Adding arbitrary firewall (iptables?) rules

I want to block network access for some programs. I found this suggestion https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer... which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:

iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP

I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones). What's the right way to do this?

Leslie

* J Leslie Turriff <jlturriff@mail.com> [02-02-21 21:21]:
I don't know if it is still the way, but using SuSEfirewall2, edit:
/etc/sysconfig/scripts/SuSEfirewall2-custom
and include
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
in /etc/sysconfig/SuSEfirewall2

But most are now using firewalld, and installing yast2-firewall-4.3.9-1.2.noarch allows customizing. Examples abound on giggle.
--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode

On 2021-02-03 1:08 a.m., J Leslie Turriff wrote:
Okay, firewalld must be what I'm using. YaST totally obscures that. Perhaps one is not supposed to use the YaST Firewall module to insert custom rules? It doesn't look to me like there's a way to do it from there.
Application Launcher --> Applications --> System The icon is a cute little fireplace :)

On Wed, Feb 3, 2021 at 9:43 AM J Leslie Turriff <jlturriff@mail.com> wrote:
If it was a new install of this version it defaults to using firewalld. The YaST frontend only offers the most basic configuration; you will need to use native firewalld tools (firewall-cmd, firewall-config) or edit configuration files directly. As was already mentioned, you need direct rules, which allow you to add arbitrary iptables command lines. Something like (untested):

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 10 -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT

Read the manual, and watch out for the --permanent flag and for rule priority.
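The full translation of Leslie's three iptables rules into firewalld direct rules, as an added example that is not from the thread. It assumes the no-internet group already exists (groupadd no-internet) and that the LAN is 192.168.1.0/24; by default it only prints the commands, and runs them (then reloads firewalld) only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: emit (or, with APPLY=1, run) the firewalld direct rules
# equivalent to the three iptables OUTPUT rules from the question.
# Assumptions: group "no-internet" exists, LAN is 192.168.1.0/24 (override
# with GROUP=... LAN=... in the environment).

GROUP="${GROUP:-no-internet}"
LAN="${LAN:-192.168.1.0/24}"

# Print one firewall-cmd line per rule. The number after OUTPUT is the
# priority that orders rules inside the direct chain (lower runs first), so
# the two ACCEPTs (10, 11) must sit before the catch-all DROP (20); with the
# same priority for all three the order would not be guaranteed.
direct_rules() {
    lan="$1"; group="$2"
    printf '%s\n' \
        "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 10 -m owner --gid-owner $group -d $lan -j ACCEPT" \
        "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 11 -m owner --gid-owner $group -d 127.0.0.0/8 -j ACCEPT" \
        "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 20 -m owner --gid-owner $group -j DROP"
}

# Number of rules in the generated set; a quick sanity check before applying.
rule_count() {
    direct_rules "$1" "$2" | wc -l | tr -d ' '
}

if [ "${APPLY:-0}" = "1" ]; then
    # --permanent stores the rules in /etc/firewalld/direct.xml; --reload makes
    # them active. Afterwards verify with: firewall-cmd --direct --get-all-rules
    # and test by running a program in the group: sg "$GROUP" -c 'curl -m 5 https://example.org'
    direct_rules "$LAN" "$GROUP" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd"
    done
    firewall-cmd --reload
else
    direct_rules "$LAN" "$GROUP"
fi
```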

On 03.02.2021 at 03:20, J Leslie Turriff wrote:
I don't have enough experience to show you exactly what to do, but this is the way: https://firewalld.org/documentation/man-pages/firewalld.direct

Participants (5): Adam Mizerski, Andrei Borzenkov, Darryl Gregorash, J Leslie Turriff, Patrick Shanahan