SLES 11 SP4 how to use SuSEfirewall 'FW_REDIRECT' smartly



sharfuddin
13-Oct-2015, 13:47
For FW_REDIRECT in the /etc/sysconfig/SuSEfirewall configuration file, may we use a file as an argument? E.g., currently FW_REDIRECT is set as:



FW_REDIRECT=" 0/0,0/0,tcp,443,8443 0/0,0/0,tcp,80,8080 0/0,0/0,tcp,289,1289 172.20.17.101/32,0/0,udp,514,1714 172.20.17.102/32,0/0,udp,514,1714 172.20.17.103/32,0/0,udp,514,1714 172.20.17.105/32,0/0,udp,514,1714 172.20.17.106/32,0/0,udp,514,1714 172.20.17.11/32,0/0,udp,514,1614 172.20.17.12/32,0/0,udp,514,1614 172.20.18.12/32,0/0,udp,514,1614 172.20.25.35/32,0/0,udp,514,1614 172.20.18.104/32,0/0,udp,514,1814 0/0,0/0,udp,514,1514"


I would rather like to use:
FW_REDIRECT=/etc/sysconfig/SuSEfirewall.d/aix-servers.txt, /etc/sysconfig/SuSEfirewall.d/cisco-switch-routers.txt, /etc/sysconfig/SuSEfirewall.d/solaris.txt

Is it possible?

Regards,

jmozdzen
13-Oct-2015, 14:01
Hi sharfuddin,

For FW_REDIRECT in the /etc/sysconfig/SuSEfirewall configuration file, may we use a file as an argument? E.g., currently FW_REDIRECT is set as:



FW_REDIRECT=" 0/0,0/0,tcp,443,8443 0/0,0/0,tcp,80,8080 0/0,0/0,tcp,289,1289 172.20.17.101/32,0/0,udp,514,1714 172.20.17.102/32,0/0,udp,514,1714 172.20.17.103/32,0/0,udp,514,1714 172.20.17.105/32,0/0,udp,514,1714 172.20.17.106/32,0/0,udp,514,1714 172.20.17.11/32,0/0,udp,514,1614 172.20.17.12/32,0/0,udp,514,1614 172.20.18.12/32,0/0,udp,514,1614 172.20.25.35/32,0/0,udp,514,1614 172.20.18.104/32,0/0,udp,514,1814 0/0,0/0,udp,514,1514"


I would rather like to use:
FW_REDIRECT=/etc/sysconfig/SuSEfirewall.d/aix-servers.txt, /etc/sysconfig/SuSEfirewall.d/cisco-switch-routers.txt, /etc/sysconfig/SuSEfirewall.d/solaris.txt

Is it possible?

Since that file is actually a bash script, you're free to use any form of command to fill that variable, i.e.:

FW_REDIRECT="$(cat /etc/sysconfig/SuSEfirewall.d/aix-servers.txt
/etc/sysconfig/SuSEfirewall.d/cisco-switch-routers.txt
/etc/sysconfig/SuSEfirewall.d/solaris.txt )"

Regards,
Jens
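
An added example (not from this thread, and not part of SuSEfirewall itself) that takes Jens's `$(cat ...)` idea one step further: because /etc/sysconfig/SuSEfirewall is sourced as shell, anything in those fragment files ends up in the firewall configuration unchecked, so this builds the FW_REDIRECT value while ignoring comments and blank lines and rejecting any entry that is not of the form `src,dst,proto,port,localport` with `tcp`/`udp` and valid port numbers. The fragment file paths are assumptions for the demo.

```shell
# fw_redirect_entry_ok ENTRY
# Returns 0 if ENTRY has the form src,dst,proto,port,localport used by
# SuSEfirewall's FW_REDIRECT, 1 otherwise.
fw_redirect_entry_ok() {
    entry=$1
    # exactly four commas, i.e. five fields
    case $entry in
        *,*,*,*,*,*) return 1 ;;
        *,*,*,*,*) ;;
        *) return 1 ;;
    esac
    oldifs=$IFS; IFS=','; set -f; set -- $entry; set +f; IFS=$oldifs
    src=$1; dst=$2; proto=$3; port=$4; lport=$5
    for net in "$src" "$dst"; do
        case $net in
            '' | *[!0-9./]*) return 1 ;;   # address/prefix: digits, dots, slash only
        esac
    done
    case $proto in tcp | udp) ;; *) return 1 ;; esac
    for p in "$port" "$lport"; do
        case $p in '' | *[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    return 0
}

# build_fw_redirect FILE...
# Reads fragment files (blank lines and '#' comments ignored), prints the
# space-joined FW_REDIRECT value and returns 1 if any entry was malformed,
# so a typo in a fragment fails loudly instead of silently changing the rules.
build_fw_redirect() {
    result=''; bad=0
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            line=${line%%#*}                            # drop trailing comment
            line=$(printf '%s' "$line" | tr -d '[:blank:]')
            [ -n "$line" ] || continue
            if fw_redirect_entry_ok "$line"; then
                result="$result${result:+ }$line"
            else
                printf 'rejected malformed entry in %s: %s\n' "$f" "$line" >&2
                bad=1
            fi
        done < "$f"
    done
    printf '%s\n' "$result"
    return "$bad"
}

# Assumed usage inside /etc/sysconfig/SuSEfirewall (paths are hypothetical):
#   FW_REDIRECT="$(build_fw_redirect /etc/sysconfig/SuSEfirewall.d/*.txt)" || exit 1
```

Run it once by hand before relying on it from the sourced config file, since a `return 1` there will surface as an error from SuSEfirewall2 rather than as a partially applied rule set.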

ab
13-Oct-2015, 14:03
No, not like that at least. You can create files that follow the rest of
the loading to do custom things with iptables commands directly, so you
could probably put your commands into those files and have them run, but
that's not exactly what you requested, though it may give you the same
functionality.

It may help to understand the purpose of your desired change.

--
Good luck.


sharfuddin
13-Oct-2015, 14:56
It's a Sentinel box. We are running multiple syslog servers (UDP), each on a unique port. For AIX we have a syslog server listening on UDP 1614, and for Cisco we have a syslog server listening on UDP 1714, etc.
As AIX, Cisco, Solaris, etc. are sending their logs to UDP 514, to redirect them to their dedicated syslog server I have set the FW_REDIRECT variable:


FW_REDIRECT="172.20.17.101/32,0/0,udp,514,1714 172.30.18.34/32,0/0,udp,514,1614 172.120.88.12/32,0/0,udp,514,1614"


Regards,

sharfuddin
13-Oct-2015, 17:23
Thanks a lot Jens, you made my day ;-)

jmozdzen
13-Oct-2015, 17:54
Hi sharfuddin,

glad to help. Please note that setting such a "value" will likely break YaST integration - IOW calling YaST to show/edit firewall values will probably result in errors and/or mis-filled fields... and potentially results in a borked /etc/sysconfig/SuSEfirewall file as well!

I strongly recommend creating a backup of your config file and trying the YaST route once, to actually see the impact.

Regards,
Jens