Mailinglist Archive: opensuse-factory (745 mails)

Re: [opensuse-factory] firewalld migration (was: Tumbleweed - Review of the week 2018/03)
Quoting Matthias Gerstner <mgerstner@xxxxxxx>:

Hello,

On Mon, Jan 22, 2018 at 12:34:35PM +0200, Robert Munteanu wrote:
Is there a plan or some guidance for packages that drop files in
/etc/sysconfig/SuSEfirewall2.d/services/ ?

$ ls -1 /etc/sysconfig/SuSEfirewall2.d/services/ | grep -v TEMPLATE | wc -l
33

With firewalld these files are no longer needed. Firewalld ships builtin
service definitions which can be listed via

$ firewall-cmd --get-services

You can get the definition of a single service like this

$ firewall-cmd --info-service=samba-client

These service names can then be used for opening them in a certain zone:

$ firewall-cmd --add-service=samba-client --zone=internal [--permanent]

You can also find the XML definitions of the services in
/usr/lib/firewalld/services.

I think the SuSEfirewall2 service files should stay around until the
migration to the new default firewall is complete. We can get rid of
these files only after SuSEfirewall2 has been completely removed from
openSUSE. It's inconvenient that these files are spread across many
different packages so it will probably take a while until they're all
cleaned up.

If anybody thinks that a service definition is missing in firewalld then
please tell me so we can see what to do about it. The correct way in
such cases would probably be to contribute suitable files to firewalld
upstream. New firewalld services can also be added dynamically during
runtime. Here is some upstream documentation on adding services:

http://www.firewalld.org/documentation/howto/add-a-service.html

So there's /etc/firewalld/services for custom services but dropping
service files into /usr/lib/firewalld/services seems also to be
supported.

One thing that seems to be missing in firewalld is the equivalent of SuSEfirewall2-custom. I use some modules from the xtables-addons-kmp-default package. By nature, these are fragile and tend to break occasionally when the kernel changes. Right now, the xt_geoip module is present, but broken. When including an iptables rule that relies on these modules, this will stop SuSEfirewall2 from loading. This has locked me out several times in the past. So I now use something like the following to prevent this from happening in SuSEfirewall2-custom:

fw_custom_before_port_handling() {
    # Only use the geoip match when the xtables-addons module can actually be
    # loaded; otherwise fall back to a plain rule so SuSEfirewall2 still loads.
    if modprobe --quiet xt_geoip; then
        iptables -A input_ext -p tcp -m tcp --dport 443 -m geoip --source-country NL -j ACCEPT
    else
        iptables -A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
    fi
}

I have not found a similar way of conditional loading of rules, depending on the ability to load a module. Did I miss something?

Should many additional service files be needed (which I hope will not be
the case) then we could also think about introducing a separate package
that holds all those custom service files. This would make maintaining
them easier from the firewall perspective, but adds some burden to
packagers that need changes to them.

Regards

Matthias
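As an added example (not code from the thread or from firewalld itself) of the custom service definitions discussed above, which firewalld reads from /etc/firewalld/services: a small POSIX sh helper that validates a list of port specs and writes the service XML file. The service name example-app, its ports and the output directory are constructed values.

```shell
#!/bin/sh
# Added example, not code from the thread. Writes a custom firewalld service
# definition in the XML format used by the files under
# /etc/firewalld/services (and /usr/lib/firewalld/services for packaged ones).
# The output directory is a parameter so it can be tried in a scratch dir.

# usage: write_firewalld_service NAME SHORT DESCRIPTION DIR PORT[-PORT]/PROTO...
# Prints the path of the written file; returns 1 on a bad port spec.
# SHORT and DESCRIPTION are inserted verbatim, so keep them free of &, < and >.
write_firewalld_service() {
    name=$1; short=$2; desc=$3; dir=$4
    shift 4
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }

    # Validate every PORT/PROTO spec before touching the filesystem, so a
    # typo cannot leave a half-written file that firewalld would then reject.
    for spec in "$@"; do
        port=${spec%/*}
        proto=${spec#*/}
        case $proto in
            tcp|udp|sctp|dccp) ;;
            *) echo "unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
        case $port in
            ''|*[!0-9-]*) echo "bad port in '$spec'" >&2; return 1 ;;
        esac
    done

    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file" || return 1
    chmod 0644 "$file"
    printf '%s\n' "$file"
}

# Demo with constructed values; set FWD_DEMO_DIR to a scratch directory to run it.
if [ -n "${FWD_DEMO_DIR:-}" ]; then
    write_firewalld_service example-app "Example App" "Constructed example service" \
        "$FWD_DEMO_DIR" 8443/tcp 5000-5010/udp && cat "$FWD_DEMO_DIR/example-app.xml"
fi
```

Once the file is in /etc/firewalld/services, firewall-cmd --reload makes the new name show up in --get-services and usable with --add-service in a zone as described above.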
