" for zone="dmz"
INFO: Blocking icmp="router-advertisement" for zone="dmz"
INFO: Blocking icmp="router-solicitation" for zone="dmz"
INFO: Blocking icmp="source-quench" for zone="dmz"
INFO: Blocking icmp="source-route-failed" for zone="dmz"
INFO: Blocking icmp="time-exceeded" for zone="dmz"
INFO: Blocking icmp="timestamp-reply" for zone="dmz"
INFO: Blocking icmp="timestamp-request" for zone="dmz"
INFO: Blocking icmp="tos-host-redirect" for zone="dmz"
INFO: Blocking icmp="tos-host-unreachable" for zone="dmz"
INFO: Blocking icmp="tos-network-redirect" for zone="dmz"
INFO: Blocking icmp="tos-network-unreachable" for zone="dmz"
INFO: Blocking icmp="ttl-zero-during-reassembly" for zone="dmz"
INFO: Blocking icmp="ttl-zero-during-transit" for zone="dmz"
INFO: Blocking icmp="unknown-header-type" for zone="dmz"
INFO: Blocking icmp="unknown-option" for zone="dmz"
INFO: Blocking icmp="address-unreachable" for zone="external"
INFO: Blocking icmp="bad-header" for zone="external"
INFO: Blocking icmp="beyond-scope" for zone="external"
INFO: Blocking icmp="communication-prohibited" for zone="external"
INFO: Blocking icmp="destination-unreachable" for zone="external"
INFO: Blocking icmp="echo-reply" for zone="external"
INFO: Blocking icmp="failed-policy" for zone="external"
INFO: Blocking icmp="fragmentation-needed" for zone="external"
INFO: Blocking icmp="host-precedence-violation" for zone="external"
INFO: Blocking icmp="host-prohibited" for zone="external"
INFO: Blocking icmp="host-redirect" for zone="external"
INFO: Blocking icmp="host-unknown" for zone="external"
INFO: Blocking icmp="host-unreachable" for zone="external"
INFO: Blocking icmp="ip-header-bad" for zone="external"
INFO: Blocking icmp="network-prohibited" for zone="external"
INFO: Blocking icmp="network-redirect" for zone="external"
INFO: Blocking icmp="network-unknown" for zone="external"
INFO: Blocking icmp="network-unreachable" for zone="external"
INFO: Blocking icmp="no-route" for zone="external"
INFO: Blocking icmp="packet-too-big" for zone="external"
INFO: Blocking icmp="parameter-problem" for zone="external"
INFO: Blocking icmp="port-unreachable" for zone="external"
INFO: Blocking icmp="precedence-cutoff" for zone="external"
INFO: Blocking icmp="protocol-unreachable" for zone="external"
INFO: Blocking icmp="reject-route" for zone="external"
INFO: Blocking icmp="required-option-missing" for zone="external"
INFO: Blocking icmp="source-route-failed" for zone="external"
INFO: Blocking icmp="time-exceeded" for zone="external"
INFO: Blocking icmp="timestamp-reply" for zone="external"
INFO: Blocking icmp="timestamp-request" for zone="external"
INFO: Blocking icmp="tos-host-redirect" for zone="external"
INFO: Blocking icmp="tos-host-unreachable" for zone="external"
INFO: Blocking icmp="tos-network-redirect" for zone="external"
INFO: Blocking icmp="tos-network-unreachable" for zone="external"
INFO: Blocking icmp="ttl-zero-during-reassembly" for zone="external"
INFO: Blocking icmp="ttl-zero-during-transit" for zone="external"
INFO: Blocking icmp="unknown-header-type" for zone="external"
INFO: Blocking icmp="unknown-option" for zone="external"
INFO: Enabling direct rule=ipv6 -t filter -A INPUT -p udp -m udp --dport 546 -j ACCEPT
INFO: Enable logging for denied packets
INFO: ##################################################################################
INFO:
INFO: The dry-run has been completed. Please check the above output to ensure
INFO: that everything looks good.
INFO:
INFO: ##################################################################################
INFO: Stopping firewalld
INFO: Restarting SuSEfirewall2_init
INFO: Restarting SuSEfirewall2
linux-9vao:~ #

Uninstalling conversion script and SuSEfirewall2. Oh, and now YaST firewall module fails to connect to firewalld. The service had been stopped...
--
Cheers/Saludos
Carlos E. R. (testing openSUSE Leap 15.0, at Minas-Anor)
Carlos E. R. wrote:
On 2018-03-11 11:07, Per Jessen wrote:
Carlos E. R. wrote:
Most things are, Carlos. At this point - during the beta - it is not unreasonable to suggest you look elsewhere for the detailed documentation. Once Leap15 goes live, it would also be reasonable to expect some decent firewalld documentation in the openSUSE SDB (for instance).
I expected at least some pointers at opensuse.org. For documentation see this <link>.
Yes, that would have been better.
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
There is a script available - if you do "zypper se firewall", you'll see it. I have no idea how well it works. -- Per Jessen, Zürich (9.0°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
Per Jessen wrote:
Carlos E. R. wrote:
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
There is a script available - if you do "zypper se firewall", you'll see it. I have no idea how well it works.
The issue with this script (see Carlos' other post) is that it does 'surgery on the open heart'. You have to run it on the machine you want to convert, and it shuts down the old firewall, then (hopefully) builds a new setup for firewalld. Not really something you just want to try on your server to see if it does the right thing....
Peter Suetterlin wrote:
Per Jessen wrote:
Carlos E. R. wrote:
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
There is a script available - if you do "zypper se firewall", you'll see it. I have no idea how well it works.
The issue with this script (see Carlos' other post) is that it does 'surgery on the open heart'. You have to run it on the machine you want to convert, and it shuts down the old firewall, then (hopefully) builds a new setup for firewalld.
It can't be run off-line on a copy of your old firewall?
Not really something you just want to try on your server to see if it does the right thing....
Where you might not want to be running Leap15 beta either, to see if it does the right thing :-) I think there is really just one key issue - what happens in the upgrade situation? -- Per Jessen, Zürich (9.9°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Per Jessen wrote:
Peter Suetterlin wrote:
The issue with this script (see Carlos' other post) is that it does 'surgery on the open heart'. You have to run it on the machine you want to convert, and it shuts down the old firewall, then (hopefully) builds a new setup for firewalld.
It can't be run off-line on a copy of your old firewall?
Don't think so. It goes ahead actually doing firewalld commands, i.e., set up a real firewall. So your test machine would have to have the same network setup to produce something reasonable, no?
Not really something you just want to try on your server to see if it does the right thing....
Where you might not want to be running Leap15 beta either, to see if it does the right thing :-)
Sure not. But at some time you're supposed to update your old 42.3 to then-stable 15.0 - and by then a suitable update path has* to be there for critical machines....
I think there is really just one key issue - what happens in the upgrade situation?
That's for the switch, yes. But even start from scratch: The old /etc/sysconfig/SuSEfirewall2 gave very good instructions how to tweak the firewall and adapt it to your needs. A similar guidance for the user should be in place for 15.0, too. Both for completely new users, and also for those who so far only used SFW2.
Peter Suetterlin wrote:
Per Jessen wrote:
Peter Suetterlin wrote:
The issue with this script (see Carlos' other post) is that it does 'surgery on the open heart'. You have to run it on the machine you want to convert, and it shuts down the old firewall, then (hopefully) builds a new setup for firewalld.
It can't be run off-line on a copy of your old firewall?
Don't think so. It goes ahead actually doing firewalld commands, i.e., set up a real firewall. So your test machine would have to have the same network setup to produce something reasonable, no?
Sounds like it, yes. I was thinking the conversion script would just produce a pile of firewall-cmd lines. -- Per Jessen, Zürich (7.7°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 2018-03-11 17:25, Per Jessen wrote:
Peter Suetterlin wrote:
Per Jessen wrote:
Carlos E. R. wrote:
Especially how to migrate from SuSEfirewall2. How to migrate every token there.
There is a script available - if you do "zypper se firewall", you'll see it. I have no idea how well it works.
The issue with this script (see Carlos' other post) is that it does 'surgery on the open heart'. You have to run it on the machine you want to convert, and it shuts down the old firewall, then (hopefully) builds a new setup for firewalld.
It can't be run off-line on a copy of your old firewall?
Apparently not. It can be run in dry mode, which is what I did. Even so, it switched off firewalld, and I think it started SuSEfirewall2. I uninstalled it, but I'm still unsure the current firewall status is correct:

linux-9vao:~ # systemctl status SuSEfirewall2_init.service
● SuSEfirewall2_init.service
   Loaded: not-found (Reason: No such file or directory)
   Active: active (exited) since Sun 2018-03-11 13:45:46 CET; 6h ago
 Main PID: 9248 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   CGroup: /system.slice/SuSEfirewall2_init.service

Mar 11 13:45:46 linux-9vao systemd[1]: Starting SuSEfirewall2 phase 1...
Mar 11 13:45:46 linux-9vao SuSEfirewall2[9248]: Firewall rules set to CLOSE.
Mar 11 13:45:46 linux-9vao systemd[1]: Started SuSEfirewall2 phase 1.
linux-9vao:~ #
Not really something you just want to try on your server to see if it does the right thing....
Where you might not want to be running Leap15 beta either, to see if it does the right thing :-)
I think there is really just one key issue - what happens in the upgrade situation?
Even on a fresh install to replace the old. Install susefirewall2, copy the config from backup, install the translate script, run it, remove susefirewall2. I would prefer documentation saying how to translate manually each token, on YaST or on the command line, so that we learn how the new configuration is done. How am I going to maintain my firewall if I have no idea what the translation did? -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
[as a simple user] i avoided the translation script. it appeared to simply open ports on a number by number basis instead of named service, e.g. kde connect opens dozens of ports so better to set up from scratch as a single named service rather than a collection of unlabelled ports for control and identification.
On Monday, 2018-03-12 at 08:06 +0100, nicholas cunliffe wrote:
[as a simple user] i avoided the translation script. it appeared to simply open ports on a number by number basis instead of named service, e.g. kde connect opens dozens of ports so better to set up from scratch as a single named service rather than a collection of unlabelled ports for control and identification.
I think I'll do the same, but I need to learn how. I'll try some reading. -- Cheers, Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" at Telcontar)
firewalld seems quite straight forward and well designed. the main documentation is a bit dense, i followed the tutorial below which got me up to speed for my (simple) use case, im sure there are many more. https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-us...
2018-03-12 16:39 GMT-06:00 nicholas cunliffe <ndcunliffe@gmail.com>:
firewalld seems quite straight forward and well designed. the main documentation is a bit dense, i followed the tutorial below which got me up to speed for my (simple) use case, im sure there are many more.
https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-us...
I never understood and applied SuSEFirewall. This guide to use firewalld is very good and simple, I have followed it to apply some rules in my openSUSE client and some servers with CentOS. -- Saludos, cheperobert
Op zaterdag 10 maart 2018 13:56:31 CET schreef Carlos E. R.:
On 2018-03-10 10:24, Frank Krüger wrote:
Am 10.03.2018 um 09:55 schrieb Per Jessen:
Carlos E. R. wrote:
How do I open the ssh port in the new firewald? There is a module in YaST, but I can not understand it at all.
When trying to run the YaST firewall module, I only got a message that
there is no module yet: See subsection "Firewalld enhancements" at Yast Development Sprint 50:
https://lizards.opensuse.org/2018/02/09/highlights-of-yast-development-sprint-50/ We need simple documentation with examples. At <https://doc.opensuse.org/>
Error YaST currently does not have a module for configuring firewall. Please, either use "firewall-config" to configure your firewall via a user interface or "firewall-cmd" for the command line.
Given the package firewall-config (and the corresponding applet, if you wish) allows you to configure almost everything. By the way, in firewalld ssh and open port 22 is enabled per default, e.g., for the home zone.
It may allow configuration, if you know how. I did not understand any of it.
Could you give us an overview of the steps you took to actually get some understanding of it, apart from popping questions here? It took me half an hour to get my firewalld instance in the same state as I had SuSEfirewall before the move to firewalld.
And it certainly did not open port 22, and it certainly did not log anything to the firewall log or the journal.
Can you explain how to open 22?
I installed from DVD with network active.
-- Gertjan Lettink, a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team Linux user #548252
On 2018-03-11 14:44, Knurpht - Gertjan Lettink wrote:
Op zaterdag 10 maart 2018 13:56:31 CET schreef Carlos E. R.:
On 2018-03-10 10:24, Frank Krüger wrote:
Am 10.03.2018 um 09:55 schrieb Per Jessen:
Carlos E. R. wrote:
How do I open the ssh port in the new firewald? There is a module in YaST, but I can not understand it at all.
When trying to run the YaST firewall module, I only got a message that
there is no module yet: See subsection "Firewalld enhancements" at Yast Development Sprint 50:
https://lizards.opensuse.org/2018/02/09/highlights-of-yast-development-sprint-50/ We need simple documentation with examples. At <https://doc.opensuse.org/>
Error YaST currently does not have a module for configuring firewall. Please, either use "firewall-config" to configure your firewall via a user interface or "firewall-cmd" for the command line.
Given the package firewall-config (and the corresponding applet, if you wish) allows you to configure almost everything. By the way, in firewalld ssh and open port 22 is enabled per default, e.g., for the home zone.
It may allow configuration, if you know how. I did not understand any of it.
Could you give us an overview of the steps you took to actually get some understanding of it, apart from popping questions here? It took me half an hour to get my firewalld instance in the same state as I had SuSEfirewall before the move to firewalld.
Mine is still undone. I opened the yast firewall module and I was bewildered by the complexity. I moved around windows. I looked at the openSUSE sites and searched for documents. Then asked here. There are things I still do not know how to do, like open ssh only to incoming from a single computer. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)
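To make the open questions in this branch concrete (how to open port 22, how to open ssh only to a single computer, and nicholas's point that one named service beats a pile of unlabelled ports), here is an added example; it is not from the thread, from openSUSE or from the firewalld project. It only emits firewall-cmd commands and a service definition file for review rather than running anything; the zone name, the "myapp" service with its ports, and the 192.168.1.10 admin address are constructed placeholders.

```shell
#!/bin/sh
# Added example: generate firewalld configuration for the cases discussed
# above. Nothing here touches the firewall; review the output, then run the
# printed commands as root on the target host.

# Rich rule that accepts the "ssh" service from one source address only.
# $1 = admin host address (constructed placeholder in the demo below).
ssh_from_host_rule() {
    printf 'rule family="ipv4" source address="%s" service name="ssh" accept' "$1"
}

# Custom service definition in firewalld's service XML layout (the same
# shape as the files under /usr/lib/firewalld/services/), so a group of
# ports carries one label instead of appearing as anonymous port entries.
# Usage: render_service_xml NAME DESCRIPTION PORT/PROTO...
render_service_xml() {
    name=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
    for p in "$@"; do
        # "1714/tcp" -> protocol="tcp" port="1714"
        printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
    done
    printf '</service>\n'
}

# firewall-cmd sequence for ZONE. With an ADMIN address, ssh is reachable
# from that host only; without one, the ssh service is opened to the zone.
# Usage: emit_commands ZONE [ADMIN]
emit_commands() {
    zone=$1; admin=$2
    if [ -n "$admin" ]; then
        # Drop the blanket ssh service so only the rich rule grants access.
        echo "firewall-cmd --permanent --zone=$zone --remove-service=ssh"
        echo "firewall-cmd --permanent --zone=$zone --add-rich-rule='$(ssh_from_host_rule "$admin")'"
    else
        echo "firewall-cmd --permanent --zone=$zone --add-service=ssh"
    fi
    # Log packets firewalld denies (visible in the kernel log / journal).
    echo "firewall-cmd --set-log-denied=all"
    # Make the --permanent changes live, then show the zone for checking.
    echo "firewall-cmd --reload"
    echo "firewall-cmd --zone=$zone --list-all"
}

# Demonstration with constructed values: a two-port service file, then the
# commands that restrict ssh to one admin host and turn on denied-packet logging.
render_service_xml myapp "My app control ports (constructed example)" 1714/tcp 1714/udp
emit_commands public 192.168.1.10
```

The XML can be installed with firewall-cmd --permanent --new-service-from-file=FILE --name=myapp and then added to a zone like any built-in service.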
On 2018-03-10, 03:38 GMT, Carlos E. R. wrote:
Thus, I can not connect to my own machine. I had to do "systemctl enable sshd.service", then start it, and I could connect "localhost". But not from outside:
Let me just note here https://bugzilla.suse.com/1084177 Matěj -- https://matej.ceplovi.cz/blog/, Jabber: mcepl@ceplovi.cz GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8 understand, v.: To reach a point, in your investigation of some subject, at which you cease to examine what is really present, and operate on the basis of your own internal model instead.
On 2018-03-12 13:54, Matěj Cepl wrote:
On 2018-03-10, 03:38 GMT, Carlos E. R. wrote:
Thus, I can not connect to my own machine. I had to do "systemctl enable sshd.service", then start it, and I could connect "localhost". But not from outside:
Let me just note here https://bugzilla.suse.com/1084177
Thanks. On your question why can not one conflict the other, I can offer one reason: the script that converts SuSEfirewall2 to firewalld needs both. While playing with this, though, I noticed that my ssh port had been disabled, but I don't know how or by "whom". This is very dangerous to a remotely connected machine. I'll have to pay attention and see if it repeats. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" at Telcontar)