SuSEfirewall2: HowTo open Ports for Services in the Suse / openSUSE Firewall
Versions: openSUSE 10.2, 10.3, 11.x
Put Network Interfaces in the External Zone
You take the attitude that everything outside your workstation is hostile and deny all communications by default, allowing only what you specifically permit. SuSEfirewall2 is designed to do exactly that for interfaces that are placed in the External Zone. So you place your network interfaces in the External Zone and then set about allowing the services that you need.
Go to Yast --> Security and Users --> Firewall --> Interfaces. Your network interfaces should be listed as External. If not, highlight each one and click Change --> External. You should also see an extra interface labelled "any" that is set to External. That simply means any interface that's not specifically assigned will default to the External Zone. If "any" is set to a different zone, change it to External unless you have a reason not to.
About Ports: You allow services to operate through firewalls by opening one or more ports for each service. You can find a comprehensive listing of ports and services on the IANA site (IANA = Internet Assigned Numbers Authority). The rest of this tutorial focuses mainly on ports.
Services that are Pre-Listed in the Firewall Allowed Services Module
The openSUSE developers have gathered a non-exhaustive list of common services into a drop-down list in Yast to make activation easy. If you go to Yast --> Security and Users --> Firewall --> Services, you find a drop-down list that allows you to include services to allow through SuSEfirewall2. You can see the complete list there, but here are some of the more common ones:
If you want to quickly check which services have been allowed via Yast's Firewall Allowed Services module, issue this command in a console and they will be listed:
Notes - All "Allowed Services": The number of services included in the drop-down list available in the Firewall Allowed Services Module has increased over time. For 11.1 it was: apache2, apache2-ssl, avahi, dhcp-server, dnsmasq-dns, netbios-server, ntp, samba-server, vnc-server, xorg-x11-server, cups, dnsmasq-dhcp, mysql, nfs-client, postfix, sshd, vnc-httpd, xdmcp, ypbind. For port assignments check the table above or the files in directory /etc/sysconfig/SuSEfirewall2.d/services or the IANA site.
Notes - VNC: Don't be confused by the overlap between the two services in the table labelled "VNC" and "VNC Server". The first opens 100 ports, the second only one port. There's no conflict if they're both opened.
Notes - Samba: This segment is for Techno-geeks who don't have a life outside Linux. For the rest of us, I show in pictorial detail how to open the firewall for Samba in the Appendix.
For Geeks, Nerds and other Ne'er-do-wells: Prior to openSUSE 11.0, the four ports 137, 138, 139 and 445 were opened by the "Samba Server" function in the drop-down list. In 11.0 a new feature, Netbios Server, was introduced and now Netbios Server takes care of 137 & 138 while Samba Server takes care of 139 & 445.
But that's not all: The Netbios Server service in 11.x now opens these broadcast ports: 137 & 138. In addition, from openSUSE 11.0 a connection tracking module was included in SuSEfirewall2. You activate this in terms of an IP range over which UDP 137 connections are tracked (stop worrying). Prior to 11.0, the "conntrack" functionality didn't exist and was worked around by defining a trusted network for UDP highports (I said stop worrying).
The upshot of all of this progress is that in addition to Samba Server and (from 11.0 inclusive) Netbios Server, you also open SuSEfirewall2 for Broadcast Replies. This is really easy and is covered in the Appendix.
Services that are NOT Pre-Listed in the Firewall Allowed Services Module
There are thousands of services, so if you want to include one that isn't in the drop-down list from the paragraphs above, you can add the relevant ports in the so-called Advanced mode of the Firewall Allowed Services module. Go to Yast --> Security & Users --> Firewall --> Allowed Services --> Advanced. Add your ports as space-delimited lists in the appropriate row (TCP, UDP and so on). Ranges are designated by a colon; e.g. ten VNC ports from 5905 to 5914 would be 5905:5914. You may use service names instead of numerical ports; e.g. http and 80 are the same.
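The Advanced rows above are stored as space-separated strings in /etc/sysconfig/SuSEfirewall2, so the same syntax rules (numbers, colon ranges, service names) can be checked before the firewall is reloaded, and the keys can be read back to list what the External Zone allows (the console check mentioned earlier). This is an added example, not code from the tutorial; it assumes the key names FW_DEV_EXT, FW_CONFIGURATIONS_EXT, FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP, and the sample file it writes is constructed here rather than taken from a real system.

```shell
# Added example (not from the tutorial). Assumes the sysconfig keys named in the
# lead-in; the sample file at the bottom is constructed for demonstration only.

# One Advanced-mode token: a port number, a low:high range, or a service name.
check_port_token() {
    t=$1
    case "$t" in
        *:*)   # range written with a colon, e.g. 5905:5914 (a hyphen is rejected)
            lo=${t%%:*}; hi=${t#*:}
            case "$lo" in ''|*[!0-9]*) return 1;; esac
            case "$hi" in ''|*[!0-9]*) return 1;; esac
            [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -lt "$hi" ] ;;
        '')    return 1 ;;
        *[!0-9]*)   # service name such as http, looked up by SuSEfirewall2 in /etc/services
            case "$t" in [a-z]*) ;; *) return 1;; esac
            case "$t" in *[!a-z0-9-]*) return 1;; esac ;;
        *)     [ "$t" -ge 1 ] && [ "$t" -le 65535 ] ;;
    esac
}

# A whole row as typed into the dialog; prints every rejected token, returns 1 if any.
check_port_list() {
    rc=0
    for tok in $1; do
        check_port_token "$tok" || { echo "rejected: $tok"; rc=1; }
    done
    return $rc
}

# Read one KEY="value" line from a sysconfig file without sourcing it
# (sourcing would execute anything else the file contains).
sysconfig_value() {
    sed -n "s/^$2=\"\\(.*\\)\"/\\1/p" "$1" | tail -n 1
}

# Constructed sample: eth0 external, three pre-listed services, ten VNC displays
# plus http on TCP, and a reversed range on UDP that the check should catch.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
FW_DEV_EXT="eth0"
FW_CONFIGURATIONS_EXT="sshd samba-server netbios-server"
FW_SERVICES_EXT_TCP="5905:5914 http"
FW_SERVICES_EXT_UDP="137 138 5000:4000"
EOF
echo "external interfaces: $(sysconfig_value "$SAMPLE" FW_DEV_EXT)"
echo "allowed services:    $(sysconfig_value "$SAMPLE" FW_CONFIGURATIONS_EXT)"
for proto in TCP UDP; do
    list=$(sysconfig_value "$SAMPLE" "FW_SERVICES_EXT_$proto")
    echo "$proto row: $list"
    check_port_list "$list" || echo "fix the $proto row before reloading SuSEfirewall2"
done
```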
The following references will help you find the correct assignments:
Here are a few examples to show you the sorts of things you can add under the Advanced button in the Firewall Allowed Services Module:
Many of these services will be associated with transmission over the Internet. So far we have been discussing passage of packets via ports through SuSEfirewall2 on workstations. There will usually also be an extra overarching firewall for the LAN where it connects to the Internet, frequently by a hardware router containing the overarching firewall. You need to arrange passage through these devices too. Packets are forwarded from the IP address on the Internet side of the router, via the associated ports to the IP address of the target workstation on the LAN side of the router. There's an example on this site that gives a good overview of Port Forwarding through a hardware router. It's a tutorial for allowing Ktorrent through the router and firewall protecting a home LAN, including screenshots, and could be used as a model for most simple cases of Port Forwarding.
I hope this tutorial makes life a bit easier for you.
Swerdna: December 05 2006; last updated 07 February 2009
APPENDIX: Opening the Firewall for Samba
There are several GUI tools in Yast for the firewall. Some are better than others. The following methods are the best in my experience. It's a two step process for openSUSE 11.1 and 11.2 and three steps for openSUSE 11.0.
Step 1: Place the network interfaces in the External Zone
You treat your interfaces as if everything external to an individual workstation is suspect, including your local LAN. Consequently you prevent all contacts except those that you specifically authorise. Hence the interfaces are placed into the External Zone. Go to Yast --> Security and Users --> Firewall --> Interfaces. Check and if necessary change zones for your network interfaces to External Zone.
Step 2: "Allowed Services" for Samba
Open Yast --> Security and Users --> Firewall. Select Allowed Services from the list in the left column. Make sure the panel is set to External Zone in the drop-down list in the top portion.
Now look at the drop-down list under the heading Service to Allow. Select Samba Server. Click the Add button and it will appear in the panel below the heading Service to Allow. Repeat the procedure to insert Netbios Server as a service in the panel. Repeat the procedure once again for openSUSE 11.1 and 11.2 and insert Samba Client in the panel [Note that 'Samba Client' is not available in openSUSE 11.0 and a different procedure is used for 11.0 (see next para)].
Step 3: Samba Client for openSUSE 11.0 alone (not for openSUSE 11.1 or 11.2)
Open Yast --> Security and Users --> Firewall. Select Broadcast from the list in the left column. The Broadcast configurator in the screenshot opens.
You configure Broadcast replies in the lower part titled Accepting the Broadcast Reply. There are three possible configurations, listed below:
Type 1: No entry, the panel is empty
Type 2: External Zone | Samba Browsing | All networks
Type 3: External Zone | Samba Browsing | e.g. 192.168.1.0/24
Type 1 is where the firewall is closed to Broadcast replies. It must be changed.
Type 2 accepts Broadcasts from all networks. See the screenshot to the right. This allows Samba and is acceptable in most cases. It's recommended for normal users. If there's an entry different from the screenshot, highlight it and select the button to delete it. When it's empty, click the Add button. 0/0 will appear in a network dialogue. Click Add again and the panel will appear as in the screenshot. Click Next to exit.
Type 3 accepts broadcast replies only from the IP range of your LAN (e.g. 192.168.1.0/24). It is the highest security and is implemented by experts and administrators. I've linked an example screenshot for completeness.