Bug 335811

Summary: SuSEFirewall2 should have a more human readable interface.
Product: [openSUSE] openSUSE 10.3
Reporter: Dean Hilkewich <deanjo>
Component: YaST2
Assignee: Lukas Ocilka <locilka>
Status: RESOLVED WONTFIX
QA Contact: Jiri Srain <jsrain>
Severity: Enhancement
Priority: P5 - None
CC: lnussel
Version: Final
Target Milestone: ---
Hardware: x86-64
OS: openSUSE 10.3
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: Simple and easy to understand port forward
             Screenshot - how SuSEfirewall2 can do that...

Description Dean Hilkewich 2007-10-22 20:18:39 UTC
Would it not be possible to make the SuSEFirewall2 yast module more user friendly?

I don't see why it can't be made into an interface like what is found on so many router firewalls that the public has become accustomed to.  What I mean by that is a simple http interface like what is found on something like DD-WRT.  Many people that I know simply disable it because the documentation for it is poor and when they have to start editing configuration files by hand it scares them.  Perhaps something like the sysinfo:/ plug in except you type in firewall:/ and it takes you to a pleasant http interface.  Remote access capability to the firewall would be nice too.
Comment 1 Ludwig Nussel 2007-10-24 14:23:02 UTC
I'm sorry but your request is too unspecific. Whether or not yast should have an http interface is already discussed elsewhere.
Specific suggestions how to improve yast's firewall UI are certainly appreciated though.
Comment 2 Dean Hilkewich 2007-10-25 03:54:54 UTC
I wouldn't mark a bug report as invalid, if you need more info then the case should be left as need more info which I will gladly supply in spades complete with pictures of user friendly examples when I have a moment.
Comment 3 Lukas Ocilka 2007-10-25 07:27:31 UTC
Yes, but please, keep in mind it has to be YaST UI :) No web-UI is currently supported. The only web-UI support we could support in the future will be probably only a web-interface to the current YaST modules (such as ncurses or GTK+ interface does).
Comment 4 Lukas Ocilka 2007-11-08 09:27:09 UTC
Closing as NORESPONSE

Please, reopen the bug/enhancement if you provide some ideas how to improve the UI, thanks.
Comment 5 Dean Hilkewich 2007-11-08 13:21:19 UTC
Created attachment 182603 [details]
Simple and easy to understand port forward

Sorry for the delay.  The release of Leopard has been taking much of my free time lately.  Here is an example of a straight forward, easy to understand port forwarding.  Presets are alright but they should also display the ports that they use and have the option of changing them.
Comment 6 Dean Hilkewich 2007-11-08 13:22:00 UTC
Please see above attachment
Comment 7 Lukas Ocilka 2007-11-16 17:53:04 UTC
Created attachment 183738 [details]
Screenshot - how SuSEfirewall2 can do that...
Comment 8 Lukas Ocilka 2007-11-16 18:01:27 UTC
Anyway, I'm sorry but I have to close this request as WONTFIX because you're requesting something that just SuSEfirewall2 can't do:

See /etc/sysconfig/SuSEfirewall2
variable 'FW_FORWARD_MASQ'

* It can't name rules (Everquest, Bittorrent2...)
* It can't forward port-ranges (nevertheless joining following ports could
  be done in UI).
* It can't disable particular rules
* Protocol is either TCP or UDP but could be merged in UI too.

# Format: space separated list of
#    <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10
#           - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10 on port 81
#           - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
#             the network 200.200.200.0/24 trying to access the
#             address 202.202.202.202 on port 80 will be forwarded
#             to the internal server 10.0.0.10 on port 81
#
# Note: due to inconsistent iptables behaviour only port numbers are possible but
# no service names (https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ="0/0,192.168.1.107,tcp,32700 0/0,192.168.1.107,tcp,32701 0/0,192.168.1.107,tcp,32702 0/0,192.168.1.107,tcp,32703 0/0,192.168.1.107,tcp,32704 0/0,192.168.1.107,tcp,32705"
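
As an added example (not part of the bug report and not SuSEfirewall2 code), the following Python check parses a FW_FORWARD_MASQ value using the format quoted in comment 8, rejects what that format does not allow (service names, port ranges), and reports forwards open to any source with consecutive ports joined for display. The function names and the two invalid sample entries are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def _port(text):
    # Only plain port numbers are valid: no service names, no ranges.
    if not (text.isascii() and text.isdigit() and 1 <= int(text) <= 65535):
        raise ValueError(f"port must be a number in 1-65535, got {text!r}")
    return int(text)

def parse_entry(entry):
    """Parse <source>,<target>,<proto>,<port>[,<redirect port>[,<dest ip>]]."""
    fields = entry.split(",")
    if not 4 <= len(fields) <= 6:
        raise ValueError(f"expected 4 to 6 fields, got {len(fields)}")
    src, target, proto, port = fields[:4]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"protocol must be tcp or udp, got {proto!r}")
    src = "0.0.0.0/0" if src == "0/0" else src  # iptables shorthand for any source
    redirect = _port(fields[4]) if len(fields) > 4 else None
    dest = ipaddress.ip_address(fields[5]) if len(fields) > 5 else None
    return (ipaddress.ip_network(src, strict=False), ipaddress.ip_address(target),
            proto, _port(port), redirect, dest)

def audit(value):
    """Return (rules, findings) for the string assigned to FW_FORWARD_MASQ."""
    rules, findings, groups = [], [], defaultdict(set)
    for entry in value.split():
        try:
            rule = parse_entry(entry)
        except ValueError as exc:
            findings.append(f"invalid entry {entry!r}: {exc}")
            continue
        rules.append(rule)
        groups[rule[:3]].add(rule[3])
    # Join consecutive ports per (source, target, proto) so they read as one range.
    for (source, target, proto), ports in groups.items():
        runs = []
        for p in sorted(ports):
            if runs and p == runs[-1][1] + 1:
                runs[-1][1] = p
            else:
                runs.append([p, p])
        shown = ",".join(str(a) if a == b else f"{a}-{b}" for a, b in runs)
        if source.prefixlen == 0:
            findings.append(f"{proto} {shown} -> {target} open to any source")
    return rules, findings

# Constructed sample: two entries from comment 8, then two invalid ones.
SAMPLE = ("0/0,192.168.1.107,tcp,32700 0/0,192.168.1.107,tcp,32701 "
          "10.0.0.0/8,192.168.1.5,tcp,http 0/0,192.168.1.107,tcp,32702:32705")
```

Calling `audit(SAMPLE)` returns the two valid rules plus three findings: the service-name entry, the port-range entry, and the any-source forward to 192.168.1.107.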
Comment 9 Dean Hilkewich 2007-11-17 01:35:45 UTC
Then that capability to SuSEfirewall should be added.  It can be done, as DD-WRT too uses iptables and it is able to create such an interface.