Ok, first I explain my setup a bit with some general stuff, then I review your original config (whose purpose I now do understand). Hth BB, Arjen

List: I deemed it more purposeful in this case to quote the whole message.

On Thursday 22 May 2003 17:25, you wrote:
> Hi !
> I recently asked for help regarding a secure setup for the SuSEfirewall2 on a router for a small LAN with public IPs. I received the following advice which I implemented :
>
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP=""
> FW_SERVICES_EXT_UDP=""
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_FORWARD="100.120.55.18,100.120.204.51,tcp,7127 \
> 100.120.55.18,100.120.204.56,tcp,7127 \
> 100.120.55.18,100.120.204.58,tcp,7127"
> FW_KERNEL_SECURITY="yes"
>
> The problem is, if I do this, every connection out of my LAN into the Net is down, the firewall blocks everything. The firewall also doubles as a mail and DNS server for the LAN, so these services have to be reachable.
Ok, well these can both be the same error :) Was FW_ROUTE="yes" also there? (I don't remember.) And when the fw is DNS server it also needs FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995", because if there is no DNS, internet access will fail. Remember, these are all for allowing services to be provided by software running _on_ the firewall, not for allowing access to services on servers somewhere in the internet.
> What I want it to do is to block everything but certain well defined connections to the internet, like http, pop3, smtp, ftp and ssh. Also, the outside world has to have access to a webserver on 100.120.55.2. If I understand it correctly, this would mean FW_FORWARD rules like :
>
> 100.120.55.0/6, 0/0,tcp, 80 # For LAN-connection to the internet via http

??? Are you sure you have /6 not /8? (Which is already humongous to put behind a simple SuSE (linux) firewall. That needs dedicated iron (more like platinum) if you would have that many devices.)

> other services similarly, and 0/0, 100.120.55.2,tcp,80 # for web server availability

In case those services are not provided by the fw and you want to disallow all other traffic to the internet but the one you mention, you do indeed need such an elaborate setup, and set FW_ROUTE="no".

> but it doesn't seem to work. What do I miss ? My original working but probably insecure setup is as follows :
> FW_DEV_EXT="eth1"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ=""
> FW_ROUTE="yes"

Set this to no. AFAIK SuSE fw implicitly allows traffic from internal to external with this setting.

> FW_MASQUERADE="no"
> FW_MASQ_DEV=""
> FW_MASQ_NETS=""
> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="no"
> FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"

This means that the whole world is allowed to access your firewall on these ports! Don't set this! Leave empty! So this was your problem.

> FW_SERVICES_EXT_UDP="53"

Same here, or are you actually providing domain services for the internet? (Me does not think so.)

> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"

Only 53, if I understood you right this is the only service that the fw actually provides itself.

> FW_SERVICES_INT_UDP="53"
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

Set to no and tell users to use passive ftp. Tell that to IE too, or be smart and install a proxy and let users use that.

> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

Set to no.

> FW_SERVICE_AUTODETECT="no"

Set to yes, this does not open up any ports, it just makes the fw more efficient.

> FW_SERVICE_DNS="yes"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD="100.120.55.0/6,0/0,tcp,80 \
> 100.120.55.0/6,0/0,tcp,110 \
> 100.120.55.0/6,0/0,tcp,22 \
> 100.120.55.0/6,0/0,tcp,25 \
> 100.120.55.0/6,0/0,udp,53 \
> 100.120.55.0/6,0/0,tcp,53 \
> 100.120.55.0/6,0/0,tcp,995 \
> 0/0,100.120.55.2,tcp,80 \
> 100.120.204.51,100.120.55.18,tcp,7127 \
> 100.120.204.56,100.120.55.18,tcp,7127 \
> 100.120.204.58,100.120.55.18,tcp,7127"
> FW_FORWARD_MASQ=""
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="no"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
> FW_KERNEL_SECURITY="no"

Set to yes (when fw works).

> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="yes"
> ##
> # END of rc.firewall
> ##
> #                                                                         #
> #-------------------------------------------------------------------------#
> #                                                                         #
> # EXPERT OPTIONS - all others please don't change these!                  #
> #                                                                         #
> #-------------------------------------------------------------------------#
> #                                                                         #
> FW_ALLOW_FW_TRACEROUTE="yes"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_IGNORE_FW_BROADCAST="yes"
> FW_ALLOW_CLASS_ROUTING="no"
> #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
>
> Any suggestion is appreciated, Thanks in advance !