Mailinglist Archive: opensuse (4348 mails)

Re: [SLE] SuSe Firewalling and protecting against hackers
  • From: PUTH CHAN CHOTH <choth@xxxxxxxxxxxxxxx>
  • Date: Wed, 02 Oct 2002 09:12:09 +0700
  • Message-id: <3D9A55F8.7C55D80@xxxxxxxxxxxxxxx>
Dear Gurus,

When I log in as root and run the command SuSEconfig, I see the following:
Started the SuSE-Configuration Tool.
Running in full featured mode.
Reading /etc/rc.config and updating the system...
XFree86 not configured yet! No graphical login. Check /etc/X11/XF86Config or
/etc/XF86Config.
Executing /sbin/conf.d/SuSEconfig.alljava...
Executing /sbin/conf.d/SuSEconfig.alsa...
Executing /sbin/conf.d/SuSEconfig.apache...
Executing /sbin/conf.d/SuSEconfig.fonts...
Updating fonts.scale for truetype
Updating fonts.scale for CID
Executing /sbin/conf.d/SuSEconfig.groff...
Executing /sbin/conf.d/SuSEconfig.java...
Executing /sbin/conf.d/SuSEconfig.kdm2...
Executing /sbin/conf.d/SuSEconfig.pam...
Executing /sbin/conf.d/SuSEconfig.pcmcia...
Executing /sbin/conf.d/SuSEconfig.perl...
Executing /sbin/conf.d/SuSEconfig.profiles...
Executing /sbin/conf.d/SuSEconfig.sendmail...

ATTENTION: You have modified /etc/sendmail.cf. Leaving it untouched...
You can find my version in /etc/sendmail.cf.SuSEconfig...

Executing /sbin/conf.d/SuSEconfig.susehilf...
Executing /sbin/conf.d/SuSEconfig.susewm...
Executing /sbin/conf.d/SuSEconfig.ypclient...
Processing index files of all manpages...
Finished.

And then when I run the command /sbin/SuSEfirewall start, I see the following:
The firewall script needs to know the external (internet) interface!
SuSEfirewall: clearing rules now ... done

My eth1 is connected to the Internet and eth0 is connected to the LAN. I would
like to configure my firewall so that the LAN is able to use Squid on port
3128, WWW:80, SMTP:25, POP3:110 and SSH:22, and outsiders are able to access
only WWW:80 and SMTP:25.

My /etc/rc.config.d/firewall.rc.config is the following:
# Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Marc Heuse <marc@xxxxxxx>, 1999,2000
# Please contact me directly if you find bugs.
#
# If you have problems getting this tool configured, please read this file
# carefully and take also a look into /usr/share/doc/packages/SuSEfirewall/EXAMPLES !
#
# If you are running SuSE < 7.0 then copy the ip-up script from
# /usr/share/doc/packages/SuSEfirewall/ip-up to /etc/ppp/ip-up !
#
# /etc/rc.config.d/firewall.rc.config
#
# for use with /sbin/SuSEfirewall version 4.2
#
# ------------------------------------------------------------------------
#
# PLEASE NOTE THE FOLLOWING:
#
# Just by configuring these settings and using the SuSEfirewall you are
# not secure per se! There is *not* such a thing you install and hence you
# are saved from all (security) hazards.
#
# To ensure your security, you need also:
#
# * Secure all services you are offering to untrusted networks (internet)
# You can do this by using software which has been designed with
# security in mind (like postfix, apop3d, ssh), setting these up without
# misconfiguration and praying that they have got really no holes.
# SuSEcompartment can help in most circumstances to reduce the risk.
# * Do not run untrusted software. (philosophical question, can you trust
# SuSE or any other software distributor?)
# * Harden your server(s) with the harden_suse package/script
# * Recompile your kernel with the openwall-linux kernel patch
# (former secure-linux patch, from Solar Designer) www.openwall.com
# * Check the security of your server(s) regularly
# * If you are using this server as a firewall/bastion host to the internet
# for an internal network, try to run proxy services for everything and
# disable routing on this machine.
# * If you run DNS on the firewall: disable untrusted zone transfers and
# either don't allow access to it from the internet or run it split-brained.
#
# Good luck!
#
# Yours,
# SuSE Security Team
#
# ------------------------------------------------------------------------
#
# Note: For 2.4 kernels, you need to have ipchains support enabled.
# Compile it statically into the kernel or have the ipchains module
# loaded. The SuSEfirewall_init script tries to do it for you.
#
# ------------------------------------------------------------------------
# Configuration HELP:
#
# If you have got any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall/EXAMPLES for an example.
#
#
# All types have to set START_FW in /etc/rc.config to "yes" ;-)
#
# If you are running SuSE <= 6.4 then copy the ip-up script from
# /usr/share/doc/packages/SuSEfirewall/ip-up to /etc/ppp/ip-up !
#
# If you are an end-user who is NOT connected to two networks you just have to
# reconfigure (all other settings are OK): 2), and maybe 9), 11), and 18).
#
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to set up your proxies and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 10), 11)
# 12), 14) and 18).
#
# If this server is a firewall, and should do routing/masquerading between
# the untrusted and the trusted network, you have to reconfigure (all other
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 15), 18).
#
# If you want to run a DMZ in either of the above three standard setups, you
# just have to config 4), 9), 13) and maybe 19).
#
# If you know what you are doing, you may also change 8), 16), 17), 18)
# and the expert options 20), 21), 22) at the far end, but you should NOT.
#
# If you use diald or ISDN autodialing, you might want to set 18).
#
# To get programs like traceroutes to your firewall to work is a bit tricky,
# you have to set the following options to "yes" : 11 (UDP only), 19 and 20.
#
# If you want to load the full firewall rules for an interface even if it's not
# available, configure a static IP and netmask (see 2, 3 and 4 for an example).
#
# Please note that if you use service names, that they exist in /etc/services.
# There is no service "dns", it's called "domain"; email is called "smtp" etc.
#
# *Any* routing between interfaces except masquerading requires to set FW_ROUTE
# to "yes" and use FW_FORWARD_TCP and/or FW_FORWARD_UDP.
#
# If you just want to do masquerading without filtering, ignore this script
# and run this line (exchange "ippp0" with your masquerade/external interface):
# ipchains -A forward -j MASQ -i ippp0
#
# ------------------------------------------------------------------------

#
# 1.)
# Should the Firewall be started?
#
# This setting is done in /etc/rc.config (START_FW="yes")
#################
#START_FW="yes"
# I have already configured START_FW="yes" in /etc/rc.config so I commented this out
#################
#
# 2.)
# Which is the interface that points to the internet?
#
# Enter all the network devices here which are untrusted.
#
# Choice: any number of devices, separated by a space
# e.g. "eth0", "ippp0 ippp1"
#
#FW_DEV_WORLD=""
#######################
#FW_DEV_WORLD="eth1"
#######################
#
# You *may* configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_WORLD_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
# You will still need to set FW_DEV_WORLD first!
#
#FW_DEV_WORLD_ippp0="10.0.0.1 255.255.255.0" # e.g. for external interface ippp0
#
# 3.)
# Which is the interface that points to the internal network?
#
# Enter all the network devices here which are trusted.
# If you are not connected to a trusted network (e.g. you have just a
# dialup) leave this empty.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1" or ""
#
FW_DEV_INT=""
###########################
#FW_DEV_INT="eth0"
###########################
#
# You may configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_INT_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
# You will still need to set FW_DEV_INT first!
#
#FW_DEV_INT_eth0="192.168.1.1 255.255.255.0" # e.g. for internal interface eth0
##############################################
#FW_DEV_INT_eth0="192.168.110.2 255.255.255.0"
##############################################
#
# 4.)
# Which is the interface that points to the dmz network?
#
# Enter all the network devices here which point to the dmz.
# A "dmz" is a special, separated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services,
# e.g. WWW, Mail, etc. and hence are at risk from attacks.
# See /usr/share/doc/packages/SuSEfirewall/EXAMPLES for an example.
#
# Special note: You have to configure FW_FORWARD_TCP and FW_FORWARD_UDP to
# define the services which should be available to the internet and set
# FW_ROUTE to yes.
# Very special note: servers/networks in FW_MASQ_NETS may access the DMZ to
# the same extent they are allowed to access the internet! No FW_FORWARD_*
# needed ...
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1" or ""
#
FW_DEV_DMZ=""
#
# You may configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_DMZ_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
# You will still need to set FW_DEV_DMZ first!
#
#FW_DEV_DMZ_eth1="192.168.1.1 255.255.255.0" # e.g. for dmz interface eth1

#
# 5.)
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
#
# You need only set this to yes, if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but this is not
# a good idea). This option supersedes IP_FORWARD from /etc/rc.config!
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD_TCP and/or
# FW_FORWARD_UDP to define what is allowed to be forwarded!
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ROUTE="no"

#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT, FW_ROUTE
#
# "Masquerading" means that all your internal machines which use services on
# the internet seem to come from your firewall.
# Please note that it is more secure to communicate via proxies to the
# internet than masquerading
#
# Choice: "yes" or "no", defaults to "no"
#
FW_MASQUERADE="no"
#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxies on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Please note this config changed in firewals-2.3: You may either use just
# hosts/nets to allow all traffic from them to the internet, or use an extended
# syntax, to restrict internet access to certain services!
#
# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A protocol and service is appended by a comma to the host/network.
# e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with unrestricted access
# "10.0.1.0/24,tcp,80 10.0.1.0/24,tcp,21" allows the 10.0.1.0 network to use
# www/ftp to the internet. "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# You may NOT set this variable to "0/0" !
#
FW_MASQ_NETS=""
#
# If you want (and you should) you may also set the FW_MASQ_DEV option, to
# specify the outgoing interface to masquerade on. (You would normally use
# the external interface(s), the FW_DEV_WORLD device(s), e.g. "ippp0")
#
FW_MASQ_DEV="$FW_DEV_WORLD" # e.g. "ippp0" or "$FW_DEV_WORLD"

#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will be also affected from the
# FW_AUTOPROTECT_GLOBAL_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_PROTECT_FROM_INTERNAL="yes"
##############################
#FW_PROTECT_FROM_INTERNAL="no"
##############################
#
# 8.)
# Do you want to autoprotect all global running services?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# which are not bound to a special IP address will be prevented (except to
# those which you explicitly allow, see below: FW_*_SERVICES_*)
# Example: "0.0.0.0:23" would be protected, but "10.0.0.1:53" not.
#
# Choice: "yes" or "no", defaults to "yes"
#
##########################
#FW_AUTOPROTECT_GLOBAL_SERVICES="yes" # "yes" is a good choice
###############################
#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall)
#
# Enter all ports or known portnames below, separated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXTERNAL_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this, from 1 to 10: "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
FW_SERVICES_EXTERNAL_TCP="" # Common: smtp domain
FW_SERVICES_EXTERNAL_UDP="" # Common: domain
FW_SERVICES_EXTERNAL_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain syslog
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INTERNAL_TCP="" # Common: ssh smtp domain
FW_SERVICES_INTERNAL_UDP="" # Common: domain syslog
FW_SERVICES_INTERNAL_IP="" # For VPN/Routing which END at the firewall!!

#
# 10.)
# Which services should be accessible from trusted hosts/nets on the internet?
#
# Define trusted networks on the internet, and the TCP and/or UDP services
# they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1", "172.20.0.0/16"
#
#FW_TRUSTED_NETS=""
###################################
#FW_TRUSTED_NETS="192.168.110.0/24"
###################################
#
# leave FW_SERVICES_TRUSTED_* empty or any number of ports, known portnames
# (from /etc/services) and port ranges separated by a space.
# e.g. "25", "ssh", "1:65535", "1 3:5"
#
FW_SERVICES_TRUSTED_TCP="" # Common: ssh
FW_SERVICES_TRUSTED_UDP="" # Common: syslog time ntp
FW_SERVICES_TRUSTED_IP="" # For VPN/Routing which END at the firewall!!

#
# 11.)
# How is access allowed to high (unprivileged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that if you want to use normal (active) ftp, you have to set the TCP
# option to ftp-data. If you use passive ftp, you don't need that.
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXTERNAL_UDP ...).
#
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" # Common: "ftp-data" (sadly!)
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" # Common: "DNS" or "domain ntp"

#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won't work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
#
FW_SERVICE_DNS="no" # if yes, FW_SERVICES_*_TCP needs to have port 53
# (or "domain") set to allow incoming queries.
# also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DHCLIENT="no" # if you use dhclient to get an ip address
# you have to set this to "yes" !
FW_SERVICE_DHCPD="no" # set to "yes" if this server is a DHCP server
FW_SERVICE_SAMBA="no" # set to "yes" if this server uses samba as client
# or server. As a server, you still have to set
# FW_SERVICES_{EXTERNAL,DMZ,INTERNAL}_TCP="139"
# Everyone may send you udp 137/138 packets if set
# to yes! (samba on the firewall is not a good idea!)

#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were assigned to
# you by your ISP. This opens a direct link to your network, so only use
# this option for access to your dmz!!!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forwarding rules, each separated by a space.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port (or IP protocol), separated by a comma (","), e.g.
# "4.0.0.0/8,1.1.1.1,22" [means: net 4.0.0.0 with netmask 255.0.0.0 is
# allowed to connect to the single server 1.1.1.1 on port 22 (which is SSH)]
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
# For FW_FORWARD_IP it is "4.0.0.0/8,1.1.1.1,igmp" or "4.0.0.0/8,1.1.1.1,1"
#
FW_FORWARD_TCP="" # Beware to use this!
FW_FORWARD_UDP="" # Beware to use this!
FW_FORWARD_IP="" # Beware to use this!

#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE, FW_MASQUERADE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP addresses!
# Hint: if FW_MASQ_DEV is set to the external interface you have to set
# FW_FORWARD_* from internal to DMZ for the service as well!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, each separated by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination IP
# (dmz/intern) and 3) destination port, separated by a comma (","), e.g.
# "4.0.0.0/8,1.1.1.1,22",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
FW_FORWARD_MASQ_TCP="" # Beware to use this!
FW_FORWARD_MASQ_UDP="" # Beware to use this!
# it is not possible to masquerade other IP protocols, hence no _IP variable

#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, separated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) original destination port and 4) local port to redirect the traffic to,
# separated by a comma. e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080"
#
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
#####################################################
#FW_REDIRECT_TCP="192.168.110.0/24,0/0,80,3128 0/0,192.168.110.2,80,3128"
#FW_REDIRECT_TCP="192.168.110.0/24,0/0,3128,3128"
#####################################################
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also the set log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"

#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_KERNEL_SECURITY="yes"

#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might leave your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choices "yes" or "no", defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet?
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"

##
# END of rc.firewall
##

#-------------------------------------------------------------------------#
# EXPERT OPTIONS - all others please don't change these!                  #
#-------------------------------------------------------------------------#

#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="no"

#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

#
# 22.)
# Which masquerading modules should be loaded?
# REQUIRES: FW_ROUTE, FW_MASQUERADE
#
# (omit the path or "ip_masq_" prefix as well as the ".o" suffix!)
#
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"

#
# 23.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall-custom.rc.config"

Thank you so much for your assistance.

Best regards,

Choth



jaakko tamminen wrote:

> Hi
>
> In Your previous e-mail You said:
> > > > FW_DEV_EXT="eth1"
> So the external interface is defined... Maybe You need to run "SuSEconfig" as
> root, and then try again.
>
> If You want to stop the firewall, it is best done with "SuSEfirewall stop".
> There is nothing against that You "flush" them manually with "-F" option, but
> the script is only one simple command. It actually uses the "-F" for clearing
> the firewall rules.
>
> If You want to check the firewall, one good place is http://www.grc.com,
> select "shields up", then again find "shields up", then select "test my
> shields", wait for output, and run also "probe my ports".
>
> This will give You quite good indication of Your protection level.
>
> But to go more deep into protecting Your system, this is just the beginning...
>
> Enjoy!
>
> Jaska.
>
> On Tuesday 01 October 2002 13:27, PUTH CHAN CHOTH wrote:
> > Dear Gurus,
> >
> > When I do what I said and then I fire the following command:
> > $ /sbin/SuSEfirewall start
> > and it says:
> > The firewall script needs to know the external (internet) interface!
> > SuSEfirewall: clearing rules now ... done
> >
> > How to clear the firewall, I mean when I use ipchains I fire the command:
> > $ipchains -F
> > $ipchains -X
> > But what about SuSE, is it
> > $ /sbin/SuSEfirewall stop
> >
> > How can I know that when I use this firewall and my ports are not open to
> > the outside world again? Thank you so much for your assistance.
> >
> > Regards,
> >
> > Choth

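As an added example (not code from the thread or from SuSEfirewall itself), a shell check that sources a firewall.rc.config-style file and flags the settings the file's own comments warn about, including the empty FW_DEV_WORLD behind the "needs to know the external (internet) interface" message. The two sample configs and the stand-in services file are constructed; the variable meanings are taken from the comments in the posted file.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight lint for a SuSEfirewall
# firewall.rc.config that reports the settings its own comments warn about
# (sections 2, 7, 11 and the header note on /etc/services).
# Constructed sample of the poster's setup (eth1 = internet, eth0 = LAN) as it
# stood in the thread: FW_DEV_WORLD commented out, high ports open to everyone,
# plus the non-existent service name "dns".
BROKEN_CFG=$(mktemp)
cat >"$BROKEN_CFG" <<'EOF'
#FW_DEV_WORLD="eth1"
FW_DEV_INT="eth0"
FW_PROTECT_FROM_INTERNAL="yes"
FW_SERVICES_EXTERNAL_TCP="www smtp"
FW_SERVICES_EXTERNAL_UDP="dns"
FW_SERVICES_INTERNAL_TCP="3128 www smtp pop3 ssh"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
EOF

# Constructed corrected version for the goal stated in the thread: LAN gets
# squid 3128, www, smtp, pop3, ssh; the internet only www and smtp; high ports
# closed except UDP replies from the configured nameservers ("DNS").
FIXED_CFG=$(mktemp)
cat >"$FIXED_CFG" <<'EOF'
FW_DEV_WORLD="eth1"
FW_DEV_INT="eth0"
FW_PROTECT_FROM_INTERNAL="yes"
FW_SERVICES_EXTERNAL_TCP="www smtp"
FW_SERVICES_EXTERNAL_UDP=""
FW_SERVICES_INTERNAL_TCP="3128 www smtp pop3 ssh"
FW_SERVICES_INTERNAL_UDP="domain"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
EOF

# Constructed stand-in for /etc/services so the check runs offline.
SERVICES_FILE=$(mktemp)
cat >"$SERVICES_FILE" <<'EOF'
ssh      22/tcp
smtp     25/tcp
domain   53/udp
www      80/tcp   http
pop3     110/tcp
EOF

# fw_findings CFG SERVICES: source CFG in a subshell, print one finding per line.
fw_findings() (
    services=$2
    . "$1"
    # Section 2: without FW_DEV_WORLD the script aborts, as seen in the thread.
    [ -n "$FW_DEV_WORLD" ] || echo "FW_DEV_WORLD is empty: SuSEfirewall will refuse to start"
    # Section 7: FW_SERVICES_INTERNAL_* only restricts the LAN when this is "yes".
    [ "$FW_PROTECT_FROM_INTERNAL" = "yes" ] || echo "FW_PROTECT_FROM_INTERNAL is not yes: the LAN can reach every service on the firewall"
    # Section 11: "yes" lets any host reach ports above 1023 on the firewall.
    [ "$FW_ALLOW_INCOMING_HIGHPORTS_TCP" != "yes" ] || echo "FW_ALLOW_INCOMING_HIGHPORTS_TCP=yes: anyone may reach TCP ports above 1023"
    [ "$FW_ALLOW_INCOMING_HIGHPORTS_UDP" != "yes" ] || echo "FW_ALLOW_INCOMING_HIGHPORTS_UDP=yes: anyone may reach UDP ports above 1023"
    # Header note: service names must exist in /etc/services ("domain", not "dns").
    for name in $FW_SERVICES_EXTERNAL_TCP $FW_SERVICES_EXTERNAL_UDP \
                $FW_SERVICES_INTERNAL_TCP $FW_SERVICES_INTERNAL_UDP; do
        case $name in
            *[!0-9:]*) grep -q "^$name[[:space:]]" "$services" \
                || echo "service name '$name' not found in $services" ;;
        esac
    done
    true
)

# fw_lint CFG [SERVICES]: print findings; return 1 if there are any, else 0.
fw_lint() {
    out=$(fw_findings "$1" "${2:-/etc/services}")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
fw_lint "$BROKEN_CFG" "$SERVICES_FILE" || echo "broken config: fix the findings above"
fw_lint "$FIXED_CFG" "$SERVICES_FILE" && echo "fixed config: no findings"
```

Run it against the real file with `fw_lint /etc/rc.config.d/firewall.rc.config` (the second argument defaults to the system's /etc/services).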
