SUSE / openSUSE: This forum is for the discussion of SuSE Linux.
I have to use the YaST firewall as my, well, firewall.
The standard settings, and everything that I change in the setup tool, add or change quite a lot of iptables settings. It's impractical to change settings afterwards with iptables, since YaST adds large amounts of lines to it, making even reading it somewhat complicated.
What I'm missing is some sort of file, where those settings are saved. I'm used to Debian systems, where those files are loaded with iptables-restore from a file that was usually generated by iptables-save.
Is there such a file on SuSE SLES? And if yes, where is it?
And where does SLES save those settings?
On Debian, I've got the following settings in one of my iface definitions in /etc/network/interfaces:
Both rules files were generated with iptables-save.
I assume there is something similar on SLES, but I couldn't find where it is.
iptables-save and iptables-restore work as you are used to on any other system (covered in the man pages, but, short of things that change with version changes, I'm sure it will all be the same...you'll already be aware that there is no default file to which iptables-save writes; it writes to stdout, oddly); the problem that you actually have is that yast believes that it is managing the firewall and you are fighting with it. There seem to be several possibilities:
you could let yast carry on managing things and modify the entries from the GUI
you could let yast carry on thinking that it is managing things and use something else (-save and -restore, if that's what you are happy with, but a firewall gui could be made to work, too). This means after yast has run you clear all its rules and instantiate your own (if using -save and -restore, you just have to make sure that it all happens after yast has wasted its time doing its own thing). This doesn't sound like a particularly clean way of doing things, but you do get a firewall all through the boot process (except for the very brief periods of instantiation - the paranoid can turn off the interfaces while that's happening)
you could tell yast not to do anything with the firewall and do it all yourself in pretty much the way that you are used to. Under SuSE, I don't think the 'interfaces' file works as you are used to, but you just put the -restore in the appropriate places in the startup and shutdown processes. As yast runs the firewall in two phases (one early 'just block stuff, with a few exceptions, while we are booting' phase, and a later phase when booting is pretty much done), you might still want to run a similar ruleset to that generated by phase 1 early on, and then run your full ruleset as your ph2. Once you have the two rulesets, -save and -restore will do it for you instead of yast. (Although I don't know of anyone else who does this 'two phase' stuff, so you might find that unduly paranoid. Paranoid is good when dealing with security, though.)
I just spent a day trying to get openSUSE 11.0 to load some custom iptables settings in conjunction with the SUSEfirewall at boot. I've got it working now so I thought I'd share:
1. forget about trying to set up a script to run like a service with chkconfig. It just won't work (even with S99!). I suspect the firewall flushes the settings later, after these rc.d scripts are executed, it's not clear how or why the settings get ignored but trust me - they will be ignored.
2. You'll need to edit /etc/sysconfig/scripts/SuSEfirewall2-custom. Put the custom iptables commands where appropriate, details are given in the file itself. Do read what is in the file because there is no man page for this.
What I wanted this for was to get postfix to listen on another port as well as 25. Fiddling with postfix itself can produce an open relay and so is not advised. A more elegant solution is to use iptables with the following command:
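The poster's actual command is not reproduced on the page. As an added example (my own, not from either reply), the script below builds the two rulesets the earlier reply describes, a minimal phase 1 for early boot and the full phase 2 once booting is done, in iptables-save format so each can be loaded with iptables-restore; the phase 2 generator optionally adds the nat REDIRECT that makes a second port reach the SMTP listener on 25, which is the later post's use case. Port numbers and the output directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: build the two rulesets reply 1 describes
# (a minimal phase 1 applied early in boot, the full phase 2 once booting is
# done) in iptables-save format, so each can be loaded with iptables-restore.
# Port numbers and paths are constructed for illustration.

# Phase 1: drop everything inbound except loopback and replies to our own traffic.
phase1_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Phase 2: phase 1 plus the services offered. $1 = TCP ports to accept,
# $2 = optional extra port to redirect to 25 (the second-SMTP-listener case).
phase2_rules() {
    ports=$1
    extra_smtp_port=$2
    phase1_rules | sed '/^COMMIT$/d'         # reuse the phase 1 filter rules
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    echo 'COMMIT'
    if [ -n "$extra_smtp_port" ]; then
        # REDIRECT rewrites the destination port in nat PREROUTING, before
        # the filter table sees the packet, so only port 25 needs an ACCEPT.
        echo '*nat'
        echo ':PREROUTING ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo ':POSTROUTING ACCEPT [0:0]'
        echo "-A PREROUTING -p tcp --dport $extra_smtp_port -j REDIRECT --to-ports 25"
        echo 'COMMIT'
    fi
}

# Write both files under $1; the boot script for each phase then runs
# "iptables-restore < FILE" (phase 2 could also go in a SuSEfirewall2-custom hook).
write_rulesets() {
    dir=${1:?destination directory required}
    mkdir -p "$dir"
    phase1_rules > "$dir/phase1.rules"
    phase2_rules "22 25" 2525 > "$dir/phase2.rules"
}
```

Before wiring a file into the boot process, `iptables-restore --test < phase2.rules` (as root) parses it without touching the live tables.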