Mailinglist Archive: opensuse-security (485 mails)

Configuring SuSEfirewall2 on SuSE 9.0 as a personal firewall
  • From: Marc Saric <marc.saric@xxxxxxxxxxxxxxxx>
  • Date: Thu, 11 Mar 2004 15:50:31 +0100
  • Message-id: <40507CB7.3070407@xxxxxxxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I am trying to use SuSEfirewall2 as included in SuSE 9.0 to secure the
eth0-connection of a server-machine (only one interface, connected to
the university network, no routing, NAT, bridging, etc.) but I'm a bit
confused about the options and the available documentation (especially
regarding differences between the current and older versions of
SuSEfirewall2):

What I have read (but maybe not fully understood :-)) so far:
=============================================================

  * http://seismo.ethz.ch/linux/firewall.html, which deals with SuSE up
to version 8.1 (which obviously differs from the current version)

  * http://susefaq.sourceforge.net/articles/firewall/fw_manual.html a
nice manual about the same package, also up to version 8.1

  * the archive of this mailinglist

  * Googled the usual newsgroups/pages for more help.

What I want to do:
==================

Secure a server which should be used as a department server running
SAMBA, NFS (maybe not), Netatalk, Apache, ssh/scp/sftp, xntpd (i.e. a
plain simple standard intranet- and fileserver) against access from the
outside world.

The setup:
==========

All machines are directly connected to the Internet (via the university
network thanks to the University of Tuebingen not running their own
firewall), therefore I want to grant/deny access to the server based on

  * IP-address (i.e. "FW_TRUSTED_NETS") individually (per machine)
  * possibly MAC-address (possible to set this in the firewall-config??)
  * login and password-protection for services of course (not part of the
    firewall)

and deny access to all services except ssh for the rest of the world.

In http://seismo.ethz.ch/linux/firewall.html I found the following entry
which seems to be ok for me

FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz" # Adjust
FW_SERVICES_TRUSTED_TCP="1:65535" # Should be adjusted to needed
                                  # services per machine, not globally everything.
FW_SERVICES_TRUSTED_UDP="1:65535" # see above

in connection with

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="" # Do I have to set eth0 here as well???
FW_SERVICES_EXT_TCP="" # drop all
FW_SERVICES_EXT_UDP="" # drop all
FW_AUTOPROTECT_SERVICES="yes"
FW_PROTECT_FROM_INTERNAL="yes"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="yes"
...

(among others) to deny everything else from unknown computers.

The problem is that the variables "FW_SERVICES_TRUSTED*" seem to be
absent in SuSEfirewall2-3.1-206 (as installed with SuSE 9.0).

Can someone point me in the right direction to solve this problem? How
to enable (more or less) fine-grained access control to a computer on
an IP-address basis (or better IP and MAC)?

Thanks in advance.

-- 
Bye,
Marc Saric

Dr. Marc Saric, Bioinformatik, Proteom Centrum Tübingen,
Paul-Ehrlich-Str. 15, D-72076 Tübingen, Germany,
Tel: +49 (0)7071 29 77645, marc.saric@xxxxxxxxxxxxxxxx
http://www.proteom-centrum-tuebingen.de
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAUHy3BLD6PjSWyL4RAk9sAJ9RhHC0uVBfaRTWPPi/NV1OYyJNOwCeLOQ7
9HQHFLZ2fEBBRnt3ziatNF8=
=tasY
-----END PGP SIGNATURE-----
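As an added example (not part of the original post and not SuSE's own configuration), here is how the policy described above, ssh for everyone and individual services only for named hosts, can be written for a single-interface host without the per-host "1:65535" grants. It assumes the 3.x form of FW_TRUSTED_NETS, a space-separated list of net[,protocol[,port]] entries, eth0 as the only interface (so FW_DEV_EXT="eth0" and FW_DEV_INT left empty), and constructed client addresses from the RFC 5737 documentation ranges. The trusted_rules function at the end is a dry-run reading aid written for this example, not SuSEfirewall2's rule generator: it prints the iptables rule each entry amounts to so the policy can be reviewed before the firewall is restarted.

```shell
# Added example: /etc/sysconfig/SuSEfirewall2 fragment for a one-interface
# department server. Assumed syntax: FW_TRUSTED_NETS="net[,proto[,port]] ...".
# Addresses are constructed (RFC 5737 documentation ranges).

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""          # only one interface: it belongs in FW_DEV_EXT, nothing here
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICE_AUTODETECT="yes"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"

# The rest of the world gets ssh and nothing else.
FW_SERVICES_EXT_TCP="22"
FW_SERVICES_EXT_UDP=""

# Per-host grants, one entry per host and service:
#   192.0.2.10   Samba client (NetBIOS/CIFS ports)
#   192.0.2.11   web client
#   198.51.100.7 NTP peer
FW_TRUSTED_NETS="192.0.2.10,tcp,139 192.0.2.10,tcp,445 192.0.2.10,udp,137 192.0.2.10,udp,138 192.0.2.11,tcp,80 198.51.100.7,udp,123"

# Dry-run helper (hypothetical, for review only): print the iptables rule that
# each FW_TRUSTED_NETS entry corresponds to. An entry with no protocol grants the
# host everything; with a protocol but no port it grants that whole protocol.
trusted_rules() {
    for entry in $1; do
        net=${entry%%,*}                 # part before the first comma
        rest=${entry#"$net"}; rest=${rest#,}
        proto=${rest%%,*}
        port=${rest#"$proto"}; port=${port#,}
        rule="iptables -A INPUT -i $FW_DEV_EXT -s $net"
        if [ -n "$proto" ]; then rule="$rule -p $proto"; fi
        if [ -n "$port" ]; then rule="$rule --dport $port"; fi
        echo "$rule -j ACCEPT"
    done
}

trusted_rules "$FW_TRUSTED_NETS"
```

The dry-run output makes the intent of each grant visible: a Samba client is allowed exactly the four NetBIOS/CIFS ports, not every port on the machine. MAC-based filtering is not something these variables express; iptables itself has an `-m mac --mac-source` match, but a MAC address is easily changed by any host on the same segment, so it adds little over the IP-based rules and the service-level authentication the post already plans.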

