SuSEfirewall2 configuration problem
Hi,

I have some problems with the configuration of the SuSEfirewall2 (3.1) on a SuSE 9.0 system. I have read the unofficial SuSEFAQ by Togan Muftuoglu, but unfortunately this could not help me to solve the problem.

The system is part of a NIS domain with central NFS server. When the firewall is off, I have full network functionality (i.e. the system boots as a NIS client with nfs mounted home directories).

However, when I enable SuSEfirewall2 for this system (using YaST), the firewall (/etc/rc.d/rc5.d/S01SuSEfirewall2_init) blocks ("destination unreachable") all {dns, smb, nfs, nis} traffic until (S14SuSEfirewall2_setup) *after* the {smbfs, nfs, ypbind} services are started...

I'm wondering if the above functionality is by design, and if so, why? And, more important, how do I configure the firewall so everything works? (I haven't seen any mention of this problem, so I'm wondering if I'm just doing something wrong, or no one else is using SuSE 9.0, SuSEfirewall2 and {smb, nfs, nis}?)

Thanks in advance,
Robbert Eggermont
On Saturday 03 April 2004 18:28, Robbert Eggermont wrote:
Hi,
I have some problems with the configuration of the SuSEfirewall2 (3.1) on a SuSE 9.0 system. I have read the unofficial SuSEFAQ by Togan Muftuoglu, but unfortunately this could not help me to solve the problem.
The system is part of a NIS domain with central NFS server. When the firewall is off, I have full network functionality (i.e. the system boots as a NIS client with nfs mounted home directories).
However, when I enable SuSEfirewall2 for this system (using YaST), the firewall (/etc/rc.d/rc5.d/S01SuSEfirewall2_init) blocks ("destination unreachable") all {dns, smb, nfs, nis} traffic until (S14SuSEfirewall2_setup) *after* the {smbfs, nfs, ypbind} services are started...
I'm wondering if the above functionality is by design, and if so, why? And, more important, how do I configure the firewall so everything works? (I haven't seen any mention of this problem, so I'm wondering if I'm just doing something wrong, or no one else is using SuSE 9.0, SuSEfirewall2 and {smb, nfs, nis}?)
Thanx in advance,
Robbert Eggermont
I would venture a guess that the firewall defaults to a SECURE mode (block all) until it cycles through each service section and there decides to leave it off or turn it on. If you want everything on there may be a possibility of changing the defaults to all on and then turning off the unused services. I do not use the built-in firewall myself but have worked a little with the manual mode of iptables for a home firewall.

HTH Mike
--
From my SuSe Linux Desktop
* Robbert Eggermont;
However, when I enable SuSEfirewall2 for this system (using YaST), the firewall (/etc/rc.d/rc5.d/S01SuSEfirewall2_init) blocks ("destination unreachable") all {dns, smb, nfs, nis} traffic until (S14SuSEfirewall2_setup) *after* the {smbfs, nfs, ypbind} services are started...
I'm wondering if the above functionality is by design, and if so, why?
Yes, by design. If you look at section 1.3 Technical background, you will see that SuSEfirewall2_init calls the close function. I think the idea is, until all services are set up, to close any incoming connection attempts. That is why after the setup stage the final stage comes. So SuSEfirewall2 actually runs 3 times before your actual protection is underway. Note that during the init stage traffic generated by the computer is allowed to pass.

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
Togan Muftuoglu wrote:
* Robbert Eggermont; on 04 Apr, 2004 wrote:
However, when I enable SuSEfirewall2 for this system (using YaST), the firewall (/etc/rc.d/rc5.d/S01SuSEfirewall2_init) blocks ("destination unreachable") all {dns, smb, nfs, nis} traffic until (S14SuSEfirewall2_setup) *after* the {smbfs, nfs, ypbind} services are started...
Yes, by design. If you look at section 1.3 Technical background, you will see that SuSEfirewall2_init calls the close function. I think the idea is, until all services are set up, to close any incoming connection attempts. That is why after the setup stage the final stage comes. So SuSEfirewall2 actually runs 3 times before your actual protection is underway. Note that during the init stage traffic generated by the computer is allowed to pass.
Indeed, but... the return traffic is blocked!?! The services I talk about above are *client* services, so they need to be able to interact with the server(s)... (At least, that's what I'm thinking. :-)

So, shouldn't the firewall be (more) completely set up before any network activity occurs (network related services are started)? I don't see any options to partly open up the firewall in the init stage (at least for the {dns, nfs, nis} server responses). Is there a way to do this (or should I do it differently)?

