Problems with SuSEfirewall2 on SuSE 7.2
Hello,
I've some problems with the SuSEfirewall2.
In my setup it allows access to ports (like telnet, mysql, ...) which I have
NOT opened to the outside. I also use autoprotection but it does not help.
Does anyone have an idea how I get my firewall working?
(configurations below)
bye...
--
Thomas Gaertner (host leela)
Brandenburg Technical University at Cottbus
Student Assistant at the Software and Systems Engineering Group
---------------------------------------------------------------
Please send only plain ASCII-Mail. In case your Mail will be turned down, use
On Fri, Aug 30, 2002 at 09:31:18AM +0200, Thomas Gaertner wrote:
Hello,
I've some problems with the SuSEfirewall2. In my setup it allows access to ports (like telnet, mysql, ...) which I have NOT opened to the outside. I also use autoprotection but it does not help.
Does anyone have an idea how I get my firewall working?
[...]
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesnt matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comman, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS="141.43.23.123/16"
If I remember right, these trusted nets have *full* access to your firewall. If you tested your firewall from one of these IPs, you certainly haven't tested all your external rules. Besides, I wouldn't trust so many hosts.
--
Michel Messerschmidt 9messers@informatik.uni-hamburg.de http://www.michel-messerschmidt.de
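To make the point above concrete, here is a small added checker (not part of the thread and not SuSEfirewall2's own code) that parses a FW_TRUSTED_NETS string in the "host_or_net[,proto[,port]]" form the config comment describes and reports whether a given source address would be treated as trusted. It is a simplified model of the rules the script generates (assumption: numeric ports only, and matching is reduced to address/protocol/port); the external address 203.0.113.9 is a constructed example.

```python
import ipaddress

# Constructed from the FW_TRUSTED_NETS line quoted in the post.
TRUSTED_NETS_FROM_POST = "141.43.23.123/16"


def parse_trusted_nets(value):
    """Parse FW_TRUSTED_NETS into (network, proto, port) rules.

    Entries are space-separated 'host_or_net[,proto[,port]]'. strict=False
    turns a host address with a /16 mask into the whole 141.43.0.0/16 block,
    which is what the mask actually covers. Assumption: numeric ports only.
    """
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        net = ipaddress.ip_network(parts[0], strict=False)
        proto = parts[1].lower() if len(parts) > 1 else None
        port = int(parts[2]) if len(parts) > 2 else None
        rules.append((net, proto, port))
    return rules


def is_trusted(rules, src_ip, proto, port):
    """True if traffic from src_ip matches a trusted-net rule.

    A rule with no proto/port grants full access; proto or port narrow it.
    Simplified model of SuSEfirewall2's behaviour (assumption), not its code.
    """
    ip = ipaddress.ip_address(src_ip)
    for net, rproto, rport in rules:
        if ip in net and rproto in (None, proto) and rport in (None, port):
            return True
    return False


def trusted_address_count(rules):
    """Number of source addresses that get unrestricted (full) trust."""
    return sum(n.num_addresses for n, proto, _ in rules if proto is None)


RULES = parse_trusted_nets(TRUSTED_NETS_FROM_POST)

if __name__ == "__main__":
    print("trusted nets:", [str(n) for n, _, _ in RULES])
    print("addresses with full trust:", trusted_address_count(RULES))
    # A test run from a host inside the /16 finds mysql "open" ...
    print("141.43.5.7 -> mysql:", is_trusted(RULES, "141.43.5.7", "tcp", 3306))
    # ... while a genuinely external host is not trusted at all.
    print("203.0.113.9 -> mysql:", is_trusted(RULES, "203.0.113.9", "tcp", 3306))
```

Running this against the posted value shows 65536 fully trusted addresses, which is why a test from the university network cannot tell you anything about the external rules.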
On Fri, 30 Aug 2002, Thomas Gaertner wrote:
I've some problems with the SuSEfirewall2. In my setup it allows access to ports (like telnet, mysql, ...) which I have NOT opened to the outside. I also use autoprotection but it does not help.
Are you clear why you wrote these entries in section 9? They seem to open up a lot of 'external' ports. This is not the cause of your problem but it concerns me a little.
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
FW_SERVICES_EXT_TCP="domain 22 talk ntalk 3000 6105 6106" # Common: domain
FW_SERVICES_EXT_UDP="domain talk ntalk 3000 6105 6106" # Common: domain
Try to write for yourself a short definition of the purpose of your firewall - the little text diagrams that some people send to the list are always helpful for troubleshooters too - see which diagram in /usr/share/doc/packages/SuSEfirewall2/EXAMPLES best matches your plan. If you are still stuck, share your progress with the list -- but don't put the fw into production until you are comfortable :-)
dproc