Re: [suse-security] Problems with a simple Firewall2 config
There are no services ON THE FIREWALL that need to be accessed (I already ran into this problem ;-), they are all on servers in either network.
Oops, I misunderstood you.
I changed my configuration, just to test. This is how (excerpt) it looked:
FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
Looks good so far
Test configuration:
FW_MASQ_NETS="172.19.0.0/16"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
This opens any destination port/protocol (icmp, udp, tcp) for inside boxes to be routed through the firewall.
It will work with my test configuration, but then again, any user could use any service on the external net, and that is not wanted; only FTP and HTTP.
How can I solve this, without doing something like this?
FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80 172.19.0.0/16,0/0,tcp,1024:65535"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
Using the firewall script, this is the right way to limit the services to be accessed from the inside. The other way is to disable masquerading and routing for the internal network completely and to set up the following:
http://www.squid-cache.org/
http://dansguardian.org/ (cascade, if you want)
and ftp-proxy from here: http://www.suse.de/en/whitepapers/proxy_suite/
It is, all in all, the better and more secure solution, and you can set this up fully transparent to the internal network. Hope that helps.
Yours, Michael
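The exchange above turns on the difference between FW_MASQ_NETS="172.19.0.0/16" (every protocol and port masqueraded) and the per-service form "src,dst,proto,port". The linter below is an added example, not code from the thread or from SuSEfirewall2: it parses FW_MASQ_NETS and FW_FORWARD_MASQ values in the syntax the thread uses, flags entries that let internal hosts reach more than one service (no protocol, no port, or a very wide port range such as the tcp,1024:65535 entry the poster wanted to avoid), and renders an illustrative iptables equivalent for each entry. The iptables rendering, the optional fifth target-port field of FW_FORWARD_MASQ and the 1000-port "wide range" threshold are assumptions for illustration, not what the real SuSEfirewall2 script generates.

```python
"""Lint SuSEfirewall2 masquerading entries (added example, not SuSEfirewall2 code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

PROTOCOLS = {"tcp", "udp", "icmp"}
WIDE_RANGE = 1000  # assumption: a port range wider than this is reported


@dataclass
class MasqEntry:
    """One FW_MASQ_NETS entry: src[,dst[,proto[,port]]]."""
    src: str
    dst: str
    proto: Optional[str]
    port: Optional[str]


@dataclass
class ForwardEntry:
    """One FW_FORWARD_MASQ entry: src,host,proto,port[,target_port] (5th field assumed)."""
    src: str
    host: str
    proto: str
    port: str
    target_port: Optional[str]


def _net(text: str) -> str:
    """Normalise a network; '0/0' is the SuSEfirewall2 shorthand for everything."""
    if text == "0/0":
        return "0.0.0.0/0"
    return str(ipaddress.ip_network(text, strict=False))


def _port_span(port: str) -> int:
    """Validate a port or 'low:high' range and return how many ports it covers."""
    low, _, high = port.partition(":")
    lo = int(low)
    hi = int(high) if high else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {port!r}")
    return hi - lo + 1


def parse_masq_nets(value: str) -> List[MasqEntry]:
    entries = []
    for item in value.split():
        f = item.split(",")
        if not 1 <= len(f) <= 4:
            raise ValueError(f"bad FW_MASQ_NETS entry {item!r}")
        proto = f[2].lower() if len(f) > 2 else None
        if proto is not None and proto not in PROTOCOLS:
            raise ValueError(f"unknown protocol in {item!r}")
        port = f[3] if len(f) > 3 else None
        if port is not None:
            if proto == "icmp":
                raise ValueError(f"port given for icmp in {item!r}")
            _port_span(port)
        dst = _net(f[1]) if len(f) > 1 else "0.0.0.0/0"
        entries.append(MasqEntry(_net(f[0]), dst, proto, port))
    return entries


def parse_forward_masq(value: str) -> List[ForwardEntry]:
    entries = []
    for item in value.split():
        f = item.split(",")
        if len(f) not in (4, 5):
            raise ValueError(f"bad FW_FORWARD_MASQ entry {item!r}")
        proto = f[2].lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol in {item!r}")
        _port_span(f[3])
        target = f[4] if len(f) == 5 else None
        if target is not None:
            _port_span(target)
        host = str(ipaddress.ip_address(f[1]))
        entries.append(ForwardEntry(_net(f[0]), host, proto, f[3], target))
    return entries


def lint_masq(entries: List[MasqEntry]) -> List[str]:
    """One warning per entry that exposes more than a single service."""
    warnings = []
    for e in entries:
        where = f"{e.src} -> {e.dst}"
        if e.proto is None:
            warnings.append(f"{where}: no protocol/port given, every service is reachable")
        elif e.proto != "icmp" and e.port is None:
            warnings.append(f"{where}: all {e.proto} ports are reachable")
        elif e.port is not None and _port_span(e.port) > WIDE_RANGE:
            warnings.append(f"{where}: {e.proto} port range {e.port} covers {_port_span(e.port)} ports")
    return warnings


def to_iptables(masq: List[MasqEntry], fwd: List[ForwardEntry]) -> List[str]:
    """Illustrative iptables equivalents (assumption, not SuSEfirewall2's own rules)."""
    rules = []
    for e in masq:
        rule = f"iptables -t nat -A POSTROUTING -s {e.src} -d {e.dst}"
        if e.proto:
            rule += f" -p {e.proto}"
            if e.port:
                rule += f" --dport {e.port}"
        rules.append(rule + " -j MASQUERADE")
    for e in fwd:
        dest = e.host + (f":{e.target_port}" if e.target_port else "")
        rules.append(f"iptables -t nat -A PREROUTING -s {e.src} -p {e.proto} "
                     f"--dport {e.port} -j DNAT --to-destination {dest}")
    return rules


# Sample values copied from the thread above.
RESTRICTED = "172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
TEST_CONFIG = "172.19.0.0/16"
FORWARD = "0/0,172.19.6.10,tcp,80"

if __name__ == "__main__":
    for label, value in (("restricted", RESTRICTED), ("test", TEST_CONFIG)):
        print(label, lint_masq(parse_masq_nets(value)) or ["ok"])
    for rule in to_iptables(parse_masq_nets(RESTRICTED), parse_forward_masq(FORWARD)):
        print(rule)
```

Run against the two configurations from the thread, the three-entry FW_MASQ_NETS produces no warnings while the bare "172.19.0.0/16" is reported as exposing every service; the 1024:65535 entry is reported as a wide range, which is exactly the trade-off the reply points at when it recommends a proxy instead.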
1 Suse 8.0, 2 NICs, freeswan VPN. All I want is to use the VPN, have access from the remote network to the Samba service installed on the same computer, and to access ssh from anywhere. Nothing else. Thanx.
* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 16:57 +0300:
1 Suse 8.0, 2 NICs, freeswan VPN. All I want is to use the VPN, have access from the remote network to the Samba service installed on the same computer, and to access ssh from anywhere. Nothing else. Thanx.
I have SuSE 8.2 as roadwarrior with freeswan + SuSEfirewall2. The SuSEfirewall2 seems to make a lot of assumptions. It seems you either live with it, or don't use it :-) For instance, FW_SERVICE_AUTODETECT="yes" seems to work only if the services are running locally (otherwise, I couldn't imagine how it should work). Please correct me if I'm wrong and give improved examples!

Setup: ipsec0 with 192.168.1.0/24 <-> 192.168.2.0/24. eth1 internal LAN.

1. If you allow something from ext, you have to allow it for everyone. Set:
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
to allow everyone (!) to access ISAKMP and ESP/AH.

2. Make ipsec0 an internal interface:
FW_DEV_INT="eth1 ipsec0"

3. Try to make it work. I set
FW_PROTECT_FROM_INTERNAL="no"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.2.0/24"
(it seems to be assumed that trusted networks are on the internal interfaces only, because it seems an explicit DROP rule is created on the external interface)

4. FW_KERNEL_SECURITY="no" to disable the "rp_filter" feature. It seems to be assumed that you either want many or none of the kernel security features.

5. Because I just have one external interface and no DMZ, I set:
FW_ALLOW_CLASS_ROUTING="yes"
I didn't find a FW_ALLOW_INTERNAL_ROUTING or FW_ALLOW_TRUSTED_ROUTING.

Finally, the portscan from external looks good, so I can live with it :-)

oki, Steffen

-- This message was generated by machine and therefore bears neither signature nor seal.
Thank you very much. You were right. The problem was that the ipsec0 interface was in FW_DEV_EXT, not in FW_DEV_INT. I put it there because the SuSEfirewall2 manual says: "Also, you need to add ipsec0 to the FW_DEV_EXT variable". Will this be a security issue? Thanx again
* Kostyal Daniel wrote on Wed, Jul 16, 2003 at 19:34 +0300:
Thank you very much. You were right. The problem was that the ipsec0 interface was in FW_DEV_EXT, not in FW_DEV_INT.
I do not know if this is right for you also. In my case, there is exactly one trusted VPN peer. I don't want to filter anything between all the LANs, so for me it is right :-)
I put it there because the SuSEfirewall2 manual says: "Also, you need to add ipsec0 to the FW_DEV_EXT variable". Will this be a security issue?
Well, I must admit that I do not understand SuSEfirewall2. I just saw some EXT/DMZ/INT structure. I do not know if EXT/EXT/INT/INT or more complex topologies are supported; well, I doubt that such things are necessary for a desktop Linux system, and a script of your own would be needed anyway. Well, for 2.0.x and 2.2.x I had my own script. Besides controlling some general features such as rp_filter and friends, its configuration file consists of "rules", basically in the form:

#DHCP
input: any:68 any:67 udp ACCEPT -i eth0
#NTP (don't try this @home :-))
input: ntps2-0:123 any:123 udp ACCEPT
input: ntps2-1:123 any:123 udp ACCEPT
input: ntps2-2:123 any:123 udp ACCEPT
#some other LAN
forward: 192.168.9.0/24 192.168.101.0/24 all ACCEPT -b

and so on. I cannot imagine how this can be easily abstracted except with ACL-style things. Well, and the guys that have multiple cascaded firewalls, as companies do, can buy a Firewall on CD licence for it (I don't know if you need a licence for every firewall; this can get expensive). I guess it is supported to configure end-to-end connections, and then some tool calculates which firewalls need which rules, but I don't know. I never had the time to look at the Firewall on CD, and I have not read much about it here.

oki, Steffen

-- This message was generated by machine and therefore bears neither signature nor seal.
participants (3):
- GentooRulez
- Kostyal Daniel
- Steffen Dettmer