Printer, printer setup, multifunction printer, HP laserjet

That is normal. In a previous post I said:

[QUOTE]FYI, here’s a brief description of how your firewall configuration is implemented.
[LIST]
[*]When you use YaST Firewall, it saves the configuration in /etc/sysconfig/SuSEfirewall2.
[*]If you prefer and if you know what you are doing, you can use a text editor to change /etc/sysconfig/SuSEfirewall2 yourself.
[*]When you start the firewall (rcSuSEfirewall2 start) the configuration is read from /etc/sysconfig/SuSEfirewall2 and used to create a set of “iptables” rules.
[*]These rules are what really control access to your system.
[*]When you stop the firewall (rcSuSEfirewall2 stop) the rules are removed from “iptables”.
[/LIST][/QUOTE]

When troubleshooting, it is important to change only one thing at a time and observe how it affects everything!

Forget about iptables. I only mentioned it because it was an easy way to see what directives were in effect. If you need to configure your firewall, use YaST - Firewall.

Things are becoming way too complicated. I can’t follow what changes you are making and I don’t know which system you are changing.

In another post I suggested that we get things working from your SLED system first. That is your laptop, is it not? You said you can print when the firewall is disabled but not when it is enabled. That suggests it is a simple firewall issue.
[LIST]
[*]Find out what ports need to be open to print to your HP printer. Please tell us.
[*]Use YaST - Firewall to open the appropriate ports.
[/LIST]

Once you have this part working, we can continue looking at other issues.

The problem is: sometimes the printer works. It can happen that I change e.g. the firewall and the printer works, but not the next day with the same setup.
It is not stable.

Further, the DELL printer always prints, independent of what I do. Only the HP printer is a problem.

I made several tests at the weekend. The printer itself mentions on the display that the print file was not completely sent.
I tested with and without firewall,
with different print drivers,
different setups.

All that is collected in a file to give a better description and a systematic overview.
For me, it is quite confusing.
I made several dumps showing the LAN traffic too. I can upload them as well, fitting to the document attached here.

I tested this morning.

Same PC as before, firewall on.
Used my KVM virtual machine on this PC and started WIN10 on it,
installed the HP laserjet automatically and printed from Win10 via SUSE on the HP laserjet successfully.

[QUOTE=hcp_dk;36880]I made several tests at the weekend. The printer itself mentions on the display that the print file was not completely sent.
I tested with and without firewall.[/QUOTE]

I looked at the PDF file you provided. On Page 3, I see this:

[QUOTE]linuxSLES:/home/hans-christoph # snmpwalk -Os -c public -v 1 10.0.25.26
1.3.6.1.4.1.11.2.3.9.1.1.7.0[/QUOTE]

Please answer these questions:
[LIST=1]
[*]Is “LinuxSLES” your server?
[*]I thought we were going to get this working on your SLED system first?
Are you able to print from SLED to the HP printer with your firewall enabled?
[*]Please confirm: SLED is running on your laptop?
[/LIST]

In another post, you said:

The firewall screen shots show both an internal and an external interface.
[LIST=5]
[*]What system was this screen shot taken on?
[*]Why does it have multiple interfaces when you said you are using an external firewall?
[*]Please provide the IP addresses for each interface.
[*]Did you run the five Tests from your SLES or your SLED system?
[/LIST]

On Page 3 of the PDF, where it says “open ports manuell:”, you show the Custom Allowed Rules. They are not configured correctly!
[LIST]
[*]The source network should not be “0/0” (any network). Since your printing is between devices on your LAN, the source network should be your LAN. Example: 192.168.1.0/24.
[*]Do not configure a Source Port. Source ports usually cannot be predicted. If you do configure one, all traffic will likely be blocked because the actual source port will not match the one you specified.
[/LIST]

Please correct your firewall configuration and provide the requested information.

Hi Kevin,
first of all, thanks for the support and engagement.

I have SLED (laptop) and SLES + Workstation Extension on a PC; SLES to see how that works. I agree, we stick to SLES since both systems, even though very alike, seem to act differently.
SLES is on the LAN.
The server is a Windows Server 2008 - Active Domain. SLES works as a desktop.

I tried and tested in the beginning from both systems, since they should be alike. I found out that it might work once, one day or hour, but not later. Why, I don’t know.
In general, I can’t print stably from a Linux system to the HP laserjet.
(Just as a note: I have another PC with Leap42.1. Here I can’t print either.)

The whole system is like: 100Mbits WAN - Modem - Trustgate (DHCP) - Asus WLAN access point,
from here WLAN and LAN to the whole system.

Since all printers etc. are in the “internal system”, the Trustgate firewall is not important.
All print screens are from the SLES system, from the here called internal zone and external zone. The network card is in the internal zone. The SUSE Firewall provides these zones by default: internal zone and external zone.
All data and print screens come from SLES.

The Trustgate has IP 10.0.25.1
Win Server IP 10.0.25.4
HP Laserjet IP 10.0.25.26
SLES has a dynamic address obtained from the DHCP server.

I made a check of all ports via nmap.
I made 7 tests (I will send a link later where I showed I can print from the virtual box KVM and Windows 10 via SLES to the HP laserjet).
I made LAN dumps for all tests.
Printer shows: Not all data arrived at the printer.

Custom rules:
On the HPLIP website HP suggests opening some ports manually to solve possible issues. I put the links here too. I followed that. [QUOTE]http://hplipopensource.com/node/216 [/QUOTE] and [QUOTE]http://hplipopensource.com/node/375[/QUOTE]
Maybe you can help me to set these rules correctly?

I’ll try to correct the port information as mentioned.
Thanks for the support

I suggested you try to get printing working on your SLED desktop/laptop first.

You said that you can print to the HP printer from your laptop when the firewall is disabled so this should be a simple firewall configuration issue.

In my previous post I pointed out some firewall configuration issues which should be easy to correct. Printing should work once your firewall is configured correctly.

Once you can print from your laptop, you will know what the correct firewall settings are. You can then use the same settings on your SLES system. That may not be enough to let you print from your SLES system because I suspect there may be other configuration issues we will need to look at.

Are you okay with this approach?

Okay, for now we will ignore the Trustgate firewall.

Let’s look a little closer at this:
[LIST]
[*]The external zone is considered unsafe. Traffic to and from this zone is blocked by default. Exceptions are needed to permit traffic.
[*]The internal zone is considered safe. Traffic to and from this zone is permitted by default.
[/LIST]

You said:

To simplify the firewall configuration each interface, Network Interface Card (NIC), is assigned to a zone. While a zone can have multiple NICs assigned to it, if you only have one NIC, how can you have both an internal and an external zone?

Please refer to the SUSE Linux Enterprise Server 11 SP4 Security Guide
15.3. Firewalling Basics
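The two points made in this post and the earlier one (every NIC belongs to exactly one zone; a Custom Allowed Rule should name the LAN as source network and carry no source port) can be checked mechanically against the sysconfig file. The script below is an added example, not code from this thread or from SUSE. SAMPLE_CONFIG is a constructed excerpt in /etc/sysconfig/SuSEfirewall2 syntax that mirrors the values posted later in the thread; LAN_NET (10.0.25.0/24) is an assumption derived from the 10.0.25.x addresses mentioned; the label "unassigned" for an interface listed in no FW_DEV_* variable is the script’s own term (the file only documents what the "any" keyword does). The linter also generalizes slightly beyond the thread: it flags any source network wider than the LAN, not only 0/0, and it notes that with FW_PROTECT_FROM_INT="no" internal-zone accept rules change nothing, which is what the file’s own comment says.

```python
"""Check a SuSEfirewall2 sysconfig file for zone assignment and for the two
Custom Allowed Rules mistakes discussed in the thread (0/0 source network,
explicit source port).

Added example, not code from the thread or from SUSE. SAMPLE_CONFIG is a
constructed excerpt mirroring the posted values; LAN_NET is an assumed LAN.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
## Type: string
# Which are the interfaces that point to the internet/untrusted networks?
FW_DEV_EXT=""
FW_DEV_INT="eth0 wlan0 wwan0"
FW_DEV_DMZ=""
FW_PROTECT_FROM_INT="no"
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
FW_SERVICES_ACCEPT_INT="0/0,udp,5353,5353 0/0,udp,427,427"
FW_SERVICES_ACCEPT_EXT=""
"""

# Assumed: the poster's LAN, inferred from the 10.0.25.x addresses in the thread.
LAN_NET = ipaddress.ip_network("10.0.25.0/24")

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Return KEY -> value for a sysconfig file. '#' lines and blanks are skipped
    and surrounding quotes stripped; the file is not a shell script, so no expansion."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            val = val[1:-1]
        conf[key] = val
    return conf


def interface_zones(conf: Dict[str, str], interfaces: List[str]) -> Dict[str, str]:
    """Map interface names to the zone (ext/int/dmz) FW_DEV_* assigns them to.
    Per the file's own comment, the keyword 'any' in FW_DEV_EXT makes every
    interface not listed elsewhere external; otherwise such an interface is
    reported as 'unassigned' (this script's label, not a SuSEfirewall2 term)."""
    assigned: Dict[str, str] = {}
    for zone in ("ext", "int", "dmz"):
        for dev in conf.get(f"FW_DEV_{zone.upper()}", "").split():
            if dev != "any":
                assigned[dev] = zone
    fallback = "ext" if "any" in conf.get("FW_DEV_EXT", "").split() else "unassigned"
    return {ifc: assigned.get(ifc, fallback) for ifc in interfaces}


def lint_accept_rules(conf: Dict[str, str], zone: str,
                      lan_net: ipaddress.IPv4Network = LAN_NET) -> Dict[str, List[str]]:
    """Check FW_SERVICES_ACCEPT_<ZONE> entries (net,protocol[,dport[,sport[,flags]]]).
    Returns findings plus corrected rules: LAN as source, destination port only."""
    key = f"FW_SERVICES_ACCEPT_{zone.upper()}"
    rules = conf.get(key, "").split()
    findings: List[str] = []
    suggested: List[str] = []
    if zone == "int" and rules and conf.get("FW_PROTECT_FROM_INT", "no") == "no":
        findings.append(f'{key}: FW_PROTECT_FROM_INT="no" already allows all traffic '
                        "from the internal zone, so these rules change nothing")
    for rule in rules:
        fields = rule.split(",")
        if len(fields) < 2:
            findings.append(f'{key}: "{rule}" is malformed (need at least net,protocol)')
            continue
        net, proto = fields[0], fields[1]
        dport = fields[2] if len(fields) > 2 else None
        sport = fields[3] if len(fields) > 3 else None
        if net in ("0/0", "0.0.0.0/0"):
            findings.append(f'{key}: "{rule}" accepts from any network; for LAN printing '
                            f"the source should be the LAN, e.g. {lan_net}")
        else:
            try:
                src = ipaddress.ip_network(net, strict=False)
            except ValueError:
                findings.append(f'{key}: "{rule}" has an unparsable source network')
                continue
            if src.version == lan_net.version and lan_net.subnet_of(src) and src != lan_net:
                findings.append(f'{key}: "{rule}" source {src} is wider than the LAN {lan_net}')
        if sport is not None:
            findings.append(f'{key}: "{rule}" fixes source port {sport}; source ports are '
                            "usually unpredictable, so the rule will not match real traffic")
        suggested.append(f"{lan_net},{proto}" + (f",{dport}" if dport else ""))
    return {"findings": findings, "suggested": suggested}


if __name__ == "__main__":
    cfg = parse_sysconfig(SAMPLE_CONFIG)
    # Interface names taken from the ifconfig output posted in the thread.
    for ifc, zone in interface_zones(cfg, ["eth0", "wlan0", "virbr0"]).items():
        print(f"{ifc:8s} -> {zone}")
    for zone in ("ext", "int"):
        report = lint_accept_rules(cfg, zone)
        for finding in report["findings"]:
            print("WARN", finding)
        if report["suggested"]:
            key, joined = f"FW_SERVICES_ACCEPT_{zone.upper()}", " ".join(report["suggested"])
            print(f'corrected {key}="{joined}"')
```

Run against the real file with `python3 lint_sfw2.py < /etc/sysconfig/SuSEfirewall2` after replacing SAMPLE_CONFIG with `sys.stdin.read()`. The corrected rule string it prints is what YaST’s Custom Allowed Rules dialog should end up writing: LAN network as source, protocol, destination port, nothing else.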

I’m trying!:o

Hi Kevin,

According to the documentation, in the internal zone all ports are open.
The NIC is in the internal zone.
That means all ports should be open.

Why can I print via KVM and Win10, but not via SUSE?
Why is the whole file not sent?

[QUOTE=hcp_dk;36957]Hi Kevin,

According to the documentation, in the internal zone all ports are open.
The NIC is in the internal zone.
That means all ports should be open.[/QUOTE]

I agree with your conclusion!

[QUOTE]Why can I print via KVM and Win10, but not via SUSE?
Why is the whole file not sent?[/QUOTE]

That is what we are trying to find out.
[LIST]
[*]You have two systems with printing issues: SLES (your server) and SLED (your laptop).
[*]They both may or may not suffer from the same issue. That is still to be determined.
[*]To simplify troubleshooting, we should not make assumptions. We need to verify everything.
[*]When you provide additional information, please be sure to specify where the information was obtained (server or laptop).
[*]Because you said you can print from your laptop when the firewall is disabled, it appears there is a firewall issue that should be easy to resolve. That is why I would like to resolve your laptop printing issue first.
[/LIST]
Please post the output from these commands:
[LIST]
[*]Run them on your laptop.
[*]When posting the results, please use code tags: ("[SIZE=3]#[/SIZE]").
[/LIST]

[CODE]cat /etc/*release
ifconfig
cat /etc/sysconfig/SuSEfirewall2[/CODE]

Hi Kevin,

These data are now from the laptop. Both SLES, SLED.

cat /etc/*release

[CODE]NAME="SLED"
VERSION="12-SP2"
VERSION_ID="12.2"
PRETTY_NAME="SUSE Linux Enterprise Desktop 12 SP2"
ID="sled"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sled:12:sp2"
SUSE Linux Enterprise Desktop 12 (x86_64)
VERSION = 12
PATCHLEVEL = 2

This file is deprecated and will be removed in a future service pack or release.

Please check /etc/os-release for details about this release.

[/CODE]

ifconfig

[CODE]SLEDLaptop:/home/hans-christoph # ifconfig
eth0 Link encap:Ethernet HWaddr C4:7D:46:1E:6A:67
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:16 Memory:b1200000-b1220000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:237 errors:0 dropped:0 overruns:0 frame:0
TX packets:237 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:42224 (41.2 Kb) TX bytes:42224 (41.2 Kb)

virbr0 Link encap:Ethernet HWaddr 52:54:00:94:74:BC
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

wlan0 Link encap:Ethernet HWaddr A4:34:D9:D7:ED:71
inet addr:10.0.25.147 Bcast:10.0.25.255 Mask:255.255.255.0
inet6 addr: fe80::a634:d9ff:fed7:ed71/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:107089 errors:0 dropped:0 overruns:0 frame:0
TX packets:46230 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:147963529 (141.1 Mb) TX bytes:5659802 (5.3 Mb)
[/CODE]
I have installed KVM (virtual machine) on the laptop too because I use WIN10 for special engineering software within SUSE. virbr0 is the LAN bridge to the virtual machine.

[CODE]SLEDLaptop:/home/hans-christoph # cat /etc/sysconfig/SuSEfirewall2

Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany

Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany

Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany

Author: Marc Heuse, 2002

Ludwig Nussel, 2004-2011

/etc/sysconfig/SuSEfirewall2

for use with /sbin/SuSEfirewall2 version 3.6

------------------------------------------------------------------------

Note that running a packet filter/firewall is no panacea against

network security threats. Make sure to

- expose only actually needed services

- assign different zones to express different levels of trust.

Opening ports for LAN services in the external zone defeats the

purpose of the firewall!

- use software that is designed with security in mind (such as

postfix, vsftpd, openssh)

- install security updates regularly

------------------------------------------------------------------------

Configuration Hints:

Note that while this file looks like a shell script and is parsed

by a shell script it actually is not a shell script itself. More

information about sysconfig files can be found here:

http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig

It’s generally a good idea to avoid using shell variable

substitution (foo="$bar") and multi line values.

If you have any problems configuring this file, take a look at

/usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST

For end user systems that are only connected to one network

FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need

to be modified. The defaults for all other settings are usually

fine.

For firewalls that should perform routing or masquerading between

networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,

FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,

FW_FORWARD_MASQ

Please note that if you use service names, they have to exist in

/etc/services. There is for example no service “dns”, it’s called

“domain”; email is called “smtp” etc.

------------------------------------------------------------------------

Path: Network/Firewall/SuSEfirewall2

Description: SuSEfirewall2 configuration

Type: string

Which are the interfaces that point to the internet/untrusted

networks?

Enter all untrusted network devices here

Format: space separated list of interface or configuration names

The special keyword “any” means that packets arriving on interfaces not

explicitly configured as int, ext or dmz will be considered external. Note:

this setting only works for packets destined for the local machine. If you

want forwarding or masquerading you still have to add the external interfaces

individually. “any” can be mixed with other interface names.

Examples: “wlan0”, “ippp0 ippp1”, “any dsl0”

Note: alias interfaces (like eth0:1) are ignored

FW_DEV_EXT=""

Type: string

Which are the interfaces that point to the internal network?

Enter all trusted network interfaces here. If you are not

connected to a trusted network (e.g. you have just a dialup) leave

this empty.

Format: space separated list of interface or configuration names

Examples: “tr0”, “eth0 eth1”

FW_DEV_INT=“eth0 wlan0 wwan0”

Type: string

Which are the interfaces that point to the dmz or dialup network?

Enter all the network devices here which point to the dmz/dialups.

A “dmz” is a special, seperated network, which is only connected

to the firewall, and should be reachable from the internet to

provide services, e.g. WWW, Mail, etc. and hence is at risk from

attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an

example.

Note: You have to configure FW_FORWARD to define the services

which should be available to the internet and set FW_ROUTE to yes.

Format: space separated list of interface or configuration names

Examples: “tr0”, “eth0 eth1”

FW_DEV_DMZ=""

Type: yesno

Should routing between the internet, dmz and internal network be

activated?

Set this to “yes” if you either want to masquerade internal

machines or allow access to the dmz (or internal machines, but

this is not a good idea).

This option overrides IP_FORWARD from /etc/sysconfig/sysctl and

net.ipv4.ip_forward settings in /etc/sysctl.conf

Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on

manually.

Setting this option one alone doesn’t do anything. Either activate

masquerading with FW_MASQUERADE below if you want to masquerade

your internal network to the internet, or configure FW_FORWARD to

define what is allowed to be forwarded. You also need to define

internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.

defaults to “no” if not set

FW_ROUTE=“no”

Type: yesno

Do you want to masquerade internal networks to the outside?

Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV

“Masquerading” means that all your internal machines which use

services on the internet seem to come from your firewall. Please

note that it is more secure to communicate via proxies to the

internet than to use masquerading.

This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.

defaults to “no” if not set

FW_MASQUERADE=“no”

Type: string

You also have to define on which interfaces to masquerade on.

Those are usually the same as the external interfaces. Most users

can leave the default.

The special string “zone:” concatenated with the name of a zone

means to take all interfaces in the specified zone.

Note: Old version of SuSEfirewall2 used a shell variable

($FW_DEV_EXT) here. That method is deprecated as it breaks auto

detection of interfaces. Please use zone:ext instead.

Examples: “ippp0”, “zone:dmz”

defaults to “zone:ext” if not set

FW_MASQ_DEV=""

Type: string

Which internal computers/networks are allowed to access the

internet via masquerading (not via proxys on the firewall)?

Format: space separated list of

[,,[,port[:port]]

If the protocol is icmp then port is interpreted as icmp type

Examples: - “0/0” unrestricted access to the internet

This is also the default if you leave FW_MASQ_NETS empty.

- “10.0.0.0/8” allows the whole 10.0.0.0 network with

unrestricted access.

- “10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21” allows

the 10.0.1.0 network to use www/ftp to the internet. -

- “10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24” the

10.0.1.0/24 network is allowed to access unprivileged

ports whereas 10.0.2.0/24 is granted unrestricted

access.

- “0/0,!10.0.0.0/8” unrestricted access to the internet

with the exception of 10.0.0.8 which will not be

masqueraded.

FW_MASQ_NETS=""

Type: string

Which computers/networks to exclude from masquerading.

Note that this only affects the POSTROUTING chain of the nat

table. Ie the forwarding rules installed by FW_MASQ_NETS do not

include the listed exceptions.

*** Since you may use FW_NOMASQ_NETS together with IPsec make sure

that the policy database is loaded even when the tunnel is not up

yet. Otherwise packets to the listed networks will be forwarded to

the internet unencrypted! ***

Format: space separated list of

[,,[,port[:port]]

If the protocol is icmp then port is interpreted as icmp type

Examples: - “0/0,10.0.0.0/8” do not masquerade packets from

anywhere to the 10.0.0.0/8 network

FW_NOMASQ_NETS=""

Type: list(yes,no,notrack,)

Do you want to protect the firewall from the internal network?

Requires: FW_DEV_INT

If you set this to “yes”, internal machines may only access

services on the firewall you explicitly allow. If you set this to

“no”, any internal user can connect (and attack) any service on

the firewall.

The value “notrack” acts similar to “no” but additionally

connection tracking is switched off for interfaces in the zone.

This is useful to gain better performance on high speed

interfaces.

defaults to “no” if not set

see also FW_REJECT_INT

FW_PROTECT_FROM_INT=“no”

Type: string

Which TCP services on the firewall should be accessible from

untrusted networks?

Format: space separated list of ports, port ranges or well known

service names (see /etc/services)

Examples: “ssh”, “123 514”, “3200:3299”, “ftp 22 telnet 512:514”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_TCP=""

Type: string

Which UDP services on the firewall should be accessible from

untrusted networks?

Format: space separated list of ports, port ranges or well known

service names (see /etc/services)

Example: “53”, “syslog”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_UDP=“427 5353”

Type: string

Which IP services on the firewall should be accessible from

untrusted networks?

Usually for VPN/Routing services that END at the firewall like

IPsec, GRE, PPTP or OSPF

Format: space separated list of ports, port ranges or well known

protocol names (see /etc/protocols)

Example: “esp”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_IP=""

Type: string

Which RPC services on the firewall should be accessible from

untrusted networks?

Port numbers of RPC services are dynamically assigned by the

portmapper. Therefore “rpcinfo -p localhost” has to be used to

automatically determine the currently assigned port for the

services specified here.

USE WITH CAUTION!

regular users can register rpc services and therefore may be able

to have SuSEfirewall2 open arbitrary ports

Example: “mountd nfs”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_RPC=""

Type: string

Which services on the firewall should be accessible from

untrusted networks?

Packages can drop a configuration file that specifies all required

ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for

services that require multiple ports or protocols. Enter the space

separated list of configuration files you want to load.

The content of those files is merged into

FW_SERVICES_$zone_$protocol, ie has precedence over

FW_SERVICES_ACCEPT_*

Example: “samba-server nfs-kernel-server”

FW_CONFIGURATIONS_EXT=“avahi netbios-server samba-client samba-server”

Type: string

see comments for FW_SERVICES_EXT_TCP

FW_SERVICES_DMZ_TCP=""

Type: string

see comments for FW_SERVICES_EXT_UDP

FW_SERVICES_DMZ_UDP=""

Type: string

see comments for FW_SERVICES_EXT_IP

FW_SERVICES_DMZ_IP=""

Type: string

see comments for FW_SERVICES_EXT_RPC

FW_SERVICES_DMZ_RPC=""

Type: string

see comments for FW_CONFIGURATIONS_EXT

FW_CONFIGURATIONS_DMZ=""

Type: string

see comments for FW_SERVICES_EXT_TCP

FW_SERVICES_INT_TCP=""

Type: string

see comments for FW_SERVICES_EXT_UDP

FW_SERVICES_INT_UDP=""

Type: string

see comments for FW_SERVICES_EXT_IP

FW_SERVICES_INT_IP=""

Type: string

see comments for FW_SERVICES_EXT_RPC

FW_SERVICES_INT_RPC=""

Type: string

see comments for FW_CONFIGURATIONS_EXT

FW_CONFIGURATIONS_INT=“netbios-server samba-client samba-server”

Type: string

Packets to drop.

Format: space separated list of net,protocol[,port][,sport]

Example: “0/0,tcp,445 0/0,udp,4662”

The special value rpc is recognized as protocol and means that dport is

interpreted as rpc service name. See FW_SERVICES_EXT_RPC for

details.

Note: In older SuSEfirewall2 version this setting took place after

FW_SERVICES_ACCEPT_*, now it takes precedence.

FW_SERVICES_DROP_EXT=""

Type: string

see FW_SERVICES_DROP_EXT

FW_SERVICES_DROP_DMZ=""

Type: string

see FW_SERVICES_DROP_EXT

FW_SERVICES_DROP_INT=""

Type: string

Default:

Packets to reject. Common usage is TCP port 113 which if dropped

would cause long timeouts when sending mail or connecting to IRC

servers.

Format: space separated list of net,protocol[,dport][,sport]

Example: “0/0,tcp,113”

The special value rpc is recognized as protocol and means that dport is

interpreted as rpc service name. See FW_SERVICES_EXT_RPC for

details.

Note: In older SuSEfirewall2 version this setting took place after

FW_SERVICES_ACCEPT_*, now it takes precedence.

FW_SERVICES_REJECT_EXT=""

Type: string

see FW_SERVICES_REJECT_EXT

FW_SERVICES_REJECT_DMZ=""

Type: string

see FW_SERVICES_REJECT_EXT

FW_SERVICES_REJECT_INT=""

Type: string

Default:

Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}

and more specific than FW_TRUSTED_NETS

Format: space separated list of net,protocol[,dport[,sport[,flags]]]

Example: “0/0,tcp,22”

Supported flags are

hitcount=NUMBER : ipt_recent --hitcount parameter

blockseconds=NUMBER : ipt_recent --seconds parameter

recentname=NAME : ipt_recent --name parameter

Example:

Allow max three ssh connects per minute from the same IP address:

“0/0,tcp,22,hitcount=3,blockseconds=60,recentname=ssh”

The special value rpc is recognized as protocol and means that dport is

interpreted as rpc service name. See FW_SERVICES_EXT_RPC for

details.

Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP

take precedence over FW_SERVICES_ACCEPT_EXT so don’t open the same

port with both options.

Note2: the iptables recent module may not be available for ipv6. To

avoid an error message use 0.0.0.0/0 instead of 0/0. This will

install the rule for ipv4 only.

FW_SERVICES_ACCEPT_EXT=""

Type: string

see FW_SERVICES_ACCEPT_EXT

FW_SERVICES_ACCEPT_DMZ=""

Type: string

see FW_SERVICES_ACCEPT_EXT

FW_SERVICES_ACCEPT_INT=“0/0,udp,5353,5353
0/0,udp,427,427”

Type: string

Default:

Services to allow that are considered RELATED by the connection tracking

engine.

Format: space separated list of net,protocol[,sport[,dport]]

Example:

Allow samba broadcast replies marked as related by

nf_conntrack_netbios_ns from a certain network:

“192.168.1.0/24,udp,137”

See also FW_LOAD_MODULES

FW_SERVICES_ACCEPT_RELATED_EXT=""

Type: string

see FW_SERVICES_ACCEPT_RELATED_EXT

FW_SERVICES_ACCEPT_RELATED_DMZ=""

Type: string

see FW_SERVICES_ACCEPT_RELATED_EXT

FW_SERVICES_ACCEPT_RELATED_INT=""

Type: string

Which services should be accessible from ‘trusted’ hosts or nets?

Define trusted hosts or networks (doesn’t matter whether they are internal or

external) and the services (tcp,udp,icmp) they are allowed to use. This can

be used instead of FW_SERVICES_* for further access restriction. Please note

that this is no replacement for authentication since IP addresses can be

spoofed. Also note that trusted hosts/nets are not allowed to ping the

firewall until you also permit icmp.

Format: space separated list of network[,protocol[,port]]

in case of icmp, port means the icmp type

Example: “172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22”

FW_TRUSTED_NETS=""

Type: string

Which services or networks are allowed to be routed through the

firewall, no matter which zone they are in?

Requires: FW_ROUTE

With this option you may allow access to e.g. your mailserver. The

machines must have valid, non-private, IP addresses which were

assigned to you by your ISP. This opens a direct link to the

specified network, so please think twice befor using this option!

Format: space separated list of

,[,protocol[,destination port[,flags]]]

If the protocol is icmp then port is interpreted as icmp type

flags, separated by comma:

ipsec:

match packets that originate from an IPsec tunnel

zonein=ZONE, zoneout=ZONE:

match only packets coming in/going out on interfaces from

the specified zone.

Examples: - “1.1.1.1,2.2.2.2” allow the host 1.1.1.1 to access any

service on the host 2.2.2.2

- “3.3.3.3/16,4.4.4.4/24” allow the network 3.3.3.3/16

to access any service in the network 4.4.4.4/24

- “5.5.5.5,6.6.6.6,igmp” allow routing of IGMP messages

from 5.5.5.5 to 6.6.6.6

- “0/0,0/0,udp,514” always permit udp port 514 to pass

the firewall

- "192.168.1.0/24,10.10.0.0/16,ipsec \

10.10.0.0/16,192.168.1.0/24,ipsec" permit traffic

from 192.168.1.0/24 to 10.10.0.0/16 and vice versa

provided that both networks are connected via an

IPsec tunnel.

- “fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh”

allow ssh from one IPv6 network to another

FW_FORWARD=""

Type: string

same as FW_FORWARD but packages are rejected instead of accepted

Requires: FW_ROUTE

FW_FORWARD_REJECT=""

Type: string

same as FW_FORWARD but packages are dropped instead of accepted

Requires: FW_ROUTE

FW_FORWARD_DROP=""

Type: string

Which services accessed from the internet should be allowed to masqueraded

servers (on the internal network or dmz)?

Requires: FW_ROUTE

With this option you may allow access to e.g. your mailserver. The

machines must be in a masqueraded segment and may not have public

IP addesses! Hint: if FW_DEV_MASQ is set to the external interface

you have to set FW_FORWARD from internal to DMZ for the service as

well to allow access from internal!

Please note that this should not be used for security reasons!

You are opening a hole to your precious internal network. If e.g.

the webserver there is compromised - your full internal network is

compromised!

Format: space separated list of

,,,[,redirect port,[destination ip]]

Protocol must be either tcp or udp

Examples: - “4.0.0.0/8,10.0.0.10,tcp,80” forward all tcp request on

port 80 coming from the 4.0.0.0/8 network to the

internal server 10.10.0.10

- “4.0.0.0/8,10.0.0.10,tcp,80,81” forward all tcp request on

port 80 coming from the 4.0.0.0/8 network to the

internal server 10.10.0.10 on port 81

- “200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202”

the network 200.200.200.0/24 trying to access the

address 202.202.202.202 on port 80 will be forwarded

to the internal server 10.0.0.10 on port 81

Note: du to inconsistent iptables behaviour only port numbers are possible

but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)

FW_FORWARD_MASQ=""

Type: string

Which accesses to services should be redirected to a local port on

the firewall machine?

This option can be used to force all internal users to surf via

your squid proxy, or transparently redirect incoming webtraffic to

a secure webserver.

Format: list of [,,[,dport[:lport]]

Where protocol is either tcp or udp. dport is the original

destination port and lport the port on the local machine to

redirect the traffic to

An exclamation mark in front of source or destination network

means everything EXCEPT the specified network

Example: “10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080”

Note: contrary to previous SuSEfirewall2 versions it is no longer necessary

to additionally open the local port

FW_REDIRECT=""

Type: yesno

Which kind of packets should be logged?

When set to “yes”, packages that got dropped and are considered

‘critical’ will be logged. Such packets include for example

spoofed packets, tcp connection requests and certain icmp types.

defaults to “yes” if not set

FW_LOG_DROP_CRIT=“yes”

Type: yesno

whether all dropped packets should be logged

Note: for broadcasts to be logged you also need to set

FW_IGNORE_FW_BROADCAST_* to ‘no’

defaults to “no” if not set

FW_LOG_DROP_ALL=“no”

Type: yesno

When set to “yes”, packages that got accepted and are considered

‘critical’ will be logged. Such packets include for example tcp

connection requests, rpc connection requests and forwarded pakets.

Set to “no” for on systems with high traffic

defaults to “no” if not set

FW_LOG_ACCEPT_CRIT=“yes”

Type: yesno

whether all accepted packets should be logged

Note: setting this to ‘yes’ causes LOTS of log entries and may

fill your disk quickly. It also disables FW_LOG_LIMIT

defaults to “no” if not set

FW_LOG_ACCEPT_ALL=“no”

Type: string

How many packets per time unit get logged for each logging rule.

When empty a default of 3/minute is used to prevent port scans

flooding your log files. For desktop usage it’s a good idea to

have the limit, if you are using logfile analysis tools however

you might want to disable it.

Set to ‘no’ to disable the rate limit. Setting FW_LOG_ACCEPT_ALL

to ‘yes’ disables this option as well.

Format: a digit and suffix /second, /minute, /hour or /day

FW_LOG_LIMIT=""

Type: string

iptables logging option. Must end with --log-prefix and some prefix

characters

You may specify an alternative logging target by starting the

string with "-j ". E.g. “-j ULOG --ulog-prefix SFW2”

Note that ULOG doesn’t work with IPv6

only change this if you know what you are doing!

FW_LOG=""

Type: yesno

Do you want to enable additional kernel TCP/IP security features?

If set to yes, some obscure kernel options are set.

(icmp_ignore_bogus_error_responses, icmp_echoreply_rate,

icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,

ip_local_port_range, log_martians, rp_filter, routing flush,

bootp_relay, proxy_arp, secure_redirects, accept_source_route

icmp_echo_ignore_broadcasts, ipfrag_time)

Tip: Set this to “no” until you have verified that you have got a

configuration which works for you. Then set this to “yes” and keep it

if everything still works. (It should!) :wink:

Choice: “yes” or “no”, if not set defaults to “yes”

FW_KERNEL_SECURITY=""

Type: yesno

Whether ip routing should be disabled when the firewall is shut

down.

Note: IPv4 only, IPv6 sysctls are left untouched

Requires: FW_ROUTE

defaults to “no” if not set

FW_STOP_KEEP_ROUTING_STATE=“no”

Type: yesno

Allow the firewall to reply to icmp echo requests

defaults to “yes” if not set

FW_ALLOW_PING_FW=""

Type: yesno

Allow hosts in the dmz to be pinged from hosts in other zones even

if neither FW_FORWARD nor FW_MASQUERADE is set

Requires: FW_ROUTE

defaults to “no” if not set

FW_ALLOW_PING_DMZ=""

Type: yesno

Allow hosts in the external zone to be pinged from hosts in other

zones even if neither FW_FORWARD nor FW_MASQUERADE is set

Requires: FW_ROUTE

defaults to “no” if not set

FW_ALLOW_PING_EXT=""

Type: yesno

Allow ICMP sourcequench from your ISP?

If set to yes, the firewall will notice when connection is choking, however

this opens yourself to a denial of service attack. Choose your poison.

Defaults to “yes” if not set

FW_ALLOW_FW_SOURCEQUENCH=""

Type: string(yes,no)

Allow IP Broadcasts?

Whether the firewall allows broadcasts packets.

Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.

If you want to drop broadcasts however ignore the annoying log entries, set

FW_IGNORE_FW_BROADCAST_* to yes.

Note that if you allow specific ports here it just means that broadcast

packets for that port are not dropped. You still need to set

FW_SERVICES_*_UDP to actually allow regular unicast packets to

reach the applications.

Format: either

- “yes” or “no”

- list of udp destination ports

Examples: - “631 137” allow broadcast packets on port 631 and 137

to enter the machine but drop any other broadcasts

- “yes” do not install any extra drop rules for

broadcast packets. They’ll be treated just as unicast

packets in this case.

- “no” drop all broadcast packets before other filtering

rules

defaults to “no” if not set

FW_ALLOW_FW_BROADCAST_EXT=“no”

Type: string

see comments for FW_ALLOW_FW_BROADCAST_EXT

FW_ALLOW_FW_BROADCAST_INT=“no”

Type: string

see comments for FW_ALLOW_FW_BROADCAST_EXT

FW_ALLOW_FW_BROADCAST_DMZ=“no”

Type: string(yes,no)

Suppress logging of dropped broadcast packets. Useful if you don’t allow

broadcasts on a LAN interface.

This setting only affects packets that are not allowed according

to FW_ALLOW_FW_BROADCAST_*

Format: either

- “yes” or “no”

- list of udp destination ports

Examples: - “631 137” silently drop broadcast packets on port 631 and 137

- “yes” do not log dropped broadcast packets

- “no” log all dropped broadcast packets

defaults to “no” if not set

FW_IGNORE_FW_BROADCAST_EXT=“yes”

Type: string

see comments for FW_IGNORE_FW_BROADCAST_EXT

FW_IGNORE_FW_BROADCAST_INT=“no”

Type: string

see comments for FW_IGNORE_FW_BROADCAST_EXT

FW_IGNORE_FW_BROADCAST_DMZ=“no”

Type: list(yes,no,int,ext,dmz,)

Specifies whether routing between interfaces of the same zone should be allowed

Requires: FW_ROUTE=“yes”

Set this to allow routing between interfaces in the same zone,

e.g. between all internet interfaces, or all internal network

interfaces.

Caution: Keep in mind that “yes” affects all zones. ie even if you

need inter-zone routing only in the internal zone setting this

parameter to “yes” would allow routing between all external

interfaces as well. It’s better to use

FW_ALLOW_CLASS_ROUTING=“int” in this case.

Choice: “yes”, “no”, or space separated list of zone names

Defaults to “no” if not set

FW_ALLOW_CLASS_ROUTING=""

Type: string

Do you want to load customary rules from a file?

This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!

READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

Type: yesno

Do you want to REJECT packets instead of DROPing?

DROPing (which is the default) will make portscans and attacks much

slower, as no replies to the packets will be sent. REJECTing means, that

for every illegal packet, a connection reject packet is sent to the

sender.

Choice: “yes” or “no”, if not set defaults to “no”

Defaults to “no” if not set

You may override this value on a per zone basis by using a zone

specific variable, e.g. FW_REJECT_DMZ=“yes”

FW_REJECT=""

Type: yesno

see FW_REJECT for description

default config file setting is “yes” assuming that slowing down

portscans is not strictly required in the internal zone even if

you protect yourself from the internal zone

FW_REJECT_INT=""

Type: string

Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)

for more information about HTB see http://www.lartc.org

If your download collapses while you have a parallel upload,

this parameter might be an option for you. It manages your

upload stream and reserves bandwidth for special packets like

TCP ACK packets or interactive SSH.

It’s a list of devices and maximum bandwidth in kbit.

For example, the german TDSL account, provides 128kbit/s upstream

and 768kbit/s downstream. We can only tune the upstream.

Example:

If you want to tune a 128kbit/s upstream DSL device like german TDSL set

the following values:

FW_HTB_TUNE_DEV=“dsl0,125”

where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream

you might wonder why 125kbit/s and not 128kbit/s. Well practically you’ll

get a better performance if you keep the value a few percent under your

real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in

its own buffers because queuing is done by us now.

So for a 256kbit upstream

FW_HTB_TUNE_DEV=“dsl0,250”

might be a better value than “dsl0,256”. There is no perfect value for a

special kind of modem. The perfect value depends on what kind of traffic you

have on your line but 5% under your maximum upstream might be a good start.

Everything else is special fine tuning.

If you want to know more about the technical background,

http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/

is a good start

FW_HTB_TUNE_DEV=""

Type: list(no,drop,reject)

Default: drop

What to do with IPv6 Packets?

On older kernels ip6tables was not stateful so it’s not possible to implement

the same features as for IPv4 on such machines. For these there are three

choices:

- no: do not set any IPv6 rules at all. Your Host will allow any IPv6

traffic unless you setup your own rules.

- drop: drop all IPv6 packets.

- reject: reject all IPv6 packets. This is the default if stateful matching is

not available.

Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6

Addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.

Leave empty to automatically detect whether ip6tables supports stateful matching.

FW_IPv6=""

Type: yesno

Default: yes

Reject outgoing IPv6 Packets?

Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option

does only make sense with FW_IPv6 != no

Defaults to “yes” if not set

FW_IPv6_REJECT_OUTGOING=""

Type: list(yes,no,int,ext,dmz,)

Default: no

Trust level of IPsec packets.

You do not need to change this if you do not intend to run

services that should only be available through an IPsec tunnel.

The value specifies how much IPsec packets are trusted. ‘int’, ‘ext’ or ‘dmz’

are the respective zones. ‘yes’ is the same as ‘int’. ‘no’ means that IPsec

packets belong to the same zone as the interface they arrive on.

Note: you still need to explicitly allow IPsec traffic.

Example:

FW_IPSEC_TRUST=“int”

FW_SERVICES_EXT_IP=“esp”

FW_SERVICES_EXT_UDP=“isakmp”

FW_PROTECT_FROM_INT=“no”

Defaults to “no” if not set

FW_IPSEC_TRUST=“no”

Type: string

Define additional firewall zones

The built-in zones INT, EXT and DMZ must not be listed here. Names

of additional zones must only contain lowercase ascii characters.

To define rules for the additional zone, take the appropriate

variable for a built-in zone and substitute INT/EXT/DMZ with the

name of the additional zone.

Example:

FW_ZONES=“wlan”

FW_DEV_wlan=“wlan0”

FW_SERVICES_wlan_TCP=“80”

FW_ALLOW_FW_BROADCAST_wlan=“yes”

FW_ZONES=""

Type: string(no,auto)

Set default firewall zone

Format: ‘auto’, ‘no’ or name of zone.

When set to ‘no’ no firewall rules will be installed for unknown

or unconfigured interfaces. That means traffic on such interfaces

hits the default drop rules.

When left empty or when set to ‘auto’ the zone that has the

interface string ‘any’ configured is used for all unconfigured

interfaces (see FW_DEV_EXT). If no ‘any’ string was found the

external zone is used.

When a default zone is defined a catch all rule redirects traffic

from interfaces that were not present at the time SuSEfirewall2

was run to the default zone. Normally SuSEfirewall2 needs to be

run if new interfaces appear to avoid such unknown interfaces.

Defaults to ‘auto’ if not set

FW_ZONE_DEFAULT=’’

Type: list(yes,no,auto,)

Default:

Whether to use iptables-batch

iptables-batch commits all rules in an almost atomic way similar

to iptables-restore. This avoids excessive iptables calls and race

conditions.

Choice:

- yes: use iptables-batch if available and warn if it isn’t

- no: don’t use iptables-batch

- auto: use iptables-batch if available, silently fall back to

iptables if it isn’t

Defaults to “auto” if not set

FW_USE_IPTABLES_BATCH=""

Type: string

Which additional kernel modules to load at startup

Example:

FW_LOAD_MODULES=“nf_conntrack_netbios_ns”

See also FW_SERVICES_ACCEPT_RELATED_EXT

FW_LOAD_MODULES=“nf_conntrack_netbios_ns”

Type: string

Default:

Bridge interfaces without IP address

Traffic on bridge interfaces like the one used by xen appears to

enter and leave on the same interface. Add such interfaces here in

order to install special permitting rules for them.

Format: list of interface names separated by space

Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead

Example:

FW_FORWARD_ALWAYS_INOUT_DEV=“xenbr0”

FW_FORWARD_ALWAYS_INOUT_DEV=""

Type: string

Whether traffic that is only bridged but not routed should be

allowed. Such packets appear to pass though the forward chain so

normally they would be dropped.

Note: it is not possible to configure SuSEfirewall2 as bridging

firewall. This option merely controls whether SuSEfirewall2 should

try to not interfere with bridges.

Choice:

- yes: always install a rule to allow bridge traffic

- no: don’t install a rule to allow bridge traffic

- auto: install rule only if there are bridge interfaces

Defaults to “auto” if not set

FW_FORWARD_ALLOW_BRIDGING=""

Type: yesno

Write status information to /var/run/SuSEfirewall2/status for use

by e.g. graphical user interfaces. Can safely be disabled on

servers.

Defaults to “yes” if not set

FW_WRITE_STATUS=""

Type: yesno

Allow dynamic configuration overrides in

/var/run/SuSEfirewall2/override for use by e.g. graphical user

interfaces. Can safely be disabled on servers.

Defaults to “yes” if not set

FW_RUNTIME_OVERRIDE=""

Type: yesno

Install NOTRACK target for interface lo in the raw table. Doing so

speeds up packet processing on the loopback interface. This breaks

certain firewall setups that need to e.g. redirect outgoing

packets via custom rules on the local machine.

Defaults to “yes” if not set

FW_LO_NOTRACK=""

Type: yesno

Specifies whether /etc/init.d/SuSEfirewall2_init should install the

full rule set already. Default is to just install minimum rules

that block incoming traffic. Set to “yes” if you use services

such as drbd that require open ports during boot already.

Defaults to “no” if not set

FW_BOOT_FULL_INIT=“no”
SLEDLaptop:/home/hans-christoph #
[/CODE]

Here is a print screen of the firewall setup in YaST.

[QUOTE=hcp_dk;36967]Hi Kevin,

These data are now from Laptop. Both SLES, SLED[/QUOTE]

The output you provided appears to be from SLED. How is it from both SLES and SLED?

I know you want to get your printer working but here are some things to consider about your firewall:

Your laptop is currently connected to your LAN. If all your interfaces are assigned to the Internal Zone you are saying you trust everything and you do not need to configure special rules to allow communication with devices on your LAN. But what happens when your laptop is not connected to your LAN? If you are connected to a public Wi-Fi hotspot your firewall still treats it as an Internal zone and provides no protection at all. That is not good!

When you only have one zone, it should be the External zone and you should configure rules for all the services you need. This requires a bit more work but you want to keep your laptop secure. Normally, your firewall does not require special configuration to allow outgoing packets or to allow responses to them and there should only be a few cases where you want to allow unsolicited incoming packets.

I see this in your /etc/sysconfig/SuSEfirewall2 configuration:

FW_SERVICES_ACCEPT_INT="0/0,udp,5353,5353 0/0,udp,427,427"
It tells me you didn’t make the changes I asked in a previous post:

[QUOTE]On Page 3 of the PDF, where it says “open ports manuell:”, you show the Custom Allowed Rules. They are not configured correctly!
The source network should not be “0/0” (any network). Since your printing is between devices on your LAN, the source network should be your LAN. Example: 192.168.1.0/24.
Do not configure a Source Port. Source ports usually cannot be predicted. If you do configure one, all traffic will likely be blocked because the actual source port will not match the one you specified.[/QUOTE]
Also, the ports shown in this output from your laptop are different from those shown in the PDF. Make sure you have included all the necessary ports.

Okay, let’s try to get this working.
[LIST]
[*]Make a backup copy of /etc/sysconfig/SuSEfirewall2
[*]Use YaST Firewall to make these changes:
[/LIST][INDENT][LIST=1]
[*]Assign all interfaces to the External Zone.
[*]Remove from the Internal Zone all the Custom Allowed Rules.
[*]Set up the External Zone with all the Custom Allowed Rules shown on Page 3 of the PDF.
[*]When setting up the rules, the network should be 10.0.25.0/24.
[*]When setting up the rules, the Source Port should be blank.
[/LIST][/INDENT]

When you have finished, restart your firewall then test your printing from SLED.

If you still can’t print, please post the output from:

cat /etc/sysconfig/SuSEfirewall2

Good luck!

Hi Kevin,

The data I sent are from the laptop with SLED, as I wrote.
I mentioned that both SLES and SLED have the same architecture, so they act the same.

It is correct. Actually, in my system the laptop is safe. I wrote somewhere in the documentation, I think about getting SUSE onto an AD Windows network, that the firewall needs to be internal.
I probably need to switch when I’m not home? But you have a point there. I can try that later. It might not be too easy due to the network.

The open port was on the laptop; I have not changed it. It comes from HPLIP troubleshooting…

OK. I will try it now as you describe… :slight_smile:

[QUOTE=hcp_dk;36985]I wrote somewhere in the documentation, I think about getting SUSE onto an AD Windows network, that the firewall needs to be internal.
I probably need to switch when I’m not home? But you have a point there. I can try that later.[/QUOTE]

If you only have one interface,
and it is assigned to the Internal Zone,
and the Internal Zone is a trusted network
then your firewall will not filter any traffic: it will allow everything.

If this is what you really want, there is a simple solution: disable your firewall!

I don’t recommend this.

The correct solution is to run a firewall and setup the necessary rules. There are many workstations on Windows AD networks running correctly configured firewalls.
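The two checks Kevin describes above, and in his earlier post (a single interface left in the Internal zone with FW_PROTECT_FROM_INT at “no” filters nothing; Custom Allowed Rules with a 0/0 source network or a pinned source port are wrong), can be run mechanically against a copy of /etc/sysconfig/SuSEfirewall2. The script below is an added example for this thread, not code from the forum posts or from SuSEfirewall2 itself. It reads the sysconfig file with a small parser of its own (the file is not a shell script, so nothing is expanded), splits FW_SERVICES_ACCEPT_* entries according to the net,protocol[,dport[,sport[,flags]]] format documented in the file, treats any comma field containing “=” as a flag (an assumption drawn from the file’s own hitcount=3 example, where flags follow the destination port directly), and returns findings. The two embedded configuration fragments are constructed sample input: BEFORE mirrors the rules quoted in the thread, AFTER is the corrected layout with the 10.0.25.0/24 network and no source port.

```python
"""Lint a SuSEfirewall2 sysconfig file for the zone and accept-rule mistakes
discussed in the thread. Added example; not part of SuSEfirewall2 itself."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample input (not a real system's file). BEFORE mirrors the
# rules quoted in the thread; AFTER is the corrected layout: interfaces in
# the External zone, a LAN source network, destination port only.
BEFORE = '''
## Type: string
FW_DEV_EXT=""
FW_DEV_INT="eth0 wlan0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_INT="0/0,udp,5353,5353 0/0,udp,427,427"
'''

AFTER = '''
FW_DEV_EXT="eth0 wlan0"
FW_DEV_INT=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_ACCEPT_EXT="10.0.25.0/24,udp,5353
10.0.25.0/24,udp,427
10.0.25.0/24,tcp,9100"
FW_SERVICES_ACCEPT_INT=""
'''

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_ANY_NET = {"0/0", "0.0.0.0/0", "::/0"}


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Read KEY="value" lines; a quoted value may continue over several lines.
    Comment lines are skipped and nothing is shell-expanded."""
    conf: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ('"', "'"):
            quote, value = value[0], value[1:]
            while not value.endswith(quote):      # gather continuation lines
                if i >= len(lines):
                    raise ValueError(f"unterminated value for {key}")
                value += " " + lines[i].strip()
                i += 1
            value = value[:-1]
        conf[key] = " ".join(value.split())        # normalise whitespace
    return conf


class AcceptRule(NamedTuple):
    net: str
    proto: str
    dport: Optional[str]
    sport: Optional[str]
    flags: Tuple[str, ...]


def parse_accept_rule(entry: str) -> AcceptRule:
    """Split one net,protocol[,dport[,sport[,flags]]] entry. A field holding
    '=' is taken to be a flag (assumption based on the file's hitcount example)."""
    parts = entry.split(",")
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed accept entry: {entry!r}")
    positional: List[str] = []
    flags: List[str] = []
    for part in parts[2:]:
        (flags if "=" in part else positional).append(part)
    if len(positional) > 2:
        raise ValueError(f"too many port fields in {entry!r}")
    dport = positional[0] if len(positional) > 0 and positional[0] else None
    sport = positional[1] if len(positional) > 1 and positional[1] else None
    return AcceptRule(parts[0], parts[1], dport, sport, tuple(flags))


def zone_names(conf: Dict[str, str]) -> List[str]:
    """Built-in zones plus any extra zones declared in FW_ZONES."""
    return ["EXT", "INT", "DMZ"] + conf.get("FW_ZONES", "").split()


def audit(conf: Dict[str, str]) -> List[str]:
    """Return findings as text; an empty list means the checks passed."""
    findings: List[str] = []
    # Internal-zone interfaces are unfiltered unless FW_PROTECT_FROM_INT=yes.
    int_devs = conf.get("FW_DEV_INT", "").split()
    if int_devs and conf.get("FW_PROTECT_FROM_INT", "no") != "yes":
        findings.append("FW_DEV_INT=%s with FW_PROTECT_FROM_INT != yes: traffic "
                        "on these interfaces is accepted unfiltered" % " ".join(int_devs))
    # Per-rule checks on FW_SERVICES_ACCEPT_<zone>.
    for zone in zone_names(conf):
        key = "FW_SERVICES_ACCEPT_" + zone
        for entry in conf.get(key, "").split():
            rule = parse_accept_rule(entry)
            if rule.net in _ANY_NET:
                findings.append(f"{key}: {entry}: source network is any; "
                                "restrict it to the LAN (e.g. 10.0.25.0/24)")
            if rule.sport is not None:
                findings.append(f"{key}: {entry}: source port {rule.sport} is "
                                "pinned; clients use ephemeral source ports")
            if rule.dport is None:
                findings.append(f"{key}: {entry}: no destination port, so every "
                                f"{rule.proto} port is open to {rule.net}")
    return findings


def audit_text(text: str) -> List[str]:
    """Parse a sysconfig text and audit it."""
    return audit(parse_sysconfig(text))


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        result = audit_text(text)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

To run it against a real file, call audit_text(open("/etc/sysconfig/SuSEfirewall2").read()); an empty list means these particular checks passed. It is a lint for the mistakes discussed in the thread, not a statement about which ports the HP device actually needs; that still has to be confirmed from the printer side.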

Hi Kevin,

I tried that. Miracle! I changed to the external firewall zone, opened the ports 161, 162, 427, 5353, 9100 and rebooted.
Now I could print pictures. But I couldn’t print a Libre document.
All prints take a long time, even for pictures. The first page of the Libre document came now, after 5 min.

[CODE]hans-christoph@SLEDLaptop:~> cat /etc/sysconfig/SuSEfirewall2

Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany

Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany

Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany

Author: Marc Heuse, 2002

Ludwig Nussel, 2004-2011

/etc/sysconfig/SuSEfirewall2

for use with /sbin/SuSEfirewall2 version 3.6

------------------------------------------------------------------------

Note that running a packet filter/firewall is no panacea against

network security threats. Make sure to

- expose only actually needed services

- assign different zones to express different levels of trust.

Opening ports for LAN services in the external zone defeats the

purpose of the firewall!

- use software that is designed with security in mind (such as

postfix, vsftpd, openssh)

- install security updates regularly

------------------------------------------------------------------------

Configuration Hints:

Note that while this file looks like a shell script and is parsed

by a shell script it actually is not a shell script itself. More

information about sysconfig files can be found here:

http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig

It’s generally a good idea to avoid using shell variable

substitution (foo="$bar") and multi line values.

If you have any problems configuring this file, take a look at

/usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST

For end user systems that are only connected to one network

FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need

to be modified. The defaults for all other settings are usually

fine.

For firewalls that should perform routing or masquerading between

networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,

FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,

FW_FORWARD_MASQ

Please note that if you use service names, they have to exist in

/etc/services. There is for example no service “dns”, it’s called

“domain”; email is called “smtp” etc.

------------------------------------------------------------------------

Path: Network/Firewall/SuSEfirewall2

Description: SuSEfirewall2 configuration

Type: string

Which are the interfaces that point to the internet/untrusted

networks?

Enter all untrusted network devices here

Format: space separated list of interface or configuration names

The special keyword “any” means that packets arriving on interfaces not

explicitly configured as int, ext or dmz will be considered external. Note:

this setting only works for packets destined for the local machine. If you

want forwarding or masquerading you still have to add the external interfaces

individually. “any” can be mixed with other interface names.

Examples: “wlan0”, “ippp0 ippp1”, “any dsl0”

Note: alias interfaces (like eth0:1) are ignored

FW_DEV_EXT=“eth0 wlan0 wwan0”

Type: string

Which are the interfaces that point to the internal network?

Enter all trusted network interfaces here. If you are not

connected to a trusted network (e.g. you have just a dialup) leave

this empty.

Format: space separated list of interface or configuration names

Examples: “tr0”, “eth0 eth1”

FW_DEV_INT=""

Type: string

Which are the interfaces that point to the dmz or dialup network?

Enter all the network devices here which point to the dmz/dialups.

A “dmz” is a special, separated network, which is only connected

to the firewall, and should be reachable from the internet to

provide services, e.g. WWW, Mail, etc. and hence is at risk from

attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an

example.

Note: You have to configure FW_FORWARD to define the services

which should be available to the internet and set FW_ROUTE to yes.

Format: space separated list of interface or configuration names

Examples: “tr0”, “eth0 eth1”

FW_DEV_DMZ=""

Type: yesno

Should routing between the internet, dmz and internal network be

activated?

Set this to “yes” if you either want to masquerade internal

machines or allow access to the dmz (or internal machines, but

this is not a good idea).

This option overrides IP_FORWARD from /etc/sysconfig/sysctl and

net.ipv4.ip_forward settings in /etc/sysctl.conf

Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on

manually.

Setting this option alone doesn’t do anything. Either activate

masquerading with FW_MASQUERADE below if you want to masquerade

your internal network to the internet, or configure FW_FORWARD to

define what is allowed to be forwarded. You also need to define

internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.

defaults to “no” if not set

FW_ROUTE=“no”

Type: yesno

Do you want to masquerade internal networks to the outside?

Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV

“Masquerading” means that all your internal machines which use

services on the internet seem to come from your firewall. Please

note that it is more secure to communicate via proxies to the

internet than to use masquerading.

This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.

defaults to “no” if not set

FW_MASQUERADE=“no”

Type: string

You also have to define on which interfaces to masquerade on.

Those are usually the same as the external interfaces. Most users

can leave the default.

The special string “zone:” concatenated with the name of a zone

means to take all interfaces in the specified zone.

Note: Old versions of SuSEfirewall2 used a shell variable

($FW_DEV_EXT) here. That method is deprecated as it breaks auto

detection of interfaces. Please use zone:ext instead.

Examples: “ippp0”, “zone:dmz”

defaults to “zone:ext” if not set

FW_MASQ_DEV=""

Type: string

Which internal computers/networks are allowed to access the

internet via masquerading (not via proxies on the firewall)?

Format: space separated list of

&lt;source network&gt;[,&lt;destination network&gt;,&lt;protocol&gt;[,port[:port]]]

If the protocol is icmp then port is interpreted as icmp type

Examples: - “0/0” unrestricted access to the internet

This is also the default if you leave FW_MASQ_NETS empty.

- “10.0.0.0/8” allows the whole 10.0.0.0 network with

unrestricted access.

- “10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21” allows

the 10.0.1.0 network to use www/ftp to the internet.

- “10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24” the

10.0.1.0/24 network is allowed to access unprivileged

ports whereas 10.0.2.0/24 is granted unrestricted

access.

- “0/0,!10.0.0.0/8” unrestricted access to the internet

with the exception of 10.0.0.0/8, which will not be

masqueraded.

FW_MASQ_NETS=""

Type: string

Which computers/networks to exclude from masquerading.

Note that this only affects the POSTROUTING chain of the nat

table. Ie the forwarding rules installed by FW_MASQ_NETS do not

include the listed exceptions.

*** Since you may use FW_NOMASQ_NETS together with IPsec make sure

that the policy database is loaded even when the tunnel is not up

yet. Otherwise packets to the listed networks will be forwarded to

the internet unencrypted! ***

Format: space separated list of

&lt;source network&gt;[,&lt;destination network&gt;,&lt;protocol&gt;[,port[:port]]]

If the protocol is icmp then port is interpreted as icmp type

Examples: - “0/0,10.0.0.0/8” do not masquerade packets from

anywhere to the 10.0.0.0/8 network

FW_NOMASQ_NETS=""

Type: list(yes,no,notrack,)

Do you want to protect the firewall from the internal network?

Requires: FW_DEV_INT

If you set this to “yes”, internal machines may only access

services on the firewall you explicitly allow. If you set this to

“no”, any internal user can connect (and attack) any service on

the firewall.

The value “notrack” acts similar to “no” but additionally

connection tracking is switched off for interfaces in the zone.

This is useful to gain better performance on high speed

interfaces.

defaults to “no” if not set

see also FW_REJECT_INT

FW_PROTECT_FROM_INT=“no”

Type: string

Which TCP services on the firewall should be accessible from

untrusted networks?

Format: space separated list of ports, port ranges or well known

service names (see /etc/services)

Examples: “ssh”, “123 514”, “3200:3299”, “ftp 22 telnet 512:514”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_TCP=""

Type: string

Which UDP services on the firewall should be accessible from

untrusted networks?

Format: space separated list of ports, port ranges or well known

service names (see /etc/services)

Example: “53”, “syslog”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_UDP=“5353”

Type: string

Which IP services on the firewall should be accessible from

untrusted networks?

Usually for VPN/Routing services that END at the firewall like

IPsec, GRE, PPTP or OSPF

Format: space separated list of ports, port ranges or well known

protocol names (see /etc/protocols)

Example: “esp”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_IP=""

Type: string

Which RPC services on the firewall should be accessible from

untrusted networks?

Port numbers of RPC services are dynamically assigned by the

portmapper. Therefore “rpcinfo -p localhost” has to be used to

automatically determine the currently assigned port for the

services specified here.

USE WITH CAUTION!

regular users can register rpc services and therefore may be able

to have SuSEfirewall2 open arbitrary ports

Example: “mountd nfs”

Note: this setting has precedence over FW_SERVICES_ACCEPT_*

FW_SERVICES_EXT_RPC=""

Type: string

Which services on the firewall should be accessible from

untrusted networks?

Packages can drop a configuration file that specifies all required

ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for

services that require multiple ports or protocols. Enter the space

separated list of configuration files you want to load.

The content of those files is merged into

FW_SERVICES_$zone_$protocol, ie has precedence over

FW_SERVICES_ACCEPT_*

Example: “samba-server nfs-kernel-server”

FW_CONFIGURATIONS_EXT=“avahi netbios-server samba-client samba-server”

Type: string

see comments for FW_SERVICES_EXT_TCP

FW_SERVICES_DMZ_TCP=""

Type: string

see comments for FW_SERVICES_EXT_UDP

FW_SERVICES_DMZ_UDP=""

Type: string

see comments for FW_SERVICES_EXT_IP

FW_SERVICES_DMZ_IP=""

Type: string

see comments for FW_SERVICES_EXT_RPC

FW_SERVICES_DMZ_RPC=""

Type: string

see comments for FW_CONFIGURATIONS_EXT

FW_CONFIGURATIONS_DMZ=""

Type: string

see comments for FW_SERVICES_EXT_TCP

FW_SERVICES_INT_TCP=""

Type: string

see comments for FW_SERVICES_EXT_UDP

FW_SERVICES_INT_UDP=""

Type: string

see comments for FW_SERVICES_EXT_IP

FW_SERVICES_INT_IP=""

Type: string

see comments for FW_SERVICES_EXT_RPC

FW_SERVICES_INT_RPC=""

Type: string

see comments for FW_CONFIGURATIONS_EXT

FW_CONFIGURATIONS_INT=“netbios-server samba-client samba-server”

Type: string

Packets to drop.

Format: space separated list of net,protocol[,port][,sport]

Example: “0/0,tcp,445 0/0,udp,4662”

The special value rpc is recognized as protocol and means that dport is

interpreted as rpc service name. See FW_SERVICES_EXT_RPC for

details.

Note: In older SuSEfirewall2 version this setting took place after

FW_SERVICES_ACCEPT_*, now it takes precedence.

FW_SERVICES_DROP_EXT=""

Type: string

see FW_SERVICES_DROP_EXT

FW_SERVICES_DROP_DMZ=""

Type: string

see FW_SERVICES_DROP_EXT

FW_SERVICES_DROP_INT=""

Type: string

Default:

Packets to reject. Common usage is TCP port 113 which if dropped

would cause long timeouts when sending mail or connecting to IRC

servers.

Format: space separated list of net,protocol[,dport][,sport]

Example: “0/0,tcp,113”

The special value rpc is recognized as protocol and means that dport is

interpreted as rpc service name. See FW_SERVICES_EXT_RPC for

details.

Note: In older SuSEfirewall2 version this setting took place after

FW_SERVICES_ACCEPT_*, now it takes precedence.

FW_SERVICES_REJECT_EXT=""

Type: string

see FW_SERVICES_REJECT_EXT

FW_SERVICES_REJECT_DMZ=""

Type: string

see FW_SERVICES_REJECT_EXT

FW_SERVICES_REJECT_INT=""

Type: string

Default:

Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}

and more specific than FW_TRUSTED_NETS

Format: space separated list of net,protocol[,dport[,sport[,flags]]]

Example: “0/0,tcp,22”

Supported flags are

hitcount=NUMBER : ipt_recent --hitcount parameter

blockseconds=NUMBER : ipt_recent --seconds parameter

recentname=NAME : ipt_recent --name parameter

Example:

Allow max three ssh connects per minute from the same IP address:

“0/0,tcp,22,hitcount=3,blockseconds=60,recentname=ssh”

The special value rpc is recognized as protocol and means that dport is

interpreted as rpc service name. See FW_SERVICES_EXT_RPC for

details.

Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP

take precedence over FW_SERVICES_ACCEPT_EXT so don’t open the same

port with both options.

Note2: the iptables recent module may not be available for ipv6. To

avoid an error message use 0.0.0.0/0 instead of 0/0. This will

install the rule for ipv4 only.

FW_SERVICES_ACCEPT_EXT=“10.0.25.0/24,tcp,161
10.0.25.0/24,udp,161
10.0.25.0/24,tcp,162
10.0.25.0/24,udp,162
10.0.25.0/24,udp,5353
10.0.25.0/24,tcp,9100
10.0.25.0/24,udp,9100
10.0.25.0/24,udp,427”

Type: string

see FW_SERVICES_ACCEPT_EXT

FW_SERVICES_ACCEPT_DMZ=""

Type: string

see FW_SERVICES_ACCEPT_EXT

FW_SERVICES_ACCEPT_INT=""

Type: string

Default:

Services to allow that are considered RELATED by the connection tracking

engine.

Format: space separated list of net,protocol[,sport[,dport]]

Example:

Allow samba broadcast replies marked as related by

nf_conntrack_netbios_ns from a certain network:

“192.168.1.0/24,udp,137”

See also FW_LOAD_MODULES

FW_SERVICES_ACCEPT_RELATED_EXT=""

Type: string

see FW_SERVICES_ACCEPT_RELATED_EXT

FW_SERVICES_ACCEPT_RELATED_DMZ=""

Type: string

see FW_SERVICES_ACCEPT_RELATED_EXT

FW_SERVICES_ACCEPT_RELATED_INT=""

Type: string

Which services should be accessible from ‘trusted’ hosts or nets?

Define trusted hosts or networks (doesn’t matter whether they are internal or

external) and the services (tcp,udp,icmp) they are allowed to use. This can

be used instead of FW_SERVICES_* for further access restriction. Please note

that this is no replacement for authentication since IP addresses can be

spoofed. Also note that trusted hosts/nets are not allowed to ping the

firewall until you also permit icmp.

Format: space separated list of network[,protocol[,port]]

in case of icmp, port means the icmp type

Example: “172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22”

FW_TRUSTED_NETS=""

Type: string

Which services or networks are allowed to be routed through the

firewall, no matter which zone they are in?

Requires: FW_ROUTE

With this option you may allow access to e.g. your mailserver. The

machines must have valid, non-private, IP addresses which were

assigned to you by your ISP. This opens a direct link to the

specified network, so please think twice before using this option!

Format: space separated list of

&lt;source network&gt;,&lt;destination network&gt;[,protocol[,destination port[,flags]]]

If the protocol is icmp then port is interpreted as icmp type

flags, separated by comma:

ipsec:

match packets that originate from an IPsec tunnel

zonein=ZONE, zoneout=ZONE:

match only packets coming in/going out on interfaces from

the specified zone.

Examples: - “1.1.1.1,2.2.2.2” allow the host 1.1.1.1 to access any

service on the host 2.2.2.2

- “3.3.3.3/16,4.4.4.4/24” allow the network 3.3.3.3/16

to access any service in the network 4.4.4.4/24

- “5.5.5.5,6.6.6.6,igmp” allow routing of IGMP messages

from 5.5.5.5 to 6.6.6.6

- “0/0,0/0,udp,514” always permit udp port 514 to pass

the firewall

- "192.168.1.0/24,10.10.0.0/16,ipsec \

10.10.0.0/16,192.168.1.0/24,ipsec" permit traffic

from 192.168.1.0/24 to 10.10.0.0/16 and vice versa

provided that both networks are connected via an

IPsec tunnel.

- “fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh”

allow ssh from one IPv6 network to another

FW_FORWARD=""

Type: string

same as FW_FORWARD but packets are rejected instead of accepted

Requires: FW_ROUTE

FW_FORWARD_REJECT=""

Type: string

same as FW_FORWARD but packets are dropped instead of accepted

Requires: FW_ROUTE

FW_FORWARD_DROP=""

Type: string

Which services accessed from the internet should be allowed to masqueraded

servers (on the internal network or dmz)?

Requires: FW_ROUTE

With this option you may allow access to e.g. your mailserver. The

machines must be in a masqueraded segment and may not have public

IP addesses! Hint: if FW_DEV_MASQ is set to the external interface

you have to set FW_FORWARD from internal to DMZ for the service as

well to allow access from internal!

Please note that this should not be used for security reasons!

You are opening a hole to your precious internal network. If e.g.

the webserver there is compromised - your full internal network is

compromised!

Format: space separated list of

,,,[,redirect port,[destination ip]]

Protocol must be either tcp or udp

Examples: - “4.0.0.0/8,10.0.0.10,tcp,80” forward all tcp request on

port 80 coming from the 4.0.0.0/8 network to the

internal server 10.10.0.10

- “4.0.0.0/8,10.0.0.10,tcp,80,81” forward all tcp request on

port 80 coming from the 4.0.0.0/8 network to the

internal server 10.10.0.10 on port 81

- “200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202”

the network 200.200.200.0/24 trying to access the

address 202.202.202.202 on port 80 will be forwarded

to the internal server 10.0.0.10 on port 81

Note: du to inconsistent iptables behaviour only port numbers are possible

but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)

FW_FORWARD_MASQ=""

Type: string

Which accesses to services should be redirected to a local port on

the firewall machine?

This option can be used to force all internal users to surf via

your squid proxy, or transparently redirect incoming webtraffic to

a secure webserver.

Format: list of [,,[,dport[:lport]]

Where protocol is either tcp or udp. dport is the original

destination port and lport the port on the local machine to

redirect the traffic to

An exclamation mark in front of source or destination network

means everything EXCEPT the specified network

Example: “10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080”

Note: contrary to previous SuSEfirewall2 versions it is no longer necessary

to additionally open the local port

FW_REDIRECT=""

Type: yesno

Which kind of packets should be logged?

When set to “yes”, packages that got dropped and are considered

‘critical’ will be logged. Such packets include for example

spoofed packets, tcp connection requests and certain icmp types.

defaults to “yes” if not set

FW_LOG_DROP_CRIT=“yes”

Type: yesno

whether all dropped packets should be logged

Note: for broadcasts to be logged you also need to set

FW_IGNORE_FW_BROADCAST_* to ‘no’

defaults to “no” if not set

FW_LOG_DROP_ALL=“no”

Type: yesno

When set to “yes”, packages that got accepted and are considered

‘critical’ will be logged. Such packets include for example tcp

connection requests, rpc connection requests and forwarded pakets.

Set to “no” for on systems with high traffic

defaults to “no” if not set

FW_LOG_ACCEPT_CRIT=“yes”

Type: yesno

whether all accepted packets should be logged

Note: setting this to ‘yes’ causes LOTS of log entries and may

fill your disk quickly. It also disables FW_LOG_LIMIT

defaults to “no” if not set

FW_LOG_ACCEPT_ALL=“no”

Type: string

How many packets per time unit get logged for each logging rule.

When empty a default of 3/minute is used to prevent port scans

flooding your log files. For desktop usage it’s a good idea to

have the limit, if you are using logfile analysis tools however

you might want to disable it.

Set to ‘no’ to disable the rate limit. Setting FW_LOG_ACCEPT_ALL

to ‘yes’ disables this option as well.

Format: a digit and suffix /second, /minute, /hour or /day

FW_LOG_LIMIT=""

Type: string

iptables logging option. Must end with --log-prefix and some prefix

characters

You may specify an alternative logging target by starting the

string with "-j ". E.g. “-j ULOG --ulog-prefix SFW2”

Note that ULOG doesn’t work with IPv6

only change this if you know what you are doing!

FW_LOG=""

Type: yesno

Do you want to enable additional kernel TCP/IP security features?

If set to yes, some obscure kernel options are set.

(icmp_ignore_bogus_error_responses, icmp_echoreply_rate,

icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,

ip_local_port_range, log_martians, rp_filter, routing flush,

bootp_relay, proxy_arp, secure_redirects, accept_source_route

icmp_echo_ignore_broadcasts, ipfrag_time)

Tip: Set this to “no” until you have verified that you have got a

configuration which works for you. Then set this to “yes” and keep it

if everything still works. (It should!) :wink:

Choice: “yes” or “no”, if not set defaults to “yes”

FW_KERNEL_SECURITY=""

Type: yesno

Whether ip routing should be disabled when the firewall is shut

down.

Note: IPv4 only, IPv6 sysctls are left untouched

Requires: FW_ROUTE

defaults to “no” if not set

FW_STOP_KEEP_ROUTING_STATE=“no”

Type: yesno

Allow the firewall to reply to icmp echo requests

defaults to “yes” if not set

FW_ALLOW_PING_FW=""

Type: yesno

Allow hosts in the dmz to be pinged from hosts in other zones even

if neither FW_FORWARD nor FW_MASQUERADE is set

Requires: FW_ROUTE

defaults to “no” if not set

FW_ALLOW_PING_DMZ=""

Type: yesno

Allow hosts in the external zone to be pinged from hosts in other

zones even if neither FW_FORWARD nor FW_MASQUERADE is set

Requires: FW_ROUTE

defaults to “no” if not set

FW_ALLOW_PING_EXT=""

Type: yesno

Allow ICMP sourcequench from your ISP?

If set to yes, the firewall will notice when connection is choking, however

this opens yourself to a denial of service attack. Choose your poison.

Defaults to “yes” if not set

FW_ALLOW_FW_SOURCEQUENCH=""

Type: string(yes,no)

Allow IP Broadcasts?

Whether the firewall allows broadcasts packets.

Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.

If you want to drop broadcasts however ignore the annoying log entries, set

FW_IGNORE_FW_BROADCAST_* to yes.

Note that if you allow specifc ports here it just means that broadcast

packets for that port are not dropped. You still need to set

FW_SERVICES_*_UDP to actually allow regular unicast packets to

reach the applications.

Format: either

- “yes” or “no”

- list of udp destination ports

Examples: - “631 137” allow broadcast packets on port 631 and 137

to enter the machine but drop any other broadcasts

- “yes” do not install any extra drop rules for

broadcast packets. They’ll be treated just as unicast

packets in this case.

- “no” drop all broadcast packets before other filtering

rules

defaults to “no” if not set

FW_ALLOW_FW_BROADCAST_EXT=“no”

Type: string

see comments for FW_ALLOW_FW_BROADCAST_EXT

FW_ALLOW_FW_BROADCAST_INT=“no”

Type: string

see comments for FW_ALLOW_FW_BROADCAST_EXT

FW_ALLOW_FW_BROADCAST_DMZ=“no”

Type: string(yes,no)

Suppress logging of dropped broadcast packets. Useful if you don’t allow

broadcasts on a LAN interface.

This setting only affects packets that are not allowed according

to FW_ALLOW_FW_BROADCAST_*

Format: either

- “yes” or “no”

- list of udp destination ports

Examples: - “631 137” silently drop broadcast packets on port 631 and 137

- “yes” do not log dropped broadcast packets

- “no” log all dropped broadcast packets

defaults to “no” if not set

FW_IGNORE_FW_BROADCAST_EXT=“yes”

Type: string

see comments for FW_IGNORE_FW_BROADCAST_EXT

FW_IGNORE_FW_BROADCAST_INT=“no”

Type: string

see comments for FW_IGNORE_FW_BROADCAST_EXT

FW_IGNORE_FW_BROADCAST_DMZ=“no”

Type: list(yes,no,int,ext,dmz,)

Specifies whether routing between interfaces of the same zone should be allowed

Requires: FW_ROUTE=“yes”

Set this to allow routing between interfaces in the same zone,

e.g. between all internet interfaces, or all internal network

interfaces.

Caution: Keep in mind that “yes” affects all zones. ie even if you

need inter-zone routing only in the internal zone setting this

parameter to “yes” would allow routing between all external

interfaces as well. It’s better to use

FW_ALLOW_CLASS_ROUTING=“int” in this case.

Choice: “yes”, “no”, or space separate list of zone names

Defaults to “no” if not set

FW_ALLOW_CLASS_ROUTING=""

Type: string

Do you want to load customary rules from a file?

This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!

READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

Type: yesno

Do you want to REJECT packets instead of DROPing?

DROPing (which is the default) will make portscans and attacks much

slower, as no replies to the packets will be sent. REJECTing means, that

for every illegal packet, a connection reject packet is sent to the

sender.

Choice: “yes” or “no”, if not set defaults to “no”

Defaults to “no” if not set

You may override this value on a per zone basis by using a zone

specific variable, e.g. FW_REJECT_DMZ=“yes”

FW_REJECT=""

Type: yesno

see FW_REJECT for description

default config file setting is “yes” assuming that slowing down

portscans is not strictly required in the internal zone even if

you protect yourself from the internal zone

FW_REJECT_INT=""

Type: string

Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)

for more information about HTB see http://www.lartc.org

If your download collapses while you have a parallel upload,

this parameter might be an option for you. It manages your

upload stream and reserves bandwidth for special packets like

TCP ACK packets or interactive SSH.

It’s a list of devices and maximum bandwidth in kbit.

For example, the german TDSL account, provides 128kbit/s upstream

and 768kbit/s downstream. We can only tune the upstream.

Example:

If you want to tune a 128kbit/s upstream DSL device like german TDSL set

the following values:

FW_HTB_TUNE_DEV=“dsl0,125”

where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream

you might wonder why 125kbit/s and not 128kbit/s. Well practically you’ll

get a better performance if you keep the value a few percent under your

real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in

it’s own buffers because queing is done by us now.

So for a 256kbit upstream

FW_HTB_TUNE_DEV=“dsl0,250”

might be a better value than “dsl0,256”. There is no perfect value for a

special kind of modem. The perfect value depends on what kind of traffic you

have on your line but 5% under your maximum upstream might be a good start.

Everthing else is special fine tuning.

If you want to know more about the technical background,

http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/

is a good start

FW_HTB_TUNE_DEV=""

Type: list(no,drop,reject)

Default: drop

What to do with IPv6 Packets?

On older kernels ip6tables was not stateful so it’s not possible to implement

the same features as for IPv4 on such machines. For these there are three

choices:

- no: do not set any IPv6 rules at all. Your Host will allow any IPv6

traffic unless you setup your own rules.

- drop: drop all IPv6 packets.

- reject: reject all IPv6 packets. This is the default if stateful matching is

not available.

Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6

Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this.

Leave empty to automatically detect whether ip6tables supports stateful matching.

FW_IPv6=""

Type: yesno

Default: yes

Reject outgoing IPv6 Packets?

Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option

does only make sense with FW_IPv6 != no

Defaults to “yes” if not set

FW_IPv6_REJECT_OUTGOING=""

Type: list(yes,no,int,ext,dmz,)

Default: no

Trust level of IPsec packets.

You do not need to change this if you do not intend to run

services that should only be available trough an IPsec tunnel.

The value specifies how much IPsec packets are trusted. ‘int’, ‘ext’ or ‘dmz’

are the respective zones. ‘yes’ is the same as 'int. ‘no’ means that IPsec

packets belong to the same zone as the interface they arrive on.

Note: you still need to explicitely allow IPsec traffic.

Example:

FW_IPSEC_TRUST=“int”

FW_SERVICES_EXT_IP=“esp”

FW_SERVICES_EXT_UDP=“isakmp”

FW_PROTECT_FROM_INT=“no”

Defaults to “no” if not set

FW_IPSEC_TRUST=“no”

Type: string

Define additional firewall zones

The built-in zones INT, EXT and DMZ must not be listed here. Names

of additional zones must only contain lowercase ascii characters.

To define rules for the additional zone, take the approriate

variable for a built-in zone and substitute INT/EXT/DMZ with the

name of the additional zone.

Example:

FW_ZONES=“wlan”

FW_DEV_wlan=“wlan0”

FW_SERVICES_wlan_TCP=“80”

FW_ALLOW_FW_BROADCAST_wlan=“yes”

FW_ZONES=""

Type: string(no,auto)

Set default firewall zone

Format: ‘auto’, ‘no’ or name of zone.

When set to ‘no’ no firewall rules will be installed for unknown

or unconfigured interfaces. That means traffic on such interfaces

hits the default drop rules.

When left empty or when set to ‘auto’ the zone that has the

interface string ‘any’ configured is used for all unconfigured

interfaces (see FW_DEV_EXT). If no ‘any’ string was found the

external zone is used.

When a default zone is defined a catch all rule redirects traffic

from interfaces that were not present at the time SuSEfirewall2

was run to the default zone. Normally SuSEfirewall2 needs to be

run if new interfaces appear to avoid such unknown interfaces.

Defaults to ‘auto’ if not set

FW_ZONE_DEFAULT=’’

Type: list(yes,no,auto,)

Default:

Whether to use iptables-batch

iptables-batch commits all rules in an almost atomic way similar

to iptables-restore. This avoids excessive iptables calls and race

conditions.

Choice:

- yes: use iptables-batch if available and warn if it isn’t

- no: don’t use iptables-batch

- auto: use iptables-batch if available, silently fall back to

iptables if it isn’t

Defaults to “auto” if not set

FW_USE_IPTABLES_BATCH=""

Type: string

Which additional kernel modules to load at startup

Example:

FW_LOAD_MODULES=“nf_conntrack_netbios_ns”

See also FW_SERVICES_ACCEPT_RELATED_EXT

FW_LOAD_MODULES=“nf_conntrack_netbios_ns”

Type: string

Default:

Bridge interfaces without IP address

Traffic on bridge interfaces like the one used by xen appears to

enter and leave on the same interface. Add such interfaces here in

order to install special permitting rules for them.

Format: list of interface names separated by space

Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead

Example:

FW_FORWARD_ALWAYS_INOUT_DEV=“xenbr0”

FW_FORWARD_ALWAYS_INOUT_DEV=""

Type: string

Whether traffic that is only bridged but not routed should be

allowed. Such packets appear to pass though the forward chain so

normally they would be dropped.

Note: it is not possible to configure SuSEfirewall2 as bridging

firewall. This option merely controls whether SuSEfirewall2 should

try to not interfere with bridges.

Choice:

- yes: always install a rule to allow bridge traffic

- no: don’t install a rule to allow bridge traffic

- auto: install rule only if there are bridge interfaces

Defaults to “auto” if not set

FW_FORWARD_ALLOW_BRIDGING=""

Type: yesno

Write status information to /var/run/SuSEfirewall2/status for use

by e.g. graphical user interfaces. Can safely be disabled on

servers.

Defaults to “yes” if not set

FW_WRITE_STATUS=""

Type: yesno

Allow dynamic configuration overrides in

/var/run/SuSEfirewall2/override for use by e.g. graphical user

interfaces. Can safely be disabled on servers.

Defaults to “yes” if not set

FW_RUNTIME_OVERRIDE=""

Type: yesno

Install NOTRACK target for interface lo in the raw table. Doing so

speeds up packet processing on the loopback interface. This breaks

certain firewall setups that need to e.g. redirect outgoing

packets via custom rules on the local machine.

Defaults to “yes” if not set

FW_LO_NOTRACK=""

Type: yesno

Specifies whether /etc/init.d/SuSEfirewall2_init should install the

full rule set already. Default is to just install minimum rules

that block incoming traffic. Set to “yes” if you use services

such as drbd that require open ports during boot already.

Defaults to “no” if not set

FW_BOOT_FULL_INIT=“no”
hans-christoph@SLEDLaptop:~>[/CODE]

[QUOTE=hcp_dk;36987]Hi Kevin,

I tried that - miracle. I C to external firewall and opened the ports 161, 162, 427, 5353, 9100 and rebooted.
Now I could print pictures. But I couldn’t print a Libre document.
All prints take a long time - for pictures. The Libre document now came, first page after 5 min.[/QUOTE]

That is good news.

I have reviewed your /etc/sysconfig/SuSEfirewall2. It looks much better. You did a good job re-configuring the firewall.

There are several reasons why printing can be slow. To see if the firewall is contributing to the problem, just disable the firewall and try to print the same documents.
Please let us know if it makes a difference.

When printing a document, the amount of data sent to the printer depends on many things:
[LIST]
[*]The type of document: A large picture can take a long time.
[*]The printer driver you are using.
[*]The print settings (e.g. resolution)
[*]Your network: a 1Gb network will provide better performance than a 10/100 network, if your printer has a 1Gb interface.
[/LIST]
You may want to experiment with these settings and compare print times using a USB connection to identify any bottlenecks.
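
Switching the firewall off and on only tells you whether it matters at all; with FW_LOG_DROP_ALL="yes" (see the FW_LOG_* options in the file above) the kernel log says which packets it dropped. The following Python is an added example for this page, not code from the thread or from SuSEfirewall2: it parses SuSEfirewall2 LOG lines, counts DROP verdicts per zone, protocol and destination port, and maps each to the FW_SERVICES_<ZONE>_<PROTO> variable that would have to carry the port. The log excerpt is constructed (the laptop address 10.0.25.100 is made up; 10.0.25.26 is the printer address shown later in the thread), and the SFW2-<chain><zone>-<verdict>-<reason> prefix layout is my reading of SuSEfirewall2's default --log-prefix, so treat it as an assumption and adjust the regex if your prefixes differ.

```python
"""Summarise dropped packets from SuSEfirewall2 kernel log lines.

Added example for this page, not SuSEfirewall2 code. Assumption: log lines
carry a prefix of the form SFW2-<chain><zone>-<verdict>-<reason> followed by
the usual netfilter LOG fields (IN= SRC= DST= PROTO= SPT= DPT= ...).
"""
import re
from collections import Counter

# Constructed excerpt in /var/log/messages style; none of these lines come
# from the poster's system. 10.0.25.100 is a made-up laptop address.
SAMPLE_LOG = """\
2017-03-12T09:50:01.000000+01:00 SLEDLaptop kernel: [  120.100000] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=10.0.25.26 DST=10.0.25.100 LEN=60 PROTO=UDP SPT=5353 DPT=5353 LEN=40
2017-03-12T09:50:02.000000+01:00 SLEDLaptop kernel: [  121.100000] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=10.0.25.26 DST=10.0.25.100 LEN=60 PROTO=UDP SPT=427 DPT=427 LEN=40
2017-03-12T09:50:03.000000+01:00 SLEDLaptop kernel: [  122.100000] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=10.0.25.26 DST=10.0.25.100 LEN=60 PROTO=UDP SPT=5353 DPT=5353 LEN=40
2017-03-12T09:50:04.000000+01:00 SLEDLaptop kernel: [  123.100000] SFW2-INext-ACC-TCP IN=wlan0 OUT= SRC=10.0.25.26 DST=10.0.25.100 LEN=60 PROTO=TCP SPT=9100 DPT=40412 SYN URGP=0
2017-03-12T09:50:05.000000+01:00 SLEDLaptop kernel: [  124.100000] SFW2-INext-DROP-DEFLT IN=wlan0 OUT= SRC=203.0.113.9 DST=10.0.25.100 LEN=60 PROTO=TCP SPT=43211 DPT=22 SYN URGP=0
2017-03-12T09:50:06.000000+01:00 SLEDLaptop cron[3267]: (CRON) INFO (running with inotify support)
"""

# IANA port names used only to label the output; ports the thread mentions.
PRINTER_PORTS = {
    ("tcp", 9100): "jetdirect/raw", ("tcp", 631): "ipp", ("udp", 631): "cups-browse",
    ("udp", 5353): "mdns", ("udp", 427): "slp", ("udp", 161): "snmp", ("udp", 162): "snmp-trap",
}

_PREFIX = re.compile(
    r"\bSFW2-(?P<chain>IN|OUT|FWD)(?P<zone>[a-z]*)-(?P<verdict>[A-Z]+)-(?P<reason>\S+)\s+(?P<rest>.*)$"
)


def parse_sfw2_line(line):
    """Return a dict for one SuSEfirewall2 LOG line, or None for any other line."""
    m = _PREFIX.search(line)
    if not m:
        return None
    rec = m.groupdict()
    fields = dict(re.findall(r"(\w+)=(\S*)", rec.pop("rest")))  # last LEN= wins
    rec.update(
        iface=fields.get("IN", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", "").lower(),
        spt=int(fields["SPT"]) if fields.get("SPT", "").isdigit() else None,
        dpt=int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None,
    )
    return rec


def dropped_by_port(log_text, printer_ip=None):
    """Count inbound DROP verdicts per (zone, proto, dpt), optionally from one source."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if rec is None or rec["chain"] != "IN" or rec["verdict"] != "DROP":
            continue
        if printer_ip and rec["src"] != printer_ip:
            continue
        counts[(rec["zone"], rec["proto"], rec["dpt"])] += 1
    return counts


def suggest_services(counts):
    """Map dropped (zone, proto, dpt) to the FW_SERVICES_<ZONE>_<PROTO> variable
    the port would go into. A hint only: add a port when you know the service
    behind it must be reachable, not because it showed up in the log."""
    out = {}
    for (zone, proto, dpt), n in sorted(counts.items()):
        if not zone or proto not in ("tcp", "udp") or dpt is None:
            continue
        var = f"FW_SERVICES_{zone.upper()}_{proto.upper()}"
        out.setdefault(var, []).append((dpt, PRINTER_PORTS.get((proto, dpt), ""), n))
    return out


if __name__ == "__main__":
    for var, ports in suggest_services(dropped_by_port(SAMPLE_LOG, "10.0.25.26")).items():
        for dpt, label, n in ports:
            print(f"{var}: port {dpt} {label or '(unknown service)'} dropped {n}x")
```

Run it over /var/log/messages with printer_ip set to the printer's address to separate the printer's replies (mDNS, SLP, SNMP traps) from unrelated noise such as the port-22 probe in the sample; the suggested variable is where the port belongs, but the decision to open it is still yours.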

Hi Kevin,

The document has a few standard pictures and text, all in all 670 kB.
The internet is 1 Gbit speed over the whole system.
The WLAN has 2 frequencies, 6 antennas and runs at 1300 Mbit/s.
The NIC runs up to 600 Mbit/s.
Printing from Windows will take less than 1 minute.

I have disabled the firewall.
The print is still slow, maybe 15 min for 9 pages. This makes no difference.

I have now disabled the firewall. When I have done that and open YaST - Firewall I get this picture:

I have not installed another firewall. SAMBA runs for access to the AD Windows network.
There is AppArmor, but disabled in Services. I have not touched it.

[QUOTE=hcp_dk;36992]Hi Kevin,
The document has a few standard pictures and text, all in all 670 kB.
[/QUOTE]
That does not appear to be a very large document.

That tells me the firewall is good. It is not affecting performance.

That should be adequate, assuming there are no network issues.

You won’t get 1,300 Mb even if you have a 1 Gb LAN connection.
You might get 600 Mb.

15 minutes for 9 pages does appear to be slow but it depends on the amount of data that is sent to the printer. For example, you could be printing several 72 dpi images at 1200 dpi so you could be sending much more than 670 KB to the printer.

I’m curious if it takes just as long if you print via your Ethernet connection instead of your WLAN.

Now, this is interesting. Assuming…
[LIST]
[*]you’re doing this on your laptop (SLED)
[*]and Windows is a KVM virtual machine
[*]and you’re printing via your WLAN connection
[/LIST]
It would suggest the bottleneck is related to the Linux print driver or perhaps cups. Have a look at /var/log/messages. Are there any errors or other messages that might point to the cause?

[QUOTE]
I have now disabled firewall. When done that and open YAST - Firewall I get this picture:
I have not installed another firewall. SAMBA runs for access to AD windows network.
There is Apparmor, but disabled in Services. I have not touched it.[/QUOTE]
Again, have a look at /var/log/messages. Are there any errors or other messages that might point to the cause?

From an earlier post, I thought that message came from your SLES system. Do you see that message on SLES, SLED, or both?

Try this to see if it resolves the error message:

[CODE]rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT[/CODE]

Now, open YaST Firewall. Do you still get the same message?

Hi Kevin,

All this is now from SLED. So we are on one system.
Usually I print files of several megabytes or hundreds of pages without a problem. It must be a problem of data transfer. I think the driver can be an issue since:

  • I can print on the DELL 3100CN printer
  • I can print out of KVM from WINDOWS

I can see in forums that others have problems with LaserJet printers too.

I am enabling the firewall again now since it is not the main problem.

Firewall:

[QUOTE]rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT
Now,[/QUOTE]

These commands removed the error message. But when I reboot, the error message comes again. I can then type the commands again and the error message disappears.

Print-related error messages from “messages”:

[QUOTE]2017-03-11T15:29:39.184983+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-11T15:29:39.190958+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-11T15:29:39.259424+01:00 SLEDLaptop hpps: [8156]: error: Failed to create /var/spool/cups/tmp/.hplip

2017-03-11T15:25:45.475455+01:00 SLEDLaptop smbd[3341]: [2017/03/11 15:25:45.475114, 0] …/source3/printing/nt_printing.c:187(nt_printing_init)
2017-03-11T15:25:45.477961+01:00 SLEDLaptop smbd[3341]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

2017-03-12T09:39:51.359111+01:00 SLEDLaptop laptop-mode: enabled, active [unchanged]
2017-03-12T09:40:51.582060+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-12T09:41:22.795608+01:00 SLEDLaptop systemd[1]: message repeated 2 times: [ Started CUPS Scheduler.]
2017-03-12T09:42:06.057051+01:00 SLEDLaptop hp[12763]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26[/QUOTE]

They are from different days. Today I really started up and tested printing to get the message. The last row is from today.

When I search for the printer, I find the following:

[QUOTE]2017-03-10T20:01:27.746970+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-10T20:01:58.671676+01:00 SLEDLaptop systemd[1]: message repeated 2 times: [ Started CUPS Scheduler.]
2017-03-10T20:02:09.638228+01:00 SLEDLaptop hplip.desktop[5095]: #033[01mHP Linux Imaging and Printing System (ver. 3.16.11)#033[0m
2017-03-10T20:02:09.638439+01:00 SLEDLaptop hplip.desktop[5095]: #033[01mHP Device Manager ver. 15.0#033[0m
2017-03-10T20:02:09.638568+01:00 SLEDLaptop hplip.desktop[5095]: Copyright (c) 2001-15 HP Development Company, LP
2017-03-10T20:02:09.638684+01:00 SLEDLaptop hplip.desktop[5095]: This software comes with ABSOLUTELY NO WARRANTY.
2017-03-10T20:02:09.638793+01:00 SLEDLaptop hplip.desktop[5095]: This is free software, and you are welcome to distribute it
2017-03-10T20:02:09.639058+01:00 SLEDLaptop hplip.desktop[5095]: under certain conditions. See COPYING file for more details.
2017-03-10T20:02:09.821970+01:00 SLEDLaptop hplip.desktop[5095]: #033[35;01mwarning: Reportlab not installed. Fax coverpages disabled.#033[0m
2017-03-10T20:02:09.822174+01:00 SLEDLaptop hp-toolbox: hp-toolbox[5095]: warning: Reportlab not installed. Fax coverpages disabled.
2017-03-10T20:02:09.822296+01:00 SLEDLaptop hp-toolbox: hp-toolbox[5095]: warning: Please install version 2.0+ of Reportlab for coverpage support.
2017-03-10T20:02:09.822397+01:00 SLEDLaptop hplip.desktop[5095]: #033[35;01mwarning: Please install version 2.0+ of Reportlab for coverpage support.#033[0m
2017-03-10T20:02:10.342409+01:00 SLEDLaptop python: io/hpmud/hpmud.c 246: invalid channel_open state, current io_mode=raw/uni service=HP-MESSAGE hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:02:10.355569+01:00 SLEDLaptop python: io/hpmud/hpmud.c 702: invalid channel_close state
2017-03-10T20:02:10.358240+01:00 SLEDLaptop python: io/hpmud/hpmud.c 246: invalid channel_open state, current io_mode=raw/uni service=HP-MESSAGE hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:02:17.395836+01:00 SLEDLaptop python: io/hpmud/hpmud.c 702: invalid channel_close state
2017-03-10T20:03:14.448918+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:04:18.160318+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:04:32.440692+01:00 SLEDLaptop laptop-mode: Laptop mode
[/QUOTE]

[QUOTE]2017-03-10T20:04:32.442945+01:00 SLEDLaptop laptop-mode: enabled, active [unchanged]
2017-03-10T20:05:03.170041+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:08:41.982023+01:00 SLEDLaptop hp[5083]: message repeated 4 times: [ io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26]
2017-03-10T20:08:53.374794+01:00 SLEDLaptop laptop-mode: Laptop mode
2017-03-10T20:08:53.376903+01:00 SLEDLaptop laptop-mode: enabled, active [unchanged]
2017-03-10T20:09:27.032899+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:10:00.657708+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-10T20:10:12.080126+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
[/QUOTE]

These messages seem to come when I run the self check of HPLIP.

I’m not an expert in error messages and can send the file if that makes sense?

This is from CUPS log

Firewall related messages:

[QUOTE]2017-03-12T09:44:52.509180+01:00 SLEDLaptop cron[3267]: (CRON) INFO (running with inotify support)
2017-03-12T09:44:52.516271+01:00 SLEDLaptop kernel: [ 14.529681] ip_tables: (C) 2000-2006 Netfilter Core Team
2017-03-12T09:44:52.521799+01:00 SLEDLaptop kernel: [ 14.535244] ip6_tables: (C) 2000-2006 Netfilter Core Team
2017-03-12T09:44:52.532446+01:00 SLEDLaptop kernel: [ 14.545889] Ebtables v2.0 registered
2017-03-12T09:44:52.681833+01:00 SLEDLaptop kernel: [ 14.695282] Bridge firewalling registered
[/QUOTE]
The bridge firewall might be from the KVM virtual box. This box is not running.
But I’m not really good at reading error messages.

USB test.

I tried from the SLED laptop and connected the printer via USB. I installed the driver again, “HP Laserjet USB”.
The printer works as fast as in Windows without problems. So, USB works.

However, I can’t connect the printer to all PCs via USB - I think we have, when the kids are home, 10 PCs and laptops. It should work via the network as the other printer does too.
But it seems to be linked to the LAN and CUPS handling of the LAN?

[QUOTE=hcp_dk;36995]USB test.

I tried from the SLED laptop and connected the printer via USB. I installed the driver again, “HP Laserjet USB”.
The printer works as fast as in Windows without problems. So, USB works.[/QUOTE]
Understood.

[QUOTE]However, I can’t connect the printer to all PCs via USB - I think we have, when the kids are home, 10 PCs and laptops.[/QUOTE]Understood.

[QUOTE]It should work via the network as the other printer does too.[/QUOTE]Agreed.

[QUOTE]But it seems to be linked to the LAN and CUPS handling of the LAN?[/QUOTE]Agreed, but I do not have any experience working with CUPS.
This might be a good time for some of the other Knowledge Partners who have more experience in this area to jump in and offer some assistance. :slight_smile: