SuSEFirewall configuration
modules/SuSEFirewall.ycp
Interface manipulation of /etc/sysconfig/SuSEFirewall

This module has an unstable interface.
Flag recording whether the configuration has already been read; by default it has not been, and checking the flag reduces the reads from disk to only ONE.
Special string (see 'any' below) which stands for all interfaces not defined in any zone.
Maximal port number; valid port numbers lie in the interval 1-65535 inclusive.
Zone in which the special all-interfaces string is honoured.
Returns whether records in the variable should be written one record per line.
- Parameters:
  - key_name
- Return value:
  - whether one record is written per line
Function sets the internal variable indicating that firewall settings were modified to "true". Do not use this function; it is only for the firewall installation proposal.
Function returns list of known firewall zones (shortnames).
- Return value:
  - list of firewall zones
- Example
  - GetKnownFirewallZones() -> ["DMZ", "EXT", "INT"]
Variable for the ReportOnlyOnce() function.
Report an error, warning or message only once. Stores the already reported text in memory. This is just a helper that keeps y2log from filling up with many copies of the very same message, e.g. when a check is repeated inside a 'foreach()' loop.
- Parameters:
  - what_to_report
- Return value:
  - whether the message should be reported or not
- Example
  - string error = sformat("Port number %1 is invalid.", port_nr);
    if (ReportOnlyOnce(error)) y2error(error);
Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.
- Return value:
  - is_supported: whether the feature is supported or not
Function returns list of variables needed for SuSEFirewall's settings.
- Return value:
  - list of names of variables
Local function for increasing the verbosity level.
Local function for decreasing the verbosity level.
Local function returns whether other functions should produce verbose output (popups, reported errors, etc.).
- Return value:
  - is_verbose
Local function for returning default values (if defined) for sysconfig variables.
- Parameters:
  - variable
- Return value:
  - default value
Local function for reading a list of sysconfig variables into internal variables.
- Parameters:
  - variables
Local function for resetting a list of sysconfig variables in internal variables.
- Parameters:
  - variables
Local function for writing the list of internal variables into sysconfig. The list of variables is a list of keys in the SETTINGS map; to flush the configuration to disk, use `nil` as the last list item.
- Parameters:
  - variables
- Return value:
  - if successful
Local function returns whether a protocol is supported by the firewall. The protocol name must be in upper case.
- Parameters:
  - protocol
- Return value:
  - if protocol is supported
Local function returns whether a zone (shortname like "EXT") is supported by the firewall. Undefined zones are always unsupported.
- Parameters:
  - zone
- Return value:
  - if zone is known and supported
Local function returns the configuration string used in the configuration for a zone. For instance "ext" for the "EXT" zone.
- Parameters:
  - zone
- Return value:
  - zone configuration string
Local function returns the zone name (shortname) for a configuration string. For instance "EXT" for the "ext" zone string.
- Parameters:
  - zone_string
- Return value:
  - zone shortname
Function returns list of allowed services for zone and protocol.
- Parameters:
  - zone
  - protocol
- Return value:
  - list of allowed services/ports
Function sets list of services as allowed ports for zone and protocol.
- Parameters:
  - allowed_services
  - zone
  - protocol
Local function returns configuration string for broadcast packets.
- Parameters:
  - zone
- Return value:
  - string with broadcast configuration
Local function saves configuration string for broadcast packets.
- Parameters:
  - zone
  - broadcast_configuration
Local function returns map of allowed ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets. This function returns only ports that are mentioned in the configuration; it does not return ports that are listed in some service (defined by a package) which is enabled.
Structure:
  $[ "ZONE1" : [ "port1", "port2" ], "ZONE2" : [ "port3", "port4" ], "ZONE3" : [ ] ]
- Return value:
  - map of zone to list of strings; the strings are allowed ports or port ranges
Function creates allowed-broadcast-ports string from broadcast map and saves it.
- Parameters:
  - broadcast
Function returns whether broadcast is allowed for needed ports in zone.
- Parameters:
  - needed_ports
  - zone
- Return value:
  - if allowed
- Example
  - IsBroadcastAllowed (["port-xyz", "53"], "EXT") -> true
Local function removes list of ports from ports allowing broadcast packets in zone.
- Parameters:
  - needed_ports
  - zone
Local function adds list of ports to ports accepting broadcast packets in zone.
- Parameters:
  - needed_ports
  - zone
Local function for removing (disallowing) a single service/port for the given protocol and zone. The function does not take care of port aliases.
- Parameters:
  - remove_service
  - protocol
  - zone
- Return value:
  - success
Local function removes ports and their aliases (if check_for_aliases is true) for the requested protocol and zone.
- Parameters:
  - remove_ports
  - protocol
  - zone
  - check_for_aliases
Local function allows ports for the requested protocol and zone.
- Parameters:
  - add_ports
  - protocol
  - zone
Removes service defined by package (FATE #300687) from enabled services.
- Parameters:
  - service
  - zone
- Example
  - RemoveServiceDefinedByPackageFromZone ("service:irc-server", "EXT");
Adds service defined by package (FATE #300687) into list of enabled services.
- Parameters:
  - service
  - zone
- Example
  - AddServiceDefinedByPackageIntoZone ("service:irc-server", "EXT");
Local function removes well-known service's support from zone. Allowed ports are removed with all of their port aliases.
- Parameters:
  - service
  - zone
Local function adds well-known service's support into zone. First of all it removes the current support for the service, including port aliases.
- Parameters:
  - service
  - zone
By default the SuSEfirewall2 packages are only checked for being installed. With this function you can change the behaviour so that installing the packages is offered as well.
- Parameters:
  - new_status
Returns whether all needed packages are installed.
- Return value:
  - whether SuSEfirewall2 is installed
Function returns whether any of the firewall's configuration was modified.
- Return value:
  - if the configuration was modified
Function resets the flag that prevents reading the configuration from disk again, so the configuration can actually be reread from disk. Currently only the first Read() call reads the configuration from disk.
Function returns localized name of the zone identified by zone shortname.
- Parameters:
  - zone
- Return value:
  - zone name
- Example
  - LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
    LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"
Function sets whether the firewall should be protected from the internal zone.
- Parameters:
  - set_protect
Function returns whether the firewall is protected from the internal zone.
- Return value:
  - if protected from internal
Function sets whether the firewall should support routing.
- Parameters:
  - set_route
Function returns whether the firewall supports routing.
- Return value:
  - if routing is supported
Function sets how the firewall should trust successfully decrypted IPsec packets. The value is a zone name (shortname), or 'no' to trust the packets the same way the firewall trusts the zone the IPsec packet came from.
- Parameters:
  - zone
Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.
- Return value:
  - zone or "no"
Function which returns whether SuSEfirewall2 should be started in the Write process. In fact it means that SuSEfirewall2 will be started at the end of Write().
- Return value:
  - if the firewall should start
Function which sets whether SuSEfirewall2 should be started in the Write process.
- Parameters:
  - start_service
Function which returns whether SuSEfirewall2 should be enabled in the /etc/init.d/ start scripts during the Write() process.
- Return value:
  - if the firewall should be enabled
Function which sets whether SuSEfirewall2 should be enabled in the /etc/init.d/ start scripts during the Write() process.
- Parameters:
  - enable_service
Function starts the services needed for SuSEFirewall.
- Return value:
  - result
Function stops the services needed for SuSEFirewall.
- Return value:
  - result
Function enables the services needed for SuSEFirewall in /etc/init.d/.
- Return value:
  - result
Function disables the services needed for SuSEFirewall in /etc/init.d/.
- Return value:
  - result
Function determines whether all SuSEFirewall scripts are currently enabled in the init scripts in /etc/init.d/. For the configured "enabled" status use GetEnableService().
- Return value:
  - if enabled
Function determines whether at least one SuSEFirewall script is currently started. For the configured "started" status use GetStartService().
- Return value:
  - if started
Function for getting the exported SuSEFirewall configuration.
- Return value:
  - map with configuration
Function for setting the SuSEFirewall configuration from input.
- Parameters:
  - import_settings
Function returns whether the interface is in the zone.
- Parameters:
  - interface
  - zone
- Return value:
  - is in zone
- Example
  - IsInterfaceInZone ("eth-id-01:11:DA:9C:8A:2F", "INT") -> false
Function returns the firewall zone of the interface, nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first appearance is then returned.
- Parameters:
  - interface
- Return value:
  - zone
- Example
  - GetZoneOfInterface ("eth-id-01:11:DA:9C:8A:2F") -> "DMZ"
Function returns list of zones of the requested interfaces.
- Parameters:
  - interfaces
- Return value:
  - firewall zones
- Example
  - GetZonesOfInterfaces (["eth1","eth4"]) -> ["DMZ", "EXT"]
Function returns list of zones of the requested interfaces. The special string 'any' in the 'EXT' zone is supported.
- Parameters:
  - interfaces
- Return value:
  - firewall zones
- Example
  - GetZonesOfInterfaces (["eth1","eth4"]) -> ["EXT"]
Function returns list of maps of known interfaces.
Structure:
  [ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]
- Return value:
  - list of all interfaces
Function returns list of non-dial-up interfaces.
- Return value:
  - list of non-dial-up interface names
- Example
  - GetAllNonDialUpInterfaces() -> ["eth1", "eth2"]
Function returns list of dial-up interfaces.
- Return value:
  - list of dial-up interface names
- Example
  - GetAllDialUpInterfaces() -> ["modem0", "dsl5"]
Function returns list of all known interfaces.
- Return value:
  - list of interfaces
- Example
  - GetListOfKnownInterfaces() -> ["eth1", "eth2", "modem0", "dsl5"]
Function removes interface from the given zone.
- Parameters:
  - interface
  - zone
- Example
  - RemoveInterfaceFromZone ("modem0", "EXT")
Function adds interface into the given zone. All appearances of the interface in other zones are removed.
- Parameters:
  - interface
  - zone
- Example
  - AddInterfaceIntoZone ("eth5", "DMZ")
Function returns list of known interfaces in the requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from the list.
- Parameters:
  - zone
- Return value:
  - list of interfaces
- Example
  - GetInterfacesInZone ("DMZ") -> ["eth4", "eth5"]
Function returns all interfaces already configured in the firewall.
- Return value:
  - list of configured interfaces
Returns list of interfaces not mentioned in any zone and therefore covered by the special string 'any', provided that the requested zone is EXT and that string is present there. If the 'any' feature is not set, the function returns an empty list.
- Parameters:
  - zone
- Return value:
  - list of interfaces covered by special string 'any'
Function returns list of known interfaces in the requested zone. The special string 'any' in the EXT zone covers all interfaces without any zone assignment, so those are included for EXT.
- Parameters:
  - zone
- Return value:
  - list of interfaces
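The interface-to-zone rules described above (one zone per interface, an error on duplicates with the first match winning, special strings filtered out, and 'any' in EXT standing for every unassigned interface) are easy to get subtly wrong. The following Python model is an added example written for this page, not code from SuSEFirewall.ycp; it assumes that the zone lists live in the sysconfig variables FW_DEV_EXT, FW_DEV_INT and FW_DEV_DMZ as space-separated strings, which the page does not state, and the sample configuration and interface names are constructed.

```python
"""Interface-to-zone model of SuSEfirewall2 (added example, not SuSEFirewall.ycp).

Assumption (not stated on the page): the zone lists live in the sysconfig
variables FW_DEV_EXT, FW_DEV_INT and FW_DEV_DMZ as space-separated strings.
"""
import logging

ZONES = ["DMZ", "EXT", "INT"]   # shortnames, as GetKnownFirewallZones() returns them
SPECIAL_STRINGS = {"any", "auto"}
ANY_ZONE = "EXT"                # the only zone in which 'any' is honoured

# Constructed sample configuration: eth2 is (wrongly) in two zones, 'wrong-3'
# is not a known interface, and 'any' makes EXT cover unassigned interfaces.
SAMPLE_SYSCONFIG = {
    "FW_DEV_EXT": "dsl0 any",
    "FW_DEV_INT": "eth1 eth2",
    "FW_DEV_DMZ": "eth2 wrong-3",
}
KNOWN_INTERFACES = ["dsl0", "eth1", "eth2", "eth3", "modem0"]  # constructed


def _var(zone):
    return "FW_DEV_%s" % zone


def interfaces_map(cfg):
    """Like GetFirewallInterfacesMap(): raw zone -> list of strings, specials included."""
    return {zone: cfg.get(_var(zone), "").split() for zone in ZONES}


def zone_of_interface(cfg, iface):
    """Like GetZoneOfInterface(): None if unassigned; logs an error and returns
    the first zone (in ZONES order) if the interface appears in several zones."""
    hits = [zone for zone in ZONES if iface in interfaces_map(cfg)[zone]]
    if len(hits) > 1:
        logging.error("interface %s is in several zones: %s", iface, hits)
    return hits[0] if hits else None


def any_feature_supported(cfg):
    """'any' only counts when it sits in the EXT zone."""
    return "any" in interfaces_map(cfg)[ANY_ZONE]


def interfaces_covered_by_any(cfg, zone, known):
    """Known interfaces assigned to no zone; only non-empty for EXT with 'any' set."""
    if zone != ANY_ZONE or not any_feature_supported(cfg):
        return []
    assigned = {i for names in interfaces_map(cfg).values() for i in names}
    return [i for i in known if i not in assigned]


def interfaces_in_zone(cfg, zone, known):
    """Like GetInterfacesInZone(): drops special strings, unknown interfaces and duplicates."""
    result = []
    for name in interfaces_map(cfg)[zone]:
        if name in known and name not in result:
            result.append(name)
    return result


def interfaces_in_zone_with_any(cfg, zone, known):
    return interfaces_in_zone(cfg, zone, known) + interfaces_covered_by_any(cfg, zone, known)


def special_interfaces_in_zone(cfg, zone, known):
    """Like GetSpecialInterfacesInZone(): everything that is not a known interface."""
    return [n for n in interfaces_map(cfg)[zone] if n in SPECIAL_STRINGS or n not in known]


def add_interface_into_zone(cfg, iface, zone):
    """Like AddInterfaceIntoZone(): removes the interface from every zone first,
    so it can never end up listed in two zones."""
    for z in ZONES:
        cfg[_var(z)] = " ".join(n for n in cfg.get(_var(z), "").split() if n != iface)
    cfg[_var(zone)] = (cfg[_var(zone)] + " " + iface).strip()


def remove_interface_from_zone(cfg, iface, zone):
    cfg[_var(zone)] = " ".join(n for n in cfg.get(_var(zone), "").split() if n != iface)


if __name__ == "__main__":
    cfg = dict(SAMPLE_SYSCONFIG)
    print(zone_of_interface(cfg, "eth2"))                              # DMZ, with an error logged
    print(interfaces_in_zone_with_any(cfg, "EXT", KNOWN_INTERFACES))   # ['dsl0', 'eth3', 'modem0']
    add_interface_into_zone(cfg, "eth2", "INT")
    print(interfaces_map(cfg)["DMZ"])                                  # ['wrong-3']
```

The security-relevant point the model makes visible: an interface that is in no zone is not "unfiltered", it silently becomes part of EXT as soon as 'any' is present there, and an interface listed in two zones is reported as belonging to whichever zone is checked first, so both conditions deserve an explicit check before the configuration is written.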
Function returns whether the requested service is allowed in the respective zone. The function takes care of the service's aliases (only for TCP and UDP). A service is defined by a set of parameters such as port and protocol.
- Parameters:
  - service
  - protocol: TCP, UDP, RPC or IP
  - interface name (like modem0), firewall zone (like "EXT") or "any" for all zones
- Return value:
  - if service is allowed
- Example
  - HaveService ("ssh", "TCP", "EXT") -> true
    HaveService ("ssh", "TCP", "modem0") -> false
    HaveService ("53", "UDP", "dsl") -> false
Function adds service into the selected zone (or the zone of the interface) for the selected protocol. The function takes care of port aliases: first of all, it removes all of them.
- Parameters:
  - service
  - protocol
  - interface
- Return value:
  - success
- Example
  - AddService ("ssh", "TCP", "EXT")
    AddService ("ssh", "TCP", "dsl0")
Function removes service from the selected zone (or for the interface) for the selected protocol. The function takes care of port aliases and removes all of them.
- Parameters:
  - service
  - protocol
  - interface
- Return value:
  - success
- Example
  - RemoveService ("22", "TCP", "DMZ") -> true
    is the same as
    RemoveService ("ssh", "TCP", "DMZ") -> true
Function returns whether the needed services are all allowed (or not) in the firewall. The last parameter sets whether it should also check for port aliases, which makes sense for TCP and UDP ports. Protocols and zones are not checked for existence; that is up to the caller.
- Parameters:
  - needed_ports
  - protocol
  - zone: name like EXT
  - check_for_aliases
- Return value:
  - if all ports are allowed
- Example
  - ArePortsOrServicesAllowed (["53", "54"], "UDP", "INT", true) -> true
Returns whether a service is mentioned in FW_CONFIGURATIONS_[EXT|INT|DMZ]. These services are defined by arbitrary packages.
- Parameters:
  - service
  - zone
- Return value:
  - if service is supported in zone
- Example
  - IsServiceDefinedByPackageSupportedInZone ("service:sshd", "EXT") -> true
Function returns whether a service is supported (allowed) in the zone. The service must be defined in SuSEFirewallServices. Works transparently also with services defined by packages; such a service starts with the "service:" prefix.
- Parameters:
  - service
  - zone
- Return value:
  - if supported
- Example
  - // All ports defined by the dns-server service in the SuSEFirewallServices module
    // are enabled in the respective zone
    IsServiceSupportedInZone ("dns-server", "EXT") -> true
    // The irc-server definition exists on the system and irc-server
    // is mentioned in the FW_CONFIGURATIONS_EXT variable of SuSEfirewall2
    IsServiceSupportedInZone ("service:irc-server", "EXT") -> true
Function returns map of supported services on all network interfaces.
Structure:
  $[ service : $[ interface : supported_status ] ]
- Parameters:
  - services
- Return value:
  - map as described above
- Example
  - GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
    // No such service "something"
    GetServicesInZones (["something"]) -> $["something":$["eth1":nil]]
    GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]
Function returns map of supported services in all firewall zones.
Structure:
  $[ service : $[ zone_name : supported_status ] ]
- Parameters:
  - services
- Return value:
  - map as described above
- Example
  - // Firewall is not protected from the internal zone, that's why
    // all services report that they are enabled in the INT zone
    GetServices (["samba-server", "service:irc-server"]) -> $[
      "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
      "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
    ]
Function sets status for several services in several firewall zones.
- Parameters:
  - services_ids
  - firewall_zones
  - new_status
- Return value:
  - if successful
- Example
  - SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
    SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);
Function sets status for several services on several network interfaces.
- Parameters:
  - services_ids
  - interfaces
  - new_status
- Return value:
  - if successful
- Example
  - // Disabling services
    SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], false)
    // Enabling services
    SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)
Local function sets the default configuration and fills internal values.
Local function reads the current configuration and fills internal values.
Fills the configuration with default settings and marks in internal variables that the firewall cannot be configured.
Function for reading the SuSEFirewall configuration. Fills internal variables only.
- Return value:
  - if successful
Function returns whether some RPC service is allowed in the configuration. These services reallocate their ports when restarted. See details in bugzilla bug #186186.
- Return value:
  - some_RPC_service_used
Function which stops the firewall. The firewall is then started immediately if it is configured to be started, see SetStartService(boolean).
- Return value:
  - if successful
Function writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the SetEnableService(boolean) setting. This writes the configuration only; the firewall is never started here, only enabled or disabled.
- Return value:
  - if successful
Helper function for backward compatibility. See WriteConfiguration(). Remove from code ASAP.
- Return value:
  - if successful
Function for writing and enabling the configuration; it is the union of WriteConfiguration() and ActivateConfiguration().
- Return value:
  - if successful
Function for saving the configuration and restarting the firewall. It is the same as Write() but the write is always forced.
- Return value:
  - if successful
This function returns list of services/ports which are not assigned to any fully-supported known service. It does not check for services defined by packages; those are listed in a different way.
- Parameters:
  - protocol
  - zone
- Return value:
  - list of additional (unassigned) services
- Example
  - GetAdditionalServices("TCP", "EXT") -> ["53", "128"]
Function sets additional ports/services from the given list. First, all current additional services are removed together with their aliases; second, the new ports/services are added. It uses GetAdditionalServices() to determine the current state, so it removes what is no longer listed and adds what is new.
- Parameters:
  - protocol
  - zone
  - new_list_services
- Example
  - SetAdditionalServices ("TCP", "EXT", ["53", "128"])
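The port-alias handling of HaveService()/AddService()/RemoveService()/ArePortsOrServicesAllowed() above, and the "fully-supported known service" rule that GetAdditionalServices()/SetAdditionalServices() build on, share one model of the allowed-port lists. The following Python is an added example written for this page to demonstrate both passages together; it is not code from SuSEFirewall.ycp. Its assumptions, none of which the page states, are: allowed ports live in sysconfig variables named FW_SERVICES_<ZONE>_<PROTO> as space-separated strings, the alias table stands in for the system services database, the KNOWN_SERVICES dictionary stands in for the SuSEFirewallServices definitions, and only zone names (not interface names) are accepted.

```python
"""Allowed-port lists with port aliases and "additional services"
(added example, not SuSEFirewall.ycp).

Assumptions: variables FW_SERVICES_<ZONE>_<PROTO> hold space-separated
ports/aliases; ALIASES and KNOWN_SERVICES are constructed stand-ins for the
services database and the SuSEFirewallServices definitions.
"""

# Constructed alias table: service name -> port number.
ALIASES = {"ssh": "22", "domain": "53", "http": "80", "netbios-ssn": "139"}

# Constructed stand-in for SuSEFirewallServices: service -> protocol -> ports.
KNOWN_SERVICES = {
    "ssh-server": {"TCP": ["22"]},
    "dns-server": {"TCP": ["53"], "UDP": ["53"]},
    "samba-server": {"TCP": ["139", "445"], "UDP": ["137", "138"]},
}

# Constructed sample: 22 is listed twice (once as alias), 128 belongs to no
# known service, and samba-server is only half-open in the DMZ.
SAMPLE_CFG = {
    "FW_SERVICES_EXT_TCP": "ssh 22 53 128",
    "FW_SERVICES_EXT_UDP": "53",
    "FW_SERVICES_DMZ_TCP": "139",
}


def canonical(port):
    """Numeric form of a port or alias, so 'ssh' and '22' compare equal."""
    return ALIASES.get(port, port)


def _var(zone, proto):
    return "FW_SERVICES_%s_%s" % (zone, proto)


def get_allowed(cfg, zone, proto):
    return cfg.get(_var(zone, proto), "").split()


def set_allowed(cfg, zone, proto, items):
    cfg[_var(zone, proto)] = " ".join(items)


def have_service(cfg, service, proto, zone):
    """Like HaveService() for a zone name: alias-aware membership test."""
    return canonical(service) in {canonical(p) for p in get_allowed(cfg, zone, proto)}


def remove_service(cfg, service, proto, zone):
    """Like RemoveService(): drops the port together with all of its aliases."""
    keep = [p for p in get_allowed(cfg, zone, proto) if canonical(p) != canonical(service)]
    set_allowed(cfg, zone, proto, keep)
    return True


def add_service(cfg, service, proto, zone):
    """Like AddService(): aliases are removed first, so the port is listed exactly once."""
    remove_service(cfg, service, proto, zone)
    set_allowed(cfg, zone, proto, get_allowed(cfg, zone, proto) + [service])
    return True


def are_ports_allowed(cfg, needed, proto, zone, check_aliases):
    """Like ArePortsOrServicesAllowed(); without alias checking only literal entries match."""
    allowed = get_allowed(cfg, zone, proto)
    if check_aliases:
        allowed_canonical = {canonical(p) for p in allowed}
        return all(canonical(p) in allowed_canonical for p in needed)
    return all(p in allowed for p in needed)


def is_service_supported_in_zone(cfg, service, zone):
    """A known service counts as supported only if every port of every protocol is allowed."""
    return all(are_ports_allowed(cfg, ports, proto, zone, True)
               for proto, ports in KNOWN_SERVICES[service].items())


def get_additional_services(cfg, proto, zone):
    """Like GetAdditionalServices(): allowed ports not covered by a fully-supported service."""
    covered = {canonical(p)
               for svc, protos in KNOWN_SERVICES.items()
               if is_service_supported_in_zone(cfg, svc, zone)
               for p in protos.get(proto, [])}
    return [p for p in get_allowed(cfg, zone, proto) if canonical(p) not in covered]


def set_additional_services(cfg, proto, zone, new_list):
    """Like SetAdditionalServices(): drop current additional services (with
    aliases), then add the new ones."""
    for p in get_additional_services(cfg, proto, zone):
        remove_service(cfg, p, proto, zone)
    for p in new_list:
        add_service(cfg, p, proto, zone)


if __name__ == "__main__":
    cfg = dict(SAMPLE_CFG)
    print(get_additional_services(cfg, "TCP", "EXT"))   # ['128']
    print(get_additional_services(cfg, "TCP", "DMZ"))   # ['139']: samba-server is not fully open
    set_additional_services(cfg, "TCP", "EXT", ["8080"])
    print(cfg["FW_SERVICES_EXT_TCP"])                    # '53 ssh 8080'
```

Two things the model shows that the reference text only implies: a port that is open but whose service is not fully open (139 without 445 in the DMZ) is reported as an "additional service" rather than as part of samba-server, so audits that only ask "is samba-server enabled?" would miss it; and a literal check without alias resolution (check_for_aliases false) reports "domain" as not allowed even though port 53 is open.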
Function returns whether any firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to get the currently active iptables rules and compares the output with the current status of SuSEfirewall2.
- Return value:
  - if other firewall is running
Function returns map of `interfaces in zones`.
Structure:
  map $[ zone : [ list of interfaces ] ]
- Return value:
  - interfaces in zones
- Example
  - GetFirewallInterfacesMap() -> $["DMZ":[], "EXT":["dsl0"], "INT":["eth1", "eth2"]]
Function returns list of special strings like 'any' or 'auto' and unknown interfaces in the zone.
- Parameters:
  - zone
- Return value:
  - special strings or unknown interfaces
- Example
  - GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]
Function removes special string from the given zone.
- Parameters:
  - interface
  - zone
Function adds special string into the given zone.
- Parameters:
  - interface
  - zone
Function returns actual state of masquerading support.
- Return value:
  - if supported
Function sets masquerading support.
- Parameters:
  - enable
Function returns list of rules for forwarding ports to masqueraded IPs.
Structure:
  list [ $[ key : value ] ]
- Return value:
  - list of rules
- Example
  - GetListOfForwardsIntoMasquerade() -> [
      $[ "forward_to":"172.24.233.1", "protocol":"tcp", "req_ip":"192.168.0.3",
         "req_port":"355", "source_net":"192.168.0.0/20", "to_port":"533" ],
      ...
    ]
Function removes a rule for forwarding into masquerade from the list of current rules returned by GetListOfForwardsIntoMasquerade().
- Parameters:
  - remove_item
Adds a forward-into-masquerade rule.
- Parameters:
  - source_net
  - forward_to_ip
  - protocol
  - req_port
  - redirect_to_port
  - requested_ip
- Example
  - AddForwardIntoMasqueradeRule ("0/0", "192.168.32.1", "TCP", "80", "8080", "10.0.0.1")
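A forward-into-masquerade rule exposes an internal host to whatever source_net says, so the interesting part of Add/RemoveForwardIntoMasqueradeRule() is the round trip between the rule maps shown above and the sysconfig string, plus validation before anything is written. The following Python is an added example for this page, not code from SuSEFirewall.ycp. It assumes, since the page does not say, that the rules are stored in a variable FW_FORWARD_MASQ as space-separated entries of the form source_net,forward_to,protocol,req_port[,to_port[,req_ip]] whose fields correspond to the keys in the GetListOfForwardsIntoMasquerade() example; the sample value is constructed.

```python
"""Parser/editor for forward-into-masquerade rules (added example, not SuSEFirewall.ycp).

Assumed sysconfig format (not given on the page): FW_FORWARD_MASQ holds
space-separated entries
    source_net,forward_to,protocol,req_port[,to_port[,req_ip]]
"""
import ipaddress

MAX_PORT = 65535          # port numbers are in the interval 1-65535 inclusive
PROTOCOLS = ("tcp", "udp")

# Constructed sample: one full rule with redirect port and requested IP, one
# minimal rule forwarding UDP/53 from everywhere.
SAMPLE_FORWARD_MASQ = "192.168.0.0/20,172.24.233.1,tcp,355,533,192.168.0.3 0/0,10.0.0.5,udp,53"


def valid_port(port):
    return port.isdigit() and 1 <= int(port) <= MAX_PORT


def valid_net(net):
    """'0/0' is the firewall's spelling of 'everywhere'; otherwise require an IP or CIDR."""
    if net == "0/0":
        return True
    try:
        ipaddress.ip_network(net, strict=False)
        return True
    except ValueError:
        return False


def parse_forward_rules(value):
    """Like GetListOfForwardsIntoMasquerade(): string -> list of rule maps."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        if not 4 <= len(parts) <= 6:
            raise ValueError("malformed forward rule: %r" % entry)
        rules.append({
            "source_net": parts[0],
            "forward_to": parts[1],
            "protocol": parts[2].lower(),
            "req_port": parts[3],
            "to_port": parts[4] if len(parts) > 4 else parts[3],   # default: same port
            "req_ip": parts[5] if len(parts) > 5 else "",
        })
    return rules


def format_forward_rules(rules):
    """Inverse of parse_forward_rules(); optional fields are written only when needed."""
    entries = []
    for r in rules:
        parts = [r["source_net"], r["forward_to"], r["protocol"], r["req_port"]]
        if r["req_ip"]:
            parts += [r["to_port"], r["req_ip"]]   # req_ip is positional, to_port must precede it
        elif r["to_port"] != r["req_port"]:
            parts.append(r["to_port"])
        entries.append(",".join(parts))
    return " ".join(entries)


def add_forward_rule(cfg, source_net, forward_to, protocol, req_port, to_port="", req_ip=""):
    """Like AddForwardIntoMasqueradeRule(), but validates before writing."""
    protocol = protocol.lower()
    to_port = to_port or req_port
    if protocol not in PROTOCOLS:
        raise ValueError("unsupported protocol: %r" % protocol)
    if not (valid_port(req_port) and valid_port(to_port)):
        raise ValueError("port out of range 1-%d" % MAX_PORT)
    if not (valid_net(source_net) and valid_net(forward_to) and (not req_ip or valid_net(req_ip))):
        raise ValueError("invalid address or network")
    rules = parse_forward_rules(cfg.get("FW_FORWARD_MASQ", ""))
    rules.append({"source_net": source_net, "forward_to": forward_to, "protocol": protocol,
                  "req_port": req_port, "to_port": to_port, "req_ip": req_ip})
    cfg["FW_FORWARD_MASQ"] = format_forward_rules(rules)


def remove_forward_rule(cfg, remove_item):
    """Like RemoveForwardIntoMasqueradeRule(): drops exactly the rule map given."""
    rules = [r for r in parse_forward_rules(cfg.get("FW_FORWARD_MASQ", "")) if r != remove_item]
    cfg["FW_FORWARD_MASQ"] = format_forward_rules(rules)


if __name__ == "__main__":
    cfg = {"FW_FORWARD_MASQ": SAMPLE_FORWARD_MASQ}
    add_forward_rule(cfg, "0/0", "192.168.32.1", "TCP", "80", "8080", "10.0.0.1")
    for rule in parse_forward_rules(cfg["FW_FORWARD_MASQ"]):
        print(rule)
```

Note that the parser normalizes the protocol to lower case, matching the "tcp" seen in the GetListOfForwardsIntoMasquerade() example even though AddForwardIntoMasqueradeRule() is called with "TCP"; without that normalization a rule added in upper case would never compare equal to the map later passed to the remove function.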
Function returns the actual state of logging for the rule given as parameter.
- Parameters:
  - rule
- Return value:
  - 'ALL', 'CRIT', or 'NONE'
- Example
  - GetLoggingSettings("ACCEPT") -> "CRIT"
    GetLoggingSettings("DROP") -> "CRIT"
Function sets the state of logging for the rule given as parameter.
- Parameters:
  - rule
  - state
- Example
  - SetLoggingSettings ("ACCEPT", "ALL")
    SetLoggingSettings ("DROP", "NONE")
Function returns yes/no: whether logging of ignored broadcast packets is suppressed for the zone.
- Parameters:
  - zone
- Return value:
  - "yes" or "no"
- Example
  - // Does not log ignored broadcast packets
    GetIgnoreLoggingBroadcast ("EXT") -> "yes"
Function sets yes/no: whether logging of ignored broadcast packets is suppressed for the zone.
- Parameters:
  - zone
  - bcast
- Example
  - // Do not log broadcast packets from DMZ
    SetIgnoreLoggingBroadcast ("DMZ", "yes")
Function adds the special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.
- See
  - https://bugzilla.novell.com/show_bug.cgi?id=154133
  - https://bugzilla.novell.com/show_bug.cgi?id=233934
  - https://bugzilla.novell.com/show_bug.cgi?id=375482
Returns list of rules describing protocols and ports that are allowed to be accessed from the listed hosts. All is returned as a single string. The zone needs to be defined.
- Parameters:
  - zone
- Return value:
  - string with rules
Sets expert allow rules for the zone.
- Parameters:
  - zone
  - expert_rules
- Return value:
  - if successful
Returns list of additional kernel modules that are loaded by the firewall on startup. For instance "ip_conntrack_ftp" and "ip_nat_ftp" for the FTP service.
- Return value:
  - list of kernel modules
Sets list of additional kernel modules to be loaded by the firewall on startup.
- Parameters:
  - k_modules
- Example
  - SuSEFirewall::SetFirewallKernelModules (["ip_conntrack_ftp","ip_nat_ftp"]);
Returns translated protocol name. Translation is provided from the SuSEfirewall2 sysconfig format to the l10n format.
- Parameters:
  - protocol
- Return value:
  - translated string (e.g., RPC)
Returns list of FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.
- Parameters:
  - zone
- Return value:
  - list of definitions
- Example
  - GetServicesAcceptRelated ("EXT") -> ["0/0,udp,427", "0/0,udp,137"]
Function sets FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.
- Parameters:
  - zone
  - ruleset
- Example
  - SetServicesAcceptRelated ("EXT", ["0/0,udp,427", "0/0,udp,137"])
Checks whether any Accept-Related rules have been defined. If so, the required kernel modules are added.
Removes old service definitions before they are added as services defined by packages.
- Parameters:
  - old_service_def
  - zone
Converts old built-in service definitions to services defined by packages.
- See
  - bnc 399217