# FW_DEV_EXT="eth0" # # FW_DEV_INT="eth1" # # # FW_DEV_DMZ="eth0" # # # # FW_ROUTE="yes" # # FW_MASQUERADE="yes" # FW_MASQ_DEV="$FW_DEV_EXT" # # FW_MASQ_NETS="192.168.1.0/24" # FW_PROTECT_FROM_INTERNAL="no" # # # FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP}) # # FW_AUTOPROTECT_SERVICES="no" # # 9.) # Common: smtp domain FW_SERVICES_EXT_TCP="smtp domain" # Common: domain FW_SERVICES_EXT_UDP="domain" # Common: domain # For VPN/Routing which END at the firewall!! FW_SERVICES_EXT_IP="" # # Common: smtp domain FW_SERVICES_DMZ_TCP="25" # Common: domain FW_SERVICES_DMZ_UDP="" # For VPN/Routing which END at the firewall!! FW_SERVICES_DMZ_IP="" # # Common: ssh smtp domain FW_SERVICES_INT_TCP="25 110" # Common: domain syslog FW_SERVICES_INT_UDP="53" # For VPN/Routing which END at the firewall!! FW_SERVICES_INT_IP="" # # 10.) # FW_TRUSTED_NETS="192.168.1.0/24" # # 11.) # # Common: "ftp-data", better is "yes" to be sure that everything else works :-( FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" # Common: "DNS" or "domain ntp", better is "yes" to be sure ... FW_ALLOW_INCOMING_HIGHPORTS_UDP="NO" # # 12.) # Are you running some of the services below? # They need special attention - otherwise they won´t work! # # Set services you are running to "yes", all others to "no", defaults to "no" # if not set. # FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting # # If you are running bind/named set to yes. Remember that you have to open # port 53 (or "domain") as udp/tcp to allow incoming queries. # Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes" FW_SERVICE_DNS="no" # # if you use dhclient to get an ip address you have to set this to "yes" ! FW_SERVICE_DHCLIENT="no" # # set to "yes" if this server is a DHCP server FW_SERVICE_DHCPD="no" # # set to "yes" if this server is running squid. You still have to open the # tcp port 3128 to allow remote access to the squid proxy service. FW_SERVICE_SQUID="no" # # set to "yes" if this server is running a samba server. You still have to open # the tcp port 139 to allow remote access to SAMBA. FW_SERVICE_SAMBA="no" # # 13.) # Which services accessed from the internet should be allowed to the # dmz (or internal network - if it is not masqueraded)? # REQUIRES: FW_ROUTE # # A forwarding rule consists of 1) source IP/net and 2) destination IP # seperated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24" # Optional is a protocol, seperated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp" # Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514" # FW_FORWARD="" # Beware to use this! # # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? # REQUIRES: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must be in a masqueraded segment and may not have public IP addesses! # Hint: if FW_DEV_MASQ is set to the external interface you have to set # FW_FORWARD from internal to DMZ for the service as well to allow access # from internal! # # Please note that this should *not* be used for security reasons! You are # opening a hole to your precious internal network. If e.g. the webserver there # is compromised - your full internal network is compromised!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forward masquerade rules, seperated each by a space. # A forward masquerade rule consists of 1) source IP/net, 2) destination IP # (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port, # seperated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80" # Optional is a port after the destination port, to redirect the request to # a different destination port on the destination IP, e.g. # "4.0.0.0/8,1.1.1.1,tcp,80,81" # FW_FORWARD_MASQ="" # Beware to use this! # # 15.) # Which accesses to services should be redirected to a localport on the # firewall machine? # # This can be used to force all internal users to surf via your squid proxy, # or transparently redirect incoming webtraffic to a secure webserver. # # Choice: leave empty or use the following explained syntax of redirecting # rules, seperated by a space. # A redirecting rule consists of 1) source IP/net, 2) destination IP/net, # 3) protocol (tcp or udp) 3) original destination port and 4) local port to # redirect the traffic to, seperated by a colon. e.g.: # "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080" # FW_REDIRECT="" # # 16.) # FW_LOG_DROP_CRIT="yes" # FW_LOG_DROP_ALL="no" # FW_LOG_ACCEPT_CRIT="yes" # FW_LOG_ACCEPT_ALL="no" # # only change/activate this if you know what you are doing! FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" # # 17.) # Do you want to enable additional kernel TCP/IP security features? # FW_KERNEL_SECURITY="yes" # # 18.) # Keep the routing set on, if the firewall rules are unloaded? # REQUIRES: FW_ROUTE # # FW_STOP_KEEP_ROUTING_STATE="no" # # 19.) # Allow (or don't) ICMP echo pings on either the firewall or the dmz from # the internet? The internet option is for allowing the DMZ and the internal # network to ping the internet. # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_EXT # # Choice: "yes" or "no", defaults to "no" if not set # FW_ALLOW_PING_FW="yes" # FW_ALLOW_PING_DMZ="no" # FW_ALLOW_PING_EXT="no" ## # END of rc.firewall ## # # #-------------------------------------------------------------------------# # # # EXPERT OPTIONS - all others please don't change these! # # # #-------------------------------------------------------------------------# # # # # 20.) # Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall. # This is used for traceroutes to your firewall (or traceroute like tools). # # Please note that the unix traceroute only works if you say "yes" to # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say # additionally "yes" to FW_ALLOW_PING_FW # # Choice: "yes" or "no", defaults to "no" if not set. # FW_ALLOW_FW_TRACEROUTE="yes" # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Choice: "yes" or "no", defaults to "yes" # FW_ALLOW_FW_SOURCEQUENCH="yes" # # 22.) # Allow/Ignore IP Broadcasts? # # If set to yes, the firewall will not filter broadcasts by default. # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast # option is used. # If you do not want to allow them however ignore the annoying log entries, # set FW_IGNORE_FW_BROADCAST to yes. # # Choice: "yes" or "no", defaults to "no" if not set. # FW_ALLOW_FW_BROADCAST="no" # FW_IGNORE_FW_BROADCAST="yes" # # 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_CLASS_ROUTING="no" # # 25.) # Do you want to load customary rules from a file? # # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom # #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"