Prob: SuSEfirewall2 & FW_MASQ_NETS
Hi, I want to set up a firewall, which should only "protect" ONE MS-WWW-Server (that has no official IP). The server should not have ANY access to anything; the firewall should only offer a telnet from certain addresses (restricted by /etc/xinetd.conf). eth0 is the internet, the WWW-Server is connected to eth1 (the webserver has IP 192.168.0.2). Every time a request to port 80 of the firewall is done, it should be forwarded to the server, and the answer should be sent back. I'm using SuSE 7.3 and SuSEfirewall2, my configuration file is:

    FW_DEV_EXT="eth0"
    FW_DEV_INT="eth1"
    FW_DEV_DMZ=""
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="192.168.0.2"
    FW_PROTECT_FROM_INTERNAL="yes"
    FW_AUTOPROTECT_SERVICES="yes"
    FW_SERVICES_EXT_TCP="telnet"
    FW_SERVICES_EXT_UDP=""
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_INT_TCP=""
    FW_SERVICES_INT_UDP=""
    FW_SERVICES_INT_IP=""
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
    FW_SERVICE_AUTODETECT="no"
    FW_SERVICE_DNS="no"
    FW_SERVICE_DHCLIENT="no"
    FW_SERVICE_DHCPD="no"
    FW_SERVICE_SAMBA="no"
    FW_FORWARD=""
    FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,80 0/0,192.168.0.2,tcp,443"
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="yes"
    FW_ALLOW_PING_FW="no"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="no"

Now the problem is: It only works when FW_MASQ_NETS is set to "192.168.0.2", but then the server has access to the internet, which I wanted to avoid! If I don't set FW_MASQ_NETS to the internal server IP, all http requests are logged as "... ALLOWED ... DST=192.168.0.2 ..." (seems o.k.!) in /var/log/firewall, but there is no response from the server. What can I do?

Thank you,
Marc
* Marc Mueller wrote on Fri, May 10, 2002 at 19:05 +0200:
> I want to set up a firewall, which should only "protect" ONE MS-WWW-Server (that has no official IP). The server should not have ANY access to anything,
That is simple. Just unplug the networking cable.
> the firewall should only offer a telnet from certain addresses (restricted by /etc/xinetd.conf).
The firewall offers telnet services?! Why not use SSH?
> What can I do?
Maybe set up a port forwarder manually. Should be like this:

    local="1.2.3.4"        # public address of the firewall (placeholder)
    remote="192.168.0.2"   # the web server behind eth1
    for port in 80 443 ; do
        ipmasqadm portfw -a -P tcp -L $local $port -R $remote $port
    done

You may want to explicitly masq that traffic with something like:

    dev="eth0"             # external interface (eth0 in your setup)
    for port in 80 443 ; do
        ipchains -A forward -s $remote $port -d 0/0 -i $dev -j MASQ
    done

Another possibility is a transparent proxy, I think here it's called an http accelerator, which could be used e.g. to block some requests and other protocol stuff (at least in http).

oki,

Steffen

--
This message was generated by machine, so it bears neither signature nor seal.
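An explicit iptables ruleset for the setup Marc describes, added here as an example; it is not part of either message above. It assumes a 2.4 kernel with iptables and ip_conntrack (the interface SuSEfirewall2 itself drives), eth0 on the Internet side, eth1 toward the web server, and 1.2.3.4 as a placeholder public address as in Steffen's reply; the log prefix is invented for the example. The script prints the rules instead of applying them, so they can be reviewed first and then piped to sh as root.

```shell
#!/bin/sh
# Added example (not from the thread): DNAT ports 80/443 to the web server
# without giving the server any outbound access.
# Assumptions: Linux 2.4 + iptables + ip_conntrack; EXT_IP is a placeholder.
EXT_DEV=eth0
INT_DEV=eth1
EXT_IP=1.2.3.4
WEB=192.168.0.2
PORTS="80 443"

# Emit the ruleset as text so it can be reviewed or piped to sh as root.
rules() {
    echo "iptables -F; iptables -t nat -F; iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"

    # The firewall host itself: loopback plus replies to its own connections.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Replies from the web server are accepted only as part of a connection
    # that was opened from outside; conntrack reverse-translates the DNAT on
    # the way back, so no MASQUERADE rule is needed for the answer to return.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for p in $PORTS; do
        echo "iptables -t nat -A PREROUTING -i $EXT_DEV -d $EXT_IP -p tcp --dport $p -j DNAT --to-destination $WEB:$p"
        echo "iptables -A FORWARD -i $EXT_DEV -o $INT_DEV -d $WEB -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done

    # Anything the server tries to originate is logged and dropped
    # (the DROP is explicit even though the chain policy already drops).
    echo "iptables -A FORWARD -i $INT_DEV -s $WEB -m state --state NEW -j LOG --log-prefix 'FW-WEBSRV-OUT '"
    echo "iptables -A FORWARD -i $INT_DEV -s $WEB -j DROP"

    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
}

# Small self-checks on the generated ruleset.
count_dnat() { rules | grep -c -- '-j DNAT' || true; }
count_masq() { rules | grep -c -- 'MASQUERADE' || true; }
has_port() { rules | grep -q -- "--dport $1"; }

rules
```

The two properties that matter are visible in the output: there is no MASQUERADE rule at all (so nothing like FW_MASQ_NETS is giving the server a path out), and the only NEW-state rule on eth1 is the one that logs and drops. The server's replies still get back because they belong to an ESTABLISHED connection that conntrack un-DNATs to the public address on the way out.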
participants (2): Marc Mueller, Steffen Dettmer