Re: [suse-security] use my own firewall script/disable SuSEfirewall2

newer
Bind patches?

older
WebWasher, protection of minors

patrick thempel

12 Nov 2002 12 Nov '02

17:15

--- "Frank W.Kooistra" wrote:

...

Hi Patrick

we are all stupid sometimes : But if you fail to get SuSEfirewall2 working, i wonder if you are rellay helped by introducing a strange script.

Why do you not send the settings you propose to use and there will be enough people ready here to guide you ?

...

Regards

Frank

hi frank, my main problem as you can see is how the port 25 (smtp) doesnt work. what i want: i have postfix running and would like it to flter mail and then forward it. but it never even sees the mails. which is why i am forwarding it now in and out without postfix. and thats one of the things that dont work the way theyre supposed to. ping the firewall intern and extern is still possible whatever i set is another issue. heres the firewall setting ( outer firewall): FW_DEV_EXT="eth1" FW_DEV_INT="eth0" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.xx.0/24 192.168.zz.11" # actaully outer of 2 firewalls, should receive and translate packets from inner router and the mailserver FW_PROTECT_FROM_INTERNAL="yes" FW_AUFW_SERVICES_EXT_TCP="ssh 443 25" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_INT_TCP="ssh 443 25" # should deliver mail to postfix, does not FW_TRUSTED_NETS="192.168.xx.yy,tcp,22 192.168.xx.yy,tcp,80 192.168.xx.yy,tcp, 10000 " # only few services from intern FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no" FW_FORWARD="192.168.57.11,0/0,tcp,25" FW_FORWARD_MASQ="0/0,192.168.57.11,tcp,25 192.168.57.11,194.25.242.123,tcp,25" # actions of desperation, mails either dont go in or out or both #FW_REDIRECT="0/0,62.157.172.14,tcp,25,25" # clever idea, redirect to local machine port 25 so #postfix can handle its mail. does not work # FW_LOG_DROP_CRIT="yes" # FW_LOG_DROP_ALL="yes" # FW_LOG_ACCEPT_CRIT="yes" # FW_LOG_ACCEPT_ALL="no" # FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE- FW FW_KERNEL_SECURITY="no" FW_STOP_KEEP_ROUTING_STATE="yes" # FW_ALLOW_PING_FW="yes" # FW_ALLOW_PING_DMZ="yes" # FW_ALLOW_PING_EXT="no" # didnt try all combinations, but ping stll works outside -> fw and inside ->out ===== Mit freundlichen Gruessen Patrick Thempel mail:patrick_thempel@yahoo.com __________________________________________________ Do you Yahoo!? U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2

Show replies by date

Andrew Bennett

12 Nov 12 Nov

18:20

New subject: [suse-security] use my own firewall script/disable SuSEfirewall2

Hi, I am using SuSEfirewall V1, not V2 so I'm not sure I can help but, for my and other peoples benefit... 1. Are you intending to run postfix on just this machine acting as a masquerading firewall or forwarding all communications to another machine and running all services, (including postfix), on that. 2. When you say this machine, 'never even sees the mail' what actually is the output of 'tail -f /var/log/mail' and 'tail -f /var/log/messages'. 3. Again, to be clear, are you saying you cannot connect up to port 25 on the internal interface, i.e. 192.168.x.x More details of what you're trying to do, please. How many firewalls of what topology and architecture? Andy

...

...
...
...
...
...
>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 11/12/02, 5:15:11 PM, patrick thempel wrote regarding Re: [suse-security] use my own firewall script/disable SuSEfirewall2:

...

--- "Frank W.Kooistra" wrote:

...
Hi Patrick

we are all stupid sometimes : But if you fail to get SuSEfirewall2 working, i wonder if you are rellay helped by introducing a strange script.

Why do you not send the settings you propose to use and there will be enough people ready here to guide you ?

...

...
Regards

Frank

...

hi frank, my main problem as you can see is how the port 25 (smtp) doesnt work. what i want: i have postfix running and would like it to flter mail and then forward it. but it never even sees the mails. which is why i am forwarding it now in and out without postfix. and thats one of the things that dont work the way theyre supposed to. ping the firewall intern and extern is still possible whatever i set is another issue. heres the firewall setting ( outer firewall):

...

FW_DEV_EXT="eth1" FW_DEV_INT="eth0" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.xx.0/24 192.168.zz.11"

...

# actaully outer of 2 firewalls, should receive and translate packets from inner router and the mailserver

...

FW_PROTECT_FROM_INTERNAL="yes" FW_AUFW_SERVICES_EXT_TCP="ssh 443 25" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_INT_TCP="ssh 443 25"

...

