SuSE-firewall with webserver and samba
Hello, I'm trying to configure a webserver (SuSE 9.1), with a SUSE firewall, and perhaps also with samba fileshares, though I'm not sure there's a reasonably secure way of doing this. ssh should also be accessible.

There is no internal (private) network. The server, and the machines accessing the fileshares, are part of a university network. All machines access the internet through that network; nothing from them (or to them) goes through the firewall, which should only protect the machine running the webserver and the samba shares. The server host and the samba clients belong to the same DNS subdomain, and have an IP address block like 222.222.222.2 - 222.222.222.126. The clients all run Windows NT 4.0, Windows 2000, or Windows XP.

As I've currently configured the system, I have two problems:

(1) Some users from outside report that the webserver is not accessible; connection attempts throw up DNS errors. I have no rejected packets for port 80 in the firewall log, and am therefore inclined to think that the problem is not with the server or firewall configuration. From within the university network, I have no problems connecting to the server on port 80. Could it be that it just takes some time until the DNS information for the server spreads around, or does this entail that there's something wrong with the DNS entry for the server?

(2) The samba fileshares can't be accessed. Actually, there's only one fileshare. Only one particular username is accepted as valid, and the samba clients must belong to the IP block 222.222.222.xxx/25.
The firewall configuration file currently looks as follows:

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_MASQUERADE="no"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="www ssh 139 137 138 445"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="222.222.222.0/25,tcp,137 222.222.222.0/25,tcp,138 222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445 222.222.222.0/25,udp,137 222.222.222.0/25,udp,138 222.222.222.0/25,udp,139"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="dns"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_SAMBA="yes"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_EXT="no"

My idea was to define the IP block of the samba clients as a "trusted net", and to only open the required tcp/udp ports, which are (I believe) 137-139 and 445. I'm not sure whether my syntax for FW_TRUSTED_NETS is correct. But would the general approach be ok? And are there any other nonsensical or counterproductive settings?

Thanks a lot; I'm very new at this (as one might perhaps have gathered from the configuration ...), best regards, Birgit Kellner
Hi Birgit,
(1) some users from outside report that the webserver is not accessible; connection attempts throw up DNS errors. I have no rejected packets for port 80 in the firewall log, and am therefore inclined to think that the problem is not with the server or firewall configuration. From within the university network, I have no problems connecting to the server on port 80.
--> Are you sure that the university allows you to set up webservers that are reachable from outside? Can you compare the output of the commands "nslookup servername" and "nslookup serverIP" from inside the university network and from outside?
(2) the samba fileshares can't be accessed. Actually, there's only one fileshare. Only one particular username is accepted as valid, and the samba clients must belong to the IP block 222.222.222.xxx/25.
The firewall configuration file currently looks as follows:
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_MASQUERADE="no"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="www ssh 139 137 138 445"
--> Here you need only those services that should be accessible from everywhere. If I understand you correctly, Samba shares should only be accessible from the TRUSTED NETS defined below, so "www ssh" should be enough here.
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="222.222.222.0/25,tcp,137 222.222.222.0/25,tcp,138 222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445 222.222.222.0/25,udp,137 222.222.222.0/25,udp,138 222.222.222.0/25,udp,139"
--> What about port 445/udp? Have you tried including it here?
FW_ALLOW_INCOMING_HIGHPORTS_TCP="dns"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_SAMBA="yes"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_EXT="no"
My idea was to define the IP block of the samba clients as a "trusted net", and to only open the required tcp/udp ports, which are (I believe) 137-139 and 445. I'm not sure whether my syntax for FW_TRUSTED_NETS is correct.
--> The syntax looks fine.
But would the general approach be ok? And are there any other nonsensical or counterproductive settings?
--> See comments above.
Thanks a lot; I'm very new at this (as one might perhaps have gathered from the configuration ...),
--> Have you remembered to restart the firewall with "rcSuSEfirewall2 restart" each time you changed the configuration? Good luck!

Armin
--
Am Hasenberg 26                 office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                     Schloss-Straße 6
Tel. ++49-(0)38203/42137                D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de             Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/             Fax. +49-(0)38293-68-50
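The point Armin makes about FW_SERVICES_EXT_TCP (only world-reachable services belong there; the Samba ports should come from FW_TRUSTED_NETS alone) can be checked mechanically. The script below is an added example, not code from the thread or from SuSEfirewall2 itself; it reads a constructed config modelled on the posted one, lists the SMB/NetBIOS ports that are currently open to every source, lists SMB ports that no trusted-net entry grants, and prints what FW_SERVICES_EXT_TCP should look like with the SMB ports stripped. The fw_get helper and the net,proto,port parsing of FW_TRUSTED_NETS are assumptions based on the syntax shown in the question.

```shell
#!/bin/sh
# Added example: lint a SuSEfirewall2 config for SMB exposure.  The config is a
# constructed sample; udp/138 is deliberately missing from FW_TRUSTED_NETS.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="www ssh 139 137 138 445"
FW_SERVICES_EXT_UDP=""
FW_TRUSTED_NETS="222.222.222.0/25,tcp,139 222.222.222.0/25,tcp,445 222.222.222.0/25,udp,137"
EOF
# Ports Samba listens on: NetBIOS name (137) and datagram (138) service over
# UDP, NetBIOS session (139) and direct SMB (445) over TCP.
SMB_PORTS="udp/137 udp/138 tcp/139 tcp/445"
SMB_PORT_NUMS="137 138 139 445"
# Print the value of one FW_* variable from a config file, quotes stripped.
fw_get() {  # $1 = config file, $2 = variable name
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1"
}
# Print the SMB ports that FW_SERVICES_EXT_TCP/UDP open to every source.
smb_open_to_world() {  # $1 = config file
    for pp in $SMB_PORTS; do
        proto=${pp%/*}; port=${pp#*/}
        case $proto in tcp) var=FW_SERVICES_EXT_TCP ;; *) var=FW_SERVICES_EXT_UDP ;; esac
        case " $(fw_get "$1" "$var") " in *" $port "*) echo "$pp" ;; esac
    done
}
# Print SMB ports that no FW_TRUSTED_NETS entry (net,proto,port) grants.
smb_missing_from_trusted() {  # $1 = config file
    trusted=$(fw_get "$1" FW_TRUSTED_NETS)
    for pp in $SMB_PORTS; do
        proto=${pp%/*}; port=${pp#*/}
        case " $trusted " in *",$proto,$port "*) ;; *) echo "$pp" ;; esac
    done
}
# Print FW_SERVICES_EXT_TCP with the SMB ports removed: what should remain
# once the share is reachable only through the trusted net.
ext_tcp_without_smb() {  # $1 = config file
    out=""
    for s in $(fw_get "$1" FW_SERVICES_EXT_TCP); do
        case " $SMB_PORT_NUMS " in *" $s "*) ;; *) out="$out $s" ;; esac
    done
    printf '%s\n' "${out# }"
}
echo "SMB ports open to everyone: $(smb_open_to_world "$SAMPLE_CFG" | tr '\n' ' ')"
echo "SMB ports not granted to trusted net: $(smb_missing_from_trusted "$SAMPLE_CFG" | tr '\n' ' ')"
echo "FW_SERVICES_EXT_TCP should become: \"$(ext_tcp_without_smb "$SAMPLE_CFG")\""
```

Point SAMPLE_CFG at /etc/sysconfig/SuSEfirewall2 to run the same checks against a real configuration.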