221. SuSEFirewall

Interface manipulation of /etc/sysconfig/SuSEFirewall

221.1. Summary of Module Globals

List of Global Functions

  • ActivateConfiguration - Function which stops the firewall and then starts it again immediately if it is configured to be started: see SetStartService(boolean).

  • AddForwardIntoMasqueradeRule - Adds a forward-into-masquerade rule.

  • AddInterfaceIntoZone - Function adds an interface into the given zone. All occurrences of the interface in other zones are removed.

  • AddService - Function adds a service into the selected zone (or the zone of the interface) for the selected protocol. Function takes care of port aliases: first of all, it removes all of them.

  • AddSpecialInterfaceIntoZone - Function adds a special string into the given zone.

  • AddXenSupport - Function adds a special interface into the FW_FORWARD_ALWAYS_INOUT_DEV variable.

  • DisableServices - Function disables the services needed for SuSEFirewall in /etc/init.d/

  • EnableServices - Function enables the services needed for SuSEFirewall in /etc/init.d/

  • Export - Function for getting the exported SuSEFirewall configuration.

  • GetAdditionalServices - Function returns a list of services/ports which are not assigned to any fully supported known service.

  • GetAllKnownInterfaces - Function returns a list of maps of known interfaces. Interfaces handled by NetworkManager are not returned at all.

  • GetAllNonDialUpInterfaces - Function returns a list of non-dial-up interfaces. Interfaces handled by NetworkManager are not returned at all.

  • GetBroadcastAllowedPorts - Local function returns a map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets.

  • GetEnableService - Function which returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during the Write() process.

  • GetFirewallInterfaces - Function returns all interfaces already configured in the firewall.

  • GetFirewallInterfacesMap - Function returns map of `interfaces in zones`.

  • GetIgnoreLoggingBroadcast - Function returns yes/no - whether broadcast logging is ignored for the zone.

  • GetInterfacesInZone - Function returns a list of known interfaces in the requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from the list.

  • GetInterfacesInZoneSupportingAnyFeature - Function returns a list of known interfaces in the requested zone. The special string 'any' in the EXT zone covers all interfaces without any zone assignment.

  • GetKnownFirewallZones - Function returns a list of known firewall zones (shortnames).

  • GetListOfForwardsIntoMasquerade - Function returns a list of rules forwarding ports to masqueraded IPs.

  • GetListOfKnownInterfaces - Function returns a list of all known interfaces (those not handled by NetworkManager).

  • GetLoggingSettings - Function returns the current logging state for the rule given as parameter.

  • GetMasquerade - Function returns the current state of masquerading support.

  • GetModified - Function returns whether any firewall configuration was modified.

  • GetProtectFromInternalZone - Function returns whether the firewall is protected from the internal zone.

  • GetServices - Function returns a map of supported services in all firewall zones.

  • GetServicesInZones - Function returns a map of supported services in all network interfaces.

  • GetSpecialInterfacesInZone - Function returns a list of special strings like 'any' or 'auto' and unknown interfaces.

  • GetStartService - Function which returns whether SuSEfirewall should be started during the Write process.

  • GetSupportRoute - Function returns whether the firewall supports routing.

  • GetTrustIPsecAs - Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

  • GetZoneFullName - Function returns the name of the zone identified by its shortname.

  • GetZoneOfInterface - Function returns the firewall zone of an interface, or nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first occurrence is then returned. Interfaces handled by NetworkManager always return 'nil'.

  • GetZonesOfInterfaces - Function returns a list of zones of the requested interfaces.

  • GetZonesOfInterfacesWithAnyFeatureSupported - Function returns a list of zones of the requested interfaces. The special string 'any' in the 'EXT' zone is supported.

  • HaveService - Function returns whether the requested service is allowed in the respective zone. Function takes care of the service's aliases (only for TCP and UDP).

  • Import - Function for setting the SuSEFirewall configuration from input.

  • InterfacesSupportedByAnyFeature - Returns a list of interfaces not assigned to any zone and therefore covered by the special string 'any' in zone 'EXT', if that string exists there and the requested zone is EXT.

