Mailinglist Archive: opensuse (3506 mails)

Re: [SLE] Firewall zones
  • From: Paul Abrahams <abrahams@xxxxxxx>
  • Date: Tue, 26 Sep 2006 21:58:34 +0000 (UTC)
  • Message-id: <200609261758.19246.abrahams@xxxxxxx>
On Tuesday 26 September 2006 5:01 pm, Theo v. Werkhoven wrote:
> Mon, 25 Sep 2006, by abrahams@xxxxxxx:
> > I want to configure the SuSE firewall so that communication within my LAN
> > is uninhibited but communication outside the LAN is fully protected.
> > Looking at the firewall configuration in Yast, I see that the external
> > zone is protected but the internal zone is not. However, I don't see how
> > to specify that the internal zone consists of hosts with addresses
> > 192.168.0.x. This would seem to be a pretty common requirement.
>
> Please be more specific about your setup. Do you have a network-card
> with an alias IP address or something?

My network card is assigned its IP address by the router using DHCP.
Incoming traffic is processed using Network Address Translation. I have
several Linux machines with this setup, each cabled to the router.

> > It appears that the firewall configurator can specify that an interface
> > is external or internal, but I have only one interface (network card).
> > It connects to the LAN and to the router; the router in turn talks to the
> > world. It's a very common setup.

I should have phrased this better. The network card is cabled to the router,
which on its external side is cabled to a broadband modem.
>
> Perhaps, but that doesn't make it the best setup.
> Having your LAN systems on the same segment and IP range as the
> "firewall" means that there's nothing between the Internet and the
> 'other' systems, except the router's rules for port-forwarding etc.

The router (a standard D-Link 4-porter) has an internal net address of
192.168.0.1 and assigns the computers on the LAN addresses of the form
192.168.0.x. Seen externally, it has an IP address assigned by Comcast, my
broadband provider, also using DHCP, which Comcast requires.

All the systems on the LAN are supposed to have the same firewall protection,
using SuSE firewall (or in some cases the Windows firewall). So each machine
has two levels of protection: the router, which itself provides pretty good
protection, and the firewall on the individual machine. The main weakness of
the router firewall is that it doesn't filter outgoing packets, only incoming
ones.

> If you want to have a better protection I'd look for a "real" router, that
> can be configured for multiple LAN IP ranges, or setup the Linux
> machine as such.

I'd settle for any degree of protection as long as I can share files with
other machines on the LAN. Sharing could be either with NFS or with Samba.

Thanks for your help.

Paul
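The setup Paul describes (one NIC, DHCP from a NAT router at 192.168.0.1, LAN hosts to be trusted, everything else filtered) can be expressed directly as host-firewall rules. The following is an added example, not something posted in this thread and not SuSEfirewall2's own configuration; it assumes the interface is called eth0, that the LAN is 192.168.0.0/24 as stated in the message, and that plain iptables (which SuSEfirewall2 drives underneath) is available. It only prints the rules unless run with APPLY=1 as root.

```shell
#!/bin/sh
# Added example: iptables ruleset for a single-NIC host that trusts its own
# LAN subnet and drops all other unsolicited inbound traffic.
# Assumptions (not from the thread): interface eth0, LAN 192.168.0.0/24,
# iptables with the state match available.

gen_rules() {
    lan="$1"   # trusted subnet, e.g. 192.168.0.0/24
    dev="$2"   # the single NIC, e.g. eth0
    case "$lan" in
        */*) ;;
        *) echo "usage: gen_rules <subnet/prefix> <iface>" >&2; return 1 ;;
    esac
    # Order matters: loopback and established traffic first, then the LAN
    # grant, then the default drop. Because LAN and Internet packets arrive
    # on the same NIC, the zone decision is made on the source address, not
    # on the interface; that is only safe because the router's NAT keeps
    # Internet hosts from delivering packets with a 192.168.0.x source.
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $dev -s $lan -j ACCEPT
iptables -A INPUT -i $dev -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
iptables -A INPUT -j DROP
EOF
}

# Dry run: print the rules for the subnet and interface from the message.
gen_rules "${LAN:-192.168.0.0/24}" "${DEV:-eth0}"

# Apply for real only on request (needs root).
if [ "${APPLY:-0}" = "1" ]; then
    gen_rules "${LAN:-192.168.0.0/24}" "${DEV:-eth0}" | sh
fi
```

The single `-s 192.168.0.0/24 -j ACCEPT` line is what makes NFS and Samba from other LAN machines work without listing their ports, while a connection that the router port-forwards from the Internet arrives with a public source address and falls through to the DROP. The DHCP rule is there for clients that do not use raw sockets; ISC dhclient bypasses netfilter, so it is harmless either way. With OUTPUT left at ACCEPT this adds nothing to the outgoing filtering the router lacks; tightening OUTPUT is a separate policy decision. In SuSEfirewall2 terms the same intent is usually expressed by setting FW_DEV_EXT to the NIC and listing the subnet in FW_TRUSTED_NETS; check the comments in /etc/sysconfig/SuSEfirewall2 for the exact syntax of your version.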
