Option 1: Trusted Zone (Recommended for Dedicated Storage Networks)
For dedicated storage networks, disable firewall filtering on storage interfaces to eliminate CPU overhead from packet inspection. This is important for high-throughput iSCSI storage.
Why disable filtering on storage interfaces:
-
CPU overhead: Firewall packet inspection adds latency and consumes CPU cycles.
-
Performance impact: At high IOPS, filtering overhead becomes significant.
-
Network isolation: Dedicated storage VLANs provide security at the network layer.
-
Simplicity: No port rules to maintain for storage traffic.
Using firewalld (SLES 15+)
# Add storage interfaces to trusted zone (no packet filtering)
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=trusted --add-interface=ens1f1
# Reload
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --zone=trusted --list-all
Option 2: Port Filtering (For Shared or Non-Isolated Networks)
Use port filtering only when storage interfaces share a network with other traffic or when additional host-level security is required by policy.
Port filtering adds CPU overhead for every packet. For production storage with high IOPS requirements, use Option 1 with network-level isolation instead.
Using firewalld (SLES 15+)
# Enable firewalld
sudo systemctl enable --now firewalld
# Check status
sudo firewall-cmd --state
# Allow iSCSI traffic
sudo firewall-cmd --permanent --add-service=iscsi-target
# Or add port directly
sudo firewall-cmd --permanent --add-port=3260/tcp
# Reload firewall
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --list-all
Zone-Based Configuration with Port Filtering
Dedicated storage zone with port filtering:
# Create storage zone
sudo firewall-cmd --permanent --new-zone=storage
# Add storage interfaces to zone
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f0
sudo firewall-cmd --permanent --zone=storage --add-interface=ens1f1
# Allow iSCSI in storage zone
sudo firewall-cmd --permanent --zone=storage --add-port=3260/tcp
# Set target to DROP (deny by default except allowed ports)
sudo firewall-cmd --permanent --zone=storage --set-target=DROP
# Reload
sudo firewall-cmd --reload
# Verify
sudo firewall-cmd --zone=storage --list-all
Using YaST for Firewall Configuration
Configure firewall with YaST:
# Launch YaST firewall configuration
sudo yast firewall
# Or use YaST CLI
sudo yast firewall services add service=iscsi-target zone=public
# Verify
sudo firewall-cmd --list-all