Hi! I recently asked for help regarding a secure setup for the SuSEfirewall2 on a router for a small LAN with public IPs. I received the following advice, which I implemented:
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_FORWARD="100.120.55.18,100.120.204.51,tcp,7127 \ 100.120.55.18,100.120.204.56,tcp,7127 \ 100.120.55.18,100.120.204.58,tcp,7127"
FW_KERNEL_SECURITY="yes"
The problem is, if I do this, every connection out of my LAN into the Net is down; the firewall blocks everything. The firewall also doubles as a mail and DNS server for the LAN, so these services have to be reachable. What I want it to do is to block everything but certain well-defined connections to the internet, like http, pop3, smtp, ftp and ssh. Also, the outside world has to have access to a webserver on 100.120.55.2. If I understand it correctly, this would mean FW_FORWARD rules like:

100.120.55.0/6, 0/0,tcp, 80 # for LAN connection to the internet via http, other services similarly
0/0, 100.120.55.2,tcp,80 # for web server availability

but it doesn't seem to work. What am I missing?

My original working but probably insecure setup is as follows:

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="100.120.55.0/6,0/0,tcp,80 / 100.120.55.0/6,0/0,tcp,110 / 100.120.55.0/6,0/0,tcp,22 / 100.120.55.0/6,0/0,tcp,25 / 100.120.55.0/6,0/0,udp,53 / 100.120.55.0/6,0/0,tcp,53 / 100.120.55.0/6,0/0,tcp,995 / 0/0,100.120.55.2,tcp,80 / 100.120.204.51,100.120.55.18,tcp,7127 / 100.120.204.56,100.120.55.18,tcp,7127 / 100.120.204.58,100.120.55.18,tcp,7127 "
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Any suggestion is appreciated. Thanks in advance!