ACC SHELL
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="SuSEfirewall2 FAQ"><div class="titlepage"><div><div><h2 class="title"><a id="id301529"></a>SuSEfirewall2 FAQ</h2></div></div><hr /></div><div class="qandaset" title="Frequently Asked Questions"><a id="id301543"></a><dl><dt>1. <a href="#id301545">
Why is communication between two interfaces in the same zone not working?
</a></dt><dt>2. <a href="#id265830">Some service does not work when the firewall is enabled. How do I find out what's wrong?
</a></dt><dt>3. <a href="#id297412">
Some web site that offers port scanning claims my system is not
protected properly as it still responds to ICMP echo requests (ping)
</a></dt><dt>4. <a href="#id304338">
Can't the evil guys detect whether my host is online if it responds
to ICMP echo requests?
</a></dt><dt>5. <a href="#id305185">
SuSEfirewall2 drops most packets but it doesn't fully hide the
presence of my machine. Isn't that a security hole?
</a></dt><dt>6. <a href="#id292467">
The ipsec0 interface I had with kernel 2.4 is
gone. How do I assign IPsec traffic to a different zone now?
</a></dt><dt>7. <a href="#id300867">
Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
</a></dt><dt>8. <a href="#id283911">
Enabling drbd blocks the boot process. How to get around that?
</a></dt><dt>9. <a href="#id265332">
My wireless LAN network interface is configured for the
external zone. Sometimes I need to connect to trusted
networks that offer e.g. printing or file sharing. How can
I solve that without opening ports in the external zone?
</a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td align="left" valign="top"><a id="id301545"></a><a id="id301547"></a><p><b>1.</b></p></td><td align="left" valign="top"><p>
Why is communication between two interfaces in the same zone not working?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
For security reasons, no network may communicate to another until
configured otherwise. Even if both are "trusted" internal networks.
You can allow full traffic with
<code class="varname">FW_ALLOW_CLASS_ROUTING</code> or specifying all allowed
traffic with <code class="varname">FW_FORWARD</code>. Keep in mind that this
affects all interfaces in all zones.
</p></td></tr><tr class="question" title="2."><td align="left" valign="top"><a id="id265830"></a><a id="id265832"></a><p><b>2.</b></p></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Enable logging of all dropped packets and disable the log limit in
<code class="filename">/etc/sysconfig/SuSEfirewall2</code>:
</p><div class="informalexample"><pre class="programlisting">FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_LIMIT="no"</pre></div><p>
Run <span class="command"><strong>SuSEfirewall2</strong></span> again.
<code class="filename">/var/log/messages</code> will now quickly fill up with
log messages about dropped packets when you try to use the not
working service. Those messages tell you the protocol and port you
need to open.
</p><p>
You may also run SuSEfirewall2 in test mode:
<span class="command"><strong>SuSEfirewall2 test</strong></span>. Then try to connect to the
service in a way which failed before. It will work
because SuSEfirewall2 does <span class="emphasis"><em>not</em></span> actually filter any
packets this time. However, it will still log all packets it normally
would have dropped.
</p><p>
If everything works again don't forget to set the log options back to
normal to not fill up you log files.
</p></td></tr><tr class="question" title="3."><td align="left" valign="top"><a id="id297412"></a><a id="id291503"></a><p><b>3.</b></p></td><td align="left" valign="top"><p>
Some web site that offers port scanning claims my system is not
protected properly as it still responds to ICMP echo requests (ping)
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
ICMP echo requests are harmless however they are a fundametal means
to determine whether hosts are still reachable. Blocking them would
seriously impact the ability to track down network problems. It is
therefore not considered nice behaviour for an internet citizen to
drop pings.
</p></td></tr><tr class="question" title="4."><td align="left" valign="top"><a id="id304338"></a><a id="id292572"></a><p><b>4.</b></p></td><td align="left" valign="top"><p>
Can't the evil guys detect whether my host is online if it responds
to ICMP echo requests?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Yes but they can detect that anyways. The router at your provider
behaves different depending on whether someone is dialed in or not.
</p></td></tr><tr class="question" title="5."><td align="left" valign="top"><a id="id305185"></a><a id="id302781"></a><p><b>5.</b></p></td><td align="left" valign="top"><p>
SuSEfirewall2 drops most packets but it doesn't fully hide the
presence of my machine. Isn't that a security hole?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
You machine is never fully invisible, see previous question. The
purpose of dropping packets is not to hide your machine but to slow
down port scans.
