229. SuSEFirewall

Interface manipulation of /etc/sysconfig/SuSEFirewall

229.1. Summary of Module Globals

List of Global Functions

  • ActivateConfiguration - Function which stops the firewall, then starts it immediately if the firewall is set to be started: see SetStartService(boolean).

  • AddForwardIntoMasqueradeRule - Adds forward into masquerade rule.

  • AddInterfaceIntoZone - Function adds an interface into the defined zone. All appearances of the interface in other zones are removed.

  • AddService - Function adds a service into the selected zone (or the zone of the interface) for the selected protocol. The function takes care of port aliases: first of all, it removes all of them.

  • AddSpecialInterfaceIntoZone - Function adds a special string into the defined zone.

  • AddXenSupport - Function adds a special interface into the FW_FORWARD_ALWAYS_INOUT_DEV variable

  • DisableServices - Function disables the services needed for SuSEFirewall in /etc/init.d/

  • EnableServices - Function enables the services needed for SuSEFirewall in /etc/init.d/

  • Export - Function for getting exported SuSEFirewall configuration

  • GetAdditionalServices - This powerful function returns the list of services/ports which are not assigned to any fully-supported known service.

  • GetAllDialUpInterfaces - Function returns list of dial-up interfaces.

  • GetAllKnownInterfaces - Function returns list of maps of known interfaces.

  • GetAllNonDialUpInterfaces - Function returns list of non-dial-up interfaces.

  • GetBroadcastAllowedPorts - Function returns a map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets.

  • GetEnableService - Function which returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during the Write() process.

  • GetFirewallInterfaces - Function returns all interfaces already configured in the firewall.

  • GetFirewallInterfacesMap - Function returns map of `interfaces in zones`.

  • GetIgnoreLoggingBroadcast - Function returns yes/no: whether broadcast logging is ignored for the zone.

  • GetInterfacesInZone - Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

  • GetInterfacesInZoneSupportingAnyFeature - Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.

  • GetKnownFirewallZones - Function returns list of known firewall zones (shortnames)

  • GetListOfForwardsIntoMasquerade - Function returns list of rules of forwarding ports to masqueraded IPs.

  • GetListOfKnownInterfaces - Function returns list of all known interfaces.

  • GetLoggingSettings - Function returns actual state of logging for rule taken as parameter.

  • GetMasquerade - Function returns actual state of Masquerading support.

  • GetModified - Function returns whether the firewall's configuration was modified.

  • GetProtectFromInternalZone - Function returns whether the firewall is protected from the internal zone.

  • GetServices - Function returns map of supported services in all firewall zones.

  • GetServicesInZones - Function returns a map of supported services in all network interfaces.

  • GetSpecialInterfacesInZone - Function returns a list of special strings like 'any' or 'auto' and unknown interfaces.

  • GetStartService - Function which returns if SuSEfirewall should start in Write process

  • GetSupportRoute - Function returns if firewall supports routing.

  • GetTrustIPsecAs - Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

  • GetZoneFullName - Function returns name of the zone identified by zone shortname.

  • GetZoneOfInterface - Function returns the firewall zone of the interface, or nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first appearance is then returned.

  • GetZonesOfInterfaces - Function returns list of zones of requested interfaces

  • GetZonesOfInterfacesWithAnyFeatureSupported - Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

  • HaveService - Function returns if requested service is allowed in respective zone. Function takes care for service's aliases (only for TCP and UDP).

  • Import - Function for setting SuSEFirewall configuration from input

  • InterfacesSupportedByAnyFeature - Returns the list of interfaces not mentioned in any zone and covered by the special string 'any' in zone 'EXT', if that string is present there and the requested zone is EXT.

  • IsAnyNetworkInterfaceSupported - Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

  • IsEnabled - Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().

  • IsInterfaceInZone - Function returns if the interface is in zone.

  • IsOtherFirewallRunning - Function returns whether any firewall other than SuSEfirewall2 is currently running on the system. It uses the command `iptables` to get information about the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

  • IsServiceSupportedInZone - Function returns if service is supported (allowed) in zone. Service must be defined in the SuSEFirewallServices.

  • IsStarted - Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().

  • Read - Function for reading SuSEFirewall configuration. Fills internal variables only.

  • RemoveForwardIntoMasqueradeRule - Function removes rule for forwarding into masquerade from the list of current rules.

  • RemoveInterfaceFromZone - Function removes interface from defined zone.

  • RemoveService - Function removes a service from the selected zone (or for the interface) for the selected protocol. The function takes care of port aliases and removes all of them.

  • RemoveSpecialInterfaceFromZone - Function removes special string from defined zone.

  • ResetReadFlag - Function resets the flag that prevents reading the configuration from disk again.

  • SaveAndRestartService - Function for saving the configuration and restarting the firewall. It is the same as Write(), but the write is always forced.

  • SetAdditionalServices - Function sets additional ports/services from the given list. First, all additional services are removed together with their aliases. Second, the new ports/protocols are added.

  • SetBroadcastAllowedPorts - Function creates allowed-broadcast-ports string from broadcast map and saves it.

  • SetEnableService - Function which sets if SuSEfirewall should start in Write process

  • SetIgnoreLoggingBroadcast - Function sets yes/no: whether broadcast logging is ignored for the zone.

  • SetLoggingSettings - Function sets state of logging for rule taken as parameter.

  • SetMasquerade - Function sets Masquerade support.

  • SetModified - Function sets the internal variable which indicates that "firewall settings were modified" to "true".

  • SetProtectFromInternalZone - Function sets if firewall should be protected from internal zone.

  • SetServices - Function sets status for several services in several network interfaces.

  • SetServicesForZones - Function sets status for several services in several firewall zones.

  • SetStartService - Function which sets if SuSEfirewall should start in Write process

  • SetSupportRoute - Function sets if firewall should support routing.

  • SetTrustIPsecAs - Function sets how the firewall should trust successfully decrypted IPsec packets. The value should be a zone name (shortname), or 'no' to trust such packets the same way the firewall trusts the zone from which the IPsec packet came.

  • StartServices - Function starts the services needed for SuSEFirewall

  • StopServices - Function stops the services needed for SuSEFirewall

  • Write - Function for writing and enabling the configuration; it is a union of WriteConfiguration() and ActivateConfiguration().

  • WriteConfiguration - Function writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the setting SetEnableService(boolean). This is a write-only operation: the firewall is never started, only enabled or disabled.

  • WriteOnly - Helper function for the backward compatibility. See WriteConfiguration(). Remove from code ASAP.

List of Global Variables

229.2. Global Functions

229.2.1. ActivateConfiguration

Function which stops the firewall, then starts it immediately if the firewall is set to be started: see SetStartService(boolean).

Return value

  • boolean - if successful

229.2.2. AddForwardIntoMasqueradeRule

Adds forward into masquerade rule.

Function parameters

  • string source_net

  • string forward_to_ip

  • string protocol

  • string req_port

  • string redirect_to_port

  • string requested_ip

Return value

  • void

229.2.3. AddInterfaceIntoZone

Function adds an interface into the defined zone. All appearances of the interface in other zones are removed.

Function parameters

  • string interface

  • string zone

Return value

  • void

229.2.4. AddService

Function adds a service into the selected zone (or the zone of the interface) for the selected protocol. The function takes care of port aliases: first of all, it removes all of them.

Function parameters

  • string service

  • string protocol

  • string interface

Return value

  • boolean - success

229.2.5. AddSpecialInterfaceIntoZone

Function adds a special string into the defined zone.

Function parameters

  • string interface

  • string zone

Return value

  • void

229.2.6. AddXenSupport

Function adds a special interface into the FW_FORWARD_ALWAYS_INOUT_DEV variable

Return value

  • void

229.2.7. DisableServices

Function disables the services needed for SuSEFirewall in /etc/init.d/

Return value

  • boolean - result

229.2.8. EnableServices

Function enables the services needed for SuSEFirewall in /etc/init.d/

Return value

  • boolean - result

229.2.9. Export

Function for getting exported SuSEFirewall configuration

Return value

  • map <string, any> - with configuration

229.2.10. GetAdditionalServices

This powerful function returns the list of services/ports which are not assigned to any fully-supported known service.

Function parameters

  • string protocol

  • string zone

Return value

  • list <string> - of additional (unassigned) services

229.2.11. GetAllDialUpInterfaces

Function returns list of dial-up interfaces.

Return value

  • list <string> - of dial-up interface names

229.2.12. GetAllKnownInterfaces

Function returns list of maps of known interfaces.

Return value

  • list <map <string, string> >

[ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

229.2.13. GetAllNonDialUpInterfaces

Function returns list of non-dial-up interfaces.

Return value

  • list <string> - of non-dial-up interface names

229.2.14. GetBroadcastAllowedPorts

Function returns a map of allowed broadcast ports (without aliases). If the list for a zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets.

Return value

  • map <string, list <string> > - zone -> list of strings, where the strings are allowed ports or port ranges

229.2.15. GetEnableService

Function which returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during the Write() process.

Return value

  • boolean - if the firewall should start

229.2.16. GetFirewallInterfaces

Function returns all interfaces already configured in the firewall.

Return value

  • list<string> - of configured interfaces

229.2.17. GetFirewallInterfacesMap

Function returns map of `interfaces in zones`.

Return value

  • map <string, list <string> >

map $[zone : [list of interfaces]]

229.2.18. GetIgnoreLoggingBroadcast

Function returns yes/no: whether broadcast logging is ignored for the zone.

Function parameters

  • string zone

Return value

  • string

229.2.19. GetInterfacesInZone

Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

Function parameters

  • string zone

Return value

  • list<string> - of interfaces

229.2.20. GetInterfacesInZoneSupportingAnyFeature

Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.

Function parameters

  • string zone

Return value

  • list<string> - of interfaces

229.2.21. GetKnownFirewallZones

Function returns list of known firewall zones (shortnames)

Return value

  • list <string> - of firewall zones

229.2.22. GetListOfForwardsIntoMasquerade

Function returns list of rules of forwarding ports to masqueraded IPs.

Return value

  • list <map <string, string> >

list [$[ key: value ]]

229.2.23. GetListOfKnownInterfaces

Function returns list of all known interfaces.

Return value

  • list <string> - of interfaces

229.2.24. GetLoggingSettings

Function returns actual state of logging for rule taken as parameter.

Function parameters

  • string rule

Return value

  • string - 'ALL', 'CRIT', or 'NONE'

229.2.25. GetMasquerade

Function returns actual state of Masquerading support.

Return value

  • boolean - if supported

229.2.26. GetModified

Function returns whether the firewall's configuration was modified.

Return value

  • boolean - if the configuration was modified

229.2.27. GetProtectFromInternalZone

Function returns whether the firewall is protected from the internal zone.

Return value

  • boolean - if protected from internal

229.2.28. GetServices

Function returns map of supported services in all firewall zones.

Function parameters

  • list<string> services

Return value

  • map <string, map <string, boolean> > - <string, map <string : boolean> >

Returns $[service : $[ zone_name : supported_status]]

229.2.29. GetServicesInZones

Function returns a map of supported services in all network interfaces.

Function parameters

  • list<string> services

Return value

  • map <string, map <string, boolean> > - <string, map <string : boolean> >

Returns $[service : $[ interface : supported_status ]]

229.2.30. GetSpecialInterfacesInZone

Function returns a list of special strings like 'any' or 'auto' and unknown interfaces.

Function parameters

  • string zone

Return value

  • list <string> - special strings or unknown interfaces

229.2.31. GetStartService

Function which returns if SuSEfirewall should start in Write process

Return value

  • boolean - if the firewall should start

229.2.32. GetSupportRoute

Function returns if firewall supports routing.

Return value

  • boolean - if route is supported

229.2.33. GetTrustIPsecAs

Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

Return value

  • string - zone or "no"

229.2.34. GetZoneFullName

Function returns name of the zone identified by zone shortname.

Function parameters

  • string zone

Return value

  • string - zone name

229.2.35. GetZoneOfInterface

Function returns the firewall zone of the interface, or nil if no zone includes the interface. An error is reported when the interface is found in multiple firewall zones; the first appearance is then returned.

Function parameters

  • string interface

Return value

  • string - zone

229.2.36. GetZonesOfInterfaces

Function returns list of zones of requested interfaces

Function parameters

  • list<string> interfaces

Return value

  • list<string>

229.2.37. GetZonesOfInterfacesWithAnyFeatureSupported

Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

Function parameters

  • list<string> interfaces

Return value

  • list<string>

229.2.38. HaveService

Function returns if requested service is allowed in respective zone. Function takes care for service's aliases (only for TCP and UDP).

Function parameters

  • string service

  • string protocol

  • string interface

Return value

  • boolean - if service is allowed

229.2.39. Import

Function for setting SuSEFirewall configuration from input

Function parameters

  • map <string, any> import_settings

Return value

  • void

229.2.40. InterfacesSupportedByAnyFeature

Returns the list of interfaces not mentioned in any zone and covered by the special string 'any' in zone 'EXT', if that string is present there and the requested zone is EXT.

Function parameters

  • string zone

Return value

  • list<string> - of interfaces covered by special string 'any'
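The zone-lookup rules documented for GetZoneOfInterface() (first zone wins, further hits are an error), GetInterfacesInZone()/GetSpecialInterfacesInZone() and InterfacesSupportedByAnyFeature() ('any' in EXT covers unassigned interfaces), as an added Python example that is not the YaST module's own code. It assumes the zone device variables are FW_DEV_EXT, FW_DEV_INT and FW_DEV_DMZ, checked in that order, and the sample configuration and interface list are constructed; the lookup returns the extra zones as a second value instead of reporting an error.

```python
import re
import shlex

# Zone device variables of SuSEfirewall2's sysconfig file (assumption for this example);
# the order EXT, INT, DMZ used for "first appearance" is assumed as well.
ZONE_VARS = {"EXT": "FW_DEV_EXT", "INT": "FW_DEV_INT", "DMZ": "FW_DEV_DMZ"}
SPECIAL_ALL_INTERFACE_STRING = "any"    # special_all_interface_string
SPECIAL_ALL_INTERFACE_ZONE = "EXT"      # special_all_interface_zone

# Constructed sample configuration, not a real /etc/sysconfig/SuSEFirewall2.
SAMPLE_CONFIG = """\
## SuSEfirewall2 zone assignment (constructed sample)
FW_DEV_EXT="eth0 any"
# eth0 is listed in INT as well: the misconfiguration the lookup must flag
FW_DEV_INT="eth1 eth0"
FW_DEV_DMZ=""
"""
# Interfaces the system knows about (YaST would take these from NetworkDevices).
KNOWN_INTERFACES = ["eth0", "eth1", "eth2", "wlan0"]

def parse_sysconfig(text):
    """Return {VAR: value} from KEY="value" lines; comments and blank lines are skipped."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:  # shlex strips the surrounding quotes the way the shell would
            result[m.group(1)] = " ".join(shlex.split(m.group(2)))
    return result

def interfaces_map(cfg):
    """Like GetFirewallInterfacesMap(): zone -> strings as they appear in the config."""
    return {zone: cfg.get(var, "").split() for zone, var in ZONE_VARS.items()}

def interfaces_in_zone(cfg, zone, known=KNOWN_INTERFACES):
    """Like GetInterfacesInZone(): known interfaces only; specials and unknown names dropped."""
    return [i for i in interfaces_map(cfg).get(zone, []) if i in known]

def special_interfaces_in_zone(cfg, zone, known=KNOWN_INTERFACES):
    """Like GetSpecialInterfacesInZone(): special strings ('any', 'auto') and unknown names."""
    return [i for i in interfaces_map(cfg).get(zone, []) if i not in known]

def zone_of_interface(cfg, iface):
    """Like GetZoneOfInterface(): (first zone listing iface or None, further zones listing it).
    A non-empty second element is the error case the module reports before returning the first."""
    hits = [zone for zone, ifaces in interfaces_map(cfg).items() if iface in ifaces]
    return (hits[0] if hits else None), hits[1:]

def is_any_network_interface_supported(cfg):
    """Like IsAnyNetworkInterfaceSupported(): the string 'any' must be in the EXT zone."""
    return SPECIAL_ALL_INTERFACE_STRING in interfaces_map(cfg)[SPECIAL_ALL_INTERFACE_ZONE]

def interfaces_supported_by_any_feature(cfg, zone, known=KNOWN_INTERFACES):
    """Like InterfacesSupportedByAnyFeature(): known interfaces in no zone, covered by 'any'."""
    if zone != SPECIAL_ALL_INTERFACE_ZONE or not is_any_network_interface_supported(cfg):
        return []
    assigned = {i for ifaces in interfaces_map(cfg).values() for i in ifaces}
    return [i for i in known if i not in assigned]

if __name__ == "__main__":
    cfg = parse_sysconfig(SAMPLE_CONFIG)
    for iface in KNOWN_INTERFACES:
        zone, extra = zone_of_interface(cfg, iface)
        print(iface, "->", zone, "(error: also in %s)" % extra if extra else "")
    print("covered by 'any' in EXT:", interfaces_supported_by_any_feature(cfg, "EXT"))
```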

229.2.41. IsAnyNetworkInterfaceSupported

Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

Return value

  • boolean - whether the feature is supported

229.2.42. IsEnabled

Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().

Return value

  • boolean - if enabled

229.2.43. IsInterfaceInZone

Function returns if the interface is in zone.

Function parameters

  • string interface

  • string zone

Return value

  • boolean - is in zone

229.2.44. IsOtherFirewallRunning

Function returns whether any firewall other than SuSEfirewall2 is currently running on the system. It uses the command `iptables` to get information about the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

Return value

  • boolean - if other firewall is running

229.2.45. IsServiceSupportedInZone

Function returns if service is supported (allowed) in zone. Service must be defined in the SuSEFirewallServices.

Function parameters

  • string service

  • string zone

Return value

  • boolean - if supported

229.2.46. IsStarted

Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().

Return value

  • boolean - if started

229.2.47. Read

Function for reading SuSEFirewall configuration. Fills internal variables only.

Return value

  • boolean

229.2.48. RemoveForwardIntoMasqueradeRule

Function removes rule for forwarding into masquerade from the list of current rules.

Function parameters

  • integer remove_item

Return value

  • void

229.2.49. RemoveInterfaceFromZone

Function removes interface from defined zone.

Function parameters

  • string interface

  • string zone

Return value

  • void

229.2.50. RemoveService

Function removes a service from the selected zone (or for the interface) for the selected protocol. The function takes care of port aliases and removes all of them.

Function parameters

  • string service

  • string protocol

  • string interface

Return value

  • boolean - success

229.2.51. RemoveSpecialInterfaceFromZone

Function removes special string from defined zone.

Function parameters

  • string interface

  • string zone

Return value

  • void

229.2.52. ResetReadFlag

Function resets the flag that prevents reading the configuration from disk again.

Return value

  • void

229.2.53. SaveAndRestartService

Function for saving the configuration and restarting the firewall. It is the same as Write(), but the write is always forced.

Return value

  • boolean - if successful

229.2.54. SetAdditionalServices

Function sets additional ports/services from the given list. First, all additional services are removed together with their aliases. Second, the new ports/protocols are added.

Function parameters

  • string protocol

  • string zone

  • list <string> new_list_services

Return value

  • void

229.2.55. SetBroadcastAllowedPorts

Function creates allowed-broadcast-ports string from broadcast map and saves it.

Function parameters

  • map <string, list <string> > broadcast

Return value

  • void

229.2.56. SetEnableService

Function which sets if SuSEfirewall should start in Write process

Function parameters

  • boolean enable_service

Return value

  • void

229.2.57. SetIgnoreLoggingBroadcast

Function sets yes/no: whether broadcast logging is ignored for the zone.

Function parameters

  • string zone

  • string bcast

Return value

  • void

229.2.58. SetLoggingSettings

Function sets state of logging for rule taken as parameter.

Function parameters

  • string rule

  • string state

Return value

  • void

229.2.59. SetMasquerade

Function sets Masquerade support.

Function parameters

  • boolean enable

Return value

  • void

229.2.60. SetModified

Function sets the internal variable which indicates that "firewall settings were modified" to "true".

Return value

  • void

229.2.61. SetProtectFromInternalZone

Function sets if firewall should be protected from internal zone.

Function parameters

  • boolean set_protect

Return value

  • void

229.2.62. SetServices

Function sets status for several services in several network interfaces.

Function parameters

  • list<string> services_ids

  • list<string> interfaces

  • boolean new_status

Return value

  • boolean - if successful

229.2.63. SetServicesForZones

Function sets status for several services in several firewall zones.

Function parameters

  • list<string> services_ids

  • list<string> firewall_zones

  • boolean new_status

Return value

  • boolean - if successful

229.2.64. SetStartService

Function which sets if SuSEfirewall should start in Write process

Function parameters

  • boolean start_service

Return value

  • void

229.2.65. SetSupportRoute

Function sets if firewall should support routing.

Function parameters

  • boolean set_route

Return value

  • void

229.2.66. SetTrustIPsecAs

Function sets how the firewall should trust successfully decrypted IPsec packets. The value should be a zone name (shortname), or 'no' to trust such packets the same way the firewall trusts the zone from which the IPsec packet came.

Function parameters

  • string zone

Return value

  • void

229.2.67. StartServices

Function starts the services needed for SuSEFirewall

Return value

  • boolean - result

229.2.68. StopServices

Function stops the services needed for SuSEFirewall

Return value

  • boolean - result

229.2.69. Write

Function for writing and enabling the configuration; it is a union of WriteConfiguration() and ActivateConfiguration().

Return value

  • boolean - if successful

229.2.70. WriteConfiguration

Function writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to the setting SetEnableService(boolean). This is a write-only operation: the firewall is never started, only enabled or disabled.

Return value

  • boolean - if successful

229.2.71. WriteOnly

Helper function for the backward compatibility. See WriteConfiguration(). Remove from code ASAP.

Return value

  • boolean

229.3. Global Variables

229.3.1. max_port_number

Maximum port number; port numbers lie in the interval 1-65535 inclusive.

229.3.2. special_all_interface_string

String which covers all interfaces not defined in any zone

229.3.3. special_all_interface_zone

Zone which works with the special_all_interface_string string

229.4. Module Requirements

229.4.1. Module Imports

  • Message
  • Mode
  • NetworkDevices
  • PortAliases
  • PortRanges
  • Progress
  • Report
  • Service
  • SuSEFirewallServices

229.4.2. Module Includes