Hello, firewall-newbie here.
After I posted the following message to suse-ppc, Joss Winn kindly
suggested that I also ask for advice here. Thanks in advance for any
and all insights...
hysterion
-------- Original Message --------
Subject: Re: [suse-ppc] Firewall
Date: Wed, 27 Jun 2001 22:10:02 -0400
From: hysterion
On Mon, Jun 25, 2001 at 09:26:17AM +0100, Smith, Bradley wrote:
Hi,
What's the easiest way for me to configure a firewall (SuSE 7.1, 2001 iMac)?
I *will* get around to reading up on ipchains etc. but for the moment it's most important that I have something protecting me from those nasty hackers!
Cheers Brad
You can (I think it is turned on by default anyway), use the Personal Firewall. It uses the 2.2 ipchains.
I just got cable access and set up SuSEfirewall for masquerading, and I second the recommendation. It's very easy to set up - just a few instructions in the config file, and it automatically generates appropriate ipchains rules (97 of them, in my case) at boot time. Probably the best examples you could study anyway...

One caveat I found, however: it seems that I also need to connect to my ISP (using DHCP) *at boot time*. Otherwise SuSEfirewall produces a different set of rules, one of which seems to get in the way when I later try to connect and ping:

$ /sbin/dhcpcd -d -h CC******-A eth0

produces messages like

Jun 26 22:17:12 gris dhcpcd[886]: broadcasting DHCP_DISCOVER
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43879 F=0x0000 T=255 (#37)
Jun 26 22:17:12 gris dhcpcd[886]: broadcastAddr option is missing in DHCP server response. Assuming *.*.*.255
Jun 26 22:17:12 gris dhcpcd[886]: broadcasting second DHCP_DISCOVER
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43881 F=0x0000 T=255 (#37)
Jun 26 22:17:12 gris dhcpcd[886]: DHCP_OFFER received from (24.2.0.9)
Jun 26 22:17:12 gris dhcpcd[886]: broadcasting DHCP_REQUEST for *.*.*.*
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43883 F=0x0000 T=255 (#37)
Jun 26 22:17:12 gris dhcpcd[886]: DHCP_ACK received from (24.2.0.9)

$ ping www.suse.de

then produces (no output and) messages like

Jun 26 22:18:14 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.33:53 *.*.*.*:1024 L=246 S=0x00 I=12157 F=0x0000 T=52 (#37)
Jun 26 22:18:19 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.34:53 *.*.*.*:1024 L=246 S=0x00 I=8282 F=0x0000 T=52 (#37)
Jun 26 22:18:24 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.33:53 *.*.*.*:1024 L=246 S=0x00 I=14064 F=0x0000 T=52 (#37)
Jun 26 22:18:29 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.34:53 *.*.*.*:1024 L=246 S=0x00 I=10180 F=0x0000 T=52 (#37)

This seems to indicate that the culprit rule (#37), which reads

-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY -l

gets in the way of DHCP and DNS services -- even though I did set FW_SERVICE_DHCLIENT="yes" and FW_INCOMING_HIGHPORTS_UDP="dns". (The "10.118.32.1" seems very strange, too, but that's consistently what I get.) If I let the connection happen at boot time, on the other hand, this rule disappears from the list, and everything works fine.

Questions:

- Is it true that the firewall prevents (DHCP-)connecting to the internet, except at boot time? If yes, I would suggest emphasizing this in the documentation (I couldn't find it). If no, I'll gladly send more details of exactly what I did - the above seems 100% reproducible.
- Do later versions of the firewall behave in the same way? (I am using the stock versions from SuSE 7.0 ppc - kernel 2.2.16 and firewall 2.6.)
- Any other reason I should upgrade to a later version? (The .rpm updates mentioned at http://www.suse.de/~marc/SuSE.html don't seem to exist on the ppc side.)

hysterion
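The diagnosis in the post above rests on reading the ipchains "Packet log:" lines by hand: protocol 17 is UDP, source port 67 to destination port 68 is a DHCP server replying to a client, source port 53 to a high port is a DNS answer, and the trailing "(#37)" is the index of the rule that fired. The following Python is an added example, not code from the post, from SuSE or from the SuSEfirewall package. It parses that log format, names the service each denied packet belongs to, and groups the denials by rule number so that a rule that is eating replies to the host's own requests stands out. The sample log lines are constructed after the ones in the post; the rule number 12 and the TCP line that carries it are invented for the example and do not appear on the page.

```python
import re
from collections import Counter, defaultdict

# Field layout of the 2.2-kernel ipchains packet log, as quoted in the post:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#               L=<len> S=<tos> I=<ipid> F=<frag> T=<ttl> (#<rule>)
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_packet_log(line):
    """Return a dict for one ipchains packet-log line, or None for any other syslog line."""
    m = PACKET_LOG_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        entry[key] = int(entry[key])
    entry["proto_name"] = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
    return entry


def classify(entry):
    """Name the service a logged packet belongs to from its protocol and port pair."""
    if entry["proto"] == 17:
        if entry["sport"] == 67 and entry["dport"] == 68:
            return "dhcp-reply"   # DHCP server -> client; a DHCP client must accept these
        if entry["sport"] == 53 and entry["dport"] >= 1024:
            return "dns-reply"    # resolver answer to an unprivileged client port
    return "other"


def summarize_denials(lines):
    """Group DENY log lines by the rule that fired, counting the services each rule hits."""
    per_rule = defaultdict(Counter)
    for line in lines:
        entry = parse_packet_log(line)
        if entry is None or entry["target"] != "DENY":
            continue
        per_rule[entry["rule"]][classify(entry)] += 1
    return {rule: dict(counts) for rule, counts in per_rule.items()}


# Constructed sample log, modelled on the lines quoted in the post; the dhcpcd lines
# are kept to show that non-kernel syslog lines are skipped, and the last line
# (rule #12, a TCP denial) is invented to show a rule that is doing its job.
SAMPLE_LOG = [
    "Jun 26 22:17:12 gris dhcpcd[886]: broadcasting DHCP_DISCOVER",
    "Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43879 F=0x0000 T=255 (#37)",
    "Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43881 F=0x0000 T=255 (#37)",
    "Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43883 F=0x0000 T=255 (#37)",
    "Jun 26 22:17:12 gris dhcpcd[886]: DHCP_ACK received from (24.2.0.9)",
    "Jun 26 22:18:14 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.33:53 *.*.*.*:1024 L=246 S=0x00 I=12157 F=0x0000 T=52 (#37)",
    "Jun 26 22:18:19 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.34:53 *.*.*.*:1024 L=246 S=0x00 I=8282 F=0x0000 T=52 (#37)",
    "Jun 26 22:19:03 gris kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4321 *.*.*.*:23 L=60 S=0x00 I=1 F=0x4000 T=64 (#12)",
]


if __name__ == "__main__":
    for rule, counts in sorted(summarize_denials(SAMPLE_LOG).items()):
        print(f"rule #{rule}: {counts}")
```

Run against the real /var/log/messages, a rule whose counts are dominated by "dhcp-reply" or "dns-reply" is blocking traffic the host itself asked for, which is exactly the symptom the post describes for rule #37; a rule that only ever shows "other" is denying unsolicited traffic and can be left alone.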