</p></td></tr><tr class="question" title="6."><td align="left" valign="top"><a id="id292467"></a><a id="id293084"></a><p><b>6.</b></p></td><td align="left" valign="top"><p>
The <code class="literal">ipsec0</code> interface I had with kernel 2.4 is
gone. How do I assign IPsec traffic to a different zone now?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Set the variable <code class="varname">FW_IPSEC_TRUST</code> to the zone you
would have put the <code class="literal">ipsec0</code> into before. For example
if your IPsec tunnel is set up on the external interface but you want
to grant the <span class="emphasis"><em>decrypted</em></span> traffic access to all
your services as if it was in the internal zone:
</p><div class="informalexample"><pre class="programlisting">FW_IPSEC_TRUST="int"
FW_SERVICES_EXT_IP="esp"
FW_SERVICES_EXT_UDP="isakmp"
FW_PROTECT_FROM_INT="no"</pre></div><p>
</p></td></tr><tr class="question" title="7."><td align="left" valign="top"><a id="id300867"></a><a id="id292485"></a><p><b>7.</b></p></td><td align="left" valign="top"><p>
Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
<code class="literal">SuSEfirewall2</code> is implemented in bourne shell which is not exactly the
fastest thing on earth especially if it has that much work to do as
<code class="literal">SuSEfirewall2</code>. Administrators still prefer bourne shell scripts
because of readability <span class="emphasis"><em>*cough*</em></span>.
</p><p>
<code class="literal">SuSEfirewall2</code> already uses a method
similar to <code class="literal">iptables-restore</code> to apply
as much filter rules as possible at once.
<code class="literal">SuSEfirewall2</code> doesn't use
<code class="literal">iptables-restore</code> natively to be able to
easily fall back to individual <code class="literal">iptables</code>
calls in case of error.
</p></td></tr><tr class="question" title="8."><td align="left" valign="top"><a id="id283911"></a><a id="id283913"></a><p><b>8.</b></p></td><td align="left" valign="top"><p>
Enabling drbd blocks the boot process. How to get around that?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
During boot process all incoming traffic is blocked
unconditionally. The very last boot script then sets up
the configured firewall rules. The problem is that drbd
blocks the boot process while waiting for incoming
connection from other nodes. Therefore configuring the
drbd port in <code class="literal">SuSEfirewall2</code> has no
effect.
</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
SLES10
</p><p>
Add a manual iptables call to
<code class="literal">/etc/init.d/boot.local</code>:
</p><div class="informalexample"><pre class="programlisting">iptables -A INPUT -p tcp --dport 7788 -j ACCEPT</pre></div><p>
</p></li><li class="listitem"><p>
SLES11, openSUSE <= 11.2
</p><p>
On SLES11 SuSEfirewall2_init is called after
boot.local, therefore the method for SLES10
doesn't work anymore. It's possible to modify the
dependencies of the SuSEfirewall2_setup script to run
before drbd though:
</p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>
Create the directory
<code class="filename">/etc/insserv/overrides</code>
</p></li><li class="listitem"><p>
Create a new file
<code class="filename">/etc/insserv/overrides/SuSEfirewall2_setup</code>
</p></li><li class="listitem"><p>
Copy the the LSB header (the part between and
including the lines "<code class="literal">### BEGIN INIT
INFO</code>" and "<code class="literal">### END INIT
INFO</code>") from
<code class="filename">/etc/init.d/SuSEfirewall2_setup</code>
to
<code class="filename">/etc/insserv/overrides/SuSEfirewall2_setup</code>
</p></li><li class="listitem"><p>
Replace <code class="literal">$ALL</code> with
<code class="literal">$null</code> and add the following
line:
</p><div class="informalexample"><pre class="programlisting"># X-Start-Before: drbd</pre></div><p>
</p></li><li class="listitem"><p>
run <span class="command"><strong>/sbin/insserv</strong></span>
</p></li></ul></div><p>
</p></li><li class="listitem"><p>
openSUSE >= 11.3
</p><p>
Configure the open ports for <code class="literal">drbd</code> and set
</p><div class="informalexample"><pre class="programlisting">FW_BOOT_FULL_INIT="yes"</pre></div><p>
</p></li></ul></div></td></tr><tr class="question" title="9."><td align="left" valign="top"><a id="id265332"></a><a id="id265334"></a><p><b>9.</b></p></td><td align="left" valign="top"><p>
My wireless LAN network interface is configured for the
external zone. Sometimes I need to connect to trusted
networks that offer e.g. printing or file sharing. How can
I solve that without opening ports in the external zone?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
The <a class="ulink" href="http://lizards.opensuse.org/2009/08/28/firewall-zone-switcher-updated/" target="_top">Firewall
Zone Switcher applet</a> allows desktop users to
switch zones with only few mouse clicks. It's included in
openSUSE since version 11.2.
</p></td></tr></tbody></table></div></div></body></html>
ACC SHELL 2018