Mailinglist Archive: opensuse (3442 mails)
Re: [SLE] Installing SuSE Firewall 2
- From: Bruce Marshall <bmarsh@xxxxxxxxxx>
- Date: Wed, 5 Dec 2001 20:55:16 -0500
- Message-id: <200112060155.fB61tG104015@xxxxxxxxxxxxxxxxx>
On Wednesday 05 December 2001 19:16 pm, Christopher Mahmood wrote:
> * David (dg@xxxxxxxxxxxxxxxxxxxxx) [011205 15:24]:
> > On Wed, 5 Dec 2001 12:19:09 -0800, Christopher Mahmood wrote:
> > >* David (dg@xxxxxxxxxxxxxxxxxxxxx) [011205 12:07]:
> > >>That seems to get it to work, but does not allow any outside
> > >> communication.
> > >
> > >That's a firewall.
> >
> > That's being pedantic - surely you know what I mean.
>
> Yes, but that is what it's supposed to do.
>
Not necessarily.... One advantage of iptables is that it keeps track of
connections made from the 'inside out' and therefore will let the responses
back in. Firewall2 should be much easier to work with in trying to do
special functions from within the firewall... such as using a VPN to some
other machine on the net. It remains aware of what the local machine is
doing with the net and allows it to take place without having to set up
special rules.
> > >Why are you trying to use the SuSEfirewall2 and not the personal
> > > firewall?
> >
> > That was the consensus of the advice here. As I understand it, it uses
> > iptables instead of ipchains, the former being more secure
>
> That's very debatable. In theory, yes iptables has lots of nice
> features like stateful inspection that ipchains doesn't. In
> reality, the 2.4 kernel hasn't seen nearly the amount of abuse that
> 2.2 has and undoubtedly has lots of bugs yet to be found. Unless
> there's a feature of iptables that you must have, I'd
> reconsider. I haven't followed this thread so I'm probably missing
> something, but it sounds like you don't really know much about this
> sort of thing and don't care to--you just want a simple, easy to
> configure firewall so you can get on with actually using your system
> instead of twiddling with a firewall script that is overkill for what
> you need. That is exactly what the personal one is designed for.
>
> > >>Are there any basic settings I can use?
> > >
> > >See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
> >
> > In any case taking the first example which is FW_DEV_EXT="pppo" causes
> > the firewall to fail to load, so the examples cannot be trusted.
>
> That's '0', not an 'o'.
>
> So what you want is to set up your linux box as a firewall and also
> use it to masquerade a private network for your windows machine(s).
> I.e.,
>
> (big bad world)
>
> | __windows 1
>
> (linux box)---<__ windows 2
> ^
> \ (there will be a switch or hub
> there probably)
>
> I don't know what your connection is to outside but I'll assume it's
> DSL or cable modem so that you have two ethernet cards in the
> machine. Then, you should only have to set
>
> FW_DEV_WORLD="eth0" # it might be eth1 depending on the ordering
> # of your cards
> FW_DEV_INT="eth1" # eth0 if FW_DEV_WORLD=eth1
> FW_ROUTE="yes" # this will allow routing between eth1 and eth0
> FW_MASQUERADE="yes"
> FW_MASQ_NETS="192.168.0.0/24"
>
> That last one allows you to have a private class C network for your
> windows machines so your windows machines can use 192.168.0.2
> through 192.168.0.254 with a netmask of 255.255.255.0 and a gateway
> of 192.168.0.1 or whatever ip address on the 192.168.0.0/24 network
> you give the internal interface on the linux box.
>
> The rest you can leave with the default values.
--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall bmarsh@xxxxxxxxxx Bellaire, MI 12/05/01 20:53 +
+----------------------------------------------------------------------------+
"If God had really intended men to fly, he'd make it easier to get to the
airport." - George Winters
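The five FW_* settings quoted above, together with Bruce's point about connection tracking letting "inside out" replies back in, translate fairly directly into iptables rules. The script below is an added example written for this archive page; it is not SuSEfirewall2's own code and the rule set is my reading of what a stateful masquerading gateway with those settings needs, not the script's real output. It only prints the rules, so they can be reviewed before being applied on a real gateway, and it checks the interface names and the FW_MASQ_NETS value first, since a misspelled interface name (the "pppo" from the thread) is exactly the kind of setting that makes the firewall fail to load. The defaults are the values quoted in the thread.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2's own code or output: print the iptables
# rules a stateful masquerading gateway with these FW_* settings would need
# (my reading of the settings, not the real SuSEfirewall2 rule set).
# Nothing is applied; the rules are only printed for review.

FW_DEV_WORLD="${FW_DEV_WORLD:-eth0}"        # interface toward the big bad world
FW_DEV_INT="${FW_DEV_INT:-eth1}"            # interface toward the windows boxes
FW_ROUTE="${FW_ROUTE:-yes}"                 # allow forwarding between the two
FW_MASQUERADE="${FW_MASQUERADE:-yes}"       # NAT the private net behind FW_DEV_WORLD
FW_MASQ_NETS="${FW_MASQ_NETS:-192.168.0.0/24}"

# Interface names are at most 15 characters from a small character set.
# This catches stray punctuation; a plausible-looking typo like "pppo" can
# only be caught against the kernel's list, which is checked when readable.
valid_dev() {
    [ ${#1} -ge 1 ] && [ ${#1} -le 15 ] || return 1
    case "$1" in *[!A-Za-z0-9._:-]*) return 1 ;; esac
    if [ -d /sys/class/net ] && [ ! -d "/sys/class/net/$1" ]; then
        echo "warning: no interface named $1 on this host" >&2
    fi
    return 0
}

# Accept only a.b.c.d/n with each octet 0-255 and prefix 0-32.
valid_cidr() {
    net="${1%/*}"; pfx="${1#*/}"
    [ "$net" != "$1" ] || return 1                  # must contain a slash
    case "$pfx" in ""|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    oldifs="$IFS"; IFS=.; set -- $net; IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Emit the rule set; fails without printing anything if a setting is bad.
gen_rules() {
    valid_dev "$FW_DEV_WORLD" || { echo "bad FW_DEV_WORLD: $FW_DEV_WORLD" >&2; return 1; }
    valid_dev "$FW_DEV_INT" || { echo "bad FW_DEV_INT: $FW_DEV_INT" >&2; return 1; }
    valid_cidr "$FW_MASQ_NETS" || { echo "bad FW_MASQ_NETS: $FW_MASQ_NETS" >&2; return 1; }
    cat <<EOF
# default deny inbound and forwarded traffic, allow the box itself to talk out
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# the "inside out" tracking from the thread: replies to connections this
# box opened come back in, unsolicited packets from $FW_DEV_WORLD do not
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $FW_DEV_INT -j ACCEPT
EOF
    if [ "$FW_ROUTE" = yes ]; then
        cat <<EOF
# same idea for the windows machines behind $FW_DEV_INT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $FW_DEV_INT -o $FW_DEV_WORLD -s $FW_MASQ_NETS -j ACCEPT
EOF
    fi
    if [ "$FW_MASQUERADE" = yes ]; then
        echo "iptables -t nat -A POSTROUTING -s $FW_MASQ_NETS -o $FW_DEV_WORLD -j MASQUERADE"
    fi
}

# When run directly, print the rule set for the current settings.
gen_rules
```

Run it as `FW_DEV_WORLD=eth1 FW_DEV_INT=eth0 sh gen-rules.sh` to see the swapped-card case from the thread; the two ESTABLISHED,RELATED rules are what let a VPN or any other connection started from inside work without a special rule, while the DROP policies keep the outside from starting anything.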