Using ssh/terminal for rule-setup

janr · 7 July 2020 14:28

Hi Folks,

is there a how-to/wiki available, that describes the usage of ssh/terminal for creating and managing firewall-rules instead of the webGUI?
I’d like to use a .sh-script for automated standard-configs.

Thanks,

Jan

bbitsch · 7 July 2020 17:16

All firewall rulesnot managed by the WUI must be placed into /etc/sysconfig/firewall.local
After a modification you must call /usr/local/bin/firewallctrl

pmueller · 7 July 2020 19:14

Hi,

be careful what you are doing there: A bunch of people complaining about “my (web interface|SSH port|whatever) is reachable from the internet, how could this happen?!” made some modifications there, without being aware of them months later, or even without a complete understanding of what they were doing.

The web interface is not suitable for automated tasks indeed. However, we cannot guarantee for your systems’ safety if you decided to make custom modifications. Personally, I strongly recommend against taking advantage of /etc/sysconfig/firewall.local.

Thanks, and best regards,
Peter Müller

bbitsch · 7 July 2020 19:21

Peter,
you are completely right!

I just described the possibility of doing that. According to the opening question I supposed JanR has the knowledge.

janr · 8 July 2020 12:38

Hi Bernhard and Peter,

thanks a lot for your information.
As I understand, there is no way to set the rules, shown by the WUI, via .sh-script directly?
Only the strongly not recommended way via /etc/sysconfig/firewall.local is possible?

Regards,

Jan

bbitsch · 8 July 2020 13:42

Hi Jan,

you can set any firewall rule per direct iptables command. I suppose, that is what you want to do in the script.
BUT:

the iptables rules are set up at firewall start based on the settings written by the WUI.
to make rules persistent they must be included in firewall.local ( both the definition in the ‘start’ branch, as the deletion in ‘stop’ branch )
definition at the WUI includes some checks, which are not done by a separate iptables cmd call.

If your problem is a bunch of rules, for which it is cumbersome to enter them one by one in the WUI, you could try to write them per script into the settings files of the firewall. To activate them you must define a dummy rule in the WUI to trigger the firewall generation. The format of the files isn’t not really documented and can change with a core update. Further the fw generator assumes only valid input from the files ( the .cgi does checks and accepts vaid definitions only ).

Have you thought of discussing your requirements in the devel mailing list?