ttrcf wrote:

> I am using a SLES 15 machine with 2 network cards as a router for a
> private network to the internet. I have set up IP masquerading and
> machines in the 'private' network can access the internet
> successfully.
> What I want to do now is limit the outbound traffic from the private
> network to the external network to a selection of TCP ports and block
> everything else. I need to allow port 22 (SSH) and a few ports on an
> external licence server but nothing else (no http or https for
> example) but I am struggling to see how to set up firewalld to do this.
> The firewall is running and the internal zone allows https as my
> router machine is running rmt for patching and registration but I
> only want this to apply to connections from the internal (private)
> networks to the router itself, not via the masquerading process to the
> external network.
> Can anyone offer any advice or links to resources on how to set this
> up?
> Thanks
> Rob

Hi Rob,

How are you configuring your firewall?

- YaST provides an easy way to configure a simple firewall and the
configuration is saved in /etc/sysconfig/SuSEfirewall2.
- You have more control over what is configured if you edit
/etc/sysconfig/SuSEfirewall2 directly.

The configuration specified in SuSEfirewall2 is used to create the
actual firewall rules via iptables. If you know what you are doing you
can use iptables directly and obtain very granular control over how the
firewall behaves. (man iptables)

To simplify your configuration, SuSEfirewall2 makes a number of
assumptions including: internal zones have access to external zones;
external zones do not have access to other zones; services running on
your firewall system are generally not accessible from other systems.
Then, of course, the rest of the firewall configuration involves
creating exceptions to these rules but there are only so many types of
exceptions that can be created even by editing SuSEfirewall2 directly.

Sometimes it may be necessary to think outside the box!

I haven't tried this but what happens if you set up both interfaces as
external? By default external interfaces don't have access to anything.
Could you not then define precisely what traffic is permitted to and
from each interface and which interface has access to services on the
firewall itself?

Kevin Boyle - Knowledge Partner
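
Added example, not part of the original posts: one way to use iptables directly, as the reply mentions, to limit routed (masqueraded) traffic to SSH plus a licence server while leaving access to services on the router itself alone. The interface names, licence server address and ports are placeholders, and it assumes the FORWARD chain is managed by hand rather than by another tool.

```shell
#!/bin/sh
# Added example: emit iptables commands that restrict FORWARDED traffic only.
# All values below are placeholders (assumptions), not taken from the post.
INT_IF="${INT_IF:-eth1}"                      # interface facing the private network
EXT_IF="${EXT_IF:-eth0}"                      # interface facing the internet
LICENCE_HOST="${LICENCE_HOST:-192.0.2.10}"    # documentation address (RFC 5737)
LICENCE_PORTS="${LICENCE_PORTS:-27000 27001}" # constructed sample ports

# Return 0 only for a decimal TCP port in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule set; nothing is applied, so it can be reviewed first.
forward_rules() {
    # Validate every port before emitting anything.
    for p in $LICENCE_PORTS; do
        valid_port "$p" || { echo "invalid port: $p" >&2; return 1; }
    done
    # Default-deny for routed packets. INPUT (e.g. https to rmt on the
    # router itself) is a different chain and is not touched here.
    echo "iptables -P FORWARD DROP"
    echo "iptables -F FORWARD"
    # Replies to connections that were already allowed out.
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # New SSH connections from the private network to anywhere outside.
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # New connections to the licence server, one rule per port.
    for p in $LICENCE_PORTS; do
        echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -p tcp -d $LICENCE_HOST --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log what falls through before the DROP policy applies.
    echo "iptables -A FORWARD -i $INT_IF -m limit --limit 5/min -j LOG --log-prefix fwd-drop:"
}
# To apply after review, as root: forward_rules | sh
```

Masquerading lives in the nat table's POSTROUTING chain, so these filter-table rules do not change it; they only decide which forwarded connections are allowed to reach it.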