Old 06-30-2018, 12:54 PM   #1
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,804

Using recent Tumbleweed for firewall?


(Sorry if this has been done before. The search engine seems to have a problem with using small words that would narrow down a search to what I'm looking for.)

I have an older system--OK, it's ancient--that's running an old version of Red Hat and has been acting as the firewall for our small network. Before the hardware gives up on us--I'm worried about the electrolytic capacitors going bad as they have on some other systems--I'm building a system with newer hardware. I chose OpenSUSE Tumbleweed as the OS as I'm using it elsewhere for some servers. With systemd's penchant for assuming that it, and only it, will control what's running on the system, I'm wondering how difficult it's going to be to move the scripts that define all the firewall rules we are currently using onto the Tumbleweed environment.

I'm hoping to implement these scripts in a wrapper that will run at system startup as it does on the current system: in an "rc.local" style script. I've heard some people have had a difficult time getting that sort of arrangement working with systemd.

Qs:
  • Has anyone migrated an older firewall setup into the new systemd world?
  • If so, how much trouble did you have?
  • What do I need to watch out for?
  • Should I just rebuild the new system with Slackware (and save myself some frustration)?

Any tips are welcome.

TIA...

--
Rick
 
Old 07-01-2018, 08:02 PM   #2
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Ubuntu MATE, Mageia, and whatever VMs I happen to be playing with
Posts: 19,357
Blog Entries: 28

I don't have any direct experience with this, but, as all that a firewall does is pass traffic through (or not), I don't see how SystemD would come into play at all.
 
Old 07-02-2018, 03:42 PM   #3
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,627

opensuse tumbleweed WILL!!!!!!! reset settings on almost every "zypper dup" and i have had 4000+ updates in one week

12 one day then over 4000 the next day

this can be a pain in the rear end on custom settings


reformat and install CentOS 7.5 on the machine being used as the firewall box

Last edited by John VV; 07-02-2018 at 03:43 PM.
 
Old 07-02-2018, 04:21 PM   #4
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,804

Original Poster
Quote:
Originally Posted by frankbell
I don't have any direct experience with this, but, as all that a firewall does is pass traffic through (or not), I don't see how SystemD would come into play at all.
Systemd purports to have a way to run "SysV init"-style services but I've heard more than one account of the difficulty in getting that to work.

There is an "rc.local" service but systemd doesn't seem to want to run it without writing additional crap:
Code:
# systemctl enable rc-local
The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
So... after creating a basic /etc/rc.local script and companion file for rc.local (not sure why the OS doesn't ship with a basic one since after a stock install the rc-local service is listed in the system service status) to make systemd accept that it's a local rc script that you might want to run you can't just import a known-to-be-working SysV-style init script. (Any wonder why old UNIX hands hate systemd with the fire of a thousand white hot suns?) The existing script that sets up the firewall rules/logging already works so I'll be trying to invoke that from inside /etc/rc.local and pass start/stop arguments to it though I'm not sure how useful that'll wind up being. So far, the canned systemd rc.local service only receives "start" arguments which should be OK for my purposes but not so nice for someone who chooses to run their own software service that can't be shut down in an orderly fashion.

I do have a recent Slackware DVD laying around... :/

I'm hoping to make this hardware/OS/firewall switch on the 4th after an equipment move on the evening of the 3rd. I might need some luck to make this happen without a hitch.
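
Added example, not part of the original posts: a native systemd unit that runs an existing firewall script at boot and passes it both start and stop arguments, which covers the missing [Install] section and the start-only limitation described in the post above. The unit name local-firewall.service and the script path /usr/local/sbin/firewall.sh are assumptions; substitute the real location of the script.

```ini
# /etc/systemd/system/local-firewall.service
# (unit name and script path are assumptions for this example)

[Unit]
Description=Load iptables rules from the existing firewall script
# Order the rules ahead of network configuration so interfaces do not
# come up before the filtering rules are in place.
Wants=network-pre.target
Before=network-pre.target

[Service]
# The script sets the rules and exits; oneshot + RemainAfterExit keeps
# the unit "active" afterwards so that a later stop runs ExecStop.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/firewall.sh start
ExecStop=/usr/local/sbin/firewall.sh stop

[Install]
# This section is what "systemctl enable" needs; its absence is what
# produces the "no installation config" message quoted above.
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemctl enable local-firewall.service` makes it start at boot, and `systemctl is-enabled local-firewall.service` confirms the link was created.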
 
Old 07-07-2018, 08:58 PM   #5
rnturn
Senior Member
 
Registered: Jan 2003
Location: Illinois (SW Chicago 'burbs)
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,804

Original Poster
Quote:
Originally Posted by rnturn
I do have a recent Slackware DVD laying around... :/
Which came in quite handy. Installed it over the Tumbleweed that wouldn't retain my iptables commands and had the existing script running in no time. Funny how moving from one version of OpenSUSE to another was so problematic while going back to a distribution I haven't used since the "Linux Unleashed" book came out (which included a Slackware 2.2.0 CD) turned out to get things done so much more smoothly. (Their installer has certainly improved in the last 20+ years.) Installed my existing script, tweaked a couple of files in /etc/rc.d, make another one executable, reboot, and BAM. I can't say I'd switch any of the other systems on the network to Slackware but I can see why some folks would throw up their hands while saying "screw this" and switch to FreeBSD or other UNIX-like OSs.

(BTW, John: I tried CentOS but their installer has a bug that doesn't recognize local drives under certain conditions and doesn't bother to tell you why. Maybe they'll fix that in 7.6.)

Marking this one "Solved".
 
  

