how to use SuSEfirewall 'FW_REDIRECT' smartly

for FW_REDIRECT, in /etc/sysconfig/SuSEfirewall configuration file, may we use a file as an argument, e.g. currently FW_REDIRECT is set as:

FW_REDIRECT=" 0/0,0/0,tcp,443,8443 0/0,0/0,tcp,80,8080 0/0,0/0,tcp,289,1289 172.20.17.101/32,0/0,udp,514,1714 172.20.17.102/32,0/0,udp,514,1714 172.20.17.103/32,0/0,udp,514,1714 172.20.17.105/32,0/0,udp,514,1714 172.20.17.106/32,0/0,udp,514,1714 172.20.17.11/32,0/0,udp,514,1614 172.20.17.12/32,0/0,udp,514,1614 172.20.18.12/32,0/0,udp,514,1614 172.20.25.35/32,0/0,udp,514,1614 172.20.18.104/32,0/0,udp,514,1814 0/0,0/0,udp,514,1514"

I would rather like to use:
FW_REDIRECT=/etc/sysconfig/SuSEfirewall.d/aix-servers.txt, /etc/sysconfig/SuSEfirewall.d/cisco-switch-routers.txt, /etc/sysconfig/SuSEfirewall.d/solaris.txt

Is it possible?

Regards,

Hi sharfuddin,

[QUOTE=sharfuddin;29939]for FW_REDIRECT, in /etc/sysconfig/SuSEfirewall configuration file, may we use a file as an argument, e.g. currently FW_REDIRECT is set as:

FW_REDIRECT=" 0/0,0/0,tcp,443,8443 0/0,0/0,tcp,80,8080 0/0,0/0,tcp,289,1289 172.20.17.101/32,0/0,udp,514,1714 172.20.17.102/32,0/0,udp,514,1714 172.20.17.103/32,0/0,udp,514,1714 172.20.17.105/32,0/0,udp,514,1714 172.20.17.106/32,0/0,udp,514,1714 172.20.17.11/32,0/0,udp,514,1614 172.20.17.12/32,0/0,udp,514,1614 172.20.18.12/32,0/0,udp,514,1614 172.20.25.35/32,0/0,udp,514,1614 172.20.18.104/32,0/0,udp,514,1814 0/0,0/0,udp,514,1514"

I would rather like to use:
FW_REDIRECT=/etc/sysconfig/SuSEfirewall.d/aix-servers.txt, /etc/sysconfig/SuSEfirewall.d/cisco-switch-routers.txt, /etc/sysconfig/SuSEfirewall.d/solaris.txt

Is it possible?[/QUOTE]

Since that file is actually a bash script, you’re free to use any form of command to fill that variable, i.e.

FW_REDIRECT="$(cat /etc/sysconfig/SuSEfirewall.d/aix-servers.txt /etc/sysconfig/SuSEfirewall.d/cisco-switch-routers.txt /etc/sysconfig/SuSEfirewall.d/solaris.txt )"

Regards,
Jens
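As an added example (not code from the thread, nor part of SuSEfirewall2), the following sh script takes Jens' $(cat ...) idea one step further: it assembles FW_REDIRECT from per-platform fragment files but validates every five-field entry first, so a typo in one file fails loudly instead of being handed to the firewall at boot. The file names and sample entries are constructed for the demo; the fragment directory /etc/sysconfig/SuSEfirewall.d/ from the question is stood in for by a temp dir.

```shell
#!/bin/sh
# Added example: build FW_REDIRECT from fragment files with validation.
# Entries follow the five-field shape used in this thread:
#   <source net>,<dest net>,<tcp|udp>,<original port>,<redirect port>

# Return 0 if a single entry is well-formed, 1 otherwise.
check_redirect_entry() {
    old_ifs=$IFS; IFS=,; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 5 ] || return 1
    for net in "$1" "$2"; do          # 0/0 wildcard or dotted quad with /prefix
        case "$net" in 0/0|[0-9]*.*.*.*/[0-9]*) ;; *) return 1 ;; esac
    done
    case "$3" in tcp|udp) ;; *) return 1 ;; esac
    for p in "$4" "$5"; do            # ports: decimal digits only, 1..65535
        case "$p" in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
}

# Read fragment files (one entry per line, '#' comments and blank lines allowed)
# and print the space-separated value for FW_REDIRECT="...". Fails on the first bad entry.
build_fw_redirect() {
    out=""
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            e=${line%%#*}                                  # strip trailing comment
            e=$(printf '%s' "$e" | tr -d ' \t')            # tolerate stray whitespace
            [ -z "$e" ] && continue
            check_redirect_entry "$e" || { echo "$f: malformed entry '$e'" >&2; return 1; }
            out="${out:+$out }$e"
        done <"$f"
    done
    printf '%s\n' "$out"
}

# Constructed sample fragments standing in for the poster's aix-servers.txt etc.
demo=$(mktemp -d)
printf '172.20.17.11/32,0/0,udp,514,1614\n172.20.17.12/32,0/0,udp,514,1614\n' >"$demo/aix-servers.txt"
printf '# Cisco gear -> syslog on 1714\n172.20.17.101/32,0/0,udp,514,1714\n' >"$demo/cisco.txt"
printf '0/0,0/0,udp,514,1514\n' >"$demo/catch-all.txt"
printf '172.20.18.104/32,0/0,sctp,514,1814\n' >"$demo/broken.txt"   # sctp is rejected

FW_REDIRECT=$(build_fw_redirect "$demo/aix-servers.txt" "$demo/cisco.txt" "$demo/catch-all.txt")
echo "FW_REDIRECT=\"$FW_REDIRECT\""
build_fw_redirect "$demo/broken.txt" || echo "broken.txt rejected; FW_REDIRECT left unchanged"
```

Because the catch-all 0/0 entry is matched after the host-specific ones, keep it in the last fragment file so the redirect order stays the same as in the original single-line value.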

No, not like that at least. You can create files that follow the rest of
the loading to do custom things with iptables commands directly, so you
could probably put your commands into those files and have them run, but
that’s not exactly what you requested, though it may give you the same
functionality.

It may help to understand the purpose of your desired change.


Good luck.


It's a Sentinel box. We are running multiple Syslog Servers (udp), each on a unique port. For AIX we have a syslog server listening on udp 1614 and for Cisco we have a syslog server listening on udp 1714, etc.
As AIX, Cisco, Solaris etc. are sending their logs to udp 514, to redirect them to their dedicated Syslog Server I have set the FW_REDIRECT variable:

FW_REDIRECT=172.20.17.101/32,0/0,udp,514,1714   172.30.18.34/32,0/0,udp,514,1614   172.120.88.12/32,0/0,udp,514,1614 

Regards,

Thanks a lot Jens, you made my day :wink:

Hi sharfuddin,

glad to help. Please note that setting such a “value” will likely break YaST integration - IOW calling YaST to show/edit firewall values will probably result in errors and/or mis-filled fields… and potentially results in a borked /etc/sysconfig/SuSEfirewall file as well!

I strongly recommend creating a backup of your config file and trying the YaST route once, to actually see the impact.

Regards,
Jens