Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] SuSE Firewall Config...
  • From: "Mathias Homann" <admin@xxxxxxxxxx>
  • Date: Thu, 15 Aug 2002 19:47:04 +0200 (CEST)
  • Message-id: <1053.217.228.147.170.1029433624.squirrel@xxxxxxxxxxxxxxxx>

> ...can anyone tell me what is wrong...
> #
> # 7.)
> # Do you want to protect the firewall from the internal network?
> # REQUIRES: FW_DEV_INT
> #
> # If you set this to "yes", internal machines may only access services on
> # the machine you explicitly allow. They will also be affected by the
> # FW_AUTOPROTECT_GLOBAL_SERVICES option.
> # If you set this to "no", any user can connect (and attack) any service on
> # the firewall.
> #
> # Choice: "yes" or "no", defaults to "yes"
> #
> FW_PROTECT_FROM_INTERNAL="yes"
>
> #
> # 8.)
> # Do you want to autoprotect all global running services?
> #
> # If set to "yes", all network access to services TCP and UDP on this machine
> # which are not bound to a special IP address will be prevented (except to
> # those which you explicitly allow, see below: FW_*_SERVICES_*)
> # Example: "0.0.0.0:23" would be protected, but "10.0.0.1:53" not.
> #
> # Choice: "yes" or "no", defaults to "yes"
> #
> FW_AUTOPROTECT_GLOBAL_SERVICES="yes" # "yes" is a good choice
>
> #
> # 9.)
> # Which services ON THE FIREWALL should be accessible from either the internet
> # (or other untrusted networks), the dmz or internal (trusted networks)?
> # (see no.13 & 14 if you want to route traffic through the firewall)
> #
> # Enter all ports or known portnames below, separated by a space.
> # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
> # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
> # e.g. if a webserver on the firewall should be accessible from the internet:
> # FW_SERVICES_EXTERNAL_TCP="www"
> # e.g. if the firewall should receive syslog messages from the dmz:
> # FW_SERVICES_DMZ_UDP="syslog"
> # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
> # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
> #
> # Choice: leave empty or any number of ports, known portnames (from
> # /etc/services) and port ranges separated by a space. Port ranges are
> # written like this, from 1 to 10: "1:10"
> # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
> # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
> #
> FW_SERVICES_EXTERNAL_TCP=""
> FW_SERVICES_EXTERNAL_UDP=""
> FW_SERVICES_EXTERNAL_IP="" # For VPN/Routing which END at the firewall!!
> #
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
> #
> FW_SERVICES_INTERNAL_TCP="ssh"
> FW_SERVICES_INTERNAL_UDP=""
> FW_SERVICES_INTERNAL_IP="" # For VPN/Routing which END at the firewall!!


either set
FW_PROTECT_FROM_INTERNAL="no"
or add ports 25 and 110 to FW_SERVICES_INTERNAL_TCP


bye,
[MH]
--
Unsolicited advertising e-mail sent to private individuals violates §1 UWG and
§823 I BGB (ruling of the LG Berlin of 2 Aug 1998, case no. 16 O 201/98). Any
commercial use of the personal data transmitted, as well as passing it on to
third parties, is expressly prohibited!
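The two fixes in the reply, worked through as an added example that is not part of the original post and is not SuSEfirewall2's own code: a small POSIX sh checker that models option 7 (FW_PROTECT_FROM_INTERNAL) together with the FW_SERVICES_*_TCP list syntax quoted above (port numbers, known port names, and "lo:hi" ranges). It assumes a constructed name-to-port table in place of real /etc/services lookups, and the helper names port_of_name, service_allowed and internal_can_reach are hypothetical. It shows why the poster's "ssh"-only list blocks ports 25 and 110 from the internal net, and why keeping protection on and listing "smtp pop3" is the narrower of the two fixes, since "no" exposes every service on the firewall to the internal network, as the quoted comment itself warns.

```shell
#!/bin/sh
# Added example, not from the list post or from SuSEfirewall2 itself.
# Models FW_PROTECT_FROM_INTERNAL plus the FW_SERVICES_*_TCP list syntax.

# Constructed name->port table standing in for /etc/services lookups
# (assumption: the real tool resolves names from /etc/services).
port_of_name() {
    case "$1" in
        ssh)      echo 22 ;;
        smtp)     echo 25 ;;
        www|http) echo 80 ;;
        pop3)     echo 110 ;;
        syslog)   echo 514 ;;
        *)        return 1 ;;
    esac
}

# service_allowed PORT "LIST": succeed if PORT is covered by any entry in
# LIST, where an entry is a number, a known port name, or a "lo:hi" range.
service_allowed() {
    port=$1
    list=$2
    for entry in $list; do
        case "$entry" in
            *:*)
                # Port range written "from:to", e.g. "512:514"
                lo=${entry%%:*}; hi=${entry#*:}
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *[!0-9]*)
                # Symbolic name; unknown names are skipped, not matched
                n=$(port_of_name "$entry") || continue
                [ "$n" -eq "$port" ] && return 0
                ;;
            *)
                # Plain port number
                [ "$entry" -eq "$port" ] && return 0
                ;;
        esac
    done
    return 1
}

# internal_can_reach PORT PROTECT "LIST": with FW_PROTECT_FROM_INTERNAL="no"
# every service on the firewall is reachable from the internal net; with
# "yes" only the services listed in FW_SERVICES_INTERNAL_TCP are.
internal_can_reach() {
    port=$1; protect=$2; list=$3
    [ "$protect" = "no" ] && return 0
    service_allowed "$port" "$list"
}

# Demo: the poster's setting, then the least-privilege fix from the reply.
FW_SERVICES_INTERNAL_TCP="ssh"
for p in 25 110; do
    if internal_can_reach "$p" yes "$FW_SERVICES_INTERNAL_TCP"; then
        echo "port $p: reachable from internal"
    else
        echo "port $p: blocked from internal (why mail from the LAN fails)"
    fi
done
# Keep protection on and open only the two mail services.
FW_SERVICES_INTERNAL_TCP="ssh smtp pop3"
internal_can_reach 25 yes "$FW_SERVICES_INTERNAL_TCP" && echo "smtp now allowed"
internal_can_reach 110 yes "$FW_SERVICES_INTERNAL_TCP" && echo "pop3 now allowed"
```

The checker only models the list syntax; on a real SuSE system the change takes effect after the firewall script is re-run, and FW_AUTOPROTECT_GLOBAL_SERVICES (option 8) still applies to services bound to 0.0.0.0.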


