Comments on: Firewall Zone Switcher
https://lizards.opensuse.org/2009/07/10/1453/
Blogs and Ramblings of the openSUSE Members
Fri, 06 Mar 2020 17:50:09 +0000

By: Oleg Artemiev, Wed, 05 Aug 2009 04:25:31 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1156
Nice for those who change environment & need different network configurations w/ default OpenSuSE firewall. Though I don’t need different configs – always paranoid. 😉

I also notify you about a bug in the previous report on adding entire drive encryption to Open SuSE from the box here: http://lizards.opensuse.org/2009/03/18/encrypted-root-file-system-on-lvm/. Sorry – comments there seem to be closed.

Value of variable ‘root_luks’ must be the device you have encryption on. In this case root_luks=/dev/sda2 . Value ‘1’ works only when booting from /dev/sda1 & makes me on each boot enter cryptsetup luksOpen /dev/sda2 root & so on.
From this we can guess that with value of curluks ‘root’ the $(eval echo $luks_root) should give /dev/sda2 (or your specific device):
olli@linux-82d5:~> cat /lib/mkinitrd/scripts/boot-luks.sh | grep curluks
for curluks in $luks; do
/sbin/cryptsetup luksOpen $(eval echo \$luks_${curluks}) $curluks
olli@linux-82d5:~>

Also I had trouble with getting initrd w/ luks feature by default at least on one of my notebooks (having all done by your howto).
To get this work anyway I found that variable:
olli@linux-82d5:~> grep ADDITIONAL_FEATURES /lib/mkinitrd/scripts/ -r | grep %
/lib/mkinitrd/scripts/setup-prepare.sh:#%param_f: "Features to be enabled when generating initrd.\nAvailable features are:\niscsi, md, mpath, lvm, lvm2, evms" "\"feature list\"" ADDITIONAL_FEATURES
olli@linux-82d5:~>

Also to get things to work I had to modify INITRD_MODULES in sysconfig/kernel – append all crypto modules I needed to cryptsetup luksOpen.
So my configuration now looks this way:

olli@linux-82d5:~> cat /etc/sysconfig/kernel | grep INITRD_
INITRD_MODULES="processor thermal ata_piix ata_generic ide_pci_generic fan jbd ext3 dm_mod edd aes_generic arc4 cbc aes-i586 dm_crypt crypto_blkcipher ecb sha256_generic"
DOMU_INITRD_MODULES="xennet xenblk"
olli@linux-82d5:~> cat /etc/sysconfig/initrd
luks_root=/dev/sda2
luks=root
ADDITIONAL_FEATURES="luks usb"
olli@linux-82d5:~>

One more minor notice: within advanced options in GUI for grub installation it is possible to append ‘luks_root=/dev/sda2’, this will lead to this string appearing in all needed strings in sysconfig/bootloader & save a few seconds. 🙂

Also for those who will use usb keys to boot: I had to use root=(hd0,1) (not hd1,1) w/ grub, since after booting from usb the usb becomes a 1st drive for grub (in loaded linux it was second for me).

Thanks for your howto, BTW, really – now I can enjoy openSuSE & give up my tries to find something w/ entire encryption support & good enough for my needs.

Please update howto w/ notices above – after these changes my system is booted from usb key & prompts for password for /dev/sda2 w/o noisy messages & shell prompt. =)

By: Ludwig Nussel, Sat, 11 Jul 2009 15:04:31 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1067
it’s not a gnome app. plain (python-)gtk.

By: Ludwig Nussel, Sat, 11 Jul 2009 15:03:55 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1066
yes 🙂

By: Ludwig Nussel, Sat, 11 Jul 2009 15:03:10 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1065
Yes, connecting this to NetworkManager would be nice. Esp since
NetworkManager knows when it is about to start a new connection so
it can prepare SuSEfirewall2 already before the interface is set up.

Enhancements for samba are already implemented and will be available
as online update soon. The SuSEfirewall2 version in the fwzs repo
has those enhancements too.

By: jrdls, Fri, 10 Jul 2009 22:42:15 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1064
It’s not openSUSE, it is Novell who’s GNOME-focused. Even though they’re still patrons of KDE, they still have a lot of KDE devs and they still implement KDE very well, GNOME has taken KDE’s place especially in SLED. Look at iFolder. AFAIK it is written using mono and Gtk#. Even though it is not a gnome library, you know which DE you’re targeting if you write an app with Gtk# and where it’ll fit the best. The same applies to banshee, f-spot and tomboy. Furthermore, they sponsor OpenOffice.org and Evolution (and this one is a GNOME app). However Novell doesn’t sponsor a KDE app or a qt app (except yast, of course). They sponsor KDE as a project (just as they sponsor GNOME as a project), but not individual apps. I hope in the future Novell will develop an app using mono and qt (which is perfectly possible) or will sponsor a qt/KDE app as well (BTW this is not meant to offend anybody or to start a flame war, this is what I see and my opinion and it is perfectly debatable).
As to the feature itself, even if this is shown in gnome, it doesn’t mean the community won’t develop a plasmoid (or won’t add this feature to NM’s plasmoid as suggested by others) and still remains a useful one.

By: lefty.crupps, Fri, 10 Jul 2009 17:12:43 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1063
When did SuSE move to creating GNOME apps/applets? I thought it was a KDE-focused distro. Shame, seems to me that SuSE is trying to out-do Ubuntu with the same limited interface.

By: Jakub Steiner, Fri, 10 Jul 2009 15:29:28 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1062
Ideal UI suggestion — Have a property of a wifi network to be ‘safe’ in NM’s ‘edit connections’ and have NM turn off the firewall automatically. No need to expose any UI for switching and polluting the systray with yet another icon.

By: Martin Vidner, Fri, 10 Jul 2009 13:59:45 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1061
Hmm, food for the D-Bus junkie!

It looks like this is the git repo. (Still empty so far)

By: Livio, Fri, 10 Jul 2009 12:23:05 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1060
Move proof-of-concept to NetworkManager. Just not to make a tray-mess like in Windows 😉 .

I wonder if firewall configuration for Samba could work… Currently Samba makes user need to do manual firewall config. Add IPs, enable broadcast…

By: Xila, Fri, 10 Jul 2009 12:08:32 +0000, https://lizards.opensuse.org/2009/07/10/1453/#comment-1059
oooh this looks just what the doctor ordered, simple but so useful ! thanks !!
