
SP2 for SLES11 adds a firewall interface entry



Andy Konecny
24-Nov-2012, 04:44
I've noticed that SP2 for SLES11 system adds an interface entry
Device = Custom string
Interface or String = any
Configured in = External Zone

Does anyone know why that is there and how much a worry is it?
So far I've just removed it as it appears to me to be more a testing
bit that snuck in that mainly serves to confuse, though I see some
value in having that as a catch all.

Anyone else seen this?
I've seen this for both new systems starting at SP2 level and older
systems patched to SP2. So I've only dealt with 64-bit systems and
mostly with OES.


Andy Konecny
KonecnyConsulting.ca in Toronto
----------------------------------------------------------------------
Andy's Profile: http://forums.novell.com/member.php?userid=75037

KBOYLE
24-Nov-2012, 23:54
Andy Konecny wrote:

> I've noticed that SP2 for SLES11 system adds an interface entry
> Device = Custom string
> Interface or String = any
> Configured in = External Zone

Where is this?

I don't see this in my /etc/sysconfig/SuSEfirewall2 config file on my
SLES11-SP2 64 bit system which has been upgraded at least a couple of
times.

There is a comment in one of the backup copies of that file that states:

> The special keyword "any" means that packets arriving on interfaces
> not explicitly configured as int, ext or dmz will be considered
> external. Note: this setting only works for packets destined for the
> local machine. If you want forwarding or masquerading you still have
> to add the external interfaces individually. "any" can be mixed with
> other interface names.

... however that comment is missing from the current config file.


> Does anyone know why that is there and how much a worry is it?

I *assume* it's in there in case additional interfaces are added to the
system so they will automatically be assigned to the "external" zone.

> So far I've just removed it as it appears to me to be more a testing
> bit that snuck in that mainly serves to confuse, though I see some
> value in having that as a catch all.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are using the web interface,
show your appreciation and click on the star below...

Andy Konecny
26-Nov-2012, 18:10
In article <Cecss.485$kX4.461@kozak.provo.novell.com>, Kboyle wrote:
> > I've noticed that SP2 for SLES11 system adds an interface entry
> > Device = Custom string
> > Interface or String = any
> > Configured in = External Zone
>
> Where is this?

As seen in the GUI Firewall app


> I don't see this in my /etc/sysconfig/SuSEfirewall2 config file on my
> SLES11-SP2 64 bit system which has been upgraded at least a couple of
> times.

Comparing before and after removal of that line I see one change in my
config file.
FW_DEV_EXT='any eth0' vs FW_DEV_EXT=''
which is just after the following (still in my production files)


> > The special keyword "any" means that packets arriving on interfaces
> > not explicitly configured as int, ext or dmz will be considered
> > external. Note: this setting only works for packets destined for the
> > local machine. If you want forwarding or masquerading you still have
> > to add the external interfaces individually. "any" can be mixed with
> > other interface names.
>

Ah, that's what I hoped it was, and it is clearly a good thing. I guess
leaving them in is safe then now that I understand this.

Thank you for sharing your knowledge


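An added check, not from this thread or from SuSEfirewall2 itself, that reads the zone variables Andy compared (FW_DEV_EXT='any eth0' before, a value without "any" after) and reports which of a host's interfaces fall into an explicit zone, which are only caught by the "any" keyword, and which end up in no zone at all once "any" is removed. The two config fragments and the interface names are constructed for the example.

```shell
# Two constructed SuSEfirewall2 zone fragments (not real files): the SP2
# default quoted in the thread, and the same file after "any" was removed.
WITH_ANY=$(mktemp); WITHOUT_ANY=$(mktemp)
printf "FW_DEV_EXT='any eth0'\nFW_DEV_INT='eth1'\nFW_DEV_DMZ=''\n" > "$WITH_ANY"
printf "FW_DEV_EXT='eth0'\nFW_DEV_INT='eth1'\nFW_DEV_DMZ=''\n" > "$WITHOUT_ANY"

# Print the unquoted value of sysconfig variable $2 from file $1
# (handles VAR='a b', VAR="a b" and VAR=; the last assignment wins).
zone_devs() {
    sed -n "s/^$2=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# For each interface named in $2 (space-separated; on a live host the caller
# would build this list from "ip -o link"), print "<iface> <zone>".  An
# interface in no zone is reported as "external(any)" when FW_DEV_EXT
# contains the "any" keyword, which per the config comment quoted above
# only covers packets addressed to the host itself, and as "unzoned"
# otherwise.
audit_zones() {
    cfg=$1; ifaces=$2
    ext=$(zone_devs "$cfg" FW_DEV_EXT)
    int=$(zone_devs "$cfg" FW_DEV_INT)
    dmz=$(zone_devs "$cfg" FW_DEV_DMZ)
    has_any=0
    for d in $ext; do [ "$d" = any ] && has_any=1; done
    for i in $ifaces; do
        zone=unzoned
        for d in $int; do [ "$d" = "$i" ] && zone=internal; done
        for d in $dmz; do [ "$d" = "$i" ] && zone=dmz; done
        for d in $ext; do [ "$d" = "$i" ] && zone=external; done
        if [ "$zone" = unzoned ] && [ "$has_any" -eq 1 ]; then
            zone='external(any)'
        fi
        printf '%s %s\n' "$i" "$zone"
    done
}

# Demo: eth2 stands in for a newly added interface listed in neither file.
echo "== with 'any' =="; audit_zones "$WITH_ANY" "eth0 eth1 eth2"
echo "== without 'any' =="; audit_zones "$WITHOUT_ANY" "eth0 eth1 eth2"
```

Run it against a real /etc/sysconfig/SuSEfirewall2 and the host's interface list to see whether any interface would be left unzoned after editing FW_DEV_EXT.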

KBOYLE
26-Nov-2012, 18:26
Andy Konecny wrote:

> As seen in the GUI Firewall app

While the GUI makes changes easier in many cases, it does not always
allow all settings to be configured.

/etc/sysconfig/SuSEfirewall2 explains what each setting does. I prefer
to edit this file directly as it provides much more control over my
firewall configuration.

By the way, thank you for sharing *your* knowledge. The Knowledge
Partners have noticed your many responses to users' requests for
assistance in various forums. We do appreciate the assistance you
provide. Keep up the good work!


Andy Konecny
27-Nov-2012, 20:34
In article <1DNss.1611$Ix6.1506@kovat.provo.novell.com>, Kboyle wrote:
> While the GUI makes changes easier in many cases, it does not always
> allow all settings to be configured.
Oh yes, I know that, but if the GUI gets all I need done, why spend the
extra time getting up to speed on yet another config file when there are
so many I already have to know well? Kind of like the decision to
automate a one-off task: usually not an efficient use of effort.

> /etc/sysconfig/SuSEfirewall2 explains what each setting does. I prefer
> to edit this file directly as it provides much more control over my
> firewall configuration.
Once I've gotten to understand a given config file I tend to be the
same, just haven't had sufficient need in this case yet.

>
> By the way, thank you for sharing *your* knowledge. The Knowledge
> Partners have noticed your many responses to user's requests for
> assistance in various forums. We do appreciate the assistance you
> provide. Keep up the good work!
>
Well, I have always found I learn best by helping others, and these
forums have been a great way to do that since I first discovered them
(back when at least the Novell side was on CompuServe).
I see that the SUSE and NetIQ forums now have separate profiles from
the ones under Novell, so I guess it is time to refresh myself with that process.

