261. SuSEFirewall

Interface manipulation of /etc/sysconfig/SuSEFirewall

261.1. Authors

  • Lukas Ocilka <locilka@suse.cz>

261.2. Summary of Module Globals

List of Global Functions

  • ActivateConfiguration - Stops the firewall, then starts it again immediately if the firewall is wanted to be started: SetStartService(boolean).

  • AddForwardIntoMasqueradeRule - Adds a forward-into-masquerade rule.

  • AddInterfaceIntoZone - Adds an interface into the given zone. All appearances of the interface in other zones are removed.

  • AddService - Adds a service into the selected zone (or the zone of an interface) for the selected protocol. Takes care of port aliases: first of all, it removes all of them.

  • AddSpecialInterfaceIntoZone - Adds a special string into the given zone.

  • AddXenSupport - Adds the special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.

  • ConvertToServicesDefinedByPackages - Converts old built-in service definitions to services defined by packages.

  • DisableServices - Disables the services needed for SuSEFirewall in /etc/init.d/.

  • EnableServices - Enables the services needed for SuSEFirewall in /etc/init.d/.

  • Export - Returns the exported SuSEFirewall configuration.

  • GetAcceptExpertRules - Returns the rules describing protocols and ports that are allowed to be accessed from the listed hosts. Everything is returned as a single string. The zone must be given.

  • GetAdditionalServices - Returns the list of services/ports which are not assigned to any fully supported known service. This function does not check services defined by packages; those are listed in a different way.

  • GetAllDialUpInterfaces - Returns the list of dial-up interfaces.

  • GetAllKnownInterfaces - Returns the list of maps describing the known interfaces.

  • GetAllNonDialUpInterfaces - Returns the list of non-dial-up interfaces.

  • GetBroadcastAllowedPorts - Returns the map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports of that zone also accept broadcast packets. Only ports mentioned in the configuration are returned; ports listed in an enabled service defined by a package are not.

  • GetEnableService - Returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during the Write() process.

  • GetFirewallInterfaces - Returns all interfaces already configured in the firewall.

  • GetFirewallInterfacesMap - Returns the map of interfaces in zones.

  • GetFirewallKernelModules - Returns the list of additional kernel modules loaded by the firewall on startup, for instance "ip_conntrack_ftp" and "ip_nat_ftp" for the FTP service.

  • GetIgnoreLoggingBroadcast - Returns "yes" or "no": whether broadcast packets are ignored in logging for the zone.

  • GetInterfacesInZone - Returns the list of known interfaces in the requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from the list.

  • GetInterfacesInZoneSupportingAnyFeature - Returns the list of known interfaces in the requested zone. The special string 'any' in the EXT zone covers all interfaces without any zone assignment.

  • GetKnownFirewallZones - Returns the list of known firewall zones (short names).

  • GetListOfForwardsIntoMasquerade - Returns the list of rules forwarding ports to masqueraded IPs.

  • GetListOfKnownInterfaces - Returns the list of all known interfaces.

  • GetLoggingSettings - Returns the current logging state for the rule given as parameter.

  • GetMasquerade - Returns the current state of masquerading support.

  • GetModified - Returns whether any firewall configuration was modified.

  • GetProtectFromInternalZone - Returns whether the firewall is protected from the internal zone.

  • GetProtocolTranslatedName - Returns the translated protocol name. The translation is from the SuSEfirewall2 sysconfig format to the l10n format.

  • GetServices - Returns the map of supported services in all firewall zones.

  • GetServicesAcceptRelated - Returns the list of FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

  • GetServicesInZones - Returns the map of supported services on all network interfaces.

  • GetSpecialInterfacesInZone - Returns the list of special strings like 'any' or 'auto' and unknown interfaces.

  • GetStartService - Returns whether SuSEfirewall2 should be started in the Write process, i.e., whether SuSEfirewall2 will be started at the end of it.

  • GetSupportRoute - Returns whether the firewall supports routing.

  • GetTrustIPsecAs - Returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

  • GetZoneFullName - Returns the localized name of the zone identified by its short name.

  • GetZoneOfInterface - Returns the firewall zone of an interface, or nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first appearance is then returned.

  • GetZonesOfInterfaces - Returns the list of zones of the requested interfaces.

  • GetZonesOfInterfacesWithAnyFeatureSupported - Returns the list of zones of the requested interfaces. The special string 'any' in the 'EXT' zone is supported.

  • HaveService - Returns whether the requested service is allowed in the respective zone. Takes care of the service's aliases (only for TCP and UDP). A service is defined by a set of parameters such as port and protocol.

  • Import - Sets the SuSEFirewall configuration from the given input.

  • InterfacesSupportedByAnyFeature - Returns the list of interfaces not mentioned in any zone and therefore covered by the special string 'any' in zone 'EXT', if such a string exists there and the requested zone is EXT. If the 'any' feature is not set, the function returns an empty list.

  • IsAnyNetworkInterfaceSupported - Returns whether the 'any' network interface feature is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

  • IsEnabled - Determines whether all SuSEFirewall scripts are currently enabled in the init scripts in /etc/init.d/. For the configured "enabled" status use GetEnableService().

  • IsInterfaceInZone - Returns whether the interface is in the zone.

  • IsOtherFirewallRunning - Returns whether a firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to obtain the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

  • IsServiceSupportedInZone - Returns whether the service is supported (allowed) in the zone. The service must be defined in SuSEFirewallServices. Works transparently also with services defined by packages; such a service starts with the "service:" prefix.

  • IsStarted - Determines whether at least one SuSEFirewall script is currently started. For the configured "started" status use GetStartService().

  • Read - Reads the SuSEFirewall configuration. Fills internal variables only.

  • RemoveForwardIntoMasqueradeRule - Removes a forward-into-masquerade rule from the list of current rules returned by GetListOfForwardsIntoMasquerade().

  • RemoveInterfaceFromZone - Removes an interface from the given zone.

  • RemoveService - Removes a service from the selected zone (or for an interface) for the selected protocol. Takes care of port aliases and removes all of them.

  • RemoveSpecialInterfaceFromZone - Removes a special string from the given zone.

  • ResetModified - Do not use this function. Only for the firewall installation proposal.

  • ResetReadFlag - Resets the flag that prevents reading the configuration from disk again, so the configuration can actually be reread from disk. Currently, only the first Read() call reads the configuration from disk.

  • SaveAndRestartService - Saves the configuration and restarts the firewall. It is the same as Write(), but the write is always forced.

  • SetAcceptExpertRules - Sets the expert allow rules for a zone.

  • SetAdditionalServices - Sets additional ports/services from the given list. First, all additional services are removed together with their aliases; second, the new ports/protocols are added. It uses GetAdditionalServices() to get the current state, then removes what has been removed and adds what has been added.

  • SetBroadcastAllowedPorts - Creates the allowed-broadcast-ports string from the broadcast map and saves it.

  • SetEnableService - Sets whether SuSEfirewall should start in the Write process.

  • SetFirewallKernelModules - Sets the list of additional kernel modules to be loaded by the firewall on startup.

  • SetIgnoreLoggingBroadcast - Sets "yes" or "no": whether broadcast packets are ignored in logging for the zone.

  • SetInstallPackagesIfMissing - By default the SuSEfirewall2 packages are only checked for being installed. With this function you can change the behavior to also offer installing the packages.

  • SetLoggingSettings - Sets the logging state for the rule given as parameter.

  • SetMasquerade - Sets masquerade support.

  • SetModified - Sets the internal variable indicating that "firewall settings were modified" to "true".

  • SetProtectFromInternalZone - Sets whether the firewall should be protected from the internal zone.

  • SetServices - Sets the status of several services on several network interfaces.

  • SetServicesAcceptRelated - Sets FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

  • SetServicesForZones - Sets the status of several services in several firewall zones.

  • SetStartService - Sets whether SuSEfirewall should start in the Write process.

  • SetSupportRoute - Sets whether the firewall should support routing.

  • SetTrustIPsecAs - Sets how the firewall should trust successfully decrypted IPsec packets. The value should be a zone name (short name), or 'no' to trust the packets the same way the firewall trusts the zone the IPsec packet came from.

  • StartServices - Starts the services needed for SuSEFirewall.

  • StopServices - Stops the services needed for SuSEFirewall.

  • SuSEFirewallIsInstalled - Returns whether all needed packages are installed.

  • Write - Writes and enables the configuration; it is the union of WriteConfiguration() and ActivateConfiguration().

  • WriteConfiguration - Writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the SetEnableService(boolean) setting. This is a write-only operation: the firewall is never started, only enabled or disabled.

  • WriteOnly - Helper function for backward compatibility. See WriteConfiguration(). Remove from code ASAP.

List of Global Variables

261.3. Global Functions

261.3.1. ActivateConfiguration

Stops the firewall, then starts it again immediately if the firewall is wanted to be started: SetStartService(boolean).

Return value

  • boolean - if successful

261.3.2. AddForwardIntoMasqueradeRule

Adds a forward-into-masquerade rule.

Function parameters

  • string source_net

  • string forward_to_ip

  • string protocol

  • string req_port

  • string redirect_to_port

  • string requested_ip

Return value

  • void

Example 95. 

	AddForwardIntoMasqueradeRule ("0/0", "192.168.32.1", "TCP", "80", "8080", "10.0.0.1")


261.3.3. AddInterfaceIntoZone

Adds an interface into the given zone. All appearances of the interface in other zones are removed.

Function parameters

  • string interface

  • string zone

Return value

  • void

Example 96. 

 AddInterfaceIntoZone ("eth5", "DMZ")


261.3.4. AddService

Adds a service into the selected zone (or the zone of an interface) for the selected protocol. Takes care of port aliases: first of all, it removes all of them.

Function parameters

  • string service

  • string protocol

  • string interface

Return value

  • boolean - success

Example 97. 

	AddService ("ssh", "TCP", "EXT")
	AddService ("ssh", "TCP", "dsl0")


261.3.5. AddSpecialInterfaceIntoZone

Adds a special string into the given zone.

Function parameters

  • string interface

  • string zone

Return value

  • void

261.3.6. AddXenSupport

Adds the special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.

Return value

  • void

See also:

  • https://bugzilla.novell.com/show_bug.cgi?id=154133

  • https://bugzilla.novell.com/show_bug.cgi?id=233934

  • https://bugzilla.novell.com/show_bug.cgi?id=375482

261.3.7. ConvertToServicesDefinedByPackages

Converts old built-in service definitions to services defined by packages.

Return value

  • void

See also:

  • #bnc 399217

261.3.8. DisableServices

Disables the services needed for SuSEFirewall in /etc/init.d/.

Return value

  • boolean - result

261.3.9. EnableServices

Enables the services needed for SuSEFirewall in /etc/init.d/.

Return value

  • boolean - result

261.3.10. Export

Returns the exported SuSEFirewall configuration.

Return value

  • map <string, any> - with configuration

261.3.11. GetAcceptExpertRules

Returns the rules describing protocols and ports that are allowed to be accessed from the listed hosts. Everything is returned as a single string. The zone must be given.

Function parameters

  • string zone

Return value

  • string - with rules

261.3.12. GetAdditionalServices

Returns the list of services/ports which are not assigned to any fully supported known service. This function does not check services defined by packages; those are listed in a different way.

Function parameters

  • string protocol

  • string zone

Return value

  • list <string> - of additional (unassigned) services

Example 98. 

	GetAdditionalServices("TCP", "EXT") -> ["53", "128"]


261.3.13. GetAllDialUpInterfaces

Returns the list of dial-up interfaces.

Return value

  • list <string> - of dial-up interface names

Example 99. 

 GetAllDialUpInterfaces() -> ["modem0", "dsl5"]


261.3.14. GetAllKnownInterfaces

Returns the list of maps describing the known interfaces.

Return value

  • list <map <string, string> > - of all interfaces

[ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

261.3.15. GetAllNonDialUpInterfaces

Returns the list of non-dial-up interfaces.

Return value

  • list <string> - of non-dial-up interface names

Example 100. 

 GetAllNonDialUpInterfaces() -> ["eth1", "eth2"]


261.3.16. GetBroadcastAllowedPorts

Returns the map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports of that zone also accept broadcast packets. Only ports mentioned in the configuration are returned; ports listed in an enabled service defined by a package are not.

Return value

  • map <string, list <string> > - strings are allowed ports or port ranges

$[
   "ZONE1" : [ "port1", "port2" ],
   "ZONE2" : [ "port3", "port4" ],
   "ZONE3" : [ ]
 ]

261.3.17. GetEnableService

Returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during the Write() process.

Return value

  • boolean - if the firewall should start

See also:

  • Write()

  • EnableServices()

261.3.18. GetFirewallInterfaces

Returns all interfaces already configured in the firewall.

Return value

  • list<string> - of configured interfaces

261.3.19. GetFirewallInterfacesMap

Returns the map of interfaces in zones.

Return value

  • map <string, list <string> > - interface in zones

map $[zone : [list of interfaces]]

Example 101. 

	GetFirewallInterfacesMap() -> $["DMZ":[], "EXT":["dsl0"], "INT":["eth1", "eth2"]]


261.3.20. GetFirewallKernelModules

Returns the list of additional kernel modules loaded by the firewall on startup, for instance "ip_conntrack_ftp" and "ip_nat_ftp" for the FTP service.

Return value

  • list <string> - of kernel modules

See also:

  • /etc/sysconfig/SuSEfirewall2 option nr. 32 (FW_LOAD_MODULES)

261.3.21. GetIgnoreLoggingBroadcast

Returns "yes" or "no": whether broadcast packets are ignored in logging for the zone.

Function parameters

  • string zone

Return value

  • string - "yes" or "no"

Example 102. 

	// Does not log ignored broadcast packets
	GetIgnoreLoggingBroadcast ("EXT") -> "yes"


261.3.22. GetInterfacesInZone

Returns the list of known interfaces in the requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from the list.

Function parameters

  • string zone

Return value

  • list<string> - of interfaces

Example 103. 

 GetInterfacesInZone ("DMZ") -> ["eth4", "eth5"]


261.3.23. GetInterfacesInZoneSupportingAnyFeature

Returns the list of known interfaces in the requested zone. The special string 'any' in the EXT zone covers all interfaces without any zone assignment.

Function parameters

  • string zone

Return value

  • list<string> - of interfaces

261.3.24. GetKnownFirewallZones

Returns the list of known firewall zones (short names).

Return value

  • list <string> - of firewall zones

Example 104. 

 GetKnownFirewallZones() -> ["DMZ", "EXT", "INT"]


261.3.25. GetListOfForwardsIntoMasquerade

Returns the list of rules forwarding ports to masqueraded IPs.

Return value

  • list <map <string, string> > - list of rules

list [$[ key: value ]]

Example 105. 

	GetListOfForwardsIntoMasquerade() -> [
 $[
   "forward_to":"172.24.233.1",
   "protocol":"tcp",
   "req_ip":"192.168.0.3",
   "req_port":"355",
   "source_net":"192.168.0.0/20",
   "to_port":"533"],
   ...
 ]


261.3.26. GetListOfKnownInterfaces

Returns the list of all known interfaces.

Return value

  • list <string> - of interfaces

Example 106. 

 GetListOfKnownInterfaces() -> ["eth1", "eth2", "modem0", "dsl5"]


261.3.27. GetLoggingSettings

Returns the current logging state for the rule given as parameter.

Function parameters

  • string rule

Return value

  • string - 'ALL', 'CRIT', or 'NONE'

Example 107. 

	GetLoggingSettings("ACCEPT") -> "CRIT"
	GetLoggingSettings("DROP") -> "CRIT"


261.3.28. GetMasquerade

Returns the current state of masquerading support.

Return value

  • boolean - if supported

261.3.29. GetModified

Returns whether any firewall configuration was modified.

Return value

  • boolean - if the configuration was modified

261.3.30. GetProtectFromInternalZone

Returns whether the firewall is protected from the internal zone.

Return value

  • boolean - if protected from internal

261.3.31. GetProtocolTranslatedName

Returns the translated protocol name. The translation is from the SuSEfirewall2 sysconfig format to the l10n format.

Function parameters

  • string protocol

Return value

  • string - translated string (e.g., RPC)

261.3.32. GetServices

Returns the map of supported services in all firewall zones.

Function parameters

  • list<string> services

Return value

  • map <string, map <string, boolean> > -

Returns $[service : $[ zone_name : supported_status]]

Example 108. 

  // Firewall is not protected from internal zone, that's why
  // all services report that they are enabled in INT zone
  GetServices (["samba-server", "service:irc-server"]) -> $[
    "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
    "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
  ]


261.3.33. GetServicesAcceptRelated

Returns the list of FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Function parameters

  • string zone

Return value

  • list <string> - list of definitions

Example 109. 

 GetServicesAcceptRelated ("EXT") -> ["0/0,udp,427", "0/0,udp,137"]


See also:

  • SetServicesAcceptRelated()

261.3.34. GetServicesInZones

Returns the map of supported services on all network interfaces.

Function parameters

  • list<string> services

Return value

  • map <string, map <string, boolean> > -

Returns $[service : $[ interface : supported_status ]]

Example 110. 

	GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
	// No such service "something"
	GetServicesInZones (["something"]) -> $["something":$["eth1":nil]]
	GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]


261.3.35. GetSpecialInterfacesInZone

Returns the list of special strings like 'any' or 'auto' and unknown interfaces.

Function parameters

  • string zone

Return value

  • list <string> - special strings or unknown interfaces

Example 111. 

	GetSpecialInterfacesInZone("EXT") -> ["any", "unknown-1", "wrong-3"]


261.3.36. GetStartService

Returns whether SuSEfirewall2 should be started in the Write process, i.e., whether SuSEfirewall2 will be started at the end of it.

Return value

  • boolean - if the firewall should start

261.3.37. GetSupportRoute

Returns whether the firewall supports routing.

Return value

  • boolean - if route is supported

261.3.38. GetTrustIPsecAs

Returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

Return value

  • string - zone or "no"

261.3.39. GetZoneFullName

Returns the localized name of the zone identified by its short name.

Function parameters

  • string zone

Return value

  • string - zone name

Example 112. 

  LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
  LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"


261.3.40. GetZoneOfInterface

Returns the firewall zone of the interface, or nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first appearance is then returned.

Function parameters

  • string interface

Return value

  • string - zone

Example 113. 

 GetZoneOfInterface ("eth-id-01:11:DA:9C:8A:2F") -> "DMZ"


261.3.41. GetZonesOfInterfaces

Returns the list of zones of the requested interfaces.

Function parameters

  • list<string> interfaces

Return value

  • list<string> - firewall zones

Example 114. 

	GetZonesOfInterfaces (["eth1","eth4"]) -> ["DMZ", "EXT"]


261.3.42. GetZonesOfInterfacesWithAnyFeatureSupported

Returns the list of zones of the requested interfaces. The special string 'any' in the 'EXT' zone is supported.

Function parameters

  • list<string> interfaces

Return value

  • list<string> - firewall zones

Example 115. 

	GetZonesOfInterfacesWithAnyFeatureSupported (["eth1","eth4"]) -> ["EXT"]


261.3.43. HaveService

Returns whether the requested service is allowed in the respective zone. Takes care of the service's aliases (only for TCP and UDP). A service is defined by a set of parameters such as port and protocol.

Function parameters

  • string service

  • string protocol

  • string interface

Return value

  • boolean - if service is allowed

Example 116. 

	HaveService ("ssh", "TCP", "EXT") -> true
	HaveService ("ssh", "TCP", "modem0") -> false
	HaveService ("53", "UDP", "dsl") -> false


261.3.44. Import

Sets the SuSEFirewall configuration from the given input.

Function parameters

  • map <string, any> import_settings

Return value

  • void

261.3.45. InterfacesSupportedByAnyFeature

Returns the list of interfaces not mentioned in any zone and therefore covered by the special string 'any' in zone 'EXT', if such a string exists there and the requested zone is EXT. If the 'any' feature is not set, the function returns an empty list.

Function parameters

  • string zone

Return value

  • list<string> - of interfaces covered by special string 'any'

See also:

  • IsAnyNetworkInterfaceSupported()

261.3.46. IsAnyNetworkInterfaceSupported

Returns whether the 'any' network interface feature is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

Return value

  • boolean - whether the feature is supported
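The zone rules spelled out for AddInterfaceIntoZone, GetZoneOfInterface, GetInterfacesInZone, GetSpecialInterfacesInZone, InterfacesSupportedByAnyFeature, IsAnyNetworkInterfaceSupported and GetZonesOfInterfacesWithAnyFeatureSupported interact: an interface lives in at most one zone, special strings and unknown names are filtered out, and an interface assigned to no zone is only protected by a policy at all when 'any' sits in EXT. The following Python model is an added illustration of exactly those documented rules; it is not the YCP module's code, the lowercase function names are this example's own, and the interface list and zone assignment are constructed sample data.

```python
"""Added Python model of the zone and interface rules documented for
AddInterfaceIntoZone, GetZoneOfInterface, GetInterfacesInZone,
GetSpecialInterfacesInZone, InterfacesSupportedByAnyFeature,
IsAnyNetworkInterfaceSupported and GetZonesOfInterfacesWithAnyFeatureSupported.
It illustrates the documented behaviour; it is not the YCP module's code."""

ZONES = ["DMZ", "EXT", "INT"]  # short names, as GetKnownFirewallZones() lists them
ANY_STRING = "any"             # plays the role of special_all_interface_string
ANY_ZONE = "EXT"               # plays the role of special_all_interface_zone

# Constructed sample data: interfaces known to the system, and a zone
# assignment (zone short name -> list of strings, which may include special
# strings such as "any" and names the system does not know).
KNOWN_INTERFACES = ["eth1", "eth2", "eth4", "eth5", "dsl0", "modem0"]
SAMPLE_ZONES = {
    "DMZ": ["eth4", "eth5"],
    "EXT": ["dsl0", "any", "unknown-1"],
    "INT": ["eth1", "eth2"],
}


def add_interface_into_zone(zones, interface, zone):
    """Return a new assignment: every appearance of `interface` in other zones
    is removed first, so an interface can never end up in two zones."""
    updated = {z: [d for d in devs if d != interface] for z, devs in zones.items()}
    updated.setdefault(zone, []).append(interface)
    return updated


def get_zone_of_interface(zones, interface):
    """Zone of `interface`, or None (nil) if no zone includes it. A duplicate
    assignment is reported as an error and the first appearance wins."""
    hits = [z for z in ZONES if interface in zones.get(z, [])]
    if len(hits) > 1:
        print(f"error: interface {interface} is in multiple zones: {hits}")
    return hits[0] if hits else None


def get_interfaces_in_zone(zones, zone, known=KNOWN_INTERFACES):
    """Known interfaces only: special strings and unknown names are dropped."""
    return [d for d in zones.get(zone, []) if d in known]


def get_special_interfaces_in_zone(zones, zone, known=KNOWN_INTERFACES):
    """The complement: special strings like 'any'/'auto' and unknown names."""
    return [d for d in zones.get(zone, []) if d not in known]


def is_any_network_interface_supported(zones):
    """The 'any' feature is on only when the string sits in the EXT zone."""
    return ANY_STRING in zones.get(ANY_ZONE, [])


def interfaces_supported_by_any_feature(zones, zone, known=KNOWN_INTERFACES):
    """Interfaces assigned to no zone, which 'any' in EXT silently covers.
    Empty for any other zone, and empty when the feature is not set."""
    if zone != ANY_ZONE or not is_any_network_interface_supported(zones):
        return []
    assigned = {d for devs in zones.values() for d in devs}
    return [d for d in known if d not in assigned]


def get_zones_of_interfaces_with_any_feature(zones, interfaces, known=KNOWN_INTERFACES):
    """Zones of the requested interfaces; an unassigned interface counts as
    EXT when the 'any' feature covers it, otherwise it has no zone at all."""
    covered = interfaces_supported_by_any_feature(zones, ANY_ZONE, known)
    result = []
    for iface in interfaces:
        zone = get_zone_of_interface(zones, iface)
        if zone is None and iface in covered:
            zone = ANY_ZONE
        if zone is not None and zone not in result:
            result.append(zone)
    return result


if __name__ == "__main__":
    # Without 'any' in EXT, modem0 belongs to no zone and so to no firewall
    # policy; that is the state a configuration review should flag.
    strict = add_interface_into_zone(SAMPLE_ZONES, "any", "DMZ")
    print(get_zone_of_interface(strict, "modem0"))                      # None
    print(get_zones_of_interfaces_with_any_feature(strict, ["modem0"]))  # []
    print(get_zones_of_interfaces_with_any_feature(SAMPLE_ZONES, ["eth1", "modem0"]))
```

Running the script shows the two states side by side: with 'any' in EXT the unassigned modem0 resolves to EXT, while moving 'any' to any other zone switches the feature off and leaves modem0 with no zone. The functions return fresh data rather than mutating the assignment so that a proposed change can be compared with the current configuration before it is written.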

261.3.47. IsEnabled

Determines whether all SuSEFirewall scripts are currently enabled in the init scripts in /etc/init.d/. For the configured "enabled" status use GetEnableService().

Return value

  • boolean - if enabled

261.3.48. IsInterfaceInZone

Returns whether the interface is in the zone.

Function parameters

  • string interface

  • string zone

Return value

  • boolean - is in zone

Example 117. 

 IsInterfaceInZone ("eth-id-01:11:DA:9C:8A:2F", "INT") -> false


261.3.49. IsOtherFirewallRunning

Returns whether a firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to obtain the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

Return value

  • boolean - if other firewall is running

261.3.50. IsServiceSupportedInZone

Returns whether the service is supported (allowed) in the zone. The service must be defined in SuSEFirewallServices. Works transparently also with services defined by packages; such a service starts with the "service:" prefix.

Function parameters

  • string service

  • string zone

Return value

  • boolean - if supported

Example 118. 

	// All ports defined by dns-server service in SuSEFirewallServices module
	// are enabled in the respective zone
	IsServiceSupportedInZone ("dns-server", "EXT") -> true
	// irc-server definition exists on the system and the irc-server
	// is mentioned in FW_CONFIGURATIONS_EXT variable of SuSEfirewall2
	IsServiceSupportedInZone ("service:irc-server", "EXT") -> true


See also:

  • YCP Module SuSEFirewallServices

261.3.51. IsStarted

Determines whether at least one SuSEFirewall script is currently started. For the configured "started" status use GetStartService().

Return value

  • boolean - if started

261.3.52. Read

Reads the SuSEFirewall configuration. Fills internal variables only.

Return value

  • boolean - if successful

261.3.53. RemoveForwardIntoMasqueradeRule

Removes a forward-into-masquerade rule from the list of current rules returned by GetListOfForwardsIntoMasquerade().

Function parameters

  • integer remove_item

Return value

  • void

See also:

  • GetListOfForwardsIntoMasquerade()

261.3.54. RemoveInterfaceFromZone

Removes an interface from the given zone.

Function parameters

  • string interface

  • string zone

Return value

  • void

Example 119. 

 RemoveInterfaceFromZone ("modem0", "EXT")


261.3.55. RemoveService

Removes a service from the selected zone (or for an interface) for the selected protocol. Takes care of port aliases and removes all of them.

Function parameters

  • string service

  • string protocol

  • string interface

Return value

  • boolean - success

Example 120. 

	RemoveService ("22", "TCP", "DMZ") -> true
	// is the same as
	RemoveService ("ssh", "TCP", "DMZ") -> true


261.3.56. RemoveSpecialInterfaceFromZone

Removes a special string from the given zone.

Function parameters

  • string interface

  • string zone

Return value

  • void

261.3.57. ResetModified

Do not use this function. Only for the firewall installation proposal.

Return value

  • void

261.3.58. ResetReadFlag

Resets the flag that prevents reading the configuration from disk again, so the configuration can actually be reread from disk. Currently, only the first Read() call reads the configuration from disk.

Return value

  • void

261.3.59. SaveAndRestartService

Saves the configuration and restarts the firewall. It is the same as Write(), but the write is always forced.

Return value

  • boolean - if successful

261.3.60. SetAcceptExpertRules

Sets the expert allow rules for a zone.

Function parameters

  • string zone

  • string expert_rules

Return value

  • boolean - if successful

261.3.61. SetAdditionalServices

Sets additional ports/services from the given list. First, all additional services are removed together with their aliases; second, the new ports/protocols are added. It uses GetAdditionalServices() to get the current state, then removes what has been removed and adds what has been added.

Function parameters

  • string protocol

  • string zone

  • list <string> new_list_services

Return value

  • void

Example 121. 

	SetAdditionalServices ("TCP", "EXT", ["53", "128"])


See also:

  • GetAdditionalServices()

261.3.62. SetBroadcastAllowedPorts

Creates the allowed-broadcast-ports string from the broadcast map and saves it.

Function parameters

  • map <string, list <string> > broadcast

Return value

  • void

See also:

  • GetBroadcastAllowedPorts() for an example of data
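The port handling documented for AddService, RemoveService, HaveService, GetAdditionalServices and SetAdditionalServices hinges on one rule: a port and all of its aliases ("ssh" and "22") are treated as the same entry, so adding or removing either form removes the others first. The broadcast map documented for GetBroadcastAllowedPorts and SetBroadcastAllowedPorts adds a second rule: a zone whose list is present but empty accepts broadcast on every allowed UDP port of that zone. The Python model below is an added illustration of both rules; it is not the YCP module's code, the lowercase function names are this example's own, and the alias table, the known-service table and the sample configuration are constructed stand-ins for the PortAliases and SuSEFirewallServices modules.

```python
"""Added Python model of the port and service rules documented for AddService,
RemoveService, HaveService, GetAdditionalServices, SetAdditionalServices and
GetBroadcastAllowedPorts/SetBroadcastAllowedPorts. It illustrates the documented
behaviour; it is not the YCP module's code, and the tables are constructed."""

# Constructed stand-in for the PortAliases module: name -> port number, kept
# as strings because that is how the sysconfig file carries them.
PORT_ALIASES = {"ssh": "22", "domain": "53", "http": "80", "www": "80"}

# Constructed stand-in for the fully supported known services: ports listed
# here are never reported by get_additional_services().
KNOWN_SERVICES = {
    "ssh-server": {"TCP": ["22"]},
    "http-server": {"TCP": ["80"]},
}


def port_aliases(service):
    """Every name for the same port as `service`, the number included."""
    number = PORT_ALIASES.get(service, service)
    names = {name for name, port in PORT_ALIASES.items() if port == number}
    return names | {number}


def _matching(service, protocol):
    # Aliases are resolved only for TCP and UDP, as the module documents.
    return port_aliases(service) if protocol in ("TCP", "UDP") else {service}


def remove_service(cfg, service, protocol, zone):
    """Remove the service and all of its aliases from cfg[zone][protocol]."""
    entries = cfg.setdefault(zone, {}).setdefault(protocol, [])
    drop = _matching(service, protocol)
    cfg[zone][protocol] = [e for e in entries if e not in drop]
    return True


def add_service(cfg, service, protocol, zone):
    """Remove all aliases first, so "ssh" and "22" never coexist, then add."""
    remove_service(cfg, service, protocol, zone)
    cfg[zone][protocol].append(service)
    return True


def have_service(cfg, service, protocol, zone):
    """Allowed if the entry or any alias of it is present."""
    wanted = _matching(service, protocol)
    return any(e in wanted for e in cfg.get(zone, {}).get(protocol, []))


def get_additional_services(cfg, protocol, zone):
    """Entries not belonging to any known service, reported as port numbers."""
    known = {p for svc in KNOWN_SERVICES.values() for p in svc.get(protocol, [])}
    result = []
    for e in cfg.get(zone, {}).get(protocol, []):
        number = PORT_ALIASES.get(e, e)
        if number not in known and number not in result:
            result.append(number)
    return result


def set_additional_services(cfg, protocol, zone, new_list):
    """Drop the current additional services (with aliases), then add the new
    ones; entries that belong to known services are left alone."""
    for old in get_additional_services(cfg, protocol, zone):
        remove_service(cfg, old, protocol, zone)
    for new in new_list:
        add_service(cfg, new, protocol, zone)


def effective_broadcast_ports(cfg, broadcast):
    """Resolve a GetBroadcastAllowedPorts()-style map: a zone whose list is
    defined but empty accepts broadcast on every allowed UDP port of the zone."""
    effective = {}
    for zone, ports in broadcast.items():
        if ports:
            effective[zone] = list(ports)
        else:
            udp = cfg.get(zone, {}).get("UDP", [])
            effective[zone] = [PORT_ALIASES.get(e, e) for e in udp]
    return effective


if __name__ == "__main__":
    # Constructed sample configuration: zone -> protocol -> entries.
    cfg = {"EXT": {"TCP": ["ssh", "53", "128"], "UDP": ["domain", "137"]}}
    print(get_additional_services(cfg, "TCP", "EXT"))   # ['53', '128']
    set_additional_services(cfg, "TCP", "EXT", ["domain", "443"])
    print(cfg["EXT"]["TCP"])                             # ['ssh', 'domain', '443']
    print(effective_broadcast_ports(cfg, {"EXT": []}))   # {'EXT': ['53', '137']}
```

The empty-list case in effective_broadcast_ports() is the one to watch when reviewing a configuration: an empty entry is not "no broadcast" but "broadcast on every allowed UDP port of the zone", and because the page states that GetBroadcastAllowedPorts() ignores ports contributed by enabled package-defined services, the resolved set here is only as complete as the explicit UDP entries it is given.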

261.3.63. SetEnableService

Sets whether SuSEfirewall should start in the Write process.

Function parameters

  • boolean enable_service

Return value

  • void

261.3.64. SetFirewallKernelModules

Sets the list of additional kernel modules to be loaded by the firewall on startup.

Function parameters

  • list <string> k_modules

Return value

  • void

Example 122. 

 SuSEFirewall::SetFirewallKernelModules (["ip_conntrack_ftp","ip_nat_ftp"]);


See also:

  • /etc/sysconfig/SuSEfirewall2 option nr. 32

261.3.65. SetIgnoreLoggingBroadcast

Sets "yes" or "no": whether broadcast packets are ignored in logging for the zone.

Function parameters

  • string zone

  • string bcast

Return value

  • void

Example 123. 

	// Do not log broadcast packets from DMZ
	SetIgnoreLoggingBroadcast ("DMZ", "yes")


261.3.66. SetInstallPackagesIfMissing

By default the SuSEfirewall2 packages are only checked for being installed. With this function you can change the behavior to also offer installing the packages.

Function parameters

  • boolean new_status

Return value

  • void

261.3.67. SetLoggingSettings

Sets the logging state for the rule given as parameter.

Function parameters

  • string rule

  • string state

Return value

  • void

Example 124. 

	SetLoggingSettings ("ACCEPT", "ALL")
	SetLoggingSettings ("DROP", "NONE")


261.3.68. SetMasquerade

Sets masquerade support.

Function parameters

  • boolean enable

Return value

  • void

261.3.69. SetModified

Sets the internal variable indicating that "firewall settings were modified" to "true".

Return value

  • void

261.3.70. SetProtectFromInternalZone

Sets whether the firewall should be protected from the internal zone.

Function parameters

  • boolean set_protect

Return value

  • void

261.3.71. SetServices

Sets the status of several services on several network interfaces.

Function parameters

  • list<string> services_ids

  • list<string> interfaces

  • boolean new_status

Return value

  • boolean - if successful

Example 125. 

	// Disabling services
	SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], false)
	// Enabling services
	SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)


See also:

  • SetServicesForZones()

261.3.72. SetServicesAcceptRelated

Sets FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.

Function parameters

  • string zone

  • list <string> ruleset

Return value

  • void

Example 126. 

 SetServicesAcceptRelated ("EXT", ["0/0,udp,427", "0/0,udp,137"])


See also:

  • GetServicesAcceptRelated()

261.3.73. SetServicesForZones

Sets the status of several services in several firewall zones.

Function parameters

  • list<string> services_ids

  • list<string> firewall_zones

  • boolean new_status

Return value

  • boolean - if successful

Example 127. 

	SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
	SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);


See also:

  • GetServicesInZones()

  • GetServices()

261.3.74. SetStartService

Sets whether SuSEfirewall should start in the Write process.

Function parameters

  • boolean start_service

Return value

  • void

See also:

  • GetStartService()

261.3.75. SetSupportRoute

Sets whether the firewall should support routing.

Function parameters

  • boolean set_route

Return value

  • void

261.3.76. SetTrustIPsecAs

Sets how the firewall should trust successfully decrypted IPsec packets. The value should be a zone name (short name), or 'no' to trust the packets the same way the firewall trusts the zone the IPsec packet came from.

Function parameters

  • string zone

Return value

  • void

261.3.77. StartServices

Starts the services needed for SuSEFirewall.

Return value

  • boolean - result

261.3.78. StopServices

Stops the services needed for SuSEFirewall.

Return value

  • boolean - result

261.3.79. SuSEFirewallIsInstalled

Returns whether all needed packages are installed.

Return value

  • boolean - whether SuSEfirewall2 is installed

261.3.80. Write

Writes and enables the configuration; it is the union of WriteConfiguration() and ActivateConfiguration().

Return value

  • boolean - if successful

261.3.81. WriteConfiguration

Writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the SetEnableService(boolean) setting. This is a write-only operation: the firewall is never started, only enabled or disabled.

Return value

  • boolean - if successful

261.3.82. WriteOnly

Helper function for backward compatibility. See WriteConfiguration(). Remove from code ASAP.

Return value

  • boolean - if successful

261.4. Global Variables

261.4.1. max_port_number

Maximal port number; valid port numbers lie in the interval 1-65535 inclusive.

261.4.2. special_all_interface_string

Special string which covers all interfaces not defined in any zone.

261.4.3. special_all_interface_zone

Zone in which the special_all_interface_string string is honoured.

261.5. Module Requirements

261.5.1. Module Imports

  • Directory
  • FileUtils
  • Message
  • Mode
  • NetworkInterfaces
  • PackageSystem
  • PortAliases
  • PortRanges
  • Progress
  • Report
  • Service
  • Stage
  • SuSEFirewallServices

261.5.2. Module Includes