Joss Winn wrote:
On Mon, Jun 25, 2001 at 09:26:17AM +0100, Smith, Bradley wrote:
Hi,
What's the easiest way for me to configure a firewall (SuSE 7.1, 2001 iMac)?
I *will* get around to reading up on ipchain etc. but for the moment it's most important that I have something protecting me from those nasty hackers!
Cheers Brad
You can (I think it is turned on by default anyway), use the Personal Firewall. It uses the 2.2 ipchains.
I just got cable access and set up SuSEfirewall for masquerading, and I second the recommendation. It's very easy to set up - just a few instructions in the config file, and it automatically generates appropriate ipchain rules (97 of them, in my case) at boot time. Probably the best examples you could study anyway...

One caveat I found, however: it seems that I also need to connect to my isp (using dhcp) *at boot time*. Otherwise SuSEfirewall produces a different set of rules, one of which seems to get in the way when I later try to connect and ping:

$ /sbin/dhcpcd -d -h CC******-A eth0

produces messages like

Jun 26 22:17:12 gris dhcpcd[886]: broadcasting DHCP_DISCOVER
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43879 F=0x0000 T=255 (#37)
Jun 26 22:17:12 gris dhcpcd[886]: broadcastAddr option is missing in DHCP server response. Assuming *.*.*.255
Jun 26 22:17:12 gris dhcpcd[886]: broadcasting second DHCP_DISCOVER
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43881 F=0x0000 T=255 (#37)
Jun 26 22:17:12 gris dhcpcd[886]: DHCP_OFFER received from (24.2.0.9)
Jun 26 22:17:12 gris dhcpcd[886]: broadcasting DHCP_REQUEST for *.*.*.*
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43883 F=0x0000 T=255 (#37)
Jun 26 22:17:12 gris dhcpcd[886]: DHCP_ACK received from (24.2.0.9)

$ ping www.suse.de

then produces (no output and) messages like

Jun 26 22:18:14 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.33:53 *.*.*.*:1024 L=246 S=0x00 I=12157 F=0x0000 T=52 (#37)
Jun 26 22:18:19 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.34:53 *.*.*.*:1024 L=246 S=0x00 I=8282 F=0x0000 T=52 (#37)
Jun 26 22:18:24 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.33:53 *.*.*.*:1024 L=246 S=0x00 I=14064 F=0x0000 T=52 (#37)
Jun 26 22:18:29 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.34:53 *.*.*.*:1024 L=246 S=0x00 I=10180 F=0x0000 T=52 (#37)

This seems to indicate that the culprit rule (#37) (which reads: -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY -l) gets in the way of dhcp and dns services -- even though I did set FW_SERVICE_DHCLIENT="yes" and FW_INCOMING_HIGHPORTS_UDP="dns". (The "10.118.32.1" seems very strange, too, but that's consistently what I get.)

If I let connection happen at boot time, on the other hand, this rule disappears from the list, and everything works fine.

Questions:
- Is it true that the firewall prevents (dhcp-)connecting to the internet, except at boot time? If yes, I would suggest emphasizing this in the documentation (I couldn't find it). If no, I'll gladly send more details of exactly what I did - the above seems 100% reproducible.
- Do later versions of the firewall behave in the same way? (I am using the stock versions from SuSE 7.0 ppc - kernel 2.2.16 and firewall 2.6.)
- Any other reason I should upgrade to a later version? (The .rpm updates mentioned at http://www.suse.de/~marc/SuSE.html don't seem to exist on the ppc side.)

hysterion
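The diagnosis in the post above rests on reading the kernel's "Packet log:" lines and noticing that every DENY carries the same rule number and hits either a DHCP reply (UDP 67 to 68) or a DNS answer (UDP 53 to a high port). The following Python script is an added example, not part of this thread or of SuSEfirewall: it parses lines in that 2.2-kernel ipchains log format, classifies each denied packet by the client-side service it belongs to, and lists the rule numbers that are dropping DHCP or DNS replies, which is exactly the check one would want before concluding that a client can never get online. The service table and the helper names are my own, and the sample log is constructed to mirror the lines in the post (plus one constructed TCP line on a made-up rule #12 to show that non-UDP denials are reported separately).

```python
"""Classify ipchains 'Packet log:' kernel messages by the service they block.

Added example (not part of the mailing-list thread or of SuSEfirewall).
Assumes the 2.2 kernel ipchains log format quoted in the post:
  <date> <host> kernel: Packet log: <chain> <target> <iface> PROTO=<n>
  <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
"""
import re
from collections import Counter, defaultdict

# Source/destination may be masked as *.*.*.* in pasted logs, so accept '*' in addresses.
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.*]+):(?P<sport>\d+) (?P<dst>[\d.*]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) .*?\(#(?P<rule>\d+)\)"
)

# UDP replies a client host must be able to receive, keyed by (server port, client port).
# None means "any client port": DNS answers come back to whatever ephemeral port was used.
# This table is an assumption of the example, not something SuSEfirewall exports.
UDP_REPLY_SERVICES = {
    (67, 68): "dhcp-reply",
    (53, None): "dns-reply",
}


def parse_packet_log(line):
    """Return the fields of one 'Packet log:' line as a dict, or None for any other syslog line."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "rule"):
        rec[key] = int(rec[key])
    return rec


def classify(rec):
    """Name the client-side service a logged packet belongs to, judged by protocol and ports."""
    if rec["proto"] != 17:          # only UDP services are in the table
        return "proto-%d" % rec["proto"]
    for (sport, dport), name in UDP_REPLY_SERVICES.items():
        if rec["sport"] == sport and dport in (None, rec["dport"]):
            return name
    return "udp-other"


def denied_by_rule(lines):
    """Map rule number -> Counter of service names that this rule DENYed."""
    out = defaultdict(Counter)
    for line in lines:
        rec = parse_packet_log(line)
        if rec is not None and rec["target"] == "DENY":
            out[rec["rule"]][classify(rec)] += 1
    return dict(out)


def suspicious_rules(lines):
    """Rules that drop DHCP or DNS replies: a client behind such a rule cannot get online."""
    return sorted(
        rule for rule, services in denied_by_rule(lines).items()
        if services["dhcp-reply"] or services["dns-reply"]
    )


# Constructed sample mirroring the post's log; dhcpcd lines are noise the parser must skip,
# and the masked *.*.*.* destination is kept as the poster wrote it. The PROTO=6 line on
# rule #12 is invented for the example.
SAMPLE_LOG = """\
Jun 26 22:17:12 gris dhcpcd[886]: broadcasting DHCP_DISCOVER
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43879 F=0x0000 T=255 (#37)
Jun 26 22:17:12 gris dhcpcd[886]: DHCP_OFFER received from (24.2.0.9)
Jun 26 22:17:12 gris kernel: Packet log: input DENY eth0 PROTO=17 10.118.32.1:67 *.*.*.*:68 L=576 S=0x00 I=43883 F=0x0000 T=255 (#37)
Jun 26 22:18:14 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.33:53 *.*.*.*:1024 L=246 S=0x00 I=12157 F=0x0000 T=52 (#37)
Jun 26 22:18:19 gris kernel: Packet log: input DENY eth0 PROTO=17 24.2.160.34:53 *.*.*.*:1024 L=246 S=0x00 I=8282 F=0x0000 T=52 (#37)
Jun 26 22:19:01 gris kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:4444 *.*.*.*:23 L=60 S=0x00 I=1 F=0x4000 T=64 (#12)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule, services in sorted(denied_by_rule(lines).items()):
        print("rule #%d denied: %s" % (rule, dict(services)))
    print("rules blocking DHCP/DNS replies:", suspicious_rules(lines))
```

Run against a real /var/log/messages the same way (pass the file's lines to `suspicious_rules`); a non-empty result points at the rule number to look up in the generated chain, as the poster did by hand with rule #37.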
hysterion wrote:
I just got cable access and set up SuSEfirewall for masquerading, and I second the recommendation. It's very easy to set up - just a few instructions in the config file, and it automatically generates appropriate ipchain rules (97 of them, in my case) at boot time. Probably the best examples you could study anyway...
One caveat I found, however: it seems that I also need to connect to my isp (using dhcp) *at boot time*. Otherwise SuSEfirewall produces a different set of rules, one of which seems to get in the way when I later try to connect and ping:
<snip>
This seems to indicate that the culprit rule (#37) (which reads: -A input -s 0.0.0.0/0.0.0.0 -d 0.0.0.0/0.0.0.0 -p 17 -j DENY -l) gets in the way of dhcp and dns services -- even though I did set FW_SERVICE_DHCLIENT="yes" and FW_INCOMING_HIGHPORTS_UDP="dns". (The "10.118.32.1" seems very strange, too, but that's consistently what I get.)
If I let connection happen at boot time, on the other hand, this rule disappears from the list, and everything works fine.
I am on 56k dial up so I really can't offer any more advice on your question than join the suse-security list or mail Marc himself. He is quick to respond as are the list members. My own problems with the firewall2 have been related to me having a dial-up and running the squid proxy server (which I recommend for speedy web surfing along with the junkbuster proxy for eradicating advertisements!). This problem of mine was solved once I worked out the order and timing of each package. My firewall fails on boot up because I am not connected to the net, but when I dial up, it fires up and all is dandy. I am using the latest version of his firewall2 for 2.4 so maybe he will alter it so I don't get failed messages. He is aware of it and said it's normal and nothing to worry about.
Questions:
- Is it true that the firewall prevents (dhcp-)connecting to the internet, except at boot time?
If yes, I would suggest emphasizing this in the documentation (I couldn't find it). If no, I'll gladly send more details of exactly what I did - the above seems 100% reproducible.
- Do later versions of the firewall behave in the same way? (I am using the stock versions from SuSE 7.0 ppc - kernel 2.2.16 and firewall 2.6.)
- Any other reason I should upgrade to a later version? (The .rpm updates mentioned at http://www.suse.de/~marc/SuSE.html don't seem to exist on the ppc side.)
The firewall is not architecture specific, just kernel version specific. I just downloaded the appropriate tar.gz and ran the install script. It was just as easy to install as an RPM. I think people on the suse-security list trust Marc's latest firewalls. He is certainly very confident about them. Don't think you have to stick with RPMs. Remember that his latest versions are unofficial updates to the SuSE rpms, so I personally would trust them more.

good luck
Joss
Joss Winn wrote:
I am on 56k dial up so I really can't offer any more advice on your question than join the suse-security list or mail Marc himself. He is quick to respond as are the list members.
Will do!
My firewall fails on boot up because I am not connected to the net, but when I dial up, it fires up and all is dandy.
Ah, that's more like what I would have expected to happen in my case too, if I connect only later in the session.
- Any other reason I should upgrade to a later version? (The .rpm updates mentioned at http://www.suse.de/~marc/SuSE.html don't seem to exist on the ppc side.)
The firewall is not architecture specific, just kernel version specific. I just downloaded the appropriate tar.gz and ran the install script. It was just as easy to install as an RPM. I think people on the suse-security list trust Marc's latest firewalls. He is certainly very confident about them. Don't think you have to stick with RPMs. Remember that his latest versions are unofficial updates to the SuSE rpms, so I personally would trust them more.
good luck Joss
Thanks for the advice - I've downloaded SuSEfirewall 4.8 from Marc's page, and will probably end up installing it. It's just that I was a bit more confident in my own ability to *uninstall* an .rpm, in case anything goes wrong :-) (Also, I felt not quite ready to use a "beta" for my first firewall experience.)

The 7.1 distribution has a SuSEfirewall.rpm, but it's not so easy to figure out what version/files it contains, which kernel it supports, and what the dependencies are. Is this info readily available anywhere on the web, à la rpmfind? At least not in these natural places, ftp://ftp.suse.com/pub/suse/ppc/7.1/full-names/ppc/ or http://suse.de/en/produkte/susesoft/ppc/Pakete/SuSEfirewall.html

(I hope I don't come across as a whiner for deploring this. Of course, *now* that my Linux box is online, I can find out all this information by ftping an rpm query, but this kind of assumes that all problems have already been solved, right? Also it seems to assume that I dug the German database, http://sdb.suse.de/sdb/de/html/sm_masq2.html, to find out that the 7.0 "firewals.rpm" has become "SuSEfirewall.rpm" in 7.1.)

Hmmm, as long as it's working, I better stop bitching :-)

Thanks a lot for the response,
hysterion
On Wed, Jun 27, 2001 at 11:52:29PM -0400, hysterion wrote:
Thanks for the advice - I've downloaded SuSEfirewall 4.8 from Marc's page, and will probably end up installing it. It's just that I was a bit more confident in my own ability to *uninstall* an .rpm, in case anything goes wrong :-) (Also, I felt not quite ready to use a "beta" for my first firewall experience.)
The number of files it installs is actually very few. Just a handful. SuSEfirewall2 installs six executable files and the docs/logs. Also, if you install it by hand while the rpm is installed, I'm pretty sure you will find it is still un-installable via rpm, or at the very least, you can install an rpm over it. Either way, there are just a handful of files :-)
The 7.1 distribution has a SuSEfirewall.rpm, but it's not so easy to figure out what version/files it contains, which kernel it supports, and what the dependencies are. Is this info readily available anywhere on the web, à la rpmfind? At least not in these natural places,
You could always download it from SuSE and take a look with kpackage before installing ;) The SuSEfirewall.rpm on my 7.1 CD is version 4.3.1 and supports the 2.2.x kernel with ipchains. It is the same as the version on Marc's page, only a few months older.
ftp://ftp.suse.com/pub/suse/ppc/7.1/full-names/ppc/ or http://suse.de/en/produkte/susesoft/ppc/Pakete/SuSEfirewall.html
(I hope I don't come across as a whiner for deploring this. Of course, *now* that my Linux box is online, I can find out all this information by ftping an rpm query, but this kind of assumes that all problems have already been solved, right? Also it seems to assume that I dug the German database, http://sdb.suse.de/sdb/de/html/sm_masq2.html, to find out that the 7.0 "firewals.rpm" has become "SuSEfirewall.rpm" in 7.1.)
Because the firewall is architecture independent, it is in the dir.:
/pub/suse/ppc/7.1/full-names/noarch/SuSEfirewall-4.3-9.noarch.rpm

Good luck ;)

--
http://www.josswinn.org