YaST2 Developers Documentation: SuSEFirewall configuration

SuSEFirewall configuration

modules/SuSEFirewallExpertRules.ycp
Interface manipulation of /etc/sysconfig/SuSEFirewall (expert rules)
  • Lukas Ocilka <locilka@suse.cz>
  • Flags: Unstable
  • $id$
  • Module for handling SuSEfirewall2 Expert Rules.

This module has an unstable interface.

Copyright 2004, Novell, Inc. All rights reserved.

Imports

  • IP
  • Netmask
  • SuSEFirewall

Structures

Global Functions

Local Variables

Local Functions

local allowed_expert_protocols -> list <string>

List of all possible protocols for expert rules. With _rpc_, the destination port is expected to be an RPC service name.

global GetAllExpertRulesProtocols () -> list <string>

Returns list of all protocols accepted by the expert rules.

local ValidNetmaskBits (integer netmask_bits) -> boolean

Returns whether the netmask bits are valid.

Parameters:
netmask_bits
global IsValidNetwork (string network) -> boolean

Function checks the network definition used for firewall expert rules.

Parameters:
network
Return value:
true if it is a valid network definition, false otherwise
Example

 IsValidNetwork("192.168.0.1")               -> true
 IsValidNetwork("192.168.0.355")             -> false
 IsValidNetwork("192.168.0.0/24")            -> true
 IsValidNetwork("192.168.0.1/32")            -> true
 IsValidNetwork("192.168.0.1/0")             -> false
 IsValidNetwork("192.168.0.0/255.255.0.0")   -> true
 IsValidNetwork("192.168.0.0/255.255.333.0") -> false
 IsValidNetwork("192.168.0.0/255.255.224.0") -> true
 IsValidNetwork("0/0")                       -> true
See
`man iptables`
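The checks behind IsValidNetwork() can be written out explicitly. The block below is an added example in Python, not code from the YaST module; it accepts the three forms the page names (IP, IP/Netmask_Bits, IP/Netmask) and reproduces every result in the example table. Two details are assumptions drawn from those examples rather than stated rules: "0/0" is accepted as a special case, and a prefix length of 0 (or an all-zero dotted mask) is otherwise rejected.

```python
# Added example: validation of expert-rule network definitions.
# Assumption: "0/0" is special-cased as "anywhere"; any other /0 is invalid,
# matching the page's examples ("192.168.0.1/0" -> false, "0/0" -> true).

# Protocols accepted by the expert rules (the page's allowed_expert_protocols).
ALLOWED_EXPERT_PROTOCOLS = ["tcp", "udp", "icmp", "all", "_rpc_"]


def valid_ipv4(addr: str) -> bool:
    """True if addr is a dotted quad with four decimal octets in 0..255."""
    parts = addr.split(".")
    if len(parts) != 4:
        return False
    return all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def valid_netmask_bits(bits: int) -> bool:
    """Prefix length must be 1..32 (the page rejects "192.168.0.1/0")."""
    return 1 <= bits <= 32


def valid_netmask(mask: str) -> bool:
    """Dotted netmask: a contiguous run of 1-bits followed only by 0-bits.

    255.255.224.0 is valid (11111111 11111111 11100000 00000000),
    255.255.0.255 is not (a 1-bit follows a 0-bit)."""
    if not valid_ipv4(mask):
        return False
    value = 0
    for octet in mask.split("."):
        value = (value << 8) | int(octet)
    if value == 0:
        return False  # all-zero mask, treated like /0 (assumption)
    # Inverting a contiguous mask gives 0...01...1; adding 1 then clears it.
    inverted = (~value) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def is_valid_network(network: str) -> bool:
    """Check an expert-rule network definition: IP, IP/bits or IP/netmask."""
    if network == "0/0":
        return True  # "everywhere", accepted as in the page's examples
    if "/" not in network:
        return valid_ipv4(network)
    ip, _, mask = network.partition("/")
    if not valid_ipv4(ip):
        return False
    if mask.isdigit():
        return valid_netmask_bits(int(mask))
    return valid_netmask(mask)


if __name__ == "__main__":
    # The page's example table, reproduced as a self-check.
    for net in ("192.168.0.1", "192.168.0.355", "192.168.0.0/24",
                "192.168.0.1/32", "192.168.0.1/0", "192.168.0.0/255.255.0.0",
                "192.168.0.0/255.255.333.0", "192.168.0.0/255.255.224.0", "0/0"):
        print("%-30s -> %s" % (net, is_valid_network(net)))
```

Note that host bits set inside the masked part (as in the page's later example "192.168.0.1/255.255.240.0") are deliberately accepted: iptables treats such a definition as the enclosing network, and the page's validator does not reject it either.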
global ValidNetwork () -> string

Returns a string describing a valid network definition.

Return value:
string describing the valid network definition.
local AdjustParameters (map <string, string> params) -> map <string, string>

Adjusts parameters to the acceptable representation.

Parameters:
params
global GetListOfAcceptRules (string zone) -> list <map <string, string> >

Returns a list of rules (maps) describing the protocols and ports that may be accessed from the listed hosts. "network" and "protocol" are required keys, "dport" and "sport" are optional. Undefined values are returned as empty strings.

"network" is either an IP, IP/Netmask or IP/Netmask_Bits where the connection originates; "protocol" defines the transport protocol; "dport" is the destination port on the current host; "sport" is the source port on the client.

A port can be a port number, a port name or a port range. The protocol can be 'tcp', 'udp', 'icmp', 'all' or '_rpc_' (dport is then an RPC service name, e.g., ypbind).

Structure: this might return, e.g.,

 [
     // All requests from 80.44.11.22 to TCP port 22
     $[ "network" : "80.44.11.22",   "protocol" : "tcp", "dport" : "22",  "sport" : ""   ],

     // All requests from network 80.44.11.0/24 to UDP port 53 originating on port 53
     $[ "network" : "80.44.11.0/24", "protocol" : "udp", "dport" : "53",  "sport" : "53" ],

     // All requests from network 0/0 (everywhere) to TCP port 443
     $[ "network" : "0/0",           "protocol" : "tcp", "dport" : "443", "sport" : ""   ],
 ]
Parameters:
zone
Return value:
list of rules
Example

 GetListOfAcceptRules("EXT") -> []
See
IsValidNetwork()
global AddNewAcceptRule (string zone, map <string, string> params) -> boolean

Adds a new accept rule. Possible keys of the parameter map are "network", "protocol", "dport" and "sport"; "network" and "protocol" are required.

Parameters:
zone
params
Example

 AddNewAcceptRule (
     "EXT",
     $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
 ) -> true
See
GetListOfAcceptRules(), RemoveAcceptRule()
global RemoveAcceptRule (string zone, map <string, string> params) -> boolean

Removes a single expert firewall rule.

Parameters:
zone
params
Example

 RemoveAcceptRule (
     "EXT",
     $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
 ) -> true
See
GetListOfAcceptRules() for the possible keys of the map, AddNewAcceptRule()
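GetListOfAcceptRules(), AddNewAcceptRule() and RemoveAcceptRule() together describe one small round trip: read the zone's rule list, normalize a parameter map, add or drop an entry, write the list back. The block below is an added Python model of that round trip, not the YaST module's own code. It assumes, as the page does not state, that a zone's expert rules live in a sysconfig variable FW_SERVICES_ACCEPT_<ZONE> as space-separated entries of the form network,protocol[,dport[,sport]] (the format SuSEfirewall2 documents for that variable); the sysconfig file is replaced by an in-memory dict so it runs offline. Validation of the "network" value is left to IsValidNetwork() and not repeated here; the class names are hypothetical.

```python
# Added example: in-memory model of the per-zone expert accept rules.
# Assumption: rules are stored in FW_SERVICES_ACCEPT_<ZONE> as
# "network,protocol[,dport[,sport]]" entries separated by spaces.

ALLOWED_EXPERT_PROTOCOLS = ("tcp", "udp", "icmp", "all", "_rpc_")
RULE_KEYS = ("network", "protocol", "dport", "sport")


def adjust_parameters(params: dict) -> dict:
    """AdjustParameters: every key present, values stripped, missing ones ''."""
    return {k: str(params.get(k, "") or "").strip() for k in RULE_KEYS}


def rule_to_entry(rule: dict) -> str:
    """Serialize a rule as 'network,protocol,dport,sport', dropping trailing
    empty fields; an sport without dport keeps its empty dport slot."""
    fields = [rule[k] for k in RULE_KEYS]
    while len(fields) > 2 and fields[-1] == "":
        fields.pop()
    return ",".join(fields)


def parse_accept_rules(value: str) -> list:
    """Turn the variable's value into rule maps (GetListOfAcceptRules)."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) < 2:
            continue  # unparsable entry: needs at least network and protocol
        rules.append(adjust_parameters(dict(zip(RULE_KEYS, fields[:4]))))
    return rules


class ExpertRules:
    """Hypothetical wrapper around a sysconfig dict, e.g. {"FW_SERVICES_ACCEPT_EXT": ...}."""

    def __init__(self, sysconfig: dict):
        self.sysconfig = sysconfig

    def _variable(self, zone: str) -> str:
        return "FW_SERVICES_ACCEPT_%s" % zone.upper()

    def get_list_of_accept_rules(self, zone: str) -> list:
        return parse_accept_rules(self.sysconfig.get(self._variable(zone), ""))

    def _store(self, zone: str, rules: list) -> None:
        self.sysconfig[self._variable(zone)] = " ".join(rule_to_entry(r) for r in rules)

    def add_new_accept_rule(self, zone: str, params: dict) -> bool:
        rule = adjust_parameters(params)
        # "network" and "protocol" are required; protocol must be a known one.
        if not rule["network"] or rule["protocol"] not in ALLOWED_EXPERT_PROTOCOLS:
            return False
        rules = self.get_list_of_accept_rules(zone)
        if rule in rules:
            return False  # already present: nothing to add (a choice made here)
        rules.append(rule)
        self._store(zone, rules)
        return True

    def remove_accept_rule(self, zone: str, params: dict) -> bool:
        rule = adjust_parameters(params)
        rules = self.get_list_of_accept_rules(zone)
        if rule not in rules:
            return False  # no such rule in this zone
        rules.remove(rule)
        self._store(zone, rules)
        return True


if __name__ == "__main__":
    # Constructed sample: the three rules from the Structure section above.
    store = ExpertRules({"FW_SERVICES_ACCEPT_EXT":
                         "80.44.11.22,tcp,22 80.44.11.0/24,udp,53,53 0/0,tcp,443"})
    params = {"network": "192.168.0.1/255.255.240.0", "protocol": "tcp", "sport": "22"}
    print(store.add_new_accept_rule("EXT", params))
    print(store.sysconfig["FW_SERVICES_ACCEPT_EXT"])
    print(store.remove_accept_rule("EXT", params))
```

Removal compares the normalized map, so a caller must pass the same keys it used when adding; a rule added with "sport":"22" is not matched by a map giving only "network" and "protocol".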