  • IsAnyNetworkInterfaceSupported - Function returns whether the 'any' network interface feature is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

  • IsEnabled - Function determines whether all SuSEFirewall scripts are currently enabled in the init scripts in /etc/init.d/. For the configured "enabled" status use GetEnableService().

  • IsInterfaceInZone - Function returns whether the interface is in the zone. Interfaces handled by NetworkManager always return 'false'.

  • IsOtherFirewallRunning - Function returns whether any firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to get the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

  • IsServiceSupportedInZone - Function returns whether the service is supported (allowed) in the zone. The service must be defined in SuSEFirewallServices.

  • IsStarted - Function determines whether at least one SuSEFirewall script is currently started. For the configured "started" status use GetStartService().

  • Read - Function for reading the SuSEFirewall configuration. Fills internal variables only.

  • RemoveForwardIntoMasqueradeRule - Function removes a forward-into-masquerade rule from the list of current rules.

  • RemoveInterfaceFromZone - Function removes an interface from the given zone.

  • RemoveService - Function removes a service from the selected zone (or for the interface) for the selected protocol. Function takes care of port aliases and removes all of them.

  • RemoveSpecialInterfaceFromZone - Function removes a special string from the given zone.

  • ResetReadFlag - Function resets the flag that prevents reading the configuration from disk again.

  • SaveAndRestartService - Function for saving the configuration and restarting the firewall. It is the same as Write() but the write is always forced.

  • SetAdditionalServices - Function sets additional ports/services from the given list. First, all additional services are removed together with their aliases. Second, the new ports/protocols are added.

  • SetBroadcastAllowedPorts - Function creates the allowed-broadcast-ports string from the broadcast map and saves it.

  • SetEnableService - Function which sets whether SuSEfirewall should be enabled during the Write process.

  • SetIgnoreLoggingBroadcast - Function sets yes/no - whether broadcast logging is ignored for the zone.

  • SetLoggingSettings - Function sets the logging state for the rule given as parameter.

  • SetMasquerade - Function sets masquerade support.

  • SetModified - Function sets the internal "firewall settings were modified" flag to "true".

  • SetProtectFromInternalZone - Function sets whether the firewall should be protected from the internal zone.

  • SetServices - Function sets the status of several services on several network interfaces.

  • SetServicesForZones - Function sets the status of several services in several firewall zones.

  • SetStartService - Function which sets whether SuSEfirewall should be started during the Write process.

  • SetSupportRoute - Function sets whether the firewall should support routing.

  • SetTrustIPsecAs - Function sets how the firewall should trust successfully decrypted IPsec packets. The value should be a zone shortname, or 'no' to trust such packets the same way the firewall trusts the zone from which the IPsec packet came.

  • StartServices - Function starts the services needed for SuSEFirewall.

  • StopServices - Function stops the services needed for SuSEFirewall.

  • Write - Function for writing and enabling the configuration; it is a union of WriteConfiguration() and ActivateConfiguration().

  • WriteConfiguration - Function writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the SetEnableService(boolean) setting. This only writes the configuration: the firewall is never started, only enabled or disabled.

  • WriteOnly - Helper function for backward compatibility. See WriteConfiguration(). Remove from code ASAP.

List of Global Variables

    221.2. Global Functions

    221.2.1. ActivateConfiguration

    Function which stops the firewall and then starts it again immediately if it is configured to be started: see SetStartService(boolean).

    Return value

    • boolean - if successful

    221.2.2. AddForwardIntoMasqueradeRule

    Adds a forward-into-masquerade rule.

    Function parameters

    • string source_net

    • string forward_to_ip

    • string protocol

    • string req_port

    • string redirect_to_port

    • string requested_ip

    Return value

    • void

    221.2.3. AddInterfaceIntoZone

    Function adds an interface into the given zone. All occurrences of the interface in other zones are removed.

    Function parameters

    • string interface

    • string zone

    Return value

    • void

    221.2.4. AddService

    Function adds a service into the selected zone (or the zone of the interface) for the selected protocol. Function takes care of port aliases: first of all, it removes all of them.

    Function parameters

    • string service

    • string protocol

    • string interface

    Return value

    • boolean - success

    221.2.5. AddSpecialInterfaceIntoZone

    Function adds a special string into the given zone.

