[opensuse] Issues with Susefirewall - Opensuse 15.0
I am trying to set up the firewall for a very specific and perhaps unusual situation. First thing I noticed when trying to set up the firewall was that the Yast firewall-config package was not installed. Even after installing, I find that when I try to configure the firewall, I get a message firewalld is not running. I can go into Services Manager to enable and start it. However, after rebooting, while still enabled, firewalld is not starting. Seems to me there's a bit of a problem here. Next, is there any way to filter outgoing packets? I don't see it in the firewall configuration. I'm trying to block the MAC address from the Ethernet port on my notebook from going out onto the network. This is the unusual situation I referred to. I have a small managed switch, which I configured for port mirroring, so that I can use Wireshark to monitor traffic to other computers. This involves inserting what's commonly referred to as a "data tap" between the two devices. I am using the managed switch in that role. However, unlike switches from Cisco, Adtran etc., this TP-Link switch allows traffic from the monitor port to pass through the other switch ports. In a network where a switch is configured for port security, this may cause problems, in that the port may be shut down if an unauthorized MAC address appears on that port. Since this switch I'm using to monitor the connection allows frames from the mirror port out, this might actually cause a failure. My goal is to block any frame with the Ethernet port MAC address from leaving the computer. While I could write the appropriate IPTables commands to do this, I would prefer to do it in the firewall configuration, as the network manager supports loading specific zones, but I don't see a way to call a script. I am trying to use the "drop" zone and filtering on source MAC address. Suggestions?
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 09/07/2018 10:02 AM, James Knott wrote:
I am trying to set up the firewall for a very specific and perhaps unusual situation.
I see the firewall is completely different from when I used to manually edit the susefirewall file. How is it done with the new system? I have found the file /etc/firewalld/firewalld.conf, but there doesn't appear to be much relevant there. I have also found /etc/firewalld/zones/drop.xml, which shows:
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <source address="F0:DE:F1:8C:DC:99"/>
</zone>
However, I don't see anything about a custom rule to block outgoing MAC addresses. Where would that be added? There is also nothing about this in the Leap 15 Security Guide. It has only general info on the firewall. Any firewall experts here? tnx jk
On Friday 7 September 2018 18:02:22 CEST, James Knott wrote:
On 09/07/2018 10:02 AM, James Knott wrote:
I am trying to set up the firewall for a very specific and perhaps unusual situation.
I see the firewall is completely different from when I used to manually edit the susefirewall file. How is it done with the new system? I have found the file /etc/firewalld/firewalld.conf, but there doesn't appear to be much relevant there.
I have also found /etc/firewalld/zones/drop.xml, which shows:
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <source address="F0:DE:F1:8C:DC:99"/>
</zone>
However, I don't see anything about a custom rule to block outgoing MAC addresses. Where would that be added? There is also nothing about this in the Leap 15 Security Guide. It has only general info on the firewall.
Any firewall experts here?
tnx jk
install and run firewalld-config
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 09/07/2018 01:01 PM, Knurpht-openSUSE wrote:
install and run firewalld-config
That was one of the first things I did. I'm well past that point, other than having to manually start it. It's enabled in Services Manager, but doesn't start on its own. The big question here is how to create a rule that blocks an outgoing packet, filtering on MAC address. There doesn't seem to be any way of doing that, short of running a specific iptables command. Even Rich Rules don't seem to handle that situation. Apparently, to run an iptables command, I'd have to use firewall-cmd --direct, but I don't see any way to do that from within the firewall config and I haven't found any hooks that might do it either. If this was the old susefirewall, I'd just go in and edit the file to add the iptables command.
On 07.09.2018 17:02, James Knott wrote:
frame from the mirror port out, this might actually cause a failure. My goal is to block any frame with the Ethernet port MAC address from leaving the computer.
There is no frame nor MAC address before a locally originated packet leaves the computer.
While I could write the appropriate IPTables commands to do this,
Really?
mac
[!] --mac-source address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
Care to show your command?
I would prefer to do it in the firewall configuration, as the network manager supports loading specific zones, but I don't see a way to call a script. I am trying to use the "drop" zone and filtering on source MAC address.
Suggestions?
You can call arbitrary iptables/ebtables commands from firewalld.
On 09/07/2018 01:46 PM, Andrei Borzenkov wrote:
While I could write the appropriate IPTables commands to do this,
Really?
Perhaps I should have said in general. I did manually edit it to provide support for IPv6 that was not provided for in the firewall config.
Really?
mac
[!] --mac-source address
Match source MAC address. It must be of the form XX:XX:XX:XX:XX:XX. Note that this only makes sense for packets coming from an Ethernet device and entering the PREROUTING, FORWARD or INPUT chains.
Care to show your command?
Sorry, I guess I wasn't thinking straight. Frustration can do that. ;-) Still though, it shouldn't be so hard to add custom rules, such as blocking an outgoing IP address or protocol. As far as I can tell, the new firewall makes it difficult to do so. In routers from Cisco etc., you have full control in both directions. I now run pfSense for my firewall and it also supports filtering on any interface, including traffic that's heading out to the 'net. BTW, don't buy cheap TP-Link switches. In addition to this issue, they don't handle VLANs properly. I have configured port mirroring on Adtran switches and when a computer is plugged into the mirror port, it can't even get an address with DHCP, as all outgoing frames are dropped. Here's what Cisco says in the manual for one of their switches: "When a port is configured as a probe port, the switch does not forward or receive any traffic or respond to a ping." For some reason, TP-Link thinks it's OK to pass frames from a mirror port.
On 07.09.2018 21:07, James Knott wrote:
Still though, it shouldn't be so hard to add custom rules, such as blocking an outgoing IP address or protocol.
It should not be so hard to understand that ranting on this list is not going to change anything. If you have something to say about firewalld design, do it where it belongs - on firewalld support channels. As of now firewalld is only concerned about incoming packets (with some exceptions like masquerading). The only way to add rules that deal with outgoing locally generated packets is via direct interface.
On 09/08/2018 08:36 AM, Andrei Borzenkov wrote:
As of now firewalld is only concerned about incoming packets (with some exceptions like masquerading). The only way to add rules that deal with outgoing locally generated packets is via direct interface.
As I mentioned, there doesn't appear to be an easy way to add direct commands, either in the config or a hook to call a script.
On 08.09.2018 19:07, James Knott wrote:
On 09/08/2018 08:36 AM, Andrei Borzenkov wrote:
As of now firewalld is only concerned about incoming packets (with some exceptions like masquerading). The only way to add rules that deal with outgoing locally generated packets is via direct interface.
As I mentioned, there doesn't appear to be an easy way to add direct commands
Besides
a) using firewall-config
b) using firewall-(offline-)cmd
c) directly editing configuration file
?
On 09/08/2018 12:15 PM, Andrei Borzenkov wrote:
Besides
a) using firewall-config
b) using firewall-(offline-)cmd
c) directly editing configuration file
I looked into all those. I didn't see any way in the firewall config. I didn't see any other way to launch a command when a zone is used. I couldn't find any config file other than the zone xml file and I didn't see anything there to support it. If such is available, I certainly didn't see it documented anywhere.
On 09.09.2018 16:27, James Knott wrote:
On 09/08/2018 12:15 PM, Andrei Borzenkov wrote:
Besides
a) using firewall-config
b) using firewall-(offline-)cmd
c) directly editing configuration file
I looked into all those. I didn't see any way in the firewall config.
It's not like there are thousands of menu items. It is even called - surprise - "Direct".
I didn't see any other way to launch a command when a zone is used.
Direct commands are not associated with any zone. Actually they are processed before any zone configuration (except passthrough where you are supposed to know exactly what you are doing).
I couldn't find any config file other than the zone xml file and I didn't see anything there to support it. If such is available, I certainly didn't see it documented anywhere.
man firewalld.direct
On 09/09/2018 09:52 AM, Andrei Borzenkov wrote:
On 09.09.2018 16:27, James Knott wrote:
On 09/08/2018 12:15 PM, Andrei Borzenkov wrote:
Besides
a) using firewall-config
b) using firewall-(offline-)cmd
c) directly editing configuration file
I looked into all those. I didn't see any way in the firewall config.
It's not like there are thousands of menu items. It is even called - surprise - "Direct".
I didn't see any other way to launch a command when a zone is used.
Direct commands are not associated with any zone. Actually they are processed before any zone configuration (except passthrough where you are supposed to know exactly what you are doing).
The idea was to create a specific network management connection that used the drop zone. I don't want it used at any other time.
I couldn't find any config file other than the zone xml file and I didn't see anything there to support it. If such is available, I certainly didn't see it documented anywhere.
man firewalld.direct
NAME
firewalld.direct - firewalld direct configuration file
SYNOPSIS
/etc/firewalld/direct.xml
DESCRIPTION
Direct configuration gives a more direct access to the firewall. It requires user to know basic ip(6)tables/ebtables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...). Direct configuration should be used only as a last resort when it's not possible to use firewalld.zone(5). See also Direct Options in firewall-cmd(1).
Looks to me like it's not intended to be used with zones.
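For readers following the direct-interface suggestion above, here is an added example of what /etc/firewalld/direct.xml could contain to stop locally generated IPv4 and IPv6 packets from leaving a given interface. It is not code from the thread, from firewalld, or from any of the participants. As Andrei points out, a locally originated packet has no source MAC address when it reaches the filter OUTPUT chain, so the match is on the outgoing interface (-o, a standard iptables option) rather than on a MAC address; the interface name eth0 is an assumption, substitute the device the mirror port is cabled to.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the thread: /etc/firewalld/direct.xml -->
<direct>
  <!-- Drop every locally generated IPv4 packet that would leave eth0.
       Priority 0 places the rule before any zone processing, as the
       direct interface always does; "eth0" is an assumed interface name. -->
  <rule ipv="ipv4" table="filter" chain="OUTPUT" priority="0">-o eth0 -j DROP</rule>
  <!-- The same for IPv6 (ip6tables), so v6 neighbour traffic is covered too. -->
  <rule ipv="ipv6" table="filter" chain="OUTPUT" priority="0">-o eth0 -j DROP</rule>
</direct>
```

The same two rules can be entered without editing the file, using `firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o eth0 -j DROP` (and `ipv6` likewise) followed by `firewall-cmd --reload`, and listed with `firewall-cmd --direct --get-all-rules`. Two caveats for the use described in the thread: direct rules are global, not tied to a zone, so they apply whenever firewalld is running, and ip(6)tables only sees IP traffic, so non-IP frames the kernel emits on its own (ARP is the obvious one) are outside this rule's reach. Whether that residual traffic is acceptable on a port-security-protected switch port should be confirmed with a capture on the mirror side before relying on it.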
Quoting James Knott <james.knott@jknott.net>:
I am trying to set up the firewall for a very specific and perhaps unusual situation. First thing I noticed, when trying to set up the firewall was that the Yast firewall-config package was not installed. Even after installing, I find that when I try to configure the firewall, I get a message firewalld is not running. I can go into Services Manager, to enable and start it. However, after rebooting, while still enabled, firewalld is not starting. Seems to me there's a bit of a problem here.
[snip] I did something like this many years ago. The solution I used was to make a read-only Ethernet cable. Search for "read only ethernet cable" and you will find several how-to articles. HTH, Jeffrey
On 09/08/2018 11:08 AM, Jeffrey L. Taylor wrote:
I did something like this many years ago. The solution I use was to make a read-only Ethernet cable. Search for "read only ethernet cable" and you will find several how to articles.
That only works with 10 or 100 Mb, where there are separate pairs for transmit & receive. Gigabit uses all 4 pairs for both directions.
participants (4): Andrei Borzenkov, James Knott, Jeffrey L. Taylor, Knurpht-openSUSE