On Tue, Apr 30, 2013 at 01:03:10AM -0500, Juan Luis Baptiste wrote:
Hi,
There's another behavior of SuSEfirewall2 with multiple network interfaces that I would like to discuss. We're working with an appliance that has six network interfaces. We only need two of those six interfaces, so only two of them are configured, one with DHCP and the other static. The other interfaces are present and detected by openSUSE, but they're not configured, so the ifconfig output only shows those two interfaces (yast2 shows the others as not configured).
I have configured SuSEfirewall2 like this:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
When I start the firewall I get this message:
linux-test:~ # SuSEfirewall2 start
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth2
SuSEfirewall2: using default zone 'ext' for interface eth3
SuSEfirewall2: using default zone 'ext' for interface eth4
SuSEfirewall2: using default zone 'ext' for interface eth5
SuSEfirewall2: Firewall rules successfully set
This means that for each rule specified, for example in FW_MASQ_NETS or FW_FORWARD, five useless additional rules will be created, one for each of the unconfigured interfaces. Currently I don't have that appliance at hand, so I'm testing on a VM with four interfaces and the previous configuration. With the previous configuration this is the output when starting the firewall:
linux-w43c:~ # SuSEfirewall2 start
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth2
SuSEfirewall2: using default zone 'ext' for interface eth3
SuSEfirewall2: Firewall rules successfully set
And the output of SuSEfirewall2 status here:
Why are rules being created for the unconfigured interfaces? In other words, why are they being added by default to the external zone if those interfaces aren't being used, not even configured? Is there a way to avoid this?
You can try avoiding the assignment of a default zone by using FW_ZONE_DEFAULT='no' (the default is 'auto').
Ciao, Marcus
-- 
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
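As an added example, not part of the thread and not SuSEfirewall2's own code, the script below audits a /etc/sysconfig/SuSEfirewall2 fragment before the firewall is started and shows which interfaces would be swept into the default zone. It models only the behaviour the two messages describe: an interface not named in FW_DEV_EXT, FW_DEV_INT or FW_DEV_DMZ receives FW_ZONE_DEFAULT, where 'auto' (or an unset variable) means 'ext' and 'no' means no zone at all. The six-interface list and the sample configuration are constructed from the post; handling of keywords such as 'any' and of any other FW_* syntax is out of scope and is an assumption of this script, not a statement about SuSEfirewall2.

```sh
#!/bin/sh
# Added example (not SuSEfirewall2 code): report which interfaces a
# /etc/sysconfig/SuSEfirewall2 fragment leaves to the default zone.
# Assumptions: plain VAR="value" assignments, space-separated device lists,
# no 'any' keyword; an interface listed in two zones takes the last one seen.

# cfg_get VAR FILE : value of the last assignment of VAR in FILE, quotes stripped
cfg_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | tr -d "\"'"
}

# resolve_default FILE : zone unassigned interfaces receive; "-" means none
resolve_default() {
    case "$(cfg_get FW_ZONE_DEFAULT "$1")" in
        auto|"") echo ext ;;                      # default behaviour: everything else is 'ext'
        no)      echo - ;;                        # FW_ZONE_DEFAULT='no': leave them out
        *)       cfg_get FW_ZONE_DEFAULT "$1" ;;  # an explicit zone name
    esac
}

# audit_zones FILE "eth0 eth1 ..." : one "iface zone" line per interface
audit_zones() {
    conf="$1"
    default_zone=$(resolve_default "$conf")
    ext=$(cfg_get FW_DEV_EXT "$conf")
    int=$(cfg_get FW_DEV_INT "$conf")
    dmz=$(cfg_get FW_DEV_DMZ "$conf")
    for i in $2; do
        zone="$default_zone"
        for d in $ext; do if [ "$d" = "$i" ]; then zone=ext; fi; done
        for d in $int; do if [ "$d" = "$i" ]; then zone=int; fi; done
        for d in $dmz; do if [ "$d" = "$i" ]; then zone=dmz; fi; done
        echo "$i $zone"
    done
}

# count_in_zone FILE "ifaces" ZONE : how many interfaces end up in ZONE
count_in_zone() {
    audit_zones "$1" "$2" | awk -v z="$3" '$2 == z { n++ } END { print n + 0 }'
}

# sample_config FILE MODE : constructed copy of the thread's configuration,
# with FW_ZONE_DEFAULT set to MODE ("auto" reproduces the post, "no" the fix)
sample_config() {
    cat > "$1" <<EOF
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
FW_ZONE_DEFAULT="$2"
EOF
}

# Demonstration on the constructed six-NIC appliance: first with the default
# ('auto'), then with the suggested FW_ZONE_DEFAULT='no'.
NICS="eth0 eth1 eth2 eth3 eth4 eth5"
tmp=$(mktemp)
sample_config "$tmp" auto
echo "FW_ZONE_DEFAULT=auto:"; audit_zones "$tmp" "$NICS"
sample_config "$tmp" no
echo "FW_ZONE_DEFAULT=no:";   audit_zones "$tmp" "$NICS"
rm -f "$tmp"
```

Run it against the real file with `audit_zones /etc/sysconfig/SuSEfirewall2 "$(ls /sys/class/net)"` to see, before restarting the firewall, every interface that is about to be treated as 'ext'; any line ending in `ext` for a NIC that is not meant to face the outside is the case the post complains about.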