I just got cable access and set up SuSEfirewall for
and I second the recommendation. It's very easy to set up - just
a few instructions in the config file, and it automatically
generates appropriate ipchains rules (97 of them, in my case) at
boot time. Probably the best examples you could study anyway...
One caveat I found, however: it seems that I also need to connect
to my isp (using dhcp) *at boot time*. Otherwise SuSEfirewall
produces a different set of rules, one of which seems to get in
the way when I later try to connect and ping:
This seems to indicate that the culprit rule (#37) (which reads:
-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY -l)
gets in the way of dhcp and dns services -- even though I did set
FW_SERVICE_DHCLIENT="yes" and FW_INCOMING_HIGHPORTS_UDP="dns".
(The "10.118.32.1" seems very strange, too, but that's consistently
what I get.)
If I let connection happen at boot time, on the other hand, this
rule disappears from the list, and everything works fine.
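An added illustration of the ordering problem described above; this is not part of the original post and is not SuSEfirewall's generated rule set. ipchains, like iptables, walks a chain top to bottom and the first matching ACCEPT/DENY/REJECT decides, so a catch-all `-p 17 -j DENY` that sits ahead of the DHCP (udp 67 -> 68) and DNS-reply (udp 53 -> high port) ACCEPTs swallows both. The script below parses rule lines of the shape quoted in the post and evaluates constructed sample packets against two constructed chains that differ only in rule order. The rule lines, the 192.0.2.x addresses (documentation address space) and the `walk_chain`/`verdicts` helpers are all assumptions made for the example.

```python
"""First-match evaluator for ipchains-style rule lines (added example, not
ipchains itself and not SuSEfirewall output)."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1, "all": None}
TERMINAL = ("ACCEPT", "DENY", "REJECT")


@dataclass
class Packet:
    proto: int                 # IP protocol number, 17 = UDP
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    iface: str = "eth0"


@dataclass
class Rule:
    chain: str
    src_net: IPv4Network
    sport: Optional[Tuple[int, int]]
    dst_net: IPv4Network
    dport: Optional[Tuple[int, int]]
    proto: Optional[int]       # None = any protocol
    iface: Optional[str]
    target: str
    log: bool                  # the "-l" flag in the quoted rule
    text: str


def _parse_port(tok: str) -> Tuple[int, int]:
    lo, _, hi = tok.partition(":")          # "53" or "1024:65535"
    return int(lo), int(hi or lo)


def parse_rule(line: str) -> Rule:
    """Parse "-A chain -s addr[/mask] [port] -d addr[/mask] [port] -p N -i if -j T [-l]"."""
    toks = line.split()
    chain = target = iface = None
    src = dst = proto = sport = dport = None
    log, i = False, 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            chain, i = toks[i + 1], i + 2
        elif t in ("-s", "-d"):
            net, port = ip_network(toks[i + 1], strict=False), None
            # ipchains allows an optional port or port range after the address
            if i + 2 < len(toks) and not toks[i + 2].startswith("-"):
                port, i = _parse_port(toks[i + 2]), i + 1
            if t == "-s":
                src, sport = net, port
            else:
                dst, dport = net, port
            i += 2
        elif t == "-p":
            p = toks[i + 1].lower()
            proto, i = (PROTO_NAMES[p] if p in PROTO_NAMES else int(p)), i + 2
        elif t == "-i":
            iface, i = toks[i + 1], i + 2
        elif t == "-j":
            target, i = toks[i + 1], i + 2
        elif t == "-l":
            log, i = True, i + 1
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    if chain is None or target is None:
        raise ValueError(f"rule needs -A and -j: {line!r}")
    any_net = ip_network("0.0.0.0/0")
    return Rule(chain, src or any_net, sport, dst or any_net, dport,
                proto, iface, target, log, line)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in rule.src_net or ip_address(pkt.dst) not in rule.dst_net:
        return False
    for want, have in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
        if want is not None and (have is None or not want[0] <= have <= want[1]):
            return False
    return True


def walk_chain(rules: List[Rule], chain: str, pkt: Packet, policy: str = "ACCEPT"):
    """Return (verdict, 1-based index of the deciding rule, 0 = chain policy)."""
    n = 0
    for r in rules:
        if r.chain != chain:
            continue
        n += 1
        if r.target in TERMINAL and matches(r, pkt):
            return r.target, n
    return policy, 0


# Constructed chains (assumption, not SuSEfirewall output). UDP_DENY has the
# shape of the rule quoted in the post; BROKEN lists it before the ACCEPTs.
LOOPBACK = "-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -i lo -j ACCEPT"
DHCP_OK = "-A input -s 0.0.0.0/0.0.0.0 67 -d 0.0.0.0/0.0.0.0 68 -p 17 -j ACCEPT"
DNS_OK = "-A input -s 0.0.0.0/0.0.0.0 53 -d 0.0.0.0/0.0.0.0 1024:65535 -p 17 -j ACCEPT"
UDP_DENY = "-A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY -l"
BROKEN = [parse_rule(l) for l in (LOOPBACK, UDP_DENY, DHCP_OK, DNS_OK)]
FIXED = [parse_rule(l) for l in (LOOPBACK, DHCP_OK, DNS_OK, UDP_DENY)]

# Constructed sample packets; 192.0.2.0/24 is documentation address space.
DHCP_OFFER = Packet(17, "192.0.2.1", 67, "255.255.255.255", 68)
DNS_REPLY = Packet(17, "192.0.2.1", 53, "192.0.2.50", 40000)
NTP_PROBE = Packet(17, "192.0.2.77", 123, "192.0.2.50", 123)   # unsolicited UDP


def verdicts(rules: List[Rule], chain: str = "input") -> Dict[str, str]:
    return {name: walk_chain(rules, chain, pkt)[0] for name, pkt in
            (("dhcp", DHCP_OFFER), ("dns", DNS_REPLY), ("ntp", NTP_PROBE))}


if __name__ == "__main__":
    for label, rules in (("broken order", BROKEN), ("fixed order", FIXED)):
        print(label, verdicts(rules))
```

With the catch-all DENY second in the chain, every UDP packet, including the DHCP offer and the DNS reply, is decided by that rule; moving the two ACCEPTs ahead of it admits exactly those flows while the unsolicited UDP probe is still denied, which is the behaviour the ACCEPT rules were meant to provide in the first place.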
I am on 56k dial up so I really can't offer any more advice on your
question than join the suse-security list or mail Marc himself. He is
quick to respond as are the list members.
My own problems with the firewall2 have been related to me having a
dial-up and running the squid proxy server (which I recommend for speedy
web surfing along with the junkbuster proxy for eradicating
advertisements!). This problem of mine was solved once I worked out the
order and timing of each package.
My firewall fails on boot up because I am not connected to the net, but
when I dial up, it fires up and all is dandy. I am using the latest
version of his firewall2 for 2.4 so maybe he will alter it so I don't
get failed messages. He is aware of it and said it's normal and nothing
to worry about.
- Is it true that the firewall prevents (dhcp-)connecting to the
internet, except at boot time?
If yes, I would suggest emphasizing this in the documentation (I
couldn't find it). If no, I'll gladly send more details of
exactly what I did - the above seems 100% reproducible.
- Do later versions of the firewall behave in the same way?
(I am using the stock versions from SuSE 7.0 ppc - kernel 2.2.16
and firewall 2.6.)
- Any other reason I should upgrade to a later version? (The .rpm
updates mentioned at http://www.suse.de/~marc/SuSE.html
seem to exist on the ppc side.)
The firewall is not architecture specific, just kernel version specific.
I just downloaded the appropriate tar.gz and ran the install script.
It was just as easy to install as a RPM. I think people on the
suse-security list trust Marc's latest firewalls. He is certainly very
confident about them. Don't think you have to stick with RPMs. Remember
that his latest versions are unofficial updates to the SuSE rpms, so I
personally would trust them more.