Hello
First, thanks a lot for all the answers.
Unfortunately it does not work yet, and sincerely I have no clue anymore why it should not work.
Anyway, here again are all the data and the new modified configuration file for firewall2. I will also print the messages I get in the logfile /var/log/firewall when running firewall2 in test mode.
Kernel 2.4.16 (updated from 2.4.4, SuSE 7.2)
Firewall2 installed, then firewall1 and personal firewall uninstalled.
One question at this point: do I need personal firewall installed?
Or can it be that I do not have the correct rights for some files?
external card on eth0 - 192.168.0.1/255.255.255.255
internal card on eth1 - 192.168.159.0/24
Firewall2 configuration file: if you find something wrong, could you please correct the corresponding line....
After this you will find the messages again which I get when trying to connect to the internet (just plain www).
FW_DEV_EXT="ppp0" # <-- is that right? Well, with eth0 it did not work either.....
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.159.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh" # Common: smtp domain
FW_SERVICES_EXT_UDP="" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" # Common: ssh smtp domain
FW_SERVICES_INT_UDP="" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INTERNET="yes"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#
#
# EXPERT OPTIONS - all others please don't change these! #
#
#
#-------------------------------------------------------------------------#
#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
Well, now the messages: one for trying to connect from a machine on the LAN (trusted, local) and one message for trying to connect from my Linux router to the internet.
Mar 28 21:35:12 linux kernel: SuSE-FW-UNALLOWED-ROUTING IN=ppp0 OUT=eth1 SRC=207.46.28.116 DST=192.168.159.11 LEN=40 TOS=0x08 PREC=0x00 TTL=52 ID=10637 DF PROTO=TCP SPT=80 DPT=4022 WINDOW=17400 RES=0x00 ACK URGP=0
Mar 28 21:35:21 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=80.135.123.51 DST=217.89.17.95 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=7443 DF PROTO=TCP SPT=3413 DPT=1214 WINDOW=45680 RES=0x00 SYN URGP=0 OPT (020405AC0103030301010402)
Thank you for your help
Greetings, Thomas
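The two kernel log lines above follow the netfilter LOG format (the `SuSE-FW-…` part is the `--log-prefix` from `FW_LOG` plus the tag of the rule that fired). Reading them by hand is error-prone, so here is an added example that parses them and says what each drop means. It is not part of the thread and not part of SuSEfirewall2; the two log lines are copied from the post, the field and flag names are the standard netfilter LOG ones, and the explanations are derived only from the direction (IN/OUT), the TCP flags and whether DST is a private address. Note that the second entry is not an outbound connection from the router at all: it is an inbound SYN from the internet to the firewall's own address, dropped because port 1214 is not in `FW_SERVICES_EXT_TCP`. The first one is the real problem: a reply segment (ACK, no SYN) from a web server to an internal host is dropped in the forward path, so the firewall is not treating it as part of an allowed masqueraded connection. Which configuration line causes that is not decidable from the log alone.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two lines from the post above, rejoined onto one line each
# (the list archive had wrapped them).
SAMPLE_LOG = """\
Mar 28 21:35:12 linux kernel: SuSE-FW-UNALLOWED-ROUTING IN=ppp0 OUT=eth1 SRC=207.46.28.116 DST=192.168.159.11 LEN=40 TOS=0x08 PREC=0x00 TTL=52 ID=10637 DF PROTO=TCP SPT=80 DPT=4022 WINDOW=17400 RES=0x00 ACK URGP=0
Mar 28 21:35:21 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=80.135.123.51 DST=217.89.17.95 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=7443 DF PROTO=TCP SPT=3413 DPT=1214 WINDOW=45680 RES=0x00 SYN URGP=0 OPT (020405AC0103030301010402)
"""

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value tokens, value may be empty (OUT= MAC=)
OPT_RE = re.compile(r"OPT \(([0-9A-Fa-f]*)\)")   # hex TCP options from --log-tcp-options


@dataclass
class FwEvent:
    timestamp: str
    prefix: str             # --log-prefix plus the rule's own tag
    fields: Dict[str, str]  # IN, OUT, SRC, DST, PROTO, SPT, DPT, ...
    flags: List[str]        # TCP flag tokens, in log order
    df: bool                # Don't-Fragment bit present
    options: str            # TCP options as hex, "" if none logged

    @property
    def chain(self) -> str:
        # netfilter prints an empty OUT= for packets addressed to the host
        # itself; a non-empty OUT means the packet was being forwarded.
        return "INPUT" if self.fields.get("OUT", "") == "" else "FORWARD"


def parse_line(line: str) -> FwEvent:
    head, sep, body = line.partition("kernel: ")
    if not sep:
        raise ValueError("not a kernel log line: %r" % line)
    timestamp = " ".join(head.split()[:3])
    prefix, _, rest = body.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    tokens = rest.split()
    flags = [t for t in tokens if t in TCP_FLAGS]
    m = OPT_RE.search(rest)
    return FwEvent(timestamp, prefix, fields, flags, "DF" in tokens, m.group(1) if m else "")


def parse_log(text: str) -> List[FwEvent]:
    return [parse_line(l) for l in text.splitlines() if "kernel:" in l]


def classify(ev: FwEvent) -> Tuple[str, str]:
    """Return (category, explanation) for one logged drop."""
    f = ev.fields
    tcp = f.get("PROTO") == "TCP"
    dst_private = ipaddress.ip_address(f["DST"]).is_private
    if ev.chain == "INPUT":
        if tcp and ev.flags == ["SYN"]:
            return ("unsolicited-syn-to-firewall",
                    f"new connection from {f['SRC']} to the firewall's own address "
                    f"{f['DST']} port {f['DPT']}, dropped because that port is not "
                    f"in the FW_SERVICES_EXT_* lists (expected noise, not the routing problem)")
        return ("dropped-input", f"packet to the firewall itself dropped ({f.get('PROTO')})")
    if tcp and "ACK" in ev.flags and "SYN" not in ev.flags and dst_private:
        return ("dropped-reply-in-forward",
                f"reply segment (ACK, no SYN) from {f['SRC']}:{f['SPT']} arriving on "
                f"{f['IN']} for internal host {f['DST']}:{f['DPT']} was dropped while "
                f"being forwarded to {f['OUT']}: the firewall did not accept it as "
                f"part of an established masqueraded connection")
    return ("dropped-forward",
            f"forwarded packet {f['SRC']} -> {f['DST']} dropped on {f['IN']} -> {f['OUT']}")


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        cat, why = classify(ev)
        print(f"{ev.timestamp} {ev.prefix} [{ev.chain}] {cat}: {why}")
```

Run it on `/var/log/firewall` (`parse_log(open(path).read())`) to separate the noise, such as inbound scans hitting the public address, from the forwarded-connection drops that explain why the LAN cannot reach the web. With `FW_LOG_DROP_ALL` and `FW_LOG_ACCEPT_ALL` both set to "yes" the file fills quickly, so grouping by category matters.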
--- Robert Klein
Hi Peter,
PS: I am not sure about the external devices. I have one external card, which is eth0. But I tried this setting with just eth0 too and it did not work. That is why I put ppp0 as well.
Your external device is ppp0. You may leave eth0 out.
FW_DEV_EXT="ppp0"
FW_MASQ_NETS="192.168.159.0/24"
as Thorsten Preuss has already noted in another mail. Sorry, I've been asleep here. He's also right about not needing the IP_FORWARD variable in /etc/rc.config anymore. Sorry for the confusion. Thanks, Thorsten, for setting me right.
NB: Those entries below were _examples_. You have to insert those services you have running _on_ your firewall. Add only those services you want to be accessible from outside *EXT* or from inside *INT* your network. For example, I have some installations using the following entries:
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_SERVICES_INT_TCP="ssh"
This means, I want ssh access to the firewall from the outside as well as the inside (entry ssh). Furthermore, this machine is the entry to a VPN (virtual private network), (UDP port 500 for key exchange and IP protocol 50 is used to transport the encrypted packets).
Leave those fields empty if you don't have any services running on the firewall (I'd recommend at least "ssh" in FW_SERVICES_INT_TCP --- you might want to do some configuring from another computer in your network. Saves the monitor for the firewall :)
Robert
FW_SERVICES_EXT_TCP="ssh http" # Common: smtp domain
FW_SERVICES_EXT_UDP="ssh http" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="ssh http" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
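The meaning Robert gives the `FW_SERVICES_{EXT,INT}_{TCP,UDP,IP}` and `FW_MASQ*` variables maps onto iptables rules in a mechanical way, and the quoted entries above show how easy it is to put a TCP-only service name such as "ssh" into a UDP list. The following added example, which is not from the thread and not SuSEfirewall2's own code, reads a configuration fragment in that file's `VAR="value"` format, renders the rules the services and masquerading variables stand for, and flags the inconsistencies a reviewer would catch. The configuration fragment is constructed; the service-name table is an assumed subset of `/etc/services`; and the rendered rules illustrate the variables' meaning only, since the real script generates many more rules (state tracking, logging, defaults) than these.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed configuration fragment in the format of the firewall2 file
# posted in this thread. It deliberately repeats the mistake of putting
# "ssh http" (TCP-only services) into a *_UDP variable.
SAMPLE_CONFIG = '''
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.159.0/24"
FW_SERVICES_EXT_TCP="ssh"        # Common: smtp domain
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_SERVICES_INT_TCP="ssh http"
FW_SERVICES_INT_UDP="ssh http"
FW_LOG_ACCEPT_ALL="yes"
'''

# name -> (port, protocols the name is defined for); an assumed subset of
# /etc/services covering the names used in this thread.
KNOWN_SERVICES = {
    "ssh": (22, {"tcp"}),
    "smtp": (25, {"tcp"}),
    "http": (80, {"tcp"}),
    "domain": (53, {"tcp", "udp"}),
    "syslog": (514, {"udp"}),
}

ASSIGN_RE = re.compile(r'^\s*([A-Z][A-Z0-9_]*)="([^"]*)"')
VARREF_RE = re.compile(r"\$([A-Z][A-Z0-9_]*)")


def parse_config(text: str) -> Dict[str, str]:
    """Collect VAR="value" assignments and resolve $VAR references."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    for key in list(cfg):  # e.g. FW_MASQ_DEV="$FW_DEV_EXT" -> "ppp0"
        cfg[key] = VARREF_RE.sub(lambda m: cfg.get(m.group(1), ""), cfg[key])
    return cfg


def resolve_port(name: str, proto: str, var: str, warnings: List[str]) -> Optional[str]:
    """Turn a service name or number into a port string; record problems."""
    if name.isdigit():
        return name
    entry = KNOWN_SERVICES.get(name)
    if entry is None:
        warnings.append(f"{var}: unknown service name {name!r}; use a port number or a name from /etc/services")
        return None
    port, protos = entry
    if proto not in protos:
        warnings.append(f"{var}: {name!r} is a {'/'.join(sorted(protos)).upper()} service but is listed under {proto.upper()}")
        return None
    return str(port)


def render(text: str) -> Tuple[List[str], List[str]]:
    """Return (iptables rules the variables stand for, warnings)."""
    cfg = parse_config(text)
    rules: List[str] = []
    warnings: List[str] = []
    for zone, dev in (("EXT", cfg.get("FW_DEV_EXT", "")), ("INT", cfg.get("FW_DEV_INT", ""))):
        if not dev:
            continue
        # Services reachable *on the firewall itself* from that side: INPUT chain.
        for proto in ("tcp", "udp"):
            var = f"FW_SERVICES_{zone}_{proto.upper()}"
            for name in cfg.get(var, "").split():
                port = resolve_port(name, proto, var, warnings)
                if port:
                    rules.append(f"iptables -A INPUT -i {dev} -p {proto} --dport {port} -j ACCEPT")
        # Whole IP protocols ending at the firewall, e.g. 50 (ESP) for a VPN.
        for ipproto in cfg.get(f"FW_SERVICES_{zone}_IP", "").split():
            rules.append(f"iptables -A INPUT -i {dev} -p {ipproto} -j ACCEPT")
    if cfg.get("FW_MASQUERADE") == "yes":
        masq_dev = cfg.get("FW_MASQ_DEV", "")
        if cfg.get("FW_ROUTE") != "yes":
            warnings.append("FW_MASQUERADE=yes needs FW_ROUTE=yes, otherwise nothing is forwarded")
        if not masq_dev:
            warnings.append("FW_MASQUERADE=yes but FW_MASQ_DEV resolves to nothing")
        for net in cfg.get("FW_MASQ_NETS", "").split():
            rules.append(f"iptables -t nat -A POSTROUTING -s {net} -o {masq_dev} -j MASQUERADE")
    if cfg.get("FW_LOG_ACCEPT_ALL") == "yes":
        warnings.append("FW_LOG_ACCEPT_ALL=yes logs every accepted packet; keep it for debugging only")
    return rules, warnings


if __name__ == "__main__":
    rules, warnings = render(SAMPLE_CONFIG)
    print("\n".join(rules))
    print("\n".join("WARNING: " + w for w in warnings))
```

Point `render()` at the real file (`render(open("/etc/rc.config.d/firewall2.rc.config").read())`) to see, before restarting the firewall, which ports the `FW_SERVICES_*` lines will actually open on which interface and whether the masquerade device resolved to the interface the internet traffic really leaves on.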
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here