Thanks,
Robbert Eggermont
* Robbert Eggermont;
Indeed, but... the return traffic is blocked!?! The services I talk about above are *client* services, so they need to be able to interact with the server(s)... (At least, that's what I'm thinking. :-)
So, shouldn't the firewall be (more) completely set up before any network activity occurs (network related services are started)? I don't see any options to partly open up the firewall in the init stage (at least for the {dns, nfs, nis} server responses). Is there a way to do this (or should I do it differently)?
You can change $local_fs to $remote_fs in SuSEFirewall2_setup required for setup action, as by default $remote_fs should be $local_fs+nfs, and change $network to $named so DNS and networking devices are set up before SuSEfirewall2 is called. Make sure you call

insserv /etc/init.d/SuSEfirewall2_init
insserv /etc/init.d/SuSEfirewall2_setup
insserv /etc/init.d/SuSEfirewall2_final

so the respective links are established. Nevertheless it is the job of SuSEfirewall2_final to have the firewall set up for the final stage, as all these services have already started. I still believe the intended format is correct. For more information you can refer to "man insserv" and "man init.d".

--
Togan Muftuoglu | Unofficial SuSE FAQ Maintainer | Please reply to the list; http://susefaq.sf.net | Please don't put me in TO/CC. Nisi defectum, haud refiecendum
Togan Muftuoglu wrote:
* Robbert Eggermont; on 04 Apr, 2004 wrote:
Indeed, but... the return traffic is blocked!?! The services I talk about above are *client* services, so they need to be able to interact with the server(s)... (At least, that's what I'm thinking. :-)
So, shouldn't the firewall be (more) completely set up before any network activity occurs (network related services are started)? I don't see any options to partly open up the firewall in the init stage (at least for the {dns, nfs, nis} server responses). Is there a way to do this (or should I do it differently)?
You can change $local_fs to $remote_fs in SuSEFirewall2_setup required for setup action, as by default $remote_fs should be $local_fs+nfs, and change $network to $named so DNS and networking devices are set up before SuSEfirewall2 is called.
Thanks for thinking with me here. :-)

The problem is not that SuSEFirewall2_setup is being run too early, the problem is that SuSEFirewall2_setup is being run too *late* (assuming that SuSEFirewall2_setup opens up the firewall enough to allow network interaction for the dns, nfs & nis client services).

Details: The way things are "functioning" now is that SuSEFirewall2_init rejects about all inbound traffic except dhcp client traffic, including answers to the DNS lookups for the nfs/nis server ip addresses. Even if I were to specify the ip addresses, all traffic from (the servers to) the nfslock, nfs and nis client services is blocked. SuSEFirewall2_setup is being run *after* these services. If I change $local_fs to $remote_fs in SuSEFirewall2_setup, SuSEFirewall2_setup is moved even further down the line in the boot process (which of course doesn't help at all).

Before trying out every possible combination, I probably need to know the correct order of enabling services... Should/could SuSEFirewall2_setup be run before or after $network? I think SuSEFirewall2_setup requires some data from the dhcp client (such as the machine's ip & nameserver, right?), so then it should run somewhere between S05network and S06syslog (if I were to log to another machine?), or S09portmap (?) or S10nfslock/S10smbfs? And how can I get SuSEFirewall2_setup to run *then*?

Thanks again,
Robbert
participants (3)
- ka1ifq
- Robbert Eggermont
- Togan Muftuoglu