Re: [suse-security] SuSEfirewall v2.0
Look at Scenarios 5 and 6 in the EXAMPLES file (in a normal install this is /usr/share/doc/packages/SuSEfirewall2).
Good luck, you should be able to do this fairly easily.
Jim
11/11/01 11:03:06 AM, Scheme Loh
--- Marc Heuse wrote:
Hi folks,
SuSEfirewall2 v2.0 will shortly be available at www.suse.de/~marc/suse
Thanks so much for firewall2.
A quick question if I may. I use firewall2 to masq an internal network of w2k machines and Mac so they may surf, ftp and ssh.
Could I also use firewall2 to send requests to a web server behind the firewall? What if there are two webservers?
Don't need a full answer so much as a hint that's it's possible and maybe a hint as to procedure.
Me and someone else on the suse-linux-e list are about to look into this.
Again, thanks for the good work!
=====
Daniel Woodard
--- James Bliss
Look at Scenarios 5 and 6 in the EXAMPLES file (in a normal install this is /usr/share/doc/packages/SuSEfirewall2).
Good luck, you should be able to do this fairly easily.
Jim
Was very easy. Too easy perhaps? Here's my setup:

SuSE 7.2 minimal install with:
SuSEfirewall2
iptables
eth0 to the world
eth1 to internal

I have about a dozen computers on my internal network, 192.168.1.x. I put the webserver (w2k running IIS/CF/Generator2) at 192.168.1.90.

I edited FW_FORWARD_MASQ to include:
0/0,192.168.1.90,tcp,80

Poof, the webserver can be seen from the internet at large.

I'm a graphics/video guy, but my heart of hearts tells me that this is not the optimal set-up: to have my web server on the same network as my internal computers. My idea is to add a third ethernet card (eth2) and have it on another network, 10.0.0.x. Then change FW_FORWARD_MASQ to go to 10.0.0.x and leave my 192.168.1.x network the way it is now.

In a nutshell, what is a DMZ?

Thanks everyone!
=====
Daniel Woodard
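As an added example (not code from the thread or from SuSEfirewall2 itself), the shell script below shows what an FW_FORWARD_MASQ entry of the form source-net,target-ip,proto,port amounts to in iptables terms, and which extra rules the planned eth2 DMZ segment needs so that a DMZ host cannot open connections into the 192.168.1.x LAN. The interface roles (eth0 world, eth1 internal, eth2 DMZ) and the 10.0.0.90 target are assumptions; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEfirewall2 itself.
# Renders an FW_FORWARD_MASQ-style entry "source-net,target-ip,proto,port"
# into the iptables rules such a forward corresponds to, plus the rules that
# separate a DMZ segment from the internal LAN. Everything is printed rather
# than executed, so it can be read and tested offline.
# Assumptions: eth0 faces the world, eth1 the internal LAN, eth2 the DMZ.

WORLD_IF=eth0
INT_IF=eth1
DMZ_IF=eth2
INT_NET=192.168.1.0/24

# forward_masq_rules ENTRY
# Print the DNAT and FORWARD rules for one entry; return 1 if the entry does
# not have exactly four comma-separated fields or the port is not numeric
# (a dot typed where the first comma belongs is caught this way).
forward_masq_rules() {
    entry=$1
    oldifs=$IFS
    IFS=,
    set -f                     # no globbing while splitting on commas
    set -- $entry
    set +f
    IFS=$oldifs
    if [ $# -ne 4 ]; then
        echo "malformed entry (want source,target,proto,port): $entry" >&2
        return 1
    fi
    src=$1 dst=$2 proto=$3 port=$4
    case $port in
        ''|*[!0-9]*) echo "port is not numeric: $port" >&2; return 1 ;;
    esac
    # 1. rewrite the destination of matching packets arriving from the world
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WORLD_IF" "$src" "$proto" "$port" "$dst" "$port"
    # 2. let only that one service through the FORWARD chain to the target
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$WORLD_IF" "$src" "$dst" "$proto" "$port"
}

# dmz_isolation_rules
# Print the rules that keep a compromised DMZ host away from the LAN: replies
# to connections the LAN opened are allowed, new ones from the DMZ are dropped.
dmz_isolation_rules() {
    printf 'iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$DMZ_IF" "$INT_IF"
    printf 'iptables -A FORWARD -i %s -d %s -j DROP\n' "$DMZ_IF" "$INT_NET"
}

# Demo: the web server moved to the DMZ network (10.0.0.90 is a constructed value).
forward_masq_rules 0/0,10.0.0.90,tcp,80
dmz_isolation_rules
```

The second FORWARD rule in forward_masq_rules is what makes the forward narrow: only tcp/80 to the one target passes, so moving the server to eth2 does not open the rest of the DMZ, and dmz_isolation_rules ensures that even a compromised web server gets nothing but reply traffic into the LAN.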
* Scheme Loh wrote on Sun, Nov 11, 2001 at 14:06 -0800:
In a nutshell, what is a DMZ?
Demilitarized zone. It's a network with routable (non-RFC1918) IP addresses but behind a firewall. In the DMZ are the servers located which offer services for the internet or which act as proxies for the internal hosts. An idea is to block all connections from the internal LAN to the internet. By this, every connection must be relayed (i.e. by a proxy). An attacker needs to get a host in the DMZ to be able to attack the internal LAN, since anything else gets blocked. To make the attack against the DMZ not easy, it's firewalled too.

oki,
Steffen

--
This letter was produced by machine; it therefore bears neither signature nor seal.
i get this message from one of my log messages

Nov 13 19:27:20 cyclops named[351]: refused query on non-query socket from [192.168.1.22].1279
Nov 13 19:27:20 cyclops last message repeated 62 times
Nov 13 19:27:20 cyclops kernel: svc: unknown program 100000 (me 100021)
Nov 13 19:27:20 cyclops kernel: svc: unknown program 100001 (me 100021)

what could it mean?
kenneth
i get this message from one of my log messages
Nov 13 19:27:20 cyclops named[351]: refused query on non-query socket from [192.168.1.22].1279
Nov 13 19:27:20 cyclops last message repeated 62 times
This one is from your nameserver: You seem to have configured it to not answer any queries from the internal 192.168.1 network. That's why it complains: It gets some. If you say that 192.168.1.22 is a webserver then it seems that the webserver somehow uses dns.
Nov 13 19:27:20 cyclops kernel: svc: unknown program 100000 (me 100021)
Nov 13 19:27:20 cyclops kernel: svc: unknown program 100001 (me 100021)
Do an rpcinfo -p on both cyclops and the other machine that you tried to mount from or that mounted from cyclops. It seems to be HP/UX or Solaris.
what could it mean?
kenneth
Roman.
--
- -
| Roman Drahtmüller
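As an added example (not from the thread), this shell snippet decodes the kernel "svc: unknown program N (me M)" lines quoted above: N is the RPC program number a client asked for, M the program that actually owns the socket the request landed on. The lookup table holds a few standard RPC program numbers of the kind rpcinfo -p prints, so the two lines from cyclops read as portmapper and rstatd requests that reached the nlockmgr (lock daemon) socket. The sample input is the log text from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Decodes Linux sunrpc
# "svc: unknown program N (me M)" kernel messages: N is the program the client
# asked for, M the program registered on the socket that received the request.

# rpc_program_name NUMBER : a few standard RPC program numbers (rpcinfo -p names)
rpc_program_name() {
    case $1 in
        100000) echo portmapper ;;
        100001) echo rstatd ;;
        100003) echo nfs ;;
        100005) echo mountd ;;
        100021) echo nlockmgr ;;
        100024) echo status ;;
        *)      echo "unknown($1)" ;;
    esac
}

# decode_svc_lines : reads syslog lines on stdin and prints one decoded line
# per "svc: unknown program" entry; all other lines are ignored.
decode_svc_lines() {
    sed -n 's/.*svc: unknown program \([0-9][0-9]*\) (me \([0-9][0-9]*\)).*/\1 \2/p' |
    while read -r asked me; do
        printf 'request for %s (%s) arrived at the socket of %s (%s)\n' \
            "$(rpc_program_name "$asked")" "$asked" \
            "$(rpc_program_name "$me")" "$me"
    done
}

# Sample input: the lines kenneth quoted (the named line does not match and is skipped).
SAMPLE_LOG='Nov 13 19:27:20 cyclops named[351]: refused query on non-query socket from [192.168.1.22].1279
Nov 13 19:27:20 cyclops kernel: svc: unknown program 100000 (me 100021)
Nov 13 19:27:20 cyclops kernel: svc: unknown program 100001 (me 100021)'

printf '%s\n' "$SAMPLE_LOG" | decode_svc_lines
```

Running rpcinfo -p on both hosts, as suggested above, shows which of these program numbers each side has registered, which is the quickest way to see why a client is sending portmapper or rstatd requests to the lock daemon's port.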