Yast firewall settings do not apply

SUSE Product Topics SLES Networking
1

Hello community!

I posted my question on LinuxQuestions.org (http://www.linuxquestions.org/questions/linux-newbie-8/problems-with-tomcat6-cannot-access-tomcat-manager-firewall-blocks-port-8080-a-4175591495/), but I was told there they don’t know too much about open SUSE specifically, so I’m asking the experts here.

My problem is that I cannot access tomcat6 from other computers on the same subnet as my tomcat6 server (which is an OES2015, with all the latest updates, fresh install by the way). At least not as long as the firewall is enabled.

I think I can say I’m 100% sure the firewall is the problem, and here’s why: tomcat seems to be correctly configured to listen on port 8080. I can access it perfectly fine from the localhost at all times. AND: I can also perfectly access it from any computer on the same subnet as long as the firewall is turned off on my OES2015. As soon as I turn the firewall on, computers on the same subnet trying to access the tomcat start page on my OES2015 get a “connection timed out” message.
Now, this wouldn’t be surprising, but I have set exceptions in the firewall of my OES2015 using Yast. Just to make sure, I added the exception for internal zone, external zone and demilitarized zone (even though that’s probably not necessary).

The following screenshot show’s how I did it (example for external zone, looks exactly the same for internal zone and demilitarized zone):

Screenshot

And, of course, I restarted the firewall after making those changes, and, just to be sure, I even restarted the whole OES2015 server.

Still, no luck, I cannot access tomcat6 from any of the other computers in the same subnet (repeat: as long as the firewall is turned on, that is, as soon as I turn it off, the tomcat6 startpage is perfectly reachable from all computers on the same subnet).

Is this a known bug in Yast or something, that firewall exceptions are not applied to iptables?

Probably not, probably I’m just too stupid to configure it correctly. :slight_smile:
Any help would be greatly appreciated.

Have a wonderful day!

Peter

2

Hi and welcome to the forum :slight_smile:
I normally just add the ports to open via allowed services and select the advanced button to add the port number in the relevant protocol box.

Just check changes are applied via;

iptables -S
3

Agreed; go to ‘Allowed Services’ and then ‘Advanced’ and type 8080 in the
TCP field. DELETE your current rules, as those are wrong; notice you have
a source port specified, so unless your clients happen to use the same
source port as the destination port, it will be blocked.

Other commands to see what iptables is actually doing:

/usr/sbin/iptables -nvL
/usr/sbin/iptables-save
tail -f /var/log/firweall


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

4

[QUOTE=ab;34863]Agreed; go to ‘Allowed Services’ and then ‘Advanced’ and type 8080 in the
TCP field. DELETE your current rules, as those are wrong; notice you have
a source port specified, so unless your clients happen to use the same
source port as the destination port, it will be blocked.

Other commands to see what iptables is actually doing:

/usr/sbin/iptables -nvL
/usr/sbin/iptables-save
tail -f /var/log/firweall

[/QUOTE]

Thanks a lot, your suggestions worked, I can now reach tomcat6 from any computer on my OES2015’s subnet.

I really appreciate that, I’m coming from Windows, but I find learning Linux not too hard because of the good support you get in the community!

Have a nice day!

5

On 10/23/2016 04:54 AM, baedamichi wrote:[color=blue]

Thanks a lot, your suggestions worked, I can now reach tomcat6 from any
computer on my OES2015’s subnet.[/color]

Great to hear; thank-you for posting back your results.
[color=blue]

I really appreciate that, I’m coming from Windows, but I find learning
Linux not too hard because of the good support you get in the
community![/color]

Welcome to the community; I imagine, like mine, it will be a great journey
for the reasons you specified, among others.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…