hysterion wrote:
I just got cable access and set up SuSEfirewall for masquerading, and I second the recommendation. It's very easy to set up - just a few instructions in the config file, and it automatically generates appropriate ipchains rules (97 of them, in my case) at boot time. Probably the best examples you could study anyway...
One caveat I found, however: it seems that I also need to connect to my isp (using dhcp) *at boot time*. Otherwise SuSEfirewall produces a different set of rules, one of which seems to get in the way when I later try to connect and ping:
<snip>
This seems to indicate that the culprit rule (#37) (which reads: -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY -l) gets in the way of dhcp and dns services -- even though I did set FW_SERVICE_DHCLIENT="yes" and FW_INCOMING_HIGHPORTS_UDP="dns". (The "10.118.32.1" seems very strange, too, but that's consistently what I get.)
If I let connection happen at boot time, on the other hand, this rule disappears from the list, and everything works fine.
I am on 56k dial-up so I really can't offer any more advice on your question than join the suse-security list or mail Marc himself. He is quick to respond as are the list members. My own problems with the firewall2 have been related to me having a dial-up and running the squid proxy server (which I recommend for speedy web surfing along with the junkbuster proxy for eradicating advertisements!). This problem of mine was solved once I worked out the order and timing of each package. My firewall fails on boot up because I am not connected to the net, but when I dial up, it fires up and all is dandy. I am using the latest version of his firewall2 for 2.4 so maybe he will alter it so I don't get failed messages. He is aware of it and said it's normal and nothing to worry about.
Questions:
- Is it true that the firewall prevents (dhcp-)connecting to the internet, except at boot time?
If yes, I would suggest emphasizing this in the documentation (I couldn't find it). If no, I'll gladly send more details of exactly what I did - the above seems 100% reproducible.
- Do later versions of the firewall behave in the same way? (I am using the stock versions from SuSE 7.0 ppc - kernel 2.2.16 and firewall 2.6.)
- Any other reason I should upgrade to a later version? (The .rpm updates mentioned at http://www.suse.de/~marc/SuSE.html don't seem to exist on the ppc side.)
The firewall is not architecture specific, just kernel version specific. I just downloaded the appropriate tar.gz and ran the install script. It was just as easy to install as an RPM. I think people on the suse-security list trust Marc's latest firewalls. He is certainly very confident about them. Don't think you have to stick with RPMs. Remember that his latest versions are unofficial updates to the SuSE rpms, so I personally would trust them more. Good luck, Joss
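Added example, not code from this thread or from SuSEfirewall: a small shell/awk check for the first-match ordering problem hysterion describes, where a catch-all UDP DENY in the input chain sits ahead of the DHCP and DNS ACCEPT rules. It reads an ipchains-save style listing; the sample ruleset below is constructed and its port syntax is an approximation of the real dump format.

```shell
#!/bin/sh
# Flag UDP ACCEPT rules in the ipchains "input" chain that are shadowed by an
# earlier catch-all UDP DENY (ipchains applies the first rule that matches).

# Constructed sample ruleset, mimicking ipchains-save output (hypothetical).
sample_rules() {
cat <<'EOF'
:input ACCEPT
:forward DENY
:output ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 6 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY -l
-A input -s 0.0.0.0/0.0.0.0 67:68 -d 0.0.0.0/0.0.0.0 67:68 -p 17 -i eth0 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 1024:65535 -p 17 -j ACCEPT
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 1 -j ACCEPT
EOF
}

# Reads a ruleset on stdin; prints "<rule#> <rule>" for every UDP (-p 17)
# ACCEPT in the input chain that comes after a catch-all UDP DENY/REJECT.
# Rule numbers count only "-A input" lines, as "ipchains -L input -n" does.
shadowed_udp_accepts() {
  awk '
    $1 == "-A" && $2 == "input" {
      n++
      is_udp = ($0 ~ / -p 17( |$)/)
      # catch-all: any source, any destination, no port restriction, UDP, deny
      if (is_udp && deny == 0 &&
          $0 ~ /-s 0\.0\.0\.0\/0\.0\.0\.0 -d 0\.0\.0\.0\/0\.0\.0\.0 -p 17 -j (DENY|REJECT)/)
        deny = n
      else if (is_udp && deny > 0 && $0 ~ / -j ACCEPT/)
        print n, $0
    }'
}

# Usage: sample_rules | shadowed_udp_accepts   (or feed a real saved ruleset)
```

On the sample this reports rules 3 and 4 (the DHCP and DNS accepts) as shadowed; if the DENY line is removed or moved after them, it prints nothing.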