# should deliver mail to postfix, does not

...

FW_TRUSTED_NETS="192.168.xx.yy,tcp,22 192.168.xx.yy,tcp,80 192.168.xx.yy,tcp, 10000 "

...

# only few services from intern

...

FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"

...

FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes"

...

FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no"

...

FW_FORWARD="192.168.57.11,0/0,tcp,25"

...

FW_FORWARD_MASQ="0/0,192.168.57.11,tcp,25 192.168.57.11,194.25.242.123,tcp,25"

...

# actions of desperation, mails either dont go in or out or both

...

#FW_REDIRECT="0/0,62.157.172.14,tcp,25,25"

...

# clever idea, redirect to local machine port 25 so #postfix can handle its mail. does not work

...

# FW_LOG_DROP_CRIT="yes" # FW_LOG_DROP_ALL="yes" # FW_LOG_ACCEPT_CRIT="yes" # FW_LOG_ACCEPT_ALL="no" # FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE- FW FW_KERNEL_SECURITY="no" FW_STOP_KEEP_ROUTING_STATE="yes"

...

# FW_ALLOW_PING_FW="yes" # FW_ALLOW_PING_DMZ="yes" # FW_ALLOW_PING_EXT="no"

...

# didnt try all combinations, but ping stll works outside -> fw and inside ->out

...

===== Mit freundlichen Gruessen

...

Patrick Thempel mail:patrick_thempel@yahoo.com

...

__________________________________________________ Do you Yahoo!? U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2

...

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

patrick thempel

13 Nov 13 Nov

05:43

New subject: [suse-security] use my own firewall script/disable SuSEfirewall2

Andrew Bennett wrote: Hi, I am using SuSEfirewall V1, not V2 so I'm not sure I can help but, for my and other peoples benefit... 1. Are you intending to run postfix on just this machine acting as a masquerading firewall or forwarding all communications to another machine and running all services, (including postfix), on that. #postfix on my firewall should just receive the mail, filter it, and then transfer to another machine in the secure part. this other machine runs m$ exchange ( not my idea, but there are reasons...) and should not be compromised to the internet . should be totally hidden 2. When you say this machine, 'never even sees the mail' what actually is the output of 'tail -f /var/log/mail' and 'tail -f /var/log/messages'. # thats exactly the point, mail says : postfix started.... and thats it 3. Again, to be clear, are you saying you cannot connect up to port 25 on the internal interface, i.e. 192.168.x.x # yes i can connect and send mail from the internal port . (telnet .... 25, helo, rcpt to... works More details of what you're trying to do, please. How many firewalls of what topology and architecture? #firewall one (outer) (thats the one whose script was included) <-> zone 1 <-> firewall2(inner) <-> intranet , with exchange server. #firewall2 should mainly just masqerade . #zone 1 will have some services running ( web and java app server) on separate machines Andy

...

heres the firewall setting ( outer firewall):

...

FW_DEV_EXT="eth1" FW_DEV_INT="eth0" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.xx.0/24 192.168.zz.11"

...

# actaully outer of 2 firewalls, should receive and translate packets from inner router and the mailserver

...

FW_PROTECT_FROM_INTERNAL="yes" FW_AUFW_SERVICES_EXT_TCP="ssh 443 25" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_INT_TCP="ssh 443 25"

...

# should deliver mail to postfix, does not

...

FW_TRUSTED_NETS="192.168.xx.yy,tcp,22 192.168.xx.yy,tcp,80 192.168.xx.yy,tcp, 10000 "

...

# only few services from intern

...

FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"

...

FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes"

...

FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no"

...

FW_FORWARD="192.168.57.11,0/0,tcp,25"

...

FW_FORWARD_MASQ="0/0,192.168.57.11,tcp,25 192.168.57.11,194.25.242.123,tcp,25"

...

# actions of desperation, mails either dont go in or out or both

...

#FW_REDIRECT="0/0,62.157.172.14,tcp,25,25"

...

# clever idea, redirect to local machine port 25 so #postfix can handle its mail. does not work

...

# FW_LOG_DROP_CRIT="yes" # FW_LOG_DROP_ALL="yes" # FW_LOG_ACCEPT_CRIT="yes" # FW_LOG_ACCEPT_ALL="no" # FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE- FW FW_KERNEL_SECURITY="no" FW_STOP_KEEP_ROUTING_STATE="yes"

...

# FW_ALLOW_PING_FW="yes" # FW_ALLOW_PING_DMZ="yes" # FW_ALLOW_PING_EXT="no"

...

# didnt try all combinations, but ping stll works outside -> fw and inside ->out

...

