SP2 for SLES11 adds a firewall interface entry

I’ve noticed that SP2 for SLES11 systems adds an interface entry
Device = Custom string
Interface or String = any
Configured in = External Zone

Does anyone know why that is there and how much of a worry is it?
So far I’ve just removed it as it appears to me to be more a testing
bit that snuck in that mainly serves to confuse, though I see some
value in having that as a catch all.

Anyone else seen this?
I’ve seen this for both new systems starting at SP2 level and older
systems patched to SP2. So I’ve only dealt with 64-bit systems and
mostly with OES.

Andy Konecny
KonecnyConsulting.ca in Toronto

Andy’s Profile: http://forums.novell.com/member.php?userid=75037

Andy Konecny wrote:

> I’ve noticed that SP2 for SLES11 systems adds an interface entry
> Device = Custom string
> Interface or String = any
> Configured in = External Zone

Where is this?

I don’t see this in my /etc/sysconfig/SuSEfirewall2 config file on my
SLES11-SP2 64 bit system which has been upgraded at least a couple of
times.

There is a comment in one of the backup copies of that file that states:

> The special keyword “any” means that packets arriving on interfaces
> not explicitly configured as int, ext or dmz will be considered
> external. Note: this setting only works for packets destined for the
> local machine. If you want forwarding or masquerading you still have
> to add the external interfaces individually. “any” can be mixed with
> other interface names.

… however that comment is missing from the current config file.

> Does anyone know why that is there and how much of a worry is it?

I assume it’s in there in case additional interfaces are added to the
system so they will automatically be assigned to the “external” zone.

> So far I’ve just removed it as it appears to me to be more a testing
> bit that snuck in that mainly serves to confuse, though I see some
> value in having that as a catch all.


Kevin Boyle - Knowledge Partner
If you find this post helpful and are using the web interface,
show your appreciation and click on the star below…

In article Cecss.485$kX4.461@kozak.provo.novell.com, Kboyle wrote:

>> I’ve noticed that SP2 for SLES11 systems adds an interface entry
>> Device = Custom string
>> Interface or String = any
>> Configured in = External Zone
>
> Where is this?

As seen in the GUI Firewall app

> I don’t see this in my /etc/sysconfig/SuSEfirewall2 config file on my
> SLES11-SP2 64 bit system which has been upgraded at least a couple of
> times.

Comparing before and after removal of that line I see one change in my
config file.
FW_DEV_EXT='any eth0' vs FW_DEV_EXT=''
which is just after the following (still in my production files)

>> The special keyword “any” means that packets arriving on interfaces
>> not explicitly configured as int, ext or dmz will be considered
>> external. Note: this setting only works for packets destined for the
>> local machine. If you want forwarding or masquerading you still have
>> to add the external interfaces individually. “any” can be mixed with
>> other interface names.

Ah, that’s what I hoped it was, and it is clearly a good thing. I guess
leaving them in is safe then now that I understand this.

Thank you for sharing your knowledge

Andy Konecny
KonecnyConsulting.ca in Toronto

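The thread above settles what FW_DEV_EXT='any eth0' means by reading the comment in /etc/sysconfig/SuSEfirewall2. The script below is an added example (it is not from the thread, from SUSE, or from SuSEfirewall2 itself) that applies that comment's rules to a config file: it reports which zone a given interface lands in, treating an interface that is in no explicit FW_DEV_* list as external only when the special keyword "any" is present in FW_DEV_EXT, and it lists the interfaces that forwarding or masquerading rules could actually use, which per the comment excludes the catch-all. The two config fragments are constructed samples; the helper names (fw_var, fw_zone, fw_fwd_ext) are this example's own.

```shell
#!/bin/sh
# Added example: classify interfaces by SuSEfirewall2 zone, honouring the
# special keyword "any" in FW_DEV_EXT as the config file's own comment
# describes. Not part of SuSEfirewall2; helper names are this example's own.

# Constructed sample 1: the value Andy saw after SP2 ("any" plus eth0).
CONF_ANY=$(mktemp)
cat > "$CONF_ANY" <<'EOF'
FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
EOF

# Constructed sample 2: the same file with the catch-all removed.
CONF_NOANY=$(mktemp)
cat > "$CONF_NOANY" <<'EOF'
FW_DEV_EXT='eth0'
FW_DEV_INT='eth1'
FW_DEV_DMZ=''
EOF
trap 'rm -f "$CONF_ANY" "$CONF_NOANY"' EXIT

# fw_var FILE VAR: print VAR's value from a sysconfig-style file.
# The last assignment wins (as it would when the file is sourced);
# surrounding single or double quotes are stripped.
fw_var() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1 \
        | sed "s/^[\"']//; s/[\"']\$//"
}

# has_word LIST WORD: succeed if WORD is one of the space-separated items.
has_word() {
    for w in $1; do
        [ "$w" = "$2" ] && return 0
    done
    return 1
}

# fw_zone FILE IFACE: print int, ext or dmz for an explicitly listed
# interface; "ext(any)" for an unlisted interface caught by the keyword
# "any" in FW_DEV_EXT; "none" when no zone claims it.
fw_zone() {
    ext=$(fw_var "$1" FW_DEV_EXT)
    int=$(fw_var "$1" FW_DEV_INT)
    dmz=$(fw_var "$1" FW_DEV_DMZ)
    if has_word "$int" "$2"; then echo int
    elif has_word "$dmz" "$2"; then echo dmz
    elif has_word "$ext" "$2"; then echo ext
    elif has_word "$ext" any; then echo "ext(any)"
    else echo none
    fi
}

# fw_fwd_ext FILE: the external interfaces forwarding/masquerading rules
# can refer to. Per the file's comment, "any" only covers packets destined
# for the local machine, so it is dropped from this list.
fw_fwd_ext() {
    for w in $(fw_var "$1" FW_DEV_EXT); do
        [ "$w" = any ] || printf '%s\n' "$w"
    done
}

# Walk a few interface names through both samples.
for conf in "$CONF_ANY" "$CONF_NOANY"; do
    echo "FW_DEV_EXT=$(fw_var "$conf" FW_DEV_EXT)"
    for i in eth0 eth1 eth2; do
        printf '  %-5s -> %s\n' "$i" "$(fw_zone "$conf" "$i")"
    done
    echo "  forwardable ext: $(fw_fwd_ext "$conf" | tr '\n' ' ')"
done
```

Running it shows the practical difference the thread arrived at: with "any" present, a newly added eth2 is treated as external for locally destined traffic, while without it eth2 belongs to no zone at all; in both cases only eth0 is available to forwarding or masquerading rules.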

Andy Konecny wrote:

> As seen in the GUI Firewall app

While the GUI makes changes easier in many cases, it does not always
allow all settings to be configured.

/etc/sysconfig/SuSEfirewall2 explains what each setting does. I prefer
to edit this file directly as it provides much more control over my
firewall configuration.

By the way, thank you for sharing your knowledge. The Knowledge
Partners have noticed your many responses to users’ requests for
assistance in various forums. We do appreciate the assistance you
provide. Keep up the good work!


Kevin Boyle - Knowledge Partner

In article 1DNss.1611$Ix6.1506@kovat.provo.novell.com, Kboyle wrote:

> While the GUI makes changes easier in many cases, it does not always
> allow all settings to be configured.
Oh yes I know that, but if the GUI gets all I need done, why spend the
extra time getting up to speed on yet another config file when there are
so many I already have to know well. Kind of like the decision to
automate a one off task, usually not an efficient use of effort.

> /etc/sysconfig/SuSEfirewall2 explains what each setting does. I prefer
> to edit this file directly as it provides much more control over my
> firewall configuration.
Once I’ve gotten to understand a given config file I tend to be the
same, just haven’t had sufficient need in this case yet.

> By the way, thank you for sharing your knowledge. The Knowledge
> Partners have noticed your many responses to users’ requests for
> assistance in various forums. We do appreciate the assistance you
> provide. Keep up the good work!

Well, I have always found I learn best by helping others, and these
forums have been a great way to do that since I first discovered them
(back when at least the Novell side was on CompuServe).
I see that the SUSE and NetIQ Forums now have separated profiles from
the ones under Novell, I guess time to refresh myself with that process.

Andy Konecny
KonecnyConsulting.ca in Toronto
