Dear All
I've configured a gateway on a friend's network with SuSE 7.2. I thought that it might be a good idea to try the SuSE firewall once again, the one that comes on the SuSE CDs. I don't want to upgrade to the new one; I want to use this one.
After installing the firewall and starting the gateway machine I find that I can't ping the gateway machine, and after manually putting in the rules to allow forwarding up to the net nothing works either.
You should be able to see the config file for the firewall that I'm using below. Can someone tell me where I've gone wrong and explain what it is that I should change? This is for an ADSL connection with an Ethernet card. The external card is eth1 and the internal LAN-facing card is eth0. The internal net is 192.168.1.1/24.
The manuals do give some simple instructions about what to do, but these are confusing, and two more pages about configuration options would be helpful. Apologies for the enormously long post.
..............
# Copyright (c) 1999-2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Marc Heuse <marc(a)suse.de>, 1999-2001
# Please contact me directly if you find bugs.
#------------------------------------------------------------------------
#
# 1.)
# Should the Firewall be started?
#
# This setting is done in /etc/rc.config (START_FW="yes")
#
# 2.)
# Which is the interface that points to the internet?
#
# Enter all the network devices here which are untrusted.
#
# Choice: any number of devices, separated by a space
# e.g. "eth0", "ippp0 ippp1"
#
FW_DEV_WORLD="eth1"
#
# You *may* configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_WORLD_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
# You will still need to set FW_DEV_WORLD first!
#
# e.g. for external interface ippp0
#FW_DEV_WORLD_ippp0="10.0.0.1 255.255.255.0"
#
# 3.)
# Which is the interface that points to the internal network?
#
# Enter all the network devices here which are trusted.
# If you are not connected to a trusted network (e.g. you have just a
# dialup) leave this empty.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1" or ""
#
FW_DEV_INT="eth0"
#
# You may configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_INT_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
# You will still need to set FW_DEV_INT first!
#
# e.g. for internal interface eth0
#FW_DEV_INT_eth0="192.168.1.1 255.255.255.0"
#
# 4.)
# Which is the interface that points to the dmz network?
#
# Enter all the network devices here which point to the dmz.
# A "dmz" is a special, separated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services,
# e.g. WWW, Mail, etc. and hence are at risk from attacks.
# See /usr/share/doc/packages/SuSEfirewall/EXAMPLES for an example.
#
# Special note: You have to configure FW_FORWARD_TCP and FW_FORWARD_UDP to
# define the services which should be available to the internet and set
# FW_ROUTE to yes.
# Very special note: servers/networks in FW_MASQ_NETS may access the DMZ to
# the same extent they are allowed to access the internet! No FW_FORWARD_*
# needed ...
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1" or ""
#
FW_DEV_DMZ=""
#
# You may configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_DMZ_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
# You will still need to set FW_DEV_DMZ first!
#
# e.g. for dmz interface eth1
#FW_DEV_DMZ_eth1="192.168.1.1 255.255.255.0"
#
# 5.)
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
#
# You need only set this to yes, if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but this is not
# a good idea). This option supersedes IP_FORWARD from /etc/rc.config!
#
# Setting this option alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD_TCP and/or
# FW_FORWARD_UDP to define what is allowed to be forwarded!
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ROUTE="yes"
#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT, FW_ROUTE
#
# "Masquerading" means that all your internal machines which use services on
# the internet seem to come from your firewall.
# Please note that it is more secure to communicate via proxies to the
# internet than masquerading.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_MASQUERADE="yes"
#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxies on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Please note this config changed in firewall-2.3: You may either use just
# hosts/nets to allow all traffic from them to the internet, or use an extended
# syntax, to restrict internet access to certain services!
#
# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A protocol and service is appended by a comma to the host/network.
# e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with unrestricted access
# "10.0.1.0/24,tcp,80 10.0.1.0/24,tcp,21" allows the 10.0.1.0 network to use
# www/ftp to the internet. "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# You may NOT set this variable to "0/0" !
#
FW_MASQ_NETS="192.168.1.0/32"
#
# If you want (and you should) you may also set the FW_MASQ_DEV option, to
# specify the outgoing interface to masquerade on. (You would normally use
# the external interface(s), the FW_DEV_WORLD device(s), e.g. "ippp0")
#
# e.g. "ippp0" or "$FW_DEV_WORLD"
FW_MASQ_DEV="eth1"
#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will also be affected by the
# FW_AUTOPROTECT_GLOBAL_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_PROTECT_FROM_INTERNAL="no"
#
# 8.)
# Do you want to autoprotect all global running services?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# which are not bound to a special IP address will be prevented (except to
# those which you explicitly allow, see below: FW_*_SERVICES_*)
# Example: "0.0.0.0:23" would be protected, but "10.0.0.1:53" not.
#
# Choice: "yes" or "no", defaults to "yes"
#
# "yes" is a good choice
FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall)
#
# Enter all ports or known portnames below, separated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXTERNAL_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this, from 1 to 10: "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Services, visible to the external net (normally internet), TCP
# Common: smtp domain
FW_SERVICES_EXTERNAL_TCP="smtp www ftp"
# Services, visible to the external net (normally internet), UDP
# Common: domain
FW_SERVICES_EXTERNAL_UDP="domain"
# Externally visible services, other IP protocols
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXTERNAL_IP=""
#
# Services visible to the DMZ, TCP
# Common: smtp domain
FW_SERVICES_DMZ_TCP="smtp domain"
# Services visible to the DMZ, UDP
# Common: domain syslog
FW_SERVICES_DMZ_UDP=""
# Services visible to the DMZ, other IP protocols
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Services, visible to the internal net, TCP
# Common: ssh smtp domain
FW_SERVICES_INTERNAL_TCP="smtp domain"
# Services, visible to the internal net, UDP
# Common: domain syslog
FW_SERVICES_INTERNAL_UDP="domain"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INTERNAL_IP=""
#
# 10.)
# Which services should be accessible from trusted hosts/nets on the internet?
#
# Define trusted networks on the internet, and the TCP and/or UDP services
# they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1", "172.20.0.0/16"
#
FW_TRUSTED_NETS="192.168.1.0/32"
#
# leave FW_SERVICES_TRUSTED_* empty or any number of ports, known portnames
# (from /etc/services) and port ranges separated by a space.
# e.g. "25", "ssh", "1:65535", "1 3:5"
#
# Services, available to trusted hosts/nets, TCP
# Common: ssh
FW_SERVICES_TRUSTED_TCP=""
# Services, available to trusted hosts/nets, UDP
# Common: syslog time ntp
FW_SERVICES_TRUSTED_UDP=""
# Services, available to trusted hosts/nets, other IP protos
# For VPN/Routing which END at the firewall!!
FW_SERVICES_TRUSTED_IP=""
#
# Some people want to allow some trusted machines access to some services
# and different services to others. OK, here is your hardcore config option:
# "trusted_net,protocol,port" e.g. "10.0.1.0/24,tcp,80 10.0.1.6,tcp,21"
FW_SERVICES_TRUSTED_ACL=""
#
# 11.)
# How is access allowed to high (unprivileged [above 1023]) ports?
#
# You may either allow everyone from any port access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that if you want to use normal (active) ftp, you have to set the TCP
# option to ftp-data. If you use passive ftp, you don't need that.
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXTERNAL_UDP ...).
#
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
#
# Incoming connections on ports >= 1024, TCP
# Common: "ftp-data" (sadly!)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
# Incoming connections on ports >= 1024, UDP
# Common: "DNS" or "domain ntp"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won't work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
#
# if yes, FW_SERVICES_*_TCP needs to have port 53
# (or "domain") set to allow incoming queries.
# also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DNS="no"
# if you use dhclient to get an ip address
# you have to set this to "yes" !
FW_SERVICE_DHCLIENT="yes"
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="no"
# set to "yes" if this server uses samba as client
# or server. As a server, you still have to set
# FW_SERVICES_{WORLD,DMZ,INT}_TCP="139"
# Everyone may send you udp 137/138 packets if set
# to yes! (samba on the firewall is not a good idea!)
FW_SERVICE_SAMBA="no"
#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were assigned to
# you by your ISP. This opens a direct link to your network, so only use
# this option for access to your dmz!!!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forwarding rules, separated each by a space.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port (or IP protocol), separated by a comma (","), e.g.
# "4.0.0.0/8,1.1.1.1,22" [means: net 4.0.0.0 with netmask 255.0.0.0 is
# allowed to connect to the single server 1.1.1.1 on port 22 (which is SSH)]
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
# For FW_FORWARD_IP it is "4.0.0.0/8,1.1.1.1,igmp" or "4.0.0.0/8,1.1.1.1,1"
#
# Forward TCP connections
# Beware to use this!
FW_FORWARD_TCP=""
# Forward UDP connections
# Beware to use this!
FW_FORWARD_UDP=""
# Forward other IP protocol connections (for VPN setups)
# Beware to use this!
FW_FORWARD_IP=""
#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE, FW_MASQUERADE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP addresses!
# Hint: if FW_MASQ_DEV is set to the external interface you have to set
# FW_FORWARD_* from internal to DMZ for the service as well!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, separated each by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination IP
# (dmz/intern) and 3) destination port, separated by a comma (","), e.g.
# "4.0.0.0/8,1.1.1.1,22",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
# Forward TCP connections to masqueraded host
# Beware to use this!
FW_FORWARD_MASQ_TCP=""
# Forward UDP connections to masqueraded host
# Beware to use this!
FW_FORWARD_MASQ_UDP=""
# it is not possible to masquerade other IP protocols, hence no _IP variable
#
# 15.)
# Which accesses to services should be redirected to a local port on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, separated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) original destination port and 4) local port to redirect the traffic to,
# separated by a comma. e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080"
#
# Redirect TCP connections
FW_REDIRECT_TCP="80"
# Redirect UDP connections
FW_REDIRECT_UDP=""
#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also set the log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
# FW_LOG_*_ALL defaults to "no"
#
# Log critical denied network packets
FW_LOG_DENY_CRIT="yes"
# Log all denied packets
FW_LOG_DENY_ALL="yes"
# Log critical accepted packets
FW_LOG_ACCEPT_CRIT="yes"
# Log all accepted packets
FW_LOG_ACCEPT_ALL="yes"
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexceed_rate,
# ip_local_port_range, log_martians, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# If you are using VPNs (e.g. FreeSWAN) or are combining several ISDN lines
# or similar to one, you have to set this to "no" !
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_KERNEL_SECURITY="yes"
#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might leave your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
# Choices "yes" or "no", defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"
#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet?
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ
#
# Choice: "yes" or "no", defaults to "no"
#
# Allow ping on firewall
FW_ALLOW_PING_FW="no"
# Allow ping on DMZ targets
FW_ALLOW_PING_DMZ="no"
##
# END of firewall.rc.config
##
#
#
#-------------------------------------------------------------------------#
#
#
# EXPERT OPTIONS - all others please don't change these!
#
#
#
#-------------------------------------------------------------------------#
#
#
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="no"
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
# Which masquerading modules should be loaded?
# REQUIRES: FW_ROUTE, FW_MASQUERADE
#
# (omit the path or "ip_masq_" prefix as well as the ".o" suffix!)
#
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"
#
# 23.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall-custom.rc.config"
--
Richard
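An added example, not part of Richard's post or of the SuSEfirewall package: a small Python checker for the rule syntaxes the config comments document in sections 6, 10, 13, 14 and 15 (FW_MASQ_NETS, FW_TRUSTED_NETS, FW_SERVICES_TRUSTED_ACL, FW_FORWARD_*, FW_FORWARD_MASQ_* and FW_REDIRECT_*). It checks the comma-separated field count of each rule, the documented ban on "0/0" in FW_MASQ_NETS, and flags a /32 mask on a .0 address, which selects one address rather than a subnet; the sample excerpt is constructed from the values in the post.

```python
import ipaddress
import re

# Rule field shapes from the config comments (sections 6, 10, 13-15): n=host/net, p=tcp|udp, P=port or low:high.
RULE_SHAPES = {
    "FW_MASQ_NETS": ["n", "npP"], "FW_TRUSTED_NETS": ["n"], "FW_SERVICES_TRUSTED_ACL": ["npP"],
    "FW_FORWARD_TCP": ["nnP"], "FW_FORWARD_UDP": ["nnP"],
    "FW_FORWARD_MASQ_TCP": ["nnP"], "FW_FORWARD_MASQ_UDP": ["nnP"],
    "FW_REDIRECT_TCP": ["nnPP"], "FW_REDIRECT_UDP": ["nnPP"],
}
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")
ASSIGN_RE = re.compile(r'^(FW_\w+)="([^"]*)"\s*$')

def check_net(tok, allow_any=True):
    """Problems with one host/net token; /32 on a .0 address selects one address, not a subnet."""
    if tok in ("0/0", "0.0.0.0/0"):
        return [] if allow_any else [f"{tok}: the any-network 0/0 is not allowed here"]
    try:
        net = ipaddress.ip_network(tok, strict=False)  # host bits are masked, as the kernel does
    except ValueError:
        return [f"{tok}: not a valid host/network"]
    if tok.endswith("/32") and int(net.network_address) % 256 == 0:
        return [f"{tok}: /32 matches only the single address {net.network_address}, not a subnet"]
    return []

def check_port(tok):
    m = PORT_RE.match(tok)
    if not m:
        return [f"{tok}: port must be a number or a range low:high"]
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    return [] if 1 <= lo <= hi <= 65535 else [f"{tok}: range out of order or outside 1-65535"]

def check_rule(var, rule):
    fields = rule.split(",")
    shape = next((s for s in RULE_SHAPES[var] if len(s) == len(fields)), None)
    if shape is None:
        return [f"{var}: '{rule}' has {len(fields)} field(s), expected {' or '.join(str(len(s)) for s in RULE_SHAPES[var])}"]
    problems = []
    for kind, tok in zip(shape, fields):
        if kind == "n":
            problems += check_net(tok, allow_any=(var != "FW_MASQ_NETS"))
        elif kind == "p" and tok not in ("tcp", "udp"):
            problems.append(f"{tok}: protocol must be tcp or udp")
        elif kind == "P":
            problems += check_port(tok)
    return [f"{var}: {p}" for p in problems]

def check_config(text):
    """Run check_rule over every rule-bearing FW_* assignment in a firewall.rc.config text."""
    problems = []
    for line in text.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if m and m.group(1) in RULE_SHAPES:
            for rule in m.group(2).split():  # rules are separated by spaces
                problems += check_rule(m.group(1), rule)
    return problems

# Constructed excerpt mirroring the rule values in the post above (not the whole file).
SAMPLE = ('FW_MASQ_NETS="192.168.1.0/32"\nFW_TRUSTED_NETS="192.168.1.0/32"\n'
          'FW_FORWARD_TCP=""\nFW_REDIRECT_TCP="80"\n')
```

Running `check_config(SAMPLE)` returns one finding per questionable line; feeding it the full pasted file works the same way, since assignments that are not in RULE_SHAPES are ignored.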