[opensuse-factory] SPAM: Warning! SuseFirewall2 by default allow any port for INCOMING!
Let me tell you in these steps (sorry for my bad English):

1. I have 2 NICs: 1 internal and 1 external. The external is using a public IP.
2. On YaST, I check masquerading.
3. External and internal allowed services ONLY listed: http.
4. But my clients can access any outside POP/SMTP server (including Yahoo using Ypops in their local PC), and maybe many other services.

Here I attach the sf2 config file.

I need this feature in YaST:

1. Able to create groups, i.e.: IT group and USER group.
2. Able to assign certain access to groups, i.e.:
   a. IT group can access: www, ftp, pop
   b. USER group can access: www, pop
3. List more services by their name, i.e.: icq instead of typing port 5901, Yahoo Messenger for 5050. Currently only: http, https, pop, pops, etc.

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory-unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory-help@opensuse.org
On Wed, 2006-07-19 at 23:08 -0700, The Nice Spider wrote:
> Let me tell you in these steps (sorry for my bad English): 1. I have 2 NICs: 1 internal and 1 external. The external is using a public IP. 2. On YaST, I check masquerading. 3. External and internal allowed services ONLY listed: http. 4. But my clients can access any outside POP/SMTP server (including Yahoo using Ypops in their local PC), and maybe many other services.

If you want to control _outbound_ access look into using squid, that is what it was designed for. The firewall is designed mainly for _inbound_ access control.

KS
Kenneth Schneider wrote:
> On Wed, 2006-07-19 at 23:08 -0700, The Nice Spider wrote:
>> Let me tell you in these steps (sorry for my bad English): 1. I have 2 NICs: 1 internal and 1 external. The external is using a public IP. 2. On YaST, I check masquerading. 3. External and internal allowed services ONLY listed: http. 4. But my clients can access any outside POP/SMTP server (including Yahoo using Ypops in their local PC), and maybe many other services.
> If you want to control _outbound_ access look into using squid, that is what it was designed for. The firewall is designed mainly for _inbound_ access control.

And here, inbound means the inside of the server itself (hence the http for external _and_ internal branches of the network). Usually any call from the internal branch of the net is accepted (NATted), and any answer to it.

jdd
-- 
http://www.dodin.net
http://dodin.org/galerie_photo_web/expo/index.html
http://lucien.dodin.net
http://fr.susewiki.org/index.php?title=Gérer_ses_photos
On Thu, Jul 20, 2006 at 02:13:19PM +0200, jdd wrote:
>> If you want to control _outbound_ access look into using squid, that is what it was designed for. The firewall is designed mainly for _inbound_ access control.
> And here, inbound means the inside of the server itself (hence the http for external _and_ internal branches of the network)

Inbound normally means from outside of something into something. "Incoming" is perhaps a better or easier word.

So it goes from outside of the server, into the server. Whether this is WAN or LAN is irrelevant. It is perfectly possible to have inbound traffic from WAN to LAN, because you need to look from the point of view of the server.

Is it traffic generated by the server, then it is outbound. If it is traffic for the server, then it is inbound. If the server IS the firewall, then a connection from WAN to LAN will be both inbound and outbound. Client asks the server access on port 80 -> Inbound. Server passes it on to the correct place -> Outbound.

-- 
We all came out to Montreux
On the Lake Geneva shoreline
To make records with a mobile
We didn't have much time
Frank Zappa and the Mothers
Were at the best place around
But some stupid with a flare gun
Burned the place to the ground
houghi wrote:
> On Thu, Jul 20, 2006 at 02:13:19PM +0200, jdd wrote:
>>> If you want to control _outbound_ access look into using squid, that is what it was designed for. The firewall is designed mainly for _inbound_ access control.
>> And here, inbound means the inside of the server itself (hence the http for external _and_ internal branches of the network)
> Inbound normally means from outside of something into something. "Incoming" is perhaps a better or easier word.
> So it goes from outside of the server, into the server. Whether this is WAN or LAN is irrelevant. It is perfectly possible to have inbound traffic from WAN to LAN, because you need to look from the point of view of the server.
> Is it traffic generated by the server, then it is outbound. If it is traffic for the server, then it is inbound. If the server IS the firewall, then a connection from WAN to LAN will be both inbound and outbound. Client asks the server access on port 80 -> Inbound. Server passes it on to the correct place -> Outbound.

You are correct, in essence, but we must try to stay as near as possible to the SUSE words. I already noted that the documentation of SuSEfirewall2 is extremely ambiguous in this respect. There, in and out are defined by the interface number (why not), but the server itself is never defined, so it's very difficult to really understand the thing.

This is very important nowadays, where VPNs make it difficult to identify what machine is in and what is out :-(

Maybe I will work on this, but given my actual agenda, it's not in the near future :-(

jdd
-- 
http://www.dodin.net
http://dodin.org/galerie_photo_web/expo/index.html
http://lucien.dodin.net
http://fr.susewiki.org/index.php?title=Gérer_ses_photos
jdd wrote:
> [...] I already noted that the documentation of SuSEfirewall2 is extremely ambiguous in this respect.

Where? Send patches to me.

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
Ludwig Nussel wrote:
> jdd wrote:
>> [...] I already noted that the documentation of SuSEfirewall2 is extremely ambiguous in this respect.
> Where? Send patches to me.
> cu
> Ludwig

How can I? I don't know the internals of SuSEFirewall2. There is very little doc, mostly the text in the config file, and this is very difficult to understand.

As said elsewhere, I can see many problems here and there, but can't fix all by myself; the others have to do some work :-)

jdd
-- 
http://www.dodin.net
http://dodin.org/galerie_photo_web/expo/index.html
http://lucien.dodin.net
http://fr.susewiki.org/index.php?title=Gérer_ses_photos
houghi wrote:
> [...] Is it traffic generated by the server, then it is outbound. If it is traffic for the server, then it is inbound. If the server IS the firewall, then a connection from WAN to LAN will be both inbound and outbound. Client asks the server access on port 80 -> Inbound. Server passes it on to the correct place -> Outbound.

From iptables' point of view it's neither. Packets not destined for the host itself travel through the FORWARD chain and don't show up in INPUT nor OUTPUT.

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
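Added illustration of the point Ludwig makes here and of the original poster's situation earlier in the thread; this is not code from the thread, from SuSEfirewall2 or from iptables. It is a small Python model of the netfilter routing decision: a packet addressed to one of the firewall's own addresses is judged by INPUT, a packet the firewall generates by OUTPUT, and everything else by FORWARD, where a rule list is evaluated first-match with a chain default policy. The addresses, the `Packet`/`Rule`/`Firewall` names and the rule format are constructed assumptions, and the model ignores the nat table and connection tracking. It replays the poster's setup (only http allowed in INPUT, masquerading with an open FORWARD chain) and then the same setup with a restricted FORWARD chain, which is where an outbound-per-group policy like the one the poster asked for would have to live.

```python
"""Toy model of netfilter chain selection (INPUT / OUTPUT / FORWARD).

Added example, not code from the thread, SuSEfirewall2 or iptables.
Only the filter table is modelled; nat and conntrack are ignored.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Rule:
    target: str                     # "ACCEPT" or "DROP"
    dport: Optional[int] = None     # None matches any destination port
    src_net: Optional[str] = None   # None matches any source address

    def matches(self, pkt: Packet) -> bool:
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        return True


@dataclass
class Chain:
    policy: str                     # verdict when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:     # first match wins, like iptables
            if rule.matches(pkt):
                return rule.target
        return self.policy


class Firewall:
    def __init__(self, local_addrs, input_policy, forward_policy, output_policy="ACCEPT"):
        self.local = {ip_address(a) for a in local_addrs}
        self.chains = {
            "INPUT": Chain(input_policy),
            "FORWARD": Chain(forward_policy),
            "OUTPUT": Chain(output_policy),
        }

    def classify(self, pkt: Packet) -> str:
        # The routing decision: locally generated -> OUTPUT,
        # addressed to us -> INPUT, anything else -> FORWARD.
        if ip_address(pkt.src) in self.local:
            return "OUTPUT"
        if ip_address(pkt.dst) in self.local:
            return "INPUT"
        return "FORWARD"

    def filter(self, pkt: Packet) -> Tuple[str, str]:
        chain = self.classify(pkt)
        return chain, self.chains[chain].verdict(pkt)


# Constructed topology: LAN behind FW_INT, public side on FW_EXT.
LAN = "192.168.1.0/24"
IT_NET = "192.168.1.0/25"      # assumed "IT group" address range
USER_NET = "192.168.1.128/25"  # assumed "USER group" address range
FW_INT, FW_EXT = "192.168.1.1", "203.0.113.10"


def op_setup() -> Firewall:
    """The poster's setup: INPUT allows only http, FORWARD is wide open."""
    fw = Firewall([FW_INT, FW_EXT], input_policy="DROP", forward_policy="ACCEPT")
    fw.chains["INPUT"].rules.append(Rule("ACCEPT", dport=80))
    return fw


def restricted_forward_setup() -> Firewall:
    """Same host, but forwarded LAN traffic is limited per group (www/ftp/pop
    for IT, www/pop for USER); everything else forwarded is dropped."""
    fw = op_setup()
    fwd = fw.chains["FORWARD"]
    fwd.policy = "DROP"
    for port in (80, 21, 110):
        fwd.rules.append(Rule("ACCEPT", dport=port, src_net=IT_NET))
    for port in (80, 110):
        fwd.rules.append(Rule("ACCEPT", dport=port, src_net=USER_NET))
    return fw


if __name__ == "__main__":
    pop_from_user = Packet("192.168.1.200", "198.51.100.25", 110)
    ftp_from_user = Packet("192.168.1.200", "198.51.100.25", 21)
    print("open FORWARD, USER -> POP3:", op_setup().filter(pop_from_user))
    print("restricted,   USER -> POP3:", restricted_forward_setup().filter(pop_from_user))
    print("restricted,   USER -> FTP :", restricted_forward_setup().filter(ftp_from_user))
```

Run it as a script to see the three verdicts; the outside POP3 connection never reaches the INPUT rules in either setup, which is why restricting INPUT to http did nothing for the poster's clients.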