[plug] firewall on SuSE SLES9

Bernd Felsche bernie at innovative.iinet.net.au
Wed May 10 16:35:52 WST 2006


Denis Brown <dsbrown at cyllene.uwa.edu.au> writes:

>Had a slight "oops" in regards to a SuSE SLES9-based server.   Did
>an upgrade and one of the patches applied was for firewall.
>Testing revealed that after the patching my nice shiny ruleset was
>toast - server pretty much open to the World.   Ouch.

>No worries I thought... just iptables-restore < previous-saved-ruleset

That's not the way in which SuSE's firewalling works. At least not
with SuSE 8.2 and later.

YaST maintains /etc/sysconfig/SuSEfirewall which has the text rules
for building iptables. The rules are 'satisfactory' for most
installations. Further tamper^Wtuning can be done within
/etc/sysconfig/scripts/, usually in SuSEfirewall2-custom which NEVER
gets trashed by an update.

When you do an update of the system that affects SuSEfirewall
default configuration, the new configuration file is created, called
SuSEfirewall.rpmnew ... SuSE updates always preserve configuration
files that have changed from the default.

The update doesn't trash your previous configuration.

SuSEfirewall is, by default, *closed*. You get SFA traffic through it.

If you set up your own rules outside of the SuSEfirewall regime,
then every update affecting the network has the potential to trash
the rules.

I've run *thousands* of updates on SuSE-powered firewalls and not
once has it lost the configuration through an update.

>But the firewall upgrade must have been more extensive, or it cannot read 
>previous format because now the ruleset is blank (when do iptables -L)

>Is there somewhere a fresh ruleset that I can just iptables-restore from 
>and then start cutting my rules again?

>Supplementary question... what are people using to manage firewalls
>- pref.  ncurses-based because I remotely admin this one and do not
>want to run a gui on it if at all possible.   Would be open to
>running Apache though so I suppose this opens the way for webmin
>and allies?

vi /etc/sysconfig/SuSEfirewall   :-)
-- 
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | "Laws do not persuade just because
 X   against HTML mail     |  they threaten."
/ \  and postings          | Lucius Annaeus Seneca, c. 4BC - 65AD.
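As an added example (not Bernd's code, nor part of SuSEfirewall), a POSIX sh script with the two checks worth running after such an update: count and diff the .rpmnew files an update left under /etc/sysconfig so the new defaults can be merged by hand, and test a saved ruleset in iptables-save format for the open-to-the-world state Denis describes. The directory, file names, variable names and rule contents are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post or from SuSE's own scripts.
# Directory and file contents below are constructed samples.

# Print the count of *.rpmnew files in DIR; for each one, write a unified diff
# against the live config to stderr so the update's changes can be merged by hand.
rpmnew_report() {
    dir="$1"; n=0
    for new in "$dir"/*.rpmnew; do
        [ -e "$new" ] || continue
        live="${new%.rpmnew}"
        n=$((n + 1))
        echo "== $live: update left $new" >&2
        if [ -e "$live" ]; then
            diff -u "$live" "$new" >&2 || true   # exit 1 only means "differs"
        else
            echo "   (no live file to compare against)" >&2
        fi
    done
    echo "$n"
}

# Exit 0 if a ruleset in iptables-save format leaves the host open: the filter
# table has ACCEPT policies on INPUT and FORWARD and contains no -A rules at all,
# which is what a blank 'iptables -L' after a botched update amounts to.
ruleset_is_open() {
    awk '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && /^:(INPUT|FORWARD) / && $2 != "ACCEPT" { closed = 1 }
        table == "filter" && /^-A / { closed = 1 }
        END { exit (closed ? 1 : 0) }
    ' "$1"
}

# Constructed sample tree: a live SuSEfirewall2 config next to the .rpmnew an
# update left, plus an open and a closed saved ruleset. Prints the directory.
make_samples() {
    d=$(mktemp -d)
    printf 'FW_DEV_EXT="eth0"\nFW_SERVICES_EXT_TCP="22"\n' > "$d/SuSEfirewall2"
    printf 'FW_DEV_EXT="eth0"\nFW_SERVICES_EXT_TCP=""\n' > "$d/SuSEfirewall2.rpmnew"
    printf '*filter\n:INPUT ACCEPT [0:0]\n:FORWARD ACCEPT [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' \
        > "$d/open.rules"
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n' \
        > "$d/closed.rules"
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' '-A INPUT -p tcp --dport 22 -j ACCEPT' 'COMMIT' \
        >> "$d/closed.rules"
    echo "$d"
}
```

Run `d=$(make_samples); rpmnew_report "$d"; ruleset_is_open "$d/open.rules" && echo OPEN` to see both checks against the sample tree; on a real box point them at /etc/sysconfig and the output of iptables-save.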