Hi folks,
I followed the threads about configuring the firewall, but it was not really enlightening me (sorry).
So some questions:
1.) Does the FW_SERVICE_DMZ open only a connection from DEV_EXT to DEV_DMZ? Because when I want to access the DMZ from internal I have to use the FW_FORWARD statement.
2.) A question about the notation:
# A forwarding rule consists of 1) source IP/net and 2) destination IP
# seperated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
# Optional is a protocol, seperated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
# Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
When I leave out protocol and port, what is (or should be) open then?
I'm using 7.3.
Cheers, Kurt
Hi,
In answer to 1:
When you use FW_SERVICES_DMZ it opens up the ports you wish to allow, not
looking at whether it came from internal or external.
You do have to open up the ports on the external and internal services to
allow the traffic to come in in the first place.
In answer to 2:
I don't think it opens up anything. It just forwards your request, whether it
is UDP, TCP, IP or whatever, to the destination IP if it has the source IP
address you specified.
Correct me if I am wrong ...
but I think you have to open up the ports separately too ...
Tricky question for me too...
regards
chris
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Hi
-----Original Message----- From: Chris FitzGerald [mailto:mersco@pandora.be] Sent: Tuesday, 12 November 2002 12:17 To: Suse-Security (E-Mail) Subject: Re: [suse-security] SuSEfirewall2 configuration
Hi, In answer to 1: When you use FW_SERVICES_DMZ it opens up the ports you wish to allow, not looking at whether it came from internal or external. You do have to open up the ports on the external and internal services to allow the traffic to come in in the first place.
Ok. I understand. What you let in from any (EXT, INT) interface may, or should, have access to the DMZ. In my case it doesn't, nor can the DMZ access the services opened in the SERVICES_DMZ. So I'm back on the solution to use FW_FORWARD. Is this normal? Or is it a conflict in the configuration? Obviously the DMZ rules are never applied because the packets are dropped before.
Togan wrote: I would say wide open. By defining TCP/UDP/IGMP you are limiting the protocols that are allowed; when you add the port number then only the protocol along with the matching port is allowed.
I agree with you. For the MASQ_NETS (restrict access from INT to EXT) section it works like this, but when I use this in the TRUSTED_NETS section it won't. I configured the whole INT and DMZ as trusted net (FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is dropped or denied. Hopefully someone knows something about the reasons. Cheers, Kurt
If I remember correctly the list had a similar mail regarding SuSEfirewall2
and DMZ ...
And it was said FW_FORWARD had to be used to be able to connect to the
server on the DMZ side.
I am not sure if it is possible without ...
so I believe it should say something like:
FW_FORWARD="source ip/net,destination ip,tcp,80"
and open up the ports:
FW_SERVICES_EXT_TCP="80"
FW_SERVICES_INT_TCP="80"
FW_SERVICES_DMZ_TCP="80"
(if your service is located on port 80)
When you say the packets are dropped, did you open up the respective ports
in the FW_SERVICES_EXT and FW_SERVICES_INT?
Because all traffic travelling to the DMZ HAS to pass the firewall ... no
matter what!
And not opening the ports on the int nic and ext nic could cause your
packets to be dropped.
Regards
Chris
* Kurt Minder;
Hi
Ok. I understand. What you let in from any (EXT, INT) interface may, or should, have access to the DMZ. In my case it doesn't, nor can the DMZ access the services opened in the SERVICES_DMZ.
No. FW_SERVICES_DMZ_* means the services defined in these parameters are allowed to use the firewall. For example FW_SERVICES_DMZ_UDP="syslog" means the DMZ is allowed to send syslog packets to the firewall, since the firewall is the syslog server. It does not mean opening UDP port 514 in the DMZ (it would be dangerous if you did so).
So I'm back on the solution to use FW_FORWARD. Is this normal? Or is it a conflict in the configuration? Obviously the DMZ rules are never applied because the packets are dropped before.
You can use FW_FORWARD as long as the machine that you are forwarding to has a public IP; if you are using a private IP then you should be using FW_FORWARD_MASQ.
Togan wrote: I would say wide open. By defining TCP/UDP/IGMP you are limiting the protocols that are allowed; when you add the port number then only the protocol along with the matching port is allowed.
I agree with you. For the MASQ_NETS (restrict access from INT to EXT) section it works like this, but when I use this in the TRUSTED_NETS section it won't. I configured the whole INT and DMZ as trusted net (FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is dropped or denied.
The DMZ is the sacrificed goat; it cannot be trusted.
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
Hi, fine. Things clear up.
-----Original Message----- From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net] Sent: Tuesday, 12 November 2002 15:06 To: Suse-Security (E-Mail) Subject: Re: [suse-security] SuSEfirewall2 configuration
No. FW_SERVICES_DMZ_* means the services defined in these parameters are allowed to use the firewall.
For example FW_SERVICES_DMZ_UDP="syslog" means the DMZ is allowed to send syslog packets to the firewall, since the firewall is the syslog server. It does not mean opening UDP port 514 in the DMZ (it would be dangerous if you did so).
Ok. I thought when it's inside the firewall the routing rules of /etc/route.conf are applied. So with the SERVICES_DMZ or TRUSTED_NETS I give access to the firewall, and with the FORWARD rule the routing from one net to the other is done. That makes sense.
So I'm back on the solution to use FW_FORWARD. Is this normal? Or is it a conflict in the configuration? Obviously the DMZ rules are never applied because the packets are dropped before.
You can use FW_FORWARD as long as the machine that you are forwarding to has a public IP; if you are using a private IP then you should be using FW_FORWARD_MASQ.
As I understand (and am also using) it, it's not depending on public or private address, but on whether the net you wish to route is masqueraded. So it depends on what you set in MASQ_DEV. See config file 14.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
In my case only the external net is masqueraded. For routing INT to DMZ I use FW_FORWARD. For EXT to DMZ I use FORWARD_MASQ (I'm poor, I only have one public IP).
Togan wrote: I would say wide open. By defining TCP/UDP/IGMP you are limiting the protocols that are allowed; when you add the port number then only the protocol along with the matching port is allowed.
I agree with you. For the MASQ_NETS (restrict access from INT to EXT) section it works like this, but when I use this in the TRUSTED_NETS section it won't. I configured the whole INT and DMZ as trusted net (FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is dropped or denied.
The DMZ is the sacrificed goat; it cannot be trusted.
I will not. -- Thank you for your help. I understand now more how the firewall works, and that's the point in security issues, not to know where to set a magic flag. Which port number I have to open I still can figure out by looking at /etc/services and the firewall log. Cheers, Kurt
* Kurt Minder;
As I understand (and am also using) it, it's not depending on public or private address, but on whether the net you wish to route is masqueraded. So it depends on what you set in MASQ_DEV.
See config file 14.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
In my case only the external net is masqueraded. For routing INT to DMZ I use FW_FORWARD. For EXT to DMZ I use FORWARD_MASQ (I'm poor, I only have one public IP).
Correct with the interpretation, AFAIK. I am poor also in regards to IPs :-)
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
* Kurt Minder;
1.) Does the FW_SERVICE_DMZ open only a connection from DEV_EXT to DEV_DMZ? Because when I want to access the DMZ from internal I have to use the FW_FORWARD statement.
My understanding is that it is which ports coming from the DMZ to the FIREWALL machine are ACCEPTED (hence the need for FW_FORWARD rules to allow access to the services offered in the DMZ).
2.) A question about the notation:
# A forwarding rule consists of 1) source IP/net and 2) destination IP
# seperated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
# Optional is a protocol, seperated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
# Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
When I leave out protocol and port, what is (or should be) open then?
I would say wide open. By defining TCP/UDP/IGMP you are limiting the protocols that are allowed; when you add the port number then only the protocol along with the matching port is allowed.
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
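The forwarding-rule notation the thread keeps coming back to, checked mechanically. This is an added example, not code from the thread or from SuSEfirewall2 itself: the FW_FORWARD list is constructed, and `describe_rule` / `check_forward_list` are hypothetical helpers that spell out what an entry in the `src,dst[,proto[,port]]` form matches when protocol or port are left out.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2 itself.
# Constructed FW_FORWARD list in the config's "src,dst[,proto[,port]]"
# notation: the first entry omits protocol and port, the second omits
# the port, the third is fully qualified (syslog, as in the thread).
FW_FORWARD="192.168.1.0/24,192.168.2.10 192.168.1.0/24,192.168.2.10,tcp 0/0,192.168.2.10,udp,514"

# describe_rule "src,dst[,proto[,port]]"
# Prints "src dst proto port", with "any" where a field was left out:
# no protocol means every protocol is forwarded, no port means every
# port of that protocol. Returns 1 for a malformed entry: missing
# source/destination, extra fields, or a port given for a protocol
# that has none (or with no protocol at all).
describe_rule() {
    rule=$1
    oldifs=$IFS
    IFS=,
    set -- $rule
    IFS=$oldifs
    src=$1; dst=$2; proto=${3:-any}; port=${4:-any}
    [ -n "$src" ] && [ -n "$dst" ] && [ "$#" -le 4 ] || return 1
    case $proto in
        tcp|udp) ;;                          # a port is meaningful here
        *) [ "$port" = any ] || return 1 ;;  # any/igmp/icmp/...: no port
    esac
    printf '%s %s %s %s\n' "$src" "$dst" "$proto" "$port"
}

# check_forward_list "$FW_FORWARD": describe every entry; the return
# value is the number of malformed entries (0 means the list is clean).
check_forward_list() {
    bad=0
    for entry in $1; do
        describe_rule "$entry" || { echo "malformed: $entry" >&2; bad=$((bad + 1)); }
    done
    return $bad
}

check_forward_list "$FW_FORWARD"
```

Run against a real config, the same walk makes the "wide open" case visible: every entry that prints `any any` forwards all protocols and all ports between the two addresses.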
participants (3)
- Chris FitzGerald
- Kurt Minder
- Togan Muftuoglu