SuSEfirewall2 and multiple IPs for interface
Hi everyone,

on SuSEfirewall2 with SuSE 9.0 and an interface with 2 IPs assigned to it the following setting:

FW_SERVICES_*_TCP="www"

does seem to translate to: "allow incoming port 80 on the outside interface for the primary IP". What if I want to allow it for both IPs? Do I have to write my own rule into SuSEfirewall2-custom?

Thanks a lot,

Ralf
Ralf Ronneburger wrote:
> on SuSEfirewall2 with SuSE 9.0 and an interface with 2 IPs assigned to it the following setting:
>
> FW_SERVICES_*_TCP="www"
>
> does seem to translate to: "allow incoming port 80 on the outside interface for the primary IP". What if I want to allow it for both IPs? Do I have to write my own rule into SuSEfirewall2-custom?
I have the following working setup on SuSE 9.0:

FW_DEV_EXT="eth1 eth1:1"
FW_SERVICES_EXT_TCP="80 443"

Regards,
André
Hi André, hi list,

André Sänger wrote:
| I have the following working setup on SuSE 9.0:
|
| FW_DEV_EXT="eth1 eth1:1"
| FW_SERVICES_EXT_TCP="80 443"

thank you, that works perfectly for me!

I've set my network up as above, now outgoing traffic is always masqueraded to the IP of eth1 in the above example. Is there a way to avoid this and tell SuSEfirewall2 where to masquerade it to?

Greetings,

Ralf
Hello Ralf,

you should have a look at Shorewall instead of SuSEfirewall2!

Download: germany.shorewall.net

I personally find it much easier to manage and even more powerful than SuSE's scripts, I'm sorry! I abandoned SuSEfirewall2, and since I use shorewall-scripts I am able to manage almost everything like vpn (ipsec or openvpn, you could even define your own ...), building dmz's with more complex setups like 4 interfaces or such things .... I really like this tool!

Greetings,
Philipp

Ralf Ronneburger wrote:
> Hi André, hi list,
>
> André Sänger wrote:
> | I have the following working setup on SuSE 9.0:
> |
> | FW_DEV_EXT="eth1 eth1:1"
> | FW_SERVICES_EXT_TCP="80 443"
>
> thank you, that works perfectly for me!
>
> I've set my network up as above, now outgoing traffic is always masqueraded to the IP of eth1 in the above example. Is there a way to avoid this and tell SuSEfirewall2 where to masquerade it to?
>
> Greetings,
>
> Ralf
> you should have a look at Shorewall instead of SuSEfirewall2 !

There are also openwall and ipcop. Smoothwall however is out, as far as I am concerned, because of http://www.linux.net.nz/lists/NZLUG/2001/12/0176.html I don't know how they're all related.

Personally I find web-configurable firewalls a pain and a half.

Volker

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.dnsalias.net/ Please do not CC list postings to me.
Volker,

Concerning "Smoothwall" I absolutely agree with you, I heard of the writer's attitude before and couldn't get by with it as well.

IPcop seems to be a little "stuck" in development, latest change at sourceforge was on 19.4.2003, which seems rather old to me when it comes to security related things like a firewall.

Hmm, openwall doesn't seem to be designed to "simplify" things, to me it looks a little over-complicated at first sight, but I didn't try it for long ;-)

What I *like* with shorewall compared to SuSE-fw is the concept of having a layout of "tables", which are reflected by different config files in exactly that manner, how they are constructed from the config-docs. To me it is a very clear thing to look at these files and see what's happening here or there.

Another nice tool is Astaro firewall, but this is commercial and I don't like those graphical config-tools as well.

Helau,
Philipp

Volker Kuhlmann wrote:
> > you should have a look at Shorewall instead of SuSEfirewall2 !
>
> There are also openwall and ipcop. Smoothwall however is out, as far as I am concerned, because of http://www.linux.net.nz/lists/NZLUG/2001/12/0176.html I don't know how they're all related.
>
> Personally I find web-configurable firewalls a pain and a half.
>
> Volker
-----Original Message-----
From: Volker Kuhlmann [mailto:hidden@paradise.net.nz]
Sent: 21 February 2004 23:24
To: suse-security@suse.com
Subject: Re: [suse-security] SuSEfirewall2 and multiple IPs for interface

> > you should have a look at Shorewall instead of SuSEfirewall2 !
>
> There are also openwall and ipcop. Smoothwall however is out, as far as I am concerned, because of http://www.linux.net.nz/lists/NZLUG/2001/12/0176.html I don't know how they're all related.

I always used to read Richard Morrell's postings with a certain amount of amusement, especially when ppl asked how to modify the product. Anyway, he's left Smoothwall now so you needn't worry about his attitude any more!

Tom.
participants (5): André Sänger, Philipp Rusch, Ralf Ronneburger, Tom Knight, Volker Kuhlmann