Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Using recent Tumbleweed for firewall?
(Sorry if this has been done before. The search engine seems to have a problem with using small words that would narrow down a search to what I'm looking for.)
I have an older system--OK, it's ancient--that is running an old version of Red Hat and has been acting as the firewall for our small network. Before the hardware gives up on us--I'm worried about the electrolytic capacitors going bad as they have on some other systems--I'm building a system with newer hardware. I chose OpenSUSE Tumbleweed as the OS as I'm using it elsewhere for some servers. With systemd's penchant for assuming that it, and only it, will control what's running on the system, I'm wondering how difficult it's going to be to move the scripts that define all the firewall rules we are currently using onto the Tumbleweed environment.
I'm hoping to implement these scripts in a wrapper that will run at system startup as it does on the current system: in an "rc.local"-style script. I've heard some people have had a difficult time getting that sort of arrangement working with systemd.
Qs:
Has anyone migrated an older firewall setup into the new systemd world?
If so, how much trouble did you have?
What do I need to watch out for?
Should I just rebuild the new system with Slackware (and save myself some frustration)?
I don't have any direct experience with this, but, as all that a firewall does is pass traffic through (or not), I don't see how SystemD would come into play at all.
Original Poster
Quote:
Originally Posted by frankbell
I don't have any direct experience with this, but, as all that a firewall does is pass traffic through (or not), I don't see how SystemD would come into play at all.
Systemd purports to have a way to run "SysV init"-style services, but I've heard more than one account of the difficulty in getting that to work.
There is an "rc.local" service, but systemd doesn't seem to want to run it without writing additional crap:
Code:
# systemctl enable rc-local
The unit files have no installation config (WantedBy, RequiredBy, Also, Alias
settings in the [Install] section, and DefaultInstance for template units).
This means they are not meant to be enabled using systemctl.
So... after creating a basic /etc/rc.local script and a companion file for rc.local (not sure why the OS doesn't ship with a basic one, since after a stock install the rc-local service is listed in the system service status) to make systemd accept that it's a local rc script that you might want to run, you can't just import a known-to-be-working SysV-style init script. (Any wonder why old UNIX hands hate systemd with the fire of a thousand white-hot suns?) The existing script that sets up the firewall rules/logging already works, so I'll be trying to invoke that from inside /etc/rc.local and pass start/stop arguments to it, though I'm not sure how useful that'll wind up being. So far, the canned systemd rc.local service only receives "start" arguments, which should be OK for my purposes but not so nice for someone who chooses to run their own software service that then can't be shut down in an orderly fashion.
I do have a recent Slackware DVD laying around... :/
I'm hoping to make this hardware/OS/firewall switch on the 4th after an equipment move on the evening of the 3rd. I might need some luck to make this happen without a hitch.
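The thread's sticking point is that the stock rc-local unit has no [Install] section and only ever passes "start". The usual way around that is to give the rule script a small unit of its own. What follows is an added example, not the poster's script or anything shipped by openSUSE: a start/stop wrapper around a constructed, minimal iptables rule set (default-deny INPUT/FORWARD, NAT for a LAN, rate-limited logging of drops) plus a function that writes a systemd unit for it. The interface names, the LAN subnet, the file names firewall.sh and firewall.service, and the install path /usr/local/sbin are all assumptions. The unit is ordered before network-pre.target, the hook systemd provides for firewalls, so rules are in place before any interface is configured; that pattern (DefaultDependencies=no, Wants/Before=network-pre.target) is the one used by existing distribution firewall units.

```shell
#!/bin/sh
# firewall.sh: hypothetical start/stop wrapper for a local iptables rule set,
# plus a writer for the systemd unit that runs it. Added example, not the
# poster's script; rule set and names are constructed/assumed.

IPT="${IPT:-iptables}"              # set IPT=echo for a dry run
WAN="${WAN:-eth0}"                  # assumed interface names
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}" # assumed LAN subnet

fw_start() {
    # Set default-deny policies first, then flush: flushing does not touch
    # policies, so there is no moment where the box forwards unfiltered.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -P OUTPUT ACCEPT
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    "$IPT" -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    # Anything reaching the end of the chain is about to hit the DROP policy;
    # log it, rate-limited so a flood cannot fill the journal.
    "$IPT" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

fw_stop() {
    # Flush and open up. On a dedicated firewall "stop" means "unprotected",
    # so this is only meant for a deliberate shutdown or rule reload.
    "$IPT" -F
    "$IPT" -t nat -F
    "$IPT" -P INPUT ACCEPT
    "$IPT" -P FORWARD ACCEPT
    "$IPT" -P OUTPUT ACCEPT
}

write_unit() {
    # Write firewall.service into the given directory (normally
    # /etc/systemd/system). The [Install] section is exactly what the stock
    # rc-local unit lacks, so this unit can be enabled with systemctl.
    dir="${1:-/etc/systemd/system}"
    cat > "$dir/firewall.service" <<'EOF'
[Unit]
Description=Local iptables firewall rules (hypothetical example unit)
# Run before any network interface is configured.
DefaultDependencies=no
Wants=network-pre.target local-fs.target
Before=network-pre.target shutdown.target
After=local-fs.target
Conflicts=shutdown.target

[Service]
Type=oneshot
# Stay "active" after ExecStart returns so ExecStop runs at shutdown.
RemainAfterExit=yes
ExecStart=/usr/local/sbin/firewall.sh start
ExecStop=/usr/local/sbin/firewall.sh stop

[Install]
WantedBy=multi-user.target
EOF
}

case "${1:-}" in
    start)   fw_start ;;
    stop)    fw_stop ;;
    restart) fw_stop; fw_start ;;
    install) write_unit "${2:-/etc/systemd/system}" ;;
    "")      ;;   # no argument: only define the functions (sourced or tested)
    *)       echo "usage: $0 start|stop|restart|install [unit-dir]" >&2; exit 2 ;;
esac
```

After copying the script to /usr/local/sbin and running `firewall.sh install`, `systemctl enable firewall.service` works because the unit carries a WantedBy. Two checks worth doing on a Tumbleweed box: run the script with IPT=echo first to eyeball the rules it would load, and make sure no other firewall manager is enabled, since a distribution firewall service that flushes and rewrites the tables on start would explain rules that "don't stick" across a reboot.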
Original Poster
Quote:
Originally Posted by rnturn
I do have a recent Slackware DVD laying around... :/
Which came in quite handy. Installed it over the Tumbleweed that wouldn't retain my iptables commands and had the existing script running in no time. Funny how moving from one version of OpenSUSE to another was so problematic while going back to a distribution I haven't used since the "Linux Unleashed" book came out (which included a Slackware 2.2.0 CD) turned out to get things done so much more smoothly. (Their installer has certainly improved in the last 20+ years.) Installed my existing script, tweaked a couple of files in /etc/rc.d, made another one executable, rebooted, and BAM. I can't say I'd switch any of the other systems on the network to Slackware, but I can see why some folks would throw up their hands while saying "screw this" and switch to FreeBSD or other UNIX-like OSs.
(BTW, John: I tried CentOS but their installer has a bug that doesn't recognize local drives under certain conditions and doesn't bother to tell you why. Maybe they'll fix that in 7.6.)