YaST2 Developers Documentation: SuSEFirewall configuration

SuSEFirewall configuration

modules/SuSEFirewall.ycp
Interface manipulation of /etc/sysconfig/SuSEFirewall
  • Lukas Ocilka

This module has an unstable interface.

Copyright 2004, Novell, Inc. All rights reserved. Module for handling SuSEfirewall2.

Imports

  • Directory
  • FileUtils
  • Message
  • Mode
  • NetworkInterfaces
  • PackageSystem
  • PortAliases
  • PortRanges
  • Progress
  • Report
  • Service
  • Stage
  • SuSEFirewallServices

Structures

Global Variables

Global Functions

Local Variables

Local Functions

local configuration_has_been_read -> boolean

Whether the configuration has already been read (false by default); this should reduce the number of reads from disk to only ONE.

global special_all_interface_string -> string

String which includes all interfaces not-defined in any zone

global max_port_number -> integer

Maximal port number; port numbers lie in the interval 1-65535 inclusive.

global special_all_interface_zone -> string

Zone which works with the special_all_interface_string string

local WriteOneRecordPerLine (string key_name) -> boolean

Returns whether records in the variable should be written one record per line.

Parameters:
key_name
Return value:
whether one record per line should be written
global SetModified () -> void

Function sets internal variable, which indicates, that any "firewall settings were modified", to "true".

global ResetModified () -> void

Do not use this function. Only for firewall installation proposal.

global GetKnownFirewallZones () -> list <string>

Function returns list of known firewall zones (shortnames)

Return value:
list of firewall zones
Example
 GetKnownFirewallZones() -> ["DMZ", "EXT", "INT"]
local report_only_once -> list <string>

Variable for ReportOnlyOnce() function

local ReportOnlyOnce (string what_to_report) -> boolean

Report the error, warning or message only once. Stores the error, warning or message in memory. This is just a helper function that avoids filling y2log with a lot of copies of the very same message, e.g. when reporting from inside a 'foreach()' loop.

Parameters:
what_to_report
Return value:
whether the message should be reported or not
Example

	string error = sformat("Port number %1 is invalid.", port_nr);
	if (ReportOnlyOnce(error)) y2error(error);
global IsAnyNetworkInterfaceSupported () -> boolean

Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

Return value:
whether the feature is supported or not
local GetListOfSuSEFirewallVariables () -> list <string>

Function returns list of variables needed for SuSEFirewall's settings.

Return value:
list of names of variables
local IncreaseVerbosity () -> void

Local function for increasing the verbosity level.

local DecreaseVerbosity () -> void

Local function for decreasing the verbosity level.

local IsVerbose () -> boolean

Local function returns if other functions should produce verbose output, like popups, reporting errors, etc.

Return value:
is_verbose
local GetDefaultValue (string variable) -> string

Local function for returning default values (if defined) for sysconfig variables.

Parameters:
variable
Return value:
default value
local ReadSysconfigSuSEFirewall (list<string> variables) -> void

Local function for reading list of sysconfig variables into internal variables.

Parameters:
variables
local ResetSysconfigSuSEFirewall (list<string> variables) -> void

Local function for resetting list of sysconfig variables in internal variables.

Parameters:
variables
local WriteSysconfigSuSEFirewall (list<string> variables) -> boolean

Local function for writing the list of internal variables into sysconfig. The list of variables is a list of keys in the SETTINGS map; to sync the configuration to disk, use `nil` as the last list item.

Parameters:
variables
Return value:
if successful
local IsSupportedProtocol (string protocol) -> boolean

Local function returns if protocol is supported by firewall. Protocol name must be in upper case.

Parameters:
protocol
Return value:
if protocol is supported
local IsKnownZone (string zone) -> boolean

Local function returns if zone (shortname like "EXT") is supported by firewall. Undefined zones are, for sure, unsupported.

Parameters:
zone
Return value:
if zone is known and supported.
local GetZoneConfigurationString (string zone) -> string

Local function returns configuration string used in configuration for zone. For instance "ext" for "EXT" zone.

Parameters:
zone
Return value:
zone configuration string
local GetConfigurationStringZone (string zone_string) -> string

Local function returns zone name (shortname) for configuration string. For instance "EXT" for "ext" zone.

Parameters:
zone_string
Return value:
zone shortname
local GetAllowedServicesForZoneProto (string zone, string protocol) -> list <string>

Function returns list of allowed services for zone and protocol

Parameters:
zone
protocol
Return value:
list of allowed services/ports
local SetAllowedServicesForZoneProto (list <string> allowed_services, string zone, string protocol) -> void

Function sets list of services as allowed ports for zone and protocol

Parameters:
allowed_services
zone
protocol
local GetBroadcastConfiguration (string zone) -> string

Local function returns configuration string for broadcast packets.

Parameters:
zone
Return value:
string with broadcast configuration
local SetBroadcastConfiguration (string zone, string broadcast_configuration) -> void

Local function saves configuration string for broadcast packets.

Parameters:
zone
broadcast_configuration
global GetBroadcastAllowedPorts () -> map <string, list <string> >

Function returns map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets. This function returns only ports that are mentioned in the configuration; it doesn't return ports that are listed in some enabled service defined by a package.

Structure $[
    "ZONE1" : [ "port1", "port2" ],
    "ZONE2" : [ "port3", "port4" ],
    "ZONE3" : [ ]
  ]
Return value:
map of zones to lists of allowed ports or port ranges
global SetBroadcastAllowedPorts (map <string, list <string> > broadcast) -> void

Function creates allowed-broadcast-ports string from broadcast map and saves it.

Parameters:
broadcast
See
GetBroadcastAllowedPorts() for an example of data
local IsBroadcastAllowed (list <string> needed_ports, string zone) -> boolean

Function returns if broadcast is allowed for needed ports in zone.

Parameters:
needed_ports
zone
Return value:
if is allowed
Example
 IsBroadcastAllowed (["port-xyz", "53"], "EXT") -> true
local RemoveAllowedBroadcast (list <string> needed_ports, string zone) -> void

Local function removes list of ports from port allowing broadcast packets in zone.

Parameters:
needed_ports
zone
local AddAllowedBroadcast (list <string> needed_ports, string zone) -> void

Local function adds list of ports to ports accepting broadcast

Parameters:
needed_ports
zone
local RemoveServiceFromProtocolZone (string remove_service, string protocol, string zone) -> boolean

Local function for removing (disallowing) a single service/port for the defined protocol and zone. The function doesn't take port-aliases into account.

Parameters:
remove_service
protocol
zone
Return value:
success
local RemoveAllowedPortsOrServices (list <string> remove_ports, string protocol, string zone, boolean check_for_aliases) -> void

Local function removes ports and their aliases (if check_for_aliases is true), for requested protocol and zone.

Parameters:
remove_ports
protocol
zone
check_for_aliases
local AddAllowedPortsOrServices (list <string> add_ports, string protocol, string zone) -> void

Local function allows ports for requested protocol and zone.

Parameters:
add_ports
protocol
zone
local RemoveServiceDefinedByPackageFromZone (string service, string zone) -> void

Removes service defined by package (FATE #300687) from enabled services.

Parameters:
service
zone
Example

	RemoveServiceDefinedByPackageFromZone ("service:irc-server", "EXT");
local AddServiceDefinedByPackageIntoZone (string service, string zone) -> void

Adds service defined by package (FATE #300687) into list of enabled services.

Parameters:
service
zone
Example

	AddServiceDefinedByPackageIntoZone ("service:irc-server", "EXT");
local RemoveServiceSupportFromZone (string service, string zone) -> void

Local function removes well-known service's support from zone. Allowed ports are removed with all of their port-aliases.

Parameters:
service
zone
local AddServiceSupportIntoZone (string service, string zone) -> void

Local function adds well-known service's support into zone. It first of all removes the current support for service with port-aliases.

Parameters:
service
zone
global SetInstallPackagesIfMissing (boolean new_status) -> void

By default SuSEfirewall2 packages are just checked whether they are installed. With this function, you can change the behavior to also offer installing the packages.

Parameters:
new_status
global SuSEFirewallIsInstalled () -> boolean

Returns whether all needed packages are installed.

Return value:
whether SuSEfirewall2 is installed
global GetModified () -> boolean

Function returns whether any part of the firewall configuration was modified.

Return value:
if the configuration was modified
global ResetReadFlag () -> void

Function resets the flag which prevents reading the configuration from disk again, so you can actually reread the configuration from disk. Currently, only the first Read() call reads the configuration from disk.

global GetZoneFullName (string zone) -> string

Function returns localized name of the zone identified by zone shortname.

Parameters:
zone
Return value:
zone name
Example

  LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
  LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"
global SetProtectFromInternalZone (boolean set_protect) -> void

Function sets if firewall should be protected from internal zone.

Parameters:
set_protect
global GetProtectFromInternalZone () -> boolean

Function returns if firewall is protected from internal zone.

Return value:
if protected from internal
global SetSupportRoute (boolean set_route) -> void

Function sets if firewall should support routing.

Parameters:
set_route
global GetSupportRoute () -> boolean

Function returns if firewall supports routing.

Return value:
if route is supported
global SetTrustIPsecAs (string zone) -> void

Function sets how firewall should trust successfully decrypted IPsec packets. It should be the zone name (shortname) or 'no' to trust packets the same as firewall trusts the zone from which IPsec packet came.

Parameters:
zone
global GetTrustIPsecAs () -> string

Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

Return value:
zone or "no"
global GetStartService () -> boolean

Function which returns if SuSEfirewall2 should start in the Write process. In fact it means that SuSEfirewall2 will be started at the end of it.

Return value:
if the firewall should start
global SetStartService (boolean start_service) -> void

Function which sets if SuSEfirewall should start in Write process.

Parameters:
start_service
See
GetStartService()
global GetEnableService () -> boolean

Function which returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during the Write() process.

Return value:
if the firewall should start
See
Write() EnableServices()
global SetEnableService (boolean enable_service) -> void

Function which sets if SuSEfirewall should start in Write process

Parameters:
enable_service
global StartServices () -> boolean

Function starts services needed for SuSEFirewall.

Return value:
result
global StopServices () -> boolean

Function stops services needed for SuSEFirewall.

Return value:
result
global EnableServices () -> boolean

Function enables services needed for SuSEFirewall in /etc/init.d/.

Return value:
result
global DisableServices () -> boolean

Function disables services needed for SuSEFirewall in /etc/init.d/.

Return value:
result
global IsEnabled () -> boolean

Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().

Return value:
if enabled
global IsStarted () -> boolean

Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().

Return value:
if started
global Export () -> map <string, any>

Function for getting the exported SuSEFirewall configuration.

Return value:
map with configuration
global Import (map <string, any> import_settings) -> void

Function for setting SuSEFirewall configuration from input

Parameters:
import_settings
global IsInterfaceInZone (string interface, string zone) -> boolean

Function returns if the interface is in zone.

Parameters:
interface
zone
Return value:
is in zone
Example
 IsInterfaceInZone ("eth-id-01:11:DA:9C:8A:2F", "INT") -> false
global GetZoneOfInterface (string interface) -> string

Function returns the firewall zone of the interface, or nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first appearance is then returned.

Parameters:
interface
Return value:
zone
Example
 GetZoneOfInterface ("eth-id-01:11:DA:9C:8A:2F") -> "DMZ"
global GetZonesOfInterfaces (list<string> interfaces) -> list<string>

Function returns list of zones of requested interfaces

Parameters:
interfaces
Return value:
firewall zones
Example

	GetZonesOfInterfaces (["eth1","eth4"]) -> ["DMZ", "EXT"]
global GetZonesOfInterfacesWithAnyFeatureSupported (list<string> interfaces) -> list<string>

Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

Parameters:
interfaces
Return value:
firewall zones
Example

	GetZonesOfInterfacesWithAnyFeatureSupported (["eth1","eth4"]) -> ["EXT"]
global GetAllKnownInterfaces () -> list <map <string, string> >

Function returns list of maps of known interfaces.

Structure [ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

Return value:
list of all interfaces
global GetAllNonDialUpInterfaces () -> list <string>

Function returns list of non-dial-up interfaces.

Return value:
list of non-dial-up interface names
Example
 GetAllNonDialUpInterfaces() -> ["eth1", "eth2"]
global GetAllDialUpInterfaces () -> list <string>

Function returns list of dial-up interfaces.

Return value:
list of dial-up interface names
Example
 GetAllDialUpInterfaces() -> ["modem0", "dsl5"]
global GetListOfKnownInterfaces () -> list <string>

Function returns list of all known interfaces.

Return value:
list of interfaces
Example
 GetListOfKnownInterfaces() -> ["eth1", "eth2", "modem0", "dsl5"]
global RemoveInterfaceFromZone (string interface, string zone) -> void

Function removes interface from defined zone.

Parameters:
interface
zone
Example
 RemoveInterfaceFromZone ("modem0", "EXT")
global AddInterfaceIntoZone (string interface, string zone) -> void

Function adds interface into the defined zone. All appearances of the interface in other zones are removed.

Parameters:
interface
zone
Example
 AddInterfaceIntoZone ("eth5", "DMZ")
global GetInterfacesInZone (string zone) -> list<string>

Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

Parameters:
zone
Return value:
list of interfaces
Example
 GetInterfacesInZone ("DMZ") -> ["eth4", "eth5"]
global GetFirewallInterfaces () -> list<string>

Function returns all interfaces already configured in firewall.

Return value:
list of configured interfaces
global InterfacesSupportedByAnyFeature (string zone) -> list<string>

Returns list of interfaces not mentioned in any zone, which are covered by the special string 'any' in zone 'EXT' when that string is present there and the requested zone is EXT. If the feature 'any' is not set, the function returns an empty list.

Parameters:
zone
Return value:
list of interfaces covered by special string 'any'
See
IsAnyNetworkInterfaceSupported()
global GetInterfacesInZoneSupportingAnyFeature (string zone) -> list<string>

Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.

Parameters:
zone
Return value:
list of interfaces
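The zone and 'any'-feature lookups documented above, as an added Python model (not the YaST module's own YCP code): it mirrors the documented semantics of GetZoneOfInterface(), GetZonesOfInterfaces(), InterfacesSupportedByAnyFeature() and GetInterfacesInZoneSupportingAnyFeature() on a plain dict in the shape of GetFirewallInterfacesMap(). The zone map and interface list are constructed sample data, and visiting zones in GetKnownFirewallZones() order to pick the "first appearance" is an assumption of this model.

```python
"""Model of the SuSEFirewall zone/interface lookups (added example, not YaST code)."""
from typing import Dict, List, Optional

KNOWN_ZONES = ["DMZ", "EXT", "INT"]          # as GetKnownFirewallZones()
SPECIAL_ALL_INTERFACE_STRING = "any"         # special_all_interface_string
SPECIAL_ALL_INTERFACE_ZONE = "EXT"           # special_all_interface_zone
SPECIAL_STRINGS = {"any", "auto"}            # never real interface names

# Constructed sample state, not read from any real /etc/sysconfig/SuSEfirewall2.
KNOWN_INTERFACES = ["eth1", "eth2", "eth4", "modem0"]
ZONE_MAP: Dict[str, List[str]] = {
    "DMZ": ["eth4"],
    "EXT": ["any", "modem0"],
    "INT": ["eth1"],
}


def is_any_interface_supported(zone_map: Dict[str, List[str]]) -> bool:
    """The 'any' feature is active only when the string sits in the EXT zone."""
    return SPECIAL_ALL_INTERFACE_STRING in zone_map.get(SPECIAL_ALL_INTERFACE_ZONE, [])


def get_zone_of_interface(interface: str, zone_map: Dict[str, List[str]],
                          errors: Optional[List[str]] = None) -> Optional[str]:
    """Zone of the interface, or None. An interface listed in several zones is
    reported (appended to `errors`) and the first one wins; zones are visited
    in KNOWN_ZONES order (assumption of this model)."""
    zones = [z for z in KNOWN_ZONES if interface in zone_map.get(z, [])]
    if len(zones) > 1 and errors is not None:
        errors.append(f"interface {interface} is in multiple zones: {zones}")
    return zones[0] if zones else None


def get_interfaces_in_zone(zone: str, zone_map: Dict[str, List[str]],
                           known: List[str]) -> List[str]:
    """Known interfaces of the zone; 'any', 'auto' and unknown names are dropped."""
    return [i for i in zone_map.get(zone, []) if i not in SPECIAL_STRINGS and i in known]


def interfaces_supported_by_any_feature(zone: str, zone_map: Dict[str, List[str]],
                                        known: List[str]) -> List[str]:
    """Known interfaces assigned to no zone, covered by 'any' in EXT; else []."""
    if zone != SPECIAL_ALL_INTERFACE_ZONE or not is_any_interface_supported(zone_map):
        return []
    assigned = {i for z in KNOWN_ZONES for i in zone_map.get(z, [])}
    return [i for i in known if i not in assigned]


def get_interfaces_in_zone_supporting_any_feature(zone: str, zone_map: Dict[str, List[str]],
                                                  known: List[str]) -> List[str]:
    """Explicit members of the zone plus the interfaces 'any' pulls into it."""
    return (get_interfaces_in_zone(zone, zone_map, known)
            + interfaces_supported_by_any_feature(zone, zone_map, known))


def get_zones_of_interfaces(interfaces: List[str], zone_map: Dict[str, List[str]]) -> List[str]:
    """Sorted set of zones the interfaces are explicitly assigned to."""
    zones = {get_zone_of_interface(i, zone_map) for i in interfaces}
    return sorted(z for z in zones if z is not None)


def get_zones_of_interfaces_with_any_feature_supported(interfaces: List[str],
                                                       zone_map: Dict[str, List[str]]) -> List[str]:
    """As above, but an unassigned interface maps to EXT when 'any' is enabled."""
    zones = set(get_zones_of_interfaces(interfaces, zone_map))
    if is_any_interface_supported(zone_map):
        if any(get_zone_of_interface(i, zone_map) is None for i in interfaces):
            zones.add(SPECIAL_ALL_INTERFACE_ZONE)
    return sorted(zones)


def audit_zone_map(zone_map: Dict[str, List[str]], known: List[str]) -> List[str]:
    """Consistency check: interfaces in more than one zone, and zone entries
    that name neither a known interface nor a special string."""
    findings: List[str] = []
    for iface in known:
        get_zone_of_interface(iface, zone_map, findings)
    for zone in KNOWN_ZONES:
        for name in zone_map.get(zone, []):
            if name not in known and name not in SPECIAL_STRINGS:
                findings.append(f"zone {zone} references unknown interface {name}")
    return findings


if __name__ == "__main__":
    print("EXT incl. 'any':", get_interfaces_in_zone_supporting_any_feature("EXT", ZONE_MAP, KNOWN_INTERFACES))
    print("audit:", audit_zone_map(ZONE_MAP, KNOWN_INTERFACES) or "clean")
```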
global HaveService (string service, string protocol, string interface) -> boolean

Function returns if the requested service is allowed in the respective zone. Function takes care of the service's aliases (only for TCP and UDP). Service is defined by a set of parameters such as port and protocol.

Parameters:
service
protocol TCP, UDP, RPC or IP
interface name (like modem0), firewall zone (like "EXT") or "any" for all zones.
Return value:
if service is allowed
Example

	HaveService ("ssh", "TCP", "EXT") -> true
	HaveService ("ssh", "TCP", "modem0") -> false
	HaveService ("53", "UDP", "dsl") -> false
global AddService (string service, string protocol, string interface) -> boolean

Function adds service into the selected zone (or the zone of the interface) for the selected protocol. Function takes port-aliases into account: first of all, it removes all of them.

Parameters:
service
protocol
interface
Return value:
success
Example

	AddService ("ssh", "TCP", "EXT")
	AddService ("ssh", "TCP", "dsl0")
global RemoveService (string service, string protocol, string interface) -> boolean

Function removes service from the selected zone (or for the interface) for the selected protocol. Function takes port-aliases into account and removes all of them.

Parameters:
service
protocol
interface
Return value:
success
Example

	RemoveService ("22", "TCP", "DMZ") -> true
  is the same as
	RemoveService ("ssh", "TCP", "DMZ") -> true
local ArePortsOrServicesAllowed (list <string> needed_ports, string protocol, string zone, boolean check_for_aliases) -> boolean

Function returns if the needed services are all allowed (or not) in the firewall. The last parameter sets if it should also check for port-aliases, which makes sense for TCP and UDP ports. Protocols and zones aren't checked for existence. It's on you to do it.

Parameters:
needed_ports
protocol
zone name like EXT
check_for_aliases
Return value:
if all ports are allowed
Example

	ArePortsOrServicesAllowed (["53", "54"], "UDP", "INT", true) -> true
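The alias-aware allowed-port check documented here and the broadcast rules documented for GetBroadcastAllowedPorts() and IsBroadcastAllowed() (an empty per-zone list means every allowed UDP port of that zone accepts broadcasts), as one added Python model; it is not the YaST module's own YCP code. The alias table, allowed-port lists and broadcast map are constructed sample data standing in for the PortAliases module and the sysconfig state; port ranges are not modelled.

```python
"""Model of ArePortsOrServicesAllowed() and IsBroadcastAllowed() (added example)."""
from typing import Dict, List

# Constructed alias table standing in for the PortAliases module (assumption).
PORT_ALIASES: Dict[str, str] = {"ssh": "22", "domain": "53", "http": "80", "ipp": "631"}

# Constructed state in the shape of GetAllowedServicesForZoneProto(zone, protocol).
ALLOWED: Dict[str, Dict[str, List[str]]] = {
    "EXT": {"TCP": ["ssh", "80"], "UDP": ["53"]},
    "INT": {"TCP": ["22", "631"], "UDP": ["53", "54", "137"]},
    "DMZ": {"TCP": [], "UDP": []},
}

# Constructed map in the shape of GetBroadcastAllowedPorts(): $[zone : [ports]].
# No entry for DMZ: broadcasts are not configured there at all.
BROADCAST: Dict[str, List[str]] = {
    "EXT": ["53"],
    "INT": [],   # empty list: all allowed UDP ports of INT also accept broadcasts
}


def canonical_port(port_or_service: str) -> str:
    """Resolve a service alias to its port number; plain numbers pass through."""
    return PORT_ALIASES.get(port_or_service, port_or_service)


def are_ports_or_services_allowed(needed_ports: List[str], protocol: str, zone: str,
                                  check_for_aliases: bool) -> bool:
    """True only if every needed port is allowed for the protocol in the zone.
    With check_for_aliases, "ssh" and "22" are treated as the same port on
    both sides; without it, the strings must match literally."""
    allowed = ALLOWED.get(zone, {}).get(protocol, [])
    if check_for_aliases:
        allowed_set = {canonical_port(p) for p in allowed}
        needed = [canonical_port(p) for p in needed_ports]
    else:
        allowed_set = set(allowed)
        needed = list(needed_ports)
    return all(p in allowed_set for p in needed)


def is_broadcast_allowed(needed_ports: List[str], zone: str) -> bool:
    """True if broadcast packets are accepted on all needed ports in the zone."""
    if zone not in BROADCAST:
        return False                      # zone has no broadcast configuration
    ports = BROADCAST[zone]
    if ports == []:
        # Documented rule: a defined but empty list means every allowed UDP
        # port of the zone accepts broadcasts, so defer to the UDP allow list.
        return are_ports_or_services_allowed(needed_ports, "UDP", zone, True)
    allowed_set = {canonical_port(p) for p in ports}
    return all(canonical_port(p) in allowed_set for p in needed_ports)


if __name__ == "__main__":
    print(are_ports_or_services_allowed(["53", "54"], "UDP", "INT", True))   # True
    print(is_broadcast_allowed(["domain", "137"], "INT"))                    # True
```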
local IsServiceDefinedByPackageSupportedInZone (string service, string zone) -> boolean

Returns whether a service is mentioned in FW_CONFIGURATIONS_[EXT|INT|DMZ]. These services are defined by arbitrary packages.

Parameters:
service
zone
Return value:
if service is supported in zone
Example

	IsServiceDefinedByPackageSupportedInZone ("service:sshd", "EXT") -> true
global IsServiceSupportedInZone (string service, string zone) -> boolean

Function returns if service is supported (allowed) in zone. Service must be defined in the SuSEFirewallServices. Works transparently also with services defined by packages. Such service starts with "service:" prefix.

Parameters:
service
zone
Return value:
if supported
Example

	// All ports defined by dns-server service in SuSEFirewallServices module
	// are enabled in the respective zone
	IsServiceSupportedInZone ("dns-server", "EXT") -> true
  // irc-server definition exists on the system and the irc-server
  // is mentioned in FW_CONFIGURATIONS_EXT variable of SuSEfirewall2
  IsServiceSupportedInZone ("service:irc-server", "EXT") -> true
See
YCP Module SuSEFirewallServices
global GetServicesInZones (list<string> services) -> map <string, map <string, boolean> >

Function returns map of supported services on all network interfaces.

Structure Returns $[service : $[ interface : supported_status ]]

Parameters:
services
Return value:
map of services to maps of interface to supported status
Example

	GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
	// No such service "something"
	GetServicesInZones (["something"]) -> $["something":$["eth1":nil]]
  GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]
global GetServices (list<string> services) -> map <string, map <string, boolean> >

Function returns map of supported services in all firewall zones.

Structure Returns $[service : $[ zone_name : supported_status ]]

Parameters:
services
Return value:
map of services to maps of zone to supported status
Example

	// Firewall is not protected from internal zone, that's why
	// all services report that they are enabled in INT zone
	GetServices (["samba-server", "service:irc-server"]) -> $[
	  "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
	  "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
	]
global SetServicesForZones (list<string> services_ids, list<string> firewall_zones, boolean new_status) -> boolean

Function sets status for several services in several firewall zones.

Parameters:
services_ids
firewall_zones
new_status
Return value:
if successful
Example

	SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
	SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);
See
GetServicesInZones() GetServices()
global SetServices (list<string> services_ids, list<string> interfaces, boolean new_status) -> boolean

Function sets status for several services on several network interfaces.

Parameters:
services_ids
interfaces
new_status
Return value:
if successful
Example

  // Disabling services
	SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], false)
  // Enabling services
  SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)
See
SetServicesForZones()
local ReadDefaultConfiguration () -> void

Local function sets the default configuration and fills internal values.

local ReadCurrentConfiguration () -> void

Local function reads current configuration and fills internal values.

local FillUpEmptyConfig () -> void

Fills the configuration with default settings and adjusts internal variables to indicate that the firewall cannot be configured.

global Read () -> boolean

Function for reading SuSEFirewall configuration. Fills internal variables only.

Return value:
if successful
local AnyRPCServiceInConfiguration () -> boolean

Function returns whether some RPC service is allowed in the configuration. These services reallocate their ports when restarted. See details in bugzilla bug #186186.

Return value:
some_RPC_service_used
global ActivateConfiguration () -> boolean

Function which stops the firewall and then starts it again immediately if the firewall is requested to be started, see SetStartService(boolean).

Return value:
if successful
global WriteConfiguration () -> boolean

Function writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the setting of SetEnableService(boolean). This is a write-only operation; the firewall is never started, only enabled or disabled.

Return value:
if successful
global WriteOnly () -> boolean

Helper function for the backward compatibility. See WriteConfiguration(). Remove from code ASAP.

Return value:
if successful
global Write () -> boolean

Function for writing and activating the configuration; it is a union of WriteConfiguration() and ActivateConfiguration().

Return value:
if successful
global SaveAndRestartService () -> boolean

Function for saving the configuration and restarting the firewall. It is the same as Write() but the write is always forced.

Return value:
if successful
global GetAdditionalServices (string protocol, string zone) -> list <string>

This function returns list of services/ports which are not assigned to any fully-supported known service. It doesn't check for services defined by packages; those are listed in a different way.

Parameters:
protocol
zone
Return value:
list of additional (unassigned) services
Example

	GetAdditionalServices("TCP", "EXT") -> ["53", "128"]
global SetAdditionalServices (string protocol, string zone, list <string> new_list_services) -> void

Function sets additional ports/services from taken list. Firstly, all additional services are removed also with their aliases. Secondly new ports/protocols are added. It uses GetAdditionalServices() function to get the current state and then it removes what has been removed and adds what has been added.

Parameters:
protocol
zone
new_list_services
Example

	SetAdditionalServices ("TCP", "EXT", ["53", "128"])
See
GetAdditionalServices()
global IsOtherFirewallRunning () -> boolean

Function returns if any firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to get the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

Return value:
if other firewall is running
global GetFirewallInterfacesMap () -> map <string, list <string> >

Function returns map of interfaces in zones.

Structure map $[zone : [list of interfaces]]

Return value:
map of interfaces in zones
Example

	GetFirewallInterfacesMap() -> $["DMZ":[], "EXT":["dsl0"], "INT":["eth1", "eth2"]]
global GetSpecialInterfacesInZone (string zone) -> list <string>

Function returns list of special strings like 'any' or 'auto' and unknown interfaces.

Parameters:
zone
Return value:
special strings or unknown interfaces
Example

	GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]
global RemoveSpecialInterfaceFromZone (string interface, string zone) -> void

Function removes special string from defined zone.

Parameters:
interface
zone
global AddSpecialInterfaceIntoZone (string interface, string zone) -> void

Function adds special string into the defined zone.

Parameters:
interface
zone
global GetMasquerade () -> boolean

Function returns actual state of Masquerading support.

Return value:
if supported
global SetMasquerade (boolean enable) -> void

Function sets Masquerade support.

Parameters:
enable
global GetListOfForwardsIntoMasquerade () -> list <map <string, string> >

Function returns list of rules for forwarding ports to masqueraded IPs.

Structure list [$[ key: value ]]

Return value:
list of rules
Example

	GetListOfForwardsIntoMasquerade() -> [
	  $[
	    "forward_to":"172.24.233.1",
	    "protocol":"tcp",
	    "req_ip":"192.168.0.3",
	    "req_port":"355",
	    "source_net":"192.168.0.0/20",
	    "to_port":"533"
	  ],
	  ...
	]
global RemoveForwardIntoMasqueradeRule (integer remove_item) -> void

Function removes rule for forwarding into masquerade from the list of current rules returned by GetListOfForwardsIntoMasquerade().

Parameters:
remove_item
See
GetListOfForwardsIntoMasquerade()
global AddForwardIntoMasqueradeRule (string source_net, string forward_to_ip, string protocol, string req_port, string redirect_to_port, string requested_ip) -> void

Adds forward into masquerade rule.

Parameters:
source_net
forward_to_ip
protocol
req_port
redirect_to_port
requested_ip
Example

	AddForwardIntoMasqueradeRule ("0/0", "192.168.32.1", "TCP", "80", "8080", "10.0.0.1")
global GetLoggingSettings (string rule) -> string

Function returns actual state of logging for rule taken as parameter.

Parameters:
rule
Return value:
'ALL', 'CRIT', or 'NONE'
Example

	GetLoggingSettings("ACCEPT") -> "CRIT"
	GetLoggingSettings("DROP") -> "CRIT"
global SetLoggingSettings (string rule, string state) -> void

Function sets state of logging for rule taken as parameter.

Parameters:
rule
state
Example

	SetLoggingSettings ("ACCEPT", "ALL")
	SetLoggingSettings ("DROP", "NONE")
global GetIgnoreLoggingBroadcast (string zone) -> string

Function returns yes/no - whether logging of broadcast packets is ignored for the zone.

Parameters:
zone
Return value:
"yes" or "no"
Example

	// Does not log ignored broadcast packets
	GetIgnoreLoggingBroadcast ("EXT") -> "yes"
global SetIgnoreLoggingBroadcast (string zone, string bcast) -> void

Function sets yes/no - whether logging of broadcast packets is ignored for the zone.

Parameters:
zone
bcast
Example

	// Do not log broadcast packets from DMZ
	SetIgnoreLoggingBroadcast ("DMZ", "yes")
global AddXenSupport () -> void

Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.

See
https://bugzilla.novell.com/show_bug.cgi?id=154133 https://bugzilla.novell.com/show_bug.cgi?id=233934 https://bugzilla.novell.com/show_bug.cgi?id=375482
global GetAcceptExpertRules (string zone) -> string

Returns the rules describing protocols and ports that are allowed to be accessed from the listed hosts. All rules are returned as a single string. The zone needs to be defined.

Parameters:
zone
Return value:
string with rules
global SetAcceptExpertRules (string zone, string expert_rules) -> boolean

Sets expert allow rules for zone.

Parameters:
zone
expert_rules
Return value:
if successful
global GetFirewallKernelModules () -> list <string>

Returns list of additional kernel modules, that are loaded by firewall on startup. For instance "ip_conntrack_ftp" and "ip_nat_ftp" for FTP service.

Return value:
list of kernel modules
See
/etc/sysconfig/SuSEfirewall2 option nr. 32 (FW_LOAD_MODULES)
global SetFirewallKernelModules (list <string> k_modules) -> void

Sets list of additional kernel modules to be loaded by firewall on startup.

Parameters:
k_modules
Example
 SuSEFirewall::SetFirewallKernelModules (["ip_conntrack_ftp","ip_nat_ftp"]);
See
/etc/sysconfig/SuSEfirewall2 option nr. 32
global GetProtocolTranslatedName (string protocol) -> string

Returns translated protocol name. Translation is provided from SuSEfirewall2 sysconfig format to l10n format.

Parameters:
protocol
Return value:
translated string (e.g., RPC)
global GetServicesAcceptRelated (string zone) -> list <string>

Returns list of FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Parameters:
zone
Return value:
list of definitions
Example

 GetServicesAcceptRelated ("EXT") -> ["0/0,udp,427", "0/0,udp,137"]
See
SetServicesAcceptRelated()
global SetServicesAcceptRelated (string zone, list <string> ruleset) -> void

Function sets FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Parameters:
zone
ruleset
Example

 SetServicesAcceptRelated ("EXT", ["0/0,udp,427", "0/0,udp,137"])
See
GetServicesAcceptRelated()
local CheckKernelModules () -> void

Checks whether any Accept-Related rules have been defined. If true, required kernel modules are added.

local RemoveOldAllowedServiceFromZone (map <string, any> old_service_def, string zone) -> void

Removes old-service definitions before they are added as services defined by packages.

Parameters:
old_service_def
zone
global ConvertToServicesDefinedByPackages () -> void

Converts old built-in service definitions to services defined by packages.

See
bnc 399217