YaST is managing SuSEfirewall2 on SLE 12 and it seems the iptables module of Salt is trying to do the same. But anyway it's better to check if it works without any issues; as I already described, there are some issues with using the `save` option itself. I had positive feedback from the customer using it, but the use case could be different.

Regards,
Victor

On Wed, 2021-06-23 at 14:43 +0000, Allen Beddingfield wrote:

Is there not a SUSE-specific way of doing it? Something that actually uses the OS-provided mechanism to do it, instead of managing the config files, etc...? The one for firewalld does. Is there not something that will do the equivalent of "yast firewall services add tcpport=443, zone=EXT"?

Allen B.

--
Allen Beddingfield
Systems Engineer
Office of Information Technology
The University of Alabama
Office 205-348-2251
allen@ua.edu

________________________________________
From: Victor Zhestkov <Victor.Zhestkov@suse.com>
Sent: Wednesday, June 23, 2021 9:09 AM
To: Allen Beddingfield; uyuni-users@opensuse.org
Subject: [EXTERNAL] Re: Salt state for SLES 12 firewall. Use salt.states.iptables?

Try to use the `save: True` argument for the `iptables` state module. If a boolean value is specified for `save`, the module should save the rule in the default file. There is a rule selecting the file to save the rules to based on the OS family:

https://github.com/saltstack/salt/blob/6d454bf9342dee2507a5e50af79782592698e...

But please note that it could fail for some of the functions, as the save parameter is not passed the correct way for some of them.

Regards,
Victor

On Wed, 2021-06-23 at 14:03 +0000, Allen Beddingfield wrote:

I'm just asking what is the "correct" way in a salt state to ensure that a port is open on a SLES 12 system. SLES 15 uses firewalld, so I use "firewalld.present".

Allen B.

________________________________________
From: Victor Zhestkov <Victor.Zhestkov@suse.com>
Sent: Wednesday, June 23, 2021 9:01 AM
To: Allen Beddingfield; uyuni-users@opensuse.org
Subject: [EXTERNAL] Re: Salt state for SLES 12 firewall. Use salt.states.iptables?

Hi Allen.

Not sure if I understood the idea right, but there is an issue related to saving rules for iptables; the fix was tested, but not yet published in the latest package. Here is the upstream PR:

https://github.com/saltstack/salt/pull/60358

Anyway, saving the rules to the file needs to be tested for each distro.

Regards,
Victor

On Wed, 2021-06-23 at 13:56 +0000, Allen Beddingfield wrote:

I have been using the firewalld state module for SLES 15 successfully, but I'm now trying to write a state for SLES 12, which uses the older SuSEfirewall2. Is the salt.states.iptables module the correct approach for this? Wondering if directly inserting iptables rules with that is going to cause any issues if someone opens the yast firewall module later?

Allen B.
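
A state covering both releases discussed in this thread, as an added example that is not part of any message above and not Salt project code: SLES 12 gets `iptables.append` with `save: True`, SLES 15 gets `firewalld.present`. The state ID `allow_https_iptables`, the INPUT chain, the `public` zone and the file path in the first comment are assumptions.

```yaml
# Added example: hypothetical SLS file, e.g. salt://firewall/https.sls (path is an assumption).
# Opens TCP 443 with the state module that matches the minion's firewall backend.

{% set port = 443 %}

{% if grains['os_family'] == 'Suse' and grains['osmajorrelease']|int == 12 %}

# SLES 12: the rule goes through salt.states.iptables.
# Table and chain are assumptions; use the chain actually evaluated on the host.
allow_https_iptables:
  iptables.append:
    - table: filter
    - chain: INPUT
    - family: ipv4
    - protocol: tcp
    - dport: {{ port }}
    - jump: ACCEPT
    # Boolean True: the module saves to its OS-family default file,
    # as described in the reply above.
    - save: True

{% elif grains['os_family'] == 'Suse' and grains['osmajorrelease']|int >= 15 %}

# SLES 15: firewalld is the backend, so firewalld.present is used.
# The state ID is the zone name; "public" is an assumption.
public:
  firewalld.present:
    - ports:
      - {{ port }}/tcp

{% endif %}
```

Apply it with `test=True` first, then confirm on a SLES 12 minion that the rule is still present after the firewall service restarts, since the thread notes that `save` can fail for some functions and that saving needs to be tested per distro.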