Adding arbitrary firewall (iptables?) rules
I want to block network access for some programs. I found this suggestion https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer... which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:

iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP

I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones). What's the right way to do this?

Leslie
* J Leslie Turriff <jlturriff@mail.com> [02-02-21 21:21]:
I want to block network access for some programs. I found this suggestion
https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer...
which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:
iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones). What's the right way to do this?
I don't know if this is still the way, but using SuSEfirewall2, edit:
  /etc/sysconfig/scripts/SuSEfirewall2-custom

and include
  FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

in /etc/sysconfig/SuSEfirewall2

but most are now using firewalld
and installing yast2-firewall-4.3.9-1.2.noarch
allows customizing

examples abound on giggle
--
(paka)Patrick Shanahan  Plainfield, Indiana, USA  @ptilopteri
http://en.opensuse.org  openSUSE Community Member  facebook/ptilopteri
Photos: http://wahoo.no-ip.org/piwigo  paka @ IRCnet freenode
On 2021-02-02 21:25:04 Patrick Shanahan wrote:
|* J Leslie Turriff <jlturriff@mail.com> [02-02-21 21:21]:
|> I want to block network access for some programs. I found this suggestion
|>
|> https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer...
|>
|> which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:
|>
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
|>
|> I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones).
|> What's the right way to do this?
|
|I don't know if still the way but using SuSEfirewall2, edit:
| /etc/sysconfig/scripts/SuSEfirewall2-custom
|
|and include
| FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
|
|in /etc/sysconfig/SuSEfirewall2
|
|but most are now using firewalld
|and installing yast2-firewall-4.3.9-1.2.noarch
|allows customizing
|
|examples abound on giggle
|
Okay, firewalld must be what I'm using. YaST totally obscures that. Perhaps one is not supposed to use the YaST Firewall module to insert custom rules? It doesn't look to me like there's a way to do it from there.

Leslie
On 2021-02-03 1:08 a.m., J Leslie Turriff wrote:
Okay, firewalld must be what I'm using. YaST totally obscures that. Perhaps one is not supposed to use the YaST Firewall module to insert custom rules? It doesn't look to me like there's a way to do it from there.
Application Launcher --> Applications --> System

The icon is a cute little fireplace :)
On 03.02.2021 05:20, J Leslie Turriff wrote:
I want to block network access for some programs. I found this suggestion
https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer...
which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:
iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones). What's the right way to do this?
Leslie
You expect us to magically guess what distribution and version you are using?
On 2021-02-02 23:02:06 Andrei Borzenkov wrote:
|03.02.2021 05:20, J Leslie Turriff wrote:
|> I want to block network access for some programs. I found this suggestion
|>
|> https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer...
|>
|> which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:
|>
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
|>
|> I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones).
|> What's the right way to do this?
|>
|> Leslie
|>
|
|You expect us to magically guess what distribution and version you are
|using?
|
Sorry; forgot to tell you all that I'm running OpenSuSE Leap 15.2.

Leslie
On Wed, Feb 3, 2021 at 9:43 AM J Leslie Turriff <jlturriff@mail.com> wrote:
On 2021-02-02 23:02:06 Andrei Borzenkov wrote:
|03.02.2021 05:20, J Leslie Turriff wrote:
|> I want to block network access for some programs. I found this suggestion
|>
|> https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer...
|>
|> which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:
|>
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
|> iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
|>
|> I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones).
|> What's the right way to do this?
|>
|> Leslie
|>
|
|You expect us to magically guess what distribution and version you are
|using?
|
Sorry; forgot to tell you all that I'm running OpenSuSE Leap 15.2.
If it was a new install of this version it defaults to using firewalld. The YaST frontend only offers the most basic configuration; you will need to use native firewalld tools (firewall-cmd, firewall-config) or edit configuration files directly.

As was already mentioned, you need direct rules, which allow adding arbitrary iptables command lines. Something like (untested)

firewall-cmd --direct --add-rule ipv4 filter OUTPUT 10 -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT

Read the manual, and watch out for the --permanent flag and for rule priority.
On 03.02.2021 at 03:20, J Leslie Turriff wrote:
I want to block network access for some programs. I found this suggestion
https://serverfault.com/questions/550276/how-to-block-internet-access-to-cer...
which seems to do what I want, but I can't see how to add the following rules using YaST Firewall:
iptables -A OUTPUT -m owner --gid-owner no-internet -d 192.168.1.0/24 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -d 127.0.0.0/8 -j ACCEPT
iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP
I haven't looked at firewall settings for a long time, and now I find that YaST Firewall doesn't seem to allow any but generic controls (and a very confusing list of zones). What's the right way to do this?
Leslie
I don't have enough experience to show you exactly what to do, but this is the way: https://firewalld.org/documentation/man-pages/firewalld.direct
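The script below is an added example, not code from the thread, from firewalld or from openSUSE. It does what Andrei's and Adam's replies describe: it turns the three iptables rules from the original post into firewalld direct rules and applies them with firewall-cmd, giving the LAN and loopback ACCEPT rules a lower priority number than the catch-all DROP so they are evaluated first, and checks that ordering before applying anything. The group name no-internet and the LAN 192.168.1.0/24 are taken from the post; the NO_INET_GROUP, LAN_NET and NO_INET_APPLY variables and the function names are this example's own, and the two IPv6 rules are an addition the thread does not mention (the posted rules are IPv4-only, so without them a process in the group could still reach the Internet over IPv6).

```shell
#!/bin/sh
# Added example (not from the thread): translate the iptables owner-match
# rules into firewalld direct rules and apply them with firewall-cmd.
# Assumptions: group "no-internet" and LAN 192.168.1.0/24 as in the post;
# the environment variable names below are this example's own.
set -eu

NO_INET_GROUP="${NO_INET_GROUP:-no-internet}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Emit the firewall-cmd invocations, one per line. A direct rule carries a
# priority within its chain; lower numbers are inserted first, so the ACCEPT
# exceptions get 10 and the catch-all DROP gets 20. The ipv6 pair is an
# addition: the original rules cover IPv4 only.
direct_rules() {
    g=$1
    lan=$2
    printf '%s\n' \
      "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 10 -m owner --gid-owner $g -d $lan -j ACCEPT" \
      "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 10 -m owner --gid-owner $g -d 127.0.0.0/8 -j ACCEPT" \
      "firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 20 -m owner --gid-owner $g -j DROP" \
      "firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 10 -m owner --gid-owner $g -d ::1/128 -j ACCEPT" \
      "firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 20 -m owner --gid-owner $g -j DROP"
}

# Read a rule list from stdin and exit 0 only if every ACCEPT has a lower
# priority number than every DROP. If the DROP sorted first, the LAN and
# loopback exceptions would never be reached.
priorities_ok() {
    awk '
      BEGIN { maxa = -1; mind = "" }
      {
        prio = ""
        for (i = 1; i <= NF; i++) if ($i == "OUTPUT") { prio = $(i + 1) + 0; break }
        if ($NF == "ACCEPT" && prio > maxa) maxa = prio
        if ($NF == "DROP" && (mind == "" || prio < mind)) mind = prio
      }
      END { ok = (mind != "" && maxa < mind); exit !ok }'
}

# Create the group if needed and apply the rules. Nothing is executed unless
# NO_INET_APPLY=1; otherwise the commands are only printed, so the script can
# be dry-run as an unprivileged user.
apply_rules() {
    if [ "${NO_INET_APPLY:-0}" != 1 ]; then
        direct_rules "$NO_INET_GROUP" "$LAN_NET" | sed 's/^/[dry-run] /'
        return 0
    fi
    getent group "$NO_INET_GROUP" >/dev/null || groupadd --system "$NO_INET_GROUP"
    direct_rules "$NO_INET_GROUP" "$LAN_NET" | while IFS= read -r cmd; do
        # eval runs strings this script built from the two admin-supplied
        # variables above; never feed it untrusted input.
        eval "$cmd"
    done
    # --permanent only writes /etc/firewalld/direct.xml; reload to activate.
    firewall-cmd --reload
    firewall-cmd --direct --get-all-rules
}

# Run a command with no-internet as its primary group. -m owner --gid-owner
# matches the primary gid of the process that created the socket, so being
# a supplementary member of the group is not enough; sg sets the primary gid.
run_offline() {
    sg "$NO_INET_GROUP" -c "$*"
}

direct_rules "$NO_INET_GROUP" "$LAN_NET" | priorities_ok
apply_rules
```

Run it as root with NO_INET_APPLY=1 to apply the rules; without that it only prints them. The --permanent flag stores the rules in /etc/firewalld/direct.xml and they take effect after firewall-cmd --reload; a rule added without --permanent lives only in the runtime configuration and is gone after the next reload. Direct rules are handed to iptables/ip6tables even when firewalld's own backend is nftables. To verify, compare sg no-internet -c 'curl -m 5 https://example.org' (should time out) with the same curl run normally and with a LAN address (should work).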
participants (5)
- Adam Mizerski
- Andrei Borzenkov
- Darryl Gregorash
- J Leslie Turriff
- Patrick Shanahan