[oS-en] Migrating SuSEfirewall2 to firewalld
Hi,

I have to finally do that migration. There is a script and some docs:

https://en.opensuse.org/Firewalld
https://github.com/openSUSE/susefirewall2-to-firewalld/blob/master/README.md

The sequence of commands is:

susefirewall2-to-firewalld

If you like the output, then

susefirewall2-to-firewalld -c

To commit. This prints at the end (after a run of 14 minutes):

INFO: ##################################################################################
INFO:
INFO: Your SuSEfirewall2 rules have been migrated to FirewallD. A celebration is in order!
INFO:
INFO: Please note that the firewalld rules haven't been made permanent yet.
INFO: Use 'firewall-cmd --list-all-zones' to verify you are happy with the proposed
INFO: configuration and then use 'firewall-cmd --runtime-to-permanent' to make it permanent.
INFO: However, you are advised to look at the following resources and/or
INFO: commands before making permanent changes to your firewall:

So I do that (claims success). But something is wrong, the rules are not actually written. I confirm with "firewall-config" that there are no rich rules at all.

I saw while the script was running text like these:

INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=514 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 protocol value=icmp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=162 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=53792 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.5/32 port port=514 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.5/32 protocol value=icmp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.5/32 port port=162 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=514 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=53 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=139 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=137 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=5353 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=515 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=3553 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=514 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=514 protocol=tcp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 port port=6666 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.14/32 protocol value=icmp accept" for zone="external"

But they were not actually written. Not in "runtime", nor in "permanent". Nor in /etc/zones.

This is the content of /etc/firewalld/zones/external.xml:

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <masquerade/>
  <interface name="eth0"/>
  <interface name="wlan0"/>
</zone>

/etc/firewalld/policies/allow-host-ipv6.xml:

<?xml version="1.0" encoding="utf-8"?>
<policy priority="-15000" target="CONTINUE">
  <short>Allow host IPv6</short>
  <description>Allows basic IPv6 functionality for the host running firewalld.</description>
  <rule family="ipv6">
    <icmp-type name="neighbour-advertisement"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <icmp-type name="neighbour-solicitation"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <icmp-type name="router-advertisement"/>
    <accept/>
  </rule>
  <rule family="ipv6">
    <icmp-type name="redirect"/>
    <accept/>
  </rule>
  <ingress-zone name="ANY"/>
  <egress-zone name="HOST"/>
</policy>

Isengard:~ # firewall-cmd --list-all
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Isengard:~ #
Isengard:~ # firewall-cmd --list-rich-rules
Isengard:~ #

That's all. Nothing was actually migrated from SuSEfirewall2.

So, what can I do to actually migrate SuSEfirewall2 to firewalld?

-- 
Cheers
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
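The symptom in the message above is that the script logs "Enabling rich rule=..." for every rule but the zone file ends up with no <rule> elements at all. A practical way to catch that before running firewall-cmd --runtime-to-permanent is to compare the rules the script claimed to enable against what is actually in the zone XML. The following is an added example, not code from the thread or from the susefirewall2-to-firewalld project; the log lines and the zone file in it are constructed samples in the formats shown above, and it deliberately handles only the element kinds that appear in the thread (source, port, protocol and an accept/drop/reject action).

```python
"""Compare rich rules a migration log claims to have enabled with the
<rule> elements actually present in a firewalld zone XML file.

Added example; not part of the thread or of susefirewall2-to-firewalld.
SAMPLE_LOG and SAMPLE_ZONE_XML are constructed sample data.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: three lines in the format the migration script prints.
SAMPLE_LOG = """\
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 port port=514 protocol=udp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.1/32 protocol value=icmp accept" for zone="external"
INFO: Enabling rich rule="rule family=ipv4 source address=192.168.1.7/32 port port=53 protocol=udp accept" for zone="external"
"""

# Constructed sample zone file: only the first of the three rules was persisted.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <service name="ssh"/>
  <masquerade/>
  <interface name="eth0"/>
  <rule family="ipv4">
    <source address="192.168.1.1/32"/>
    <port port="514" protocol="udp"/>
    <accept/>
  </rule>
</zone>
"""

LOG_RE = re.compile(r'Enabling rich rule="(?P<rule>[^"]+)" for zone="(?P<zone>[^"]+)"')


def rules_from_log(log_text, zone):
    """Rich rules the script claimed to enable for `zone`, as rule strings."""
    return {m.group("rule") for m in LOG_RE.finditer(log_text) if m.group("zone") == zone}


def rule_element_to_string(rule):
    """Render a <rule> element back into firewall-cmd rich-rule syntax.

    Only the element kinds seen in the thread are rendered precisely; any
    other child is emitted as its bare tag name so it still shows up in a
    diff instead of being silently dropped.
    """
    parts = ["rule"]
    if rule.get("family"):
        parts.append(f"family={rule.get('family')}")
    for child in rule:
        if child.tag == "source":
            parts.append(f"source address={child.get('address')}")
        elif child.tag == "port":
            parts.append(f"port port={child.get('port')} protocol={child.get('protocol')}")
        elif child.tag == "protocol":
            parts.append(f"protocol value={child.get('value')}")
        else:  # accept / drop / reject, or something this helper does not model
            parts.append(child.tag)
    return " ".join(parts)


def rules_from_zone_xml(xml_text):
    """Rich rules present in a firewalld zone file, as rule strings."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {rule_element_to_string(r) for r in root.findall("rule")}


def missing_rules(log_text, zone, zone_xml):
    """Rules the log says were enabled for `zone` but that the zone file lacks."""
    return sorted(rules_from_log(log_text, zone) - rules_from_zone_xml(zone_xml))


if __name__ == "__main__":
    # On a real host you would read /var/log output of the script and
    # /etc/firewalld/zones/external.xml instead of the constructed samples.
    for rule in missing_rules(SAMPLE_LOG, "external", SAMPLE_ZONE_XML):
        print("NOT PERSISTED:", rule)
```

With the constructed samples it reports the icmp rule and the port 53 rule as not persisted; on the real zone file from the message above every logged rule would be reported, which is exactly the condition that should stop you from running firewall-cmd --runtime-to-permanent and disabling SuSEfirewall2.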
On Tue, Apr 25, 2023 at 1:00 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
It only changes configuration when -c flag is present.
On 2023-04-25 12:54, Andrei Borzenkov wrote:
It only changes configuration when -c flag is present.
I did use "-c".

Isengard:~ # susefirewall2-to-firewalld
INFO: Reading the /etc/sysconfig/SuSEfirewall2 file
INFO: Ensuring all firewall services are in a well-known state.
...
INFO: ##################################################################################
INFO:
INFO: The dry-run has been completed. Please check the above output to ensure
INFO: that everything looks good.
INFO:
INFO: ##################################################################################
INFO: Stopping firewalld
INFO: Restarting SuSEfirewall2_init
INFO: Restarting SuSEfirewall2
Isengard:~ #
Isengard:~ # time susefirewall2-to-firewalld -c            <======****
INFO: Reading the /etc/sysconfig/SuSEfirewall2 file
INFO: Ensuring all firewall services are in a well-known state.
INFO: This will start/stop/restart firewall services and it's likely
INFO: to cause network disruption.
...
INFO: ##################################################################################
INFO:
INFO: Your SuSEfirewall2 rules have been migrated to FirewallD. A celebration is in order!
INFO:
INFO: Please note that the firewalld rules haven't been made permanent yet.
INFO: Use 'firewall-cmd --list-all-zones' to verify you are happy with the proposed
INFO: configuration and then use 'firewall-cmd --runtime-to-permanent' to make it permanent.
INFO: However, you are advised to look at the following resources and/or
INFO: commands before making permanent changes to your firewall:
INFO:
INFO: - http://www.firewalld.org/documentation/
INFO: - firewall-cmd --help
INFO: - firewall-cmd --list-all-zones
INFO: - firewall-cmd --direct --get-all-passthrough
INFO: - And the firewalld manpages of course!
INFO:
INFO: ##################################################################################
INFO: Stopping and disabling SuSEfirewall2
INFO: Stopping and disabling SuSEfirewall2_init
INFO: Starting firewalld

real    13m58.523s
user    9m55.374s
sys     0m42.877s
Isengard:~ # ls /etc/firewalld/zones/
Isengard:~ # firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
...
ocker (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: docker0
  sources:
  services:
  ports:
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
...
external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 wlan0
  sources:
  services: ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
...
Isengard:~ # firewall-cmd --runtime-to-permanent
success
Isengard:~ # tmux capture-pane -p -S- -E- > capture
error connecting to /run/tmux/0/default (No such file or directory)
Isengard:~ # logout
cer@Isengard:~> tmux capture-pane -p -S- -E- > capture

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On Tue, Apr 25, 2023 at 2:25 PM Carlos E. R. <robin.listas@telefonica.net> wrote:
Isengard:~ # time susefirewall2-to-firewalld -c            <======****
INFO: Reading the /etc/sysconfig/SuSEfirewall2 file
INFO: Ensuring all firewall services are in a well-known state.
INFO: This will start/stop/restart firewall services and it's likely
INFO: to cause network disruption.
...
INFO: ##################################################################################
INFO:
INFO: Your SuSEfirewall2 rules have been migrated to FirewallD. A celebration is in order!
INFO:
INFO: Please note that the firewalld rules haven't been made permanent yet.
INFO: Use 'firewall-cmd --list-all-zones' to verify you are happy with the proposed
INFO: configuration and then use 'firewall-cmd --runtime-to-permanent' to make it permanent.
INFO: However, you are advised to look at the following resources and/or
INFO: commands before making permanent changes to your firewall:
INFO:
INFO: - http://www.firewalld.org/documentation/
INFO: - firewall-cmd --help
INFO: - firewall-cmd --list-all-zones
INFO: - firewall-cmd --direct --get-all-passthrough
INFO: - And the firewalld manpages of course!
INFO:
INFO: ##################################################################################
INFO: Stopping and disabling SuSEfirewall2
INFO: Stopping and disabling SuSEfirewall2_init
INFO: Starting firewalld

real    13m58.523s
user    9m55.374s
sys     0m42.877s
Isengard:~ # ls /etc/firewalld/zones/
It is not expected to change at this point. Anyway, if you expect someone to look into it you should provide a complete output. Maybe even with the -d switch.
On 2023-04-25 13:40, Andrei Borzenkov wrote:
It is not expected to change at this point.
You are looking too fast at what I write. You stop looking at "ls /etc/firewalld/zones/" and do not see the "firewall-cmd --runtime-to-permanent" later.

What command have I not done that I should do? I did what the documentation says to do:

susefirewall2-to-firewalld
susefirewall2-to-firewalld -c
firewall-cmd --list-all-zones
firewall-cmd --runtime-to-permanent

All four commands in sequence.
Anyway, if you expect someone to look into it you should provide a complete output. Maybe even with the -d switch.
Certainly, I can try with "-d". I expect it to save the debug information to some file, because the documentation doesn't say if it does or not.

[...]

(didn't write to log file)

Well, with "-c -d" it actually worked, and "firewall-cmd --list-all" did list it all. So "firewall-cmd --runtime-to-permanent" finally wrote a very complex set of rules. Now the "external.xml" file has 13042 bytes.

NFS mounts are working, which is a fire test.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)