SuSEfirewall2: HowTo open Ports for Services in the Suse / openSUSE Firewall
Versions: openSUSE 11.x
Put Network Interfaces in the External Zone
You take the attitude that everything outside your workstation is hostile and deny all communications by default, allowing only what you specifically permit. SuSEfirewall2 is designed to do exactly that for interfaces placed in the External Zone. So you place your network interfaces in the External Zone and then allow only the services that you need.
GoTo Yast --> Security and Users --> Firewall --> Interfaces. Your network interfaces should be listed as External. If not, highlight each one and click Change --> External. You should also see an extra pseudo-interface labelled "any", assigned to External. That simply means any interface that is not specifically assigned defaults to the External Zone. If "any" is set to a different zone, change it to External unless you have a reason not to.
About Ports: You allow services to operate through firewalls by opening one or more ports for each service. You can find a comprehensive listing of ports and services on the IANA site (IANA = Internet Assigned Numbers Authority). The rest of this tutorial focuses mainly on ports.
Services that are Pre-Listed in the Firewall Allowed Services Module
The openSUSE developers have gathered a non-exhaustive list of common services into a list in Yast to facilitate easy activation. If you GoTo Yast --> Security and Users --> Firewall --> Services, you find a drop-down list that allows you to include Services to allow through SuSEfirewall2. You can see the complete list there but here are some of the more common ones:
| Service | TCP Ports | UDP Ports | Comments |
| CUPS (aka IPP) | 631 | 631 | Internet Printing Protocol; see tutorial |
| http | 80 | | Apache web server |
| https | 443 | | Apache-ssl secure web server |
| Samba server | 139 445 | | 139=netbios-ssn, 445=microsoft-ds |
| netbios server | | 137 138 | 137=netbios-ns, 138=netbios-dgm |
| Samba client | | 137 (related) | needs the nf_conntrack_netbios_ns module |
| ssh | 22 | | Secure shell (remote login) |
| rdp (xrdp) | 3389 | | Windows terminal services; see xrdp tutorial |
| vnc server | 5900-5999 | | Xinetd xvnc & TightVNC |
| vnc mini http server | 5800-5899 | | Xinetd xvnc & TightVNC |
| vnc (xorg-x11-vnc) | 5901 | | Yast Remote Administration (VNC) |
| mysql | 3306 | | |
If you want to quickly check which services you have allowed using Yast's Firewall Allowed Services module, issue this command in a console and they will be listed:
Advanced users will find the complete properties of the services in files in the directory /etc/sysconfig/SuSEfirewall2.d/services.
Notes - All "Allowed Services": The number of services included in the drop-down list available in the Firewall Allowed Services Module has increased slowly with each new openSUSE release since 11.0. For port assignments check the table above -or- the files in directory /etc/sysconfig/SuSEfirewall2.d/services -or- the IANA site.
Notes - VNC: Don't be confused by the overlap between the two services in the table labelled "vnc server" and " vnc (xorg-x11-vnc)". The first opens 100 ports, the second only one port. There's no conflict if they're both opened.
Notes - Samba: The openSUSE Devs have struggled with Samba and SuSEfirewall2 since Suse Linux 10.0 through to openSUSE 11.2. I've included an easy pictorial guide for the 11.x openSUSE series in the Appendix.
Services that are NOT Pre-Listed in the Firewall Allowed Services Module
There are thousands of services, so if you want to include one that isn't in the drop-down list from the paragraphs above, you can add the relevant ports in the so-called Advanced mode of the Firewall Allowed Services module. GoTo Yast --> Security & Users --> Firewall --> Allowed Services --> Advanced. Add your ports as space-separated lists in the appropriate row (TCP, UDP and so on). Ranges are designated by a colon; e.g. ten VNC ports from 5905 to 5914 would be 5905:5914. You may use service names instead of numerical ports; e.g. http and 80 are the same.
The following references will help you find the correct assignments:
Here are just two examples to show you the sorts of things you can add under the Advanced button in the Firewall Allowed Services Module:
| Service | TCP Ports | UDP Ports | Comments |
| ktorrent | 6881 | 4444 | See Ktorrent Tutorial |
| lpd (AKA lpr) | 515 | 515 | Line Printer Daemon Protocol |
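Everything the Yast dialogs above do ends up as plain variables in /etc/sysconfig/SuSEfirewall2 and in the service definition files under /etc/sysconfig/SuSEfirewall2.d/services, so you can audit the result without Yast. The script below is an added example, not code from the tutorial or from the SuSEfirewall2 package: it builds a constructed copy of that layout in a scratch directory and lists the TCP and UDP ports that are effectively open in the External Zone, resolving each "Allowed Services" entry through its definition file. The variable names FW_DEV_EXT, FW_CONFIGURATIONS_EXT and FW_SERVICES_EXT_TCP/_UDP are SuSEfirewall2's own; all values and the small name-to-port table are sample data. To audit a real box, point the functions at "/" instead of the scratch root.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Builds a constructed copy of the
# SuSEfirewall2 configuration layout under a scratch directory and lists the
# ports that end up open in the External Zone, resolving each "Allowed
# Services" entry through its definition file as SuSEfirewall2 does.
# FW_DEV_EXT, FW_CONFIGURATIONS_EXT, FW_SERVICES_EXT_TCP/_UDP and the
# SuSEfirewall2.d/services directory are SuSEfirewall2's own names; every
# value below is sample data, not copied from a real system.

build_sample_config() {   # $1 = scratch root
  sysconfig="$1/etc/sysconfig"
  mkdir -p "$sysconfig/SuSEfirewall2.d/services"
  cat > "$sysconfig/SuSEfirewall2" <<'EOF'
# constructed excerpt of /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="any"
FW_DEV_INT=""
FW_CONFIGURATIONS_EXT="sshd samba-server netbios-server"
FW_SERVICES_EXT_TCP="6881 5905:5914"
FW_SERVICES_EXT_UDP="4444"
EOF
  cat > "$sysconfig/SuSEfirewall2.d/services/sshd" <<'EOF'
TCP="ssh"
UDP=""
EOF
  cat > "$sysconfig/SuSEfirewall2.d/services/samba-server" <<'EOF'
TCP="netbios-ssn microsoft-ds"
UDP=""
EOF
  cat > "$sysconfig/SuSEfirewall2.d/services/netbios-server" <<'EOF'
TCP=""
UDP="netbios-ns netbios-dgm"
EOF
}

# Value of a KEY="..." line in a sysconfig-style file (last one wins).
conf_value() {   # $1 = file, $2 = key
  sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Service files may use names ("ssh") instead of numbers; SuSEfirewall2
# resolves them through /etc/services. This small table stands in for that
# lookup so the example runs offline.
port_number() {
  case $1 in
    ssh) echo 22 ;;   http) echo 80 ;;   https) echo 443 ;;
    netbios-ns) echo 137 ;;   netbios-dgm) echo 138 ;;
    netbios-ssn) echo 139 ;;   microsoft-ds) echo 445 ;;
    *) echo "$1" ;;   # already numeric, or a range such as 5905:5914
  esac
}

# Interfaces in the External Zone; "any" means every interface that is not
# explicitly placed in another zone.
external_devices() {   # $1 = scratch root
  conf_value "$1/etc/sysconfig/SuSEfirewall2" FW_DEV_EXT
}

# Sorted, de-duplicated list of $2 (TCP or UDP) ports open in the External
# Zone: every service in FW_CONFIGURATIONS_EXT plus the raw port list that
# the Advanced dialog writes to FW_SERVICES_EXT_<proto>.
external_ports() {   # $1 = scratch root, $2 = TCP or UDP
  conf="$1/etc/sysconfig/SuSEfirewall2"
  svcdir="$1/etc/sysconfig/SuSEfirewall2.d/services"
  {
    for svc in $(conf_value "$conf" FW_CONFIGURATIONS_EXT); do
      if [ ! -r "$svcdir/$svc" ]; then
        echo "warning: no definition file for service '$svc'" >&2
        continue
      fi
      for p in $(conf_value "$svcdir/$svc" "$2"); do port_number "$p"; done
    done
    for p in $(conf_value "$conf" "FW_SERVICES_EXT_$2"); do port_number "$p"; done
  } | sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# Stand-alone run: build the sample tree and show what it opens.
scratch=$(mktemp -d)
build_sample_config "$scratch"
echo "External Zone interfaces: $(external_devices "$scratch")"
echo "TCP ports open: $(external_ports "$scratch" TCP)"
echo "UDP ports open: $(external_ports "$scratch" UDP)"
rm -rf "$scratch"
```

The point of resolving the service files rather than just printing FW_CONFIGURATIONS_EXT is that a service name like "samba-server" hides two ports; the list you get back is what a port scan of the workstation from the LAN should agree with.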
Many of these services will be associated with transmission over the Internet. So far we have been discussing passage of packets via ports through SuSEfirewall2 on workstations. There will usually also be an extra overarching firewall for the LAN where it connects to the Internet, frequently by a hardware router containing the overarching firewall. You need to arrange passage through these devices too. Packets are forwarded from the IP address on the Internet side of the router, via the associated ports to the IP address of the target workstation on the LAN side of the router. There's an example on this site that gives a good overview of Port Forwarding through a hardware router. It's a tutorial for allowing Ktorrent through the router and firewall protecting a home LAN, including screenshots, and could be used as a model for most simple cases of Port Forwarding.
I Hope this Tutorial makes life a bit easier for you.
Swerdna: December 05 2006; last updated 22 May 2010
APPENDIX: Opening the Firewall for Samba
There are several GUI tools in Yast for the firewall. Some are better than others. The following methods are the best in my experience. It's a two step process for openSUSE 11.1 and 11.2 and three steps for openSUSE 11.0.
Step 1: Place the network interfaces in the External Zone
You treat your interfaces as if everything external to an individual workstation is suspect, including your local LAN. Consequently you prevent all contacts except those that you specifically authorise. Hence the interfaces are placed into the External Zone. Go to Yast --> Security and Users --> Firewall --> Interfaces. Check and if necessary change zones for your network interfaces to External Zone.
Step 2: "Allowed Services" for Samba
Open Yast --> Security and Users --> Firewall. Select Allowed Services from the list in the left column. Make sure the panel is set to External Zone in the drop-down list in the top portion.
Now look at the drop-down list under the heading Service to Allow. Select Samba Server. Click the Add button and it will appear in the panel below the heading Service to Allow. Repeat the procedure to insert Netbios Server as a service in the panel. Repeat the procedure once again for openSUSE 11.1 and 11.2 and insert Samba Client in the panel [Note that 'Samba Client' is not available in openSUSE 11.0 and a different procedure is used for 11.0 (see next para)].
Step 3: Samba Client for openSUSE 11.0 alone (not for openSUSE 11.1 or 11.2)
Open Yast --> Security and Users --> Firewall. Select Broadcast from the list in the left column. The Broadcast configurator in the screenshot opens.
You set for Broadcast replies in the lower part titled Accepting the Broadcast Reply. There are three possible configurations, listed below:
Type 1: No entry, the panel is empty
Type 2: External Zone | Samba Browsing | All networks
Type 3: External Zone | Samba Browsing | e.g. 192.168.1.0/24
Type 1 is where the firewall is closed to Broadcast replies. It must be changed.
Type 2 accepts broadcast replies from all networks. See the screenshot to the right. This allows Samba and is acceptable in most cases. It's recommended for normal users. If there's an entry different from the screenshot, highlight it and select the button to delete it. If/when it's empty, click the Add button. 0/0 will appear in a network dialogue. Click Add again and the panel will appear as in the screenshot. Click Next to exit.
Type 3 accepts broadcast replies only from the IP range of your LAN (e.g. 192.168.1.0/24). It is the highest security and is implemented by experts and administrators. I've linked an example screenshot for completeness.
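Whichever of the steps above you followed, the check that matters is whether the kernel ruleset now accepts all four Samba ports (udp/137, udp/138, tcp/139, tcp/445), and from which networks. The script below is an added example, not code from the tutorial or from SuSEfirewall2: it reads iptables-save output and reports each Samba port as open (with the source network, where 0/0 means any, which is the Type 2 case; a LAN prefix such as 192.168.1.0/24 is the Type 3 case) or CLOSED. SAMPLE_RULES is a constructed excerpt in iptables-save format, modelled on the input_ext chain that SuSEfirewall2 uses for the External Zone, with udp/138 deliberately missing so the failure case is visible; on a real box pipe the output of iptables-save into samba_check instead.

```shell
#!/bin/sh
# Added example, not part of the tutorial: confirm from the live ruleset
# that the four Samba ports are really accepted instead of trusting the
# Yast dialogs. SAMPLE_RULES is a constructed excerpt in iptables-save
# format, modelled on the input_ext chain SuSEfirewall2 builds for the
# External Zone; on a real box replace it with the output of iptables-save.
# udp/138 is deliberately left out so the check shows a failure.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j input_ext
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 139 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 445 -j ACCEPT
-A input_ext -s 192.168.1.0/24 -p udp -m udp --dport 137 -j ACCEPT
-A input_ext -j DROP
COMMIT'

# Read iptables-save output on stdin and report each Samba port as open
# (with the source network it is open from; 0/0 means any) or CLOSED.
# Exit status is 1 if any port is missing, so the check can gate a script.
samba_check() {
  awk '
    $1 == "-A" && $2 == "input_ext" {
      proto = ""; port = ""; src = "0/0"; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") proto = $(i + 1)
        else if ($i == "--dport") port = $(i + 1)
        else if ($i == "-s") src = $(i + 1)
        else if ($i == "-j") target = $(i + 1)
      }
      if (target == "ACCEPT" && proto != "" && port != "")
        open[proto "/" port] = src
    }
    END {
      n = split("udp/137 udp/138 tcp/139 tcp/445", need, " ")
      missing = 0
      for (i = 1; i <= n; i++) {
        if (need[i] in open)
          printf "%-8s open from %s\n", need[i], open[need[i]]
        else {
          printf "%-8s CLOSED\n", need[i]
          missing++
        }
      }
      exit missing > 0
    }'
}

# Stand-alone run against the constructed ruleset.
printf '%s\n' "$SAMPLE_RULES" | samba_check || echo "Samba is not fully reachable"
```

Only rules in input_ext with an explicit -p and --dport are counted, so a blanket ACCEPT or a rule in another chain does not make a port look open; if your real ruleset allows Samba some other way, the check reports CLOSED and you then know to look at the actual rule rather than at Yast.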