Printer, printer setup, multifunction printer, HP laserjet

[QUOTE=hcp_dk;36994]Firewall:
rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT
These commands removed the error message. But when I reboot, the error message comes again. I can then type the commands again and the error message disappears.[/QUOTE]

I am doing some more research on this issue. I will update this thread when I have more information.

Hi Kevin,

thanks so far. I think we got quite far. I can open a service request and try to get support from there. It seems to be a more difficult issue than a bug or so?

[QUOTE=hcp_dk;37024]Hi Kevin,

thanks so far. I think we got quite far. I can open a service request and try to get support from there. It seems to be a more difficult issue than a bug or so?[/QUOTE]
I have already asked someone from SUSE tech support to have a look at this. I should have a response later this week.

You also were unable to print from your SLES system.

[LIST]
[*]Have you tried to correct your SLES firewall configuration, doing the same as you did on SLED?
[*]Can you now print from SLES?
[*]Is your SLES system something you need or was it just set up to see if you could print from it?
[/LIST]

Let me correct that statement: I have asked for more information about the firewall message.

If no one has any suggestions regarding the print performance issue, that may be worth following up with a Service Request.

Hi Kevin,
I have not tried SLES further. It's a PC and the firewall is set to the internal zone. I'm not traveling for some days but can try later.
However, if we cannot solve the issue on SLED with LAN and printing, it's the same on SLES:

O.K., because you wrote you are CUPS. And we can see printing is a problem over LAN.

One issue is CUPS via LAN, and for that I have asked SUSE to find somebody who knows.

Firewall messages, as I wrote:
I get the failure message about 2 firewalls acting.
I can flush input and output as done and the message disappears. As soon as I reboot, the message comes again.

Hi Kevin,

I have now tried the same on SLES.
Firewall internal: no print possible.
Firewall external and open ports as done on SLED: no print possible.

I tried printing from Libre

hcp dk wrote:
[color=blue]

Hi Kevin,

I have now tried the same on SLES.
Firewall internal: no print possible.
Firewall external and open ports as done on SLED: no print possible.

I tried printing from Libre[/color]

I suspected there were other issues with SLES. Is this a test system or one that you intend to keep?

Can you print if you stop the firewall AND flush iptables?

If you still can't print, can you please post the contents of /etc/sysconfig/SuSEfirewall2?


Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.
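For the kind of SuSEfirewall2 review Kevin is asking for here, the following is an added example (not code from this thread or from the SuSEfirewall2 project): it parses the sysconfig format, multi-line quoted values included, and flags external-zone ports that FW_SERVICES_EXT_TCP/UDP open to every source address, together with the FW_SERVICES_ACCEPT_EXT entries whose source restriction is therefore ineffective, because the file's own documentation states that FW_SERVICES_EXT_* takes precedence over FW_SERVICES_ACCEPT_*. The sample configuration is constructed, modelled on the settings posted later in the thread; the tcp,631 entry is an addition to show a properly restricted port.

```python
"""Audit a SuSEfirewall2 sysconfig file for external-zone ports open to every
source. Added example, not code from this thread or from SuSEfirewall2 itself.
Flags ports opened by FW_SERVICES_EXT_TCP/UDP and the FW_SERVICES_ACCEPT_EXT
entries they make redundant, since FW_SERVICES_EXT_* takes precedence."""
import re
from typing import Dict, List, Tuple

# KEY=value at line start; the value is parsed separately because a
# double-quoted value may continue over several lines.
_ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')

# Constructed excerpt modelled on the configuration posted in this thread.
# The tcp,631 entry is constructed too; it is the only one whose port is not
# already opened to everyone by FW_SERVICES_EXT_TCP.
SAMPLE_CONFIG = '''\
## Type: string
# Which are the interfaces that point to the internet/untrusted networks?
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP="161 162 9100"
FW_SERVICES_EXT_UDP="161 162 427 5353 9100"
FW_SERVICES_ACCEPT_EXT="10.0.25.0/24,udp,5353
10.0.25.0/24,udp,427
10.0.25.0/24,tcp,9100
10.0.25.0/24,udp,9100
10.0.25.0/24,tcp,161
10.0.25.0/24,udp,161
10.0.25.0/24,tcp,162
10.0.25.0/24,udp,162
10.0.25.0/24,tcp,631"
'''


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Return {variable: value} for the active (uncommented) assignments."""
    values: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        stripped = lines[i].strip()
        i += 1
        if not stripped or stripped.startswith('#'):
            continue
        m = _ASSIGN_RE.match(stripped)
        if not m:
            continue
        key, rest = m.group(1), m.group(2).strip()
        if rest.startswith('"') and (len(rest) == 1 or not rest.endswith('"')):
            # Opening quote without a closing one: collect lines until the
            # closing quote (the multi-line form the file's own hints discourage).
            parts = [rest[1:]]
            while i < len(lines) and not lines[i].rstrip().endswith('"'):
                parts.append(lines[i].strip())
                i += 1
            if i < len(lines):
                parts.append(lines[i].rstrip()[:-1].strip())
                i += 1
            values[key] = ' '.join(p for p in parts if p)
        else:
            values[key] = rest.strip('"')
    return values


def expand_ports(spec: str) -> List[Tuple[int, int]]:
    """Expand '123 514 3200:3299' into (low, high) ranges. Service names
    (which SuSEfirewall2 resolves via /etc/services) are skipped here."""
    ranges: List[Tuple[int, int]] = []
    for item in spec.split():
        if ':' in item and all(p.isdigit() for p in item.split(':', 1)):
            low, high = item.split(':', 1)
            ranges.append((int(low), int(high)))
        elif item.isdigit():
            ranges.append((int(item), int(item)))
    return ranges


def world_open_ports(cfg: Dict[str, str]) -> Dict[str, List[Tuple[int, int]]]:
    """External-zone ports reachable from any source address, per protocol."""
    return {proto: expand_ports(cfg.get('FW_SERVICES_EXT_' + proto.upper(), ''))
            for proto in ('tcp', 'udp')}


def redundant_accept_entries(cfg: Dict[str, str]) -> List[str]:
    """FW_SERVICES_ACCEPT_EXT entries (net,protocol[,dport[,...]]) whose port
    is already open to everyone, so their source restriction has no effect."""
    open_ports = world_open_ports(cfg)
    redundant: List[str] = []
    for entry in cfg.get('FW_SERVICES_ACCEPT_EXT', '').split():
        fields = entry.split(',')
        if len(fields) < 3 or fields[1] not in open_ports or not fields[2].isdigit():
            continue
        port = int(fields[2])
        if any(low <= port <= high for low, high in open_ports[fields[1]]):
            redundant.append(entry)
    return redundant


if __name__ == '__main__':
    print('\n'.join(redundant_accept_entries(parse_sysconfig(SAMPLE_CONFIG))))
```

Run against a real /etc/sysconfig/SuSEfirewall2, every entry it prints is a port that is in fact reachable from any address in the external zone, whatever the matching FW_SERVICES_ACCEPT_EXT line says.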

I did

rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT

and then tried printing a PDF document.

Firewall settings are:

[CODE]linuxSLES:/etc/sysconfig # cat SuSEfirewall2
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany
# Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany
# Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany
#
# Author: Marc Heuse, 2002
#         Ludwig Nussel, 2004-2011
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 3.6
#
# ------------------------------------------------------------------------
#
# Note that running a packet filter/firewall is no panacea against
# network security threats. Make sure to
# - expose only actually needed services
# - assign different zones to express different levels of trust.
#   Opening ports for LAN services in the external zone defeats the
#   purpose of the firewall!
# - use software that is designed with security in mind (such as
#   postfix, vsftpd, openssh)
# - install security updates regularly
#
# ------------------------------------------------------------------------
#
# Configuration Hints:
#
# Note that while this file looks like a shell script and is parsed
# by a shell script it actually is not a shell script itself. More
# information about sysconfig files can be found here:
# http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig
#
# It's generally a good idea to avoid using shell variable
# substitution (foo="$bar") and multi line values.
#
# If you have any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
#
# For end user systems that are only connected to one network
# FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need
# to be modified. The defaults for all other settings are usually
# fine.
#
# For firewalls that should perform routing or masquerading between
# networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,
# FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,
# FW_FORWARD_MASQ
#
# Please note that if you use service names, they have to exist in
# /etc/services. There is for example no service "dns", it's called
# "domain"; email is called "smtp" etc.
#
# ------------------------------------------------------------------------

## Path:        Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type:        string
#
# Which are the interfaces that point to the internet/untrusted
# networks?
#
# Enter all untrusted network devices here
#
# Format: space separated list of interface or configuration names
#
# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external. Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external interfaces
# individually. "any" can be mixed with other interface names.
#
# Examples: "wlan0", "ippp0 ippp1", "any dsl0"
#
# Note: alias interfaces (like eth0:1) are ignored
#
FW_DEV_EXT="eth0"

## Type: string
#
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_INT=""

## Type: string
#
# Which are the interfaces that point to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, separated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.
#
# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_DMZ=""

## Type: yesno
#
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
# net.ipv4.ip_forward settings in /etc/sysctl.conf
#
# Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
# manually.
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="no"

## Type: yesno
#
# Do you want to masquerade internal networks to the outside?
#
# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
#
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE="no"

## Type: string
#
# You also have to define on which interfaces to masquerade on.
# Those are usually the same as the external interfaces. Most users
# can leave the default.
#
# The special string "zone:" concatenated with the name of a zone
# means to take all interfaces in the specified zone.
#
# Note: Old version of SuSEfirewall2 used a shell variable
# ($FW_DEV_EXT) here. That method is deprecated as it breaks auto
# detection of interfaces. Please use zone:ext instead.
#
# Examples: "ippp0", "zone:dmz"
#
# defaults to "zone:ext" if not set
#
FW_MASQ_DEV=""

## Type: string
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
#
# Format: space separated list of
#   [,,[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
#             This is also the default if you leave FW_MASQ_NETS empty.
#           - "10.0.0.0/8" allows the whole 10.0.0.0 network with
#             unrestricted access.
#           - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
#             the 10.0.1.0 network to use www/ftp to the internet.
#           - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
#             10.0.1.0/24 network is allowed to access unprivileged
#             ports whereas 10.0.2.0/24 is granted unrestricted
#             access.
#           - "0/0,!10.0.0.0/8" unrestricted access to the internet
#             with the exception of 10.0.0.0/8 which will not be
#             masqueraded.
#
FW_MASQ_NETS=""

## Type: string
#
# Which computers/networks to exclude from masquerading.
#
# Note that this only affects the POSTROUTING chain of the nat
# table. Ie the forwarding rules installed by FW_MASQ_NETS do not
# include the listed exceptions.
#
# *** Since you may use FW_NOMASQ_NETS together with IPsec make sure
# that the policy database is loaded even when the tunnel is not up
# yet. Otherwise packets to the listed networks will be forwarded to
# the internet unencrypted! ***
#
# Format: space separated list of
#   [,,[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0,10.0.0.0/8" do not masquerade packets from
#             anywhere to the 10.0.0.0/8 network
#
FW_NOMASQ_NETS=""

## Type: list(yes,no,notrack,)
#
# Do you want to protect the firewall from the internal network?
#
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# The value "notrack" acts similar to "no" but additionally
# connection tracking is switched off for interfaces in the zone.
# This is useful to gain better performance on high speed
# interfaces.
#
# defaults to "no" if not set
#
# see also FW_REJECT_INT
#
FW_PROTECT_FROM_INT="no"

## Type: string
#
# Which TCP services on the firewall should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_TCP="161 162 9100"

## Type: string
#
# Which UDP services on the firewall should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Example: "53", "syslog"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_UDP="161 162 427 5353 9100"

## Type: string
#
# Which IP services on the firewall should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing services that END at the firewall like
# IPsec, GRE, PPTP or OSPF
#
# Format: space separated list of ports, port ranges or well known
# protocol names (see /etc/protocols)
#
# Example: "esp"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_IP=""

## Type: string
#
# Which RPC services on the firewall should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_RPC=""

## Type: string
#
# Which services on the firewall should be accessible from
# untrusted networks?
#
# Packages can drop a configuration file that specifies all required
# ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for
# services that require multiple ports or protocols. Enter the space
# separated list of configuration files you want to load.
#
# The content of those files is merged into
# FW_SERVICES_$zone_$protocol, ie has precedence over
# FW_SERVICES_ACCEPT_*
#
# Example: "samba-server nfs-kernel-server"
#
FW_CONFIGURATIONS_EXT="avahi"

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
#
FW_SERVICES_DMZ_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
#
FW_SERVICES_DMZ_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
#
FW_SERVICES_DMZ_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
#
FW_SERVICES_DMZ_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
#
FW_CONFIGURATIONS_DMZ=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
#
FW_SERVICES_INT_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
#
FW_SERVICES_INT_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
#
FW_SERVICES_INT_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
#
FW_SERVICES_INT_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
#
FW_CONFIGURATIONS_INT=""

## Type: string
#
# Packets to drop.
#
# Format: space separated list of net,protocol[,port][,sport]
#
# Example: "0/0,tcp,445 0/0,udp,4662"
#
# The special value rpc is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_DROP_EXT=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
#
FW_SERVICES_DROP_DMZ=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
#
FW_SERVICES_DROP_INT=""

## Type: string
## Default:
#
# Packets to reject. Common usage is TCP port 113 which if dropped
# would cause long timeouts when sending mail or connecting to IRC
# servers.
#
# Format: space separated list of net,protocol[,dport][,sport]
#
# Example: "0/0,tcp,113"
#
# The special value rpc is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_REJECT_EXT=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
#
FW_SERVICES_REJECT_DMZ=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
#
FW_SERVICES_REJECT_INT=""

## Type: string
## Default:
#
# Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
#
# Example: "0/0,tcp,22"
#
# Supported flags are
#   hitcount=NUMBER     : ipt_recent --hitcount parameter
#   blockseconds=NUMBER : ipt_recent --seconds parameter
#   recentname=NAME     : ipt_recent --name parameter
#
# Example:
#   Allow max three ssh connects per minute from the same IP address:
#   "0/0,tcp,22,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value rpc is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
# take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
# port with both options.
#
# Note2: the iptables recent module may not be available for ipv6. To
# avoid an error message use 0.0.0.0/0 instead of 0/0. This will
# install the rule for ipv4 only.
#
FW_SERVICES_ACCEPT_EXT="10.0.25.0/24,udp,5353
10.0.25.0/24,udp,427
10.0.25.0/24,tcp,9100
10.0.25.0/24,udp,9100
10.0.25.0/24,tcp,161
10.0.25.0/24,udp,161
10.0.25.0/24,tcp,162
10.0.25.0/24,udp,162"

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
#
FW_SERVICES_ACCEPT_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
#
FW_SERVICES_ACCEPT_INT=""

## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
#   Allow samba broadcast replies marked as related by
#   nf_conntrack_netbios_ns from a certain network:
#   "192.168.1.0/24,udp,137"
#
# See also FW_LOAD_MODULES
#
FW_SERVICES_ACCEPT_RELATED_EXT=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
#
FW_SERVICES_ACCEPT_RELATED_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
#
FW_SERVICES_ACCEPT_RELATED_INT=""

## Type: string
#
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
#   in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

## Type: string
#
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
#
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice before using this option!
#
# Format: space separated list of
#   ,[,protocol[,destination port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# flags, separated by comma:
#   ipsec:
#     match packets that originate from an IPsec tunnel
#   zonein=ZONE, zoneout=ZONE:
#     match only packets coming in/going out on interfaces from
#     the specified zone.
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
#             service on the host 2.2.2.2
#           - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
#             to access any service in the network 4.4.4.4/24
#           - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
#             from 5.5.5.5 to 6.6.6.6
#           - "0/0,0/0,udp,514" always permit udp port 514 to pass
#             the firewall
#           - "192.168.1.0/24,10.10.0.0/16,ipsec \
#              10.10.0.0/16,192.168.1.0/24,ipsec" permit traffic
#             from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
#             provided that both networks are connected via an
#             IPsec tunnel.
#           - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh"
#             allow ssh from one IPv6 network to another
#
FW_FORWARD=""

## Type: string
#
# same as FW_FORWARD but packages are rejected instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_REJECT=""

## Type: string
#
# same as FW_FORWARD but packages are dropped instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_DROP=""

## Type: string
#
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
#
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addresses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should not be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
#   ,,,[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10
#           - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10 on port 81
#           - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
#             the network 200.200.200.0/24 trying to access the
#             address 202.202.202.202 on port 80 will be forwarded
#             to the internal server 10.0.0.10 on port 81
#
# Note: due to inconsistent iptables behaviour only port numbers are possible
# but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ=""

## Type: string
#
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of [,,[,dport[:lport]]
#   Where protocol is either tcp or udp. dport is the original
#   destination port and lport the port on the local machine to
#   redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
# to additionally open the local port
#
FW_REDIRECT=""

## Type: yesno
#
# Which kind of packets should be logged?
#
# When set to "yes", packages that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type: yesno
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="no"

## Type: yesno
#
# When set to "yes", packages that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests and forwarded packets.
#
# Set to "no" for on systems with high traffic
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type: yesno
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes LOTS of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="no"

## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
#
FW_LOG_LIMIT=""

## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# You may specify an alternative logging target by starting the
# string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2"
#
# Note that ULOG doesn't work with IPv6
#
# only change this if you know what you are doing!
#
FW_LOG=""

## Type: yesno
#
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, rp_filter, routing flush,
# bootp_relay, proxy_arp, secure_redirects, accept_source_route
# icmp_echo_ignore_broadcasts, ipfrag_time)
#
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY=""

## Type: yesno
#
# Whether ip routing should be disabled when the firewall is shut
# down.
#
# Note: IPv4 only, IPv6 sysctls are left untouched
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_STOP_KEEP_ROUTING_STATE="no"

## Type: yesno
#
# Allow the firewall to reply to icmp echo requests
#
# defaults to "yes" if not set
#
FW_ALLOW_PING_FW=""

## Type: yesno
#
# Allow hosts in the dmz to be pinged from hosts in other zones even
# if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ=""

## Type: yesno
#
# Allow hosts in the external zone to be pinged from hosts in other
# zones even if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT=""

## Type: yesno
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specific ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
#   - "yes" or "no"
#   - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
#             to enter the machine but drop any other broadcasts
#           - "yes" do not install any extra drop rules for
#             broadcast packets. They'll be treated just as unicast
#             packets in this case.
#           - "no" drop all broadcast packets before other filtering
#             rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
#
FW_ALLOW_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
#
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
#   - "yes" or "no"
#   - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
#           - "yes" do not log dropped broadcast packets
#           - "no" log all dropped broadcast packets
#
# defaults to "no" if not set
#
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
#
FW_IGNORE_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
#
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type: list(yes,no,int,ext,dmz,)
#
# Specifies whether routing between interfaces of the same zone should be allowed
#
# Requires: FW_ROUTE="yes"
#
# Set this to allow routing between interfaces in the same zone,
# e.g. between all internet interfaces, or all internal network
# interfaces.
#
# Caution: Keep in mind that "yes" affects all zones. ie even if you
# need inter-zone routing only in the internal zone setting this
# parameter to "yes" would allow routing between all external
# interfaces as well. It's better to use
# FW_ALLOW_CLASS_ROUTING="int" in this case.
#
# Choice: "yes", "no", or space separate list of zone names
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
#
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
# You may override this value on a per zone basis by using a zone
# specific variable, e.g. FW_REJECT_DMZ="yes"
#
FW_REJECT=""

## Type: yesno
#
# see FW_REJECT for description
#
# default config file setting is "yes" assuming that slowing down
# portscans is not strictly required in the internal zone even if
# you protect yourself from the internal zone
#
FW_REJECT_INT=""

## Type: string
#
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
#
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
#
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
#
# FW_HTB_TUNE_DEV="dsl0,125"
#
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers because queuing is done by us now.
#
# So for a 256kbit upstream
#
# FW_HTB_TUNE_DEV="dsl0,250"
#
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
#
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
#   traffic unless you setup your own rules.
# - drop: drop all IPv6 packets.
# - reject: reject all IPv6 packets. This is the default if stateful matching is
#   not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether ip6tables supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
#
# Example:
#   FW_IPSEC_TRUST="int"
#   FW_SERVICES_EXT_IP="esp"
#   FW_SERVICES_EXT_UDP="isakmp"
#   FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type: string
#
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
#   FW_ZONES="wlan"
#   FW_DEV_wlan="wlan0"
#   FW_SERVICES_wlan_TCP="80"
#   FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""

## Type: string(no,auto)
#
# Set default firewall zone
#
# Format: 'auto', 'no' or name of zone.
#
# When set to 'no' no firewall rules will be installed for unknown
# or unconfigured interfaces. That means traffic on such interfaces
# hits the default drop rules.
#
# When left empty or when set to 'auto' the zone that has the
# interface string 'any' configured is used for all unconfigured
# interfaces (see FW_DEV_EXT). If no 'any' string was found the
# external zone is used.
#
# When a default zone is defined a catch all rule redirects traffic
# from interfaces that were not present at the time SuSEfirewall2
# was run to the default zone. Normally SuSEfirewall2 needs to be
# run if new interfaces appear to avoid such unknown interfaces.
#
# Defaults to 'auto' if not set
#
FW_ZONE_DEFAULT=''

## Type: list(yes,no,auto,)
## Default:
#
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
#   iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""

## Type: string
#
# Which additional kernel modules to load at startup
#
# Example:
#   FW_LOAD_MODULES="nf_conntrack_netbios_ns"
#
# See also FW_SERVICES_ACCEPT_RELATED_EXT
#
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

## Type: string
## Default:
#
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
#
# Example:
#   FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""

## Type: string
#
# Whether traffic that is only bridged but not routed should be
# allowed. Such packets appear to pass through the forward chain so

normally they would be dropped.

Note: it is not possible to configure SuSEfirewall2 as bridging

firewall. This option merely controls whether SuSEfirewall2 should

try to not interfere with bridges.

Choice:

- yes: always install a rule to allow bridge traffic

- no: don’t install a rule to allow bridge traffic

- auto: install rule only if there are bridge interfaces

Defaults to “auto” if not set

FW_FORWARD_ALLOW_BRIDGING=""

Type: yesno

Write status information to /var/run/SuSEfirewall2/status for use

by e.g. graphical user interfaces. Can safely be disabled on

servers.

Defaults to “yes” if not set

FW_WRITE_STATUS=""

Type: yesno

Allow dynamic configuration overrides in

/var/run/SuSEfirewall2/override for use by e.g. graphical user

interfaces. Can safely be disabled on servers.

Defaults to “yes” if not set

FW_RUNTIME_OVERRIDE=""

Type: yesno

Install NOTRACK target for interface lo in the raw table. Doing so

speeds up packet processing on the loopback interface. This breaks

certain firewall setups that need to e.g. redirect outgoing

packets via custom rules on the local machine.

Defaults to “yes” if not set

FW_LO_NOTRACK=""

Type: yesno

Specifies whether /etc/init.d/SuSEfirewall2_init should install the

full rule set already. Default is to just install minimum rules

that block incoming traffic. Set to “yes” if you use services

such as drbd that require open ports during boot already.

Defaults to “no” if not set

FW_BOOT_FULL_INIT=“no”
linuxSLES:/etc/sysconfig #
[/CODE]

Printing doesn’t get done, doesn’t get processed.

hcp dk wrote:
[color=blue]

Printing doesn’t get done, doesn’t get processed.[/color]

There are some minor differences between your SLES firewall and your
SLED firewall configuration but, for now, don’t worry about it.

Something is preventing communication with your printer even when the
firewall is disabled.

Can you ping your HP printer from SLED?

Can you ping your HP printer from SLES?

Please run ifconfig on your SLES system and post the results.


Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

Hi Kevin,

Yes, I can ping the printer from SLES and SLED.
I had to set the SLES firewall (stationary PC) to internal since otherwise I cannot search in the Active Directory, the LAN system.

[CODE]linuxSLES:/home/hans-christoph # ifconfig
eth0 Link encap:Ethernet HWaddr 00:19:99:C2:BD:C4
inet addr:10.0.25.143 Bcast:10.0.25.255 Mask:255.255.255.0
inet6 addr: fe80::219:99ff:fec2:bdc4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:45401574 errors:0 dropped:0 overruns:0 frame:0
TX packets:37255934 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55023491383 (52474.4 Mb) TX bytes:44257484763 (42207.2 Mb)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2290 errors:0 dropped:0 overruns:0 frame:0
TX packets:2290 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:173179 (169.1 Kb) TX bytes:173179 (169.1 Kb)

virbr0 Link encap:Ethernet HWaddr 52:54:00:96:00:02
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:258 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31506 (30.7 Kb) TX bytes:532 (532.0 b)
[/CODE]

[QUOTE=hcp_dk;37196]Hi Kevin,
I had to set the SLES firewall (stationary PC) to internal since otherwise I cannot search in the Active Directory, the LAN system.
[/QUOTE]

As I mentioned in an earlier post regarding your SLED…

You were able to print from SLED after your firewall was correctly configured. While you still may have additional printing issues on SLES, let’s try to get your SLES firewall working first.

Ideally, you want to block everything and only open the ports you need. You should verify what ports need to be open on your Windows Server and on client machines. This TechNet article may help: Active Directory and Active Directory Domain Services Port Requirements.

In the meantime, until we get the firewall working, you can allow all traffic between SLES and your Windows Server.

Using YaST Firewall:
[LIST]
[*]Ensure all interfaces are assigned to the External zone.
[*]Set up 2 Custom Rules to allow all traffic between SLES and Windows Server.
[LIST]
[*]Source Network is your Windows Server (10.0.25.4?); Protocol is TCP; Other fields left blank.
[*]Source Network is your Windows Server (10.0.25.4?); Protocol is UDP; Other fields left blank.
[/LIST]
[*]Restart your firewall
[*]Verify you can “search in the Active Directory”.
[/LIST]

Please report your findings.

After you have reconfigured your firewall, it would be interesting to see just what ports are open on your SLES system.

From your SLED system, as root, run the following command and report the results.

nmap --open -T4 -p1-65535 10.0.25.143

If nmap is not installed, you can install it.

zypper install nmap

Hi Kyle,
now I’m back.

SLED: actually I can’t print from SLED at all. Not with or without firewall. I have no clue why. The data doesn’t even reach the printer. Maybe due to updates?

SLES: I did as mentioned above.

Actually I can access the windows network.

Trying to print a 4MB PDF: the data arrives at the printer, but no printing happens.

This is the log for the external firewall setup as mentioned before:

[CODE]linuxSLES:/home/hans-christoph # nmap --open -T4 -p1-65535 10.0.25.143

Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-29 22:10 CEST
Nmap scan report for 10.0.25.143
Host is up (0.000011s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3689/tcp open rendezvous

Nmap done: 1 IP address (1 host up) scanned in 5.88 seconds
linuxSLES:/home/hans-christoph #
[/CODE]

This is for the internal firewall setup:

[CODE]linuxSLES:/home/hans-christoph # nmap --open -T4 -p1-65535 10.0.25.143

Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-29 22:12 CEST
Nmap scan report for 10.0.25.143
Host is up (0.0000090s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3689/tcp open rendezvous

Nmap done: 1 IP address (1 host up) scanned in 5.81 seconds
linuxSLES:/home/hans-christoph #
[/CODE]

No difference… And there are not many ports open.

I see that!

I see that too!

Your previous post shows you opened ports in the External Zone for the 10.0.25.0/24 network:

[LIST]
[*]Did you restart your firewall after configuring it?
[*]Did you run the nmap port scan from an IP address in the 10.0.25.0/24 network?
[/LIST]

If you expect printing and other services to work, you have to ensure the appropriate ports are open. You can use nmap from another device on your network to verify that the ports are open. If they are not open, then you have to determine why.

There is still the message about “Another Firewall Active”. It appears that message is displayed when starting YaST Firewall if there are entries in iptables. I have not been able to determine why entries remain in iptables after stopping your firewall but they can be removed by flushing iptables as described previously.

Try this to see what you can learn:
[LIST]
[*]Ensure interfaces are assigned to the Firewall’s External Zone
[*]Restart your firewall
[*]Run nmap and make a note of the open ports.
[*]Stop the firewall.
[*]Run nmap a second time and make a note of the open ports.
[*]Flush iptables.
[*]Run nmap a third time and make a note of the open ports.
[/LIST]

If the necessary ports still remain closed, then you will need additional troubleshooting that is beyond what can be provided via the forums. I suggest you open a Service Request for this issue. You may want to refer the support person to this lengthy thread so they see what has already been tried.

You stated previously that you installed packages from unsupported (non SLE) repositories. There may be incompatibilities between those unsupported packages you installed and the SLE packages already installed on your system that could be responsible for this behavior. If that is so, then you may be on your own to find a solution.
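The three-scan check in the list above, as an added example that is not part of the original thread: a POSIX shell script to run from a second machine in the LAN (the SLED laptop, say) that scans the SLES host in each firewall state and prints which ports changed between states, so the comparison is not done by eye. The script name `fwcheck.sh` and the helper names `open_ports`, `scan_host` and `port_diff` are assumptions; the target address is the one from the thread, and nmap must be installed on the scanning machine.

```shell
#!/bin/sh
# Added example, not from the thread: run the restart / stop / flush check
# from a second machine and diff the open-port lists between states.
# Run it from ANOTHER host in 10.0.25.0/24 (e.g. the SLED laptop). A scan of
# the host's own address travels over lo, which SuSEfirewall2 leaves
# unfiltered, so the zone rules are never exercised and every state looks
# identical (which is exactly what the two scans in the thread show).

# Pull "22/tcp open ssh" rows out of `nmap --open` output on stdin; print one
# port/proto per line, numerically sorted.
open_ports() {
    awk '$2 == "open" { print $1 }' | sort -t/ -k1,1n
}

# Scan one host (hypothetical wrapper) and return its open ports on one line.
scan_host() {
    nmap --open -T4 -p1-65535 "$1" | open_ports | paste -s -d ' ' -
}

# Print which ports differ between two space-separated lists:
# $1 = list before the state change, $2 = list after it.
# Prints nothing when the state change made no difference.
port_diff() {
    for p in $1; do
        case " $2 " in *" $p "*) ;; *) printf 'closed after: %s\n' "$p" ;; esac
    done
    for p in $2; do
        case " $1 " in *" $p "*) ;; *) printf 'opened after: %s\n' "$p" ;; esac
    done
}

# Walk the operator through the three states; the firewall is changed on the
# scanned host between scans, then Enter is pressed here.
main() {
    target=$1
    prev=""
    first=1
    for state in "firewall restarted" "firewall stopped" "iptables flushed"; do
        printf 'Put %s into state "%s", then press Enter: ' "$target" "$state"
        read -r _
        cur=$(scan_host "$target")
        printf '%s -> open: %s\n' "$state" "${cur:-(none)}"
        if [ "$first" -eq 0 ]; then port_diff "$prev" "$cur"; fi
        prev=$cur
        first=0
    done
}

# Only scan when a target is given, e.g.  ./fwcheck.sh 10.0.25.143
if [ $# -eq 1 ]; then main "$1"; fi
```

If all three runs print the same list, the SuSEfirewall2 rules are not what decides which ports are reachable, which is the case the thread is trying to distinguish from a mis-assigned zone.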

[QUOTE=hcp_dk;37321]Hi Kyle,
now I’m back.

SLED: actually I can’t print from SLED at all. Not with or without firewall. I have no clue why. The data not even reach the printer. Maybe due to updates?[/QUOTE]

That is unfortunate.
[LIST]
[*]What did you change?
[*]Can you run an nmap port scan from your SLES server to see what ports are open on your SLED laptop?
[/LIST]

[QUOTE]SLES: I did as mentioned above.
Actually I can access the windows network. [/QUOTE]
I thought that might help. :smiley:

That may be related to a port issue or perhaps a driver issue. I don’t remember if you were ever able to print to the HP printer from SLES. To verify that the driver is installed correctly, are you able to print from SLES via a USB connection?

Hi Kevin,

I did these nmap scans from SLES (inside). I can do it from outside too - later, with both setups (external open ports and internal).
The firewall is restarted every time, but I can reboot each time.
The modules I installed have nothing to do with the firewall. It’s codecs and FreeCad, Shutter (try that - very good program).

But there is something mysterious about this firewall.

SUSE service spent half a day on SLES and tried a lot (remotely). Now they opened a bug. But as you said, there is a point regarding the firewall.
Let’s collect data.
I’m now off for a week - in Denver CO.
I have my SLED laptop with me.

Yes, USB print works.

As we figured out before: It is a network problem and HP-specific.