Interface manipulation of /etc/sysconfig/SuSEFirewall
List of Global Functions
ActivateConfiguration - Stops the firewall and, if it is configured to run (see SetStartService(boolean)), starts it again immediately.
AddForwardIntoMasqueradeRule - Adds forward into masquerade rule.
AddInterfaceIntoZone - Adds the interface into the given zone. All occurrences of the interface in other zones are removed.
AddService - Adds the service into the selected zone (or the zone of the given interface) for the selected protocol. The function takes port aliases into account: it first removes all of them, then adds the service.
AddSpecialInterfaceIntoZone - Adds a special string (e.g., 'any') into the given zone.
AddXenSupport - Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.
ConvertToServicesDefinedByPackages - Converts old built-in service definitions to services defined by packages.
DisableServices - Disables the services needed by SuSEFirewall in /etc/init.d/
EnableServices - Enables the services needed by SuSEFirewall in /etc/init.d/
Export - Function for getting exported SuSEFirewall configuration
GetAcceptExpertRules - Returns the list of rules describing protocols and ports that may be accessed from the listed hosts. Everything is returned as a single string. The zone must be given.
GetAdditionalServices - Returns the list of services/ports that are not assigned to any fully supported known service. This function does not check services defined by packages; those are listed differently.
GetAllDialUpInterfaces - Function returns list of dial-up interfaces.
GetAllKnownInterfaces - Function returns list of maps of known interfaces.
GetAllNonDialUpInterfaces - Function returns list of non-dial-up interfaces.
GetBroadcastAllowedPorts - Returns a map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports of that zone also accept broadcast packets. Only ports mentioned directly in the configuration are returned; ports that come from an enabled service defined by a package are not.
GetEnableService - Returns whether SuSEfirewall2 should be enabled in the /etc/init.d/ start scripts during the Write() process.
GetFirewallInterfaces - Function returns all interfaces already configured in firewall.
GetFirewallInterfacesMap - Function returns map of `interfaces in zones`.
GetFirewallKernelModules - Returns list of additional kernel modules, that are loaded by firewall on startup. For instance "ip_conntrack_ftp" and "ip_nat_ftp" for FTP service.
GetIgnoreLoggingBroadcast - Returns "yes" or "no": whether broadcast packets are ignored in the logging of the zone.
GetInterfacesInZone - Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.
GetInterfacesInZoneSupportingAnyFeature - Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.
GetKnownFirewallZones - Function returns list of known firewall zones (shortnames)
GetListOfForwardsIntoMasquerade - Function returns list of rules of forwarding ports to masqueraded IPs.
GetListOfKnownInterfaces - Function returns list of all known interfaces.
GetLoggingSettings - Returns the current logging state for the rule given as parameter.
GetMasquerade - Returns the current state of masquerading support.
GetModified - Returns whether the firewall configuration was modified.
GetProtectFromInternalZone - Function returns if firewall is protected from internal zone.
GetProtocolTranslatedName - Returns translated protocol name. Translation is provided from SuSEfirewall2 sysconfig format to l10n format.
GetServices - Function returns map of supported services in all firewall zones.
GetServicesAcceptRelated - Returns list of FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.
GetServicesInZones - Returns a map of supported services on all network interfaces.
GetSpecialInterfacesInZone - Returns the list of special strings like 'any' or 'auto' and of unknown interfaces in the zone.
GetStartService - Returns whether SuSEfirewall2 should be started during the Write() process, i.e., whether it will be running when Write() finishes.
GetSupportRoute - Function returns if firewall supports routing.
GetTrustIPsecAs - Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.
GetZoneFullName - Function returns localized name of the zone identified by zone shortname.
GetZoneOfInterface - Returns the firewall zone of the interface, nil if no zone includes it. If the interface is found in several zones, an error is reported and the first zone it appears in is returned.
GetZonesOfInterfaces - Function returns list of zones of requested interfaces
GetZonesOfInterfacesWithAnyFeatureSupported - Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.
HaveService - Returns whether the requested service is allowed in the respective zone. The function takes the service's aliases into account (TCP and UDP only). A service is defined by a set of parameters such as port and protocol.
Import - Function for setting SuSEFirewall configuration from input
InterfacesSupportedByAnyFeature - Returns the list of interfaces not mentioned in any zone that are covered by the special string 'any', provided that string is present in zone 'EXT' and the requested zone is EXT. If the 'any' feature is not set, an empty list is returned.
IsAnyNetworkInterfaceSupported - Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.
IsEnabled - Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().
IsInterfaceInZone - Function returns if the interface is in zone.
IsOtherFirewallRunning - Returns whether a firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to list the currently active rules and compares that output with the current status of SuSEfirewall2.
IsServiceSupportedInZone - Returns whether the service is supported (allowed) in the zone. The service must be defined in SuSEFirewallServices. Works transparently with services defined by packages too; such services carry the "service:" prefix.
IsStarted - Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().
Read - Function for reading SuSEFirewall configuration. Fills internal variables only.
RemoveForwardIntoMasqueradeRule - Function removes rule for forwarding into masquerade from the list of current rules returned by GetListOfForwardsIntoMasquerade().
RemoveInterfaceFromZone - Function removes interface from defined zone.
RemoveService - Removes the service from the selected zone (or for the given interface) for the selected protocol. The function takes port aliases into account and removes all of them.
RemoveSpecialInterfaceFromZone - Function removes special string from defined zone.
ResetModified - Do not use this function. Only for firewall installation proposal.
ResetReadFlag - Resets the flag that prevents the configuration from being read from disk again, so the configuration can be reread. Currently only the first Read() call reads the configuration from disk.
SaveAndRestartService - Saves the configuration and restarts the firewall. It is the same as Write(), but the write is always forced.
SetAcceptExpertRules - Sets expert allow rules for zone.
SetAdditionalServices - Sets additional ports/services from the given list. First, all additional services are removed together with their aliases; then the new ports/protocols are added. The function uses GetAdditionalServices() to get the current state, removes what has disappeared from the list and adds what is new.
SetBroadcastAllowedPorts - Function creates allowed-broadcast-ports string from broadcast map and saves it.
SetEnableService - Sets whether SuSEfirewall2 should be enabled in the /etc/init.d/ start scripts during the Write() process.
SetFirewallKernelModules - Sets list of additional kernel modules to be loaded by firewall on startup.
SetIgnoreLoggingBroadcast - Sets ("yes"/"no") whether broadcast packets are ignored in the logging of the zone.
SetInstallPackagesIfMissing - By default SuSEfirewall2 packages are just checked whether they are installed. With this function, you can change the behavior to also offer installing the packages.
SetLoggingSettings - Function sets state of logging for rule taken as parameter.
SetMasquerade - Function sets Masquerade support.
SetModified - Sets the internal "firewall settings were modified" flag to true.
SetProtectFromInternalZone - Function sets if firewall should be protected from internal zone.
SetServices - Function sets status for several services on several network interfaces.
SetServicesAcceptRelated - Sets FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.
SetServicesForZones - Function sets status for several services in several firewall zones.
SetStartService - Function which sets if SuSEfirewall should start in Write process.
SetSupportRoute - Function sets if firewall should support routing.
SetTrustIPsecAs - Sets how the firewall should trust successfully decrypted IPsec packets: either a zone name (shortname), meaning such packets are treated as coming from that zone, or 'no', meaning they are trusted the same as the zone the IPsec packet arrived from.
StartServices - Starts the services needed by SuSEFirewall
StopServices - Stops the services needed by SuSEFirewall
SuSEFirewallIsInstalled - Returns whether all needed packages are installed.
Write - Writes and activates the configuration; it is the union of WriteConfiguration() and ActivateConfiguration().
WriteConfiguration - Writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to SetEnableService(boolean). This only writes the configuration: the firewall is never started, only enabled or disabled.
WriteOnly - Helper function for the backward compatibility. See WriteConfiguration(). Remove from code ASAP.
List of Global Variables
max_port_number - Maximum port number; valid ports are in the interval 1-65535 inclusive
special_all_interface_string - String which includes all interfaces not-defined in any zone
special_all_interface_zone - Zone which works with the special_all_interface_string string
Stops the firewall and, if it is configured to run (see SetStartService(boolean)), starts it again immediately.
Return value
boolean - if successful
Adds forward into masquerade rule.
Function parameters
string source_net
string forward_to_ip
string protocol
string req_port
string redirect_to_port
string requested_ip
Return value
void
Adds the interface into the given zone. All occurrences of the interface in other zones are removed.
Function parameters
string interface
string zone
Return value
void
Adds the service into the selected zone (or the zone of the given interface) for the selected protocol. The function takes port aliases into account: it first removes all of them, then adds the service.
Function parameters
string service
string protocol
string interface
Return value
boolean - success
Adds a special string (e.g., 'any') into the given zone.
Function parameters
string interface
string zone
Return value
void
Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable.
Return value
void
See also:
https://bugzilla.novell.com/show_bug.cgi?id=154133
https://bugzilla.novell.com/show_bug.cgi?id=233934
https://bugzilla.novell.com/show_bug.cgi?id=375482
Converts old built-in service definitions to services defined by packages.
Return value
void
See also:
#bnc 399217
Disables the services needed by SuSEFirewall in /etc/init.d/
Return value
boolean - result
Enables the services needed by SuSEFirewall in /etc/init.d/
Return value
boolean - result
Function for getting exported SuSEFirewall configuration
Return value
map <string, any> - with configuration
Returns the list of rules describing protocols and ports that may be accessed from the listed hosts. Everything is returned as a single string. The zone must be given.
Function parameters
string zone
Return value
string - with rules
Returns the list of services/ports that are not assigned to any fully supported known service. This function does not check services defined by packages; those are listed differently.
Function parameters
string protocol
string zone
Return value
list <string> - of additional (unassigned) services
Function returns list of dial-up interfaces.
Return value
list <string> - of dial-up interface names
Function returns list of maps of known interfaces.
Return value
list <map <string, string> > - of all interfaces
[ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]
Function returns list of non-dial-up interfaces.
Return value
list <string> - of non-dial-up interface names
Returns a map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports of that zone also accept broadcast packets. Only ports mentioned directly in the configuration are returned; ports that come from an enabled service defined by a package are not.
Return value
map <string, list <string> > - strings are allowed ports or port ranges
$[ "ZONE1" : [ "port1", "port2" ], "ZONE2" : [ "port3", "port4" ], "ZONE3" : [ ] ]
Returns whether SuSEfirewall2 should be enabled in the /etc/init.d/ start scripts during the Write() process.
Return value
boolean - if the firewall should start
See also:
Write()
EnableServices()
Function returns all interfaces already configured in firewall.
Return value
list<string> - of configured interfaces
Function returns map of `interfaces in zones`.
Return value
map <string, list <string> > - interface in zones
map $[zone : [list of interfaces]]
Returns list of additional kernel modules, that are loaded by firewall on startup. For instance "ip_conntrack_ftp" and "ip_nat_ftp" for FTP service.
Return value
list <string> - of kernel modules
See also:
/etc/sysconfig/SuSEfirewall2 option nr. 32 (FW_LOAD_MODULES)
Returns "yes" or "no": whether broadcast packets are ignored in the logging of the zone.
Function parameters
string zone
Return value
string - "yes" or "no"
Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.
Function parameters
string zone
Return value
list<string> - of interfaces
Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.
Function parameters
string zone
Return value
list<string> - of interfaces
Function returns list of known firewall zones (shortnames)
Return value
list <string> - of firewall zones
Function returns list of rules of forwarding ports to masqueraded IPs.
Return value
list <map <string, string> > - list of rules
list [$[ key: value ]]
Example 105.
GetListOfForwardsIntoMasquerade() -> [ $[ "forward_to":"172.24.233.1", "protocol":"tcp", "req_ip":"192.168.0.3", "req_port":"355", "source_net":"192.168.0.0/20", "to_port":"533"], ... ]
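The map shown above is what the module hands out; the on-disk form is one comma-separated rule per word. The following Python is an added example (not code from the YaST module) that parses and edits such rules with the same field order AddForwardIntoMasqueradeRule() takes. It assumes the FW_FORWARD_MASQ format of /etc/sysconfig/SuSEfirewall2, source_net,forward_to_ip,protocol,req_port[,redirect_to_port[,requested_ip]], which this page does not spell out, and the defaults chosen for the two optional fields are the example's own. The sample value is constructed.

```python
"""Forward-into-masquerade rules, as stored in FW_FORWARD_MASQ.

Added example, not code from the YaST SuSEFirewall module.  Assumed format
(from /etc/sysconfig/SuSEfirewall2, not from this page), one rule per
whitespace-separated word:

    source_net,forward_to_ip,protocol,req_port[,redirect_to_port[,requested_ip]]

Dictionary keys follow the GetListOfForwardsIntoMasquerade() example.
"""
import ipaddress

MAX_PORT_NUMBER = 65535  # the module's max_port_number


def _port(value):
    """Validate a single port string and return it normalised."""
    if not value.isdigit() or not 1 <= int(value) <= MAX_PORT_NUMBER:
        raise ValueError(f"invalid port {value!r}")
    return str(int(value))


def _network(value):
    """Accept the SuSEfirewall2 shorthand '0/0' as well as CIDR/host notation."""
    text = "0.0.0.0/0" if value == "0/0" else value
    return str(ipaddress.ip_network(text, strict=False))


def parse_forward_masq(value):
    """Turn the variable's string into a list of rule maps."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if not 4 <= len(fields) <= 6:
            raise ValueError(f"malformed rule {entry!r}")
        source_net, forward_to, protocol, req_port = fields[:4]
        if protocol.lower() not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {protocol!r}")
        # Assumption made for this example: a missing redirect port means
        # "same port", a missing requested IP means "any address of the firewall".
        to_port = fields[4] if len(fields) > 4 and fields[4] else req_port
        req_ip = fields[5] if len(fields) > 5 else ""
        rules.append({
            "source_net": _network(source_net),
            "forward_to": str(ipaddress.ip_address(forward_to)),
            "protocol": protocol.lower(),
            "req_port": _port(req_port),
            "to_port": _port(to_port),
            "req_ip": str(ipaddress.ip_address(req_ip)) if req_ip else "",
        })
    return rules


def format_forward_masq(rules):
    """Inverse of parse_forward_masq(): serialise rule maps back to the variable."""
    entries = []
    for r in rules:
        fields = [r["source_net"], r["forward_to"], r["protocol"], r["req_port"], r["to_port"]]
        if r["req_ip"]:
            fields.append(r["req_ip"])
        entries.append(",".join(fields))
    return " ".join(entries)


def add_forward_into_masquerade_rule(rules, source_net, forward_to_ip, protocol,
                                     req_port, redirect_to_port="", requested_ip=""):
    """Same parameter order as AddForwardIntoMasqueradeRule(); returns a new list."""
    entry = ",".join([source_net, forward_to_ip, protocol, req_port,
                      redirect_to_port, requested_ip]).rstrip(",")
    return rules + parse_forward_masq(entry)


def remove_forward_into_masquerade_rule(rules, remove_item):
    """Like RemoveForwardIntoMasqueradeRule(): drop the rule at the given index."""
    if not 0 <= remove_item < len(rules):
        raise IndexError(f"no forward rule at index {remove_item}")
    return rules[:remove_item] + rules[remove_item + 1:]


def rules_open_to_everyone(rules):
    """Rules whose source network is 0/0: the forwarded host is reachable from
    the whole external zone, which is the case to review before Write()."""
    return [r for r in rules if r["source_net"] == "0.0.0.0/0"]


if __name__ == "__main__":
    SAMPLE = ("192.168.0.0/20,172.24.233.1,tcp,355,533,192.168.0.3 "
              "0/0,10.0.0.5,tcp,443")  # constructed sample value
    rules = parse_forward_masq(SAMPLE)
    print(rules)
    print(format_forward_masq(rules))
    print(rules_open_to_everyone(rules))
```

The first sample rule round-trips into exactly the map of Example 105; the second shows why a 0/0 source deserves a look before the configuration is written, since it publishes the masqueraded host to every address in the external zone.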
Function returns list of all known interfaces.
Return value
list <string> - of interfaces
Returns the current logging state for the rule given as parameter.
Function parameters
string rule
Return value
string - 'ALL', 'CRIT', or 'NONE'
Returns the current state of masquerading support.
Return value
boolean - if supported
Returns whether the firewall configuration was modified.
Return value
boolean - if the configuration was modified
Function returns if firewall is protected from internal zone.
Return value
boolean - if protected from internal
Returns translated protocol name. Translation is provided from SuSEfirewall2 sysconfig format to l10n format.
Function parameters
string protocol
Return value
string - translated string (e.g., RPC)
Function returns map of supported services in all firewall zones.
Function parameters
list<string> services
Return value
map <string, map <string, boolean> > -
Returns $[service : $[ zone_name : supported_status]]
Example 108.
// The firewall is not protected from the internal zone, that's why
// all services report that they are enabled in the INT zone
GetServices (["samba-server", "service:irc-server"]) ->
  $[
    "samba-server" : $["DMZ":false, "EXT":false, "INT":true],
    "service:irc-server" : $["DMZ":false, "EXT":true, "INT":true]
  ]
Returns list of FW_SERVICES_ACCEPT_RELATED_*: Services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.
Function parameters
string zone
Return value
list <string> - list of definitions
See also:
SetServicesAcceptRelated()
Returns a map of supported services on all network interfaces.
Function parameters
list<string> services
Return value
map <string, map <string, boolean> > -
Returns $[service : $[ interface : supported_status ]]
Example 110.
GetServicesInZones (["service:irc-server"]) -> $["service:irc-server":$["eth1":true]]
// No such service "something"
GetServicesInZones (["something"]) -> $["something":$["eth1":nil]]
GetServicesInZones (["samba-server"]) -> $["samba-server":$["eth1":false]]
Returns the list of special strings like 'any' or 'auto' and of unknown interfaces in the zone.
Function parameters
string zone
Return value
list <string> - special strings or unknown interfaces
Returns whether SuSEfirewall2 should be started during the Write() process, i.e., whether it will be running when Write() finishes.
Return value
boolean - if the firewall should start
Function returns if firewall supports routing.
Return value
boolean - if route is supported
Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.
Return value
string - zone or "no"
Function returns localized name of the zone identified by zone shortname.
Function parameters
string zone
Return value
string - zone name
Example 112.
LANG=en_US GetZoneFullName ("EXT") -> "External Zone"
LANG=cs_CZ GetZoneFullName ("EXT") -> "Externí Zóna"
Returns the firewall zone of the interface, nil if no zone includes it. If the interface is found in several zones, an error is reported and the first zone it appears in is returned.
Function parameters
string interface
Return value
string - zone
Function returns list of zones of requested interfaces
Function parameters
list<string> interfaces
Return value
list<string> - firewall zones
Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.
Function parameters
list<string> interfaces
Return value
list<string> - firewall zones
Returns whether the requested service is allowed in the respective zone. The function takes the service's aliases into account (TCP and UDP only). A service is defined by a set of parameters such as port and protocol.
Function parameters
string service
string protocol
string interface
Return value
boolean - if service is allowed
Example 116.
HaveService ("ssh", "TCP", "EXT") -> true
HaveService ("ssh", "TCP", "modem0") -> false
HaveService ("53", "UDP", "dsl") -> false
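The alias handling is the part that bites in practice: a zone list may say "ssh" while the caller asks about "22", and RemoveService() (Example 120) has to strip both spellings or the port stays open. The following Python is an added example, not the module's code, that models HaveService(), AddService() and RemoveService() on a per-zone list. The zone lists stand for the FW_SERVICES_<ZONE>_<PROTO> variables of /etc/sysconfig/SuSEfirewall2 (named from the sysconfig file, not from this page), including its low:high range syntax; the /etc/services excerpt and the configuration are constructed. Unlike the module, it takes a zone name only, not an interface name.

```python
"""Service checks with port aliases, modelled on HaveService()/RemoveService().

Added example, not code from the YaST module.  Zone lists correspond to the
FW_SERVICES_<ZONE>_<PROTO> variables of /etc/sysconfig/SuSEfirewall2 (an
assumption about the sysconfig file; this page does not name them).
"""

# Constructed /etc/services excerpt used instead of the real file.
SERVICES_SNIPPET = """\
ssh             22/tcp
ssh             22/udp
domain          53/tcp
domain          53/udp
http            80/tcp    www www-http
https           443/tcp
"""

MAX_PORT_NUMBER = 65535  # the module's max_port_number

# Constructed configuration: FW_SERVICES_EXT_TCP="ssh www 1024:1030", FW_SERVICES_DMZ_TCP="443"
CONFIG = {
    "EXT": {"TCP": ["ssh", "www", "1024:1030"], "UDP": []},
    "DMZ": {"TCP": ["443"], "UDP": []},
}


def load_services(text):
    """Build (protocol, port) -> names and (protocol, name) -> port tables so
    that '22', 'ssh' and the www/http spellings resolve to each other."""
    by_port, by_name = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        names = [fields[0]] + fields[2:]
        by_port.setdefault((proto.lower(), int(port)), set()).update(names)
        for name in names:
            by_name[(proto.lower(), name)] = int(port)
    return by_port, by_name


def resolve_port(service, protocol, services):
    """Numeric port for a name or number, or None if unknown/out of range."""
    if service.isdigit():
        port = int(service)
        return port if 1 <= port <= MAX_PORT_NUMBER else None
    return services[1].get((protocol.lower(), service))


def aliases(service, protocol, services):
    """Every spelling of one service: its number plus all /etc/services names.
    Aliases only exist for TCP and UDP, as HaveService() documents."""
    port = resolve_port(service, protocol, services)
    if port is None or protocol.lower() not in ("tcp", "udp"):
        return {service}
    return {str(port)} | services[0].get((protocol.lower(), port), set())


def _token_matches(token, port):
    """A list token is a port number or a 'low:high' range (names are handled
    through aliases()); return whether it covers the given port."""
    if ":" in token:
        low, high = token.split(":", 1)
        return low.isdigit() and high.isdigit() and int(low) <= port <= int(high)
    return token.isdigit() and int(token) == port


def have_service(config, service, protocol, zone, services):
    """HaveService(): is the service, under any alias, allowed in the zone?"""
    port = resolve_port(service, protocol, services)
    if port is None:
        return False
    wanted = aliases(str(port), protocol, services)
    return any(t in wanted or _token_matches(t, port)
               for t in config.get(zone, {}).get(protocol.upper(), []))


def remove_service(config, service, protocol, zone, services):
    """RemoveService(): drop every alias of the service from the zone list.
    Returns False if the service is unknown or a range still covers the port,
    because then the port is still open after the call."""
    port = resolve_port(service, protocol, services)
    if port is None:
        return False
    wanted = aliases(str(port), protocol, services)
    tokens = config.setdefault(zone, {}).setdefault(protocol.upper(), [])
    tokens[:] = [t for t in tokens if t not in wanted]
    return not any(_token_matches(t, port) for t in tokens)


def add_service(config, service, protocol, zone, services):
    """AddService(): remove all alias spellings first, then store the service
    once, by port number, so the list holds a single canonical entry."""
    port = resolve_port(service, protocol, services)
    if port is None:
        return False
    remove_service(config, service, protocol, zone, services)
    config[zone][protocol.upper()].append(str(port))
    return True
```

The return value of remove_service() is the check worth keeping: a port that is still inside a range like 1024:1030 after the named entry is gone is not closed, and the caller should know that rather than trust the removal.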
Function for setting SuSEFirewall configuration from input
Function parameters
map <string, any> import_settings
Return value
void
Returns the list of interfaces not mentioned in any zone that are covered by the special string 'any', provided that string is present in zone 'EXT' and the requested zone is EXT. If the 'any' feature is not set, an empty list is returned.
Function parameters
string zone
Return value
list<string> - of interfaces covered by special string 'any'
See also:
IsAnyNetworkInterfaceSupported()
Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.
Return value
boolean - whether the 'any' feature is supported
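Two details of the zone functions above matter for review: an interface listed in several zones is an error that GetZoneOfInterface() resolves silently by taking the first hit, and 'any' in EXT pulls every interface with no zone assignment into the external zone. The following Python is an added example, not the module's code, that models GetZoneOfInterface(), AddInterfaceIntoZone(), GetInterfacesInZone(), GetSpecialInterfacesInZone(), IsAnyNetworkInterfaceSupported() and InterfacesSupportedByAnyFeature() on the $[zone : [list of interfaces]] map GetFirewallInterfacesMap() documents. It reads the map from FW_DEV_EXT/FW_DEV_INT/FW_DEV_DMZ lines (variable names taken from /etc/sysconfig/SuSEfirewall2, not from this page); the zone order used to pick the "first" zone and the sysconfig excerpt and interface list are the example's own.

```python
"""Interface-to-zone bookkeeping, modelled on the zone functions of the module.

Added example, not code from the YaST module.  FW_DEV_EXT/INT/DMZ are assumed
from /etc/sysconfig/SuSEfirewall2; KNOWN_ZONES fixes the order in which a
duplicate interface is resolved (an assumption, the module's order is not
documented on this page).
"""
import logging

SPECIAL_ALL_INTERFACE_STRING = "any"   # the module's special_all_interface_string
SPECIAL_ALL_INTERFACE_ZONE = "EXT"     # the module's special_all_interface_zone
SPECIAL_STRINGS = {"any", "auto"}
KNOWN_ZONES = ["EXT", "INT", "DMZ"]

log = logging.getLogger(__name__)

# Constructed excerpt of /etc/sysconfig/SuSEfirewall2: eth2 is (wrongly) in two zones.
SAMPLE_SYSCONFIG = '''\
# constructed sample
FW_DEV_EXT="eth0 any"
FW_DEV_INT="eth1 eth2"
FW_DEV_DMZ="eth2 vlan10"
'''
# Constructed list of interfaces the system actually has; vlan10 is not among them.
KNOWN_INTERFACES = ["eth0", "eth1", "eth2", "eth3", "modem0"]


def parse_fw_dev(sysconfig):
    """Read FW_DEV_<ZONE>="..." lines into $[zone : [tokens]]."""
    zones = {zone: [] for zone in KNOWN_ZONES}
    for line in sysconfig.splitlines():
        line = line.strip()
        for zone in KNOWN_ZONES:
            prefix = f"FW_DEV_{zone}="
            if line.startswith(prefix):
                zones[zone] = line[len(prefix):].strip('"').split()
    return zones


def interfaces_in_multiple_zones(zones):
    """Every interface that appears in more than one zone: the check to run
    before trusting any zone lookup."""
    seen = {}
    for zone in KNOWN_ZONES:
        for iface in zones.get(zone, []):
            seen.setdefault(iface, []).append(zone)
    return [iface for iface, hits in seen.items() if len(hits) > 1]


def zone_of_interface(zones, interface):
    """GetZoneOfInterface(): zone of the interface, None if unassigned.  A
    duplicate is logged as an error and the first zone in KNOWN_ZONES wins."""
    hits = [zone for zone in KNOWN_ZONES if interface in zones.get(zone, [])]
    if len(hits) > 1:
        log.error("interface %s found in zones %s, using %s", interface, hits, hits[0])
    return hits[0] if hits else None


def add_interface_into_zone(zones, interface, zone):
    """AddInterfaceIntoZone(): the interface ends up in exactly one zone."""
    for tokens in zones.values():
        while interface in tokens:
            tokens.remove(interface)
    zones.setdefault(zone, []).append(interface)


def interfaces_in_zone(zones, zone, known):
    """GetInterfacesInZone(): known interfaces only; 'any', 'auto' and unknown
    names are dropped."""
    return [i for i in zones.get(zone, []) if i in known and i not in SPECIAL_STRINGS]


def special_interfaces_in_zone(zones, zone, known):
    """GetSpecialInterfacesInZone(): the complement of interfaces_in_zone()."""
    return [i for i in zones.get(zone, []) if i in SPECIAL_STRINGS or i not in known]


def is_any_supported(zones):
    """IsAnyNetworkInterfaceSupported(): 'any' only counts in the EXT zone."""
    return SPECIAL_ALL_INTERFACE_STRING in zones.get(SPECIAL_ALL_INTERFACE_ZONE, [])


def interfaces_supported_by_any(zones, known):
    """InterfacesSupportedByAnyFeature(): known interfaces in no zone at all,
    which 'any' in EXT silently treats as external."""
    if not is_any_supported(zones):
        return []
    assigned = {i for tokens in zones.values() for i in tokens}
    return [i for i in known if i not in assigned]


def zone_of_interface_with_any(zones, interface, known):
    """GetZonesOfInterfacesWithAnyFeatureSupported() for a single interface."""
    zone = zone_of_interface(zones, interface)
    if zone is None and interface in interfaces_supported_by_any(zones, known):
        return SPECIAL_ALL_INTERFACE_ZONE
    return zone


if __name__ == "__main__":
    zones = parse_fw_dev(SAMPLE_SYSCONFIG)
    print(interfaces_in_multiple_zones(zones))                    # ['eth2']
    print(interfaces_supported_by_any(zones, KNOWN_INTERFACES))   # ['eth3', 'modem0']
```

Note what 'any' does to a freshly added interface: eth3 and modem0 are in no FW_DEV_* list, yet they are treated as external, which is the safe default for an unknown link but is worth noticing if one of them is in fact internal.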
Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().
Return value
boolean - if enabled
Function returns if the interface is in zone.
Function parameters
string interface
string zone
Return value
boolean - is in zone
Returns whether a firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to list the currently active rules and compares that output with the current status of SuSEfirewall2.
Return value
boolean - if other firewall is running
Returns whether the service is supported (allowed) in the zone. The service must be defined in SuSEFirewallServices. Works transparently with services defined by packages too; such services carry the "service:" prefix.
Function parameters
string service
string zone
Return value
boolean - if supported
Example 118.
// All ports defined by the dns-server service in the SuSEFirewallServices module
// are enabled in the respective zone
IsServiceSupportedInZone ("dns-server", "EXT") -> true
// The irc-server definition exists on the system and irc-server
// is mentioned in the FW_CONFIGURATIONS_EXT variable of SuSEfirewall2
IsServiceSupportedInZone ("service:irc-server", "EXT") -> true
See also:
YCP Module SuSEFirewallServices
Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().
Return value
boolean - if started
Function for reading SuSEFirewall configuration. Fills internal variables only.
Return value
boolean - if successful
Function removes rule for forwarding into masquerade from the list of current rules returned by GetListOfForwardsIntoMasquerade().
Function parameters
integer remove_item
Return value
void
See also:
GetListOfForwardsIntoMasquerade()
Function removes interface from defined zone.
Function parameters
string interface
string zone
Return value
void
Removes the service from the selected zone (or for the given interface) for the selected protocol. The function takes port aliases into account and removes all of them.
Function parameters
string service
string protocol
string interface
Return value
boolean - success
Example 120.
RemoveService ("22", "TCP", "DMZ") -> true
// is the same as
RemoveService ("ssh", "TCP", "DMZ") -> true
Function removes special string from defined zone.
Function parameters
string interface
string zone
Return value
void
Do not use this function. Only for firewall installation proposal.
Return value
void
Resets the flag that prevents the configuration from being read from disk again, so the configuration can be reread. Currently only the first Read() call reads the configuration from disk.
Return value
void
Saves the configuration and restarts the firewall. It is the same as Write(), but the write is always forced.
Return value
boolean - if successful
Sets expert allow rules for zone.
Function parameters
string zone
string expert_rules
Return value
boolean - if successful
Sets additional ports/services from the given list. First, all additional services are removed together with their aliases; then the new ports/protocols are added. The function uses GetAdditionalServices() to get the current state, removes what has disappeared from the list and adds what is new.
Function parameters
string protocol
string zone
list <string> new_list_services
Return value
void
See also:
GetAdditionalServices()
Function creates allowed-broadcast-ports string from broadcast map and saves it.
Function parameters
map <string, list <string> > broadcast
Return value
void
See also:
GetBroadcastAllowedPorts() for an example of data
Sets whether SuSEfirewall2 should be enabled in the /etc/init.d/ start scripts during the Write() process.
Function parameters
boolean enable_service
Return value
void
Sets list of additional kernel modules to be loaded by firewall on startup.
Function parameters
list <string> k_modules
Return value
void
See also:
/etc/sysconfig/SuSEfirewall2 option nr. 32
Sets ("yes"/"no") whether broadcast packets are ignored in the logging of the zone.
Function parameters
string zone
string bcast
Return value
void
By default SuSEfirewall2 packages are just checked whether they are installed. With this function, you can change the behavior to also offer installing the packages.
Function parameters
boolean new_status
Return value
void
Function sets state of logging for rule taken as parameter.
Function parameters
string rule
string state
Return value
void
Function sets Masquerade support.
Function parameters
boolean enable
Return value
void
Sets the internal "firewall settings were modified" flag to true.
Return value
void
Function sets if firewall should be protected from internal zone.
Function parameters
boolean set_protect
Return value
void
Function sets status for several services on several network interfaces.
Function parameters
list<string> services_ids
list<string> interfaces
boolean new_status
Return value
boolean - if successful
Example 125.
// Disabling services
SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], false)
// Enabling services
SetServices (["samba-server", "service:irc-server"], ["eth1", "modem0"], true)
See also:
SetServicesForZones()
Sets FW_SERVICES_ACCEPT_RELATED_*: services to allow that are considered RELATED by the connection tracking engine, e.g., SLP browsing reply or Samba browsing reply.
Function parameters
string zone
list <string> ruleset
Return value
void
See also:
GetServicesAcceptRelated()
Function sets status for several services in several firewall zones.
Function parameters
list<string> services_ids
list<string> firewall_zones
boolean new_status
Return value
boolean - if successful
Example 127.
SetServicesForZones (["samba-server", "service:irc-server"], ["DMZ", "EXT"], false);
SetServicesForZones (["samba-server", "service:irc-server"], ["EXT", "DMZ"], true);
See also:
GetServicesInZones()
GetServices()
Function which sets if SuSEfirewall should start in Write process.
Function parameters
boolean start_service
Return value
void
See also:
GetStartService()
Function sets if firewall should support routing.
Function parameters
boolean set_route
Return value
void
Sets how the firewall should trust successfully decrypted IPsec packets: either a zone name (shortname), meaning such packets are treated as coming from that zone, or 'no', meaning they are trusted the same as the zone the IPsec packet arrived from.
Function parameters
string zone
Return value
void
Starts the services needed by SuSEFirewall
Return value
boolean - result
Returns whether all needed packages are installed.
Return value
boolean - whether SuSEfirewall2 is installed
Writes and activates the configuration; it is the union of WriteConfiguration() and ActivateConfiguration().
Return value
boolean - if successful
Writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to SetEnableService(boolean). This only writes the configuration: the firewall is never started, only enabled or disabled.
Return value
boolean - if successful