Hi,

On Wednesday 08 May 2002 16:11, Togan Muftuoglu wrote:
> > # Common: smtp domain
> > FW_SERVICES_EXT_TCP="http https pop3 pop3s rsync smtp ssh telnet"
>
> are you really running telnet on your firewall machine and you are
> letting people in then why bother with ssh ?

I have read the FAQ and the README. I have removed the above to read:

FW_SERVICES_EXT_TCP=""

I did this:

# Common: ssh smtp domain
FW_SERVICES_INT_TCP="139"

After reading that '"Masquerading" means that all your internal machines which use services on the internet seem to come from your firewall.' I made sure that I was not letting that happen:

FW_MASQUERADE="no"

And

FW_MASQ_DEV=""

I then stopped the previous test mode and started it again:

/etc/sbin/SuSEfirewall2 test

I got no warnings other than the fact that I was in test mode. When I looked in the log (/var/log/firewall), it was a reassuring block o' gibberish that augured well:

May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2801 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=2802 PROTO=UDP SPT=53 DPT=1070 LEN=141
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=179 TOS=0x00 PREC=0x00 TTL=64 ID=2803 PROTO=UDP SPT=53 DPT=1071 LEN=159
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=2804 PROTO=UDP SPT=53 DPT=1072 LEN=141
May 8 17:50:01 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=2811 PROTO=UDP SPT=53 DPT=1073 LEN=141
May 8 17:50:01 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2812 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:01 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2813 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:02 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=2816 PROTO=UDP SPT=67 DPT=68 LEN=308
May 8 17:50:05 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2823 PROTO=UDP SPT=53 DPT=1073 LEN=126

linux:/var/log # /sbin/SuSEfirewall2 stop

I then stopped the test and started the firewall like this:

/etc/sbin/SuSEfirewall2 start

And it said it did. And I couldn't access the internet!!

QUESTION 1: The FAQ and the config file say this:

# 8.)
# Do you want to autoprotect all running network services on the firewall?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="yes"

Okay, now I have a network running here, over which I must access the internet from another machine which dials and provides IP forwarding and masquerading. It talks to my ISP and I talk to it. Now, this is a TCP/IP network. Does leaving this FW_AUTOPROTECT_SERVICES="yes" DISABLE my TCP/IP and hence stop me from using my local network to access the internet? Or is that just too simple?

TIA,
Nick
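An added example, not from the thread or from SuSEfirewall2 itself: a small parser for the SuSE-FW-* kernel log format shown in the post that groups DROP lines by input device, source address and source port, so that what the anti-spoof rule on eth0 is dropping here (reply traffic from the gateway's DNS port 53 and DHCP port 67) is visible at a glance instead of buried in repeated lines. The sample lines are constructed copies in the same format as the ones in the post; the tag regex and the UDP_LEN field name are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample in the same format as the /var/log/firewall lines in the post
# (DNS replies and one DHCP offer from the gateway, plus one unrelated kernel line).
SAMPLE_LOG = """\
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2801 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=2802 PROTO=UDP SPT=53 DPT=1070 LEN=141
May 8 17:50:02 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=2816 PROTO=UDP SPT=67 DPT=68 LEN=308
May 8 17:50:05 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2823 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:05 linux kernel: some unrelated message
"""

# The rule tag (SuSE-FW-DROP-ANTI-SPOOF, ...) follows "kernel: "; everything
# after it is key=value pairs. Assumed pattern, derived from the posted lines.
TAG_RE = re.compile(r"kernel: (SuSE-FW-[A-Z0-9-]+) (.*)$")

def parse_line(line):
    """Return (tag, fields) for a SuSE-FW line, or None for any other line.

    The line carries LEN= twice (IP total length, then UDP payload length);
    the second occurrence is stored as UDP_LEN so the first is not lost.
    """
    m = TAG_RE.search(line)
    if m is None:
        return None
    tag, rest = m.groups()
    fields = {}
    for token in rest.split():
        key, _, value = token.partition("=")   # "OUT=" yields an empty value
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = value
    return tag, fields

def summarise_drops(log_text):
    """Count DROP lines by (tag, input device, source address, protocol, source port).

    Keying on the source port rather than the client's ephemeral destination
    port makes reply traffic obvious: DNS answers come from SPT=53, DHCP from 67.
    """
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or "DROP" not in parsed[0]:
            continue
        tag, f = parsed
        counts[(tag, f.get("IN"), f.get("SRC"), f.get("PROTO"), f.get("SPT"))] += 1
    return counts
```

Running `summarise_drops` over the real /var/log/firewall shows which source ports the drops cluster on, which is the first thing to check before touching FW_AUTOPROTECT_SERVICES.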