Mailinglist Archive: opensuse-security (363 mails)

Re: [suse-security] WEB port forwarding
  • From: Jeff Harris <linux@xxxxxxxxxxxxxxx>
  • Date: Fri, 13 Jun 2003 22:13:35 -0700 (PDT)
  • Message-id: <Pine.LNX.4.44.0306132205001.23360-100000@xxxxxxxxxxxxxxxxxxx>
> > On Fri, 13 Jun 2003, Istvan Hollo wrote:
> >
> >> Hello List,
> >>
> >> SuSE 8.2
> >>
> >> Currently my webserver is running on the Firewall machine but I want to
> >> move it to another machine, behind the firewall.
> >>
> >> Settings on the firewall:
> >> FW_ROUTE="yes"
> >> FW_MASQ_NETS="1.2.3.0/24"
> >> FW_FORWARD="0/0,1.2.3.4,tcp,80 0/0,1.2.3.4,tcp,443"
> >> FW_REDIRECT="1.2.3.0/24,0/0,tcp,53,53"
> >> IP forwarding is enabled.
> >> Apache is stopped on the firewall machine.
> >>
> >> But it does not want to work.
> >> Can one of you point me in the right direction?
> >>
> >> thanks,
> >> istvan
> >
> > This should be section 14) of /etc/sysconfig/SuSEfirewall2
> >
> > Try something like this:
> > where request comes from, where request should go, protocol, port request,
> > port forwarded to on other machine
> > FW_FORWARD_MASQ="0/0,196.16.0.50,tcp,80,80"
> > # Beware to use this!

On Fri, 13 Jun 2003, Ken Hughes wrote:
>
> Stoopid question time: why "Beware to use this!"? What would be the safe
> and sane way to do this?
>
> Thanks,
>
> Ken

"# Beware to use this!" is a quote straight out of
/etc/sysconfig/SuSEFirewall2, so I suppose the best person to answer this
would be the "Author: Marc Heuse <marc@xxxxxxx>."

The safe way to use it is to not. The next least safe way to do it is to
make sure that the hole you punched in your firewall is going to a highly
restricted DMZ. Regardless of what you do, don't open up any more than is
absolutely necessary.

If Istvan is opening up an insecure webserver behind his firewall, he may
have a false sense of security by thinking, "It's protected by the
firewall."

--
Registered Linux user #304026.
"lynx -source http://www.rallycentral.us/~linux/jharris.asc | gpg --import"
or "gpg --keyserver pgp.mit.edu --recv-key BD23A31E"
Key fingerprint = FB8C 3210 8DE1 78F4 6505 5918 0C34 BE94 BD23 A31E
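As an added illustration (not code from this thread or from SuSEfirewall2), a small Python audit that parses the FW_FORWARD_MASQ format described above and flags the rules that are open to any source. The config text is constructed from the values quoted in the thread; the five-field order follows the description given there, and the extra check against FW_MASQ_NETS is my own assumption about what is worth reviewing.

```python
import ipaddress
from collections import namedtuple

# Constructed sample config, modelled on the values quoted in this thread.
SAMPLE_CONFIG = '''
FW_ROUTE="yes"
FW_MASQ_NETS="1.2.3.0/24"
FW_FORWARD_MASQ="0/0,1.2.3.4,tcp,80,80 0/0,1.2.3.4,tcp,443,443 10.0.0.0/8,1.2.3.5,tcp,22,22"
'''

ForwardRule = namedtuple("ForwardRule", "source dest proto port forward_port")

def parse_sysconfig(text):
    """Read KEY="value" lines of a sysconfig file into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf

def parse_forward_masq(value):
    """Split a FW_FORWARD_MASQ string into rules, field order as the thread gives it:
    source net, destination host, protocol, requested port, port forwarded to."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) != 5:
            raise ValueError(f"expected 5 comma-separated fields, got {entry!r}")
        src, dst, proto, port, fwd = fields
        # "0/0" is the file's shorthand for any source; spell it out for ipaddress.
        src = "0.0.0.0/0" if src == "0/0" else src
        rules.append(ForwardRule(ipaddress.ip_network(src, strict=False),
                                 ipaddress.ip_address(dst), proto, int(port), int(fwd)))
    return rules

def audit(conf):
    """Return warnings for rules reachable from any source (the case the thread warns
    about) and, as an assumed extra check, destinations outside FW_MASQ_NETS."""
    masq_nets = [ipaddress.ip_network(n) for n in conf.get("FW_MASQ_NETS", "").split()]
    warnings = []
    for r in parse_forward_masq(conf.get("FW_FORWARD_MASQ", "")):
        if r.source.prefixlen == 0:
            warnings.append(f"{r.dest}:{r.forward_port}/{r.proto} reachable from any source")
        if not any(r.dest in net for net in masq_nets):
            warnings.append(f"{r.dest} is not inside FW_MASQ_NETS")
    return warnings
```

Running `audit(parse_sysconfig(SAMPLE_CONFIG))` lists the two rules that expose 1.2.3.4 to the whole Internet and stays silent about the rule restricted to 10.0.0.0/8.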