Firewall configuration, confused.
Hello,
I read with great interest the entire recent thread "Possible malware?" and tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers to fix various issues.
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do? Thanks, Gustav.
On 17/03/2021 19.42, Gustav Degreef wrote:
Hello,
I read with great interest the entire recent thread "Possible malware?" and tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers to fix various issues.
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do? Thanks, Gustav.
I'm confused.
- Do you need access via ssh from Internet?
- your router, what does it run? Is it a computer acting as router and running openSUSE, or is it a normal, purchased router, or provided by your ISP?
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
Hello,
I read with great interest the entire recent thread "Possible malware?" and tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers to fix various issues.
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
OK, which one? Selecting home or internal but not public does not allow me access to that computer. But if I only select public, doesn't it allow connections from outside the home network?
I'm confused.
- Do you need access via ssh from Internet?
No, I want to prevent ssh logins from the internet.
- your router, what does it run? Is it a computer acting as router and running openSUSE, or is it a normal, purchased router, or provided by your ISP?
I bought the router myself, configured it myself. TP link (TL-WR840N), don't know what it runs.
Thanks, Gustav
On 17/03/2021 20.43, Gustav Degreef wrote:
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
Hello,
I read with great interest the entire recent thread "Possible malware?" and tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers to fix various issues.
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
OK, which one? Selecting home or internal but not public does not allow me access to that computer. But if I only select public, doesn't it allow connections from outside the home network?
How many interfaces? I assume "one", be it "eth0" or "wlan0". Typically set it to "home". If you are connecting the laptop outside of your home, then use "public".
I'm confused.
- Do you need access via ssh from Internet?
No, I want to prevent ssh logins from the internet.
Then you only need to configure the router.
- your router, what does it run? Is it a computer acting as router and running openSUSE, or is it a normal, purchased router, or provided by your ISP?
I bought the router myself, configured it myself. TP link (TL-WR840N), don't know what it runs.
Then that's the one you have to configure. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 3/17/21 8:56 PM, Carlos E. R. wrote:
On 17/03/2021 20.43, Gustav Degreef wrote:
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
...... tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers ......
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
How many interfaces? I assume "one", be it "eth0" or "wlan0". Typically set it to "home". If you are connecting the laptop outside of your home, then use "public".
Only 1, wlan0. All wireless, no ethernet on the network.
I'm confused.
 - Do you need access via ssh from Internet?
No, I want to prevent ssh logins from the internet.
Then you only need to configure the router.
I wondered if that might be a better way. So, I just configure the firewall with only the home zone to allow ssh and block incoming ssh from the internet via the router?
 - your router, what does it run?
I bought the router myself, configured it myself. TP link (TL-WR840N), don't know what it runs.
Then that's the one you have to configure.
Then I'll read up on how to do that. Gustav
On 18/03/2021 08.30, Gustav Degreef wrote:
On 3/17/21 8:56 PM, Carlos E. R. wrote:
On 17/03/2021 20.43, Gustav Degreef wrote:
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
...... tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers ......
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
How many interfaces? I assume "one", be it "eth0" or "wlan0". Typically set it to "home". If you are connecting the laptop outside of your home, then use "public".
Only 1, wlan0. All wireless, no ethernet on the network.
I'm confused.
 - Do you need access via ssh from Internet?
No, I want to prevent ssh logins from the internet.
Then you only need to configure the router.
I wondered if that might be a better way. So, I just configure the firewall with only the home zone to allow ssh and block incoming ssh from the internet via the router?
It is *the* way.
It is possible, with SuSEfirewall2, to block ssh (for example), but permit it only from certain listed IPs:
FW_TRUSTED_NETS="192.168.1.10,tcp,ssh"
as a second layer of protection besides the router. But the router must block outside attempts.
Unfortunately, I don't know how to achieve the same thing with firewalld.
 - your router, what does it run?
I bought the router myself, configured it myself. TP link (TL-WR840N), don't know what it runs.
Then that's the one you have to configure.
Then I'll read up on how to do that. Gustav
Some people consider that the router does put a sufficient barrier by doing NAT, but it is much better if it also has a firewall. Home routers may have their firewall disabled, so you just need to enable it and done. On some, the feature is hidden. Others may come with it enabled by default. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 3/18/21 11:11 AM, Carlos E. R. wrote:
On 18/03/2021 08.30, Gustav Degreef wrote:
On 3/17/21 8:56 PM, Carlos E. R. wrote:
On 17/03/2021 20.43, Gustav Degreef wrote:
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
...... tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers ......
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
How many interfaces? I assume "one", be it "eth0" or "wlan0". Typically set it to "home". If you are connecting the laptop outside of your home, then use "public".
Only 1, wlan0. All wireless, no ethernet on the network.
I'm confused.
- Do you need access via ssh from Internet?
No, I want to prevent ssh logins from the internet.
Then you only need to configure the router.
I wondered if that might be a better way. So, I just configure the firewall with only the home zone to allow ssh and block incoming ssh from the internet via the router?
It is *the* way.
It is possible, with SuSEfirewall2, to block ssh (for example), but permit it only from certain listed IPs:
FW_TRUSTED_NETS="192.168.1.10,tcp,ssh"
as a second layer of protection besides the router. But the router must block outside attempts.
Unfortunately, I don't know how to achieve the same thing with firewalld.
- your router, what does it run?
I bought the router myself, configured it myself. TP link (TL-WR840N), don't know what it runs.
Then that's the one you have to configure.
Then I'll read up on how to do that. Gustav
Some people consider that the router does put a sufficient barrier by doing NAT, but it is much better if it also has a firewall.
Home routers may have their firewall disabled, so you just need to enable it and done. On some, the feature is hidden. Others may come with it enabled by default.
Thanks Carlos and others. Sounds like configuring the router is the most direct and simplest way to do what I need. Gustav
On 3/18/21 11:11 AM, Carlos E. R. wrote:
On 18/03/2021 08.30, Gustav Degreef wrote:
On 3/17/21 8:56 PM, Carlos E. R. wrote:
On 17/03/2021 20.43, Gustav Degreef wrote:
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
...... tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops ....... on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers ......
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
How many interfaces? I assume "one", be it "eth0" or "wlan0". Typically set it to "home". If you are connecting the laptop outside of your home, then use "public".
Only 1, wlan0. All wireless, no ethernet on the network.
- Do you need access via ssh from Internet?
No, I want to prevent ssh logins from the internet.
Then you only need to configure the router.
I wondered if that might be a better way. So, I just configure the firewall with only the home zone to allow ssh and block incoming ssh from the internet via the router?
It is *the* way.
- your router, what does it run?
I bought the router myself, configured it myself. TP link (TL-WR840N), don't know what it runs.
Then that's the one you have to configure.
Some people consider that the router does put a sufficient barrier by doing NAT, but it is much better if it also has a firewall.
Home routers may have their firewall disabled, so you just need to enable it and done. On some, the feature is hidden. Others may come with it enabled by default.
Yes, the router has a firewall enabled by default. There are basic and advanced security settings. The basic is to enable (or not) SPI Firewall - Stateful Packet Inspection (SPI). Not sure if this is sufficient to block all ssh connections from the internet. I could not see if there is a facility to block/allow specific protocols such as ssh. I will now look at the zones and NetworkManager settings more closely. Takes me time due to my visual disability. Gustav.
On 19/03/2021 12.25, Gustav Degreef wrote:
On 3/18/21 11:11 AM, Carlos E. R. wrote:
...
Home routers may have their firewall disabled, so you just need to enable it and done. On some, the feature is hidden. Others may come with it enabled by default.
Yes, the router has a firewall enabled by default. There are basic and advanced security settings. The basic is to enable (or not) SPI Firewall - Stateful Packet Inspection (SPI). Not sure if this is sufficient to block all ssh connections from the internet. I could not see if there is a facility to block/allow specific protocols such as ssh.
I will now look at the zones and NetworkManager settings more closely. Takes me time due to my visual disability. Gustav.
Typically, the most basic and default configuration will do. You don't have to do anything besides knowing the firewall is "up".
The default state of a firewall is "block everything". The only things that pass it from outside are the replies to connections that came out from inside, so the firewall tracks the connections.
You only need to configure the firewall if you want something specific to get "in" (connections that start from outside). For instance, some games need adjustments on the firewall in order to play with other people on internet. Or some VoIP (internet telephone) applications.
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 3/19/21 12:34 PM, Carlos E. R. wrote:
On 19/03/2021 12.25, Gustav Degreef wrote:
Yes, the router has a firewall enabled by default. There are basic and
advanced security settings. The basic is to enable (or not) SPI Firewall - Stateful Packet Inspection (SPI). Not sure if this is sufficient to block all ssh connections from the internet. I could not see if there is a facility to block/allow specific protocols such as ssh.
I will now look at the zones and NetworkManager settings more closely. Takes me time due to my visual disability. Gustav.
Typically, the most basic and default configuration will do. You don't have to do anything besides knowing the firewall is "up".
The default state of a firewall is "block everything". The only things that pass it from outside are the replies to connections that came out from inside, so the firewall tracks the connections.
You only need to configure the firewall if you want something specific to get "in" (connections that start from outside). For instance, some games need adjustments on the firewall in order to play with other people on internet. Or some VoIP (internet telephone) applications.
Excellent. Carlos, thanks a lot for the explanation, Gustav
On 17.03.2021 21:42, Gustav Degreef wrote:
Hello,
I read with great interest the entire recent thread "Possible malware?" and tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running opensuse 15.x (and 2 android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers to fix various issues.
If you control the DHCP server or have a static DHCP range, that is possible. If your DHCP range is dynamically allocated by your ISP, there is no simple way to do it (you simply do not know in advance what the "home network" is).
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Zone configuration is only relevant if this zone is actually used, i.e. either an interface or a source (IP range/MAC/ipset) is bound to this zone.
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do?
Assuming one of the zones you mentioned is actually used (I believe the default is public) and you only allowed incoming SSH connections in this zone, you allowed them from any address, not only from your home network.
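Andrei's two points above (a zone only has effect when something is bound to it, and allowing ssh in the default zone allows it from any address) and Carlos's earlier FW_TRUSTED_NETS idea both have a firewalld counterpart: a zone can be bound to a source address range instead of an interface. The following audit is an added example, not code from the thread or from the firewalld project; it reads firewalld's own zone XML format and the DefaultZone= line from firewalld.conf and reports ssh rules that either have no effect or accept ssh from outside the home prefix. The zone files, the firewalld.conf fragment and the 192.168.1.0/24 prefix are constructed samples.

```python
"""Audit firewalld zone files for ssh exposure (added example, not from the thread).

Reads the XML format firewalld keeps under /etc/firewalld/zones/ and the
DefaultZone= setting from firewalld.conf, and reports ssh rules that either have
no effect (zone not bound to anything) or accept ssh from any address.
"""
import ipaddress
import xml.etree.ElementTree as ET


def parse_zone(xml_text):
    """Return the bindings and ssh-relevant rules of one firewalld zone file."""
    root = ET.fromstring(xml_text)
    return {
        "interfaces": [e.get("name") for e in root.findall("interface")],
        # Only address sources are considered; MAC/ipset sources are ignored here.
        "sources": [e.get("address") for e in root.findall("source") if e.get("address")],
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(e.get("port"), e.get("protocol")) for e in root.findall("port")],
    }


def default_zone(conf_text):
    """DefaultZone= from firewalld.conf; firewalld itself falls back to 'public'."""
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("DefaultZone="):
            return line.split("=", 1)[1].strip()
    return "public"


def outside_lan(source, lan_net):
    """True when a zone source is not contained in the home LAN prefix."""
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        return True
    return net.version != lan_net.version or not net.subnet_of(lan_net)


def audit_ssh(zones, conf_text, lan):
    """zones: {zone name: xml text}. Returns a list of human-readable findings.

    A zone only matters when an interface or a source is bound to it, or when it
    is the default zone (which catches every unbound interface). firewalld
    matches sources before interfaces, so a source-bound zone is consulted for
    LAN traffic even if the interface itself sits in another zone.
    """
    lan_net = ipaddress.ip_network(lan)
    default = default_zone(conf_text)
    findings = []
    for name, xml_text in zones.items():
        z = parse_zone(xml_text)
        if "ssh" not in z["services"] and ("22", "tcp") not in z["ports"]:
            continue
        if not (z["interfaces"] or z["sources"]) and name != default:
            findings.append(f"{name}: allows ssh but nothing is bound to it, rule has no effect")
            continue
        # Interface bindings (and the default zone) accept from any address on that interface.
        if z["interfaces"] or name == default:
            where = ", ".join(z["interfaces"]) or "every unbound interface (default zone)"
            findings.append(f"{name}: accepts ssh from ANY address on {where}")
        for src in z["sources"]:
            if outside_lan(src, lan_net):
                findings.append(f"{name}: accepts ssh from source {src}, which is wider than {lan}")
    return findings


# Constructed samples modelling the thread: DefaultZone=public, ssh allowed in
# public and home, nothing explicitly bound to either zone.
SAMPLE_CONF = "# constructed fragment of /etc/firewalld/firewalld.conf\nDefaultZone=public\n"
WEAK_ZONES = {
    "public": '<?xml version="1.0" encoding="utf-8"?>\n<zone><short>Public</short>'
              '<service name="ssh"/><service name="dhcpv6-client"/></zone>',
    "home": '<zone><short>Home</short><service name="ssh"/></zone>',
    "external": '<zone target="default"><short>External</short><masquerade/></zone>',
}
# Hardened: ssh only through a source-bound home zone limited to the LAN prefix,
# the firewalld counterpart of SuSEfirewall2's FW_TRUSTED_NETS.
FIXED_ZONES = {
    "public": '<zone><short>Public</short><service name="dhcpv6-client"/></zone>',
    "home": '<zone><short>Home</short><source address="192.168.1.0/24"/>'
            '<service name="ssh"/></zone>',
}
HOME_LAN = "192.168.1.0/24"

if __name__ == "__main__":
    for label, zones in (("weak", WEAK_ZONES), ("fixed", FIXED_ZONES)):
        print(f"== {label} ==")
        for finding in audit_ssh(zones, SAMPLE_CONF, HOME_LAN) or ["no ssh exposure found"]:
            print("  " + finding)
```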
On 2021-03-17 3:20 p.m., Andrei Borzenkov wrote:
Assuming one of the zones you mentioned is actually used (I believe the default is public) and you only allowed incoming SSH connections in this zone, you allowed them from any address, not only from your home network.
Where is "default" set? Also, it would be nice if WiFi SSID could be considered in setting zones. For example, if I use my notebook at home, I'd want to use my home zone, but public elsewhere.
On 18.03.2021 16:39, James Knott wrote:
On 2021-03-17 3:20 p.m., Andrei Borzenkov wrote:
Assuming one of the zones you mentioned is actually used (I believe the default is public) and you only allowed incoming SSH connections in this zone, you allowed them from any address, not only from your home network.
Where is "default" set?
man firewalld.conf
Also, it would be nice if WiFi SSID could be considered in setting zones.
NetworkManager can set zone per connection.
For example, if I use my notebook at home, I'd want to use my home zone, but public elsewhere.
On 3/18/21 6:50 PM, Andrei Borzenkov wrote:
On 18.03.2021 16:39, James Knott wrote:
On 2021-03-17 3:20 p.m., Andrei Borzenkov wrote:
Assuming one of the zones you mentioned is actually used (I believe the default is public) and you only allowed incoming SSH connections in this zone, you allowed them from any address, not only from your home network.
Where is "default" set?
man firewalld.conf
Also, it would be nice if WiFi SSID could be considered in setting zones.
NetworkManager can set zone per connection.
I'll look into the man page and NM, thanks, Gustav.
On 2021-03-18 1:50 p.m., Andrei Borzenkov wrote:
Also, it would be nice if WiFi SSID could be considered in setting zones.
NetworkManager can set zone per connection.
It doesn't stick. I set my home WiFi to home zone and rebooted. It was not selected when I then checked. Also, it appears there's a drop down box for selecting the zone, but there's nothing to choose from.
Is this through YaST, or through the Network-Manager GUI?
I’ve set a number of rules for networks (wired, wireless) through the YaST interface: (Networking > Firewall).
It’s not the most intuitive UI, but assigning networks based on the interface was mostly straightforward with my very-basic skill level.
I’m not sure there are per-SSID zone rules, but that would be an amazing feature as well. Best I can think of would be through the Network-Manager GUI, various settings like “Always Connect to VPN on this Network” and the like.
If you’re not root, settings don’t stick. On KDE, it’s possible there’s a pop-under requesting authentication for Network-Manager. On Gnome, I’m not sure.
On Mar 18, 2021, at 15:27, James Knott <james.knott@jknott.net> wrote:
On 2021-03-18 1:50 p.m., Andrei Borzenkov wrote:
Also, it would be nice if WiFi SSID could be considered in setting zones.
NetworkManager can set zone per connection.
It doesn't stick. I set my home WiFi to home zone and rebooted. It was not selected when I then checked. Also, it appears there's a drop down box for selecting the zone, but there's nothing to choose from.
Cameron 柯智明 只要努力,就能成功 With hard work, success is possible.
On 2021-03-18 3:40 p.m., Cameron Cumberland wrote:
Is this through YaST, or through the Network-Manager GUI?
Through the network manager gui. However, it appears the problem is the firewall is not starting, even though it's configured to start on boot. If I manually start it, I see the zone choices in the Wifi config. But then after reboot the firewall is not running again.
I’ve set a number of rules for networks (wired, wireless) through the YaST interface: (Networking > Firewall).
It’s not the most intuitive UI, but assigning networks based on the interface was mostly straightforward with my very-basic skill level.
I’m not sure there are per-SSID zone rules, but that would be an amazing feature as well. Best I can think of would be through the Network-Manager GUI, various settings like “Always Connect to VPN on this Network” and the like.
If you’re not root, settings don’t stick. On KDE, it’s possible there’s a pop-under requesting authentication for Network-Manager. On Gnome, I’m not sure.
On Mar 18, 2021, at 15:27, James Knott <james.knott@jknott.net> wrote:
On 2021-03-18 1:50 p.m., Andrei Borzenkov wrote:
Also, it would be nice if WiFi SSID could be considered in setting zones.
NetworkManager can set zone per connection.
It doesn't stick. I set my home WiFi to home zone and rebooted. It was not selected when I then checked. Also, it appears there's a drop down box for selecting the zone, but there's nothing to choose from.
If you set the zone via YaST, do changes persist across reboots? I am aware there are some difficulties between Network-Manager and YaST system (and a host of /different/ issues with Wicked), but am not incredibly well versed on the internal functions of either.
I tend to shy away from the Network-Manager GUI for configuring anything deeper than “Wifi On/Off”, as it feels buggy in my experience and is prone to interesting visual quirks.
On Mar 18, 2021, at 15:52, James Knott <james.knott@jknott.net> wrote:
On 2021-03-18 3:40 p.m., Cameron Cumberland wrote:
Is this through YaST, or through the Network-Manager GUI?
Through the network manager gui. However, it appears the problem is the firewall is not starting, even though it's configured to start on boot. If I manually start it, I see the zone choices in the Wifi config. But then after reboot the firewall is not running again.
I’ve set a number of rules for networks (wired, wireless) through the YaST interface: (Networking > Firewall).
It’s not the most intuitive UI, but assigning networks based on the interface was mostly straightforward with my very-basic skill level.
I’m not sure there are per-SSID zone rules, but that would be an amazing feature as well. Best I can think of would be through the Network-Manager GUI, various settings like “Always Connect to VPN on this Network” and the like.
If you’re not root, settings don’t stick. On KDE, it’s possible there’s a pop-under requesting authentication for Network-Manager. On Gnome, I’m not sure.
On Mar 18, 2021, at 15:27, James Knott <james.knott@jknott.net> wrote:
On 2021-03-18 1:50 p.m., Andrei Borzenkov wrote:
Also, it would be nice if WiFi SSID could be considered in setting zones.
NetworkManager can set zone per connection.
It doesn't stick. I set my home WiFi to home zone and rebooted. It was not selected when I then checked. Also, it appears there's a drop down box for selecting the zone, but there's nothing to choose from.
On 2021-03-18 4:11 p.m., Cameron Cumberland wrote:
If you set the zone via YaST, do changes persist across reboots? I am aware there are some difficulties between Network-Manager and YaST system (and a host of /different/ issues with Wicked), but am not incredibly well versed on the internal functions of either.
I tend to shy away from the Network-Manager GUI for configuring anything deeper than “Wifi On/Off”, as it feels buggy in my experience and is prone to interesting visual quirks.
At the moment, I'm focused on why the firewall isn't running. Here's what the details show:
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Docs: man:firewalld(1)
Is it possible to assign a zone to SSID in Yast?
On 18/03/2021 21.18, James Knott wrote:
At the moment, I'm focused on why the firewall isn't running.
Here's what the details show:
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Well, the procedure is the same as always with a failed service:
systemctl status firewalld.service
and follow the logs.
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-03-18 5:06 p.m., Carlos E. R. wrote:
On 18/03/2021 21.18, James Knott wrote:
At the moment, I'm focused on why the firewall isn't running.
Here's what the details show:
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Well, the procedure is the same as always with a failed service:
systemctl status firewalld.service
and follow the logs.
That tells me exactly what I posted above.
On 18/03/2021 22.28, James Knott wrote:
On 2021-03-18 5:06 p.m., Carlos E. R. wrote:
On 18/03/2021 21.18, James Knott wrote:
At the moment, I'm focused on why the firewall isn't running.
Here's what the details show:
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
Active: inactive (dead)
Well, the procedure is the same as always with a failed service:
systemctl status firewalld.service
and follow the logs.
That tells me exactly what I posted above.
And the log? -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-03-18 5:53 p.m., Carlos E. R. wrote:
That tells me exactly what I posted above.
And the log?
journalctl -b|grep iptables
Mar 19 08:52:32 E520.jknott.net kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
I have no idea what that means.
On 19/03/2021 13.55, James Knott wrote:
On 2021-03-18 5:53 p.m., Carlos E. R. wrote:
That tells me exactly what I posted above.
And the log?
journalctl -b|grep iptables
Mar 19 08:52:32 E520.jknott.net kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
I have no idea what that means.
Well, not that entry.
Try:
journalctl -b | grep -i firewalld
if nothing, remove the 'd'.
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 19/03/2021 14.03, Carlos E. R. wrote:
On 19/03/2021 13.55, James Knott wrote:
On 2021-03-18 5:53 p.m., Carlos E. R. wrote:
That tells me exactly what I posted above.
And the log?
journalctl -b|grep iptables
Mar 19 08:52:32 E520.jknott.net kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
I have no idea what that means.
Well, not that entry.
Try:
journalctl -b | grep -i firewalld
if nothing, remove the 'd'.
Just in case, did you try:
systemctl status SuSEfirewall2
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-03-19 9:03 a.m., Carlos E. R. wrote:
I have no idea what that means.
Well, not that entry.
Try:
journalctl -b | grep -i firewalld
if nothing, remove the 'd'.
SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2021-03-19 09:57:07 EDT; 24min ago
Main PID: 1493 (code=exited, status=0/SUCCESS)
Tasks: 0
CGroup: /system.slice/SuSEfirewall2.service
Mar 19 09:57:01 E520 systemd[1]: Starting SuSEfirewall2 phase 2...
Mar 19 09:57:01 E520 SuSEfirewall2[1493]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Mar 19 09:57:02 E520 SuSEfirewall2[1493]: using default zone 'ext' for interface eth0
Mar 19 09:57:02 E520 SuSEfirewall2[1493]: using default zone 'ext' for interface wlan0
Mar 19 09:57:07 E520 SuSEfirewall2[1493]: Firewall rules successfully set
Mar 19 09:57:07 E520 systemd[1]: Started SuSEfirewall2 phase 2.
E520:~ # journalctl -b | grep -i firewall
Mar 19 09:56:57 E520 systemd[1]: Starting SuSEfirewall2 phase 1...
Mar 19 09:57:00 E520 SuSEfirewall2[1173]: Firewall rules set to CLOSE.
Mar 19 09:57:00 E520 systemd[1]: Started SuSEfirewall2 phase 1.
Mar 19 09:57:01 E520 systemd[1]: Starting SuSEfirewall2 phase 2...
Mar 19 09:57:01 E520 SuSEfirewall2[1493]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Mar 19 09:57:02 E520 SuSEfirewall2[1493]: using default zone 'ext' for interface eth0
Mar 19 09:57:02 E520 SuSEfirewall2[1493]: using default zone 'ext' for interface wlan0
Mar 19 09:57:07 E520 SuSEfirewall2[1493]: Firewall rules successfully set
Mar 19 09:57:07 E520 systemd[1]: Started SuSEfirewall2 phase 2.
Mar 19 09:57:16 E520.jknott.net kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
On 19.03.2021 17:24, James Knott wrote:
On 2021-03-19 9:03 a.m., Carlos E. R. wrote:
I have no idea what that means.
Well, not that entry.
Try:
journalctl -b | grep -i firewalld
if nothing, remove the 'd'.
SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2021-03-19 09:57:07 EDT; 24min ago
SuSEfirewall2.service conflicts with firewalld.service - you cannot have two firewalls. Which one wins is hard to say, but if both are requested to be started, one request will be rejected.
On 2021-03-19 1:00 p.m., Andrei Borzenkov wrote:
SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2021-03-19 09:57:07 EDT; 24min ago
SuSEfirewall2.service conflicts with firewalld.service - you cannot have two firewalls. Which one wins is hard to say, but if both are requested to be started, one request will be rejected.
How did I wind up with that? This 15.2 system was an update from previous. I have disabled susefirewall in the services manager and all appears OK now. I guess I can uninstall susefirewall2 now.
On 19/03/2021 18.21, James Knott wrote:
On 2021-03-19 1:00 p.m., Andrei Borzenkov wrote:
SuSEfirewall2.service - SuSEfirewall2 phase 2
Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled; vendor preset: disabled)
Active: active (exited) since Fri 2021-03-19 09:57:07 EDT; 24min ago
SuSEfirewall2.service conflicts with firewalld.service - you cannot have two firewalls. Which one wins is hard to say, but if both are requested to be started, one request will be rejected.
How did I wind up with that? This 15.2 system was an update from previous.
The previous default was SuSEfirewall2. A new installation of 15.0 should have firewalld only.
I have disabled susefirewall in the services manager and all appears OK now. I guess I can uninstall susefirewall2 now.
Good :-) -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-03-19 2:42 p.m., Carlos E. R. wrote:
I have disabled susefirewall in the services manager and all appears OK now. I guess I can uninstall susefirewall2 now.
Good :-)
What would be nice now is for the Ethernet connections to recognize location and switch zones.
On 19.03.2021 at 19:47, James Knott wrote:
On 2021-03-19 2:42 p.m., Carlos E. R. wrote:
I have disabled susefirewall in the services manager and all appears OK now. I guess I can uninstall susefirewall2 now.
Good :-)
What would be nice now is for the Ethernet connections to recognize location and switch zones.
NetworkManager is your friend - there's a folder /etc/NetworkManager/dispatcher.d which holds any number of scripts that get executed in alphabetical order every time a connection goes up or down.

One way to "recognize locations" would be to get the address of the default gateway from the routing table, then get the MAC address for that IP address - MAC addresses are supposed to be unique.

My laptop recognizes my home network that way, and enables and disables a few odds and ends that I don't need at home, and enables and disables some odds and ends that I don't need elsewhere - not just firewall zones:
- nis
- autofs
- 2 factor authorization for logins
- vpn
- tor

Cheers
MH
-- 
Mathias Homann
Mathias.Homann@openSUSE.org
Jabber (XMPP): lemmy@tuxonline.tech
IRC: [Lemmy] on freenode and ircnet (bouncer active)
telegram: https://telegram.me/lemmy98
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
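The approach described above (default gateway from the routing table, then the gateway's MAC, then a firewalld zone), written out as an added example dispatcher script. This is not Mathias's script from the paste; the file name, the placeholder HOME_GW_MAC and the zone names "home" and "public" are assumptions, and the parsing is split into small functions so it can be tested against constructed `ip` output without a live network:

```sh
#!/bin/sh
# Added example of a NetworkManager dispatcher script (not the script from the thread).
# Install as /etc/NetworkManager/dispatcher.d/zz-amihome.sh, mode 0755, owned by root.
# NetworkManager calls it as: <script> <interface> <action>
#
# HOME_GW_MAC is a constructed placeholder: put your own router's MAC here.
HOME_GW_MAC="aa:bb:cc:dd:ee:ff"

# Read `ip -4 route show default` output on stdin and print the gateway IP
# (first default route only; prints nothing when there is none).
gateway_from_route() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Read `ip neigh show <ip>` output on stdin and print the neighbour's MAC in
# lower case (prints nothing if the entry is missing or still INCOMPLETE/FAILED).
mac_from_neigh() {
    awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") { print tolower($(i + 1)); exit } }'
}

# Map the learned gateway MAC to a firewalld zone. Anything that is not an
# exact match for the home router, including an empty MAC, gets "public":
# an unrecognized network must fail towards the stricter zone.
zone_for_mac() {
    home=$(printf '%s' "$HOME_GW_MAC" | tr 'A-Z' 'a-z')
    if [ -n "$1" ] && [ "$1" = "$home" ]; then
        echo home
    else
        echo public
    fi
}

# Live path, only reached when NetworkManager passes "<iface> up".
dispatch() {
    iface=$1
    action=$2
    [ "$action" = "up" ] || return 0
    gw=$(ip -4 route show default dev "$iface" | gateway_from_route)
    [ -n "$gw" ] || return 0
    # A freshly raised link may have no ARP entry for the gateway yet; one probe fills it.
    ping -c 1 -W 1 "$gw" >/dev/null 2>&1
    mac=$(ip neigh show "$gw" dev "$iface" | mac_from_neigh)
    zone=$(zone_for_mac "$mac")
    logger -t amihome "iface=$iface gw=$gw mac=${mac:-unknown} zone=$zone"
    # Runtime zone change for this interface; re-evaluated on every "up".
    firewall-cmd --zone="$zone" --change-interface="$iface" >/dev/null
}

# Run the live path only when called with arguments (i.e. by NetworkManager).
[ $# -eq 0 ] || dispatch "$@"
```

The gateway MAC is a convenience signal for picking a zone, not an authentication of the network: a MAC is easily cloned, so the "home" zone should still only open what you would open on any LAN you share with other devices (ssh here, per the original question, and nothing that lacks its own authentication). The `logger` line leaves an audit trail in the journal of every zone decision, which is the first thing to read when a laptop ends up in the wrong zone. If NetworkManager is configured to manage firewalld zones itself (the `connection.zone` setting on a profile), that setting wins over a runtime `firewall-cmd` change on the next reconnect, so either leave `connection.zone` unset for roaming connections or have the script modify the profile instead.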
On 2021-03-19 3:39 p.m., Mathias Homann wrote:
What would be nice now is for the Ethernet connections to recognize location and switch zones.
NetworkManager is your friend - there's a folder /etc/NetworkManager/dispatcher.d which holds any number of scripts that get executed in alphabetical order every time a connection goes up or down.
One way to "recognize locations" would be to get the address of the default gateway from the routing table, then get the MAC address for that IP address - MAC addresses are supposed to be unique.
My laptop recognizes my home network that way, and enables and disables a few odds and ends that I don't need at home, and enables and disables some odds and ends that I don't need elsewhere - not just firewall zones:
I'll have to look into that. tnx
On Friday, 19 March 2021, 20:45:36 CET, James Knott wrote:
On 2021-03-19 3:39 p.m., Mathias Homann wrote:
What would be nice now is for the Ethernet connections to recognize location and switch zones.
NetworkManager is your friend - there's a folder /etc/NetworkManager/dispatcher.d which holds any number of scripts that get executed in alphabetical order every time a connection goes up or down.
One way to "recognize locations" would be to get the address of the default gateway from the routing table, then get the MAC address for that IP address - MAC addresses are supposed to be unique.
My laptop recognizes my home network that way, and enables and disables a few odds and ends that I don't need at home, and enables and disables some odds and ends that I don't need elsewhere - not just firewall zones:
I'll have to look into that.
The script I have is here: https://susepaste.org/62099200

I have it stored as /etc/NetworkManager/dispatcher.d/zz-amihome.sh to make sure it gets executed after everything else.

The lines that are interesting for you are 10, 11 and 12. Everything else just actually starts and stops stuff.

Cheers
Mathias
the script I have is here: https://susepaste.org/62099200
and on https://susepaste.org/71899827 is a susepaste that does not expire after 60 minutes :facepalm:

Cheers
MH
On 2021-03-19 5:54 p.m., Mathias Homann wrote:
some odds and ends that I don't need elsewhere - not just firewall zones:
I'll have to look into that.
The script I have is here: https://susepaste.org/62099200
I have it stored as /etc/NetworkManager/dispatcher.d/zz-amihome.sh to make sure it gets executed after everything else.
The lines that are interesting for you are 10, 11 and 12.
Everything else just actually starts and stops stuff.
Cheers Mathias
tnx
On Wednesday, 17 March 2021, 19:42:52 CET, Gustav Degreef wrote:
Hello,
I read with great interest the entire recent thread "Possible malware?" and tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running openSUSE 15.x (and 2 Android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers to fix various issues.
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do? Thanks, Gustav.
Here's a thing I wrote some time ago: https://www.tuxonline.tech/index.php/an-introduction-to-firewalld/

Cheers
MH
On 3/17/21 8:43 PM, Mathias Homann wrote:
On Wednesday, 17 March 2021, 19:42:52 CET, Gustav Degreef wrote:
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do? Thanks, Gustav.
Here's a thing I wrote some time ago: https://www.tuxonline.tech/index.php/an-introduction-to-firewalld/
Cheers MH
Thanks, I'll study it, Gustav
On Wednesday, 17 March 2021, 20:57:03 CET, Gustav Degreef wrote:
On 3/17/21 8:43 PM, Mathias Homann wrote:
On Wednesday, 17 March 2021, 19:42:52 CET, Gustav Degreef wrote:
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do? Thanks, Gustav.
Here's a thing I wrote some time ago: https://www.tuxonline.tech/index.php/an-introduction-to-firewalld/
The "next page" link at the end is broken right now, but there's a working link in the menu at the top.

Cheers
MH
On 3/17/21 9:32 PM, Mathias Homann wrote:
On 3/17/21 8:43 PM, Mathias Homann wrote:
On Wednesday, 17 March 2021, 19:42:52 CET, Gustav Degreef wrote:
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do? Thanks, Gustav.
Here's a thing I wrote some time ago: https://www.tuxonline.tech/index.php/an-introduction-to-firewalld/
On Wednesday, 17 March 2021, 20:57:03 CET, Gustav Degreef wrote:
The "next page" link at the end is broken right now, but there's a working link in the menu at the top.
Thanks a lot. I will certainly look at it more and try to understand the networking better. However, as a home user, much of this is well above my knowledge grade. I only run desktop, no servers. Gustav
On 3/17/21 1:42 PM, Gustav Degreef wrote:
Hello,
I read with great interest the entire recent thread "Possible malware?" and tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running openSUSE 15.x (and 2 Android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers to fix various issues.
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
I read quite a few articles on the firewall configuration, but I am not sure that I set it right. Is there anything else I should do? Thanks, Gustav.
Gustav,

I've always liked iptables and managing the rules directly. For example, here is a reasonably helpful page.

https://www.digitalocean.com/community/tutorials/iptables-essentials-common-...

The reason I prefer managing the rules directly is that it eliminates the question of whether the front-end you are using is actually doing what you think you are telling it to do.

I always found it took about equal time to either look up how to do something in iptables directly or to mess with a firewall front-end and figure out what it thinks a zone is and if this zone is really being applied in the way I think it is.

Don't get me wrong, I'm not against front-ends and openSUSE has done a good job with firewalld (shorewall before that, etc...), but if you use more than one distribution, you may have to learn multiple front-ends.

The documentation for firewalld is reasonably good:

https://firewalld.org/documentation/

Those are the basic pros/cons as I see them. Whichever you use, it just takes time (like anything else) to wade through the documentation and examples to the point where you are comfortable with what it is doing and how to configure it for your needs.

-- 
David C. Rankin, J.D., P.E.
On 2021-03-19 at 23:09 -0500, David C. Rankin wrote:
...
Gustav,
I've always liked iptables and managing the rules directly. For example, here is a reasonably helpful page.
https://www.digitalocean.com/community/tutorials/iptables-essentials-common-...
The reason I prefer managing the rules directly is that it eliminates the question of whether the front-end you are using is actually doing what you think you are telling it to do.
I always found it took about equal time to either look up how to do something in iptables directly or to mess with a firewall front-end and figure out what it thinks a zone is and if this zone is really being applied in the way I think it is.
Don't get me wrong, I'm not against front-ends and openSUSE has done a good job with firewalld (shorewall before that, etc...), but if you use more than one distribution, you may have to learn multiple front-ends.
What openSUSE did was use the in-house SuSEfirewall2, not firewalld nor shorewall ;-)
The documentation for firewalld is reasonably good:
https://firewalld.org/documentation/
Those are the basic pros/cons as I see them. Whichever you use, it just takes time (like anything else) to wade through the documentation and examples to the point where you are comfortable with what it is doing and how to configure it for your needs.
If you like using iptables, you should consider using nftables instead. I'm told it is easier to use and more powerful. And modern.

-- 
Cheers,
Carlos E. R.
(from openSUSE 15.2 x86_64 at Telcontar)
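What "managing the rules directly" with nftables looks like for the original question (ssh reachable only from the home LAN), as an added example that is not from any poster in the thread. The LAN prefix 192.168.1.0/24 is a constructed placeholder; the script only generates the ruleset text unless invoked with `apply`, and it belongs on a host where firewalld (and SuSEfirewall2) are disabled, since two firewalls fighting over the same hooks is exactly the situation diagnosed earlier in the thread:

```sh
#!/bin/sh
# Added example: an nftables ruleset that accepts SSH only from the home LAN.
# LAN_PREFIX is a constructed placeholder; override it for your own network.
LAN_PREFIX="${LAN_PREFIX:-192.168.1.0/24}"

# Print the ruleset for a given LAN prefix. Pure text output, nothing is applied.
ssh_lan_only_ruleset() {
    lan=$1
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        ip saddr $lan tcp dport 22 accept
        tcp dport 22 log prefix "ssh-drop " counter drop
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
}

# Apply only on explicit request, and only after nft has parsed the file
# without errors (-c), so a typo cannot leave the host half-configured.
if [ "${1:-}" = "apply" ]; then
    tmp=$(mktemp)
    ssh_lan_only_ruleset "$LAN_PREFIX" > "$tmp"
    nft -c -f "$tmp" && nft -f "$tmp"
    rm -f "$tmp"
fi
```

Two points a reader checking this against firewalld's zone model should notice: the default `policy drop` on `input` plays the role of the "external"/"public" zone, and the single `ip saddr ... tcp dport 22 accept` line is the whole of the "home" zone's ssh permission. The explicit `tcp dport 22 log prefix ... counter drop` after it is redundant for filtering (the chain policy would drop anyway) but gives you a counter and a kernel log line for every ssh attempt from outside the LAN, which is the evidence the original "Possible malware?" thread was looking for. Save the generated text to /etc/nftables.conf (or the distribution's equivalent) if you want it reloaded at boot.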
On 2021-03-20 6:11 a.m., Carlos E. R. wrote:
Those are the basic pros/cons I see it. Whichever you use, it just takes time (like anything else) to wade though the documentation and examples to the point where you are comfortable with what it is doing and how to configure it for your needs.
If you like using iptables, you should consider using nftables instead. I'm told it is easier to use and more powerful. And modern.
I also used to use IPTables. However, I moved to pfsense, because my Linux firewall couldn't handle DHCPv6-PD, which is needed for assigning an IPv6 prefix to a LAN. Pfsense does that well. It's built on FreeBSD, which uses packet filter.
On 3/20/21 11:11 AM, Carlos E. R. wrote:
On 2021-03-19 at 23:09 -0500, David C. Rankin wrote:
...
Gustav,
I've always liked iptables and managing the rules directly. For example, here is a reasonably helpful page.
https://www.digitalocean.com/community/tutorials/iptables-essentials-common-...
The reason I prefer managing the rules directly is that it eliminates the question of whether the front-end you are using is actually doing what you think you are telling it to do.
I always found it took about equal time to either look up how to do something in iptables directly or to mess with a firewall front-end and figure out what it thinks a zone is and if this zone is really being applied in the way I think it is.
Don't get me wrong, I'm not against front-ends and openSUSE has done a good job with firewalld (shorewall before that, etc...), but if you use more than one distribution, you may have to learn multiple front-ends.
What openSUSE did was use the in-house SuSEfirewall2, not firewalld nor shorewall ;-)
The documentation for firewalld is reasonably good:
Those are the basic pros/cons as I see them. Whichever you use, it just takes time (like anything else) to wade through the documentation and examples to the point where you are comfortable with what it is doing and how to configure it for your needs.
If you like using iptables, you should consider using nftables instead. I'm told it is easier to use and more powerful. And modern.
-- Cheers, Carlos E. R. (from openSUSE 15.2 x86_64 at Telcontar)
Thank you David and Carlos and all those that replied earlier. Sorry for the late reply, got pulled away by some personal things. Once I understood that I had to make sure my router was blocking incoming ssh, then the firewall became a lower priority. But the recommendation to learn iptables or nftables sounds really good. As you say, reading the documentation and getting comfortable with it is really the key - and for Linux in general also. Best regards, Gustav.
participants (7)
- Andrei Borzenkov
- Cameron Cumberland
- Carlos E. R.
- David C. Rankin
- Gustav Degreef
- James Knott
- Mathias Homann