I have been tasked with replacing an old Linux firewall. The person
that built the firewall used Iptables. I want to use the SuSEfirewall2
script. I can't change the requirement or the infrastructure because
of existing services.
I'm having some difficulties with the SuSEfirewall2 script. I can't
seem to get traffic forwarded from the DMZ side to the internal
network. Here is my layout and requirements.
The new server has three interfaces and the OS is OpenSUSE 10.3.
The external interface has a public IP address assigned to it.
The internal interface connects to a private subnet where there are
hosted services and a few employees (QA Lab).
The other interface which I am labeling the DMZ is connected to
another private network. This is the main employee network.
The QA lab hosts a secure IMAP server, a public web server, four other
web servers (accessible only to employees) and a public SMTP server.
The QA employees need to have full unrestricted access to the Internet.
The regular employees (DMZ) will not be allowed to use this firewall
as their gateway, therefore they are restricted from using the DMZ
interface to get to the Internet. The employees in front of this
interface should only be allowed to access the four web servers and
mail server. The key here is that services living on the employee
network make calls to the web servers on the internal network using
different ports. For example, http requests to port 83 on the DMZ
interface will need to be redirected to port 80 on the internal web
server. FYI, this is where I sit and access the Firewall for
administration purposes. The QA lab does not get access to the
firewall.
[This is what it would look like in IPTABLES]
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 83 -j DNAT --to-destination 192.168.2.150:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 82 -j DNAT --to-destination 192.168.2.150:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 81 -j DNAT --to-destination 192.168.2.30:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.20:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.2.20:25
Additionally, there is an SSL VPN connection and IPSEC traffic but
that is for another post. My main problem is getting to the lab
webservice from the DMZ interface. Here is what I have configured in
the SuSEfirewall2 script.
[Interfaces]
FW_DEV_EXT='any eth5'
FW_DEV_INT='eth4'
FW_DEV_DMZ='eth1'
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
[NAT lab Internet requests only]
FW_MASQ_NETS="192.168.2.0/24"
FW_PROTECT_FROM_INT="yes"
[The only service listening on the external interface]
FW_SERVICES_EXT_TCP="SSLVPNPORT"
[Admin SSH access to the firewall from the DMZ network]
FW_SERVICES_DMZ_TCP="someSSHport"
[Used for VPN]
FW_FORWARD="192.168.20.0/24,192.168.2.0/24 192.168.2.0/24,192.168.20.0/24"
[Allow Access from the Internet]
FW_FORWARD_MASQ="0/0,192.168.2.20,tcp,80 0/0,192.168.2.30,tcp,80
0/0,192.168.2.150,tcp,80 0/0,192.168.2.20,tcp,25
0/0,192.168.2.20,tcp,995"
I tried using FW_FORWARD_MASQ to open connections from the DMZ to
Internal but the firewall log shows the connections being dropped.
How do I allow (without using IPTABLES commands in the custom script)
the services in the DMZ to access the web services on the internal
network (using redirection)?
I also tried FW_REDIRECT="" but I do not have open ports on the DMZ
side of the firewall. Everything should be forwarded through.
Thanks
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org
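Added example, not from the post: a POSIX shell audit of the DNAT rules quoted above. Each rule matches `-s 10.2.2.0/255.0.0.0`, and a netmask wins over the host bits written in the address, so the kernel matches all of 10.0.0.0/8 rather than a 10.2.2.x network; the script normalises each source spec (dotted mask, CIDR prefix or bare host, going beyond the rules shown) and flags that mismatch. RULES is a constructed copy of three of the post's rules.

```shell
# Added example, not from the original post: audit the DNAT rules quoted in the
# post for a source match wider than the address written (host bits set under
# the mask). RULES is a constructed copy of three of those rules.
RULES='-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 83 -j DNAT --to-destination 192.168.2.150:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.20:80
-A PREROUTING -s 10.2.2.0/255.0.0.0 -d 10.2.2.10 -i eth2 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.2.20:25'
# Dotted quad to a 32-bit integer.
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
# Netmask written as a dotted quad or as a CIDR prefix length, as an integer.
mask_int() {
    case $1 in
        *.*) ip2int "$1" ;;
        *)   echo $(( (0xffffffff << (32 - $1)) & 0xffffffff )) ;;
    esac
}
# Print the network the kernel really matches for ADDR[/MASK] (the mask wins);
# exit status 1 when ADDR had host bits set, i.e. the match is wider than written.
effective_net() {
    case $1 in */*) spec=$1 ;; *) spec=$1/32 ;; esac
    addr=$(ip2int "${spec%/*}"); mask=$(mask_int "${spec#*/}"); net=$(( addr & mask ))
    echo "$(( (net >> 24) & 255 )).$(( (net >> 16) & 255 )).$(( (net >> 8) & 255 )).$(( net & 255 ))"
    [ "$net" -eq "$addr" ]
}
# One line per DNAT rule: OK or WIDER, then input interface, port and DNAT target.
audit_dnat() {
    printf '%s\n' "$RULES" | while read -r line; do
        set -- $line
        src=; iface=; dport=; target=
        while [ $# -gt 0 ]; do
            case $1 in
                -s) src=$2 ;;  -i) iface=$2 ;;
                --dport) dport=$2 ;;  --to-destination) target=$2 ;;
            esac
            shift
        done
        if net=$(effective_net "$src"); then
            echo "OK    $iface:$dport -> $target from $src"
        else
            echo "WIDER $iface:$dport -> $target written as $src, matches $net/${src#*/}"
        fi
    done
}
audit_dnat
```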
Greetings all,
I'm still having problems getting SSL to work with Cyrus IMAP and
Postfix. I had SSL working fine for IMAP on Suse 10.0. This got broken
after I upgraded this install to Opensuse 10.3. I think this has
something to do with /etc/ssl not being changed during the upgrade due
to previous changes or certs I added there earlier on for 10.0. I'm not
sure this is the problem but I'm starting to suspect this may be the
issue. I'm not sure how to track this down. I had (have) a cert in
/etc/ssl/certs/imap.pem that was working with 10.0.
In order to resolve this problem I tried setting up TLS for both IMAP
and smtp auth for Postfix, but could not get that working either, but
suspected I had the wrong cert incantation.
So I tried making certs using a different how-to, I made a CA request
that generated mailkey.pem and mailreq.pem.
Then I ran this to sign the file myself
openssl ca -out mail_signed_cert.pem -infiles mailreq.pem
which returned the following errors:
Using configuration from /etc/ssl/openssl.cnf
Error opening CA private key ./demoCA/private/cakey.pem
5712:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('./demoCA/private/cakey.pem','r')
5712:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
unable to load CA private key
I do have a file /etc/ssl/openssl.cnf but not sure where to go from here.
I sure could use some help with this.
Jim
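Added example, not from the post and not OpenSSL's own documentation: the error above means the stock openssl.cnf CA section (dir = ./demoCA, as on the poster's system) points at a directory that does not exist until you create it. This script builds that layout in a scratch directory, makes a self-signed CA there, and signs a request the way the post tried to; the CA and server names and the use of the stock policy_anything policy are assumptions.

```shell
# Added example, not from the original post: build the ./demoCA layout that the
# stock openssl.cnf [ CA_default ] section points at, then sign a request with
# "openssl ca" as the post tried to. Names are made up; runs in a scratch dir.
set -e
work=$(mktemp -d); cd "$work"

# Directories and bookkeeping files "openssl ca" refuses to run without.
prepare_demo_ca() {
    mkdir -p demoCA/private demoCA/newcerts
    chmod 700 demoCA/private     # the CA key lives here; keep it private
    : > demoCA/index.txt         # empty issued-certificate database
    echo 01 > demoCA/serial      # serial number of the next certificate
}

# Self-signed CA key and certificate at the default paths from openssl.cnf
# (private_key = $dir/private/cakey.pem, certificate = $dir/cacert.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj '/CN=Example Mail CA' \
        -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem 2>/dev/null
}

# Mail server key and request, then the "openssl ca" step that failed in the
# post. policy_anything: the default policy_match needs C/ST/O equal to the CA's.
issue_mail_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mail.example.org' \
        -keyout mailkey.pem -out mailreq.pem 2>/dev/null
    openssl ca -batch -notext -policy policy_anything \
        -out mail_signed_cert.pem -infiles mailreq.pem
}

# Confirm the issued certificate chains to the CA: prints "mail_signed_cert.pem: OK".
verify_mail_cert() {
    openssl verify -CAfile demoCA/cacert.pem mail_signed_cert.pem
}

prepare_demo_ca
if command -v openssl >/dev/null 2>&1; then
    make_ca && issue_mail_cert && verify_mail_cert
fi
```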
I see this in my warn log:
Jun 10 23:11:38 nimrodel freshclam[9428]: Your ClamAV installation is OUTDATED!
Jun 10 23:11:38 nimrodel freshclam[9428]: Local version: 0.93 Recommended version: 0.93.1
Jun 10 23:11:41 nimrodel freshclam[9428]: Your ClamAV installation is OUTDATED!
Jun 10 23:11:41 nimrodel freshclam[9428]: Current functionality level = 29, recommended = 31
Will there be an official update through YOU?
--
Cheers,
Carlos Robinson
Greetings,
Could you please publish signatures for the 11.0 ISOs at release? I
believe they were never published for 10.3, I never got a reply to my
question on the subject[0].
I hope it does not take someone distributing a CD image with a goatse
bootloader and the same md5sum for this to be done.
__
[0] http://lists.opensuse.org/opensuse-security/2007-10/msg00001.html
--
Benjamin Weber
Jonathon Robison wrote:
> Be aware that the default firewall in opensuse interferes with
> openvpn. I haven't nailed down exactly what line yet, but in mine,
> even though I had all appropriate routes added and ports open, nobody
> could browse the samba shares (or get a browse list from the WINS
> server) until I dropped all rules and established only the necessary
> openvpn rules.
>
I've got OpenVPN to run preliminarily in ROUTE mode on my openSUSE 10.3
workstation so far by copying most of the config files used on Win2kTS
to openSUSE /etc/openvpn. Existing client certificates also work. But I
hope someone can throw more "practical light" on the following listed items:
OpenVPN and Firewall:
During initial testing I disabled the SuseFW2 on my workstation. With
YaST2 I've allowed the OpenVPN port 119x for TCP and UDP to the external
zone.
The OpenVPN BRIDGING document
http://openvpn.net/index.php/documentation/miscellaneous/ethernet-bridging.…
tells that the following additional entries should be set in the firewall:
iptables -A INPUT -i tap0 -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A FORWARD -i br0 -j ACCEPT
How can this be set in SuseFW2, preferably with YaST2?
After the OpenVPN rpm installation there is also a longer sample firewall
config file located as
/usr/share/doc/packages/openvpn/sample-config-files/firewall.sh
Does anybody know if this sample OpenVPN-aware firewall script will work
for SuseFirewall, possibly how it may be customized to work?
Autostart OpenVPN during boot:
After the OpenVPN rpm installation there is available a script
/etc/init.d/openvpn
OpenVPN does not start automatic during boot. I can start openvpn from
/etc/openvpn with
openvpn server.conf
Another installed script document
/usr/share/doc/packages/openvpn/suse/openvpn.init
tells that OpenVPN can be started and stopped by the /etc/init.d init script
with
service openvpn start
service openvpn stop
This works. I'm unsure if this openvpn.init file should be copied to
/etc/rc.d/init.d/openvpn as mentioned and possibly how to use the YaST
runlevel editor.
There is also a third sample-script after the installation
/usr/share/doc/packages/openvpn/sample-scripts/openvpn.init
I'm unsure if this document has only relevance for Redhat and other
chkconfig-based systems.
Lastly, so far, I'm unsure what the purpose is with and possibly what to
do with the
/usr/share/doc/packages/openvpn/sample-config-files/xinetd-client-config
/usr/share/doc/packages/openvpn/sample-config-files/xinetd-server-config
The server file tells it should be renamed to openvpn or similar and
copied to /etc/xinet.d
xinet.d can then be made aware of this file by restarting it or sending
it a SIGHUP signal.
Thanks,
Terje J Hanssen
Hi List,
From before I have an OpenVPN server running in route mode on a Win2kTS
server on a SO network (a single network, no subnetting), with working
client connections from both Windows and Linux external clients.
With a new production SLES10/OES2 server, I wish to setup OpenVPN in
Bridge mode on this new server to reach the whole network instead. First
however, I wish to test this setup on a openSUSE 10.3 workstation, until
the OpenVPN Bridge works.
My hope is that existing client certificates, and the config files
generated on Windows after some modification, can also be used for the
OpenVPN server on Suse Linux.
Documentation:
On openvpn.net there are a general Linux OpenVPN Howto and an Ethernet
Bridging document.
After installing the openvpn-2.0.9-44 and bridge-utils-1.2-53 packages
on openSUSE, there is also some documentation and sample files located
in /usr/share/doc/packages/openvpn and /usr/share/doc/packages/bridge-utils.
I wonder if there may exist additional useful Suse Linux specific
documents (cool tips, quick start guide) for this setup job, which also
includes necessary Firewall setup (port, tap0 and br0)?
As I'm proficient with neither OpenVPN nor the Firewall, all hints
or issues to be aware of are welcome to get this painless working ;)
Rgds,
Terje J. Hanssen
Hi all,
As you probably know, SANS last week reported a vulnerability in
Adobe Flash Player versions 9.0.124.0 and older. Reference:
<http://isc.sans.org/diary.html?storyid=4465>
Two days later in a follow-up report, they amended their analysis
to versions ___ earlier than ___ "9.0.124.0."
<http://isc.sans.org/diary.html?storyid=4474>
("9.0.124.0" was released in April by Adobe.)
In the follow-up story, they included a link to Adobe's site to
test what version of Flash Player (if any) you have installed.
<http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_15507>
(I use "no-script" -- and as a policy I try not to go to any
flash sites -- but sometimes I need to :(
I tested my machine using the Adobe test page,
and first got "9.0.124.0" -- which is what I expected.
I then re-ran the test from a copy of their page
which I had downloaded and got Version: "9.0.115.0" !!!!!
Which is not so good and not what I expected.
It turns out last Fall when I installed openSUSE-10.3
I installed from the openSUSE DVD, the rpm labeled
"flash-plugin-9.0.115.0-release -Adobe Flash Player 9.0."
When the new patch came out for Adobe Flash in April,
I installed the rpm labeled: "flash-player-9.0.124.0-0.1 --
Macromedia Flash Plug-In,"
but that install did not remove the old rpm --
it was still there.
So after reading the SANS story, I removed the old rpm tonight
using kpackage (after testing if it was needed)
and as far as I can tell my "flash player is still working"
and the Adobe test page tells me I have
Flash Player 9.0.124.0 installed -- so life is good.
Since most of you probably don't use Flash,
this is probably not worth knowing,
but in case you do use Flash, using YaST2 or kpackage
you might want to check if you still have
"flash-plugin-9.0.115.0-release -Adobe Flash Player 9.0"
installed if you are running openSUSE-10.3.
(Sorry I wrote such a long email --
but I wanted it to be clear what the issue was in my mind.)
Hope this helps,
HAND.
--
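Added example, not from the post: the check the post does by hand in kpackage, done from a package list so it can run over any host's output. INSTALLED is a constructed stand-in for `rpm -qa | grep -i flash` built from the two package names quoted above; the version parsing assumes rpm's NAME-VERSION-RELEASE naming.

```shell
# Added example, not from the original post: find a superseded package that
# survived an upgrade, as happened above. INSTALLED is a constructed stand-in
# for "rpm -qa | grep -i flash" output built from the two names quoted above.
INSTALLED='flash-plugin-9.0.115.0-release
flash-player-9.0.124.0-0.1'

# Version field of an rpm NAME-VERSION-RELEASE string (first dotted numeric run).
pkg_version() {
    printf '%s\n' "$1" | sed -n 's/^[A-Za-z_-]*-\([0-9][0-9.]*\)-.*/\1/p'
}

# Compare two dotted versions field by field; prints -1, 0 or 1.
vercmp() {
    a=$1. b=$2.
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        a=${a#*.} b=${b#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Report every installed package older than the newest one in the list.
stale_packages() {
    newest=
    for pkg in $INSTALLED; do
        if [ -z "$newest" ] || [ "$(vercmp "$(pkg_version "$pkg")" "$(pkg_version "$newest")")" = 1 ]; then
            newest=$pkg
        fi
    done
    for pkg in $INSTALLED; do
        if [ "$pkg" != "$newest" ]; then
            echo "stale: $pkg (superseded by $newest)"
        fi
    done
}

stale_packages
```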