Hello, I'm trying to set up a Linux firewall box with 3 network devices. The first points to the internet gateway, the second to the DMZ (192.168.1.x) and the third to the internal network (192.168.2.x). I'm using SuSE 7.0 and have installed the firewall script and the squid proxy server. The squid runs fine; html and ftp work. In the firewall script I have disabled routing and masquerading.

Now I want to ping the internet from my internal network. But no request gets an answer. I have set the following options to yes:

fw_allow_ping_fw = yes
fw_allow_incoming_highports_udp=yes
fw_allow_fw_traceroute=yes

Referring to the technical documentation, these 3 options set to yes allow the icmp ping to pass the firewall. But it didn't work :-( Has anyone an idea?

Thx for any help

Regards
Björn Berger
Does this affect us suse 7.2 pro users? http://securityportal.com/research/exploits/linux/suse/20000703-suse-tmp.txt

Second, I used to have a separate /tmp partition but suse needed more space, and I wasn't ready to pop another 2G window partition to give it between 500M and 1G for a freaking temp directory. What is the benefit to having a separate partition for the /tmp directory?

Note: I am not talking about /home/usr/tmp but /tmp, and I am thinking it would need to be 1.0G, right?

My old partitions prior to suse were (at the time I had 128MB of ram):

Filesystem     Size  Used Avail Use% Mounted on
/dev/hdc15     3.2G  1.5G  1.6G  48% /
none              0     0     0   -  /proc
/dev/hdc3       63M  2.8M   59M   5% /boot
none              0     0     0   -  /dev/pts
/dev/hdc14     242M  3.3M  226M   1% /home
/dev/hda1      2.0G  584M  1.4G  29% /mnt/win_c
/dev/hdc1      2.0G  416k  2.0G   0% /mnt/win_c2
/dev/hda5      2.0G   64k  2.0G   0% /mnt/win_d
/dev/hdc5      2.0G   64k  2.0G   0% /mnt/win_d2
/dev/hda6      2.0G   64k  2.0G   0% /mnt/win_e
/dev/hdc6      2.0G   64k  2.0G   0% /mnt/win_e2
/dev/hda7      2.0G   64k  2.0G   0% /mnt/win_f
/dev/hdc7      1.8G   64k  1.8G   0% /mnt/win_f2
/dev/hdc8      2.0G   64k  2.0G   0% /mnt/win_g
/dev/hdc9      2.0G   64k  2.0G   0% /mnt/win_h
/dev/hdc10     2.0G   64k  2.0G   0% /mnt/win_i
/dev/hdc13     242M  4.0M  255M   2% /root
/dev/hdc11     241M   17k  228M   0% /tmp

Current setup is suse and (512MB ram):

Filesystem     Size  Used Avail Use% Mounted on
/dev/hdc12     7.0G  5.8G  888M  87% /
proc              0     0     0   -  /proc
devpts            0     0     0   -  /dev/pts
/dev/hdc3       65M  2.4M   59M   4% /boot
/dev/hdc10     688M  355M  299M  55% /home
/dev/hdc11     242M  7.1M  222M   4% /root
shmfs          665M     0  664M   0% /dev/shm
/dev/hda1      2.0G  2.0G   73M  97% /windows/C
/dev/hda5      2.0G  1.4G  639M  69% /windows/D
/dev/hda6      2.0G  1.7G  391M  81% /windows/E
/dev/hda7      1.8G  1.8G   86M  96% /windows/F
/dev/hdc1      2.0G  619M  1.3G  31% /windows/G
/dev/hdc5      2.0G  1.4G  649M  69% /windows/H
/dev/hdc6      2.0G  1.9G  156M  93% /windows/I
/dev/hdc7      2.0G   93M  1.9G   5% /windows/J
/dev/hdc8      2.0G  567M  1.4G  28% /windows/K

Also, what is shmfs? Is that swap?
Does this affect us suse 7.2 pro users? http://securityportal.com/research/exploits/linux/suse/20000703-suse-tmp.txt
That article is wrong. default shell users _FOR_SURE_ do not have a home located in /tmp (they must believe we're complete morons...). This thing is rather old news. It was changed with the 7.0 already, and the announcement from SuSE explains how to change the homes of the system users to a directory owned by the respective user. This is the right measure to fix the problem.
Second, I used to have a separate /tmp partition but suse needed more space, and I wasn't ready to pop another 2G window partition to give it between 500M and 1G for a freaking temp directory. What is the benefit to having a separate partition for the /tmp directory?
Note: I am not talking about /home/usr/tmp but /tmp, and I am thinking it would need to be 1.0G, right?
shmfs is swap, yes, so-to-say.
Thanks,
Roman.
--
- -
| Roman Drahtmüller
On Mon, 16 Jul 2001, phil wrote:
Does this affect us suse 7.2 pro users? http://securityportal.com/research/exploits/linux/suse/20000703-suse-tmp.txt
Does the date in the URL give you a clue? Did you read SuSE security announcements and the archives? Did you install security updates recently?
Thanks for your response. Yes, I have tried all the tips you suggested, and I still have not found clear answers to my questions. I will start a "deep web" search instead of a "surface web" search, and thanks again for taking the time to answer my questions.

On Monday 16 July 2001 03:32 pm, you wrote:
On Mon, 16 Jul 2001, phil wrote:
Does this affect us suse 7.2 pro users? http://securityportal.com/research/exploits/linux/suse/20000703-suse-tmp.txt
Does the date in the URL give you a clue?
Did you read SuSE security announcements and the archives? Did you install security updates recently?
Hi, pardon me for jumping in ;-), but there is an interesting article regarding file system considerations on Linux at http://www.securityportal.com/lskb/10000000/kben10000036.html; maybe it would be worth reading.

phil wrote:
Thanks for your response. Yes, I have tried all the tips you suggested, and I still have not found clear answers to my questions. I will start a "deep web" search instead of a "surface web" search, and thanks again for taking the time to answer my questions.
On Monday 16 July 2001 03:32 pm, you wrote:
On Mon, 16 Jul 2001, phil wrote:
Does this affect us suse 7.2 pro users? http://securityportal.com/research/exploits/linux/suse/20000703-suse-tmp.txt
Does the date in the URL give you a clue?
Did you read SuSE security announcements and the archives? Did you install security updates recently?
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Hi,
pardon me for jumping in ;-), but there is an interesting article regarding file system considerations on Linux at http://www.securityportal.com/lskb/10000000/kben10000036.html; maybe it would be worth reading.
Unfortunately, the article fails to mention that the noexec mount option is basically useless.
$ /lib/ld-linux.so.2 /bin/echo eins
eins
$
...while /bin is on a noexec-mounted filesystem.
Roman.
--
- -
| Roman Drahtmüller
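The unanswered question above was what a separate /tmp partition buys you: a filesystem of its own can be mounted with its own restrictive options (nodev, nosuid, noexec), which a directory on the root filesystem cannot. The script below is an added example, not code from the thread or from SuSE; it audits a mount table in /proc/mounts format for those options, on constructed sample entries. Roman's caveat still stands: noexec alone is no barrier, so treat the report as a hardening checklist.

```shell
#!/bin/sh
# Added example, not code from the thread.  Audits a mount table in
# /proc/mounts format for the options a separate partition allows
# (nodev, nosuid, noexec).  SAMPLE_MOUNTS is constructed sample input;
# on a real box pass "$(cat /proc/mounts)" instead.

SAMPLE_MOUNTS='/dev/hdc12 / reiserfs rw 0 0
/dev/hdc11 /tmp ext2 rw,nosuid 0 0
/dev/hdc9 /var/tmp ext2 rw,nodev,nosuid,noexec 0 0
shmfs /dev/shm shm rw 0 0'

# missing_opts MOUNTPOINT MOUNTS_TEXT
# Prints the options MOUNTPOINT lacks, space separated (empty if all set).
# Returns 1 when MOUNTPOINT is not a mount of its own, i.e. it shares the
# parent filesystem and cannot carry per-filesystem options at all.
missing_opts() {
    mp=$1
    opts=$(printf '%s\n' "$2" | awk -v mp="$mp" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 1
    missing=""
    for want in nodev nosuid noexec; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# report MOUNTPOINT MOUNTS_TEXT: one human-readable line per mount point.
report() {
    if m=$(missing_opts "$1" "$2"); then
        if [ -n "$m" ]; then
            echo "$1: missing $m"
        else
            echo "$1: nodev,nosuid,noexec set (noexec alone is no barrier)"
        fi
    else
        echo "$1: not a separate mount, no per-filesystem options possible"
    fi
}

for mp in /tmp /var/tmp /dev/shm /home; do
    report "$mp" "$SAMPLE_MOUNTS"
done
```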
network. But no request gets an answer.

Are you using private address space or public space? If it is private, then you have to turn on masquerading for the internal network. However, if your network is using public ip addresses, then it is ok. In both cases you should turn on ip forwarding if the two networks are on different interfaces on your machine. This can be done by editing /etc/rc.config and setting ip_forward=yes, or in the firewall, preferably both. Or you can do it manually whenever you need to with

echo 1 > /proc/sys/net/ipv4/ip_forward

and turn it off with

echo 0 > /proc/sys/net/ipv4/ip_forward
Noah.