Heyas,
First of all, I absolutely understand all of your grief (well, most of it); I've been through much of the same. I came to the point of contemplating suicide, feeling too stupid to get such a small thing to work, etc. ... So then I disabled SuSEfirewall; I personally think it sucks.
Is SuSEfirewall2 so much different from SuSEfirewall?
We did SuSEfirewall with up to three external interfaces, which gives more problems in routing than in the chains. We had fixed IP and dynamic and dialups.
IMHO most of the problems come from the way people work with their servers. They are used to the colorful click-and-forget GUIs of the Windoze desktop and believe they can work on a server the same way. That is one reason why there are more security holes on Windoze servers than Linux servers: ppl only scratch the surface of the problem, and the GUI makes it too easy to get first results without telling them that the first results are not the best results. I tend to look into the concepts behind a solution before implementing it. That means in this case, I try to understand the concepts of routing, masquerading (NAT) and iptables, and I try to figure out what a firewall is needed for (OFC, any good salesman will tell you that you need one, but ask him what a firewall does and you get interesting results :-). If you know all the basics behind iptables, you can easily write your custom firewall script. Tools like shorewall or SuSEfirewall2 are a shortcut to save you time (when you know what you're doing) and protect you from typos. If you need graphical tools to set up your firewall, you can purchase a commercial product like the Firewall on CD (which basically provides an easy GUI for designing a firewall without knowing anything about Linux), but there is nothing you can do with that GUI that you can't do by editing a config file.

Basically, what you need is to set up your server for routing (a simple entry in /etc/rc.config on SuSE 7.3) and configure your clients to use your server as default gateway (either on each machine or in the DHCP config on your DHCP server). The next step is defining which services on your server are being used from the internal network and from the internet. That determines what settings you need to activate on your firewall.
The whole setup is pretty easy then:

FW_DEV_EXT="ppp0"   # your modem
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
# assuming your internal network is 192.168.x.0/255.255.255.0
FW_MASQ_NETS="192.168.x.0/24"
# allowing ssh, dns and www from external
FW_SERVICES_EXT_TCP="domain ssh www"
FW_SERVICES_EXT_UDP="domain"
# allowing ssh, www, DNS and windoze protocols for internal machines
FW_SERVICES_INT_TCP="ssh smtp domain www 137:139"
FW_SERVICES_INT_UDP="domain 137:139"

Basically this should be most of the work. As I mentioned before, some SuSE 7.3 installations did not check in the ip-up script for firewall2, so you might need to edit /etc/ppp/ip-up. If you only find lines like this:

test "$START_FW" = yes && /sbin/SuSEfirewall

without mentioning

test "$START_FW2" = yes

somewhere above, you might need to modify the script to check for START_FW2 in rc.config and then start SuSEfirewall2.

cya
Jörn

------------------------------------------------------------
Jörn Ott                   Phone:  (0 22 24) 94 08 - 73
EDV Service & Beratung     Fax:    (0 22 24) 94 08 - 74
Lohfelder Str. 33          E-Mail: mailto:white@ott-service.de
53604 Bad Honnef           WWW:    http://www.ott-service.de/
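Jörn's point is that SuSEfirewall2 is a shortcut over iptables, so it is worth seeing what the FW_* settings above actually expand to. The script below is an added example, not from the post or from SuSEfirewall2 itself: it takes the same variables and prints the equivalent iptables commands (default-drop INPUT and FORWARD, accepts only for the listed services per interface, masquerading only for the listed internal nets). It prints rather than applies them, so you can review the result before running it as root; 192.168.1.0/24 stands in for the "192.168.x.0/24" placeholder, and the service-to-port mapping is a small assumed helper rather than a lookup in /etc/services.

```shell
#!/bin/sh
# Added example: expand SuSEfirewall2-style FW_* settings into iptables
# commands. Output is printed, not executed; pipe it to sh as root only
# after reviewing it. Values mirror the post; 192.168.1.0/24 is a
# constructed sample network.

FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="domain ssh www"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_INT_TCP="ssh smtp domain www 137:139"
FW_SERVICES_INT_UDP="domain 137:139"

# Assumed helper: map the service names used in the FW_* lists to ports.
# A range such as 137:139 is already iptables syntax and passes through.
port_of() {
    case "$1" in
        ssh)    echo 22 ;;
        smtp)   echo 25 ;;
        domain) echo 53 ;;
        www)    echo 80 ;;
        *)      echo "$1" ;;
    esac
}

# emit_accepts DEV PROTO "svc svc ..." -> one INPUT ACCEPT rule per service,
# bound to the interface so an internal-only service never opens on ppp0.
emit_accepts() {
    dev=$1
    proto=$2
    for svc in $3; do
        echo "iptables -A INPUT -i $dev -p $proto --dport $(port_of "$svc") -j ACCEPT"
    done
}

gen_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"   # FW_ROUTE="yes"
    # Default deny for traffic to and through the box; local egress allowed.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    emit_accepts "$FW_DEV_EXT" tcp "$FW_SERVICES_EXT_TCP"
    emit_accepts "$FW_DEV_EXT" udp "$FW_SERVICES_EXT_UDP"
    emit_accepts "$FW_DEV_INT" tcp "$FW_SERVICES_INT_TCP"
    emit_accepts "$FW_DEV_INT" udp "$FW_SERVICES_INT_UDP"
    # FW_MASQUERADE="yes": forward and NAT only the listed internal nets,
    # and let replies back in on the FORWARD chain.
    for net in $FW_MASQ_NETS; do
        echo "iptables -A FORWARD -i $FW_DEV_INT -o $FW_DEV_EXT -s $net -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $FW_DEV_EXT -s $net -j MASQUERADE"
    done
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

gen_rules
```

Reading the generated list side by side with the FW_* block is a quick way to check that a setting does what you think: smtp, for instance, only ever appears with `-i eth0`, because it is in FW_SERVICES_INT_TCP and not in the EXT list.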