[opensuse] firewalld vs Shorewall?
Hi Folks, I've finally started to move 42.3 systems to Leap 15 and have run into some issues with firewalld. The basic install works okay on this dual-stack v4/v6 network, but when I try to configure two interfaces (exterior/interior) I lose my v6 address assignment. Stopping the firewall allows dhcpv6 to work, starting the firewall breaks it again. I've explicitly tried to enable the dhcpv6 service, and to enable logging for troubleshooting, all to no avail. The GUI interface is confusing at best, and I've got direct experience with ipchains and iptables, so I didn't just fall off of the turnip truck. Does anyone have experience with Shorewall as a replacement for firewalld? I'm tempted to try it before I get too far into the weeds with firewalld. Any suggestions? Regards, Lew -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Friday, 22 February 2019, 02:44:44 CET, Lew Wolfgang wrote:
Hi Folks,
I've finally started to move 42.3 systems to Leap 15 and have run into some issues with firewalld. The basic install works okay on this dual-stack v4/v6 network, but when I try to configure two interfaces (exterior/interior) I lose my v6 address assignment. Stopping the firewall allows dhcpv6 to work, starting the firewall breaks it again. I've explicitly tried to enable the dhcpv6 service,
for IPv6 you have to enable the DHCP *CLIENT* as well, since it operates on multicast and needs an open port. Maybe that's your problem? Cheers MH
On 02/22/2019 01:04 AM, Mathias Homann wrote:
for IPv6 you have to enable the DHCP *CLIENT* as well, since it operates on multicast and needs an open port.
Actually, DHCPv6-PD, not just DHCPv6. There's a difference in that the "PD" (prefix delegation) is how the local network is assigned its prefix.
On 2/21/19 10:04 PM, Mathias Homann wrote:
On Friday, 22 February 2019, 02:44:44 CET, Lew Wolfgang wrote:
Hi Folks,
I've finally started to move 42.3 systems to Leap 15 and have run into some issues with firewalld. The basic install works okay on this dual-stack v4/v6 network, but when I try to configure two interfaces (exterior/interior) I lose my v6 address assignment. Stopping the firewall allows dhcpv6 to work, starting the firewall breaks it again. I've explicitly tried to enable the dhcpv6 service,
for IPv6 you have to enable the DHCP *CLIENT* as well, since it operates on multicast and needs an open port.
Maybe that's your problem?
I finally got back to this. I confirmed with the GUI that firewalld is allowing DHCPv6-client and DHCPv6, but still no luck. Again, v6 works when the firewall isn't running, as confirmed with iptables -L. The GUI is not user-friendly and behaved inconsistently when I attempted to configure the two interfaces as external and internal, without NAT. So I uninstalled firewalld with zypper and locked it out. I then loaded susefirewall2 and copied over my old SuSEfirewall2 script. It works like a charm. This will do for now, I need to get this host to its user. If I can find the time I'll try 15.1 on a different host and see if things got any better for me with firewalld. If it doesn't I'll file a bug report. Shorewall may still be an option, it looks to be simpler and is configured by script. Regards, Lew
On 26/02/2019 02.55, Lew Wolfgang wrote:
On 2/21/19 10:04 PM, Mathias Homann wrote:
...
So I uninstalled firewalld with zypper and locked it out. I then loaded susefirewall2 and copied over my old SuSEfirewall2 script. It works like a charm. This will do for now, I need to get this host to its user.
Did you try the migration script? Perhaps it would generate a working firewalld config from SuSEfirewall2 -- Cheers / Saludos, Carlos E. R. (from 15.0 x86_64 at Telcontar)
On 02/26/2019 01:28 AM, Carlos E. R. wrote:
On 26/02/2019 02.55, Lew Wolfgang wrote:
On 2/21/19 10:04 PM, Mathias Homann wrote: ...
So I uninstalled firewalld with zypper and locked it out. I then loaded susefirewall2 and copied over my old SuSEfirewall2 script. It works like a charm. This will do for now, I need to get this host to its user. Did you try the migration script? Perhaps it would generate a working firewalld config from SuSEfirewall2
I thought about that, Carlos, but didn't. I was so disappointed with the yast firewalld GUI I gave up. The old SuSEfirewall2 GUI was really good, it was intuitive and I could easily do what was needed. But the firewalld GUI reminded me of why I don't like RedHat and stopped using it decades ago. I'll get back to it when I can find the time, hopefully 15.1 is a bit better for me. BTW, one good feature of the old SuSEfirewall2 GUI was that it created an ascii configuration file that was well commented and easy to modify. Does firewalld have such a file? There must be one somewhere... Regards, Lew
On 26/02/2019 18.09, Lew Wolfgang wrote:
On 02/26/2019 01:28 AM, Carlos E. R. wrote:
On 26/02/2019 02.55, Lew Wolfgang wrote:
On 2/21/19 10:04 PM, Mathias Homann wrote: ...
So I uninstalled firewalld with zypper and locked it out. I then loaded susefirewall2 and copied over my old SuSEfirewall2 script. It works like a charm. This will do for now, I need to get this host to its user. Did you try the migration script? Perhaps it would generate a working firewalld config from SuSEfirewall2
I thought about that, Carlos, but didn't. I was so disappointed with the yast firewalld GUI I gave up. The old SuSEfirewall2 GUI was really good, it was intuitive and I could easily do what was needed. But the firewalld GUI reminded me of why I don't like RedHat and stopped using it decades ago. I'll get back to it when I can find the time, hopefully 15.1 is a bit better for me.
I'm still using SuSEfirewall2 on three 15.0 machines, till I find the optimistic mood to try the migration. I only use firewalld on a machine that was born on 15.0.
BTW, one good feature of the old SuSEfirewall2 GUI was that it created an ascii configuration file that was well commented and easy to modify. Does firewalld have such a file? There must be one somewhere...
Probably. I think it has a CLI interface. I see "/etc/sysconfig/firewalld" and directory /etc/firewalld, and in it there is file /etc/firewalld/firewalld.conf with comments.
Yes there were certainly a number of systems that wrapped Shorewall into a very nice application for a dedicated box. I was never enamoured with the idea of 'personal firewall' on each machine, since I'm a bit old school and agreed that the 'firewall as the networks response to poor host security', the quote some guru or other. But that was then, this is now; many individuals at their workstations are either idiot or had a passing bout of idiocy that opened them to an attack. They too need to be either isolated or given a 'personal firewall'. Then, too, there are the 'single machines on the net', users. So now I think differently. Professionally. But here I have a number of layers before getting to my host, and a lot of my processing isn't done on my host. Have you looked at https://software.opensuse.org/package/gufw -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 27/02/2019 12.12, Anton Aylward wrote:
Yes there were certainly a number of systems that wrapped Shorewall into a very nice application for a dedicated box. I was never enamoured with the idea of 'personal firewall' on each machine, since I'm a bit old school and agreed that the 'firewall as the networks response to poor host security', the quote some guru or other.
But that was then, this is now; many individuals at their workstations are either idiot or had a passing bout of idiocy that opened them to an attack. They too need to be either isolated or given a 'personal firewall'.
Then, too, there are the 'single machines on the net', users.
So now I think differently. Professionally. But here I have a number of layers before getting to my host, and a lot of my processing isn't done on my host.
Remember that in a today's house there are a lot of gadgets with Internet connectivity that we don't control fully. Say, the fridge.
Have you looked at https://software.opensuse.org/package/gufw
My setup is not simple. My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
On 2019-02-27 6:19 a.m., Carlos E. R. wrote:
Remember that in a today's house there are a lot of gadgets with Internet connectivity that we don't control fully. Say, the fridge.
I'm not forgetting. EVERYTHING including my wifi is behind a firewall here. You'll have to ask James if his large number of directly addressable IPv6 addresses are all behind a firewall and what capability the firewall has.
Have you looked at https://software.opensuse.org/package/gufw
My setup is not simple.
I'll grant you that GUFW has a LOT of preconfigured simplistic and game-oriented packages to invoke but there is a way to do a more traditional port by port GUI setup reminiscent of the "Big Vendor" style listings. It is a setup that it /calls/ 'complex mode'. I think it can deal with the complexity and specifics P-T-P that you require. Remember that these front ends, like them or not, and indeed Shorewall and IPCop, were/are front-ends for IPTables. I recall with Shorewall and IPCop looking 'under the hood' at what the table rules were that they generated, algorithmically, and being amazed.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
I get a very strong feeling that firewalld is a regression.
* Anton Aylward <opensuse@antonaylward.com> [02-27-19 06:49]:
On 2019-02-27 6:19 a.m., Carlos E. R. wrote:
Remember that in a today's house there are a lot of gadgets with Internet connectivity that we don't control fully. Say, the fridge.
I'm not forgetting. EVERYTHING including my wifi is behind a firewall here. You'll have to ask James if his large number of directly addressable IPv6 addresses are all behind a firewall and what capability the firewall has.
Have you looked at https://software.opensuse.org/package/gufw
My setup is not simple.
I'll grant you that GUFW has a LOT of preconfigured simplistic and game-oriented packages to invoke but there is a way to do a more traditional port by port GUI setup reminiscent of the "Big Vendor" style listings. It is a setup that it /calls/ 'complex mode'. I think it can deal with the complexity and specifics P-T-P that you require.
Remember that these front ends, like them or not, and indeed Shorewall and IPCop, were/are front-ends for IPTables. I recall with Shorewall and IPCop looking 'under the hood' at what the table rules were that they generated, algorithmically, and being amazed.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
I get a very strong feeling that firewalld is a regression.
yes, new things usually confound old f..ts -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 2019-02-27 06:46, Anton Aylward wrote:
I'm not forgetting. EVERYTHING including my wifi is behind a firewall here. You'll have to ask James if his large number of directly addressable IPv6 addresses are all behind a firewall and what capability the firewall has.
Yes, everything is behind a pfSense firewall, which is quite flexible. One nice thing is the ability to set rules independently for IPv4 and IPv6 or one rule for both.
* James Knott <james.knott@jknott.net> [02-27-19 10:00]:
On 2019-02-27 06:46, Anton Aylward wrote:
I'm not forgetting. EVERYTHING including my wifi is behind a firewall here. You'll have to ask James if his large number of directly addressable IPv6 addresses are all behind a firewall and what capability the firewall has.
Yes, everything is behind a pfSense firewall, which is quite flexible. One nice thing is the ability to set rules independently for IPv4 and IPv6 or one rule for both.
and appears firewalld can also, example: firewall-cmd --add-rich-rule='rule family="ipv4" priority=32767 source address="10.1.1.0/24" reject' from: https://firewalld.org/blog/
On 2019-02-27 10:35, Patrick Shanahan wrote:
Yes, everything is behind a pfSense firewall, which is quite flexible.
One nice thing is the ability to set rules independently for IPv4 and IPv6 or one rule for both. and appears firewalld can also, example: firewall-cmd --add-rich-rule='rule family="ipv4" priority=32767 source address="10.1.1.0/24" reject'
That's writing IPtables rules directly. With pfSense, it's done in the graphical interface. Also, you'd require an IPv6 address for that command to work with it.
* Carlos E. R. <robin.listas@telefonica.net> [02-27-19 06:22]:
On 27/02/2019 12.12, Anton Aylward wrote:
Yes there were certainly a number of systems that wrapped Shorewall into a very nice application for a dedicated box. I was never enamoured with the idea of 'personal firewall' on each machine, since I'm a bit old school and agreed that the 'firewall as the networks response to poor host security', the quote some guru or other.
But that was then, this is now; many individuals at their workstations are either idiot or had a passing bout of idiocy that opened them to an attack. They too need to be either isolated or given a 'personal firewall'.
Then, too, there are the 'single machines on the net', users.
So not I think differently. Professionally. But here I have a number of layers before getting to my host, and a lot of my processing isn't done on my host.
Remember that in a today's house there are a lot of gadgets with Internet connectivity that we don't control fully. Say, the fridge.
Have you looked at https://software.opensuse.org/package/gufw
My setup is not simple.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
firewall-cmd --list-all-zones
firewall-cmd --zone=public --add-port=12345/tcp --permanent
firewall-cmd --zone=public --remove-port=12345/tcp --permanent
https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-... https://firewalld.org/documentation/
On 27/02/2019 14.36, Patrick Shanahan wrote:
* Carlos E. R. <> [02-27-19 06:22]:
My setup is not simple.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
firewall-cmd --list-all-zones
firewall-cmd --zone=public --add-port=12345/tcp --permanent firewall-cmd --zone=public --remove-port=12345/tcp --permanent
That's not it.
On Wed, 27 Feb 2019 14:38:24 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 27/02/2019 14.36, Patrick Shanahan wrote:
* Carlos E. R. <> [02-27-19 06:22]:
My setup is not simple.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
firewall-cmd --list-all-zones
firewall-cmd --zone=public --add-port=12345/tcp --permanent firewall-cmd --zone=public --remove-port=12345/tcp --permanent
That's not it.
That's not a very constructive/useful/helpful/polite reply. In what way is it not it?
On 27/02/2019 14.44, Dave Howorth wrote:
On Wed, 27 Feb 2019 14:38:24 +0100 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 27/02/2019 14.36, Patrick Shanahan wrote:
* Carlos E. R. <> [02-27-19 06:22]:
My setup is not simple.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
firewall-cmd --list-all-zones
firewall-cmd --zone=public --add-port=12345/tcp --permanent firewall-cmd --zone=public --remove-port=12345/tcp --permanent
That's not it.
That's not a very constructive/useful/helpful/polite reply. In what way is it not it?
I said: "opens certain ports to only certain IPs" so whatever command would have to be: whatever --port=1234/tcp --ip=192.168.1.5 And obviously what I have looked at is the GUI, not the CLI. The CLI is the last recourse. In time, I'll look.
* Patrick Shanahan <paka@opensuse.org> [02-27-19 08:38]:
* Carlos E. R. <robin.listas@telefonica.net> [02-27-19 06:22]:
On 27/02/2019 12.12, Anton Aylward wrote:
Yes there were certainly a number of systems that wrapped Shorewall into a very nice application for a dedicated box. I was never enamoured with the idea of 'personal firewall' on each machine, since I'm a bit old school and agreed that the 'firewall as the networks response to poor host security', the quote some guru or other.
But that was then, this is now; many individuals at their workstations are either idiot or had a passing bout of idiocy that opened them to an attack. They too need to be either isolated or given a 'personal firewall'.
Then, too, there are the 'single machines on the net', users.
So not I think differently. Professionally. But here I have a number of layers before getting to my host, and a lot of my processing isn't done on my host.
Remember that in a today's house there are a lot of gadgets with Internet connectivity that we don't control fully. Say, the fridge.
Have you looked at https://software.opensuse.org/package/gufw
My setup is not simple.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
firewall-cmd --list-all-zones
firewall-cmd --zone=public --add-port=12345/tcp --permanent firewall-cmd --zone=public --remove-port=12345/tcp --permanent
https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-... https://firewalld.org/documentation/
perhaps you need to look further (cmds are single lines):

Deny IPv4 traffic over TCP from host 192.168.1.10 to port 22.
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'

Allow IPv4 traffic over TCP from host 10.1.0.3 to port 80, and forward it locally to port 6532.
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'

Forward all IPv4 traffic on port 80 to port 8080 on host 172.31.4.2 (masquerade should be active on the zone).
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'
On 27/02/2019 14.44, Patrick Shanahan wrote:
* Patrick Shanahan <> [02-27-19 08:38]:
* Carlos E. R. <> [02-27-19 06:22]:
...
My setup is not simple.
My desktop firewall opens certain ports to only certain IPs, so that a visitor would not get automatic access. I don't see that feature in firewalld.
firewall-cmd --list-all-zones
firewall-cmd --zone=public --add-port=12345/tcp --permanent firewall-cmd --zone=public --remove-port=12345/tcp --permanent
https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-... https://firewalld.org/documentation/
perhaps you need to look further (cmds are single lines):
Deny IPv4 traffic over TCP from host 192.168.1.10 to port 22.
firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
Yes, this is it - but in allow mode :-) Thanks for the find :-)
Allow IPv4 traffic over TCP from host 10.1.0.3 to port 80, and forward it locally to port 6532.
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'
Forward all IPv4 traffic on port 80 to port 8080 on host 172.31.4.2 (masquerade should be active on the zone).
firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'
So, rich rules...
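Two things in this thread lend themselves to a check rather than more reading: Mathias's point that a DHCPv6 lease only survives the firewall if the dhcpv6-client service is allowed in the zone that actually holds the interface (easy to miss once there are two zones, one per interface), and Carlos's "only certain IPs" requirement, which Patrick's rich rules cover but which silently stops working if the same port is also opened zone-wide with --add-port. The script below is an added example for this page, not firewalld or openSUSE code. It parses the text of `firewall-cmd --list-all-zones` (assuming the key/value layout firewalld 0.5/0.6 prints, with rich rules on tab-indented lines), reports interface-bearing zones without dhcpv6-client, reports source-restricted accept rules whose port the zone lists under `ports:` anyway, and builds the allow-mode rich rule Carlos asked for. The zone dump it runs on is constructed, not captured from a real host; the description of the shipped dhcpv6-client service (udp/546 to fe80::/64) is from the service definition as I know it.

```python
"""Audit a `firewall-cmd --list-all-zones` dump for two things from this thread:
an interface-bearing zone without the dhcpv6-client service (Lew's lost v6
lease) and a source-restricted rich rule whose port the zone already opens to
everyone (Carlos's "only certain IPs" case). Added example, not firewalld or
openSUSE code; assumes the key/value layout of firewalld 0.5/0.6 output."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a real capture; fields the audit ignores are left out.
# eth0 is the exterior interface, eth1 the interior. Two planted findings: the
# external zone lacks dhcpv6-client, and internal opens 1234/tcp zone-wide while
# a rich rule also allows it for one host only.
SAMPLE = """\
external (active)
  interfaces: eth0
  services: ssh
  ports:
  rich rules:

internal (active)
  interfaces: eth1
  services: ssh mdns dhcpv6-client
  ports: 1234/tcp
  rich rules:
\trule family="ipv4" source address="192.168.1.5" port port="1234" protocol="tcp" accept
\trule family="ipv6" source address="2001:db8::5" port port="5432" protocol="tcp" accept

public
  interfaces:
  services: ssh dhcpv6-client
  ports:
  rich rules:
"""

# firewalld's shipped dhcpv6-client service allows udp/546 to fe80::/64, i.e.
# the link-local reply a DHCPv6 client has to be able to receive.
DHCPV6_CLIENT = "dhcpv6-client"

RICH_RE = re.compile(
    r'rule family="?(?P<family>ipv[46])"?'
    r'(?:\s+source address="?(?P<src>[^"\s]+)"?)?'
    r'.*?port port="?(?P<port>\d+(?:-\d+)?)"?\s+protocol="?(?P<proto>tcp|udp|sctp|dccp)"?'
    r'.*?\s(?P<action>accept|reject|drop)\b')


def parse_zones(dump: str) -> Dict[str, dict]:
    """Turn the dump into {zone: {active, interfaces, services, ports, rich_rules}}."""
    zones: Dict[str, dict] = {}
    zone: Optional[dict] = None
    for raw in dump.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # "name" or "name (active)"
            zone = zones[raw.split()[0]] = {"active": "(active)" in raw,
                                            "interfaces": [], "services": [],
                                            "ports": [], "rich_rules": []}
        elif raw.startswith("\t") and zone:      # rich rules are tab-indented
            zone["rich_rules"].append(raw.strip())
        elif zone:
            key, _, value = raw.strip().partition(":")
            if key in ("interfaces", "services", "ports"):
                zone[key] = value.split()
    return zones


def parse_rich_rule(rule: str) -> Optional[dict]:
    """family/src/port/proto/action of a port rule; None for other rule kinds."""
    m = RICH_RE.match(rule)
    return m.groupdict() if m else None


def allow_from_host(family: str, source: str, port: int, proto: str = "tcp") -> str:
    """Rule opening one port to one address only, in the form firewall-cmd
    --add-rich-rule expects (add --permanent and then --reload to keep it)."""
    return (f'rule family="{family}" source address="{source}" '
            f'port port="{port}" protocol="{proto}" accept')


def zones_missing_dhcpv6_client(zones: Dict[str, dict]) -> List[str]:
    """Zones holding an interface but not allowing dhcpv6-client. Every zone whose
    interface expects a DHCPv6 lease needs it (SLAAC-only hosts do not)."""
    return sorted(n for n, z in zones.items()
                  if z["interfaces"] and DHCPV6_CLIENT not in z["services"])


def ineffective_source_restrictions(zones: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Source-restricted accept rules whose port the zone also lists under `ports:`.
    That zone-wide entry accepts from any source, so the rich rule restricts
    nothing; remove the port from `ports:` to keep the per-host allow."""
    found = []
    for name, z in zones.items():
        for r in filter(None, map(parse_rich_rule, z["rich_rules"])):
            spec = f'{r["port"]}/{r["proto"]}'
            if r["src"] and r["action"] == "accept" and spec in z["ports"]:
                found.append((name, spec))
    return sorted(found)


if __name__ == "__main__":
    zones = parse_zones(SAMPLE)
    print("missing dhcpv6-client:", zones_missing_dhcpv6_client(zones))
    print("ineffective restrictions:", ineffective_source_restrictions(zones))
    print(allow_from_host("ipv4", "192.168.1.5", 1234))
```

On a live host, replace SAMPLE with the output of `firewall-cmd --list-all-zones` (run as root). The second check is the one worth remembering: a rich rule with a source address only restricts anything if no zone-wide port, service or target already accepts the same traffic, so after adding the per-host rule, take the port out of `ports:` and out of any service that opens it.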
On 02/27/2019 03:12 AM, Anton Aylward wrote:
Yes there were certainly a number of systems that wrapped Shorewall into a very nice application for a dedicated box. I was never enamoured with the idea of 'personal firewall' on each machine, since I'm a bit old school and agreed that the 'firewall as the networks response to poor host security', the quote some guru or other.
But that was then, this is now; many individuals at their workstations are either idiot or had a passing bout of idiocy that opened them to an attack. They too need to be either isolated or given a 'personal firewall'.
Then, too, there are the 'single machines on the net', users.
So not I think differently. Professionally. But here I have a number of layers before getting to my host, and a lot of my processing isn't done on my host.
Have you looked at https://software.opensuse.org/package/gufw
No, I didn't notice that one. Thanks for the link. I agree that host-based firewalls aren't needed in every situation, but if it's easy, why not? The environment at work has a couple of /16 networks behind a well-maintained security stack. So each host can be exposed to thousands of other machines, most of them Windows! Host-based firewalls make sense here. Regards, Lew
On 27/02/2019 17.25, Lew Wolfgang wrote:
On 02/27/2019 03:12 AM, Anton Aylward wrote:
...
Have you looked at https://software.opensuse.org/package/gufw
No, I didn't notice that one. Thanks for the link.
I agree that host-based firewalls aren't needed in every situation, but if it's easy, why not? The environment at work has a couple of /16 networks behind a well-maintained security stack. So each host can be exposed to thousands of other machines, most of them Windows! Host-based firewalls make sense here.
Yes! If one machine gets contaminated it doesn't need to contaminate the rest.
On 2019-02-27 11:25 a.m., Lew Wolfgang wrote:
On 02/27/2019 03:12 AM, Anton Aylward wrote:
Yes there were certainly a number of systems that wrapped Shorewall into a very nice application for a dedicated box. [...]
Have you looked at https://software.opensuse.org/package/gufw
No, I didn't notice that one. Thanks for the link.
I agree that host-based firewalls aren't needed in every situation, but if it's easy, why not? The environment at work has a couple of /16 networks behind a well-maintained security stack. So each host can be exposed to thousands of other machines, most of them Windows! Host-based firewalls make sense here.
Indeed. The "most of them Windows!" is the definitive indictment, isn't it? Hopefully many here are educated enough in firewall design and certified as such, but there are LOTS of books on firewalls. Too many, so let's go back to basics. The Chapman/Zwicky 'authority' from O'Reilly dates from 1995, the peak of the DotComBoom just before the Crash. https://www.oreilly.com/library/view/building-internet-firewalls/1565928717/... Bob Ziegler out of Nokia wrote the book on Linux Firewalls which was much better illustrated and is a lot more digestible even if the low-level commands are about 'ipchains' :-) Is there an updated version? If there is I can recommend it. There are others from O'Reilly with more amusing covers. "Firewalls and Internet Security: Repelling the Wily Hacker" Especially the first edition with "You must be this tall to storm castle"
On 2019-02-27 12:30 PM, Anton Aylward wrote:
Bob Ziegler out of Nokia wrote the book on Linux Firewalls which was much better illustrated and is a lot more digestible even if the low-level commands are about 'ipchains' :-) Is there an updated version? If there is I can recommend it.
According to O'Reilly, there is a 3rd edition published in 2005. I only have access to the Table of Contents on their website, but it does make reference to ipchains. ISBN: 0672327716
On 2019-02-27 7:40 p.m., Darryl Gregorash wrote:
On 2019-02-27 12:30 PM, Anton Aylward wrote:
Bob Ziegler out of Nokia wrote the book on Linux Firewalls which was much better illustrated and is a lot more digestible even if the low-level commands are about 'ipchains' :-) Is there an updated version? If there is I can recommend it.
According to O'Reilly, there is a 3rd edition published in 2005. I only have access to the Table of Contents on their website, but it does make reference to ipchains.
ISBN: 0672327716
Well DUH There does seem to be an O'Reilly of that title but the version I have was published by New Riders in 2000 and the 3rd edition I see, co-authored with Steve Suehring https://www.amazon.ca/dp/B000RH0EQ6 And it seems Steve has done a 4th edition by himself with Addison-Wesley. "Linux Firewalls: Enhancing Security with nftables and Beyond 4th Edition" If you google for books on Linux and firewalls you are going to get a LOT of hits. Everybody claiming to be a 'security expert' seems to have written one. Hey! Anyone here written one?
On 2019-02-27 07:22 PM, Anton Aylward wrote:
On 2019-02-27 7:40 p.m., Darryl Gregorash wrote:
On 2019-02-27 12:30 PM, Anton Aylward wrote:
Bob Ziegler out of Nokia wrote the book on Linux Firewalls which was much better illustrated and is a lot more digestible even if the low-level commands are about 'ipchains' :-) Is there an updated version? If there is I can recommend it. According to O'Reilly, there is a 3rd edition published in 2005. I only have access to the Table of Contents on their website, but it does make reference to ipchains.
ISBN: 0672327716
Well DUH There does seem to be an O'Reilly of that title but the version I have was published by New Riders in 2000 and the 3rd edition I see, co-authored with Steve Suehring https://www.amazon.ca/dp/B000RH0EQ6 And it seems Steve has done a 4th edition by himself with Addison-Wesley. "Linux Firewalls: Enhancing Security with nftables and Beyond 4th Edition" I did note that book in my meandering. My first question was, "What the <bleep> is nftables?" But please, no one hijack the thread on my account -- if I'm really interested, I'll open another one :D
If you google for books on Linux and firewalls you are going to get a LOT of hits. Everybody claiming to be a 'security expert' seems to have written one. Hey! Anyone here written one?
No; you can be first ;) But I'd be far more satisfied if someone would write a decent GUI interface to at least one of these things.
* Darryl Gregorash <raven@accesscomm.ca> [02-27-19 21:18]:
On 2019-02-27 07:22 PM, Anton Aylward wrote:
On 2019-02-27 7:40 p.m., Darryl Gregorash wrote:
On 2019-02-27 12:30 PM, Anton Aylward wrote:
Bob Ziegler out of Nokia wrote the book on Linux Firewalls which was much better illustrated and is a lot more digestible even if the low-level commands are about 'ipchains' :-) Is there an updated version? If there is I can recommend it. According to O'Reilly, there is a 3rd edition published in 2005. I only have access to the Table of Contents on their website, but it does make reference to ipchains.
ISBN: 0672327716
Well DUH There does seem to be an O'Reilly of that title but the version I have was published by New Riders in 2000 and the 3rd edition I see, co-authored with Steve Suehring https://www.amazon.ca/dp/B000RH0EQ6 And it seems Steve has done a 4th edition by himself with Addison-Wesley. "Linux Firewalls: Enhancing Security with nftables and Beyond 4th Edition" I did note that book in my meandering. My first question was, "What the <bleep> is nftables?" But please, no one hijack the thread on my account -- if I'm really interested, I'll open another one :D
or you could just search on google
On 02/21/2019 08:44 PM, Lew Wolfgang wrote:
Hi Folks,
I've finally started to move 42.3 systems to Leap 15 and have run into some issues with firewalld. The basic install works okay on this dual-stack v4/v6 network, but when I try to configure two interfaces (exterior/interior) I lose my v6 address assignment. Stopping the firewall allows dhcpv6 to work, starting the firewall breaks it again. I've explicitly tried to enable the dhcpv6 service, and to enable logging for troubleshooting, all to no avail. The GUI interface is confusing at best, and I've got direct experience with ipchains and iptables, so I didn't just fall off of the turnip truck.
Does anyone have experience with Shorewall as a replacement for firewalld? I'm tempted to try it before I get too far into the weeds with firewalld. Any suggestions?
I used to use SuSEFirewall2, including with IPv6, back when I used a 6in4 tunnel to get IPv6. However, when my ISP provided IPv6, with DHCPv6-PD, I had to switch to another firewall that supported it. I went with pfSense, which works very well. It can be run in either a stand alone computer or in a virtual machine.
On 02/22/2019 05:55 AM, James Knott wrote:
On 02/21/2019 08:44 PM, Lew Wolfgang wrote:
Hi Folks,
I've finally started to move 42.3 systems to Leap 15 and have run into some issues with firewalld. The basic install works okay on this dual-stack v4/v6 network, but when I try to configure two interfaces (exterior/interior) I lose my v6 address assignment. Stopping the firewall allows dhcpv6 to work, starting the firewall breaks it again. I've explicitly tried to enable the dhcpv6 service, and to enable logging for troubleshooting, all to no avail. The GUI interface is confusing at best, and I've got direct experience with ipchains and iptables, so I didn't just fall off of the turnip truck.
Does anyone have experience with Shorewall as a replacement for firewalld? I'm tempted to try it before I get too far into the weeds with firewalld. Any suggestions? I used to use SuSEFirewall2, including with IPv6, back when I used a 6in4 tunnel to get IPv6. However, when my ISP provided IPv6, with DHCPv6-PD, I had to switch to another firewall that supported it. I went with pfSense, which works very well. It can be run in either a stand alone computer or in a virtual machine.
Yes, we've been using SuSEFirewall2 in this dual-stacked environment without any issues, and firewalld worked okay until I tried to configure a box with two interfaces. I've also heard good things about pfSense, but we're really interested in maintaining host-based firewalls, in addition to the external ones maintained by management. Shorewall seemed attractive since it's supported and easily installed via zypper. It can serve as a host-based firewall and router, right? Regards, Lew
participants (8)
- Anton Aylward
- Carlos E. R.
- Darryl Gregorash
- Dave Howorth
- James Knott
- Lew Wolfgang
- Mathias Homann
- Patrick Shanahan