    Function parameters

    • string interface

    • string zone

    Return value

    • void

    221.2.6. AddXenSupport

    Function adds a special interface into the FW_FORWARD_ALWAYS_INOUT_DEV variable.

    Return value

    • void

    221.2.7. DisableServices

    Function disables the services needed for SuSEFirewall in /etc/init.d/

    Return value

    • boolean - result

    221.2.8. EnableServices

    Function enables the services needed for SuSEFirewall in /etc/init.d/

    Return value

    • boolean - result

    221.2.9. Export

    Function for getting the exported SuSEFirewall configuration.

    Return value

    • map <string, any> - with configuration

    221.2.10. GetAdditionalServices

    Function returns a list of services/ports which are not assigned to any fully supported known service.

    Function parameters

    • string protocol

    • string zone

    Return value

    • list <string> - of additional (unassigned) services

    221.2.11. GetAllKnownInterfaces

    Function returns a list of maps of known interfaces. Interfaces handled by NetworkManager are not returned at all.

    Return value

    • list <map <string, string> >

    [ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

    221.2.12. GetAllNonDialUpInterfaces

    Function returns a list of non-dial-up interfaces. Interfaces handled by NetworkManager are not returned at all.

    Return value

    • list <string> - of non-dial-up interface names

    221.2.13. GetBroadcastAllowedPorts

    Local function returns a map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets.

    Return value

    • map <string, list <string> > - <zone, list <string> >; the strings are allowed ports or port ranges

    221.2.14. GetEnableService

    Function which returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during the Write() process.

    Return value

    • boolean - if the firewall should be enabled

    221.2.15. GetFirewallInterfaces

    Function returns all interfaces already configured in the firewall.

    Return value

    • list<string> - of configured interfaces

    221.2.16. GetFirewallInterfacesMap

    Function returns map of `interfaces in zones`.

    Return value

    • map <string, list <string> >

    map [zone : [list of interfaces]]

    221.2.17. GetIgnoreLoggingBroadcast

    Function returns yes/no - whether broadcast logging is ignored for the zone.

    Function parameters

    • string zone

    Return value

    • string

    221.2.18. GetInterfacesInZone

    Function returns a list of known interfaces in the requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from the list.

    Function parameters

    • string zone

    Return value

    • list<string> - of interfaces

    221.2.19. GetInterfacesInZoneSupportingAnyFeature

    Function returns a list of known interfaces in the requested zone. The special string 'any' in the EXT zone covers all interfaces without any zone assignment.

    Function parameters

    • string zone

    Return value

    • list<string> - of interfaces

    221.2.20. GetKnownFirewallZones

    Function returns a list of known firewall zones (shortnames).

    Return value

    • list <string> - of firewall zones

    221.2.21. GetListOfForwardsIntoMasquerade

    Function returns a list of rules forwarding ports to masqueraded IPs.

    Return value

    • list <map <string, string> >

    list [$[ key: value ]]

    221.2.22. GetListOfKnownInterfaces

    Function returns a list of all known interfaces (those not handled by NetworkManager).

    Return value

    • list <string> - of interfaces

    221.2.23. GetLoggingSettings

    Function returns the current logging state for the rule given as parameter.

    Function parameters

    • string rule

    Return value

    • string - 'ALL', 'CRIT', or 'NONE'

    221.2.24. GetMasquerade

    Function returns the current state of masquerading support.

    Return value

    • boolean - if supported

    221.2.25. GetModified

    Function returns whether any firewall configuration was modified.

    Return value

    • boolean - if the configuration was modified

    221.2.26. GetProtectFromInternalZone

    Function returns whether the firewall is protected from the internal zone.

    Return value

    • boolean - if protected from internal

    221.2.27. GetServices

    Function returns a map of supported services in all firewall zones.

    Function parameters

    • list<string> services

    Return value

    • map <string, map <string, boolean> >

    Returns map $[service, map $[ zone_name : supported_status]]

    221.2.28. GetServicesInZones

    Function returns a map of supported services in all network interfaces.

