YaST2 Developers Documentation: SuSEFirewall configuration

SuSEFirewall configuration

modules/SuSEFirewall.ycp
Interface manipulation of /etc/sysconfig/SuSEFirewall

This module has an unstable interface.

Copyright 2004, Novell, Inc. All rights reserved.

Imports

  • Message
  • Mode
  • NetworkDevices
  • PortAliases
  • PortRanges
  • Progress
  • Report
  • Service
  • SuSEFirewallServices

Structures

Global Variables

Global Functions

Local Variables

Local Functions

local configuration_has_been_read -> boolean

Whether the configuration has already been read (false by default). Used so that the configuration is read from disk only once.

global special_all_interface_string -> string

String which includes all interfaces not-defined in any zone

global max_port_number -> integer

Maximal port number; valid port numbers lie in the interval 1-65535 inclusive.

global special_all_interface_zone -> string

Zone which works with the special_all_interface_string string

global SetModified () -> void

Function sets the internal flag indicating that the firewall settings were modified to true.

global GetKnownFirewallZones () -> list <string>

Function returns list of known firewall zones (shortnames)

Return value:
list of firewall zones
local report_only_once -> list <string>

Variable for ReportOnlyOnce() function

local ReportOnlyOnce (string what_to_report) -> boolean

Report an error, warning or message only once. The message is stored in memory, so repeated calls with the same text return false. This helper keeps y2log from filling up with many copies of the very same message.

Parameters:
what_to_report
Return value:
whether the message should be reported or not
Example

	string error = sformat("Port number %1 is invalid.", port_nr);
	if (ReportOnlyOnce(error)) y2error(error);
global IsAnyNetworkInterfaceSupported () -> boolean

Function returns whether the feature 'any' network interface is supported in the firewall configuration. The string 'any' must be in the 'EXT' zone.

Return value:
is_supported whether the feature is supported or not
local GetListOfSuSEFirewallVariables () -> list <string>

Function returns the list of sysconfig variables needed for SuSEFirewall's settings.

Return value:
list of variable names
local IncreaseVerbosity () -> void

Local function for increasing the verbosity level.

local DecreaseVerbosity () -> void

Local function for decreasing the verbosity level.

local IsVerbose () -> boolean

Local function returns whether other functions should produce verbose output (popups, reported errors, etc.).

local GetDefaultValue (string variable) -> string

Local function for returning default values (if defined) for sysconfig variables.

Parameters:
variable
local ReadSysconfigSuSEFirewall (list<string> variables) -> void

Local function for reading list of sysconfig variables into internal variables.

Parameters:
variables
local ResetSysconfigSuSEFirewall (list<string> variables) -> void

Local function for resetting a list of sysconfig variables in the internal variables.

Parameters:
variables
local WriteSysconfigSuSEFirewall (list<string> variables) -> boolean

Local function for writing the list of internal variables into sysconfig. The list of variables is a list of keys of the SETTINGS map; to flush the configuration to disk, use `nil` as the last list item.

Parameters:
variables
local IsSupportedProtocol (string protocol) -> boolean

Local function returns whether the protocol is supported by the firewall. The protocol name must be in upper case.

Parameters:
protocol
Return value:
if protocol is supported
local IsKnownZone (string zone) -> boolean

Local function returns whether the zone (shortname like "EXT") is supported by the firewall. Unknown zones are unsupported.

Parameters:
zone
Return value:
if zone is known and supported.
local GetZoneConfigurationString (string zone) -> string

Local function returns configuration string used in configuration for zone. For instance "ext" for "EXT" zone.

Parameters:
zone
Return value:
zone configuration string
local GetConfigurationStringZone (string zone_string) -> string

Local function returns zone name (shortname) for configuration string. For instance "EXT" for "ext" zone.

Parameters:
zone_string
Return value:
zone shortname
local GetAllowedServicesForZoneProto (string zone, string protocol) -> list <string>

Function returns list of allowed services for zone and protocol

Parameters:
zone
protocol
Return value:
list of allowed services/ports
local SetAllowedServicesForZoneProto (list <string> allowed_services, string zone, string protocol) -> void

Function sets list of services as allowed ports for zone and protocol

Parameters:
allowed_services
zone
protocol
local GetBroadcastConfiguration (string zone) -> string

Local function returns configuration string for broadcast packets.

Parameters:
zone
Return value:
string with broadcast configuration
local SetBroadcastConfiguration (string zone, string broadcast_configuration) -> void

Local function saves configuration string for broadcast packets.

Parameters:
zone
broadcast_configuration
global GetBroadcastAllowedPorts () -> map <string, list <string> >

Function returns map of allowed broadcast ports per zone (without aliases). If the list for a zone is defined but empty, all allowed UDP ports for this zone also accept broadcast packets.

Return value:
map keyed by zone; the strings are allowed ports or port ranges
global SetBroadcastAllowedPorts (map <string, list <string> > broadcast) -> void

Function creates allowed-broadcast-ports string from broadcast map and saves it.

Parameters:
broadcast
local IsBroadcastAllowed (list <string> needed_ports, string zone) -> boolean

Function returns if broadcast is allowed for needed ports in zone.

Parameters:
needed_ports
zone
Return value:
whether broadcast is allowed for all needed ports
local RemoveAllowedBroadcast (list <string> needed_ports, string zone) -> void

Local function removes list of ports from port allowing broadcast packets in zone.

Parameters:
needed_ports
zone
local AddAllowedBroadcast (list <string> needed_ports, string zone) -> void

Local function adds list of ports to ports accepting broadcast

Parameters:
needed_ports
zone
local RemoveServiceFromProtocolZone (string remove_service, string protocol, string zone) -> boolean

Local function for removing (disallowing) a single service/port for the given protocol and zone. The function does not handle port aliases.

Parameters:
remove_service
protocol
zone
Return value:
success
local RemoveAllowedPortsOrServices (list <string> remove_ports, string protocol, string zone, boolean check_for_aliases) -> void

Local function removes ports and their aliases (if check_for_aliases is true), for requested protocol and zone.

Parameters:
remove_ports
protocol
zone
check_for_aliases
local AddAllowedPortsOrServices (list <string> add_ports, string protocol, string zone) -> void

Local function allows ports for requested protocol and zone.

Parameters:
add_ports
protocol
zone
local RemoveServiceSupportFromZone (string service, string zone) -> void

Local function removes well-known service's support from zone. Allowed ports are removed with all of their port-aliases.

Parameters:
service
zone
local AddServiceSupportIntoZone (string service, string zone) -> void

Local function adds well-known service's support into zone. It first removes any current support for the service, including its port aliases.

Parameters:
service
zone
local GetPossiblyConflictServices () -> list <string>

Local function returns conflicting services.

Return value:
list of services
local HandleConflictService (string service, string zone, boolean enable) -> void

Local function for handling conflicting services in memory. Makes sense for services which share ports like RPC services.

Parameters:
service
zone
enable
global GetModified () -> boolean

Function returns whether any part of the firewall configuration was modified

Return value:
if the configuration was modified
global ResetReadFlag () -> void

Function resets the flag that prevents the configuration from being read from disk again, so the next Read() reads it from disk

global GetZoneFullName (string zone) -> string

Function returns name of the zone identified by zone shortname.

Parameters:
zone
Return value:
zone name
global SetProtectFromInternalZone (boolean set_protect) -> void

Function sets if firewall should be protected from internal zone.

Parameters:
set_protect
global GetProtectFromInternalZone () -> boolean

Function returns if firewall is protected from internal zone

Return value:
if protected from internal
global SetSupportRoute (boolean set_route) -> void

Function sets if firewall should support routing.

Parameters:
set_route
global GetSupportRoute () -> boolean

Function returns if firewall supports routing.

Return value:
if route is supported
global SetTrustIPsecAs (string zone) -> void

Function sets how the firewall should trust successfully decrypted IPsec packets. The value is a zone name (shortname), or 'no' to trust the packets the same way as the zone from which the IPsec packet arrived.

Parameters:
zone
global GetTrustIPsecAs () -> string

Function returns the trust level of IPsec packets. See SetTrustIPsecAs() for more information.

Return value:
zone or "no"
global GetStartService () -> boolean

Function which returns whether SuSEfirewall should be started during Write()

Return value:
if the firewall should start
global SetStartService (boolean start_service) -> void

Function which sets whether SuSEfirewall should be started during Write()

Parameters:
start_service
global GetEnableService () -> boolean

Function which returns whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during Write()

Return value:
if the firewall should be enabled
See
Write() EnableServices()
global SetEnableService (boolean enable_service) -> void

Function which sets whether SuSEfirewall should be enabled in the /etc/init.d/ start scripts during Write()

Parameters:
enable_service
global StartServices () -> boolean

Function starts the services needed for SuSEFirewall

Return value:
result
global StopServices () -> boolean

Function stops the services needed for SuSEFirewall

Return value:
result
global EnableServices () -> boolean

Function enables the services needed for SuSEFirewall in /etc/init.d/

Return value:
result
global DisableServices () -> boolean

Function disables the services needed for SuSEFirewall in /etc/init.d/

Return value:
result
global IsEnabled () -> boolean

Function determines if all SuSEFirewall scripts are enabled in init scripts /etc/init.d/ now. For configuration "enabled" status use GetEnableService().

Return value:
if enabled
global IsStarted () -> boolean

Function determines if at least one SuSEFirewall script is started now. For configuration "started" status use GetStartService().

Return value:
if started
global Export () -> map <string, any>

Function for getting exported SuSEFirewall configuration

Return value:
map with the configuration
global Import (map <string, any> import_settings) -> void

Function for setting SuSEFirewall configuration from input

Parameters:
import_settings
global IsInterfaceInZone (string interface, string zone) -> boolean

Function returns if the interface is in zone.

Parameters:
interface
zone
Return value:
whether the interface is in the zone
global GetZoneOfInterface (string interface) -> string

Function returns the firewall zone of interface, nil if no zone includes the interface. Error is reported when interface is found in multiple firewall zones, then the first appearance is returned.

Parameters:
interface
Return value:
zone
global GetZonesOfInterfaces (list<string> interfaces) -> list<string>

Function returns list of zones of requested interfaces

Parameters:
interfaces
global GetZonesOfInterfacesWithAnyFeatureSupported (list<string> interfaces) -> list<string>

Function returns list of zones of requested interfaces. Special string 'any' in 'EXT' zone is supported.

Parameters:
interfaces
global GetAllKnownInterfaces () -> list <map <string, string> >

Function returns list of maps of known interfaces.

Structure [ $[ "id":"modem0", "name":"Askey 815C", "type":"dialup", "zone":"EXT" ], ... ]

global GetAllNonDialUpInterfaces () -> list <string>

Function returns list of non-dial-up interfaces.

Return value:
list of non-dial-up interface names
global GetAllDialUpInterfaces () -> list <string>

Function returns list of dial-up interfaces.

Return value:
list of dial-up interface names
global GetListOfKnownInterfaces () -> list <string>

Function returns list of all known interfaces.

Return value:
list of interfaces
global RemoveInterfaceFromZone (string interface, string zone) -> void

Function removes interface from defined zone.

Parameters:
interface
zone
global AddInterfaceIntoZone (string interface, string zone) -> void

Functions adds interface into defined zone. All appearances of interface in other zones are removed.

Parameters:
interface
zone
global GetInterfacesInZone (string zone) -> list<string>

Function returns list of known interfaces in requested zone. Special strings like 'any' or 'auto' and unknown interfaces are removed from list.

Parameters:
zone
Return value:
list of interfaces
global GetFirewallInterfaces () -> list<string>

Function returns all interfaces already configured in the firewall (assigned to some zone)

Return value:
list of configured interfaces
global InterfacesSupportedByAnyFeature (string zone) -> list<string>

Returns the list of interfaces not mentioned in any zone that are covered by the special string 'any'. The list is non-empty only if the requested zone is EXT and 'any' is present in the EXT zone.

Parameters:
zone
Return value:
list of interfaces covered by the special string 'any'
global GetInterfacesInZoneSupportingAnyFeature (string zone) -> list<string>

Function returns list of known interfaces in requested zone. Special string 'any' in EXT zone covers all interfaces without any zone assignment.

Parameters:
zone
Return value:
list of interfaces
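The zone lookups above (GetZoneOfInterface(), GetInterfacesInZone(), GetSpecialInterfacesInZone(), InterfacesSupportedByAnyFeature() and GetInterfacesInZoneSupportingAnyFeature()) all derive from the per-zone interface lists in the sysconfig file. The Python below is added here as a stand-alone re-implementation of those semantics, not code from SuSEFirewall.ycp: an interface listed in two zones resolves to the first zone and the conflict is reported, 'auto' and unknown names are separated out as special strings, and 'any' in the EXT zone sweeps up every known interface that no zone names explicitly. The FW_DEV_<ZONE> variable names, the sysconfig snippet and the list of known interfaces are assumptions of the example.

```python
import re

# Constructed sample of /etc/sysconfig/SuSEfirewall2 content (not from a real
# system). FW_DEV_<ZONE> holding the zone's interfaces is an assumption here.
SAMPLE_SYSCONFIG = '''
## Path: Network/Firewall/SuSEfirewall2
FW_DEV_EXT="eth0 any"
FW_DEV_INT="eth1 eth2"
FW_DEV_DMZ="eth2 auto"
'''

KNOWN_ZONES = ["EXT", "INT", "DMZ"]
ZONE_VARIABLE = {zone: "FW_DEV_" + zone for zone in KNOWN_ZONES}
SPECIAL_ALL_INTERFACE_STRING = "any"   # special_all_interface_string
SPECIAL_ALL_INTERFACE_ZONE = "EXT"     # special_all_interface_zone
SPECIAL_STRINGS = {"any", "auto"}

# Interfaces the system knows about (what NetworkDevices would report); constructed.
KNOWN_INTERFACES = ["eth0", "eth1", "eth2", "eth3", "modem0"]


def parse_sysconfig(text):
    """Parse KEY="value" / KEY=value lines of a sysconfig file; comments are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z0-9_]+)=(?:"([^"]*)"|(\S*))\s*$', line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def interfaces_in_zone_raw(settings, zone):
    """Raw whitespace-separated list for a zone, including special strings."""
    return settings.get(ZONE_VARIABLE[zone], "").split()


def get_zone_of_interface(settings, interface, warnings):
    """GetZoneOfInterface semantics: None if unassigned, first zone wins on conflict."""
    zones = [z for z in KNOWN_ZONES if interface in interfaces_in_zone_raw(settings, z)]
    if not zones:
        return None
    if len(zones) > 1:
        warnings.append("interface %s is in multiple zones: %s" % (interface, ", ".join(zones)))
    return zones[0]


def get_interfaces_in_zone(settings, zone, known_interfaces=KNOWN_INTERFACES):
    """Known interfaces only; 'any', 'auto' and unknown names are dropped."""
    return [i for i in interfaces_in_zone_raw(settings, zone)
            if i in known_interfaces and i not in SPECIAL_STRINGS]


def get_special_interfaces_in_zone(settings, zone, known_interfaces=KNOWN_INTERFACES):
    """The complement: special strings and unknown interface names."""
    return [i for i in interfaces_in_zone_raw(settings, zone)
            if i in SPECIAL_STRINGS or i not in known_interfaces]


def is_any_feature_supported(settings):
    """'any' counts only when it is in the EXT zone."""
    return SPECIAL_ALL_INTERFACE_STRING in interfaces_in_zone_raw(settings, SPECIAL_ALL_INTERFACE_ZONE)


def interfaces_supported_by_any_feature(settings, zone, known_interfaces=KNOWN_INTERFACES):
    """Known interfaces assigned to no zone, covered by 'any'; empty unless zone is EXT."""
    if zone != SPECIAL_ALL_INTERFACE_ZONE or not is_any_feature_supported(settings):
        return []
    assigned = set()
    for z in KNOWN_ZONES:
        assigned.update(get_interfaces_in_zone(settings, z, known_interfaces))
    return [i for i in known_interfaces if i not in assigned]


def get_interfaces_in_zone_supporting_any_feature(settings, zone, known_interfaces=KNOWN_INTERFACES):
    """Explicit members first, then the interfaces swept up by 'any'."""
    explicit = get_interfaces_in_zone(settings, zone, known_interfaces)
    swept = interfaces_supported_by_any_feature(settings, zone, known_interfaces)
    return explicit + [i for i in swept if i not in explicit]


if __name__ == "__main__":
    cfg = parse_sysconfig(SAMPLE_SYSCONFIG)
    warnings = []
    for iface in KNOWN_INTERFACES:
        print(iface, "->", get_zone_of_interface(cfg, iface, warnings))
    print("EXT including 'any':", get_interfaces_in_zone_supporting_any_feature(cfg, "EXT"))
    print("\n".join(warnings))
```

The conflict case is the one to watch when auditing a configuration: with eth2 in both INT and DMZ the module silently treats it as INT, so the less trusted DMZ rules are never applied to that interface; the reported warning is the only hint.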
global HaveService (string service, string protocol, string interface) -> boolean

Function returns whether the requested service is allowed in the respective zone. The function takes the service's port aliases into account (only for TCP and UDP).

Parameters:
service
protocol TCP, UDP, RPC or IP
interface name (like modem0), firewall zone (like "EXT") or "any" for all zones.
Return value:
if service is allowed
global AddService (string service, string protocol, string interface) -> boolean

Function adds service into the selected zone (or the zone of the interface) for the selected protocol. The function handles port aliases: it first removes all of them, then adds the service.

Parameters:
service
protocol
interface
Return value:
success
global RemoveService (string service, string protocol, string interface) -> boolean

Function removes service from the selected zone (or the zone of the interface) for the selected protocol. The function handles port aliases and removes all of them.

Parameters:
service
protocol
interface
Return value:
success
local ArePortsOrServicesAllowed (list <string> needed_ports, string protocol, string zone, boolean check_for_aliases) -> boolean

Function returns whether all needed services are allowed in the firewall. The last parameter sets whether port aliases are also checked, which makes sense for TCP and UDP ports. Protocols and zones are not checked for existence; that is up to the caller.

Parameters:
needed_ports
protocol
zone name like EXT
check_for_aliases
Return value:
if all ports are allowed
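Port aliases are what make HaveService(), AddService(), RemoveService() and ArePortsOrServicesAllowed() non-trivial: the same TCP port can be spelled "ssh", "22" or be covered by a range, and a check without alias resolution will say a port is closed when it is open, while a removal without alias resolution leaves the port open under another name. The Python below is an added example re-implementing that logic (not code from SuSEFirewall.ycp): the alias table is a constructed stand-in for what the PortAliases module derives from /etc/services, and the "low:high" range spelling is assumed from the sysconfig format.

```python
import re

# Constructed alias table standing in for the PortAliases module; the entries
# are the standard IANA names for these ports.
PORT_ALIASES = {
    "ssh": 22,
    "http": 80, "www": 80, "www-http": 80,
    "https": 443,
    "ipp": 631,
}
MAX_PORT_NUMBER = 65535  # max_port_number


def port_number(port, check_for_aliases):
    """Numeric value of a port spelling, or None if it is an unresolvable name."""
    if port.isdigit():
        return int(port)
    return PORT_ALIASES.get(port) if check_for_aliases else None


def port_aliases(port):
    """Every spelling (names and the number) of the same port; unknown names alias only themselves."""
    number = port_number(port, True)
    if number is None:
        return {port}
    return {name for name, n in PORT_ALIASES.items() if n == number} | {str(number)}


def parse_range(item):
    """Range items are written "low:high"; return (low, high) or None for a plain port."""
    m = re.fullmatch(r"(\d+):(\d+)", item)
    if not m:
        return None
    low, high = int(m.group(1)), int(m.group(2))
    if not (1 <= low <= high <= MAX_PORT_NUMBER):
        raise ValueError("invalid port range %r" % item)
    return low, high


def is_port_allowed(allowed, port, check_for_aliases):
    """One needed port against the allowed list of names, numbers and ranges."""
    candidates = port_aliases(port) if check_for_aliases else {port}
    number = port_number(port, check_for_aliases)
    for item in allowed:
        if item in candidates:
            return True
        rng = parse_range(item)
        if rng and number is not None and rng[0] <= number <= rng[1]:
            return True
    return False


def are_ports_or_services_allowed(allowed, needed_ports, check_for_aliases):
    """ArePortsOrServicesAllowed semantics: all needed ports must be allowed."""
    return all(is_port_allowed(allowed, p, check_for_aliases) for p in needed_ports)


def remove_allowed_ports_or_services(allowed, remove_ports, check_for_aliases):
    """Drop the ports and, when requested, every alias of them. Ranges are left untouched."""
    drop = set()
    for p in remove_ports:
        drop |= port_aliases(p) if check_for_aliases else {p}
    return [item for item in allowed if item not in drop]


def add_allowed_ports_or_services(allowed, add_ports, check_for_aliases=True):
    """AddService behaviour: remove existing spellings first, then append the requested one."""
    result = remove_allowed_ports_or_services(allowed, add_ports, check_for_aliases)
    for p in add_ports:
        if p not in result:
            result.append(p)
    return result


if __name__ == "__main__":
    # Constructed value of a FW_SERVICES_EXT_TCP-style variable.
    allowed = "ssh www 1024:2048".split()
    print("22 with aliases:", is_port_allowed(allowed, "22", True))
    print("22 without aliases:", is_port_allowed(allowed, "22", False))
    print("after removing http:", remove_allowed_ports_or_services(allowed, ["http"], True))
```

Note that a range only answers numeric questions: "1500" is covered by "1024:2048", but a service name that does not resolve is never matched against a range, which is why the module only enables alias checking for TCP and UDP, the protocols whose port names exist in /etc/services.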
global IsServiceSupportedInZone (string service, string zone) -> boolean

Function returns if service is supported (allowed) in zone. Service must be defined in the SuSEFirewallServices.

Parameters:
service
zone
Return value:
if supported
See
Module SuSEFirewallServices
global GetServicesInZones (list<string> services) -> map <string, map <string, boolean> >

Function returns map of supported services in all network interfaces.

Structure Returns $[service : $[ interface : supported_status ]]

Parameters:
services
Return value:
map of service to map of interface to supported status
global GetServices (list<string> services) -> map <string, map <string, boolean> >

Function returns map of supported services in all firewall zones.

Structure Returns $[service : $[ zone_name : supported_status]]

Parameters:
services
Return value:
map of service to map of zone name to supported status
global SetServicesForZones (list<string> services_ids, list<string> firewall_zones, boolean new_status) -> boolean

Function sets status for several services in several firewall zones.

Parameters:
services_ids
firewall_zones
new_status
Return value:
if successful
global SetServices (list<string> services_ids, list<string> interfaces, boolean new_status) -> boolean

Function sets status for several services in several network interfaces.

Parameters:
services_ids
interfaces
new_status
Return value:
if successful
local CheckAllPossiblyConflictingServices () -> void

Local function checks whether any of the possibly conflicting services was turned on in the firewall configuration.

local ReadDefaultConfiguration () -> void

Local function sets the default configuration and fills internal values.

local ReadCurrentConfiguration () -> void

Local function reads current configuration and fills internal values.

global Read () -> boolean

Function for reading SuSEFirewall configuration. Fills internal variables only.

local AnyRPCServiceInConfiguration () -> boolean

Function returns whether some RPC service is allowed in the configuration. These services reallocate their ports when restarted. See details in bugzilla bug #186186.

Return value:
some_RPC_service_used
global ActivateConfiguration () -> boolean

Function which stops the firewall and then, if the firewall is configured to be started (see SetStartService(boolean)), starts it again immediately.

Return value:
if successful
global WriteConfiguration () -> boolean

Function writes the configuration into /etc/sysconfig/ and enables or disables the firewall in /etc/init.d/ according to SetEnableService(boolean). This is a write-only operation: the firewall is never started, only enabled or disabled.

Return value:
if successful
global WriteOnly () -> boolean

Helper function kept for backward compatibility; see WriteConfiguration(). Deprecated, to be removed from the code.

global Write () -> boolean

Function for writing and activating the configuration; it is the union of WriteConfiguration() and ActivateConfiguration().

Return value:
if succesfull
global SaveAndRestartService () -> boolean

Function for saving the configuration and restarting the firewall. It is the same as Write(), but the write is always forced.

Return value:
if successful
global GetAdditionalServices (string protocol, string zone) -> list <string>

Function returns the list of services/ports which are not assigned to any fully-supported known service.

Parameters:
protocol
zone
Return value:
list of additional (unassigned) services
global SetAdditionalServices (string protocol, string zone, list <string> new_list_services) -> void

Function sets additional ports/services from the given list. First, all current additional services are removed together with their aliases; then the new ports/services are added.

Parameters:
protocol
zone
new_list_services
global IsOtherFirewallRunning () -> boolean

Function returns whether any firewall other than SuSEfirewall2 is currently running on the system. It uses the `iptables` command to list the currently active iptables rules and compares the output with the current status of SuSEfirewall2.

Return value:
if other firewall is running
global GetFirewallInterfacesMap () -> map <string, list <string> >

Function returns map of `interfaces in zones`.

Structure map $[zone : [list of interfaces]]

global GetSpecialInterfacesInZone (string zone) -> list <string>

Function returns list of special strings like 'any' or 'auto' and unknown interfaces.

Parameters:
zone
Return value:
special strings or unknown interfaces
global RemoveSpecialInterfaceFromZone (string interface, string zone) -> void

Function removes special string from defined zone.

Parameters:
interface
zone
global AddSpecialInterfaceIntoZone (string interface, string zone) -> void

Function adds special string into defined zone.

Parameters:
interface
zone
global GetMasquerade () -> boolean

Function returns current state of Masquerading support.

Return value:
if supported
global SetMasquerade (boolean enable) -> void

Function sets Masquerade support.

Parameters:
enable
global GetListOfForwardsIntoMasquerade () -> list <map <string, string> >

Function returns list of rules of forwarding ports to masqueraded IPs.

Structure list [$[ key: value ]]

global RemoveForwardIntoMasqueradeRule (integer remove_item) -> void

Function removes rule for forwarding into masquerade from the list of current rules.

Parameters:
remove_item
global AddForwardIntoMasqueradeRule (string source_net, string forward_to_ip, string protocol, string req_port, string redirect_to_port, string requested_ip) -> void

Adds forward into masquerade rule.

Parameters:
source_net
forward_to_ip
protocol
req_port
redirect_to_port
requested_ip
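An added example (Python, not code from the module) for the forward-into-masquerade list above: it builds one entry from the parameters of AddForwardIntoMasqueradeRule() in their order, parses a variable value back into the per-rule maps GetListOfForwardsIntoMasquerade() returns, and removes a rule by index as RemoveForwardIntoMasqueradeRule() does. The FW_FORWARD_MASQ variable, its comma-separated field order and the FW_MASQUERADE/FW_ROUTE prerequisite are taken from SuSEfirewall2's sysconfig format, which this page does not spell out, so treat them as the example's assumptions.

```python
import ipaddress

# Assumed from the SuSEfirewall2 sysconfig format: one FW_FORWARD_MASQ entry is
# "source_net,forward_to_ip,protocol,req_port[,redirect_to_port[,requested_ip]]",
# entries separated by whitespace. The field names are the page's parameter names.
FIELDS = ("source_net", "forward_to_ip", "protocol", "req_port", "redirect_to_port", "requested_ip")
PROTOCOLS = {"tcp", "udp"}
MAX_PORT_NUMBER = 65535  # max_port_number


def _check_port(value):
    """Ports must be numeric and within 1-65535 (the page's max_port_number)."""
    if not value.isdigit() or not 1 <= int(value) <= MAX_PORT_NUMBER:
        raise ValueError("port %r must be in 1-%d" % (value, MAX_PORT_NUMBER))
    return value


def make_forward_rule(source_net, forward_to_ip, protocol, req_port,
                      redirect_to_port="", requested_ip=""):
    """Build one entry; validates addresses, protocol and ports before anything is written."""
    if source_net != "0/0":                      # "0/0" is the any-source shorthand
        ipaddress.ip_network(source_net, strict=False)
    ipaddress.ip_address(forward_to_ip)
    protocol = protocol.lower()
    if protocol not in PROTOCOLS:
        raise ValueError("unsupported protocol %r" % protocol)
    parts = [source_net, forward_to_ip, protocol, _check_port(req_port)]
    if redirect_to_port or requested_ip:
        # the redirect port slot must be filled when a destination IP follows it
        parts.append(_check_port(redirect_to_port) if redirect_to_port else req_port)
    if requested_ip:
        ipaddress.ip_address(requested_ip)
        parts.append(requested_ip)
    return ",".join(parts)


def parse_forward_rules(value):
    """Split a variable value into the list of maps GetListOfForwardsIntoMasquerade() returns."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if not 4 <= len(fields) <= 6:
            raise ValueError("malformed forward rule %r" % entry)
        rule = dict(zip(FIELDS, fields))
        for key in FIELDS[len(fields):]:         # optional fields default to ""
            rule[key] = ""
        rules.append(rule)
    return rules


def remove_forward_rule(value, remove_item):
    """RemoveForwardIntoMasqueradeRule semantics: drop the entry at the given index."""
    entries = value.split()
    del entries[remove_item]
    return " ".join(entries)


def add_forward_rule(value, *args, **kwargs):
    """Append a validated entry unless an identical one is already present."""
    entry = make_forward_rule(*args, **kwargs)
    entries = value.split()
    if entry not in entries:
        entries.append(entry)
    return " ".join(entries)


def masquerade_forwarding_active(settings):
    """Forward rules only take effect when masquerading and routing are both on
    (FW_MASQUERADE and FW_ROUTE; assumed from SuSEfirewall2's own documentation)."""
    return settings.get("FW_MASQUERADE") == "yes" and settings.get("FW_ROUTE") == "yes"


if __name__ == "__main__":
    value = ""                                  # constructed: start with no rules
    value = add_forward_rule(value, "0/0", "192.168.1.10", "tcp", "80")
    value = add_forward_rule(value, "10.0.0.0/8", "192.168.1.11", "tcp", "22", "2222")
    print(value)
    for rule in parse_forward_rules(value):
        print(rule)
    print("active:", masquerade_forwarding_active({"FW_MASQUERADE": "yes", "FW_ROUTE": "no"}))
```

Validating the six parameters before they reach the sysconfig file is the point of the example: the module's interface accepts them as plain strings, and a forward rule with a typo in the port or address is a rule that does not do what the administrator believes it does.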
global GetLoggingSettings (string rule) -> string

Function returns current state of logging for the rule given as parameter.

Parameters:
rule
Return value:
'ALL', 'CRIT', or 'NONE'
global SetLoggingSettings (string rule, string state) -> void

Function sets state of logging for rule taken as parameter.

Parameters:
rule
state
global GetIgnoreLoggingBroadcast (string zone) -> string

Function returns yes/no - whether logging of broadcast packets is ignored for the zone

Parameters:
zone
global SetIgnoreLoggingBroadcast (string zone, string bcast) -> void

Function sets yes/no - whether logging of broadcast packets is ignored for the zone

Parameters:
zone
bcast
global AddXenSupport () -> void

Function adds a special interface 'xenbr+' into the FW_FORWARD_ALWAYS_INOUT_DEV variable. This is currently handled by SuSEfirewall2 itself.