SuSEfirewall2 is a script that reads the
variables set in /etc/sysconfig/SuSEfirewall2 to
generate a set of iptables rules.
It defines three security zones, although
only the first and the second one are considered in the following sample
- External Zone
Given that there is no way to control what is happening on the external
network, the host needs to be protected from it. In most cases, the
external network is the Internet, but it could be
another insecure network, such as a WLAN.
- Internal Zone
This refers to the private network, in most cases the LAN. If the hosts on
this network use IP addresses from the private range (see
Netmasks and Routing), enable network address
translation (NAT), so hosts on the internal network can access the
- Demilitarized Zone (DMZ)
While hosts located in this zone can be reached both from the external
and the internal network, they cannot access the internal network
themselves. This setup can be used to put an additional line of defense
in front of the internal network, because the DMZ systems are isolated from
the internal network.
Any kind of network traffic not explicitly allowed by the filtering
is suppressed by iptables. Therefore, each of
the interfaces with incoming traffic must be placed into one of the three
zones. For each of the zones, define the services or
protocols allowed. The rule set is only applied to packets
originating from remote hosts. Locally generated packets are not captured
by the firewall.
The configuration can be performed with YaST (see Section 38.4.1,
Configuring the Firewall with YaST). It can also be made
manually in the file
/etc/sysconfig/SuSEfirewall2, which is well commented.
Additionally, a number of example scenarios are available in
38.4.1 Configuring the Firewall with YaST
IMPORTANT: Automatic Firewall Configuration
After the installation, YaST automatically starts a firewall on all
configured interfaces. If a server is configured
and activated on the system, YaST can modify the
automatically-generated firewall configuration
with the options or in the
server configuration modules. Some server module
dialogs include a button
for activating additional services and ports.
The YaST firewall configuration module can
be used to activate, deactivate, or
reconfigure the firewall.
The YaST dialogs for the graphical configuration can be accessed from the
YaST Control Center. Select . The configuration is divided
into seven sections that can be accessed directly from the
tree structure on the left side.
Set the start-up behavior in this dialog. In a default
installation, SuSEfirewall2 is started automatically. You can
also start and stop the firewall here.
To implement your new settings in a running firewall, use .
All known network interfaces are listed here. To remove an
interface from a zone, select the interface, press
, and choose
. To add an interface to a zone,
select the interface, press and
choose any of the available zones. You may also create a
special interface with your own settings by using
- Allowed Services
You need this option to offer services from your system to a
zone from which it is protected. By default, the system is only
protected from external zones.
Explicitly allow the services that should be
available to external hosts. Activate the services
after selecting the desired zone in
Masquerading hides your internal network from external
networks, such as the Internet, while enabling hosts in the
internal network to
access the external network transparently. Requests from the
external network to the internal one are blocked and
requests from the internal network seem to be issued by the
masquerading server when seen externally.
If special services of an internal machine need to be available
to the external network, add special redirect rules for
In this dialog, configure the UDP ports that allow
broadcasts. Add the required port numbers or services
to the appropriate zone, separated by spaces. See also
the file /etc/services.
The logging of broadcasts that are not accepted can be enabled
may be problematic, because Windows hosts use broadcasts to
know about each other and so generate many packets that are not
- IPsec Support
Configure whether the IPsec service should be available to the
external network in this dialog. Configure
which packets are trusted under
- Logging Level
There are two rules for the logging: accepted and not accepted
packets. Packets that are not accepted are DROPPED or
REJECTED. Select from ,
, or for both of them.
When completed with the firewall configuration, exit this dialog with
. A zone-oriented
summary of your firewall configuration then opens. In it, check
all settings. All services, ports, and protocols that have
been allowed are
listed in this summary. To modify the
configuration, use . Press
to save your configuration.
38.4.2 Configuring Manually
The following paragraphs provide step-by-step instructions for a successful
configuration. Each configuration item is marked as to
whether it is relevant to firewalling or masquerading. Aspects related to
the DMZ (demilitarized zone) as mentioned in the configuration file are not
covered here. They are applicable only to a more complex network
infrastructure found in larger organizations (corporate networks), which
require extensive configuration and in-depth knowledge about the
First, use the YaST module System Services (Runlevel) to enable SuSEfirewall2 in your
runlevel (3 or 5 most likely). It sets the symlinks for the
SuSEfirewall2_* scripts in the /etc/init.d/rc?.d/ directories.
FW_DEV_EXT (firewall, masquerading)
The device linked
to the Internet. For a modem connection, enter
ppp0. For an ISDN link, use ippp0.
DSL connections use dsl0.
Specify auto to use the interface that
corresponds to the default route.
FW_DEV_INT (firewall, masquerading)
The device linked
to the internal, private network (such as eth0).
Leave this blank if there is no internal network and the firewall
protects only the host on which it runs.
FW_ROUTE (firewall, masquerading)
If you need the
masquerading function, set this to yes.
Your internal hosts will not be visible to the outside, because their
private network addresses (e.g., 192.168.x.x)
are ignored by Internet routers.
For a firewall without masquerading, only set this to
yes if you want to allow access to the internal
network. Your internal hosts need to use officially registered IPs in
this case. Normally, however, you should not allow
access to your internal network from the outside.
Set this to yes if you need the masquerading function.
This provides a virtually direct connection to the Internet for
the internal hosts. It
is more secure to have a proxy server between the hosts of the internal
network and the Internet. Masquerading is not needed for
services a proxy server provides.
Specify the hosts or
networks to masquerade, leaving a space between the individual entries.
Set this to
yes to protect your firewall host from attacks
originating in your internal network. Services are only available to
the internal network if explicitly enabled. Also see
Enter the TCP ports
that should be made available. Leave this blank for a normal workstation
at home that should not offer any services.
Leave this blank unless
you run a UDP service and want to make it available to the outside.
The services that use UDP include include DNS servers, IPSec,
TFTP, DHCP and others.
In that case, enter the UDP ports to use.
With this variable, define the services available for the internal
network. The notation is the same as for
FW_SERVICES_EXT_TCP, but the settings are applied to
the internal network. The variable only needs to be
set if FW_PROTECT_FROM_INT is set to
After configuring the firewall, test your setup.
The firewall rule sets are created by entering SuSEfirewall2
start as root. Then use
telnet, for example, from an external host to
see whether the connection is actually denied. After that, review
/var/log/messages, where you should see something like
Mar 15 13:21:38 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0
OUT= MAC=00:80:c8:94:c3:e7:00:a0:c9:4d:27:56:08:00 SRC=192.168.10.0
DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=15330 DF PROTO=TCP
SPT=48091 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Other packages to test your firewall setup are nmap or nessus.
The documentation of nmap is found at
/usr/share/doc/packages/nmap and the
documentation of nessus resides in the directory
installing the respective package.