    Function parameters

    • list<string> services

    Return value

    • map <string, map <string, boolean> >

    Returns map $[service, map $[ interface : supported_status ]]

    221.2.29. GetSpecialInterfacesInZone

    Function returns a list of special strings like 'any' or 'auto' and unknown interfaces.

    Function parameters

    • string zone

    Return value

    • list <string> - special strings or unknown interfaces

    221.2.30. GetStartService

    Function which returns whether SuSEfirewall should be started during the Write process.

    Return value

    • boolean - if the firewall should start

    221.2.31. GetSupportRoute

    Function returns whether the firewall supports routing.

    Return value

    • boolean - if route is supported

    221.2.32. GetTrustIPsecAs

    Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

    Return value

    • string - zone or "no"

    221.2.33. GetZoneFullName

    Function returns the name of the zone identified by its shortname.

    Function parameters

    • string zone

    Return value

    • string - zone name

    221.2.34. GetZoneOfInterface

    Function returns the firewall zone of an interface, or nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first occurrence is then returned. Interfaces handled by NetworkManager always return 'nil'.

    Function parameters

    • string interface

    Return value

    • string - zone, or nil if the interface is in no zone

    221.2.35. GetZonesOfInterfaces

    Function returns a list of zones of the requested interfaces.

    Function parameters

    • list<string> interfaces

    Return value

    • list<string>

    221.2.36. GetZonesOfInterfacesWithAnyFeatureSupported

    Function returns a list of zones of the requested interfaces. The special string 'any' in the 'EXT' zone is supported.

    Function parameters

    • list<string> interfaces

    Return value

    • list<string>

    221.2.37. HaveService

    Function returns whether the requested service is allowed in the respective zone. Function takes care of the service's aliases (only for TCP and UDP).

    Function parameters

    • string service

    • string protocol

    • string interface

    Return value

    • boolean - if service is allowed

    221.2.38. Import

    Function for setting the SuSEFirewall configuration from input.

    Function parameters

    • map <string, any> import_settings

    Return value

    • void

    221.2.39. InterfacesSupportedByAnyFeature

    Returns a list of interfaces not assigned to any zone and therefore covered by the special string 'any' in zone 'EXT', if that string exists there and the requested zone is EXT.

    Function parameters

    • string zone

    Return value

    • list<string> - of interfaces covered by special string 'any'

    221.2.40. IsAnyNetworkInterfaceSupported

    Function returns whether the 'any' network interface feature is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

    Return value

    • boolean - whether the feature is supported

    221.2.41. IsEnabled

    Function determines whether all SuSEFirewall scripts are currently enabled in the init scripts in /etc/init.d/. For the configured "enabled" status use GetEnableService().

    Return value

    • boolean - if enabled

    221.2.42. IsInterfaceInZone

    Function returns whether the interface is in the zone. Interfaces handled by NetworkManager always return 'false'.

    Function parameters

    • string interface

    • string zone

    Return value

    • boolean - is in zone

    221.2.43. IsOtherFirewallRunning

    Function returns whether any firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to get the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

    Return value

    • boolean - if other firewall is running

    221.2.44. IsServiceSupportedInZone

    Function returns whether the service is supported (allowed) in the zone. The service must be defined in SuSEFirewallServices.

    Function parameters

    • string service

    • string zone

    Return value

    • boolean - if supported

    221.2.45. IsStarted

    Function determines whether at least one SuSEFirewall script is currently started. For the configured "started" status use GetStartService().

    Return value

    • boolean - if started

    221.2.46. Read

    Function for reading the SuSEFirewall configuration. Fills internal variables only.

    Return value

    • boolean

    221.2.47. RemoveForwardIntoMasqueradeRule

    Function removes a forward-into-masquerade rule from the list of current rules.

    Function parameters

    • integer remove_item - index of the rule to remove

    Return value

    • void

    221.2.48. RemoveInterfaceFromZone

    Function removes an interface from the given zone.

    Function parameters

    • string interface

    • string zone

    Return value

    • void

    221.2.49. RemoveService

    Function removes a service from the selected zone (or for the interface) for the selected protocol. Function takes care of port aliases and removes all of them.

