Bug 425431

Summary: Yast - Security-Firewall - Add 'Disallowed Services' AND Quantify Directional Permission/no-Permission as either Outbound or Inbound direction.
Product: [openSUSE] openSUSE 11.0
Reporter: Scott Couston <scott>
Component: YaST2
Assignee: Ludwig Nussel <lnussel>
Status: RESOLVED INVALID
QA Contact: Jiri Srain <jsrain>
Severity: Enhancement
Priority: P5 - None
CC: locilka, scott
Version: Final
Target Milestone: ---
Hardware: Other
OS: openSUSE 11.0
Whiteboard:
Found By: Customer
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Scott Couston 2008-09-11 10:14:22 UTC
The Firewall component has no real ability to disallow any service. I would suggest adding, after the allowed services, a 'disallowed services' section.

My thought would be to open a view the same as the 'Advanced' tab on Allowed Services, but in contrast, functionally it will disallow services that a user can input only via a TCP/UDP port number, service or RPC or protocol.

This is suggested in preference to text-defined services, as only someone with a serious need to disallow a service would use this facility.

Just as the Allowed Services permits a selection of zone, so too would the disallowed services permit zone selection.

At some time I think both the Allowed Services tab and Disallowed Services should define direction, such as 'Allow Inbound' or 'Disallow Inbound', so the user who adds to the current advanced tab chooses a port or service as the correct inbound/outbound port allocation number or service.

Discussion please? Before an outright WONTFIX or INVALID.
Comment 1 Ludwig Nussel 2008-09-11 11:07:37 UTC
Please use the opensuse-security mailing list for discussions.

SuSEfirewall2 blocks everything by default, so explicitly blocking individual services doesn't make sense. For advanced users SuSEfirewall2 has options to specifically REJECT certain ports or networks (global policy is to DROP packets). There is no GUI, on purpose, though. You need to read the config file to use that.
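As an added illustration of the config-file approach Comment 1 points to (this is not code from the page or from SuSEfirewall2 itself): the per-zone accept, reject and drop lists from /etc/sysconfig/SuSEfirewall2, filled with constructed sample entries in their "net,proto,dport" syntax, plus a small POSIX shell resolver that reports what happens to one inbound packet on the external zone. The precedence between the three lists is an assumption of this illustration; the default DROP for anything unlisted is the behaviour the comment describes.

```shell
# Constructed sample values in the format used by /etc/sysconfig/SuSEfirewall2.
# Each entry is "net,proto,dport"; several entries are separated by spaces.
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22 0/0,tcp,443"   # explicitly allowed
FW_SERVICES_REJECT_EXT="0/0,tcp,113"             # answered with a reject, not silence
FW_SERVICES_DROP_EXT="10.0.0.0/8,udp,161"        # silently discarded

# _match LIST PROTO DPORT -> returns 0 if some entry in LIST matches PROTO/DPORT.
# The net field is ignored in this illustration (SuSEfirewall2 itself matches it).
_match() {
  list=$1; proto=$2; dport=$3
  for entry in $list; do
    e_proto=$(printf '%s' "$entry" | cut -d, -f2)
    e_port=$(printf '%s' "$entry" | cut -d, -f3)
    [ "$e_proto" = "$proto" ] && [ "$e_port" = "$dport" ] && return 0
  done
  return 1
}

# ext_verdict PROTO DPORT -> prints ACCEPT, REJECT or DROP for an inbound packet
# on the external zone. The order of the three list checks is an assumption of
# this example; the final default of DROP is the global policy described above.
ext_verdict() {
  if _match "$FW_SERVICES_DROP_EXT" "$1" "$2"; then
    echo DROP
  elif _match "$FW_SERVICES_REJECT_EXT" "$1" "$2"; then
    echo REJECT
  elif _match "$FW_SERVICES_ACCEPT_EXT" "$1" "$2"; then
    echo ACCEPT
  else
    echo DROP    # unlisted traffic: nothing to "disallow", it is already dropped
  fi
}
```

Running `ext_verdict tcp 25` shows why a GUI "disallowed services" list adds little: a service that is simply absent from the accept list is already dropped.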
Comment 2 Scott Couston 2008-09-11 22:05:41 UTC
SuSEfirewall2 is a frontend for iptables which sets up kernel packet filters, nothing more and nothing less.

This means that you are NOT automatically protected from all security hazards by using SuSEfirewall2. To minimize security risks on a networked system obey the following rules:

  ● Run only those services you actually need. Think twice before opening them to the internet.

  ● Use only software which has been designed with security in mind (like postfix, vsftpd, OpenSSH).

  ● Do not expose services that are designed for use in a LAN to the internet (like e.g. samba, NFS, cups).

  ● Do not run untrusted software. (philosophical question, can you trust SUSE or any other software distributor?)

  ● Run YaST Online Update on a regular basis or enable its automatic mode to get the latest security fixes.