[opensuse-factory] Switching SuSEFirewall for iptables
Hi, I am trying to setup a machine with some docker containers but the default suse firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding but it seems suse firewall does not recognize the interface connected to docker so I cannot add rules to allow traffic to/from it. Is there a way to disable the SuSEFirewall and just use plain old iptables? -- Regards, Uzair Shamim -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Uzair Shamim wrote:
I am trying to setup a machine with some docker containers but the default suse firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding but it seems suse firewall does not recognize the interface connected to docker so I cannot add rules to allow traffic to/from it. Is there a way to disable the SuSEFirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script. -- Per Jessen, Zürich (8.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On Tue, Apr 28, 2015 at 10:43:07AM +0200, Per Jessen wrote:
Uzair Shamim wrote:
I am trying to setup a machine with some docker containers but the default suse firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding but it seems suse firewall does not recognize the interface connected to docker so I cannot add rules to allow traffic to/from it. Is there a way to disable the SuSEFirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script.
What interface is detected? SuSEfirewall would probably put it in the external zone by default. Ciao, Marcus
On 04/28/2015 04:59 AM, Marcus Meissner wrote:
On Tue, Apr 28, 2015 at 10:43:07AM +0200, Per Jessen wrote:
Uzair Shamim wrote:
I am trying to setup a machine with some docker containers but the default suse firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding but it seems suse firewall does not recognize the interface connected to docker so I cannot add rules to allow traffic to/from it. Is there a way to disable the SuSEFirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script.
What interface is detected? SuSEfirewall would probably put it in the external zone by default.
Ciao, Marcus
@Per Jessen So it's fine if I just disable the SuSEFirewall and then build iptables as desired? Obviously I will have to add all the rules I need but this won't cause any known issues? Sounds like a plan.
@Marcus Meissner SuSEFirewall does not detect the docker interface. It is fine with non docker virtual interfaces (like those created by libvirt) but it seems it does not know how to handle the interface docker creates. So since it relies on Masquerade/port forward on an interface basis (rather than say with iptables alone where you can just specify the IPs) it's unable to even be configured for this. See: http://paste.opensuse.org/view/raw/59129206 and http://paste.opensuse.org/view/raw/17876326
-- Regards, Uzair Shamim
On 28.04.15 Uzair Shamim wrote:
SuSEFirewall does not detect the docker interface. It is fine with non docker virtual interfaces (like those created by libvirt) but it seems it does not know how to handle the interface docker creates. So since it relies on Masquerade/port forward on an interface basis (rather than say with iptables alone where you can just specify the IPs) it's unable to even be configured for this.
I would also guess that restarting SuseFirewall2 completely erases all iptable rules that docker might or might not have set before. At least that is what happens with libvirt rules... Johannes
On 04/28/2015 10:41 AM, Johannes Kastl wrote:
On 28.04.15 Uzair Shamim wrote:
SuSEFirewall does not detect the docker interface. It is fine with non docker virtual interfaces (like those created by libvirt) but it seems it does not know how to handle the interface docker creates. So since it relies on Masquerade/port forward on an interface basis (rather than say with iptables alone where you can just specify the IPs) it's unable to even be configured for this.
I would also guess that restarting SuseFirewall2 completely erases all iptable rules that docker might or might not have set before.
At least that is what happens with libvirt rules...
Johannes
I don't think docker set any rules, but either way yes, SuSEFirewall erases any rules that were in before. WRT libvirt you can just restart the libvirtd service and that brings the rules back. But now I am just using plain iptables and it's working great, thanks again to everyone for the help :) -- Regards, Uzair Shamim
On 04/28/2015 10:34 AM, Uzair Shamim wrote:
On 04/28/2015 04:59 AM, Marcus Meissner wrote:
On Tue, Apr 28, 2015 at 10:43:07AM +0200, Per Jessen wrote:
Uzair Shamim wrote:
I am trying to setup a machine with some docker containers but the default suse firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding but it seems suse firewall does not recognize the interface connected to docker so I cannot add rules to allow traffic to/from it. Is there a way to disable the SuSEFirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script.
What interface is detected? SuSEfirewall would probably put it in the external zone by default.
Ciao, Marcus
@Per Jessen So it's fine if I just disable the SuSEFirewall and then build iptables as desired? Obviously I will have to add all the rules I need but this won't cause any known issues? Sounds like a plan.
Just tried this. There is no iptables service, how can I control (start/stop) iptables? -- Regards, Uzair Shamim
On Tuesday 2015-04-28 17:29, Uzair Shamim wrote:
Just tried this. There is no iptables service
This is because iptables is not a service, it is more of a configuration setting that is, in essence, one-shot loaded like sysctl.
On 04/28/2015 12:40 PM, Jan Engelhardt wrote:
On Tuesday 2015-04-28 17:29, Uzair Shamim wrote:
Just tried this. There is no iptables service
This is because iptables is not a service, it is more of a configuration setting that is, in essence, one-shot loaded like sysctl.
Really because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service. Thanks though, I guess I can just add ACCEPT rules as needed. :) -- Regards, Uzair Shamim
Uzair Shamim wrote:
On 04/28/2015 12:40 PM, Jan Engelhardt wrote:
On Tuesday 2015-04-28 17:29, Uzair Shamim wrote:
Just tried this. There is no iptables service
This is because iptables is not a service, it is more of a configuration setting that is, in essence, one-shot loaded like sysctl.
Really because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service.
Which presumably means running iptables commands according to some configuration <somewhere>. -- Per Jessen, Zürich (9.0°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Tue, 28 Apr 2015 19:57:50 +0200 Per Jessen <per@computer.org> wrote:
Uzair Shamim wrote:
On 04/28/2015 12:40 PM, Jan Engelhardt wrote:
On Tuesday 2015-04-28 17:29, Uzair Shamim wrote:
Just tried this. There is no iptables service
This is because iptables is not a service, it is more of a configuration setting that is, in essence, one-shot loaded like sysctl.
Really because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service.
Which presumably means running iptables commands according to some configuration <somewhere>.
IIRC this old service simply did iptables-save/iptables-restore. This had the advantage of making simple "iptables" suddenly persistent.
On 2015-04-28 19:46, Uzair Shamim wrote:
Really because in Fedora/CentOS there is a service for iptables that you can stop/restart/start like any other service. Thanks though, I guess I can just add ACCEPT rules as needed. :)
What about /etc/sysconfig/scripts/SuSEfirewall2-custom? You can add your commands in there. -- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Uzair Shamim wrote:
On 04/28/2015 10:34 AM, Uzair Shamim wrote:
On 04/28/2015 04:59 AM, Marcus Meissner wrote:
On Tue, Apr 28, 2015 at 10:43:07AM +0200, Per Jessen wrote:
Uzair Shamim wrote:
I am trying to setup a machine with some docker containers but the default suse firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding but it seems suse firewall does not recognize the interface connected to docker so I cannot add rules to allow traffic to/from it. Is there a way to disable the SuSEFirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script.
What interface is detected? SuSEfirewall would probably put it in the external zone by default.
Ciao, Marcus
@Per Jessen So it's fine if I just disable the SuSEFirewall and then build iptables as desired? Obviously I will have to add all the rules I need but this won't cause any known issues? Sounds like a plan.
Just tried this. There is no iptables service, how can I control (start/stop) iptables?
Apologies, I assumed you were familiar with how to build a firewall using iptables. It is typically just a script filled with iptables commands which construct the firewall setup. Such a script is easily called with a systemd service unit:

[Unit]
Description=firewall
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/firewall
ExecStop=/usr/sbin/firewall stop
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target

If you don't have a firewall script/setup already built and ready to use, you're probably better off with using the openSUSE firewall.
-- Per Jessen, Zürich (9.6°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
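An added example, not code from any poster in this thread: a `/usr/sbin/firewall` script of the kind the unit above calls, with default-deny filtering and with NAT and forwarding selected by container subnet rather than by interface. The interface name `eth0`, the subnet `172.17.0.0/16` and the SSH port are assumptions to adjust per host.

```shell
#!/bin/sh
# Added example (not from the thread): a /usr/sbin/firewall script for the
# oneshot unit quoted above. Values below are assumptions; adjust per host.
EXT_IF="${EXT_IF:-eth0}"                        # uplink interface (assumed)
CONTAINER_NET="${CONTAINER_NET:-172.17.0.0/16}" # container subnet (assumed)
SSH_PORT="${SSH_PORT:-22}"                      # admin access port (assumed)

# Emit the ruleset in iptables-restore format so it is applied atomically.
# NAT and forwarding are matched on the container subnet, not on an
# interface name, so the bridge interface does not need to be "detected".
build_start_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport ${SSH_PORT} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s ${CONTAINER_NET} -o ${EXT_IF} -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ${CONTAINER_NET} ! -d ${CONTAINER_NET} -o ${EXT_IF} -j MASQUERADE
COMMIT
EOF
}

# "stop" returns both tables to empty chains with ACCEPT policies, i.e. the
# host is unfiltered afterwards.
build_stop_rules() {
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
EOF
}

main() {
    # iptables-restore flushes each table it loads, so rules another daemon
    # inserted earlier (the libvirt case mentioned in the thread) are lost.
    case "${1:-start}" in
        start) build_start_rules | iptables-restore ;;
        stop)  build_stop_rules  | iptables-restore ;;
        show)  build_start_rules ;;
        *)     echo "usage: $0 [start|stop|show]" >&2; return 2 ;;
    esac
}

# Dispatch only when installed under the name the unit file uses, so the
# functions can be sourced and inspected without touching live rules.
if [ "${0##*/}" = "firewall" ]; then
    main "$@"
fi
```

Installed under the path the unit names, `firewall show` prints the ruleset without loading it, which is a convenient way to review changes before `start`.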
On 04/28/2015 01:45 PM, Per Jessen wrote:
Uzair Shamim wrote:
On 04/28/2015 10:34 AM, Uzair Shamim wrote:
@Per Jessen So it's fine if I just disable the SuSEFirewall and then build iptables as desired? Obviously I will have to add all the rules I need but this won't cause any known issues? Sounds like a plan.
Just tried this. There is no iptables service, how can I control (start/stop) iptables?
Apologies, I assumed you were familiar with how to build a firewall using iptables. It is typically just a script filled with iptables commands which construct the firewall setup. Such a script is easily called with a systemd service unit:
[Unit]
Description=firewall
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/firewall
ExecStop=/usr/sbin/firewall stop
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
If you don't have a firewall script/setup already built and ready to use, you're probably better off with using the openSUSE firewall.
I am familiar with iptables, I am just used to being able to start and stop an iptables service in CentOS. I'll try this out but it's not a big deal, I don't ever stop the firewall anyways. -- Regards, Uzair Shamim
Uzair Shamim wrote:
On 04/28/2015 04:59 AM, Marcus Meissner wrote:
On Tue, Apr 28, 2015 at 10:43:07AM +0200, Per Jessen wrote:
Uzair Shamim wrote:
I am trying to setup a machine with some docker containers but the default suse firewall is interfering. Normally I would just add the required rules to iptables for NAT and forwarding but it seems suse firewall does not recognize the interface connected to docker so I cannot add rules to allow traffic to/from it. Is there a way to disable the SuSEFirewall and just use plain old iptables?
Yep, that's exactly what you do - disable (or even uninstall) the openSUSE firewall, then add your own iptables script.
What interface is detected? SuSEfirewall would probably put it in the external zone by default.
Ciao, Marcus
@Per Jessen So it's fine if I just disable the SuSEFirewall and then build iptables as desired? Obviously I will have to add all the rules I need but this won't cause any known issues? Sounds like a plan.
That's what I do - I've had my own iptables (ipchains) firewall setup from way before SuSEFirewall, I've never had any reason to change. To my knowledge, SuSEFirewall is "just" a framework for managing an iptables firewall - I just use vi :-) -- Per Jessen, Zürich (9.6°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
participants (7)
- Andrei Borzenkov
- Carlos E. R.
- Jan Engelhardt
- Johannes Kastl
- Marcus Meissner
- Per Jessen
- Uzair Shamim