    Function parameters

    • string service

    • string protocol

    • string interface

    Return value

    • boolean - success

    221.2.50. RemoveSpecialInterfaceFromZone

    Function removes a special string from the given zone.

    Function parameters

    • string interface

    • string zone

    Return value

    • void

    221.2.51. ResetReadFlag

    Function resets the flag that prevents reading the configuration from disk again.

    Return value

    • void

    221.2.52. SaveAndRestartService

    Function for saving the configuration and restarting the firewall. It is the same as Write() but the write is always forced.

    Return value

    • boolean - if successful

    221.2.53. SetAdditionalServices

    Function sets additional ports/services from the given list. First, all additional services are removed together with their aliases. Second, the new ports/protocols are added.

    Function parameters

    • string protocol

    • string zone

    • list <string> new_list_services

    Return value

    • void

    221.2.54. SetBroadcastAllowedPorts

    Function creates the allowed-broadcast-ports string from the broadcast map and saves it.

    Function parameters

    • map <string, list <string> > broadcast

    Return value

    • void

    221.2.55. SetEnableService

    Function which sets whether SuSEfirewall should be enabled during the Write process.

    Function parameters

    • boolean enable_service

    Return value

    • void

    221.2.56. SetIgnoreLoggingBroadcast

    Function sets yes/no - whether broadcast logging is ignored for the zone.

    Function parameters

    • string zone

    • string bcast

    Return value

    • void

    221.2.57. SetLoggingSettings

    Function sets the logging state for the rule given as parameter.

    Function parameters

    • string rule

    • string state - 'ALL', 'CRIT', or 'NONE' (see GetLoggingSettings())

    Return value

    • void

    221.2.58. SetMasquerade

    Function sets masquerade support.

    Function parameters

    • boolean enable

    Return value

    • void

    221.2.59. SetModified

    Function sets the internal "firewall settings were modified" flag to "true".

    Return value

    • void

    221.2.60. SetProtectFromInternalZone

    Function sets whether the firewall should be protected from the internal zone.

    Function parameters

    • boolean set_protect

    Return value

    • void

    221.2.61. SetServices

    Function sets the status of several services on several network interfaces.

    Function parameters

    • list<string> services_ids

    • list<string> interfaces

    • boolean new_status

    Return value

    • boolean - if successful

    221.2.62. SetServicesForZones

    Function sets the status of several services in several firewall zones.

    Function parameters

    • list<string> services_ids

    • list<string> firewall_zones

    • boolean new_status

    Return value

    • boolean - if successful

    221.2.63. SetStartService

    Function which sets whether SuSEfirewall should be started during the Write process.

    Function parameters

    • boolean start_service

    Return value

    • void

    221.2.64. SetSupportRoute

    Function sets whether the firewall should support routing.

    Function parameters

    • boolean set_route

    Return value

    • void

    221.2.65. SetTrustIPsecAs

    Function sets how the firewall should trust successfully decrypted IPsec packets. The value should be a zone shortname, or 'no' to trust such packets the same way the firewall trusts the zone from which the IPsec packet came.

    Function parameters

    • string zone - zone shortname, or 'no'

    Return value

    • void

    221.2.66. StartServices

    Function starts the services needed for SuSEFirewall.

    Return value

    • boolean - result

    221.2.67. StopServices

    Function stops the services needed for SuSEFirewall.

    Return value

    • boolean - result

    221.2.68. Write

    Function for writing and enabling the configuration; it is a union of WriteConfiguration() and ActivateConfiguration().

    Return value

    • boolean - if successful

    221.2.69. WriteConfiguration

    Function writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the SetEnableService(boolean) setting. This only writes the configuration: the firewall is never started, only enabled or disabled.

    Return value

    • boolean - if successful

    221.2.70. WriteOnly

    Helper function for backward compatibility. See WriteConfiguration(). Remove from code ASAP.

    Return value

    • boolean

    221.3. Global Variables

    221.4. Module Requirements

    221.4.1. Module Imports

    • Message
    • Mode
    • NetworkDevices
    • PortAliases
    • Progress
    • Report
    • Service
    • SuSEFirewallServices

    221.4.2. Module Includes