===== Mit freundlichen Gruessen

...

Patrick Thempel mail:patrick_thempel@yahoo.com

...

__________________________________________________ Do you Yahoo!? U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2

...

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here Mit freundlichen Gruessen Patrick Thempel mail:patrick_thempel@yahoo.com --------------------------------- Do you Yahoo!? U2 on LAUNCH - Exclusive medley & videos from Greatest Hits CD

Andrew Bennett

10:34

New subject: [suse-security] use my own firewall script/disable SuSEfirewall2

Hi, Couple of points just looking through quickly - Aren't you forwarding all IP packets to another machine for port 25 with this script??? I would try and simplify things by switching off all forwarding. Even simpler, what happens when you switch the firewall script off, i.e. SuSEfirewall stop, or similar for V2. If you can't even receive mail with it switched off there's not much chance of receiving it switched on. Also - have a look at the output from iptraf when you are running the system. Bit busy now but I hope that provides a few suggestions. Andy

...

...
...
...
...
...
>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 11/13/02, 5:43:08 AM, patrick thempel wrote regarding Re: [suse-security] use my own firewall script/disable SuSEfirewall2:

...

Andrew Bennett wrote: Hi,

...

I am using SuSEfirewall V1, not V2 so I'm not sure I can help but, for my and other peoples benefit...

...

1. Are you intending to run postfix on just this machine acting as a masquerading firewall or forwarding all communications to another machine and running all services, (including postfix), on that.

...

#postfix on my firewall should just receive the mail, filter it, and then transfer to another machine in the secure part. this other machine runs m$ exchange ( not my idea, but there are reasons...) and should not be compromised to the internet . should be totally hidden

...

2. When you say this machine, 'never even sees the mail' what actually is the output of 'tail -f /var/log/mail' and 'tail -f /var/log/messages'.

...

# thats exactly the point, mail says : postfix started.... and thats it

...

3. Again, to be clear, are you saying you cannot connect up to port 25 on the internal interface, i.e. 192.168.x.x

...

# yes i can connect and send mail from the internal port . (telnet .... 25, helo, rcpt to... works

...

More details of what you're trying to do, please. How many firewalls of what topology and architecture?

...

#firewall one (outer) (thats the one whose script was included) <-> zone 1 <-> firewall2(inner) <-> intranet , with exchange server.

...

#firewall2 should mainly just masqerade .

...

#zone 1 will have some services running ( web and java app server) on separate machines

...

Andy

...

...
heres the firewall setting ( outer firewall):

...

...
FW_DEV_EXT="eth1" FW_DEV_INT="eth0" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.xx.0/24 192.168.zz.11"

...

...
# actaully outer of 2 firewalls, should receive and translate packets from inner router and the mailserver

...

...
FW_PROTECT_FROM_INTERNAL="yes" FW_AUFW_SERVICES_EXT_TCP="ssh 443 25" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_INT_TCP="ssh 443 25"

...

...
# should deliver mail to postfix, does not

...

...
FW_TRUSTED_NETS="192.168.xx.yy,tcp,22 192.168.xx.yy,tcp,80 192.168.xx.yy,tcp, 10000 "

...

...
# only few services from intern

...

...
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"

...

...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes"

...

...
FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no"

...

...
FW_FORWARD="192.168.57.11,0/0,tcp,25"

...

...
FW_FORWARD_MASQ="0/0,192.168.57.11,tcp,25 192.168.57.11,194.25.242.123,tcp,25"

...

...
# actions of desperation, mails either dont go in or out or both

...

...
#FW_REDIRECT="0/0,62.157.172.14,tcp,25,25"

...

...
# clever idea, redirect to local machine port 25 so #postfix can handle its mail. does not work

...

...
# FW_LOG_DROP_CRIT="yes" # FW_LOG_DROP_ALL="yes" # FW_LOG_ACCEPT_CRIT="yes" # FW_LOG_ACCEPT_ALL="no" # FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE- FW FW_KERNEL_SECURITY="no" FW_STOP_KEEP_ROUTING_STATE="yes"

...

...
# FW_ALLOW_PING_FW="yes" # FW_ALLOW_PING_DMZ="yes" # FW_ALLOW_PING_EXT="no"

...

...
# didnt try all combinations, but ping stll works outside -> fw and inside ->out

...

...
===== Mit freundlichen Gruessen

...

...
Patrick Thempel mail:patrick_thempel@yahoo.com

...

...
__________________________________________________ Do you Yahoo!? U2 on LAUNCH - Exclusive greatest hits videos http://launch.yahoo.com/u2

...

...
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

...

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

...