We need to do some slightly exotic firewalling on a SUSE 10SP2 host, so I tweaked the firewall ruleset I've been using for years and started looking for the best way to apply it on a SuSE 10SP2 system. What I found is not pretty.

I found 4 SuSE scripts to manage the firewall, in addition to the basic iptables commands which are part of the netfilter (iptables) package used across Linux distributions:

  • /sbin/SuSEfirewall2: The script that actually manipulates iptables.
  • /etc/init.d/SuSEfirewall2_init: init script to start the firewall, presumably.
  • /etc/init.d/SuSEfirewall2_setup: init script to configure the firewall, apparently.
  • /etc/sysconfig/SuSEfirewall2: The config file (actually a script).

The init scripts have to run in the right order, and they call /sbin/SuSEfirewall2 to do the actual work. The init scripts offer a bunch of subcommands, but some of the listed subcommands are unimplemented -- presumably SuSE has a spec that says these must be provided, but the programmer didn't believe that means they had to do anything.

nori:~ # service SuSEfirewall2_setup
Usage: /etc/init.d/SuSEfirewall2_setup {start|stop|status|restart|reload|force-reload}
nori:~ # service SuSEfirewall2_setup status
Checking the status of SuSEfirewall2                                 unused

My script is in the simplest iptables format -- a bunch of lines like -A INPUT -j ACCEPT -p tcp --dport 80, with a header and COMMIT footer to make it a valid ruleset -- on Red Hat this goes in /etc/sysconfig/iptables, and the system loads it fine.

But this is not suitable, because SUSE expects a script. So I commented out SuSE's command to load the firewall script, and replaced it with iptables-restore, which is present (but unused) on SuSE because it's a part of netfilter. I have to do some more testing, but it looks like this way SuSE will start netfilter and load my rules, without me having to figure out what they were thinking.

nori:~ # diff -u /etc/init.d/SuSEfirewall2_setup.orig /etc/init.d/SuSEfirewall2_setup
--- /etc/init.d/SuSEfirewall2_setup.orig    2009-01-30 10:17:49.000000000 -0500
+++ /etc/init.d/SuSEfirewall2_setup 2009-01-30 10:19:40.000000000 -0500
@@ -2,6 +2,9 @@
 # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany.
 # Author: Marc Heuse <marc@suse.de>
+# Hacked by Pepper, 2009
 # /etc/init.d/SuSEfirewall2_setup
@@ -39,7 +42,10 @@
    echo -n "Starting Firewall Initialization "
    echo -n '(phase 2 of 2) '
    rm -f "$BOOTLOCKFILE"
-   $SUSEFWALL -q start
+   #$SUSEFWALL -q start
+   iptables-restore < /etc/sysconfig/iptables.conf
    rc_status -v

I find the rules Red Hat's lokkit generates inexplicable and painful to parse, but at least simple rules written by hand are valid, and the system happily uses them. Neither lokkit nor yast (SuSE's configuration utility) is flexible enough for our requirements, but that's fine. It's just forcing users to deal with such a needlessly complicated system that I resent.