Hello community, here is the log from the commit of package SuSEfirewall2 checked in at Wed Mar 29 16:49:19 CEST 2006. -------- --- SuSEfirewall2/SuSEfirewall2.changes 2006-03-06 16:33:04.000000000 +0100 +++ SuSEfirewall2/SuSEfirewall2.changes 2006-03-28 16:20:04.000000000 +0200 @@ -1,0 +2,5 @@ +Tue Mar 28 16:19:52 CEST 2006 - lnussel@suse.de + +- introduce FW_FORWARD_ALWAYS_INOUT_DEV for use with XEN (#154133) + +------------------------------------------------------------------- Old: ---- SuSEfirewall2-3.4_SVNr139.tar.bz2 New: ---- SuSEfirewall2-3.4_SVNr140.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ SuSEfirewall2.spec ++++++ --- /var/tmp/diff_new_pack.EqI8do/_old 2006-03-29 16:48:06.000000000 +0200 +++ /var/tmp/diff_new_pack.EqI8do/_new 2006-03-29 16:48:06.000000000 +0200 @@ -1,5 +1,5 @@ # -# spec file for package SuSEfirewall2 (Version 3.4_SVNr139) +# spec file for package SuSEfirewall2 (Version 3.4_SVNr140) # # Copyright (c) 2006 SUSE LINUX Products GmbH, Nuernberg, Germany. # This file and all modifications and additions to the pristine @@ -12,7 +12,7 @@ # icecream 0 Name: SuSEfirewall2 -Version: 3.4_SVNr139 +Version: 3.4_SVNr140 Release: 1 License: GPL Group: Productivity/Networking/Security 
@@ -205,6 +205,8 @@ rm -rf %{buildroot} %changelog -n SuSEfirewall2 +* Tue Mar 28 2006 - lnussel@suse.de +- introduce FW_FORWARD_ALWAYS_INOUT_DEV for use with XEN (#154133) * Mon Mar 06 2006 - lnussel@suse.de - log and drop multicast packets separately in order to prevent flooding other log targets (#155326) ++++++ SuSEfirewall2-3.4_SVNr139.tar.bz2 -> SuSEfirewall2-3.4_SVNr140.tar.bz2 ++++++ diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.4_SVNr139/EXAMPLES.html new/SuSEfirewall2-3.4_SVNr140/EXAMPLES.html --- old/SuSEfirewall2-3.4_SVNr139/EXAMPLES.html 2006-01-03 11:08:36.000000000 +0100 +++ new/SuSEfirewall2-3.4_SVNr140/EXAMPLES.html 2006-03-28 16:18:35.000000000 +0200 
@@ -1,12 +1,12 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 configuration examples</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.0" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2410433"></a>SuSEfirewall2 configuration examples</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2482864">1. Simple dialup</a></span></dt><dt><span class="section"><a href="#id2482885">2. Small home network</a></span></dt><dt><span class="section"><a href="#id2482907">3. Small home network with additional WLAN</a></span></dt><dt><span class="section"><a href="#id2460290">4. Small company with external mail and web server</a></span></dt><dt><span class="section"><a href="#id2460323">5. Company with IPsec tunnel to subsidiary</a></span></dt><dt><span class="section"><a href="#id2460397">6. Company with web server in DMZ</a></span></dt><dt><span class="section"><a href="#id2459845">7. Complex scenario</a></span></dt><dt><span class="section"><a href="#id2459967">8. 
Laptop in private network but with additional public IP adresses</a></span></dt></dl></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 configuration examples</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2412343"></a>SuSEfirewall2 configuration examples</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2483278">1. Simple dialup</a></span></dt><dt><span class="section"><a href="#id2483299">2. Small home network</a></span></dt><dt><span class="section"><a href="#id2483321">3. Small home network with additional WLAN</a></span></dt><dt><span class="section"><a href="#id2460778">4. Small company with external mail and web server</a></span></dt><dt><span class="section"><a href="#id2460811">5. Company with IPsec tunnel to subsidiary</a></span></dt><dt><span class="section"><a href="#id2460887">6. Company with web server in DMZ</a></span></dt><dt><span class="section"><a href="#id2460309">7. Complex scenario</a></span></dt><dt><span class="section"><a href="#id2460432">8. Laptop in private network but with additional public IP adresses</a></span></dt></dl></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> All options <span class="emphasis"><em>not</em></span> mentioned in a scenario should be left as they are in the default <code class="filename">sysconfig/SuSEfirewall2</code> config file. 
Backup default config: <code class="filename">/usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.sysconfig</code> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2482864"></a>1. Simple dialup</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483278"></a>1. Simple dialup</h2></div></div></div><p> A user with his nice SUSE Linux PC wants to be protected when connected to the internet via the ISDN dialup of his ISP. He wants to offer no services to the internet. He is not connected to any other network, nor @@ -15,7 +15,7 @@ </p><div class="informalexample"><pre class="programlisting"> FW_DEV_EXT="ippp0"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2482885"></a>2. Small home network</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483299"></a>2. Small home network</h2></div></div></div><p> A family owns multiple PCs, a SUSE Linux PC is connected to the internet via DSL. The family's LAN uses private IPs therefore masquerading has to be used. The Firewall provides no services whatsoever. The address of the 
@@ -27,7 +27,7 @@ FW_MASQUERADE="yes" FW_MASQ_NETS="192.168.10.0/24"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2482907"></a>3. Small home network with additional WLAN</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483321"></a>3. Small home network with additional WLAN</h2></div></div></div><p> Same network as above but additionally the Firewall is also connected to a wireless network. Hosts in the wireless network should get internet access but are not allowed to communicate with the internal network. The @@ -41,7 +41,7 @@ FW_MASQUERADE="yes" FW_MASQ_NETS="192.168.10.0/24 192.168.20.0/24"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460290"></a>4. Small company with external mail and web server</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460778"></a>4. Small company with external mail and web server</h2></div></div></div><p> A company uses it's SUSE Linux PC to access the internet via an ISDN dialup of it's ISP. It has got a static IP address and a web server running on the PC plus it's mail-/pop3-server for the company. Squid is 
@@ -56,7 +56,7 @@ FW_SERVICES_INT_UDP="domain" FW_PROTECT_FROM_INT="yes"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460323"></a>5. Company with IPsec tunnel to subsidiary</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460811"></a>5. Company with IPsec tunnel to subsidiary</h2></div></div></div><p> A small company wants access to the internet for it's client PCs. Additionally the subsidiariaries client PCs should get access to the local network through an IPsec tunnel. Internet traffic should be @@ -83,7 +83,7 @@ flow. </p></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460397"></a>6. Company with web server in DMZ</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460887"></a>6. Company with web server in DMZ</h2></div></div></div><p> This company has got a more complex setup: @@ -149,7 +149,7 @@ target port of 53 (DNS) or 25 (Mail) to the local servers on the firewall. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2459845"></a>7. Complex scenario</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460309"></a>7. Complex scenario</h2></div></div></div><p> </p><pre class="screen"> Internet 
@@ -207,7 +207,7 @@ # internet access to web server and trusted company access to internal Server FW_FORWARD_MASQ="0/0,10.0.10.2,tcp,80 0/0,10.0.10.2,tcp,443 \ 192.168.1.0/24,10.0.2.3,tcp,22"</pre></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2459967"></a>8. Laptop in private network but with additional public IP adresses</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460432"></a>8. Laptop in private network but with additional public IP adresses</h2></div></div></div><p> </p><pre class="screen"> Internet diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.4_SVNr139/FAQ.html new/SuSEfirewall2-3.4_SVNr140/FAQ.html --- old/SuSEfirewall2-3.4_SVNr139/FAQ.html 2006-01-03 11:08:39.000000000 +0100 +++ new/SuSEfirewall2-3.4_SVNr140/FAQ.html 2006-03-28 16:18:39.000000000 +0200 
@@ -1,37 +1,37 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.0" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2410433"></a>SuSEfirewall2 FAQ</h1></div></div><hr /></div><div class="qandaset"><dl><dt>1. <a href="#id2459642"> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2412343"></a>SuSEfirewall2 FAQ</h1></div></div><hr /></div><div class="qandaset"><dl><dt>1. <a href="#id2483245"> How do I allow access to my application XYZ on my firewall? - </a></dt><dt>2. <a href="#id2482887"> + </a></dt><dt>2. <a href="#id2483302"> How can I reduce the generated rule set as much as possible? - </a></dt><dt>3. <a href="#id2460331"> + </a></dt><dt>3. <a href="#id2460818"> How can I be sure that the firewall rules are active when I connect to the internet? - </a></dt><dt>4. <a href="#id2460385"> + </a></dt><dt>4. <a href="#id2460873"> How many interfaces are supported for each zone (EXT/DMZ/INT)? - </a></dt><dt>5. <a href="#id2460403"> + </a></dt><dt>5. <a href="#id2460891"> Why is communication between two interfaces in the same zone not working? - </a></dt><dt>6. <a href="#id2459774"> + </a></dt><dt>6. <a href="#id2460920"> I have set a web server in my DMZ. 
How do I configure SuSEfirewall2 to let people on the internet access my pages? - </a></dt><dt>7. <a href="#id2459807"> + </a></dt><dt>7. <a href="#id2460271"> What if my Server has a private IP address, how do I enable external access then? - </a></dt><dt>8. <a href="#id2459855">Some service does not work when the firewall is enabled. How do I find out what's wrong? - </a></dt><dt>9. <a href="#id2459929"> + </a></dt><dt>8. <a href="#id2460318">Some service does not work when the firewall is enabled. How do I find out what's wrong? + </a></dt><dt>9. <a href="#id2460392"> Some web site that offers port scanning claims my system is not protected properly as it still responds to ICMP echo requests (ping) - </a></dt><dt>10. <a href="#id2459952"> + </a></dt><dt>10. <a href="#id2460416"> Can't the evil guys detect whether my host is online if it responds to ICMP echo requests? - </a></dt><dt>11. <a href="#id2459972"> + </a></dt><dt>11. <a href="#id2460436"> SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my machine. Isn't that a security hole? - </a></dt><dt>12. <a href="#id2459993"> + </a></dt><dt>12. <a href="#id2460457"> The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec traffic to a different zone now? - </a></dt><dt>13. <a href="#id2460044"> + </a></dt><dt>13. <a href="#id2460508"> Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? - </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%" /><tbody><tr class="question"><td align="left" valign="top"><a id="id2459642"></a><a id="id2459644"></a><b>1.</b></td><td align="left" valign="top"><p> + </a></dt></dl><table border="0" summary="Q and A Set"><col align="left" width="1%" /><tbody><tr class="question"><td align="left" valign="top"><a id="id2483245"></a><a id="id2483247"></a><b>1.</b></td><td align="left" valign="top"><p> How do I allow access to my application XYZ on my firewall? 
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> @@ -48,7 +48,7 @@ into <code class="varname">FW_SERVICES_EXT_TCP</code> and execute <span><strong class="command">SuSEfirewall2</strong></span> again. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2482887"></a><a id="id2482889"></a><b>2.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2483302"></a><a id="id2483304"></a><b>2.</b></td><td align="left" valign="top"><p> How can I reduce the generated rule set as much as possible? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><div class="itemizedlist"><ul type="disc"><li><p> Set <code class="varname">FW_PROTECT_FROM_INTERNAL</code> to <code class="literal">"no"</code> @@ -65,7 +65,7 @@ Then you will have got much less rules, but also a lesser security. Better spend 50$ on a faster processor and more ram instead of using an old 486 as firewall. - </p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460331"></a><a id="id2460333"></a><b>3.</b></td><td align="left" valign="top"><p> + </p></li></ul></div></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460818"></a><a id="id2460820"></a><b>3.</b></td><td align="left" valign="top"><p> How can I be sure that the firewall rules are active when I connect to the internet? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 
@@ -78,11 +78,11 @@ packet filtering rules are actually installed with the command <span><strong class="command">SuSEfirewall2 status</strong></span> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460385"></a><a id="id2460387"></a><b>4.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460873"></a><a id="id2460875"></a><b>4.</b></td><td align="left" valign="top"><p> How many interfaces are supported for each zone (EXT/DMZ/INT)? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> Any number you want - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460403"></a><a id="id2460405"></a><b>5.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460891"></a><a id="id2460893"></a><b>5.</b></td><td align="left" valign="top"><p> Why is communication between two interfaces in the same zone not working? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> @@ -93,7 +93,7 @@ traffic with <code class="varname">FW_FORWARD</code>. Keep in mind that this affects all interfaces in all zones. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2459774"></a><a id="id2459776"></a><b>6.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460920"></a><a id="id2460922"></a><b>6.</b></td><td align="left" valign="top"><p> I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let people on the internet access my pages? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 
@@ -103,7 +103,7 @@ just configure <code class="varname">FW_FORWARD_TCP</code> like this: </p><div class="informalexample"><pre class="programlisting">FW_FORWARD="0/0,1.1.1.1,tcp,80"</pre></div><p> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2459807"></a><a id="id2459809"></a><b>7.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460271"></a><a id="id2460273"></a><b>7.</b></td><td align="left" valign="top"><p> What if my Server has a private IP address, how do I enable external access then? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> @@ -118,7 +118,7 @@ FW_MASQUERADE="yes" FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80"</pre></div><p> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2459855"></a><a id="id2459857"></a><b>8.</b></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong? + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460318"></a><a id="id2460320"></a><b>8.</b></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> Enable logging of all dropped packets and disable the log limit in 
@@ -146,7 +146,7 @@ If everything works again don't forget to set the log options back to normal to not fill up you log files. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2459929"></a><a id="id2459931"></a><b>9.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460392"></a><a id="id2460394"></a><b>9.</b></td><td align="left" valign="top"><p> Some web site that offers port scanning claims my system is not protected properly as it still responds to ICMP echo requests (ping) </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> 
@@ -155,20 +155,20 @@ seriously impact the ability to track down network problems. It is therefore not considered nice behaviour for an internet citizen to drop pings. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2459952"></a><a id="id2459954"></a><b>10.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460416"></a><a id="id2460418"></a><b>10.</b></td><td align="left" valign="top"><p> Can't the evil guys detect whether my host is online if it responds to ICMP echo requests? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> Yes but they can detect that anyways. The router at your provider behaves different depending on whether someone is dialed in or not. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2459972"></a><a id="id2459975"></a><b>11.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460436"></a><a id="id2460438"></a><b>11.</b></td><td align="left" valign="top"><p> SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my machine. Isn't that a security hole? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> You machine is never fully invisible, see previous question. The purpose of dropping packets is not to hide your machine but to slow down port scans. - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2459993"></a><a id="id2459996"></a><b>12.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460457"></a><a id="id2460459"></a><b>12.</b></td><td align="left" valign="top"><p> The <code class="literal">ipsec0</code> interface I had with kernel 2.4 is gone. How do I assign IPsec traffic to a different zone now? 
</p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> @@ -184,7 +184,7 @@ FW_SERVICES_EXT_UDP="isakmp" FW_PROTECT_FROM_INT="no"</pre></div><p> - </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460044"></a><a id="id2460046"></a><b>13.</b></td><td align="left" valign="top"><p> + </p></td></tr><tr class="question"><td align="left" valign="top"><a id="id2460508"></a><a id="id2460510"></a><b>13.</b></td><td align="left" valign="top"><p> Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore? </p></td></tr><tr class="answer"><td align="left" valign="top"><b></b></td><td align="left" valign="top"><p> diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.4_SVNr139/README.html new/SuSEfirewall2-3.4_SVNr140/README.html --- old/SuSEfirewall2-3.4_SVNr139/README.html 2006-01-03 11:08:42.000000000 +0100 +++ new/SuSEfirewall2-3.4_SVNr140/README.html 2006-03-28 16:18:42.000000000 +0200 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> -<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.0" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2410433"></a>SuSEfirewall2</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2459640">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2482919">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2482924">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2460296">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2460355">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2459800">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2459824">5. Links</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2459640"></a>1. 
Introduction</h2></div></div></div><p> +<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.69.1" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h1 class="title"><a id="id2412343"></a>SuSEfirewall2</h1></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#id2460133">1. Introduction</a></span></dt><dt><span class="section"><a href="#id2483332">2. Quickstart</a></span></dt><dd><dl><dt><span class="section"><a href="#id2483337">2.1. YaST2 firewall module</a></span></dt><dt><span class="section"><a href="#id2460784">2.2. Manual configuration</a></span></dt></dl></dd><dt><span class="section"><a href="#id2460842">3. Some words about security</a></span></dt><dt><span class="section"><a href="#id2460264">4. Reporting bugs</a></span></dt><dt><span class="section"><a href="#id2460288">5. Links</a></span></dt></dl></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460133"></a>1. Introduction</h2></div></div></div><p> <code class="literal">SuSEfirewall2</code> is a shell script wrapper for the Linux firewall setup tool (<code class="literal">iptables</code>). It's controlled by a 
@@ -12,14 +12,14 @@ </p><div class="itemizedlist"><ul type="disc"><li><p>sets up secure filter rules by default</p></li><li><p>easy to configure</p></li><li><p>requires only a small configuration effort</p></li><li><p>zone based setup. Interfaces are grouped into zones</p></li><li><p>supports an arbitrary number of zones</p></li><li><p>supports forwarding, masquerading, port redirection</p></li><li><p>supports RPC services with dynamically assigned ports</p></li><li><p>allows special treatment of IPsec packets</p></li><li><p>IPv6 support (no forwarding/masquerading)</p></li><li><p>allows insertion of custom rules through hooks</p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2482919"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2482924"></a>2.1. YaST2 firewall module</h3></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2483332"></a>2. Quickstart</h2></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2483337"></a>2.1. YaST2 firewall module</h3></div></div></div><p> The YaST2 firewall module is the recommended tool for configuring SuSEfirewall2. It offers the most common features with a nice user interface and help texts. It also takes care of proper activation of the init scripts. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2460296"></a>2.2. Manual configuration</h3></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="id2460784"></a>2.2. Manual configuration</h3></div></div></div><p> Enable the SuSEfirewall2 boot scripts: 
@@ -37,7 +37,7 @@ <code class="filename">EXAMPLES</code> file in <code class="filename">/usr/share/doc/packages/SuSEfirewall2</code> - </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460355"></a>3. Some words about security</h2></div></div></div><p> + </p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460842"></a>3. Some words about security</h2></div></div></div><p> SuSEfirewall2 is a frontend for iptables which sets up kernel packet filters, nothing more and nothing less. This means that you are not 
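Review bot: the README.html hunks (and likewise the EXAMPLES.html and FAQ.html hunks above) change nothing but DocBook-generated anchor ids (id2460355 becoming id2460842, and so on) and the generator meta tag from "DocBook XSL Stylesheets V1.69.0" to V1.69.1, so they carry no content and make the real change harder to find; either regenerate the shipped HTML with the same toolchain as the previous tarball, or leave the generated files out of the source tarball and build them in the spec, so that a one-function change does not arrive with three files of id churn.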
@@ -76,13 +76,13 @@ Check your log files regularly for unusual entries. </p></li></ul></div><p> - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2459800"></a>4. Reporting bugs</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460264"></a>4. Reporting bugs</h2></div></div></div><p> Report any problems via <a href="http://www.suse.de/feedback" target="_top">http://www.suse.de/feedback</a>. For discussion about SuSEfirewall2 join the <a href="http://www.suse.com/us/private/support/online_help/mailinglists/index.html" target="_top">suse-security</a> mailinglist. - </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2459824"></a>5. Links</h2></div></div></div><p> + </p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="id2460288"></a>5. Links</h2></div></div></div><p> <a href="EXAMPLES.html" target="_top">Examples</a> </p><p> <a href="FAQ.html" target="_top">Frequently Asked Questions</a> diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.4_SVNr139/SuSEfirewall2 new/SuSEfirewall2-3.4_SVNr140/SuSEfirewall2 --- old/SuSEfirewall2-3.4_SVNr139/SuSEfirewall2 2006-03-06 16:30:49.000000000 +0100 +++ new/SuSEfirewall2-3.4_SVNr140/SuSEfirewall2 2006-03-28 16:17:06.000000000 +0200 @@ -570,6 +570,16 @@ done } +xen_forward_hack() +{ + local dev iptables + for iptables in "$IPTABLES" "$IP6TABLES"; do + for dev in $FW_FORWARD_ALWAYS_INOUT_DEV; do + $iptables -A FORWARD -i $dev -o $dev -j ACCEPT + done + done +} + function set_basic_rules() { load_modules ip_tables ip_conntrack $FW_LOAD_MODULES 
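Review bot: the rule added in xen_forward_hack(), `$iptables -A FORWARD -i $dev -o $dev -j ACCEPT`, accepts every forwarded packet that enters and leaves on a listed interface with no source, destination, protocol or state match, so for a Xen bridge it means all guest traffic crossing that bridge is passed unfiltered; that is presumably the intent for #154133, but it should be spelled out in a comment above the function, and the target should be the script's `"$ACCEPT"` as used by the neighbouring rules in set_basic_rules (`$IP6TABLES -A INPUT -j "$ACCEPT" -i lo`) rather than the literal ACCEPT, so that whatever $ACCEPT maps to (logging or otherwise) applies here too. Two style points on the same hunk: the definition is written `xen_forward_hack()` while the adjacent one is `function set_basic_rules()`, so pick one form; and the loop `for iptables in "$IPTABLES" "$IP6TABLES"` iterates with an empty string if either variable is ever unset, in which case the body would try to execute `-A FORWARD ...` as a command. The rest of set_basic_rules calls $IP6TABLES unconditionally, so this only needs a guard if that assumption changes, but a `[ -n "$iptables" ] || continue` would be cheap.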
@@ -632,6 +642,8 @@ $IP6TABLES -A INPUT -j "$ACCEPT" -i lo $IP6TABLES -A OUTPUT -j "$ACCEPT" -o lo + xen_forward_hack + # workaround for ip6tables without state matching if [ "$IP6TABLES_HAVE_STATE" != 1 ]; then for itype in $stateless_icmpv6_types $safe_icmpv6_replies; do diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/SuSEfirewall2-3.4_SVNr139/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.4_SVNr140/SuSEfirewall2.sysconfig --- old/SuSEfirewall2-3.4_SVNr139/SuSEfirewall2.sysconfig 2006-03-02 14:44:33.000000000 +0100 +++ new/SuSEfirewall2-3.4_SVNr140/SuSEfirewall2.sysconfig 2006-03-28 16:29:10.000000000 +0200 @@ -950,3 +950,20 @@ # FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp" # FW_LOAD_MODULES= + +## Type: string +## Default: +# +# 33.) +# Bridge interfaces without IP address +# +# Traffic on bridge interfaces like the one used by xen appears to +# enter and leave on the same interface. Add such interfaces here in +# order to install special permitting rules for them. +# +# Format: list of interface names separated by space +# +# Example: +# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0" +# +FW_FORWARD_ALWAYS_INOUT_DEV= ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun...
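Review bot: in the set_basic_rules() hunk, xen_forward_hack is called directly after the loopback accepts and before the ip6tables state workaround, so the bridge accept rules are appended to FORWARD before anything the rest of the run adds and are therefore matched first; that ordering is what makes the feature work, but nothing at the call site says so, and a later refactor that moves the call down would silently break it. Add a one-line comment at the call, e.g. `# must come before any other FORWARD rules, see FW_FORWARD_ALWAYS_INOUT_DEV`. Since the variable defaults to empty, the call is a no-op for every existing configuration, which is the right default.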
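Review bot: the sysconfig hunk for FW_FORWARD_ALWAYS_INOUT_DEV (entry 33) tells the user that "special permitting rules" are installed but not what they are, so a reader cannot tell that listing xenbr0 passes every forwarded packet on that bridge unconditionally, in both directions, without the zone and state checks the rest of the firewall applies; state that plainly (for example "installs an unconditional ACCEPT rule in the FORWARD chain for packets entering and leaving on this interface") and add a warning that it must only be used for interfaces whose traffic is trusted or filtered elsewhere. The heading "Bridge interfaces without IP address" also promises a check the code does not make; nothing in xen_forward_hack() verifies that the interface has no address, so either drop that qualifier or say it describes the intended use rather than a requirement. Finally, `## Default:` is left blank where the other entries presumably show a value; `## Default: ""` would be consistent with the empty assignment at the end of the block.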
participants (1): root@suse.de