Problems Understanding SuSEfirewall2
Hi ! I seem to have a problem with SuSEfirewall2. I administrate a Linux router (SuSE 8.0) for a small network. This router serves as a gateway to the Internet as well as a firewall between the Net and my LAN. The LAN's mail server is also located on this machine, while the web server is on 100.120.55.2. Every PC in the LAN has a public IP, so I have to use routing without masquerading. The firewall is supposed to block all traffic between the Internet and the LAN except for the following protocols/ports: pop3, pop3s, http, https, ftp, ftps, smtp, ssh, domain. I also have to keep the port 7271 open for licensing purposes. Following the example files I built the config file listed below. However, I am not really satisfied with its performance. For example, it should not be possible to establish an ftp connection from the outside to one of my LAN computers, but the firewall doesn't prevent this at all. Also I want only certain outside machines to be able to connect to port 7271 on a certain computer within the LAN, yet it seems everybody can. What did I do wrong? BTW, the IPs in the config file below were changed, just to be on the safe side. Please help ! Thanks in advance, Jörg PS: Please reply to JLeicher@gmx.de, since I have not subscribed to this mailing list.
Here comes /etc/sysconfig/SuSEfirewall2 :
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="100.120.55.0/6,0/0,tcp,80 /
100.120.55.0/6,0/0,tcp,110 /
100.120.55.0/6,0/0,tcp,22 /
100.120.55.0/6,0/0,tcp,25 /
100.120.55.0/6,0/0,udp,53 /
100.120.55.0/6,0/0,tcp,53 /
100.120.55.0/6,0/0,tcp,995 /
0/0,100.120.55.2,tcp,80 /
100.120.204.51,100.120.55.18,tcp,7127 /
100.120.204.56,100.120.55.18,tcp,7127 /
100.120.204.58,100.120.55.18,tcp,7127 "
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
Quoting remote <remote@leat.ruhr-uni-bochum.de>:
Hi !
I seem to have a problem with SuSEfirewall2. I administrate a Linux router LAN except for the following protocols/ports : pop3, pop3s, http, https, ftp, ftps, smtp, ssh, domain. I also have to keep the port 7271 open for licensing purposes.
You should read the manual and general networking how-to stuff. You are giving access from the internet to set up a connection to your network (and to the firewall explicitly), which is wrong.
Please help !
For brevity I only show what should be changed. BB, Arjen
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_FORWARD="100.120.55.18,100.120.204.51,tcp,7127 \
100.120.55.18,100.120.204.56,tcp,7127 \
100.120.55.18,100.120.204.58,tcp,7127"
FW_KERNEL_SECURITY="yes"
Hi ! I recently asked for help regarding a secure setup for the SuSEfirewall2 on a router for a small LAN with public IPs. I received the following advice, which I implemented:
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_FORWARD="100.120.55.18,100.120.204.51,tcp,7127 \
100.120.55.18,100.120.204.56,tcp,7127 \
100.120.55.18,100.120.204.58,tcp,7127"
FW_KERNEL_SECURITY="yes"
The problem is, if I do this, every connection out of my LAN into the Net is down, the firewall blocks everything. The firewall also doubles as a mail and DNS server for the LAN, so these services have to be reachable. What I want it to do is to block everything but certain well defined connections to the internet, like http, pop3, smtp, ftp and ssh. Also, the outside world has to have access to a webserver on 100.120.55.2. If I understand it correctly, this would mean FW_FORWARD rules like:
100.120.55.0/6, 0/0,tcp, 80 # For LAN connection to the internet via http, other services similarly
0/0, 100.120.55.2,tcp,80 # for web server availability
but it doesn't seem to work. What do I miss? My original working but probably insecure setup is as follows:
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="100.120.55.0/6,0/0,tcp,80 /
100.120.55.0/6,0/0,tcp,110 /
100.120.55.0/6,0/0,tcp,22 /
100.120.55.0/6,0/0,tcp,25 /
100.120.55.0/6,0/0,udp,53 /
100.120.55.0/6,0/0,tcp,53 /
100.120.55.0/6,0/0,tcp,995 /
0/0,100.120.55.2,tcp,80 /
100.120.204.51,100.120.55.18,tcp,7127 /
100.120.204.56,100.120.55.18,tcp,7127 /
100.120.204.58,100.120.55.18,tcp,7127 "
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
Any suggestion is appreciated, Thanks in advance !
Ok, first I explain my setup a bit with some general stuff, then I review your original config (whose purpose I now do understand). Hth BB, Arjen List: I deemed it more purposeful in this case to quote the whole message On Thursday 22 May 2003 17:25, you wrote:
Hi !
I recently asked for help regarding a secure setup for the SuSEfirewall2 on a router for a small LAN with public IPs. I received the following advice which I implemented:
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_FORWARD="100.120.55.18,100.120.204.51,tcp,7127 \
100.120.55.18,100.120.204.56,tcp,7127 \
100.120.55.18,100.120.204.58,tcp,7127"
FW_KERNEL_SECURITY="yes"
The problem is, if I do this, every connection out of my LAN into the Net is down, the firewall blocks everything. The firewall also doubles as a mail and DNS server for the LAN, so these services have to be reachable.
Ok, well, these can both be the same error :) Was FW_ROUTE="yes" also there? (I don't remember.) And when the fw is the DNS server it also needs FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995", because if there is no DNS, internet access will fail. Remember, these are all for allowing services to be provided by software running _on_ the firewall, not for allowing access to services on servers somewhere in the internet.
What I want it to do is to block everything but certain well defined connections to the internet, like http, pop3, smtp, ftp and ssh. Also, the outside world has to have access to a webserver on 100.120.55.2. If I understand it correctly, this would mean FW_FORWARD rules like :
100.120.55.0/6, 0/0,tcp, 80 # For LAN connection to the internet via http, other services similarly
0/0, 100.120.55.2,tcp,80 # for web server availability
but it doesn't seem to work. What do I miss? My original working but probably insecure setup is as follows:
??? Are you sure you have /6 and not /8? (Which is already humongous to put behind a simple SuSE (Linux) firewall; that needs dedicated iron (more like platinum) if you would have that many devices.) In case those services are not provided by the fw and you want to disallow all other traffic to the internet but the ones you mention, you do indeed need such an elaborate setup, and set FW_ROUTE="no".
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
Set this to no; AFAIK the SuSE fw implicitly allows traffic from internal to external with this setting.
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
This means that the whole world is allowed to access your firewall on these ports! So this was your problem. Don't set this! Leave empty!
FW_SERVICES_EXT_UDP="53"
Same here, or are you actually providing domain services for the internet? (Me does not think so.)
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"
Only 53; if I understood you right, this is the only service that the fw actually provides itself.
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
Set to no and tell users to use passive ftp. Tell that to IE too, or be smart and install a proxy and let users use that.
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Set to no.
FW_SERVICE_AUTODETECT="no"
Set to yes; this does not open up any ports, it just makes the fw more efficient.
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="100.120.55.0/6,0/0,tcp,80 /
100.120.55.0/6,0/0,tcp,110 /
100.120.55.0/6,0/0,tcp,22 /
100.120.55.0/6,0/0,tcp,25 /
100.120.55.0/6,0/0,udp,53 /
100.120.55.0/6,0/0,tcp,53 /
100.120.55.0/6,0/0,tcp,995 /
0/0,100.120.55.2,tcp,80 /
100.120.204.51,100.120.55.18,tcp,7127 /
100.120.204.56,100.120.55.18,tcp,7127 /
100.120.204.58,100.120.55.18,tcp,7127 "
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
Set to yes (when the fw works).
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
Any suggestion is appreciated, Thanks in advance !
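The review above hinges on two things that are easy to misread in a long config: a FW_FORWARD entry names the source network first and the destination second, and a prefix like /6 covers far more addresses than a small LAN. The script below is an added example, not part of this thread, that renders a FW_FORWARD string as the iptables FORWARD rules it corresponds to, so each entry's direction can be checked before the firewall is reloaded. It assumes the documented SuSEfirewall2 entry format <source net>,<destination net>,<protocol>,<destination port> with entries separated by whitespace; the plain FORWARD chain stands in for SuSEfirewall2's own generated chains, which it does not reproduce, and the "/8 or longer" test for a plausible prefix is this script's own heuristic.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): render SuSEfirewall2
# FW_FORWARD entries as equivalent iptables FORWARD rules for review.
# Assumed entry format (SuSEfirewall2 documentation):
#   <source net>,<destination net>,<protocol>,<destination port>
# The plain FORWARD chain is an approximation; SuSEfirewall2 builds its
# own chains, which are not reproduced here.

# Print the iptables rule for one FW_FORWARD entry; return 1 when the
# entry does not have exactly four non-empty comma-separated fields.
fw_forward_rule() {
    entry=$1
    old_ifs=$IFS
    IFS=,
    set -- $entry
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for f in "$@"; do
        [ -n "$f" ] || return 1
    done
    printf 'iptables -A FORWARD -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$1" "$2" "$3" "$4"
}

# Return 0 when a network looks plausible for a LAN: "0/0" (anywhere),
# a bare host address, or a CIDR prefix between /8 and /32 (heuristic).
fw_prefix_ok() {
    net=$1
    case "$net" in
        0/0) return 0 ;;
        */*) len=${net##*/} ;;
        *)   return 0 ;;
    esac
    [ "$len" -ge 8 ] && [ "$len" -le 32 ]
}

# Render a whole FW_FORWARD value (whitespace-separated entries).
# Malformed tokens (such as a bare "/" used as a separator) are skipped
# with a warning; entries with an implausibly short prefix are flagged.
fw_forward_render() {
    for entry in $1; do
        rule=$(fw_forward_rule "$entry") || {
            printf '# WARNING: malformed entry skipped: %s\n' "$entry"
            continue
        }
        src=${entry%%,*}
        rest=${entry#*,}
        dst=${rest%%,*}
        if ! fw_prefix_ok "$src" || ! fw_prefix_ok "$dst"; then
            printf '# WARNING: prefix shorter than /8 in %s\n' "$entry"
        fi
        printf '%s\n' "$rule"
    done
}

# Usage: sh fw_forward_check.sh '0/0,100.120.55.2,tcp,80 100.120.204.51,100.120.55.18,tcp,7127'
if [ $# -gt 0 ]; then
    fw_forward_render "$*"
fi
```

Fed the FW_FORWARD value from the posted config, the output makes the direction of each entry explicit (for example that 100.120.204.51,100.120.55.18,tcp,7127 admits the external host into the LAN machine, while the reversed form in the suggested change admits the LAN machine out), reports the "/" tokens as malformed, and flags every 100.120.55.0/6 entry.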
* Arjen Runsink; <arjen@zeilers.net> on 19 May, 2003 wrote:
You should read the manual and general networking how-to stuff. You are giving access from the internet to set up a connection to your network (and to the firewall explicitly), which is wrong.
For the manual (OK, it is unofficial but may help): http://sourceforge.net/projects/susefaq there you will find the manual. HTH -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
participants (3): Arjen Runsink, remote, Togan Muftuoglu