Mailinglist Archive: opensuse-factory (824 mails)
Re: [opensuse-factory] Firewall not consistent..
- From: "M9." <monkey9@xxxxxx>
- Date: Sat, 15 Sep 2007 17:47:34 +0200
- Message-id: <46EBFE96.6020201@xxxxxx>
jdd wrote:
> M9. wrote:
>
> so, if I understand well you have only one lan (192.168.1.x) with all
> the PC on it.
Yes that is correct ;-)
>
> previously you said:
>
> "This morning i had to shut down the firewall to enter my Lan.
> Printing was impossible, and also accessing the other pc's and laptops
> in the network.
>
> What i do not understand is why this firewall prevents me from entering
> other pc's in the network, while others can access mine easily?"
>
> It looks like you (or any event) swapped the internal and external
> network in the config
>
> try setting with defaults - usually defaults are good
I used the defaults, after putting back the network interface back to
the external zone again.
>
>> About /etc/scripts/SuSEfirewall2, there are many files there, i do not
>> know which one you want to see.
>
> it's not a folder but a file in my computer (but the one I have just at
> hand is a 10.1, may be the file was spread in several ones later)
>
> this file is commented internally, and the comments are the only
> firewall notice I know of
>
>> IMHO should a firewall be configured once, and work in silence,
>> protecting a pc or laptop against attack from 'outside'.
>
> it's what SuSEfirewall2 does usually :-)
>
>> It should not block the trusted hosts, and block the untrusted ones.
>
> not clear in your config which is what
In my config there are only trusted hosts...
(in a windows case there are constantly hosts that are informed by
dataminers, in windows one should be able to block them...)
>
>> A warning should be displayed, with an option to grant or deny an
>> attempt to enter the pc, with a description of the host and the ip
>> address, so that one can decide to let pass once or forever, which does
>> not mean that 'forever' can not be changed to deny.
>
> it's really too easy to click on "yes" without caution and very difficult
> to go back after, and should any user be allowed to do so?
Normally, if you have a good firewall, there is a description of the
host, its ip address, and the purpose for entering from or towards the pc.
The streams are visible if you want: in, out, and which ports are used.
Each program is listed, and the ports they use.
>
>>
>> A really good firewall can work with passwords, just as a server can.
>
> I think somewhat your definition of "firewall" is wrong. a firewall is
> used to open or close "ports"
exactly!
> , not communication
yes it has to let me know who is going out and going in, and i must be
able to shut whatever port i like, in principle..
> (your firewalls don't
> do NAT, as you have an other router).
>
> whatever you do with these ports is irrelevant.
If some host wants to enter my pc, i want to know this, and be able to
close the gate (port) if i do not want it entering for whatever reason i
have.
If i give a password to a host, it can enter without noticing me, as
long as i want to let the firewall accept the password.
>
> a firewall works at the packet level, not at the logical one, it knows
> nothing of passwords. It protects networks, so if you want a part with
> trusted pc, it must be the internal and untrusted the external or the
> dmz if they are in your house, but this needs an other net card (an
> other lan).
A good firewall can handle this perfectly, with just one card.
>
> you can set some filtering based on IP, but I'm not sure it's secure and
> anyway it's difficult to setup.
>
> finally you said "This morning i had to shut down the firewall to enter
> my Lan.", so the day before the firewall was nice, what did change in
> between?
Not one thing, that is why i call the firewall inconsistent..
>
> I bet you use a samba network and windows samba is buggy and needs to
> open nearly anything to work as was said from the beginning by an other
> writer.
I use samba on the Linux-side,
>
> http://lists.opensuse.org/opensuse-factory/2007-09/msg00335.html
>
> but if I understand well, doing so is nearly the same as stopping the
> firewall.
As i understand, only for the ports used by samba for the LAN?
>
> use of samba server on suse fixes the permission problem.
Samba server i did not use before...
>
> jdd
>
If you want to know what i mean, you should download the free sygate
firewall from norton, and use it on a windows box.
--
Have a nice day,
M9. Now, is the only time that exists.
OS: Linux 2.6.22.5-10-default x86_64
Current user: monkey9@tribal-sfn2
System: openSUSE 10.3 (X86-64) Beta3
KDE: 3.5.7 "release 58"