Hi. Fine, things clear up.
-----Original Message----- From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net] Sent: Tuesday, 12 November 2002 15:06 To: Suse-Security (E-Mail) Subject: Re: [suse-security] SuSEfirewall2 configuration
No. FW_SERVICES_DMZ_* means the services defined in these parameters are allowed to use the firewall.
For example, FW_SERVICES_DMZ_UDP="syslog" means the DMZ is allowed to send syslog packets to the firewall, since the firewall is the syslog server. It does not mean open UDP port 514 in the DMZ (it would be dangerous if you did so).
OK. I thought that when it's inside the firewall the routing rules of /etc/route.conf are applied. So with SERVICES_DMZ or TRUSTED_NETS I give access to the firewall, and with the FORWARD rule the routing from one net to the other is done. That makes sense.
So I'm back on the solution to use FW_FORWARD. Is this normal? Or is it a conflict in the configuration? Obviously the DMZ rules are never applied because the packets are dropped before.
You can use FW_FORWARD as long as the machine that you are forwarding to has a public IP; if you are using a private IP then you should be using FW_FORWARD_MASQ.
As I understand it (and am also using it), it does not depend on public or private addresses but on whether the net you wish to route is masqueraded. So it depends on what you set in MASQ_DEV. See the config file, 14.):
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
In my case only the external net is masqueraded. For routing INT to DMZ I use FW_FORWARD; for EXT to DMZ I use FORWARD_MASQ (I'm poor, I only have one public IP).
Togan wrote: I would say wide open. By defining TCP/UDP/IGMP you are limiting the protocols that are allowed; when you add the port number then only the protocol along with the matching port is allowed.
I agree with you. For the MASQ_NETS section (restrict access from INT to EXT) it works like this, but when I use this in the TRUSTED_NETS section it won't. I configured the whole INT and DMZ as trusted nets (FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is dropped or denied.
The DMZ is the sacrificed goat; it cannot be trusted.
I will not. -- Thank you for your help. I understand more now how the firewall works, and that's the point in security issues: not knowing where to set a magic flag. Which port number I have to open I can still figure out by looking at /etc/services and the firewall log. Cheers, Kurt
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
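The settings the two of them are discussing, collected into one SuSEfirewall2 configuration fragment as an added example. This is not Kurt's or Togan's actual configuration and not SuSE's shipped defaults; the interface names, the 192.168.1.0/24 and 192.168.2.0/24 addressing, the DMZ web server at 192.168.2.10 and the admin host 192.168.1.5 are assumptions. The file is sourced by the firewall script, so it is plain shell variable assignments; the check function at the end is an addition of this example, not part of SuSEfirewall2.

```bash
# Added example: a SuSEfirewall2 configuration fragment (/etc/sysconfig/SuSEfirewall2
# on SuSE of that era) putting the settings discussed in the thread side by side.
# Interface names, addresses and host IPs below are assumptions.

FW_DEV_EXT="eth0"     # the single public IP sits here
FW_DEV_INT="eth1"     # internal net, assumed 192.168.1.0/24
FW_DEV_DMZ="eth2"     # DMZ, assumed 192.168.2.0/24

# Only traffic leaving the external device is masqueraded; INT <-> DMZ is routed as-is.
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24"

# DMZ hosts may talk to the firewall's own syslog (udp/514). This permits traffic
# *to the firewall host*; it does not open port 514 on any DMZ machine.
FW_SERVICES_DMZ_UDP="syslog"

# INT -> DMZ: both nets are private and this path is not masqueraded,
# so plain routing with FW_FORWARD.  Format: source_net,dest_net,protocol,port
FW_FORWARD="192.168.1.0/24,192.168.2.0/24,tcp,80 192.168.1.0/24,192.168.2.0/24,tcp,25"

# Internet -> DMZ web server with only one public IP: destination NAT on the
# external address via FW_FORWARD_MASQ.  Format: source_net,dest_ip,protocol,port
FW_FORWARD_MASQ="0/0,192.168.2.10,tcp,80"

# What Kurt tried, kept here commented out: every host on INT and DMZ trusted,
# for every protocol and port. A compromised DMZ box would then have the firewall too.
#FW_TRUSTED_NETS="192.168.0.0/16"
# Trust one internal admin host, and only for ssh.  Format: host_or_net[,protocol[,port]]
FW_TRUSTED_NETS="192.168.1.5,tcp,22"

# Sanity check added by this example (not part of SuSEfirewall2): warn about
# FW_TRUSTED_NETS entries that carry no protocol/port qualifier, i.e. a whole
# net trusted wholesale. Returns 1 if any such entry is present.
check_trusted_nets() {
    rc=0
    for entry in $1; do
        case "$entry" in
            *,*) ;;   # has a protocol (and maybe a port): a restricted entry
            *) echo "warning: FW_TRUSTED_NETS entry '$entry' has no protocol/port restriction" >&2
               rc=1 ;;
        esac
    done
    return $rc
}

check_trusted_nets "$FW_TRUSTED_NETS"
```

Run it with `sh` against a copy of your own settings pasted in; the warning goes to stderr and the exit status is non-zero when an unrestricted entry is found, so it can sit in front of `rcSuSEfirewall2 restart` in a deployment script.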