263. SuSEFirewallExpertRules

Interface manipulation of /etc/sysconfig/SuSEFirewall (expert rules)

263.1. Authors

  • Lukas Ocilka <locilka@suse.cz>

263.2. Summary of Module Globals

List of Global Functions

  • AddNewAcceptRule - Adds a new accept rule. Possible keys of the params map are "network", "protocol", "dport" and "sport"; "network" and "protocol" are required.

  • DeleteRuleID - Deletes the custom rule with the given ID. The ID is the 0-based index of the rule in the list returned by GetListOfAcceptRules(). Every deletion regenerates the list, so the IDs of all later rules shift down by one.

  • GetAllExpertRulesProtocols - Returns list of all protocols accepted by the expert rules.

  • GetListOfAcceptRules - Returns a list of rules (maps) describing which protocols and ports may be accessed from which hosts. Every map carries "network" and "protocol"; "dport" and "sport" are optional and are returned as empty strings when undefined.

  • IsValidNetwork - Function checks the network definition used for firewall expert rules.

  • RemoveAcceptRule - Removes a single expert firewall rule.

  • ValidNetwork - Returns string of valid network definition.

List of Global Variables

    263.3. Global Functions

    263.3.1. AddNewAcceptRule

    Adds a new accept rule. Possible keys of the params map are "network", "protocol", "dport" and "sport"; "network" and "protocol" are required.

    Function parameters

    • string zone

    • map <string, string> params

    Return value

    • boolean - if successful

    Example 128. 

     AddNewAcceptRule (
         "EXT",
         $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
     ) -> true

    Note that this example matches only on the source port. A remote client chooses its own source port, so a client in 192.168.0.0/20 that connects from port 22 is admitted to every TCP port on the host. To open the local SSH port, set "dport":"22" instead.


    See also:

    • GetListOfAcceptRules()

    • RemoveAcceptRule()

    263.3.2. DeleteRuleID

    Deletes the custom rule with the given ID. The ID is the 0-based index of the rule in the list returned by GetListOfAcceptRules(). Every deletion regenerates the list, so the IDs of all later rules shift down by one; when deleting several rules, delete the highest ID first.

    Function parameters

    • string zone

    • integer rule_id

    Return value

    • boolean - if successful

    Example 129. 

     DeleteRuleID ("EXT", 0) -> true



    See also:

    • GetListOfAcceptRules()

    263.3.3. GetAllExpertRulesProtocols

    Returns list of all protocols accepted by the expert rules.

    Return value

    • list <string> - of protocols

    See also:

    • list <string> allowed_expert_protocols

    263.3.4. GetListOfAcceptRules

    Returns a list of rules (maps) describing which protocols and ports may be accessed from which hosts. Every map carries "network" and "protocol"; "dport" and "sport" are optional and are returned as empty strings when undefined.

    Function parameters

    • string zone

    Return value

    • list <map <string, string> > - of rules

    This might return, e.g.:

     [
         // All requests from 80.44.11.22 to TCP port 22
         $[ "network" : "80.44.11.22",   "protocol" : "tcp", "dport" : "22",  "sport" : ""   ],

         // All requests from network 80.44.11.0/24 to UDP port 53 originating on port 53
         $[ "network" : "80.44.11.0/24", "protocol" : "udp", "dport" : "53",  "sport" : "53" ],

         // All requests from network 0/0 (everywhere) to TCP port 443
         $[ "network" : "0/0",           "protocol" : "tcp", "dport" : "443", "sport" : ""   ],
     ]


    Example 130. 

     GetListOfAcceptRules("EXT") -> []   // no expert rules defined for zone EXT


    See also:

    • IsValidNetwork()

    263.3.5. IsValidNetwork

    Function checks the network definition used for firewall expert rules.

    Function parameters

    • string network

    Return value

    • boolean - if it is a valid network definition

    Example 131. 

     IsValidNetwork("192.168.0.1")               -> true
     IsValidNetwork("192.168.0.355")             -> false
     IsValidNetwork("192.168.0.0/24")            -> true
     IsValidNetwork("192.168.0.1/32")            -> true
     IsValidNetwork("192.168.0.1/0")             -> false
     IsValidNetwork("192.168.0.0/255.255.0.0")   -> true
     IsValidNetwork("192.168.0.0/255.255.333.0") -> false
     IsValidNetwork("192.168.0.0/255.255.224.0") -> true
     IsValidNetwork("0/0")                       -> true
    


    See also:

    • `man iptables`
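
    A stand-alone re-implementation of the IsValidNetwork check in Python, added here as an example; it is not the YaST module's code, which presumably delegates to the imported IP and Netmask modules. It accepts the four shapes Example 131 shows (A.B.C.D, A.B.C.D/prefix, A.B.C.D/netmask and the literal 0/0) and reproduces every verdict in that example. Two rules are assumptions derived from those verdicts rather than stated on the page: a prefix must lie in 1..32 (only the literal 0/0 is the wildcard), and a dotted netmask must be a contiguous run of ones followed by zeros, so 255.255.224.0 is valid but 255.255.160.0 is not.

```python
def _parse_ipv4(s):
    """Return the 32-bit value of a dotted quad, or None if it is malformed."""
    parts = s.split(".")
    if len(parts) != 4:
        return None
    value = 0
    for p in parts:
        if not p.isdigit() or len(p) > 3:
            return None
        n = int(p)
        if n > 255:          # catches 192.168.0.355 and 255.255.333.0
            return None
        value = (value << 8) | n
    return value


def _is_contiguous_mask(mask):
    """True for 1...10...0 (or all ones); the all-zero mask is rejected."""
    if mask == 0:
        return False
    # Inverting a contiguous mask gives 0...01...1, which is one less than
    # a power of two, so inv & (inv + 1) must be zero.
    inv = (~mask) & 0xFFFFFFFF
    return (inv & (inv + 1)) == 0


def is_valid_network(network):
    """Like IsValidNetwork: host, CIDR, IP/netmask or the wildcard 0/0."""
    if network == "0/0":
        return True
    if "/" not in network:
        return _parse_ipv4(network) is not None
    addr, _, suffix = network.partition("/")
    if _parse_ipv4(addr) is None or "/" in suffix:
        return False
    if suffix.isdigit():
        # Assumption: /0 is rejected, only "0/0" denotes everywhere.
        return 1 <= int(suffix) <= 32
    mask = _parse_ipv4(suffix)
    return mask is not None and _is_contiguous_mask(mask)


if __name__ == "__main__":
    for candidate in ("192.168.0.1", "192.168.0.355", "192.168.0.0/24",
                      "192.168.0.1/0", "192.168.0.0/255.255.224.0",
                      "192.168.0.0/255.255.160.0", "0/0"):
        print("%-28s -> %s" % (candidate, is_valid_network(candidate)))
```

    Validating the network string before it reaches the sysconfig file matters because the entries are later expanded into iptables arguments; rejecting anything that is not one of the four shapes keeps stray characters out of the generated rules.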

    263.3.6. RemoveAcceptRule

    Removes a single expert firewall rule.

    Function parameters

    • string zone

    • map <string, string> params

    Return value

    • boolean - if successful

    Example 132. 

     RemoveAcceptRule (
         "EXT",
         $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
     ) -> true


    See also:

    • GetListOfAcceptRules() for possible keys in map

    • AddNewAcceptRule()

    263.3.7. ValidNetwork

    Returns string of valid network definition.

    Return value

    • string - describing the valid network.

    263.4. Global Variables

    263.5. Module Requirements

    263.5.1. Module Imports

    • IP
    • Netmask
    • SuSEFirewall

    263.5.2. Module Includes