264. SuSEFirewallExpertRules

Interface for manipulating the expert rules in /etc/sysconfig/SuSEFirewall

264.1. Summary of Module Globals

List of Global Functions

  • AddNewAcceptRule - Adds a new accept rule. Possible keys in the parameter map are "network", "protocol", "dport" and "sport"; "network" and "protocol" are required.

  • DeleteRuleID - Deletes the custom rule identified by its ID. The ID is the rule's position in the list returned by GetListOfAcceptRules(), starting at 0. Every deletion regenerates that list, so the IDs of the remaining rules change.

  • GetAllExpertRulesProtocols - Returns a list of all protocols accepted by the expert rules.

  • GetListOfAcceptRules - Returns a list of rules (maps) describing the protocols and ports that the listed hosts are allowed to access. "network" and "protocol" are always present; "dport" and "sport" are optional and are returned as empty strings when undefined.

  • IsValidNetwork - Checks whether a network definition is valid for use in firewall expert rules.

  • RemoveAcceptRule - Removes a single expert firewall rule.

  • ValidNetwork - Returns a string describing a valid network definition.

List of Global Variables

    264.2. Global Functions

    264.2.1. AddNewAcceptRule

    Adds a new accept rule. Possible keys in the parameter map are "network", "protocol", "dport" and "sport"; "network" and "protocol" are required.

    Function parameters

    • string zone

    • map <string, string> params

    Return value

    • boolean

    Example 122. 

     AddNewAcceptRule (
         "EXT",
         $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
     ) -> true


    264.2.2. DeleteRuleID

    Deletes the custom rule identified by its ID. The ID is the rule's position in the list returned by GetListOfAcceptRules(), starting at 0. Every deletion regenerates that list, so the IDs of the remaining rules change.

    Function parameters

    • string zone

    • integer rule_id

    Return value

    • boolean

    Example 123.

     DeleteRuleID ("EXT", 0) -> true



    264.2.3. GetAllExpertRulesProtocols

    Returns a list of all protocols accepted by the expert rules.

    Return value

    • list <string>

    264.2.4. GetListOfAcceptRules

    Returns a list of rules (maps) describing the protocols and ports that the listed hosts are allowed to access. "network" and "protocol" are always present; "dport" and "sport" are optional and are returned as empty strings when undefined.

    Function parameters

    • string zone

    Return value

    • list <map <string, string> > - of rules

    This might return, e.g.:

     [
         // All requests from 80.44.11.22 to TCP port 22
         $[ "network" : "80.44.11.22",   "protocol" : "tcp", "dport" : "22",  "sport" : ""   ],

         // All requests from network 80.44.11.0/24 to UDP port 53 originating on port 53
         $[ "network" : "80.44.11.0/24", "protocol" : "udp", "dport" : "53",  "sport" : "53" ],

         // All requests from network 0/0 (everywhere) to TCP port 443
         $[ "network" : "0/0",           "protocol" : "tcp", "dport" : "443", "sport" : ""   ],
     ]


    Example 124. 

     GetListOfAcceptRules("EXT") -> []


    264.2.5. IsValidNetwork

    Checks whether a network definition is valid for use in firewall expert rules.

    Function parameters

    • string network

    Return value

    • boolean - true if it is a valid network definition

    Example 125. 

     IsValidNetwork("192.168.0.1")               -> true
     IsValidNetwork("192.168.0.355")             -> false
     IsValidNetwork("192.168.0.0/24")            -> true
     IsValidNetwork("192.168.0.1/32")            -> true
     IsValidNetwork("192.168.0.1/0")             -> false
     IsValidNetwork("192.168.0.0/255.255.0.0")   -> true
     IsValidNetwork("192.168.0.0/255.255.333.0") -> false
     IsValidNetwork("192.168.0.0/255.255.224.0") -> true
     IsValidNetwork("0/0")                       -> true
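
    The following Python validator is an added illustration, not YaST's own code: it accepts exactly the network forms shown in the IsValidNetwork examples (single host, IP/prefix, IP/dotted-netmask and the "0/0" wildcard) and normalises a valid definition to CIDR so two rules can be compared. It assumes, since the page does not say, that a non-contiguous dotted mask such as 255.255.0.255 is rejected.

```python
import re
from ipaddress import IPv4Network

# Added example, not YaST's own code: mirrors the documented IsValidNetwork cases.
_DOTTED_QUAD = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")


def is_ipv4(text: str) -> bool:
    """Dotted quad with every octet in 0..255 ("192.168.0.355" fails here)."""
    return bool(_DOTTED_QUAD.match(text)) and all(int(o) <= 255 for o in text.split("."))


def is_netmask(text: str) -> bool:
    """Dotted-quad mask made of 1-bits followed by 0-bits, e.g. 255.255.224.0.
    Assumption: non-contiguous masks and the all-zero mask are rejected."""
    if not is_ipv4(text):
        return False
    bits = "".join(f"{int(o):08b}" for o in text.split("."))
    return bits.startswith("1") and "01" not in bits


def is_valid_network(network: str) -> bool:
    """Same verdicts as the documented IsValidNetwork examples."""
    if network == "0/0":                      # the only accepted zero-length prefix
        return True
    if "/" not in network:
        return is_ipv4(network)               # single host
    addr, _, suffix = network.partition("/")
    if not is_ipv4(addr):
        return False
    if suffix.isdigit():                      # CIDR prefix; "/0" is rejected, use "0/0"
        return 1 <= int(suffix) <= 32
    return is_netmask(suffix)                 # dotted netmask form


def to_cidr(network: str) -> str:
    """Canonical CIDR string for a valid definition, so rules can be compared
    ("192.168.0.1/255.255.240.0" becomes "192.168.0.0/20")."""
    if not is_valid_network(network):
        raise ValueError(f"invalid network definition: {network!r}")
    if network == "0/0":
        return "0.0.0.0/0"
    return str(IPv4Network(network, strict=False))
```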
    


    264.2.6. RemoveAcceptRule

    Removes a single expert firewall rule.

    Function parameters

    • string zone

    • map <string, string> params

    Return value

    • boolean

    Example 126. 

     RemoveAcceptRule (
         "EXT",
         $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
     ) -> true


    264.2.7. ValidNetwork

    Returns a string describing a valid network definition.

    Return value

    • string - describing the valid network.

    264.3. Global Variables

    264.4. Module Requirements

    264.4.1. Module Imports

    • IP
    • Netmask
    • SuSEFirewall

    264.4.2. Module Includes