Hi Birgit,
(1) some users from outside report that the webserver is not accessible; connection attempts throw up DNS errors. I have no rejected packets for port 80 in the firewall log, and am therefore inclined to think that the problem is not with the server or firewall configuration. From within the university network, I have no problems connecting to the server on port 80.
--> Are you sure that the university allows you to set up webservers that are reachable from outside? Can you compare the output of the command "nslookup servername" and "nslookup serverIP" from inside the university network and from outside?
(2) the samba fileshares can't be accessed. Actually, there's only one fileshare. Only one particular username is accepted as valid, and the samba clients must belong to the IP block 222.222.222.xxx/25.
The firewall configuration file currently looks as follows:
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_MASQUERADE="no"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="www ssh 139 137 138 445"
--> Here you need only those services that should be accessible from everywhere. If I understand you correctly, Samba shares should only be accessible from the TRUSTED NETS defined below, so "www ssh" should be enough here.
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="222.222.222.0/25,tcp,137 222.222.222.0/25,tcp,138 222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445 222.222.222.0/25,udp,137 222.222.222.0/25,udp,138 222.222.222.0/25,udp,139"
--> What about port 445/udp? Have you tried including it here?
FW_ALLOW_INCOMING_HIGHPORTS_TCP="dns"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_SAMBA="yes"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_EXT="no"
My idea was to define the IP block of the samba clients as a "trusted net", and to only open the required tcp/udp ports, which are (I believe) 137-139 and 445. I'm not sure whether my syntax for FW_TRUSTED_NETS is correct.
--> The syntax looks fine.
But would the general approach be ok? And are there any other nonsensical or counterproductive settings?
--> See comments above.
Thanks a lot; I'm very new at this (as one might perhaps have gathered from the configuration ...),
--> You have remembered to restart the firewall with "rcSuSEfirewall2 restart" each time you changed the configuration? Good luck!

Armin

--
Am Hasenberg 26
D-18209 Bad Doberan
Tel. ++49-(0)38203/42137
Email: schoech@iap-kborn.de
WWW: http://armins.cjb.net/

office:
Institut für Atmosphärenphysik
Schloss-Straße 6
D-18225 Kühlungsborn / GERMANY
Tel. +49-(0)38293-68-102
Fax. +49-(0)38293-68-50
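The two points raised in the reply (Samba ports listed in FW_SERVICES_EXT_TCP are reachable from everywhere, and FW_TRUSTED_NETS should carry exactly the Samba port/protocol pairs for the client block) can be checked mechanically before restarting the firewall. The script below is an added example and is not from the thread or from the SuSEfirewall2 project; the embedded configuration is a constructed copy of the one posted above, and SAMBA_PAIRS reflects the standard Samba port usage (137/udp and 138/udp for NetBIOS name and datagram service, 139/tcp for NetBIOS session, 445/tcp for direct SMB).

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: audit a SuSEfirewall2
# configuration for Samba exposure.
#   1. samba_ports_world_open  - Samba ports that FW_SERVICES_EXT_TCP opens to
#                                every source address (should be empty).
#   2. trusted_missing_pairs   - Samba proto/port pairs that FW_TRUSTED_NETS
#                                does not grant to the trusted client block.
#   3. trusted_extra_pairs     - FW_TRUSTED_NETS entries for that block that
#                                Samba does not need (harmless, but noise).

# Constructed sample mirroring the configuration posted in the thread.
SAMPLE_CONFIG='FW_SERVICES_EXT_TCP="www ssh 139 137 138 445"
FW_TRUSTED_NETS="222.222.222.0/25,tcp,137 222.222.222.0/25,tcp,138 222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445 222.222.222.0/25,udp,137 222.222.222.0/25,udp,138 222.222.222.0/25,udp,139"'

# Constructed tightened variant: only www/ssh world-open, only the needed pairs trusted.
TIGHT_CONFIG='FW_SERVICES_EXT_TCP="www ssh"
FW_TRUSTED_NETS="222.222.222.0/25,udp,137 222.222.222.0/25,udp,138 222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445"'

# Port/protocol pairs Samba actually listens on.
SAMBA_PAIRS="udp/137 udp/138 tcp/139 tcp/445"
SAMBA_PORTS="137 138 139 445"

# get_var NAME CONFIG: print the unquoted value of NAME="..." from CONFIG text.
get_var() {
  printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"\$/\1/p"
}

# samba_ports_world_open CONFIG: Samba ports present in FW_SERVICES_EXT_TCP.
samba_ports_world_open() {
  ext=$(get_var FW_SERVICES_EXT_TCP "$1")
  for svc in $ext; do
    case " $SAMBA_PORTS " in
      *" $svc "*) printf '%s\n' "$svc" ;;
    esac
  done
  return 0
}

# trusted_missing_pairs NET CONFIG: Samba pairs not granted to NET.
trusted_missing_pairs() {
  net=$1
  trusted=$(get_var FW_TRUSTED_NETS "$2")
  for pair in $SAMBA_PAIRS; do
    proto=${pair%/*}
    port=${pair#*/}
    found=0
    for entry in $trusted; do
      if [ "$entry" = "$net,$proto,$port" ]; then found=1; fi
    done
    if [ "$found" -eq 0 ]; then printf '%s\n' "$pair"; fi
  done
  return 0
}

# trusted_extra_pairs NET CONFIG: entries for NET that Samba does not need.
trusted_extra_pairs() {
  net=$1
  trusted=$(get_var FW_TRUSTED_NETS "$2")
  for entry in $trusted; do
    enet=${entry%%,*}
    rest=${entry#*,}
    eproto=${rest%,*}
    eport=${rest#*,}
    if [ "$enet" = "$net" ]; then
      case " $SAMBA_PAIRS " in
        *" $eproto/$eport "*) ;;
        *) printf '%s/%s\n' "$eproto" "$eport" ;;
      esac
    fi
  done
  return 0
}

# Report on the posted configuration; on the tightened one every list is empty.
echo "Samba ports open to the world:"; samba_ports_world_open "$SAMPLE_CONFIG"
echo "Samba pairs missing from trusted net:"; trusted_missing_pairs 222.222.222.0/25 "$SAMPLE_CONFIG"
echo "Unneeded trusted-net entries:"; trusted_extra_pairs 222.222.222.0/25 "$SAMPLE_CONFIG"
```

Run against the posted configuration it lists 139, 137, 138 and 445 as world-open (the point made about FW_SERVICES_EXT_TCP), reports no missing Samba pair for 222.222.222.0/25, and flags tcp/137, tcp/138 and udp/139 as entries Samba does not use. To audit a live system, replace the embedded text with the contents of the real configuration file.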