Printer, printer setup, multifunction printer, HP laserjet



hcp_dk
16-Feb-2017, 12:49
I use different printers:
DELL 3100CN via LAN - no problem at all. The Dell is very easy to get working.

HP LaserJet 700 MFP 775dn: multifunction document center, runs via LAN. This has been a nightmare for weeks.
I had tried different drivers. SUSE support tried to help, HP support tried to help....
I found out the printer works fine with USB. So the driver must be OK.

The trick (this is valid for many HP printers and other modern printers with communication) is here:


http://hplipopensource.com/node/375

OpenSUSE

Avahi
Go to Yast Control Center and click on Firewall.
Select Allowed Services on left hand side pane.
Click on Service to Allow drop down which will show list of services we can enable using this firewall utility.
To allow avahi to discover the devices through the hp-setup utility, select Zeroconf/Bonjour Multicast DNS, select Add from the drop down and click on Next at the bottom right corner.
The openSUSE Firewall utility will display the Firewall Configuration Summary. Click on Finish to complete the process.

mDNS/Bonjour
Go to Yast Control Center and click on Firewall.
Select Custom Rules on left pane, select Zone as External and then select Add at the bottom. A pop up will appear. Provide the values of the parameters as: Source Network 0/0, Protocol UDP, Ports 5353
Click on Add at the bottom right.
The openSUSE firewall utility will display the Firewall Configuration Summary. Click on Finish to complete the process.

SLP
Go to Yast Control Center and click on Firewall.
Select Custom Rules on left pane, select Zone as External and then select Add at the bottom. A pop up will appear. Provide the values of the parameters as: Source Network 0/0, Protocol UDP, Ports 427
Click on Add at the bottom right.
The openSUSE firewall utility will display the Firewall Configuration Summary. Click on Finish to complete the process.

Open these ports in the internal zone and the printer works.
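The HPLIP steps above open UDP 5353 (mDNS) and UDP 427 (SLP) so that hp-setup can discover the printer. As an added example (written for this page; it is not code from the post, from HPLIP or from avahi), here is the mDNS half of that exchange in Python: it builds the PTR query avahi/HPLIP send for the printer service types, multicasts it, and parses the PTR, SRV and A records a printer answers with. The service types, the 224.0.0.251:5353 group and the record layout are the standard ones; the printer instance name, the hostname and the sample reply itself are constructed for illustration (the 10.0.25.26 address is the one the thread later gives for the LaserJet). The reason the firewall hole is needed is visible in discover(): a reply to a normal multicast query is itself multicast to port 5353 rather than returned to the querier's source port, so the conntrack ESTABLISHED rule never matches it and inbound UDP 5353 has to be accepted explicitly.

```python
import socket, struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
PTR, SRV, A = 12, 33, 1
# Service types avahi/HPLIP browse for when looking for network printers.
SERVICE_TYPES = ("_ipp._tcp.local", "_printer._tcp.local", "_pdl-datastream._tcp.local")

def encode_name(name):
    """DNS wire format: length-prefixed labels plus a zero terminator."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".")) + b"\x00"

def decode_name(pkt, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:                       # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), end if jumped else off

def build_ptr_query(service_types):
    """One standard (QM) mDNS query, id 0, with a PTR question per service type."""
    header = struct.pack("!HHHHHH", 0, 0, len(service_types), 0, 0, 0)
    return header + b"".join(encode_name(s) + struct.pack("!HH", PTR, 1) for s in service_types)

def parse_response(pkt):
    """Return [(name, rtype, value)] for every answer/authority/additional record."""
    _id, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):                             # skip echoed questions
        off = decode_name(pkt, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == PTR:
            value = decode_name(pkt, off)[0]
        elif rtype == SRV:                          # priority, weight, port, target
            value = (decode_name(pkt, off + 6)[0], struct.unpack("!HHH", pkt[off:off + 6])[2])
        elif rtype == A and rdlen == 4:
            value = socket.inet_ntoa(pkt[off:off + 4])
        else:
            value = pkt[off:off + rdlen]
        records.append((name, rtype, value))
        off += rdlen
    return records

def printers_from_records(records):
    """Join PTR -> SRV -> A into (instance, host, port, ip); ip is None without an A record."""
    srv = {n: v for n, t, v in records if t == SRV}
    addr = {n: v for n, t, v in records if t == A}
    return [(v, srv[v][0], srv[v][1], addr.get(srv[v][0]))
            for n, t, v in records if t == PTR and v in srv]

def discover(timeout=2.0):
    """Multicast the query and collect replies for `timeout` seconds. Replies to a QM query
    go to 224.0.0.251:5353, not to our source port, so conntrack's ESTABLISHED rule never
    matches them: inbound UDP 5353 must be accepted explicitly (the HPLIP page's mDNS step)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # share 5353 with avahi-daemon
    sock.bind(("", MDNS_PORT))
    mreq = socket.inet_aton(MDNS_GROUP) + socket.inet_aton("0.0.0.0")
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(SERVICE_TYPES), (MDNS_GROUP, MDNS_PORT))
    records = []
    try:
        while True:
            pkt = sock.recvfrom(9000)[0]
            try:
                records.extend(parse_response(pkt))
            except (struct.error, IndexError):     # malformed packet: skip it
                pass
    except socket.timeout:
        pass
    finally:
        sock.close()
    return printers_from_records(records)

def build_sample_response():
    """Constructed reply (not captured from a real printer): PTR answer plus SRV and A additionals."""
    inst, host = "HP LaserJet 700 MFP 775dn._ipp._tcp.local", "printer.local"
    rr = lambda n, t, rd: encode_name(n) + struct.pack("!HHIH", t, 0x8001, 4500, len(rd)) + rd
    return (struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 2)
            + rr("_ipp._tcp.local", PTR, encode_name(inst))
            + rr(inst, SRV, struct.pack("!HHH", 0, 0, 631) + encode_name(host))
            + rr(host, A, socket.inet_aton("10.0.25.26")))

if __name__ == "__main__":
    for instance, host, port, ip in discover():
        print(f"{instance} -> {host}:{port} ({ip})")
```

If binding port 5353 fails, run it as root or with avahi-daemon stopped; SO_REUSEADDR lets it share the port with avahi on Linux, but the daemon may still consume some replies. The SLP step (UDP 427) is a separate protocol and is not covered here; the same firewall reasoning applies to it.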

KBOYLE
16-Feb-2017, 16:41
hcp dk wrote:

> The trick (this is valid for many HP printer and other modern printer
> with communication)
>
> is here:
>
>
> http://hplipopensource.com/node/375
>

Different protocols use different ports. If your firewalls
(workstations and/or servers) block these ports, communication fails
and things don't work.

This is a good reminder for those who may have forgotten to check...


--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

hcp_dk
19-Feb-2017, 22:33
Yes, but I'm only a user. SUSE Service and HP Service have not been able to find the solution. However: I still have a problem:

a) printer: DELL - no issues at all
b) HP LaserJet 700 MFP 755 from Windows: no problem anywhere in the network (5 min setup, ready). Access via LAN solved as I wrote here (from SLES + WE). At least it seems to work.

Problem: setup on the SLED laptop is the same as on SLES.
Connection via WLAN, ASUS RT-AC66U as access point. But I can see that HPLIP has problems getting communication in place. Some data are not available, printing is not possible.

How to solve it?

malcolmlewis
20-Feb-2017, 14:42
> Yes, but I'm only a user. SUSE Service and HP Service have not been able to find the solution. However: I still have a problem:
>
> a) printer: DELL - no issues at all
> b) HP LaserJet 700 MFP 755 from Windows: no problem anywhere in the network (5 min setup, ready). Access via LAN solved as I wrote here (from SLES + WE). At least it seems to work.
>
> Problem: setup on the SLED laptop is the same as on SLES.
> Connection via WLAN, ASUS RT-AC66U as access point. But I can see that HPLIP has problems getting communication in place. Some data are not available, printing is not possible.
>
> How to solve it?
Hi
Is the cups service enabled and running on SLED?


systemctl status cups
systemctl start cups
systemctl status cups

hp-setup -i <ip_address_of_printer>

hcp_dk
20-Feb-2017, 22:45
Hi, yes, it is running. The problem is open ports. The Dell printer works fine.
HP demands more open ports. HPLIP should either open the ports, maybe asking first, or at least make clear that the ports are not open.
I checked the router, but the router is open.
I think I found it out. But I need to test tomorrow.

malcolmlewis
20-Feb-2017, 23:13
> Hi, yes, it is running. The problem is open ports. The Dell printer works fine.
> HP demands more open ports. HPLIP should either open the ports, maybe asking first, or at least make clear that the ports are not open.
> I checked the router, but the router is open.
> I think I found it out. But I need to test tomorrow.
Hi
Maybe Zeroconf/Bonjour in YaST Firewall under Allowed Services, but by default I've never had to open a port from a desktop to access an HP printer; I just add it via hostname/IP address, which I usually add to my hosts file.

hcp_dk
21-Feb-2017, 15:49
Yes, my Dell needs neither. But all new HP printers, typically document centers, LaserJet series, need these ports and are quite difficult to get handled. Only via HPLIP and manual adaptation.

KBOYLE
21-Feb-2017, 17:55
hcp dk wrote:

>
> Yes, my Dell do need neither. But all new HP printer, typical document
> center, LaserJet Series need these ports and are quite difficult to
> get handled. Only via HPLIP and manual adaption.

I have again read this thread. Please confirm:
- Your Dell and HP printers are network connected.
- You can print from your workstation to your Dell printer.
- You can't print from your workstation to your HP printer.
- You *can* print to your HP printer when it is connected via USB.
- You *think* the issue is caused by required ports being blocked.


Some more details would be helpful.
- Are your workstation and printer(s) on the same subnet?
- Do you have any port conflicts, perhaps between the two printers?
- Are there other firewalls or routers between your workstation and
your printers?

Have you tried to shutdown your workstation firewall just to eliminate
that as the cause of the problem?

Is your printer configured correctly?
- Valid IP address, Subnet mask, default gateway?
- Are you using a static IP address or DHCP?
- If you are using DHCP, where is the DHCP server?
- Can you ping your printer?

Please report back what you learn.


hcp_dk
25-Feb-2017, 12:15
Hi, thanks for your effort. I have worked with it more - and HP and SUSE would like to know what the problem is :-)

Let's count together:
All printers are network connected.
They are all in the same subnet, even connected via a Zyxel switch. It's an AD Windows domain.
The firewall is outside - a Trustgate. Even the WLAN is access point only.
I set up the open ports according to HP. I think I wrote about this note?
Static IP for printer and server, rest DHCP via Trustgate, AD server.
I can ping the printer, see the printer....


I can print
- via USB
- via Windows in a KVM virtual box !!
- on Dell printer
- sometimes - randomly it happens

I can't print on HP LaserJet
- from SLED
- from SLES
- from Leap 42.1 (tried yesterday)
The analysis shows the print file is not sent completely - only a part of it. That I can show (SUSE service supported here).

hcp_dk
25-Feb-2017, 12:31
I just did as suggested and disabled the firewall:
SLES: no change, doesn't print
SLED: printing fine, even after reboot

Then I tried to enable the firewall again:
[screenshot attachment: warning that another firewall is active]

As you can see, there is another firewall in the system I have no idea about.
How can I find out what that is?

malcolmlewis
25-Feb-2017, 15:54
Hi
So what system is the 'other' firewall running on, SLES or SLED?

Hard to say; you would need to ask the person who set up the system, look at ps -ef output or list the systemd services.

KBOYLE
25-Feb-2017, 19:43
> I just did as suggested and disabled the firewall:
Let's look at the results:

> SLED: printing fine, even after reboot
Summary:

When the firewall is enabled, it doesn't print.
When the firewall is disabled, it does print.

This tells me it's a SLED firewall issue. The firewall is blocking traffic on required ports.

Check the firewall configuration.
Verify that all required ports are configured correctly.

I would work on this first as it appears to be the easiest to resolve and what you learn here will help in resolving your SLES issues.

Remember to restart the firewall service after making changes.


> SLES: no change, doesn't print
I assume the message about "Another Firewall Active" is from SLES?

I suspect the "other" firewall, whatever it may be, is still blocking the ports needed for printing.

FYI, here's a brief description how your firewall configuration is implemented.


When you use YaST Firewall, it saves the configuration in /etc/sysconfig/SuSEfirewall2.
If you prefer and if you know what you are doing, you can use a text editor to change /etc/sysconfig/SuSEfirewall2 yourself.
When you start the firewall (rcSuSEfirewall2 start) the configuration is read from /etc/sysconfig/SuSEfirewall2 and used to create a set of "iptables" rules.
These rules are what really control access to your system.
When you stop the firewall (rcSuSEfirewall2 stop) the rules are removed from "iptables".


When there is no firewall active, this is what you should see:

server:~ # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
server:~ #

Please run these commands on your SLES system so we can see what might still be blocked after your firewall is shut down.

server:~ # rcSuSEfirewall2 stop
server:~ # iptables -L


Please reply and paste the output from the commands between code tags. Use the "#" at the top of the posting box.

...Awaiting your reply.

hcp_dk
02-Mar-2017, 09:20
Hi
thanks for the reply and info. I have been very busy the last few days and had no time to do much more than work.
OK. I did this on the SLES + WE system.



linuxSLES:/etc/sysconfig # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate RELATED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain forward_ext (0 references)
target prot opt source destination

Chain forward_int (0 references)
target prot opt source destination

Chain input_ext (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:mdns
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:bootps
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- anywhere anywhere udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:bootps
LOG udp -- anywhere anywhere udp spt:svrloc dpt:svrloc ctstate NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC "
ACCEPT udp -- anywhere anywhere udp spt:svrloc dpt:svrloc
LOG udp -- anywhere anywhere udp spt:mdns dpt:mdns ctstate NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC "
ACCEPT udp -- anywhere anywhere udp spt:mdns dpt:mdns
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 ctstate NEW LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP all -- anywhere anywhere

Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain reject_func (0 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
linuxSLES:/etc/sysconfig # rcSuSEfirewall2 stop
linuxSLES:/etc/sysconfig # iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
linuxSLES:/etc/sysconfig #

I made some analysis of ports with nmap, both for TCP and UDP. I can't see any open port 9100 for the SLES. But the printer has open ports.

I can send the results - but per mail since these are many print screens.

KBOYLE
02-Mar-2017, 18:12
> I did this on the SLES + WE system.

What do you mean by "+ WE"?

Here's what I see:

> Chain INPUT (policy DROP)
> Chain FORWARD (policy DROP)
When the firewall is enabled, these directives cause all packets to be DROPped unless there are exceptions configured and I don't see any configured exceptions so I'm not surprised that the ports you need for printing are blocked.


> linuxSLES:/etc/sysconfig # rcSuSEfirewall2 stop
> linuxSLES:/etc/sysconfig # iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> linuxSLES:/etc/sysconfig #

This shows that when you stopped your firewall, all packets are ACCEPTed so there should be no ports that are blocked.

Based on the information you provided:

Printing should work when the firewall is disabled.
Printing should not work when the firewall is enabled.


But... you say you still can't print when the firewall is disabled so we have to keep looking.

In your post on 2017-02-25 you say:

> As you can see, there is another firewall in the system I have no idea about.
> How can I find out what that is?

Is the message you posted on 2017-02-25 from SLES or SLED?
Did you click on "Continue" after reading the warning? I assume you did?

If it is from your SLES system,

What additional non-SUSE software has been installed on the system?
What additional device drivers have been installed on the system?

KBOYLE
02-Mar-2017, 18:22
> I just did as suggested and disabled the firewall:
> SLES: no change, doesn't print
> SLED: printing fine, even after reboot

SLED:

Have you opened the required ports in your firewall?
Is printing from SLED now working?



> Then I tried to enable the firewall again:
Is that message from SLES or SLED?

malcolmlewis
02-Mar-2017, 18:24
On Thu 02 Mar 2017 05:14:01 PM CST, KBOYLE wrote:

> hcp_dk;36850 Wrote:
> > I did this on the SLES + WE system.
>
> What do you mean by "+ WE"?

Hi
The new SLE acronym; W(orkstation) E(xtension)....

--
Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
openSUSE Leap 42.1|GNOME 3.16.2|4.1.36-44-default
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below... Thanks!

hcp_dk
02-Mar-2017, 18:43
Oh yes, I can see I'm still not good enough to interpret the messages (but getting better :-) ).

See: I have SLED and SLES with Workstation Extension. It is basically SLED running on SLES.
The firewall has not been modified.
As tested, when the firewall is disabled it worked one day (see some answers before).

Since SUSE does not supply sufficient software, I used the Leap 42.2 repository (same kernel) to get the few programs I need for work:
Shutter (really good program)
FreeCad (3D Cad software)
Adobe Flash
Teamviewer - needed to help my 80-year-old parents remotely with their PC :-)
Acrobat Reader (only needed for some prints with several layers)
VLC player (needed for any play of multimedia)
BleachBit (HD cleaning program)
Skype
Driver for Dell Printer

hcp_dk
02-Mar-2017, 18:50
I have exactly the same "DROP" in the firewall on SLED (meaning both on SLES and SLED).
So either there is software that changes the firewall or there was a failure already when the system was installed.

I can't print with the firewall.
How can I change this "chain DROP"?

hcp_dk
02-Mar-2017, 19:51
I would like to change this setup. See here:
http://unix.stackexchange.com/questions/227972/how-to-set-up-a-clear-suse-firewall
...seems I'm not the only one who faces this problem?

https://www.suse.com/communities/blog/basic-iptables-tutorial/
Using this tutorial I can open the firewall using

linux-w2mu:~ # iptables -P INPUT ACCEPT

Then,

# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate ESTABLISHED
ACCEPT icmp -- anywhere anywhere ctstate RELATED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP all -- anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Ports are open.
But I can't print from SLES anyway, and it seems as soon as I touch the YaST Firewall GUI or restart the firewall, the old setup comes up.

KBOYLE
02-Mar-2017, 22:56
> See: I have SLED and SLES with Workstation Extension. It is basically SLED running on SLES.
> The firewall has not been modified.
> As tested, when the firewall is disabled it worked one day (see some answers before).


If you can print to your HP printer from SLES and SLED when the firewall is disabled, then this is just a firewall issue.

When your firewall is enabled, it blocks (almost) everything. This is normal.
You have to configure the firewall to permit communication

on specific ports
between specific sources and destinations
etc.


As I suggested in an earlier post:

Find out what ports need to be open to print to your HP Printer
Using YaST - Firewall, open the necessary ports.


After you have configured your firewall, please confirm you can print to your HP printer from your SLED system with the firewall enabled.

KBOYLE
02-Mar-2017, 23:54
> it seems as soon as I touch the YaST Firewall GUI or restart the firewall, the old setup comes up.

That is normal. In a previous post I said:


> FYI, here's a brief description how your firewall configuration is implemented.
>
> When you use YaST Firewall, it saves the configuration in /etc/sysconfig/SuSEfirewall2.
> If you prefer and if you know what you are doing, you can use a text editor to change /etc/sysconfig/SuSEfirewall2 yourself.
> When you start the firewall (rcSuSEfirewall2 start) the configuration is read from /etc/sysconfig/SuSEfirewall2 and used to create a set of "iptables" rules.
> These rules are what really control access to your system.
> When you stop the firewall (rcSuSEfirewall2 stop) the rules are removed from "iptables".



When troubleshooting, it is important to change only one thing at a time and observe how it affects everything!

Forget about iptables. I only mentioned it because it was an easy way to see what directives were in effect. If you need to configure your firewall, use YaST - Firewall.

Things are becoming way too complicated. I can't follow what changes you are making and I don't know which system you are changing.

In another post I suggested that we get things working from your SLED system first. That is your laptop, is it not? You said you can print when the firewall is disabled but not when it is enabled. That suggests it is a simple firewall issue.

Find out what ports need to be open to print to your HP printer. Please tell us.
Use YaST - Firewall to open the appropriate ports.


Once you have this part working, we can continue looking at other issues.

hcp_dk
05-Mar-2017, 19:56
The problem is: sometimes the printer works. It can happen that I change e.g. the firewall and the printer works, but not the next day with the same setup.
It is not stable.

Further, the DELL printer always prints, independent of what I do. Only the HP printer is a problem.

I made several tests at the weekend. The printer itself mentions in the display that the print file is not completely sent.
I tested with and without firewall,
with different print drivers,
different setups.

All that is collected in a file to get a better description and systematic overview.
For me, it is quite confusing.
I made several dumps too, showing the LAN traffic. I can upload them too - matching the document attached here.

hcp_dk
06-Mar-2017, 07:44
I tested this morning.

Same PC as before, firewall on.
Used my KVM virtual machine on this PC and started Win10 on it,
installed the HP LaserJet automatically and printed from Win10 via SUSE on the HP LaserJet
successfully.

KBOYLE
07-Mar-2017, 00:58
> I made several tests at the weekend. The printer itself mentions in the display that the print file is not completely sent.
> I tested with and without firewall.

I looked at the PDF file you provided. On Page 3, I see this:

linuxSLES:/home/hans-christoph # snmpwalk -Os -c public -v 1 10.0.25.26
1.3.6.1.4.1.11.2.3.9.1.1.7.0

Please answer these questions:

Is "LinuxSLES" your server?
I thought we were going to get this working on your SLED system first?
Are you able to print from SLED to the HP printer with your firewall enabled?
Please confirm: SLED is running on your laptop?


In another post, you said:

> The firewall is outside - a Trustgate. Even the WLAN is access point only.

The firewall screen shots show both an internal and an external interface.

What system was this screen shot taken on?
Why does it have multiple interfaces when you said you are using an external firewall?
Please provide the IP addresses for each interface.
Did you run the five Tests from your SLES or your SLED system?


On Page 3 of the PDF, where it says "open ports manuell:", you show the Custom Allowed Rules. They are not configured correctly!

The source network should not be "0/0" (any network). Since your printing is between devices on your LAN, the source network should be your LAN. Example: 192.168.1.0/24.
Do not configure a Source Port. Source ports usually cannot be predicted. If you do configure one, all traffic will likely be blocked because the actual source port will not match the one you specified.


Please correct your firewall configuration and provide the requested information.
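Kevin's two points about the Custom Rules (source network 0/0 where it should be the LAN, and a source port that must not be set), together with his earlier description of how YaST writes /etc/sysconfig/SuSEfirewall2 and SuSEfirewall2 turns it into iptables rules, can be checked mechanically. The following is an added example, written for this page and not part of the thread or of SuSEfirewall2 itself: it parses the FW_SERVICES_ACCEPT_<ZONE> items YaST stores Custom Rules as (syntax net,proto[,dport[,sport[,flags]]], the format SuSEfirewall2 documents for that variable), maps interfaces to zones, renders the equivalent ACCEPT rule in the zone's input chain, flags the two mistakes and prints the corrected item. SAMPLE is a constructed excerpt that mirrors the thread (UDP 5353 and 427 from 0/0, the 427 rule with a source port, as the posted "spt:svrloc dpt:svrloc" rule shows; NICs in the internal zone); the 10.0.25.0/24 LAN is taken from the addresses the poster gives. The zone map also shows why the custom rules were never the blocker here: they land in input_ext, but with eth0 and wlan0 in FW_DEV_INT all inbound traffic goes through input_int, which the posted iptables output shows accepting everything.

```python
import ipaddress
import re
import shlex

ZONES = ("EXT", "INT", "DMZ")
ZONE_CHAIN = {"EXT": "input_ext", "INT": "input_int", "DMZ": "input_dmz"}
ANY_NET = ("0/0", "0.0.0.0/0")

def parse_sysconfig(text):
    """Collect FW_* assignments from SuSEfirewall2 sysconfig text (one shell-quoted value per line)."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(FW_[A-Z0-9_]+)=(.*)$", line)
        if m:
            cfg[m.group(1)] = " ".join(shlex.split(m.group(2), comments=True))
    return cfg

def interface_zones(cfg):
    """Map every interface listed in FW_DEV_EXT/INT/DMZ to its zone; that zone's chain filters its traffic."""
    return {dev: zone for zone in ZONES for dev in cfg.get("FW_DEV_" + zone, "").split()}

def parse_accept_rules(value):
    """FW_SERVICES_ACCEPT_* item syntax: net,proto[,dport[,sport[,flags]]] (flags may contain commas)."""
    rules = []
    for item in value.split():
        f = item.split(",")
        f += [""] * (4 - len(f))
        rules.append({"net": f[0], "proto": f[1], "dport": f[2], "sport": f[3],
                      "flags": ",".join(f[4:])})
    return rules

def render(rule):
    """Back to item syntax, dropping empty trailing fields."""
    fields = [rule[k] for k in ("net", "proto", "dport", "sport", "flags")]
    while fields and fields[-1] == "":
        fields.pop()
    return ",".join(fields)

def lint(rule, zone, lan):
    """The two mistakes from the thread: 0/0 source on a LAN-printing rule, and a fixed source port."""
    findings = []
    if rule["net"] in ANY_NET:
        if zone != "INT":
            findings.append(f"source 0/0 opens the port to every host; LAN-only printing needs {lan}")
    else:
        try:
            ipaddress.ip_network(rule["net"], strict=False)
        except ValueError:
            findings.append(f"{rule['net']!r} is not a valid source network")
    if rule["sport"]:
        findings.append(f"source port {rule['sport']} is fixed, but clients use ephemeral ports; drop it")
    return findings

def to_iptables(rule, zone):
    """The ACCEPT rule SuSEfirewall2 emits in the zone's input chain (it prepends a rate-limited LOG rule too)."""
    parts = ["iptables", "-A", ZONE_CHAIN[zone]]
    for flag, key in (("-s", "net"), ("-p", "proto"), ("--dport", "dport"), ("--sport", "sport")):
        if rule[key] and not (key == "net" and rule[key] in ANY_NET):
            parts += [flag, rule[key]]
    return " ".join(parts + ["-j", "ACCEPT"])

def corrected(rule, lan):
    """Apply the two fixes: pin the source to the LAN and clear the source port."""
    fixed = dict(rule, sport="")
    if fixed["net"] in ANY_NET:
        fixed["net"] = str(lan)
    return fixed

def audit_config(text, lan):
    """[(zone, item, findings, iptables_equivalent, corrected_item)] for every FW_SERVICES_ACCEPT_* rule."""
    lan = ipaddress.ip_network(lan)
    cfg = parse_sysconfig(text)
    return [(zone, render(r), lint(r, zone, lan), to_iptables(r, zone), render(corrected(r, lan)))
            for zone in ZONES
            for r in parse_accept_rules(cfg.get("FW_SERVICES_ACCEPT_" + zone, ""))]

# Constructed excerpt (not the poster's real file): the thread's custom rules, source 0/0 on
# UDP 5353 and 427, the second one also carrying the source-port mistake; NICs in the int zone.
SAMPLE = """
FW_DEV_EXT=""
FW_DEV_INT="eth0 wlan0 wwan0"
FW_SERVICES_ACCEPT_EXT="0/0,udp,5353 0/0,udp,427,427"
FW_SERVICES_ACCEPT_INT=""
"""

if __name__ == "__main__":
    print("interface zones:", interface_zones(parse_sysconfig(SAMPLE)))
    for zone, item, findings, cmd, fixed in audit_config(SAMPLE, "10.0.25.0/24"):
        print(f"[{zone}] {item}\n  -> {cmd}\n  fixed: {fixed}")
        for finding in findings:
            print("  !", finding)
```

To run it against a real system, pass the contents of /etc/sysconfig/SuSEfirewall2 to audit_config() with your own LAN prefix; the rendered iptables lines are for comparison with `iptables -L -n`, not for pasting in, since YaST and rcSuSEfirewall2 restart will overwrite hand-made rules, as the thread observes.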

hcp_dk
07-Mar-2017, 21:07
Hi Kevin,
first of all, thanks for the support and engagement.

I have SLED (laptop) and SLES + Workstation Extension on a PC. SLES to see how that works. I agree, we'll stick to SLES since both systems, even though very alike, seem to act differently.
SLES is on LAN.
The server is a Windows Server 2008 - Active Directory domain. SLES works as a desktop.

I tried and tested in the beginning from both systems, since they should be alike. I found out that it might work one day or hour once, but not later. Why, I don't know.
In general, I can't print stably from a Linux system on the HP LaserJet.
(Just as a note: I have another PC with Leap 42.1. Here I can't print either.)

The whole system is like: 100 Mbit/s WAN - modem - Trustgate (DHCP) - Asus WLAN access point;
from here WLAN and LAN to the whole system.

Since all printers etc. are in the "internal system", the Trustgate firewall is not important.
All screenshots are from the SLES system, from what is here called the internal zone and the external zone. The network card is in the internal zone. The SUSE firewall provides these zones by default: internal zone and external zone.
All data and screenshots come from SLES.

The Trustgate has IP 10.0.25.1
Win Server IP 10.0.25.4
HP LaserJet IP 10.0.25.26
SLES has a dynamic address obtained from the DHCP server.

I made a check of all ports via nmap.
I made 7 tests (I'll send a link later where I showed I can print from the KVM virtual machine and Windows 10 via SLES to the HP LaserJet).
I made LAN dumps for all tests.
The printer shows: not all data arrived at the printer.

Custom rules:
On the HPLIP website HP suggests opening some ports manually to solve possible issues. I put the links here too. I followed that.
http://hplipopensource.com/node/216 and
http://hplipopensource.com/node/375
Maybe you can help me to set these rules correctly?

I'll try to correct the port information as mentioned.
thanks for support

KBOYLE
07-Mar-2017, 21:43
> I have SLED (laptop) and SLES + Workstation Extension on a PC. SLES to see how that works. I agree, we'll stick to SLES since both systems, even though very alike, seem to act differently.

I suggested you try to get printing working on your SLED desktop/laptop first.

You said that you can print to the HP printer from your laptop when the firewall is disabled so this should be a simple firewall configuration issue.

In my previous post I pointed out some firewall configuration issues which should be easy to correct. Printing should work once your firewall is configured correctly.

Once you can print from your laptop, you will know what the correct firewall settings are. You can then use the same settings on your SLES system. That may not be enough to let you print from your SLES system because I suspect there may be other configuration issues we will need to look at.

Are you okay with this approach?

KBOYLE
07-Mar-2017, 23:07
> Since all printers etc. are in the "internal system", the Trustgate firewall is not important.

Okay, for now we will ignore the Trustgate firewall.


> The SUSE firewall provides these zones by default: internal zone and external zone.

Let's look a little closer at this:

The external zone is considered unsafe. Traffic to and from this zone is blocked by default. Exceptions are needed to permit traffic.
The internal zone is considered safe. Traffic to and from this zone is permitted by default.



You said:

> The network card is in the internal zone.

To simplify the firewall configuration each interface, Network Interface Card (NIC), is assigned to a zone. While a zone can have multiple NICs assigned to it, if you only have one NIC, how can you have both an internal and an external zone?

Please refer to the SUSE Linux Enterprise Server 11 SP4 Security Guide
15.3. Firewalling Basics (https://www.suse.com/documentation/sles11/singlehtml/book_security/book_security.html#sec.fire.fw)


> Maybe you can help me to set these rules correctly?
I'm trying!:o

hcp_dk
09-Mar-2017, 13:52
Hi Kevin,

acc. to documentation, in the internal zone all ports are open. [screenshot attachment]
The NIC is in the internal zone.
That means all ports should be open.

Why can I print via KVM and Win10, not via SUSE?
Why is the whole file not sent?

KBOYLE
09-Mar-2017, 18:28
> Hi Kevin,
>
> acc. to documentation, in the internal zone all ports are open.
> The NIC is in the internal zone.
> That means all ports should be open.

I agree with your conclusion!


> Why can I print via KVM and Win10, not via SUSE?
> Why is the whole file not sent?

That is what we are trying to find out.

You have two systems with printing issues: SLES (your server) and SLED (your laptop).
They both may or may not suffer from the same issue. That is still to be determined.
To simplify troubleshooting, we should not make assumptions. We need to verify everything.
When you provide additional information, please be sure to specify where the information was obtained (server or laptop).
Because you said you can print from your laptop when the firewall is disabled, it appears there is a firewall issue that should be easy to resolve. That is why I would like to resolve your laptop printing issue first.

Please post the output from these commands:

Run them on your laptop.
When posting the results, please use code tags: ("#").


cat /etc/*release
ifconfig
cat /etc/sysconfig/SuSEfirewall2

hcp_dk
09-Mar-2017, 21:26
Hi Kevin,

These data are now from Laptop. Both SLES, SLED

cat /etc/*release


NAME="SLED"
VERSION="12-SP2"
VERSION_ID="12.2"
PRETTY_NAME="SUSE Linux Enterprise Desktop 12 SP2"
ID="sled"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sled:12:sp2"
SUSE Linux Enterprise Desktop 12 (x86_64)
VERSION = 12
PATCHLEVEL = 2
# This file is deprecated and will be removed in a future service pack or release.
# Please check /etc/os-release for details about this release.


ifconfig

SLEDLaptop:/home/hans-christoph # ifconfig
eth0 Link encap:Ethernet HWaddr C4:7D:46:1E:6A:67
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Interrupt:16 Memory:b1200000-b1220000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:237 errors:0 dropped:0 overruns:0 frame:0
TX packets:237 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:42224 (41.2 Kb) TX bytes:42224 (41.2 Kb)

virbr0 Link encap:Ethernet HWaddr 52:54:00:94:74:BC
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

wlan0 Link encap:Ethernet HWaddr A4:34:D9:D7:ED:71
inet addr:10.0.25.147 Bcast:10.0.25.255 Mask:255.255.255.0
inet6 addr: fe80::a634:d9ff:fed7:ed71/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:107089 errors:0 dropped:0 overruns:0 frame:0
TX packets:46230 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:147963529 (141.1 Mb) TX bytes:5659802 (5.3 Mb)

I have installed KVM (virtual machine) on the laptop too because I use Win10 for special engineering software within SUSE. virbr0 is the LAN bridge to the virtual machine.


SLEDLaptop:/home/hans-christoph # cat /etc/sysconfig/SuSEfirewall2
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany
# Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany
# Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany
#
# Author: Marc Heuse, 2002
# Ludwig Nussel, 2004-2011
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 3.6
#
# ------------------------------------------------------------------------
#
# Note that running a packet filter/firewall is no panacea against
# network security threats. Make sure to
#
# - expose only actually needed services
# - assign different zones to express different levels of trust.
# Opening ports for LAN services in the external zone defeats the
# purpose of the firewall!
# - use software that is designed with security in mind (such as
# postfix, vsftpd, openssh)
# - install security updates regularly
#
# ------------------------------------------------------------------------
#
# Configuration Hints:
#
# Note that while this file looks like a shell script and is parsed
# by a shell script it actually is not a shell script itself. More
# information about sysconfig files can be found here:
# http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig
# It's generally a good idea to avoid using shell variable
# substitution (foo="$bar") and multi line values.
#
# If you have any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
#
# For end user systems that are only connected to one network
# FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need
# to be modified. The defaults for all other settings are usually
# fine.
#
# For firewalls that should perform routing or masquerading between
# networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,
# FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,
# FW_FORWARD_MASQ
#
# Please note that if you use service names, they have to exist in
# /etc/services. There is for example no service "dns", it's called
# "domain"; email is called "smtp" etc.
#
# ------------------------------------------------------------------------

## Path: Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type: string
#
# Which are the interfaces that point to the internet/untrusted
# networks?
#
# Enter all untrusted network devices here
#
# Format: space separated list of interface or configuration names
#
# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external. Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external interfaces
# individually. "any" can be mixed with other interface names.
#
# Examples: "wlan0", "ippp0 ippp1", "any dsl0"
#
# Note: alias interfaces (like eth0:1) are ignored
#
FW_DEV_EXT=""

## Type: string
#
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_INT="eth0 wlan0 wwan0"

## Type: string
#
# Which are the interfaces that point to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, seperated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.
#
# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_DMZ=""

## Type: yesno
#
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
# net.ipv4.ip_forward settings in /etc/sysctl.conf
# Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
# manually.
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="no"

## Type: yesno
#
# Do you want to masquerade internal networks to the outside?
#
# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
#
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE="no"

## Type: string
#
# You also have to define on which interfaces to masquerade on.
# Those are usually the same as the external interfaces. Most users
# can leave the default.
#
# The special string "zone:" concatenated with the name of a zone
# means to take all interfaces in the specified zone.
#
# Note: Old version of SuSEfirewall2 used a shell variable
# ($FW_DEV_EXT) here. That method is deprecated as it breaks auto
# detection of interfaces. Please use zone:ext instead.
#
# Examples: "ippp0", "zone:dmz"
#
# defaults to "zone:ext" if not set
#
FW_MASQ_DEV=""

## Type: string
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
# This is also the default if you leave FW_MASQ_NETS empty.
# - "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access.
# - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet. -
# - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
# 10.0.1.0/24 network is allowed to access unprivileged
# ports whereas 10.0.2.0/24 is granted unrestricted
# access.
# - "0/0,!10.0.0.0/8" unrestricted access to the internet
# with the exception of 10.0.0.8 which will not be
# masqueraded.
#
FW_MASQ_NETS=""

## Type: string
#
# Which computers/networks to exclude from masquerading.
#
# Note that this only affects the POSTROUTING chain of the nat
# table. Ie the forwarding rules installed by FW_MASQ_NETS do not
# include the listed exceptions.
# *** Since you may use FW_NOMASQ_NETS together with IPsec make sure
# that the policy database is loaded even when the tunnel is not up
# yet. Otherwise packets to the listed networks will be forwarded to
# the internet unencrypted! ***
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0,10.0.0.0/8" do not masquerade packets from
# anywhere to the 10.0.0.0/8 network
#
FW_NOMASQ_NETS=""

## Type: list(yes,no,notrack,)
#
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# The value "notrack" acts similar to "no" but additionally
# connection tracking is switched off for interfaces in the zone.
# This is useful to gain better performance on high speed
# interfaces.
#
# defaults to "no" if not set
#
# see also FW_REJECT_INT
#
FW_PROTECT_FROM_INT="no"

## Type: string
#
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_TCP=""

## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Example: "53", "syslog"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_UDP="427 5353"

## Type: string
#
# Which IP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing services that END at the firewall like
# IPsec, GRE, PPTP or OSPF
#
# Format: space separated list of ports, port ranges or well known
# protocol names (see /etc/protocols)
#
# Example: "esp"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_IP=""

## Type: string
#
# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_RPC=""

## Type: string
#
# Which services _on the firewall_ should be accessible from
# untrusted networks?
#
# Packages can drop a configuration file that specifies all required
# ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for
# services that require multiple ports or protocols. Enter the space
# separated list of configuration files you want to load.
#
# The content of those files is merged into
# FW_SERVICES_$zone_$protocol, ie has precedence over
# FW_SERVICES_ACCEPT_*
#
# Example: "samba-server nfs-kernel-server"
FW_CONFIGURATIONS_EXT="avahi netbios-server samba-client samba-server"

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
FW_CONFIGURATIONS_DMZ=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
FW_CONFIGURATIONS_INT="netbios-server samba-client samba-server"

## Type: string
#
# Packets to drop.
#
# Format: space separated list of net,protocol[,port][,sport]
# Example: "0/0,tcp,445 0/0,udp,4662"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_DROP_EXT=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
FW_SERVICES_DROP_DMZ=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
FW_SERVICES_DROP_INT=""

## Type: string
## Default:
#
# Packets to reject. Common usage is TCP port 113 which if dropped
# would cause long timeouts when sending mail or connecting to IRC
# servers.
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,113"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_REJECT_EXT=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
FW_SERVICES_REJECT_DMZ=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
FW_SERVICES_REJECT_INT=""

## Type: string
## Default:
#
# Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
# Example: "0/0,tcp,22"
#
# Supported flags are
# hitcount=NUMBER : ipt_recent --hitcount parameter
# blockseconds=NUMBER : ipt_recent --seconds parameter
# recentname=NAME : ipt_recent --name parameter
# Example:
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
# take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
# port with both options.
#
# Note2: the iptables recent module may not be available for ipv6. To
# avoid an error message use 0.0.0.0/0 instead of 0/0. This will
# install the rule for ipv4 only.
#
FW_SERVICES_ACCEPT_EXT=""

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
FW_SERVICES_ACCEPT_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
FW_SERVICES_ACCEPT_INT="0/0,udp,5353,5353
0/0,udp,427,427"

## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
# Allow samba broadcast replies marked as related by
# nf_conntrack_netbios_ns from a certain network:
# "192.168.1.0/24,udp,137"
#
# See also FW_LOAD_MODULES
#
FW_SERVICES_ACCEPT_RELATED_EXT=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
FW_SERVICES_ACCEPT_RELATED_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
FW_SERVICES_ACCEPT_RELATED_INT=""

## Type: string
#
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

## Type: string
#
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice befor using this option!
#
# Format: space separated list of
# <source network>,<destination network>[,protocol[,destination port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# flags, separated by comma:
# ipsec:
# match packets that originate from an IPsec tunnel
# zonein=ZONE, zoneout=ZONE:
# match only packets coming in/going out on interfaces from
# the specified zone.
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
# service on the host 2.2.2.2
# - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
# to access any service in the network 4.4.4.4/24
# - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
# from 5.5.5.5 to 6.6.6.6
# - "0/0,0/0,udp,514" always permit udp port 514 to pass
# the firewall
# - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
# 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
# from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
# provided that both networks are connected via an
# IPsec tunnel.
# - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh"
# allow ssh from one IPv6 network to another
#
FW_FORWARD=""

## Type: string
#
# same as FW_FORWARD but packages are rejected instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_REJECT=""

## Type: string
#
# same as FW_FORWARD but packages are dropped instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_DROP=""

## Type: string
#
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
# <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10
# - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10 on port 81
# - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
# the network 200.200.200.0/24 trying to access the
# address 202.202.202.202 on port 80 will be forwarded
# to the internal server 10.0.0.10 on port 81
#
# Note: du to inconsistent iptables behaviour only port numbers are possible
# but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ=""

## Type: string
#
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
# to additionally open the local port
FW_REDIRECT=""

## Type: yesno
#
# Which kind of packets should be logged?
#
# When set to "yes", packages that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type: yesno
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="no"

## Type: yesno
#
# When set to "yes", packages that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests and forwarded pakets.
#
# Set to "no" for on systems with high traffic
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type: yesno
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="no"

## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# You may specify an alternative logging target by starting the
# string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2"
#
# Note that ULOG doesn't work with IPv6
#
# only change this if you know what you are doing!
FW_LOG=""

## Type: yesno
#
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, rp_filter, routing flush,
# bootp_relay, proxy_arp, secure_redirects, accept_source_route
# icmp_echo_ignore_broadcasts, ipfrag_time)
#
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY=""

## Type: yesno
#
# Whether ip routing should be disabled when the firewall is shut
# down.
#
# Note: IPv4 only, IPv6 sysctls are left untouched
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_STOP_KEEP_ROUTING_STATE="no"

## Type: yesno
#
# Allow the firewall to reply to icmp echo requests
#
# defaults to "yes" if not set
#
FW_ALLOW_PING_FW=""

## Type: yesno
#
# Allow hosts in the dmz to be pinged from hosts in other zones even
# if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ=""

## Type: yesno
#
# Allow hosts in the external zone to be pinged from hosts in other
# zones even if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT=""

## Type: yesno
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specifc ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
# to enter the machine but drop any other broadcasts
# - "yes" do not install any extra drop rules for
# broadcast packets. They'll be treated just as unicast
# packets in this case.
# - "no" drop all broadcast packets before other filtering
# rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
# - "yes" do not log dropped broadcast packets
# - "no" log all dropped broadcast packets
#
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type: list(yes,no,int,ext,dmz,)
#
# Specifies whether routing between interfaces of the same zone should be allowed
# Requires: FW_ROUTE="yes"
#
# Set this to allow routing between interfaces in the same zone,
# e.g. between all internet interfaces, or all internal network
# interfaces.
#
# Caution: Keep in mind that "yes" affects all zones. ie even if you
# need inter-zone routing only in the internal zone setting this
# parameter to "yes" would allow routing between all external
# interfaces as well. It's better to use
# FW_ALLOW_CLASS_ROUTING="int" in this case.
#
# Choice: "yes", "no", or space separate list of zone names
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
#
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
# You may override this value on a per zone basis by using a zone
# specific variable, e.g. FW_REJECT_DMZ="yes"
#
FW_REJECT=""

## Type: yesno
#
# see FW_REJECT for description
#
# default config file setting is "yes" assuming that slowing down
# portscans is not strictly required in the internal zone even if
# you protect yourself from the internal zone
#
FW_REJECT_INT=""

## Type: string
#
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# it's own buffers because queing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everthing else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
# traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets.
#
# - reject: reject all IPv6 packets. This is the default if stateful matching is
# not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether ip6tables supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available trough an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitely allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type: string
#
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the approriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""

## Type: string(no,auto)
#
# Set default firewall zone
#
# Format: 'auto', 'no' or name of zone.
#
# When set to 'no' no firewall rules will be installed for unknown
# or unconfigured interfaces. That means traffic on such interfaces
# hits the default drop rules.
#
# When left empty or when set to 'auto' the zone that has the
# interface string 'any' configured is used for all unconfigured
# interfaces (see FW_DEV_EXT). If no 'any' string was found the
# external zone is used.
#
# When a default zone is defined a catch all rule redirects traffic
# from interfaces that were not present at the time SuSEfirewall2
# was run to the default zone. Normally SuSEfirewall2 needs to be
# run if new interfaces appear to avoid such unknown interfaces.
#
# Defaults to 'auto' if not set
#
FW_ZONE_DEFAULT=''

## Type: list(yes,no,auto,)
## Default:
#
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
# iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""

## Type: string
#
# Which additional kernel modules to load at startup
#
# Example:
# FW_LOAD_MODULES="nf_conntrack_netbios_ns"
#
# See also FW_SERVICES_ACCEPT_RELATED_EXT
#
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

## Type: string
## Default:
#
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
#
# Example:
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""

## Type: string
#
# Whether traffic that is only bridged but not routed should be
# allowed. Such packets appear to pass though the forward chain so
# normally they would be dropped.
#
# Note: it is not possible to configure SuSEfirewall2 as bridging
# firewall. This option merely controls whether SuSEfirewall2 should
# try to not interfere with bridges.
#
# Choice:
# - yes: always install a rule to allow bridge traffic
# - no: don't install a rule to allow bridge traffic
# - auto: install rule only if there are bridge interfaces
#
# Defaults to "auto" if not set
#
FW_FORWARD_ALLOW_BRIDGING=""

## Type: yesno
#
# Write status information to /var/run/SuSEfirewall2/status for use
# by e.g. graphical user interfaces. Can safely be disabled on
# servers.
#
# Defaults to "yes" if not set
#
FW_WRITE_STATUS=""

## Type: yesno
#
# Allow dynamic configuration overrides in
# /var/run/SuSEfirewall2/override for use by e.g. graphical user
# interfaces. Can safely be disabled on servers.
#
# Defaults to "yes" if not set
#
FW_RUNTIME_OVERRIDE=""

## Type: yesno
#
# Install NOTRACK target for interface lo in the raw table. Doing so
# speeds up packet processing on the loopback interface. This breaks
# certain firewall setups that need to e.g. redirect outgoing
# packets via custom rules on the local machine.
#
# Defaults to "yes" if not set
#
FW_LO_NOTRACK=""

## Type: yesno
#
# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
# full rule set already. Default is to just install minimum rules
# that block incoming traffic. Set to "yes" if you use services
# such as drbd that require open ports during boot already.
#
# Defaults to "no" if not set
#
FW_BOOT_FULL_INIT="no"
SLEDLaptop:/home/hans-christoph #


Here is a print screen of the firewall setup in YaST.

KBOYLE
10-Mar-2017, 02:19
Hi Kevin,

These data are now from Laptop. Both SLES, SLED

The output you provided appears to be from SLED. How is it from both SLES and SLED?

I know you want to get your printer working but here are some things to consider about your firewall:

Your laptop is currently connected to your LAN. If all your interfaces are assigned to the Internal Zone you are saying you trust everything and you do not need to configure special rules to allow communication with devices on your LAN. But what happens when your laptop is not connected to your LAN? If you are connected to a public Wi-Fi hotspot your firewall still treats it as an Internal zone and provides no protection at all. That is not good!

When you only have one zone, it should be the External zone and you should configure rules for all the services you need. This requires a bit more work but you want to keep your laptop secure. Normally, your firewall does not require special configuration to allow outgoing packets or to allow responses to them and there should only be a few cases where you want to allow unsolicited incoming packets.

I see this in your /etc/sysconfig/SuSEfirewall2 configuration:


FW_SERVICES_ACCEPT_INT="0/0,udp,5353,5353
0/0,udp,427,427"
It tells me you didn't make the changes I asked in a previous post:

On Page 3 of the PDF, where it says "open ports manuell:", you show the Custom Allowed Rules. They are not configured correctly!
The source network should not be "0/0" (any network). Since your printing is between devices on your LAN, the source network should be your LAN. Example: 192.168.1.0/24.
Do not configure a Source Port. Source ports usually cannot be predicted. If you do configure one, all traffic will likely be blocked because the actual source port will not match the one you specified.
Also, the ports shown in this output from your laptop are different from those shown in the PDF. Make sure you have included all the necessary ports.

Okay, let's try to get this working.

Make a backup copy of /etc/sysconfig/SuSEfirewall2
Use YaST Firewall to make these changes:


Assign all interfaces to the External Zone.
Remove from the Internal Zone all the Custom Allowed Rules
Setup the External Zone with all the Custom Allowed Rules shown on Page 3 of the PDF
When setting up the rules, the network should be 10.0.25.0/24
When setting up the rules, the Source Port should be blank.


When you have finished, restart your firewall then test your printing from SLED.

If you still can't print, please post the output from:

cat /etc/sysconfig/SuSEfirewall2

Good luck!

hcp_dk
10-Mar-2017, 18:57
Hi Kevin,

The data I sent are from the laptop with SLED, as I wrote.
I mentioned that both SLES and SLED have the same architecture, so they act the same.

It is correct. Actually, in my system the laptop is safe. I wrote somewhere in the documentation, I think about getting SUSE on an AD Windows network, that the Firewall needs to be internal.
I probably need to switch when I'm not home? But you have a point there. I can try that later. It might not be too easy due to the network.

The open port was on the laptop; I have not changed it. It comes from the HPLIP troubleshooting....

OK. I'll try it now as you describe.... :-)

KBOYLE
10-Mar-2017, 19:44
I wrote somewhere in the documentation, I think about getting SUSE on an AD Windows network, that the Firewall needs to be internal.
I probably need to switch when I'm not home? But you have a point there. I can try that later.

If you only have one interface,
and it is assigned to the Internal Zone,
and the Internal Zone is a trusted network
then your firewall will not filter any traffic: it will allow everything.

If this is what you really want, there is a simple solution: disable your firewall!

I don't recommend this.

The correct solution is to run a firewall and set up the necessary rules. There are many workstations on Windows AD networks running correctly configured firewalls.

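The checks KBOYLE describes above (interfaces in the External zone, LAN source network instead of 0/0, no fixed source port, the printer's ports opened) together with the point in the last reply that a trusted Internal zone filters nothing, as an added Python example that is not from the thread or from SUSE. It assumes the required port set from the posts (5353/udp, 427/udp, 161/udp, 9100/tcp) and runs on constructed config excerpts embedded in the script.

```python
# Audit /etc/sysconfig/SuSEfirewall2 for the problems raised in this thread: trusted
# Internal-zone interfaces, 0/0 source networks, fixed source ports, and printer
# ports missing from the External zone.  Added example, not SUSE's code.
import re

# Assumed from the posts: what the HP MFP needs from the LAN side (mDNS/Bonjour
# discovery, SLP discovery, SNMP status, JetDirect raw printing).
REQUIRED = {("udp", 5353), ("udp", 427), ("udp", 161), ("tcp", 9100)}


def parse_sysconfig(text: str) -> dict[str, str]:
    """Parse KEY="value" lines; a value runs on while its quote is unclosed."""
    values: dict[str, str] = {}
    pending = None  # (key, text so far) of a value whose quote is still open
    for raw in text.splitlines():
        if pending is None:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            match = re.match(r"^([A-Za-z_]\w*)=(.*)$", line)
            if not match:
                continue
            key, rest = match.group(1), match.group(2)
        else:
            key, rest = pending[0], pending[1] + "\n" + raw
        if rest.count('"') % 2:  # odd quote count: multi-line value continues
            pending = (key, rest)
            continue
        pending = None
        values[key] = rest.strip().strip('"')
    return values


def audit_rule(zone: str, rule: str) -> list[str]:
    """Check one net,protocol[,dport[,sport[,flags]]] entry of FW_SERVICES_ACCEPT_*."""
    fields = rule.split(",")
    findings = []
    if fields[0] in ("0/0", "0.0.0.0/0", "::/0"):
        findings.append(f"{zone} rule {rule}: source network is any; restrict it to the LAN")
    if len(fields) > 3 and fields[3]:
        findings.append(f"{zone} rule {rule}: source port {fields[3]} is fixed; leave it blank")
    return findings


def open_ports(cfg: dict[str, str], zone: str) -> set[tuple[str, int]]:
    """Numeric ports a zone accepts (service names and ranges are not resolved)."""
    ports = set()
    for proto in ("tcp", "udp"):
        for item in cfg.get(f"FW_SERVICES_{zone}_{proto.upper()}", "").split():
            if item.isdigit():
                ports.add((proto, int(item)))
    for rule in cfg.get(f"FW_SERVICES_ACCEPT_{zone}", "").split():
        fields = rule.split(",")
        if len(fields) > 2 and fields[2].isdigit():
            ports.add((fields[1], int(fields[2])))
    return ports


def audit_config(text: str) -> list[str]:
    """One finding per problem; an empty list means the file follows the advice."""
    cfg = parse_sysconfig(text)
    findings = []
    dev_int = cfg.get("FW_DEV_INT", "").split()
    if dev_int and cfg.get("FW_PROTECT_FROM_INT", "no") == "no":
        findings.append(f"FW_DEV_INT={' '.join(dev_int)} is trusted: nothing is filtered there")
    for zone in ("EXT", "INT", "DMZ"):
        rules = cfg.get(f"FW_SERVICES_ACCEPT_{zone}", "").split()
        if zone == "INT" and rules and not dev_int:
            findings.append("FW_SERVICES_ACCEPT_INT has rules but no interface is in the Internal zone")
        for rule in rules:
            findings.extend(audit_rule(zone, rule))
    for proto, port in sorted(REQUIRED - open_ports(cfg, "EXT")):
        findings.append(f"{proto}/{port} is not open in the External zone")
    return findings


# Constructed excerpt in the shape of the laptop config criticised above.
BEFORE = '''FW_DEV_EXT=""
FW_DEV_INT="eth0 wlan0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_ACCEPT_INT="0/0,udp,5353,5353
0/0,udp,427,427"
'''

# Shortened excerpt of the corrected config posted later in the thread.
AFTER = '''FW_DEV_EXT="eth0 wlan0 wwan0"
FW_DEV_INT=""
FW_SERVICES_EXT_UDP="5353"
FW_SERVICES_ACCEPT_EXT="10.0.25.0/24,tcp,161
10.0.25.0/24,udp,161
10.0.25.0/24,udp,5353
10.0.25.0/24,tcp,9100
10.0.25.0/24,udp,427"
'''

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        for line in audit_config(text) or ["no findings"]:
            print(f"{name}: {line}")
```

Point it at a real file with `audit_config(open("/etc/sysconfig/SuSEfirewall2").read())`; the multi-line FW_SERVICES_ACCEPT_* values in the dumps above parse as shown.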
hcp_dk
10-Mar-2017, 20:25
Hi Kevin,

I tried that - miracle. I C to external firewall and opened the ports 161, 162, 427, 5353, 9100 and rebooted.
Now I could print pictures. But I couldn't print a Libre document.
All prints take a long time - for pictures. The Libre document came now, first page - after 5 min.


hans-christoph@SLEDLaptop:~> cat /etc/sysconfig/SuSEfirewall2
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany
# Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany
# Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany
#
# Author: Marc Heuse, 2002
# Ludwig Nussel, 2004-2011
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 3.6
#
# ------------------------------------------------------------------------
#
# Note that running a packet filter/firewall is no panacea against
# network security threats. Make sure to
#
# - expose only actually needed services
# - assign different zones to express different levels of trust.
# Opening ports for LAN services in the external zone defeats the
# purpose of the firewall!
# - use software that is designed with security in mind (such as
# postfix, vsftpd, openssh)
# - install security updates regularly
#
# ------------------------------------------------------------------------
#
# Configuration Hints:
#
# Note that while this file looks like a shell script and is parsed
# by a shell script it actually is not a shell script itself. More
# information about sysconfig files can be found here:
# http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig
# It's generally a good idea to avoid using shell variable
# substitution (foo="$bar") and multi line values.
#
# If you have any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
#
# For end user systems that are only connected to one network
# FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need
# to be modified. The defaults for all other settings are usually
# fine.
#
# For firewalls that should perform routing or masquerading between
# networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,
# FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,
# FW_FORWARD_MASQ
#
# Please note that if you use service names, they have to exist in
# /etc/services. There is for example no service "dns", it's called
# "domain"; email is called "smtp" etc.
#
# ------------------------------------------------------------------------

## Path: Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type: string
#
# Which are the interfaces that point to the internet/untrusted
# networks?
#
# Enter all untrusted network devices here
#
# Format: space separated list of interface or configuration names
#
# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external. Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external interfaces
# individually. "any" can be mixed with other interface names.
#
# Examples: "wlan0", "ippp0 ippp1", "any dsl0"
#
# Note: alias interfaces (like eth0:1) are ignored
#
FW_DEV_EXT="eth0 wlan0 wwan0"

## Type: string
#
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_INT=""

## Type: string
#
# Which are the interfaces that point to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, seperated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.
#
# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_DMZ=""

## Type: yesno
#
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
# net.ipv4.ip_forward settings in /etc/sysctl.conf
# Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
# manually.
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="no"

## Type: yesno
#
# Do you want to masquerade internal networks to the outside?
#
# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
#
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE="no"

## Type: string
#
# You also have to define on which interfaces to masquerade on.
# Those are usually the same as the external interfaces. Most users
# can leave the default.
#
# The special string "zone:" concatenated with the name of a zone
# means to take all interfaces in the specified zone.
#
# Note: Old version of SuSEfirewall2 used a shell variable
# ($FW_DEV_EXT) here. That method is deprecated as it breaks auto
# detection of interfaces. Please use zone:ext instead.
#
# Examples: "ippp0", "zone:dmz"
#
# defaults to "zone:ext" if not set
#
FW_MASQ_DEV=""

## Type: string
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
# This is also the default if you leave FW_MASQ_NETS empty.
# - "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access.
# - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet. -
# - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
# 10.0.1.0/24 network is allowed to access unprivileged
# ports whereas 10.0.2.0/24 is granted unrestricted
# access.
# - "0/0,!10.0.0.0/8" unrestricted access to the internet
# with the exception of 10.0.0.8 which will not be
# masqueraded.
#
FW_MASQ_NETS=""

## Type: string
#
# Which computers/networks to exclude from masquerading.
#
# Note that this only affects the POSTROUTING chain of the nat
# table. Ie the forwarding rules installed by FW_MASQ_NETS do not
# include the listed exceptions.
# *** Since you may use FW_NOMASQ_NETS together with IPsec make sure
# that the policy database is loaded even when the tunnel is not up
# yet. Otherwise packets to the listed networks will be forwarded to
# the internet unencrypted! ***
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0,10.0.0.0/8" do not masquerade packets from
# anywhere to the 10.0.0.0/8 network
#
FW_NOMASQ_NETS=""

## Type: list(yes,no,notrack,)
#
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# The value "notrack" acts similar to "no" but additionally
# connection tracking is switched off for interfaces in the zone.
# This is useful to gain better performance on high speed
# interfaces.
#
# defaults to "no" if not set
#
# see also FW_REJECT_INT
#
FW_PROTECT_FROM_INT="no"

## Type: string
#
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_TCP=""

## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Example: "53", "syslog"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_UDP="5353"

## Type: string
#
# Which IP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing services that END at the firewall like
# IPsec, GRE, PPTP or OSPF
#
# Format: space separated list of ports, port ranges or well known
# protocol names (see /etc/protocols)
#
# Example: "esp"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_IP=""

## Type: string
#
# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_RPC=""

## Type: string
#
# Which services _on the firewall_ should be accessible from
# untrusted networks?
#
# Packages can drop a configuration file that specifies all required
# ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for
# services that require multiple ports or protocols. Enter the space
# separated list of configuration files you want to load.
#
# The content of those files is merged into
# FW_SERVICES_$zone_$protocol, ie has precedence over
# FW_SERVICES_ACCEPT_*
#
# Example: "samba-server nfs-kernel-server"
FW_CONFIGURATIONS_EXT="avahi netbios-server samba-client samba-server"

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
FW_CONFIGURATIONS_DMZ=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
FW_CONFIGURATIONS_INT="netbios-server samba-client samba-server"

## Type: string
#
# Packets to drop.
#
# Format: space separated list of net,protocol[,port][,sport]
# Example: "0/0,tcp,445 0/0,udp,4662"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_DROP_EXT=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
FW_SERVICES_DROP_DMZ=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
FW_SERVICES_DROP_INT=""

## Type: string
## Default:
#
# Packets to reject. Common usage is TCP port 113 which if dropped
# would cause long timeouts when sending mail or connecting to IRC
# servers.
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,113"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_REJECT_EXT=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
FW_SERVICES_REJECT_DMZ=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
FW_SERVICES_REJECT_INT=""

## Type: string
## Default:
#
# Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
# Example: "0/0,tcp,22"
#
# Supported flags are
# hitcount=NUMBER : ipt_recent --hitcount parameter
# blockseconds=NUMBER : ipt_recent --seconds parameter
# recentname=NAME : ipt_recent --name parameter
# Example:
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
# take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
# port with both options.
#
# Note2: the iptables recent module may not be available for ipv6. To
# avoid an error message use 0.0.0.0/0 instead of 0/0. This will
# install the rule for ipv4 only.
#
FW_SERVICES_ACCEPT_EXT="10.0.25.0/24,tcp,161
10.0.25.0/24,udp,161
10.0.25.0/24,tcp,162
10.0.25.0/24,udp,162
10.0.25.0/24,udp,5353
10.0.25.0/24,tcp,9100
10.0.25.0/24,udp,9100
10.0.25.0/24,udp,427"

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
FW_SERVICES_ACCEPT_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
FW_SERVICES_ACCEPT_INT=""

## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
# Allow samba broadcast replies marked as related by
# nf_conntrack_netbios_ns from a certain network:
# "192.168.1.0/24,udp,137"
#
# See also FW_LOAD_MODULES
#
FW_SERVICES_ACCEPT_RELATED_EXT=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
FW_SERVICES_ACCEPT_RELATED_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
FW_SERVICES_ACCEPT_RELATED_INT=""

## Type: string
#
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

## Type: string
#
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice befor using this option!
#
# Format: space separated list of
# <source network>,<destination network>[,protocol[,destination port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# flags, separated by comma:
# ipsec:
# match packets that originate from an IPsec tunnel
# zonein=ZONE, zoneout=ZONE:
# match only packets coming in/going out on interfaces from
# the specified zone.
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
# service on the host 2.2.2.2
# - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
# to access any service in the network 4.4.4.4/24
# - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
# from 5.5.5.5 to 6.6.6.6
# - "0/0,0/0,udp,514" always permit udp port 514 to pass
# the firewall
# - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
# 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
# from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
# provided that both networks are connected via an
# IPsec tunnel.
# - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh"
# allow ssh from one IPv6 network to another
#
FW_FORWARD=""

## Type: string
#
# same as FW_FORWARD but packages are rejected instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_REJECT=""

## Type: string
#
# same as FW_FORWARD but packages are dropped instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_DROP=""

## Type: string
#
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
# <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10
# - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10 on port 81
# - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
# the network 200.200.200.0/24 trying to access the
# address 202.202.202.202 on port 80 will be forwarded
# to the internal server 10.0.0.10 on port 81
#
# Note: du to inconsistent iptables behaviour only port numbers are possible
# but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ=""

## Type: string
#
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
# to additionally open the local port
FW_REDIRECT=""

## Type: yesno
#
# Which kind of packets should be logged?
#
# When set to "yes", packages that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type: yesno
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="no"

## Type: yesno
#
# When set to "yes", packages that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests and forwarded pakets.
#
# Set to "no" for on systems with high traffic
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type: yesno
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="no"

## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# You may specify an alternative logging target by starting the
# string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2"
#
# Note that ULOG doesn't work with IPv6
#
# only change this if you know what you are doing!
FW_LOG=""

## Type: yesno
#
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, rp_filter, routing flush,
# bootp_relay, proxy_arp, secure_redirects, accept_source_route
# icmp_echo_ignore_broadcasts, ipfrag_time)
#
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY=""

## Type: yesno
#
# Whether ip routing should be disabled when the firewall is shut
# down.
#
# Note: IPv4 only, IPv6 sysctls are left untouched
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_STOP_KEEP_ROUTING_STATE="no"

## Type: yesno
#
# Allow the firewall to reply to icmp echo requests
#
# defaults to "yes" if not set
#
FW_ALLOW_PING_FW=""

## Type: yesno
#
# Allow hosts in the dmz to be pinged from hosts in other zones even
# if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ=""

## Type: yesno
#
# Allow hosts in the external zone to be pinged from hosts in other
# zones even if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT=""

## Type: yesno
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specifc ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
# to enter the machine but drop any other broadcasts
# - "yes" do not install any extra drop rules for
# broadcast packets. They'll be treated just as unicast
# packets in this case.
# - "no" drop all broadcast packets before other filtering
# rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
# - "yes" do not log dropped broadcast packets
# - "no" log all dropped broadcast packets
#
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type: list(yes,no,int,ext,dmz,)
#
# Specifies whether routing between interfaces of the same zone should be allowed
# Requires: FW_ROUTE="yes"
#
# Set this to allow routing between interfaces in the same zone,
# e.g. between all internet interfaces, or all internal network
# interfaces.
#
# Caution: Keep in mind that "yes" affects all zones. ie even if you
# need inter-zone routing only in the internal zone setting this
# parameter to "yes" would allow routing between all external
# interfaces as well. It's better to use
# FW_ALLOW_CLASS_ROUTING="int" in this case.
#
# Choice: "yes", "no", or space separate list of zone names
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
#
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
# You may override this value on a per zone basis by using a zone
# specific variable, e.g. FW_REJECT_DMZ="yes"
#
FW_REJECT=""

## Type: yesno
#
# see FW_REJECT for description
#
# default config file setting is "yes" assuming that slowing down
# portscans is not strictly required in the internal zone even if
# you protect yourself from the internal zone
#
FW_REJECT_INT=""

## Type: string
#
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers because queuing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
# traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets.
#
# - reject: reject all IPv6 packets. This is the default if stateful matching is
# not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether ip6tables supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type: string
#
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""

## Type: string(no,auto)
#
# Set default firewall zone
#
# Format: 'auto', 'no' or name of zone.
#
# When set to 'no' no firewall rules will be installed for unknown
# or unconfigured interfaces. That means traffic on such interfaces
# hits the default drop rules.
#
# When left empty or when set to 'auto' the zone that has the
# interface string 'any' configured is used for all unconfigured
# interfaces (see FW_DEV_EXT). If no 'any' string was found the
# external zone is used.
#
# When a default zone is defined a catch all rule redirects traffic
# from interfaces that were not present at the time SuSEfirewall2
# was run to the default zone. Normally SuSEfirewall2 needs to be
# run if new interfaces appear to avoid such unknown interfaces.
#
# Defaults to 'auto' if not set
#
FW_ZONE_DEFAULT=''

## Type: list(yes,no,auto,)
## Default:
#
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
# iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""

## Type: string
#
# Which additional kernel modules to load at startup
#
# Example:
# FW_LOAD_MODULES="nf_conntrack_netbios_ns"
#
# See also FW_SERVICES_ACCEPT_RELATED_EXT
#
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

## Type: string
## Default:
#
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
#
# Example:
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""

## Type: string
#
# Whether traffic that is only bridged but not routed should be
# allowed. Such packets appear to pass though the forward chain so
# normally they would be dropped.
#
# Note: it is not possible to configure SuSEfirewall2 as bridging
# firewall. This option merely controls whether SuSEfirewall2 should
# try to not interfere with bridges.
#
# Choice:
# - yes: always install a rule to allow bridge traffic
# - no: don't install a rule to allow bridge traffic
# - auto: install rule only if there are bridge interfaces
#
# Defaults to "auto" if not set
#
FW_FORWARD_ALLOW_BRIDGING=""

## Type: yesno
#
# Write status information to /var/run/SuSEfirewall2/status for use
# by e.g. graphical user interfaces. Can safely be disabled on
# servers.
#
# Defaults to "yes" if not set
#
FW_WRITE_STATUS=""

## Type: yesno
#
# Allow dynamic configuration overrides in
# /var/run/SuSEfirewall2/override for use by e.g. graphical user
# interfaces. Can safely be disabled on servers.
#
# Defaults to "yes" if not set
#
FW_RUNTIME_OVERRIDE=""

## Type: yesno
#
# Install NOTRACK target for interface lo in the raw table. Doing so
# speeds up packet processing on the loopback interface. This breaks
# certain firewall setups that need to e.g. redirect outgoing
# packets via custom rules on the local machine.
#
# Defaults to "yes" if not set
#
FW_LO_NOTRACK=""

## Type: yesno
#
# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
# full rule set already. Default is to just install minimum rules
# that block incoming traffic. Set to "yes" if you use services
# such as drbd that require open ports during boot already.
#
# Defaults to "no" if not set
#
FW_BOOT_FULL_INIT="no"
hans-christoph@SLEDLaptop:~>

KBOYLE
10-Mar-2017, 21:32
Hi Kevin,

I tried that - miracle. I C to external firewall and opened the ports 161, 162, 427, 5353, 9100 and rebooted.
Now I could print pictures. But I couldn't print a Libre document.
All prints take a long time - for pictures. Libre document came now first page - after 5 min.

That is good news.

I have reviewed your /etc/sysconfig/SuSEfirewall2. It looks much better. You did a good job re-configuring the firewall.

There are several reasons why printing can be slow. To see if the firewall is contributing to the problem, just disable the firewall and try to print the same documents.
Please let us know if it makes a difference.

When printing a document, the amount of data sent to the printer depends on many things:

The type of document: A large picture can take a long time.
The printer driver you are using.
The print settings (e.g. resolution)
Your network: a 1Gb network will provide better performance than 10/100 network, if your printer has a 1Gb interface.

You may want to experiment with these settings and compare print times using a USB connection to identify any bottlenecks.

hcp_dk
11-Mar-2017, 15:51
Hi Kevin,

the document has standard few pictures, text, all in all 670 kB.
the internet is 1 Gbit speed over whole system
the WLAN has 2 frequencies, 6 antennas and runs on 1300 Mbits.
The NIC runs up to 600 Mbits.
Print from Windows will take less than 1 minute.

I have disabled the firewall.
The print is still slow, maybe 15 min for 9 pages. This makes no difference.


I have now disabled firewall. When done that and open YAST - Firewall I get this picture:
I have not installed another firewall. SAMBA runs for access to AD windows network.
There is Apparmor, but disabled in Services. I have not touched it.

KBOYLE
12-Mar-2017, 02:36
Hi Kevin,
the document has standard few pictures, text, all in all 670 kB.

That does not appear to be a very large document.

I have disabled the firewall.
This makes no difference.

That tells me the firewall is good. It is not affecting performance.

the internet is 1 Gbit speed over whole system
The NIC runs up to 600 Mbits.

That should be adequate, assuming there are no network issues.

the WLAN has 2 frequencies, 6 antennas and runs on 1300 Mbits.

You won't get 1,300 Mb even if you have a 1 Gb LAN connection.
You might get 600 Mb.

The print is still slow, maybe 15 min for 9 pages.

15 minutes for 9 pages does appear to be slow but it depends on the amount of data that is sent to the printer. For example, you could be printing several 72 dpi images at 1200 dpi so you could be sending much more than 670 KB to the printer.

I'm curious if it takes just as long if you print via your Ethernet connection instead of your WLAN.

Print from Windows will take less than 1 minute.

Now, this is interesting. Assuming...

you're doing this on your laptop (SLED)
and Windows is a KVM virtual machine
and you're printing via your WLAN connection

It would suggest the bottleneck is related to the Linux print driver or perhaps cups. Have a look at /var/log/messages. Are there any errors or other messages that might point to the cause?

I have now disabled firewall. When done that and open YAST - Firewall I get this picture:
I have not installed another firewall. SAMBA runs for access to AD windows network.
There is Apparmor, but disabled in Services. I have not touched it.

Again, have a look at /var/log/messages. Are there any errors or other messages that might point to the cause?

From an earlier post, I thought that message came from your SLES system. Do you see that message on SLES, SLED, or both?

Try this to see if it resolves the error message:

rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT

Now, open YaST Firewall. Do you still get the same message?
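As an added example (not code from this thread and not part of SuSEfirewall2): a small Python audit of the sysconfig file reviewed above. It parses the FW_DEV_*, FW_SERVICES_*_TCP/UDP and FW_CONFIGURATIONS_* variables and flags printer-discovery ports that have been opened in the EXT zone, since the file's own header warns that opening LAN services in the external zone defeats the firewall. The two sample configs are constructed from the ports posted in this thread, and which ports count as LAN-only is my assumption.

```python
"""Audit a SuSEfirewall2 sysconfig file for LAN-only services exposed in the
EXT zone.  Added example for this thread; not SuSEfirewall2 code and not any
poster's own file.  Port meanings are standard; which ports count as LAN-only
is this example's assumption."""
import re
from typing import Dict, List

ZONES = ("EXT", "INT", "DMZ")

# Printer discovery/management ports that belong on a trusted LAN (assumption).
LAN_ONLY_PORTS = {
    ("udp", 5353): "mDNS/Bonjour discovery",
    ("udp", 427): "SLP discovery",
    ("udp", 161): "SNMP agent queries",
    ("tcp", 161): "SNMP agent queries",
    ("udp", 162): "SNMP trap receiver",
    ("tcp", 162): "SNMP trap receiver",
    ("tcp", 9100): "JetDirect raw print (the printer listens here, not the client)",
    ("udp", 9100): "JetDirect raw print",
}
LAN_ONLY_CONFIGS = {"avahi": "mDNS/Bonjour service files"}

# KEY="value", KEY='value' or KEY=value; the file is not a real shell script.
ASSIGN = re.compile(r'^\s*(FW_\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S*))\s*$')


def parse_sysconfig(text: str) -> Dict[str, str]:
    """Collect FW_* assignments; '#' lines are comments; the last assignment wins."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values


def expand(token: str) -> List[int]:
    """Port numbers covered by a numeric token ('5353' or '3200:3299').
    Service names from /etc/services are not resolved here and yield []."""
    lo, _, hi = token.partition(":")
    if hi:
        return list(range(int(lo), int(hi) + 1)) if lo.isdigit() and hi.isdigit() else []
    return [int(lo)] if lo.isdigit() else []


def audit(text: str) -> Dict[str, List[str]]:
    """Return what each zone exposes and which EXT entries look like LAN-only services."""
    cfg = parse_sysconfig(text)
    exposed: List[str] = []
    findings: List[str] = []
    for zone in ZONES:
        devs = " ".join(cfg.get(f"FW_DEV_{zone}", "").split()) or "no interface"
        for proto in ("tcp", "udp"):
            for tok in cfg.get(f"FW_SERVICES_{zone}_{proto.upper()}", "").split():
                exposed.append(f"{zone}: {proto}/{tok} on {devs}")
                for port in expand(tok):
                    why = LAN_ONLY_PORTS.get((proto, port))
                    if why and zone == "EXT":
                        findings.append(f"EXT opens {proto}/{port} ({why}) to untrusted networks")
        for name in cfg.get(f"FW_CONFIGURATIONS_{zone}", "").split():
            exposed.append(f"{zone}: service file '{name}' on {devs}")
            if zone == "EXT" and name in LAN_ONLY_CONFIGS:
                findings.append(f"EXT loads '{name}' ({LAN_ONLY_CONFIGS[name]}) to untrusted networks")
    if findings and not cfg.get("FW_DEV_INT", "").split():
        findings.append("FW_DEV_INT is empty: put the home LAN interface there and keep "
                        "EXT for untrusted networks, as the file's own header advises")
    return {"exposed": exposed, "findings": findings}


# Constructed excerpt using the values posted in this thread.
POSTED_CONFIG = """\
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="161 162 9100"
FW_SERVICES_EXT_UDP="161 162 427 5353 9100"
FW_CONFIGURATIONS_EXT="avahi"
"""

# Constructed alternative: the LAN interface is trusted and only the discovery
# ports are opened there, so nothing printer-related is exposed in EXT.
TRUSTED_LAN_CONFIG = """\
FW_DEV_EXT="any"
FW_DEV_INT="eth0"
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_UDP="427 5353"
FW_CONFIGURATIONS_INT="avahi"
"""

if __name__ == "__main__":
    for label, text in (("posted", POSTED_CONFIG), ("trusted LAN", TRUSTED_LAN_CONFIG)):
        report = audit(text)
        print(f"== {label}: {len(report['findings'])} finding(s)")
        for line in report["exposed"] + report["findings"]:
            print("  " + line)
```

Run it against a real /etc/sysconfig/SuSEfirewall2 by passing the file's contents to audit(); service names such as "ssh" are listed as exposed but not matched against the port table.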

hcp_dk
12-Mar-2017, 10:29
Hi Kevin,

all this is now from SLED. So we are on one system.
Usually I print files of several megabytes or hundreds of pages without a problem. It must be a problem of data transfer. I think the driver can be an issue since:
- I can print on DELL 3100CN printer
- I can print out of KVM from WINDOWS

I can see in forums others have problems with LaserJet printers too.

I enable now the firewall again since it is not the main problem.

Firewall:

rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT

These commands removed the error message. But when I reboot, the error message comes again. I can then type the commands again and the error message disappears.

Print-related error messages from "messages":

2017-03-11T15:29:39.184983+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-11T15:29:39.190958+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-11T15:29:39.259424+01:00 SLEDLaptop hpps: [8156]: error: Failed to create /var/spool/cups/tmp/.hplip

2017-03-11T15:25:45.475455+01:00 SLEDLaptop smbd[3341]: [2017/03/11 15:25:45.475114, 0] ../source3/printing/nt_printing.c:187(nt_printing_init)
2017-03-11T15:25:45.477961+01:00 SLEDLaptop smbd[3341]: nt_printing_init: error checking published printers: WERR_ACCESS_DENIED

2017-03-12T09:39:51.359111+01:00 SLEDLaptop laptop-mode: enabled, active [unchanged]
2017-03-12T09:40:51.582060+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-12T09:41:22.795608+01:00 SLEDLaptop systemd[1]: message repeated 2 times: [ Started CUPS Scheduler.]
2017-03-12T09:42:06.057051+01:00 SLEDLaptop hp[12763]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26

They are from different days. Today I really started up and tested print to get the message. The last row is from today.

When I'm searching for printer, I find following:

2017-03-10T20:01:27.746970+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-10T20:01:58.671676+01:00 SLEDLaptop systemd[1]: message repeated 2 times: [ Started CUPS Scheduler.]
2017-03-10T20:02:09.638228+01:00 SLEDLaptop hplip.desktop[5095]: #033[01mHP Linux Imaging and Printing System (ver. 3.16.11)#033[0m
2017-03-10T20:02:09.638439+01:00 SLEDLaptop hplip.desktop[5095]: #033[01mHP Device Manager ver. 15.0#033[0m
2017-03-10T20:02:09.638568+01:00 SLEDLaptop hplip.desktop[5095]: Copyright (c) 2001-15 HP Development Company, LP
2017-03-10T20:02:09.638684+01:00 SLEDLaptop hplip.desktop[5095]: This software comes with ABSOLUTELY NO WARRANTY.
2017-03-10T20:02:09.638793+01:00 SLEDLaptop hplip.desktop[5095]: This is free software, and you are welcome to distribute it
2017-03-10T20:02:09.639058+01:00 SLEDLaptop hplip.desktop[5095]: under certain conditions. See COPYING file for more details.
2017-03-10T20:02:09.821970+01:00 SLEDLaptop hplip.desktop[5095]: #033[35;01mwarning: Reportlab not installed. Fax coverpages disabled.#033[0m
2017-03-10T20:02:09.822174+01:00 SLEDLaptop hp-toolbox: hp-toolbox[5095]: warning: Reportlab not installed. Fax coverpages disabled.
2017-03-10T20:02:09.822296+01:00 SLEDLaptop hp-toolbox: hp-toolbox[5095]: warning: Please install version 2.0+ of Reportlab for coverpage support.
2017-03-10T20:02:09.822397+01:00 SLEDLaptop hplip.desktop[5095]: #033[35;01mwarning: Please install version 2.0+ of Reportlab for coverpage support.#033[0m
2017-03-10T20:02:10.342409+01:00 SLEDLaptop python: io/hpmud/hpmud.c 246: invalid channel_open state, current io_mode=raw/uni service=HP-MESSAGE hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:02:10.355569+01:00 SLEDLaptop python: io/hpmud/hpmud.c 702: invalid channel_close state
2017-03-10T20:02:10.358240+01:00 SLEDLaptop python: io/hpmud/hpmud.c 246: invalid channel_open state, current io_mode=raw/uni service=HP-MESSAGE hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:02:17.395836+01:00 SLEDLaptop python: io/hpmud/hpmud.c 702: invalid channel_close state
2017-03-10T20:03:14.448918+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:04:18.160318+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:04:32.440692+01:00 SLEDLaptop laptop-mode: Laptop mode



2017-03-10T20:04:32.442945+01:00 SLEDLaptop laptop-mode: enabled, active [unchanged]
2017-03-10T20:05:03.170041+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:08:41.982023+01:00 SLEDLaptop hp[5083]: message repeated 4 times: [ io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26]
2017-03-10T20:08:53.374794+01:00 SLEDLaptop laptop-mode: Laptop mode
2017-03-10T20:08:53.376903+01:00 SLEDLaptop laptop-mode: enabled, active [unchanged]
2017-03-10T20:09:27.032899+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26
2017-03-10T20:10:00.657708+01:00 SLEDLaptop systemd[1]: Started CUPS Scheduler.
2017-03-10T20:10:12.080126+01:00 SLEDLaptop hp[5083]: io/hpmud/jd.c 616: timeout write_channel hp:/net/HP_LaserJet_700_color_MFP_M775?ip=10.0.25.26


These messages seem to come when I run the self check of HPLIP.

I'm not an expert in error messages and can send the file if this makes sense?

This is from CUPS log


E [10/Mar/2017:19:42:26 +0100] Unknown directive JobPrivateValues on line 102 of /etc/cups/cupsd.conf.
E [10/Mar/2017:19:42:26 +0100] Unknown directive SubscriptionPrivateAccess on line 104 of /etc/cups/cupsd.conf.
E [10/Mar/2017:19:42:26 +0100] Unknown directive SubscriptionPrivateValues on line 105 of /etc/cups/cupsd.conf.
E [10/Mar/2017:20:14:33 +0100] [Job 96] Stopping unresponsive job.
E [11/Mar/2017:15:25:38 +0100] Unknown directive JobPrivateAccess on line 101 of /etc/cups/cupsd.conf.
E [11/Mar/2017:15:25:38 +0100] Unknown directive JobPrivateValues on line 102 of /etc/cups/cupsd.conf.
E [11/Mar/2017:15:25:38 +0100] Unknown directive SubscriptionPrivateAccess on line 104 of /etc/cups/cupsd.conf.
E [11/Mar/2017:15:25:38 +0100] Unknown directive SubscriptionPrivateValues on line 105 of /etc/cups/cupsd.conf.
E [12/Mar/2017:09:19:12 +0100] [Job 98] Stopping unresponsive job.
E [12/Mar/2017:09:44:52 +0100] Unknown directive JobPrivateAccess on line 101 of /etc/cups/cupsd.conf.
E [12/Mar/2017:09:44:52 +0100] Unknown directive JobPrivateValues on line 102 of /etc/cups/cupsd.conf.
E [12/Mar/2017:09:44:52 +0100] Unknown directive SubscriptionPrivateAccess on line 104 of /etc/cups/cupsd.conf.
E [12/Mar/2017:09:44:52 +0100] Unknown directive SubscriptionPrivateValues on line 105 of /etc/cups/cupsd.conf.


Firewall related messages:

2017-03-12T09:44:52.509180+01:00 SLEDLaptop cron[3267]: (CRON) INFO (running with inotify support)
2017-03-12T09:44:52.516271+01:00 SLEDLaptop kernel: [ 14.529681] ip_tables: (C) 2000-2006 Netfilter Core Team
2017-03-12T09:44:52.521799+01:00 SLEDLaptop kernel: [ 14.535244] ip6_tables: (C) 2000-2006 Netfilter Core Team
2017-03-12T09:44:52.532446+01:00 SLEDLaptop kernel: [ 14.545889] Ebtables v2.0 registered
2017-03-12T09:44:52.681833+01:00 SLEDLaptop kernel: [ 14.695282] Bridge firewalling registered

Bridge firewall might be from the KVM virtual box. This box is not running.
But I'm not really good at reading error messages.

hcp_dk
12-Mar-2017, 11:10
USB test.

I tried from SLED Laptop and connected the printer via USB. I installed the driver again. "HP Laserjet USB"
The printer works as fast as in Windows without problems. So, USB works.

However, I can't connect the printer to all PCs via USB - I think we have, when kids are home, 10 PCs and laptops. It should work via network as other printers do too.
But it seems to be linked to LAN and CUPS handling of LAN?

KBOYLE
12-Mar-2017, 19:32
USB test.

I tried from SLED Laptop and connected the printer via USB. I installed the driver again. "HP Laserjet USB"
The printer works as fast as in Windows without problems. So, USB works.

Understood.

However, I can't connect the printer to all PCs via USB - I think we have, when kids are home, 10 PCs and laptops.

Understood.

It should work via network as other printers do too.

Agreed.

But it seems to be linked to LAN and CUPS handling of LAN?

Agreed, but I do not have any experience working with CUPS.
This might be a good time for some of the other Knowledge Partners (https://wiki.microfocus.com/index.php?title=Knowledge_Partner_Program) who have more experience in this area to jump in and offer some assistance. :)

KBOYLE
12-Mar-2017, 19:39
Firewall:
rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT

These commands removed the error message. But when I reboot, the error message comes again. I can then type the commands again and the error message disappears.

I am doing some more research on this issue. I will update this thread when I have more information.

hcp_dk
13-Mar-2017, 18:54
Hi Kevin,

thanks so far. I think we got quite far. I can open a service request and try to get support from there. It seems to be a more difficult issue as a bug or so?

KBOYLE
13-Mar-2017, 19:19
Hi Kevin,

thanks so far. I think we got quite far. I can open a service request and try to get support from there. It seems to be a more difficult issue as a bug or so?
I have already asked someone from SUSE tech support to have a look at this. I should have a response later this week.

You also were unable to print from your SLES system.


Have you tried to correct your SLES firewall configuration, doing the same as you did on SLED?
Can you now print from SLES?
Is your SLES system something you need or was it just setup to see if you could print from it?

KBOYLE
13-Mar-2017, 19:24
I have already asked someone from SUSE tech support to have a look at this. I should have a response later this week.

Let me correct that statement: I have asked for more information about the firewall message.

If no one has any suggestions regarding the print performance issue, that may be worth following up with a Service Request.

hcp_dk
15-Mar-2017, 19:40
Hi Kevin,
I have not tried SLES further. It's a PC and firewall is internal zone. I'm not traveling for some days but can try later.
However, if we cannot solve the issue on SLED with LAN and print, it's the same on SLES:

hcp_dk
15-Mar-2017, 19:43
o.k. because you wrote you are CUPS. And we can see print is a problem over LAN.

One issue is CUPS via LAN, and for that I have asked SUSE to find somebody who knows.

hcp_dk
15-Mar-2017, 19:51
Firewall messages I wrote.
I get the failure message about 2 firewalls acting.
I can flush input, output as done and the message disappears. As soon as I reboot, the message comes again.

hcp_dk
19-Mar-2017, 12:17
Hi Kevin,

I tried now the same on SLES.
Firewall internal: no print possible
Firewall external and open ports as done on SLED: no print possible.

I tried printing from Libre

KBOYLE
20-Mar-2017, 04:52
hcp dk wrote:

>
> Hi Kevin,
>
> I tried now the same on SLES.
> Firewall internal: no print possible
> Firewall external and open ports as done on SLED: no print possible.
>
> I tried printing from Libre

I suspected there were other issues with SLES. Is this a test system or
one that you intend to keep?

Can you print if you stop the firewall *AND* flush iptables?

If you still can't print, can you please post the contents of
/etc/sysconfig/SuSEfirewall2?

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

hcp_dk
21-Mar-2017, 22:06
I did

rcSuSEfirewall2 stop
iptables --flush INPUT
iptables --flush FORWARD
iptables --flush OUTPUT

tried printing a PDF document

Firewall settings are:

linuxSLES:/etc/sysconfig # cat SuSEfirewall2
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany
# Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany
# Copyright (c) 2005-2011 SUSE LINUX Products GmbH Nuernberg, Germany
#
# Author: Marc Heuse, 2002
# Ludwig Nussel, 2004-2011
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 3.6
#
# ------------------------------------------------------------------------
#
# Note that running a packet filter/firewall is no panacea against
# network security threats. Make sure to
#
# - expose only actually needed services
# - assign different zones to express different levels of trust.
# Opening ports for LAN services in the external zone defeats the
# purpose of the firewall!
# - use software that is designed with security in mind (such as
# postfix, vsftpd, openssh)
# - install security updates regularly
#
# ------------------------------------------------------------------------
#
# Configuration Hints:
#
# Note that while this file looks like a shell script and is parsed
# by a shell script it actually is not a shell script itself. More
# information about sysconfig files can be found here:
# http://en.opensuse.org/Packaging/SUSE_Package_Conventions/Sysconfig
# It's generally a good idea to avoid using shell variable
# substitution (foo="$bar") and multi line values.
#
# If you have any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
#
# For end user systems that are only connected to one network
# FW_DEV_EXT and maybe FW_CONFIGURATIONS_EXT to open some ports need
# to be modified. The defaults for all other settings are usually
# fine.
#
# For firewalls that should perform routing or masquerading between
# networks the settings FW_DEV_EXT, FW_DEV_INT, FW_ROUTE, FW_MASQUERADE,
# FW_SERVICES_EXT_TCP, and maybe FW_SERVICES_ACCEPT_EXT, FW_FORWARD,
# FW_FORWARD_MASQ
#
# Please note that if you use service names, they have to exist in
# /etc/services. There is for example no service "dns", it's called
# "domain"; email is called "smtp" etc.
#
# ------------------------------------------------------------------------

## Path: Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type: string
#
# Which are the interfaces that point to the internet/untrusted
# networks?
#
# Enter all untrusted network devices here
#
# Format: space separated list of interface or configuration names
#
# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external. Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external interfaces
# individually. "any" can be mixed with other interface names.
#
# Examples: "wlan0", "ippp0 ippp1", "any dsl0"
#
# Note: alias interfaces (like eth0:1) are ignored
#
FW_DEV_EXT="eth0"

## Type: string
#
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_INT=""

## Type: string
#
# Which are the interfaces that point to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, separated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.
#
# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Format: space separated list of interface or configuration names
#
# Examples: "tr0", "eth0 eth1"
#
FW_DEV_DMZ=""

## Type: yesno
#
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from /etc/sysconfig/sysctl and
# net.ipv4.ip_forward settings in /etc/sysctl.conf
# Note: IPv4 only. The IPv6 forwarding sysctl has to be turned on
# manually.
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="no"

## Type: yesno
#
# Do you want to masquerade internal networks to the outside?
#
# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
#
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE="no"

## Type: string
#
# You also have to define on which interfaces to masquerade on.
# Those are usually the same as the external interfaces. Most users
# can leave the default.
#
# The special string "zone:" concatenated with the name of a zone
# means to take all interfaces in the specified zone.
#
# Note: Old version of SuSEfirewall2 used a shell variable
# ($FW_DEV_EXT) here. That method is deprecated as it breaks auto
# detection of interfaces. Please use zone:ext instead.
#
# Examples: "ippp0", "zone:dmz"
#
# defaults to "zone:ext" if not set
#
FW_MASQ_DEV=""

## Type: string
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
# This is also the default if you leave FW_MASQ_NETS empty.
# - "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access.
# - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
# 10.0.1.0/24 network is allowed to access unprivileged
# ports whereas 10.0.2.0/24 is granted unrestricted
# access.
# - "0/0,!10.0.0.0/8" unrestricted access to the internet
# with the exception of 10.0.0.0/8 which will not be
# masqueraded.
#
FW_MASQ_NETS=""

## Type: string
#
# Which computers/networks to exclude from masquerading.
#
# Note that this only affects the POSTROUTING chain of the nat
# table. Ie the forwarding rules installed by FW_MASQ_NETS do not
# include the listed exceptions.
# *** Since you may use FW_NOMASQ_NETS together with IPsec make sure
# that the policy database is loaded even when the tunnel is not up
# yet. Otherwise packets to the listed networks will be forwarded to
# the internet unencrypted! ***
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0,10.0.0.0/8" do not masquerade packets from
# anywhere to the 10.0.0.0/8 network
#
FW_NOMASQ_NETS=""

## Type: list(yes,no,notrack,)
#
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# The value "notrack" acts similar to "no" but additionally
# connection tracking is switched off for interfaces in the zone.
# This is useful to gain better performance on high speed
# interfaces.
#
# defaults to "no" if not set
#
# see also FW_REJECT_INT
#
FW_PROTECT_FROM_INT="no"

## Type: string
#
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_TCP="161 162 9100"

## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Example: "53", "syslog"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_UDP="161 162 427 5353 9100"

## Type: string
#
# Which IP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing services that END at the firewall like
# IPsec, GRE, PPTP or OSPF
#
# Format: space separated list of ports, port ranges or well known
# protocol names (see /etc/protocols)
#
# Example: "esp"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_IP=""

## Type: string
#
# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
#
# Note: this setting has precedence over FW_SERVICES_ACCEPT_*
#
FW_SERVICES_EXT_RPC=""

## Type: string
#
# Which services _on the firewall_ should be accessible from
# untrusted networks?
#
# Packages can drop a configuration file that specifies all required
# ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for
# services that require multiple ports or protocols. Enter the space
# separated list of configuration files you want to load.
#
# The content of those files is merged into
# FW_SERVICES_$zone_$protocol, ie has precedence over
# FW_SERVICES_ACCEPT_*
#
# Example: "samba-server nfs-kernel-server"
FW_CONFIGURATIONS_EXT="avahi"

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
FW_CONFIGURATIONS_DMZ=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""

## Type: string
#
# see comments for FW_CONFIGURATIONS_EXT
FW_CONFIGURATIONS_INT=""

## Type: string
#
# Packets to drop.
#
# Format: space separated list of net,protocol[,port][,sport]
# Example: "0/0,tcp,445 0/0,udp,4662"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_DROP_EXT=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
FW_SERVICES_DROP_DMZ=""

## Type: string
#
# see FW_SERVICES_DROP_EXT
FW_SERVICES_DROP_INT=""

## Type: string
## Default:
#
# Packets to reject. Common usage is TCP port 113 which if dropped
# would cause long timeouts when sending mail or connecting to IRC
# servers.
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,113"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note: In older SuSEfirewall2 version this setting took place after
# FW_SERVICES_ACCEPT_*, now it takes precedence.
#
FW_SERVICES_REJECT_EXT=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
FW_SERVICES_REJECT_DMZ=""

## Type: string
#
# see FW_SERVICES_REJECT_EXT
FW_SERVICES_REJECT_INT=""

## Type: string
## Default:
#
# Services to allow. This is a more generic form of FW_SERVICES_XXX_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
# Example: "0/0,tcp,22"
#
# Supported flags are
# hitcount=NUMBER : ipt_recent --hitcount parameter
# blockseconds=NUMBER : ipt_recent --seconds parameter
# recentname=NAME : ipt_recent --name parameter
# Example:
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
# take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
# port with both options.
#
# Note2: the iptables recent module may not be available for ipv6. To
# avoid an error message use 0.0.0.0/0 instead of 0/0. This will
# install the rule for ipv4 only.
#
FW_SERVICES_ACCEPT_EXT="10.0.25.0/24,udp,5353
10.0.25.0/24,udp,427
10.0.25.0/24,tcp,9100
10.0.25.0/24,udp,9100
10.0.25.0/24,tcp,161
10.0.25.0/24,udp,161
10.0.25.0/24,tcp,162
10.0.25.0/24,udp,162"

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
FW_SERVICES_ACCEPT_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_EXT
FW_SERVICES_ACCEPT_INT=""

## Type: string
## Default:
#
# Services to allow that are considered RELATED by the connection tracking
# engine.
#
# Format: space separated list of net,protocol[,sport[,dport]]
#
# Example:
# Allow samba broadcast replies marked as related by
# nf_conntrack_netbios_ns from a certain network:
# "192.168.1.0/24,udp,137"
#
# See also FW_LOAD_MODULES
#
FW_SERVICES_ACCEPT_RELATED_EXT=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
FW_SERVICES_ACCEPT_RELATED_DMZ=""

## Type: string
#
# see FW_SERVICES_ACCEPT_RELATED_EXT
FW_SERVICES_ACCEPT_RELATED_INT=""

## Type: string
#
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

## Type: string
#
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice before using this option!
#
# Format: space separated list of
# <source network>,<destination network>[,protocol[,destination port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# flags, separated by comma:
# ipsec:
# match packets that originate from an IPsec tunnel
# zonein=ZONE, zoneout=ZONE:
# match only packets coming in/going out on interfaces from
# the specified zone.
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
# service on the host 2.2.2.2
# - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
# to access any service in the network 4.4.4.4/24
# - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
# from 5.5.5.5 to 6.6.6.6
# - "0/0,0/0,udp,514" always permit udp port 514 to pass
# the firewall
# - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
# 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
# from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
# provided that both networks are connected via an
# IPsec tunnel.
# - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh"
# allow ssh from one IPv6 network to another
#
FW_FORWARD=""

## Type: string
#
# same as FW_FORWARD but packets are rejected instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_REJECT=""

## Type: string
#
# same as FW_FORWARD but packets are dropped instead of accepted
#
# Requires: FW_ROUTE
#
FW_FORWARD_DROP=""

## Type: string
#
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addresses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
# <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10
# - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10 on port 81
# - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
# the network 200.200.200.0/24 trying to access the
# address 202.202.202.202 on port 80 will be forwarded
# to the internal server 10.0.0.10 on port 81
#
# Note: due to inconsistent iptables behaviour only port numbers are possible
# but no service names (http://bugzilla.netfilter.org/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ=""

## Type: string
#
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
# to additionally open the local port
FW_REDIRECT=""

## Type: yesno
#
# Which kind of packets should be logged?
#
# When set to "yes", packets that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type: yesno
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="no"

## Type: yesno
#
# When set to "yes", packets that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests and forwarded packets.
#
# Set to "no" for on systems with high traffic
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type: yesno
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="no"

## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# You may specify an alternative logging target by starting the
# string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2"
#
# Note that ULOG doesn't work with IPv6
#
# only change this if you know what you are doing!
FW_LOG=""

## Type: yesno
#
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, rp_filter, routing flush,
# bootp_relay, proxy_arp, secure_redirects, accept_source_route
# icmp_echo_ignore_broadcasts, ipfrag_time)
#
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY=""

## Type: yesno
#
# Whether ip routing should be disabled when the firewall is shut
# down.
#
# Note: IPv4 only, IPv6 sysctls are left untouched
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_STOP_KEEP_ROUTING_STATE="no"

## Type: yesno
#
# Allow the firewall to reply to icmp echo requests
#
# defaults to "yes" if not set
#
FW_ALLOW_PING_FW=""

## Type: yesno
#
# Allow hosts in the dmz to be pinged from hosts in other zones even
# if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ=""

## Type: yesno
#
# Allow hosts in the external zone to be pinged from hosts in other
# zones even if neither FW_FORWARD nor FW_MASQUERADE is set
#
# Requires: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT=""

## Type: yesno
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specific ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
# to enter the machine but drop any other broadcasts
# - "yes" do not install any extra drop rules for
# broadcast packets. They'll be treated just as unicast
# packets in this case.
# - "no" drop all broadcast packets before other filtering
# rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
# - "yes" do not log dropped broadcast packets
# - "no" log all dropped broadcast packets
#
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type: list(yes,no,int,ext,dmz,)
#
# Specifies whether routing between interfaces of the same zone should be allowed
# Requires: FW_ROUTE="yes"
#
# Set this to allow routing between interfaces in the same zone,
# e.g. between all internet interfaces, or all internal network
# interfaces.
#
# Caution: Keep in mind that "yes" affects all zones. ie even if you
# need inter-zone routing only in the internal zone setting this
# parameter to "yes" would allow routing between all external
# interfaces as well. It's better to use
# FW_ALLOW_CLASS_ROUTING="int" in this case.
#
# Choice: "yes", "no", or space separated list of zone names
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
#
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
# You may override this value on a per zone basis by using a zone
# specific variable, e.g. FW_REJECT_DMZ="yes"
#
FW_REJECT=""

## Type: yesno
#
# see FW_REJECT for description
#
# default config file setting is "yes" assuming that slowing down
# portscans is not strictly required in the internal zone even if
# you protect yourself from the internal zone
#
FW_REJECT_INT=""

## Type: string
#
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers because queuing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
# traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets.
#
# - reject: reject all IPv6 packets. This is the default if stateful matching is
# not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether ip6tables supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 packets. This option
# only makes sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type: string
#
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""

## Type: string(no,auto)
#
# Set default firewall zone
#
# Format: 'auto', 'no' or name of zone.
#
# When set to 'no' no firewall rules will be installed for unknown
# or unconfigured interfaces. That means traffic on such interfaces
# hits the default drop rules.
#
# When left empty or when set to 'auto' the zone that has the
# interface string 'any' configured is used for all unconfigured
# interfaces (see FW_DEV_EXT). If no 'any' string was found the
# external zone is used.
#
# When a default zone is defined a catch all rule redirects traffic
# from interfaces that were not present at the time SuSEfirewall2
# was run to the default zone. Normally SuSEfirewall2 needs to be
# run if new interfaces appear to avoid such unknown interfaces.
#
# Defaults to 'auto' if not set
#
FW_ZONE_DEFAULT=''

## Type: list(yes,no,auto,)
## Default:
#
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
# iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""

## Type: string
#
# Which additional kernel modules to load at startup
#
# Example:
# FW_LOAD_MODULES="nf_conntrack_netbios_ns"
#
# See also FW_SERVICES_ACCEPT_RELATED_EXT
#
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

## Type: string
## Default:
#
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
#
# Example:
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""

## Type: string
#
# Whether traffic that is only bridged but not routed should be
# allowed. Such packets appear to pass though the forward chain so
# normally they would be dropped.
#
# Note: it is not possible to configure SuSEfirewall2 as bridging
# firewall. This option merely controls whether SuSEfirewall2 should
# try to not interfere with bridges.
#
# Choice:
# - yes: always install a rule to allow bridge traffic
# - no: don't install a rule to allow bridge traffic
# - auto: install rule only if there are bridge interfaces
#
# Defaults to "auto" if not set
#
FW_FORWARD_ALLOW_BRIDGING=""

## Type: yesno
#
# Write status information to /var/run/SuSEfirewall2/status for use
# by e.g. graphical user interfaces. Can safely be disabled on
# servers.
#
# Defaults to "yes" if not set
#
FW_WRITE_STATUS=""

## Type: yesno
#
# Allow dynamic configuration overrides in
# /var/run/SuSEfirewall2/override for use by e.g. graphical user
# interfaces. Can safely be disabled on servers.
#
# Defaults to "yes" if not set
#
FW_RUNTIME_OVERRIDE=""

## Type: yesno
#
# Install NOTRACK target for interface lo in the raw table. Doing so
# speeds up packet processing on the loopback interface. This breaks
# certain firewall setups that need to e.g. redirect outgoing
# packets via custom rules on the local machine.
#
# Defaults to "yes" if not set
#
FW_LO_NOTRACK=""

## Type: yesno
#
# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
# full rule set already. Default is to just install minimum rules
# that block incoming traffic. Set to "yes" if you use services
# such as drbd that require open ports during boot already.
#
# Defaults to "no" if not set
#
FW_BOOT_FULL_INIT="no"
linuxSLES:/etc/sysconfig #


Prints don't get done, don't get processed.
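
A check on the FW_SERVICES_ACCEPT_EXT block in the config above, written as an added example (not part of this post and not SuSEfirewall2's own code): it parses the net,protocol[,dport[,sport[,flags]]] entries and reports the two pitfalls the file's own comments describe (Note1: FW_SERVICES_EXT_TCP/UDP take precedence, Note2: ipt_recent flags with 0/0 and IPv6). The sample config is constructed to mirror the posted values; all function names are mine.

```python
"""Lint a SuSEfirewall2 sysconfig fragment for the precedence pitfalls its
own comments describe (Note1/Note2 under FW_SERVICES_ACCEPT_EXT).

Added example; not part of the forum post or of SuSEfirewall2 itself.
"""
import re

# Constructed sample mirroring the zone/service variables in the posted file.
SAMPLE_CONFIG = '''
FW_SERVICES_EXT_TCP="161 162 9100"
FW_SERVICES_EXT_UDP="161 162 427 5353 9100"
FW_CONFIGURATIONS_EXT="avahi"
FW_SERVICES_ACCEPT_EXT="10.0.25.0/24,udp,5353
10.0.25.0/24,udp,427
10.0.25.0/24,tcp,9100
10.0.25.0/24,udp,9100
0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
'''

# KEY="value"; the value may span several lines, as ACCEPT_EXT does above.
_ASSIGN = re.compile(r'^(FW_[A-Za-z0-9_]+)="([^"]*)"', re.MULTILINE)


def parse_sysconfig(text):
    """Return {variable: value} for every double-quoted FW_* assignment."""
    return {m.group(1): m.group(2) for m in _ASSIGN.finditer(text)}


def parse_accept_entry(entry):
    """Split net,protocol[,dport[,sport[,flags]]] into a dict.

    Flags are the trailing comma-separated key=value pairs (ipt_recent options).
    Empty fields (the ',,' before the flags) become None.
    """
    fields = entry.split(",")
    if len(fields) < 2:
        raise ValueError("entry needs at least net,protocol: %r" % entry)
    flags = {}
    for item in fields[4:]:
        if item:
            key, _, value = item.partition("=")
            flags[key] = value
    return {
        "net": fields[0],
        "proto": fields[1].lower(),
        "dport": fields[2] if len(fields) > 2 and fields[2] else None,
        "sport": fields[3] if len(fields) > 3 and fields[3] else None,
        "flags": flags,
    }


def lint_accept_ext(config):
    """Return warnings for FW_SERVICES_ACCEPT_EXT entries.

    Note1: a port also listed in FW_SERVICES_EXT_TCP/UDP is already open to
    everyone, so the ACCEPT entry's network restriction and flags never apply.
    Note2: the recent module may be missing for IPv6; 0.0.0.0/0 instead of 0/0
    installs the rule for IPv4 only and avoids the error.
    """
    warnings = []
    zone_ports = {
        "tcp": set(config.get("FW_SERVICES_EXT_TCP", "").split()),
        "udp": set(config.get("FW_SERVICES_EXT_UDP", "").split()),
    }
    # Entries are separated by whitespace, so newlines inside the value are fine.
    for raw in config.get("FW_SERVICES_ACCEPT_EXT", "").split():
        e = parse_accept_entry(raw)
        if e["dport"] and e["dport"] in zone_ports.get(e["proto"], set()):
            warnings.append(
                "%s: %s/%s is already opened to everyone by FW_SERVICES_EXT_%s, "
                "so the restriction to %s never applies"
                % (raw, e["dport"], e["proto"], e["proto"].upper(), e["net"]))
        if e["flags"] and e["net"] == "0/0":
            warnings.append(
                "%s: ipt_recent flags with 0/0 may fail for IPv6; use 0.0.0.0/0"
                % raw)
    return warnings


if __name__ == "__main__":
    for warning in lint_accept_ext(parse_sysconfig(SAMPLE_CONFIG)):
        print("WARNING", warning)
```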

KBOYLE
22-Mar-2017, 04:13
hcp dk wrote:

> Prints don't get done, don't get processed.

There are some minor differences between your SLES firewall and your
SLED firewall configuration but, for now, don't worry about it.

Something is preventing communication with your printer even when the
firewall is disabled.

Can you ping your HP printer from SLED?

Can you ping your HP printer from SLES?

Please run ifconfig on your SLES system and post the results.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

hcp_dk
24-Mar-2017, 21:14
Hi Kevin,

Yes, I can ping the printer from SLES and SLED.
I had to set the SLES firewall (stationary PC) to internal since otherwise I cannot search in the Active Directory, the LAN system.


linuxSLES:/home/hans-christoph # ifconfig
eth0 Link encap:Ethernet HWaddr 00:19:99:C2:BD:C4
inet addr:10.0.25.143 Bcast:10.0.25.255 Mask:255.255.255.0
inet6 addr: fe80::219:99ff:fec2:bdc4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:45401574 errors:0 dropped:0 overruns:0 frame:0
TX packets:37255934 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:55023491383 (52474.4 Mb) TX bytes:44257484763 (42207.2 Mb)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:2290 errors:0 dropped:0 overruns:0 frame:0
TX packets:2290 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:173179 (169.1 Kb) TX bytes:173179 (169.1 Kb)

virbr0 Link encap:Ethernet HWaddr 52:54:00:96:00:02
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:258 errors:0 dropped:0 overruns:0 frame:0
TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:31506 (30.7 Kb) TX bytes:532 (532.0 b)

KBOYLE
25-Mar-2017, 18:46
> Hi Kevin,
> I had to set the SLES firewall (stationary PC) to internal since otherwise I cannot search in the Active Directory, the LAN system.


As I mentioned in an earlier post regarding your SLED...

When you only have one zone, it should be the External zone and you should configure rules for all the services you need. This requires a bit more work but you want to keep your laptop secure. Normally, your firewall does not require special configuration to allow outgoing packets or to allow responses to them and there should only be a few cases where you want to allow unsolicited incoming packets.

You were able to print from SLED after your firewall was correctly configured. While you still may have additional printing issues on SLES, let's try to get your SLES firewall working first.

Ideally, you want to block everything and only open the ports you need. You should verify what ports need to be open on your Windows Server and on client machines. This TechNet article may help: Active Directory and Active Directory Domain Services Port Requirements (https://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx).

In the meantime, until we get the firewall working, you can allow all traffic between SLES and your Windows Server.

Using YaST Firewall:

Ensure all interfaces are assigned to the External zone.
Setup 2 Custom Rules to allow all traffic between SLES and Windows Server.

Source Network is your Windows Server (10.0.25.4?); Protocol is TCP; Other fields left blank.
Source Network is your Windows Server (10.0.25.4?); Protocol is UDP; Other fields left blank.


Restart your firewall
Verify you can "search in the Active Directory".


Please report your findings.

KBOYLE
25-Mar-2017, 21:47
> While you still may have additional printing issues on SLES, let's try to get your SLES firewall working first.
After you have reconfigured your firewall, it would be interesting to see just what ports are open on your SLES system.

From your SLED system, as root, run the following command and report the results.

nmap --open -T4 -p1-65535 10.0.25.143
If nmap is not installed, you can install it.

zypper install nmap

hcp_dk
29-Mar-2017, 22:10
Hi Kyle,
now I'm back.

SLED: actually I can't print from SLED at all, neither with nor without the firewall. I have no clue why. The data does not even reach the printer. Maybe due to updates?

SLES: I did as mentioned above.
Actually I can access the windows network.

Trying to print a 4MB PDF: the data arrives at the printer, but no printing happens.

hcp_dk
29-Mar-2017, 22:13
This is the log for the external firewall setup as mentioned before:

linuxSLES:/home/hans-christoph # nmap --open -T4 -p1-65535 10.0.25.143

Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-29 22:10 CEST
Nmap scan report for 10.0.25.143
Host is up (0.000011s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3689/tcp open rendezvous

Nmap done: 1 IP address (1 host up) scanned in 5.88 seconds
linuxSLES:/home/hans-christoph #


This is for the internal firewall setup:

linuxSLES:/home/hans-christoph # nmap --open -T4 -p1-65535 10.0.25.143

Starting Nmap 6.47 ( http://nmap.org ) at 2017-03-29 22:12 CEST
Nmap scan report for 10.0.25.143
Host is up (0.0000090s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3689/tcp open rendezvous

Nmap done: 1 IP address (1 host up) scanned in 5.81 seconds
linuxSLES:/home/hans-christoph #


no difference... And there are not many ports open.

KBOYLE
30-Mar-2017, 20:47
> no difference...
I see that!

> And there are not many ports open.
I see that too!

Your previous post shows you opened ports in the External Zone for the 10.0.25.0/24 network:


Did you restart your firewall after configuring it?
Did you run the nmap port scan from an IP address in the 10.0.25.0/24 network?


If you expect printing and other services to work, you have to ensure the appropriate ports are open. You can use nmap from another device on your network to verify that the ports are open. If they are not open, then you have to determine why.

There is still the message about "Another Firewall Active". It appears that message is displayed when starting YaST Firewall if there are entries in iptables. I have not been able to determine why entries remain in iptables after stopping your firewall but they can be removed by flushing iptables as described previously.

Try this to see what you can learn:

Ensure interfaces are assigned to the Firewall's External Zone
Restart your firewall
Run nmap and make a note of the open ports.
Stop the firewall.
Run nmap a second time and make a note of the open ports.
Flush iptables.
Run nmap a third time and make a note of the open ports.


If the necessary ports still remain closed, then you will need additional troubleshooting that is beyond what can be provided via the forums. I suggest you open a Service Request for this issue. You may want to refer the support person to this lengthy thread so they see what has already been tried.

You stated previously that you installed packages from unsupported (non SLE) repositories. There may be incompatibilities between those unsupported packages you installed and the SLE packages already installed on your system that could be responsible for this behavior. If that is so, then you may be on your own to find a solution.
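
The three scans in the procedure above can be compared mechanically. This is an added example, not code from the thread: it parses nmap's normal output and gives each port a verdict according to which of the three runs first showed it open. The three scan texts are constructed; the first copies the ports from the scan posted earlier in the thread, the other two are invented so that every verdict occurs (631 and 5900 do not come from the thread), and EXPECTED holds the TCP ports the posted config opens in FW_SERVICES_EXT_TCP.

```python
"""Attribute closed ports to SuSEfirewall2 rules, leftover iptables rules,
or simply no listening service, from three nmap runs taken with the
firewall running, stopped, and after flushing iptables.

Added example, not part of the forum thread.
"""
import re

# Constructed sample outputs in nmap's normal format.
SCAN_FIREWALL_RUNNING = """\
Nmap scan report for 10.0.25.143
Host is up (0.00012s latency).
Not shown: 65531 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3689/tcp open  rendezvous
"""

SCAN_FIREWALL_STOPPED = """\
Nmap scan report for 10.0.25.143
PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
3689/tcp open  rendezvous
"""

SCAN_IPTABLES_FLUSHED = """\
Nmap scan report for 10.0.25.143
PORT     STATE SERVICE
22/tcp   open  ssh
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
631/tcp  open  ipp
3689/tcp open  rendezvous
5900/tcp open  vnc
"""

# Ports the posted config opens via FW_SERVICES_EXT_TCP="161 162 9100".
EXPECTED = {(161, "tcp"), (162, "tcp"), (9100, "tcp")}

# "22/tcp   open  ssh"; the "Not shown: ... closed ports" line does not match.
_PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+open\b")


def open_ports(scan_output):
    """Return {(port, proto)} for every line nmap reports as open."""
    ports = set()
    for line in scan_output.splitlines():
        m = _PORT_LINE.match(line)
        if m:
            ports.add((int(m.group(1)), m.group(2)))
    return ports


def classify(expected, running, stopped, flushed):
    """Map every port of interest to a verdict.

    A port first seen open after stopping the firewall was blocked by the
    SuSEfirewall2 rule set; one first seen after the flush was blocked by
    rules SuSEfirewall2 did not remove ("Another Firewall Active"); a port
    never seen open has no listener, so the firewall is not the cause.
    """
    verdicts = {}
    for p in sorted(expected | running | stopped | flushed):
        if p in running:
            verdicts[p] = "open through the firewall"
        elif p in stopped:
            verdicts[p] = "blocked by SuSEfirewall2 rules"
        elif p in flushed:
            verdicts[p] = "blocked by leftover iptables rules"
        else:
            verdicts[p] = "no service listening; the firewall is not the cause"
    return verdicts


def run_procedure():
    """Classify the three constructed scans against EXPECTED."""
    return classify(EXPECTED, open_ports(SCAN_FIREWALL_RUNNING),
                    open_ports(SCAN_FIREWALL_STOPPED),
                    open_ports(SCAN_IPTABLES_FLUSHED))


if __name__ == "__main__":
    for (port, proto), verdict in run_procedure().items():
        print("%5d/%s  %s" % (port, proto, verdict))
```

Run the three scans from another host on the 10.0.25.0/24 network: a scan of the machine's own address travels over the loopback interface, which SuSEfirewall2 accepts without applying zone rules, which is why the two scans posted from SLES itself came out identical.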

KBOYLE
30-Mar-2017, 20:58
Hi Kyle,
now I'm back.

SLED: actually I can't print from SLED at all. Not with or without firewall. I have no clue why. The data does not even reach the printer. Maybe due to updates?

That is unfortunate.

What did you change?
Can you run an nmap port scan from your SLES server to see what ports are open on your SLED laptop?




SLES: I did as mentioned above.
Actually I can access the windows network.
I thought that might help. :D


Try printing a 4MB large PDF. Data arrive at the printer. But no printing happens.
That may be related to a port issue or perhaps a driver issue. I don't remember if you were ever able to print to the HP printer from SLES. To verify that the driver is installed correctly, are you able to print from SLES via a USB connection?

hcp_dk
01-Apr-2017, 17:50
Hi Kevin,

I did these nmap scans from SLES (inside). I can do it from outside too - later, with both setups (external open ports and internal).
Firewall is restarted every time, but I can reboot each time.
The modules I installed have nothing to do with firewall. It's codecs and FreeCad, Shutter (try that - very good program).

But there is something myth with this firewall.

SUSE service has spent half a day on SLES and tried a lot (remote). Now they opened a bug. But as you said, there is a point regarding firewall.
Let's collect data.
I'm now off for a week - in Denver CO.
I have my SLED laptop with me.

hcp_dk
01-Apr-2017, 17:52
Yes, USB print works.

As we figured out before: It is a problem of network and HP specific.

KBOYLE
01-Apr-2017, 21:58
Hi Kevin,

I did these nmap scans from SLES (inside). I can do it from outside too - later, with both setups (external open ports and internal).

The firewall normally doesn't block outgoing traffic but it is supposed to block all incoming traffic. To allow access to certain services on your system, you configure your firewall to open specific ports to incoming traffic. To find what ports are open, you run nmap from outside your system.

To find what ports are open on SLES you would run nmap on your SLED system and scan your SLES system.
To find what ports are open on SLED you would run nmap on your SLES system and scan your SLED system.



The modules I installed have nothing to do with firewall. It's codecs and FreeCad, Shutter (try that - very good program).
They may not have anything to do directly with the firewall but most programs have dependencies on other modules and libraries. By installing packages from unsupported repositories you may have changed other modules needed by SLE which could result in strange behaviors like the ones you are experiencing.


But there is something myth with this firewall.

SUSE service has spent half a day on SLES and tried a lot (remote). Now they opened a bug. But as you said, there is a point regarding firewall.
Let's collect data.
I'm now off for a week - in Denver CO.
I have my SLED laptop with me.

If SUSE support is working on this we should wait to see what they find. Why don't you report back after they finish?

KBOYLE
01-Apr-2017, 22:05
Yes, USB print works.

As we figured out before: It is a problem of network and HP specific.

In a previous post you said you couldn't print from SLES to the HP printer. I wanted to confirm that it wasn't a driver issue on your SLES system.

Let's wait to see what SUSE support can find.

hcp_dk
13-Apr-2017, 13:07
After some work from SUSE and via the Forum regarding CUPS and Firewall, and some time spent, we found out the print job loses a lot of data. I could print from Windows out of KVM - but even there it took some time and I lost data.
Since hardware was new, the last weak point seems to be the printer.
Update Firmware:
Update Firmware is always a risk.
- download firmware from HP and unpack on your PC
- on your browser type the IP address of the printer and go into the printer.
- update firmware via LAN
After update of Firmware, the printer works very fast and fine.

BUT: the HP printers do NOT work without HPLIP.
The printer NEEDS to be installed via HPLIP. This demands all interfaces on internal. After installation, interfaces might be on external again.
The print still works.

hcp_dk
13-Apr-2017, 13:09
Hi Kevin,

as you can see, after some intense work and analysis of files and data and logs I updated firmware and the printer works well. The HPLIP installation is a little bit tricky but possible.

KBOYLE
13-Apr-2017, 20:31
After some work from SUSE and via the Forum regarding CUPS and Firewall, and some time spent, we found out the print job loses a lot of data. I could print from Windows out of KVM - but even there it took some time and I lost data.

Troubleshooting is a process of elimination.

In a very early post you said:

HP LaserJet 700 MFP 755 from Windows: No problem wherever in network.

Then you said:

I can print
- via USB
- via Windows in a KVM virtual box !!
- on Dell printer
- sometimes - randomly it happens

Conclusion: If you can print from Windows, then the printer is okay.

Once you realized you do have errors when you print from Windows, that suggests there is an issue with the printer.


Since hardware was new, the last weak point seems to be the printer.
Update Firmware:
Update Firmware is always a risk.
- download firmware from HP and unpack on your PC
- on your browser type the IP address of the printer and go into the printer.
- update firmware via LAN
After update of Firmware, the printer works very fast and fine.

That makes sense. I'm glad the new firmware resolved your issue!



BUT: the HP printers do NOT work without HPLIP.
The printer NEEDS to be installed via HPLIP.

You knew this in the beginning.

HPLIP requires that certain ports are open. You tried to open the ports but did not configure your firewall correctly. That's why it didn't work.


This demands all interfaces on internal.

No! The required ports need to be open.

Assigning an interface to the Internal zone allows all traffic. No ports are blocked. All ports are open.

The right way to do this is to assign the interface to the External zone and make sure the correct ports are open. This way your system remains protected and you can print.


After installation, interfaces might be on external again.
The print still works.

Yes, it would be a good idea to do that!

I'm glad you finally identified the problem and got your printer working. Thank you for updating this thread so others reading it will also have the solution.
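An added example, not from the thread or from SUSE, of checking a SuSEfirewall2-style /etc/sysconfig/SuSEfirewall2 file for the two settings contrasted above: an interface parked in the Internal zone (nothing filtered) versus the External zone with only HPLIP's discovery ports (mDNS 5353/udp, SLP 427/udp) opened. The config text is constructed sample data and the audit function is my own.

```shell
# Constructed /etc/sysconfig/SuSEfirewall2 fragments (sample values, not the
# poster's real configuration). The variable names are SuSEfirewall2's own.
WEAK_CONFIG='FW_DEV_EXT=""
FW_DEV_INT="eth0"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""'

FIXED_CONFIG='FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="5353 427"'

# Read one variable's value out of sysconfig-style text without sourcing it,
# so a broken or tampered file cannot execute anything.
cfg_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p"
}

# Print one line per finding; print nothing when the config is sound.
# Required incoming ports for HPLIP device discovery: mDNS 5353/udp, SLP 427/udp.
audit_firewall_cfg() {
    cfg=$1
    int_devs=$(cfg_value "$cfg" FW_DEV_INT)
    if [ -n "$int_devs" ]; then
        echo "interface(s) in Internal zone, nothing is filtered: $int_devs"
    fi
    for spec in 5353/udp 427/udp; do
        port=${spec%/*}; proto=${spec#*/}
        case $proto in
            udp) allowed=$(cfg_value "$cfg" FW_SERVICES_EXT_UDP) ;;
            tcp) allowed=$(cfg_value "$cfg" FW_SERVICES_EXT_TCP) ;;
        esac
        case " $allowed " in
            *" $port "*) ;;   # port is opened in the External zone
            *) echo "required port $spec not opened in External zone" ;;
        esac
    done
}
```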