Mailinglist Archive: opensuse-security (575 mails)

Re: [suse-security] SuSEfirewall2 configuration
  • From: "Chris FitzGerald" <mersco@xxxxxxxxxx>
  • Date: Tue, 12 Nov 2002 15:04:18 +0100
  • Message-id: <018e01c28a54$65cd3b30$5301440a@xxxxxxxxxxxx>
If I remember correctly the list had a similar mail regarding SuSEfirewall2
and DMZ ...

And it was said FW_FORWARD had to be used to be able to connect to the
server on the DMZ-side.
I am not sure if it is possible without ...

so I believe it should say something like:

FW_FORWARD="source ip/net,destination ip,tcp,80"

and open up the ports:

FW_SERVICES_EXT_TCP="80"

FW_SERVICES_INT_TCP="80"

FW_SERVICES_DMZ_TCP="80"

(if your service is located on port 80)

when you say the packets are dropped, did you open up the respective ports
in the FW_SERVICES_EXT and FW_SERVICES_INT?
because all traffic travelling to the DMZ HAS to pass the firewall ... no
matter what!
and not opening the ports on the int nic and ext nic could cause your
packets to be dropped.

Regards
Chris


_____________________________________________
Make money while you work !!! No surfing required!
http://www.degoo.com/index.php?refid=mersco

This is for real !!!
----- Original Message -----
From: "Kurt Minder" <kurtminder@xxxxxxxxxx>
To: "Suse-Security (E-Mail)" <suse-security@xxxxxxxx>
Sent: Tuesday, November 12, 2002 2:43 PM
Subject: AW: [suse-security] SuSEfirewall2 configuration


> Hi
>
> > -----Original Message-----
> > From: Chris FitzGerald [mailto:mersco@xxxxxxxxxx]
> > Sent: Tuesday, 12 November 2002 12:17
> > To: Suse-Security (E-Mail)
> > Subject: Re: [suse-security] SuSEfirewall2 configuration
> >
> >
> > Hi,
> > In answer to 1:
> > When you use FW_SERVICES_DMZ it opens up the ports you wish to allow,
> > without looking at whether it came from internal or external.
> > You do have to open up the ports on the external and internal services
> > to allow the traffic to come in in the first place.
>
> Ok. I understand. What you let in from any (EXT, INT) interface should
> have access to the DMZ.
> In my case it doesn't, nor can the DMZ access the services opened in the
> SERVICES_DMZ.
>
> So I'm back on the solution to use FW_FORWARD. Is this normal? Or is it a
> conflict in the configuration?
> Obviously the DMZ rules are never applied because the packets are dropped
> before.
>
> > Togan wrote:
> > I would say wide open; by defining TCP/UDP/IGMP you are limiting the
> > protocols that are allowed, and when you add the port number then only the
> > protocol along with the matching port is allowed.
>
> I agree with you. For the MASQ_NETS (restrict access from INT to EXT)
> section it works like this, but when I use this in the TRUSTED_NETS section
> it won't. I configured the whole INT and DMZ as trusted net
> (FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is
> dropped or denied.
>
> Hopefully someone knows something about the reasons.
>
> Cheers Kurt
>
>
> >
> > Tricky question for me too...
> >
> > regards
> >
> > chris
> >
> > ----- Original Message -----
> > From: "Kurt Minder" <kurtminder@xxxxxxxxxx>
> > To: "Suse-Security (E-Mail)" <suse-security@xxxxxxxx>
> > Sent: Tuesday, November 12, 2002 12:02 PM
> > Subject: [suse-security] SuSEfirewall2 configuration
> >
> >
> > > Hi folks
> > >
> > > I followed the threads about configuring the firewall, but it was not
> > > really enlightening me (sorry).
> > >
> > > So some questions:
> > >
> > > 1.)
> > > Does the FW_SERVICE_DMZ open only a connection from DEV_EXT to DEV_DMZ?
> > > Because when I want to access the DMZ from internal I have to use the
> > > FW_FORWARD statement.
> > >
> > > 2.)
> > > A question about the notation:
> > > # A forwarding rule consists of 1) source IP/net and 2) destination IP
> > > # separated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
> > > # Optional is a protocol, separated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
> > > # Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
> > >
> > > When I leave out protocol and port, what is (or should be) open then?
> > >
> > > I'm using 7.3
> > >
> > >
> > > Cheers Kurt
> > >
> > >
> > >
> > > --
> > > Check the headers for your unsubscription address
> > > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > > Security-related bug reports go to security@xxxxxxx, not here
> > >
> > >
> >
> >
> >
> >
> >
> >
>
>
>
>
>
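The FW_FORWARD notation quoted in the thread (src,dst[,proto[,port]], entries separated by spaces) as an added example that is not from this thread or from SuSEfirewall2 itself: a small Python parser that renders each entry as the FORWARD rule it amounts to and flags entries that forward more than a reviewer would expect. The sample value and function names are constructed; that an entry with no protocol is rendered without -p, and therefore matches every protocol, is an assumption about SuSEfirewall2's behaviour.

```python
import ipaddress

# Constructed example value in the format quoted in the thread; not a real config.
SAMPLE_FW_FORWARD = "192.168.1.0/24,192.168.2.10,tcp,80 0/0,0/0,udp,514 10.0.0.0/8,192.168.2.20"


def _parse_net(text):
    """Accept the SuSEfirewall2 shorthand: '1.1.1.1', '3.3.3.3/16', or '0/0' (any)."""
    if text == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(text, strict=False)


def parse_fw_forward(value):
    """Split an FW_FORWARD value into rule dicts: src, dst, proto (or None), port (or None)."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) < 2 or len(fields) > 4:
            raise ValueError(f"FW_FORWARD entry needs 2 to 4 comma-separated fields: {entry!r}")
        src, dst = _parse_net(fields[0]), _parse_net(fields[1])
        proto = fields[2].lower() if len(fields) > 2 and fields[2] else None
        port = int(fields[3]) if len(fields) > 3 and fields[3] else None
        if port is not None and proto not in ("tcp", "udp"):
            raise ValueError(f"a port only makes sense with tcp or udp: {entry!r}")
        rules.append({"src": src, "dst": dst, "proto": proto, "port": port})
    return rules


def to_iptables(rule):
    """Render the FORWARD-chain rule the entry amounts to. Assumption: no protocol
    means no -p option, and an iptables rule without -p matches every protocol."""
    parts = ["iptables -A FORWARD", f"-s {rule['src']}", f"-d {rule['dst']}"]
    if rule["proto"]:
        parts.append(f"-p {rule['proto']}")
    if rule["port"] is not None:
        parts.append(f"--dport {rule['port']}")
    parts.append("-j ACCEPT")
    return " ".join(parts)


def audit(rules):
    """Flag entries a reviewer would question: any-host sources, and rules that
    forward every protocol or every port between two hosts or nets."""
    findings = []
    for r in rules:
        if r["src"].prefixlen == 0:
            findings.append(f"{r['src']} -> {r['dst']}: source is any host")
        if r["proto"] is None:
            findings.append(f"{r['src']} -> {r['dst']}: all protocols and ports forwarded")
        elif r["port"] is None and r["proto"] in ("tcp", "udp"):
            findings.append(f"{r['src']} -> {r['dst']}: all {r['proto']} ports forwarded")
    return findings
```

Running `audit(parse_fw_forward(SAMPLE_FW_FORWARD))` flags the any-host source of the syslog entry and the third entry, which forwards everything between the two nets; the first entry, limited to tcp/80, is the shape Chris suggests above.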