Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] SuSE Firewall Config...
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Fri, 16 Aug 2002 11:04:39 +0200
  • Message-id: <004a01c24503$f3820c80$52ef5b86@xxxxxxxxxxxxxxxxxx>
> either set
> FW_PROTECT_FROM_INTERNAL="no"
> or add ports 25 and 110 to FW_SERVICES_INTERNAL_TCP

Nice try, but totally insecure!
FW_SERVICES_INTERNAL_TCP opens ports on the firewall.

As I understood it, the mail server is not on the firewall!

#9.)
FW_SERVICES_EXTERNAL_TCP=""
FW_SERVICES_EXTERNAL_UDP=""

FW_SERVICES_INTERNAL_TCP="22 25 110"
FW_SERVICES_INTERNAL_UDP=""

Opens ssh, smtp and pop on the firewall.
Change the rules in 10.) to the following:

#10.)

FW_TRUSTED_NETS="10.0.0.0/24"
FW_SERVICES_TRUSTED_TCP="22 25 110"

This allows access only from internal, and only from IPs 10.0.0.0 .. 255.

#11.)

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

If this is a firewall on which access should be allowed to the outside
world, you had better say "Yes" here.
This allows connections to internal IPs from external requests (e.g.:
TCP: www (www.freenet.de) -> 2345 (10.0.0.x)).
This is independent from the firewall!

#14.)

FW_FORWARD_MASQ_TCP="w.x.y.z,10.0.0.102,25
w.x.y.z,10.0.0.102,110
w.x.y.z,10.0.0.102,143
w.x.y.z,10.0.0.102,80"

Forwards IP 10.0.0.102 to smtp, pop3, imap, www from IP w.x.y.z to allow
server service over masquerading.

You use SuSEfirewall and not SuSEfirewall2 (ipchains instead of
iptables).
If you want more protocols to be supported, update to kernel 2.4.? and
install SuSEfirewall2 and iptables.
Iptables can do NAT (Network Address Translation); ipchains can do
masquerading only (not all protocols supported, e.g. Netmeeting).
Masquerading cannot do Netmeeting, ... NAT can do these protocols.
Check for updates on http://www.suse.de/~marc/SuSE.html if you use an older
distribution of SuSE!

Philippe



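Added example, not from the original thread or from SuSEfirewall itself: a small POSIX shell lint that reads a constructed config in the style of the variables quoted above and reports whether the mail ports are actually forwarded to the internal mail server (FW_FORWARD_MASQ_TCP) rather than only opened on the firewall host (FW_SERVICES_INTERNAL_TCP / FW_SERVICES_TRUSTED_TCP). The sample file, its path and the fw_* helper names are assumptions.

```sh
# Constructed sample of the SuSEfirewall settings quoted above (assumed
# path; 10.0.0.102 is the internal mail server from the post).
SAMPLE_CFG="${TMPDIR:-/tmp}/suse_fw_sample.$$"
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
FW_SERVICES_INTERNAL_TCP="22"
FW_TRUSTED_NETS="10.0.0.0/24"
FW_SERVICES_TRUSTED_TCP="22 25 110"
FW_FORWARD_MASQ_TCP="w.x.y.z,10.0.0.102,25
w.x.y.z,10.0.0.102,110
w.x.y.z,10.0.0.102,143"
EOF

# fw_get VAR FILE: print the value of VAR="...", one line per value line,
# so multi-line settings such as FW_FORWARD_MASQ_TCP are handled too.
fw_get() {
    awk -v key="$1" '
        $0 ~ "^" key "=\"" { sub("^" key "=\"", ""); inval = 1 }
        inval { line = $0; if (sub(/"[ \t]*$/, "", line)) inval = 0; print line }
    ' "$2"
}

# fw_port_opened_on_host PORT FILE: 0 if PORT is in a FW_SERVICES_* list,
# i.e. opened on the firewall host itself rather than on a host behind it.
fw_port_opened_on_host() {
    for p in $(fw_get FW_SERVICES_INTERNAL_TCP "$2") \
             $(fw_get FW_SERVICES_TRUSTED_TCP "$2"); do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# fw_port_forwarded_to PORT HOST FILE: 0 if FW_FORWARD_MASQ_TCP has "src,HOST,PORT".
fw_port_forwarded_to() { fw_get FW_FORWARD_MASQ_TCP "$3" | grep -q "^[^,]*,$2,$1\$"; }

# fw_check_mailserver HOST FILE: one finding per mail port; non-zero when a
# port is not forwarded to HOST (it would then only reach the firewall).
fw_check_mailserver() {
    rc=0
    for port in 25 110; do
        if fw_port_forwarded_to "$port" "$1" "$2"; then
            echo "ok: tcp/$port is forwarded to $1"
        else
            echo "problem: tcp/$port is not forwarded to $1"; rc=1
        fi
        fw_port_opened_on_host "$port" "$2" &&
            echo "note: tcp/$port is also open on the firewall host itself"
    done
    return $rc
}

fw_check_mailserver 10.0.0.102 "$SAMPLE_CFG"
```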