Mailinglist Archive: opensuse (4288 mails)

Re: [SLE] Firewall Redux
  • From: Nick Selby <php@xxxxxxxxxxxxx>
  • Date: Wed, 8 May 2002 18:48:53 +0200
  • Message-id: <200205081848.53245.php@xxxxxxxxxxxxx>
Hi,
I hope we're almost there and appreciate the advice so far.

And your comment not to give up.

I have to leave the office in a few minutes for a couple of hours...

On Wednesday 08 May 2002 18:40, Togan Muftuoglu wrote:
> * Nick Selby; <php@xxxxxxxxxxxxx> on 08 May, 2002 wrote:
> >that I was not letting that happen:
> >
> >FW_MASQUERADE="no"
>
> set this to "yes"
>
> >FW_MASQ_DEV=""
>
> set this $DEV_WORLD
>
> and set the MASQ_NETS to your network scheme and try again

Er... My network scheme?

# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A target network, protocol and service is appended by a comma to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.

So if my machines all have a 192.168.X.X in there, how would I enter that?
With 192.0.0.0? I have several machines connected on the network with Samba
allowing the Windows machine to talk to me. All of us are connected to a SuSE
7.2 machine running the ISDN and the masq/IP forward.


>
> >QUESTION 1:
> >The FAQ and the config file say this:
> ># If set to "yes", all network access to services TCP and UDP on this machine
> ># will be prevented (except to those which you explicitly allow, see below:
> ># FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
> >#
> ># Choice: "yes" or "no", defaults to "yes"
> >#
> >FW_AUTOPROTECT_SERVICES="yes"
> >
> >
> >Okay, now I have a network running here, over which I must access the
> > internet from another machine which dials and provides IP forwarding and
> > masquerading. It talks to my ISP and I talk to it. Now, This is a TCP/IP
> > network.
> >
> >Does leaving this FW_AUTOPROTECT_SERVICES="yes" DISABLE my TCP/IP and
> > hence stop me from using my local network to access the internet? Or is
> > that just too simple?
>
> No. When you say autodetect, SuSEfirewall2 basically runs netstat and lsof and
> a combination of awk and shell scripts to find out the services that you are
> running on the firewall machine, like smtp, ssh, ftp, www, and protects them
> by default. If you define the services at FW_SERVICES_EXTERNAL_TCP="ssh", for
> instance, it will let access to ssh; otherwise everything is protected.
> Actually pretty neat.

Ah. Funny you should mention that because I foresaw a day when I'd like to SSH
into it and added that!!
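To make the FW_MASQ_NETS syntax quoted above concrete, here is an added example. It is my own illustration, not SuSEfirewall2's code and not part of this mail: it parses entries of the form host/net[,target][,proto,ports] exactly as the config comment describes them and prints the kind of iptables FORWARD and POSTROUTING/MASQUERADE rules a masquerading gateway needs for each entry (a simplification of what the real script generates). The interface names ippp0 (ISDN, world side) and eth0 (LAN side) are assumed. It also checks whether a given LAN client address falls inside an entry's source network, which is the point of the poster's question: a bare "192.0.0.0" is a single host (/32), while "192.168.0.0/16" covers every 192.168.x.x address.

```python
"""Turn SuSEfirewall2-style FW_MASQ_NETS entries into iptables rules.

Hypothetical helper written for this thread; it is not the SuSEfirewall2
script.  Entry syntax follows the config comment quoted in the mail:

    host/net[,target_net][,proto,ports]

e.g. "10.0.0.0/8", "10.0.1.0/24,0/0,tcp,80", "10.0.1.0/24,tcp,1024:65535".
"""
import ipaddress

WORLD_DEV = "ippp0"  # assumed ISDN dial-up interface (not from the mail)
INT_DEV = "eth0"     # assumed internal LAN interface (not from the mail)


def parse_entry(entry):
    """Split one entry into (source, target, proto, ports).

    target defaults to "0/0" (anywhere); proto/ports are None when the entry
    carries no service restriction, meaning everything is allowed.
    """
    parts = entry.split(",")
    source = parts[0]
    target, proto, ports = "0/0", None, None
    rest = parts[1:]
    # An optional target network comes before the optional proto,ports pair.
    if rest and rest[0] not in ("tcp", "udp"):
        target = rest.pop(0)
    if rest:
        if len(rest) != 2 or rest[0] not in ("tcp", "udp"):
            raise ValueError(f"malformed FW_MASQ_NETS entry: {entry!r}")
        proto, ports = rest
    return source, target, proto, ports


def normalize_net(net):
    """Map the config's '0/0' shorthand and bare hosts to ip_network objects.

    A bare address such as '192.0.0.0' becomes a /32, i.e. one host only.
    """
    if net == "0/0":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(net, strict=False)


def masq_rules(masq_nets):
    """Return the iptables commands (as strings) for a FW_MASQ_NETS value."""
    rules = []
    for entry in masq_nets.split():
        src, dst, proto, ports = parse_entry(entry)
        match = f"-s {normalize_net(src)} -d {normalize_net(dst)}"
        if proto:
            match += f" -p {proto} --dport {ports}"
        # Allow the forwarded traffic, then source-NAT it on the world interface.
        rules.append(
            f"iptables -A FORWARD -i {INT_DEV} -o {WORLD_DEV} {match} -j ACCEPT"
        )
        rules.append(
            f"iptables -t nat -A POSTROUTING -o {WORLD_DEV} {match} -j MASQUERADE"
        )
    return rules


def covers(masq_nets, host):
    """True if at least one entry's source network contains the LAN host."""
    addr = ipaddress.ip_address(host)
    return any(
        addr in normalize_net(parse_entry(e)[0]) for e in masq_nets.split()
    )


if __name__ == "__main__":
    # Constructed sample: a 192.168.x.x LAN allowed out for www and ftp only.
    nets = "192.168.0.0/16,0/0,tcp,80 192.168.0.0/16,0/0,tcp,21"
    for rule in masq_rules(nets):
        print(rule)
    for candidate in ("192.0.0.0", "192.168.0.0/16"):
        print(candidate, "covers 192.168.1.5:", covers(candidate, "192.168.1.5"))
```

Running it shows why the bare "192.0.0.0" guess would leave the LAN clients unmatched while "192.168.0.0/16" covers them, and what each comma-separated field contributes to the generated rule.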

