As far as I know then (as I have the same, only my webserver is on the Gateway itself (home network)), the mail from Andreas Mueller could help you out!

FW_FORWARD_MASQ="0/0,10.3.1.34,tcp,5678,80"

meaning indeed: source ip, destination ip, protocol, source port, destination port

What you should definitely do is open port 5678 on FW_SERVICES_EXT_TCP, otherwise the firewall won't allow clients to connect. And you can get rid of port 80 on EXT because you use the other port for it.

FW_SERVICES_EXT_TCP="25 53 5678"

As for opening port 80 on the gateway on FW_SERVICES_INT_TCP ... If you run a webserver on it, you can leave it open, else close it as this is an open port doing nothing ;) (meaning if you want security to be high: close everything you don't need)

If LAN users connect to your webserver the routing tables on the network know they don't have to go over the gateway so it will find the webserver anywayz ...

Hope this helped you out a bit ...

regards
Chris
You wrote :
Thanks for your prompt answer

a.) The local users enter by default port 80 (transparently). Nevertheless for external users this should not be the case. They should give on the explorer the address http://204.87.34.12:5678 (just an example). Then the firewall should redirect this request on port 5678 on device (206.87.34.1) to the internal server 10.3.1.34 port 80.

b.) The Webserver accesses the database itself presenting the result in a webpage obviously.

René

On Thursday 24 October 2002 09:00, you wrote:
Hi,
When users are connecting to your webserver, do they have to enter the port number or is it port 80 by default?
I know here in Belgium ports under 1024 get blocked with certain providers unless you pay for a more expensive "solution".
Plus: does the webserver access the database itself (localhost) and then present the results in a webpage, or do the clients have to have a connection to the database themselves?
regards
Chris
----- Original Message ----- From: "René Garizzao" <rgarizzao@comfenalco.com> To: <suse-security@suse.com> Sent: Thursday, October 24, 2002 3:54 PM Subject: [suse-security] suse-security list
Hello Uli, I present to you the following problem I haven't closed successfully:

Configuration:
==========

Internal      <--->  Firewall (SuSE8.0)      <--->  Internet  <--->  Client
Web Server           (int_dev: 10.3.1.10)
(10.3.1.34)          (ext_dev: x.y.z.a)
Well, a certain client shall connect to the internal Web server to make use of a database application. The Client should give the ext_dev ip address and the desired port to connect, i.e. http://x.y.z.a:5678 The request should pass through the firewall and be redirected straight to the webserver 10.3.1.34 (port 80). I tried different configuration examples without success. Have you any experience with this?

SuSEfirewall Configuration
===================
(This configuration uses port 80 and not the desired high port 5678)
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="10.3.0.0/16"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="25 53 80"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_INT_TCP="25 53 80"
FW_SERVICES_INT_UDP="53"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_DNS="yes"
FW_FORWARD="0/0,x.y.z.a,tcp,80 x.y.z.a,10.3.1.34,tcp,80 0/0,10.3.1.34/255.255.255.255,tcp,80"
# FW_REDIRECT="10.3.0.0/16,0/0,tcp,53,53 10.3.0.0/16,0/0,tcp,25,25 10.3.0.0/16,0/0,udp,53,53 10.3.1.34,0/0,tcp,80,80"
===========================================================
Thanks in advance for any further help you could provide me.
Hi Chris!
What you should definitely do is open port 5678 on FW_SERVICES_EXT_TCP, otherwise the firewall won't allow clients to connect. And you can get rid of port 80 on EXT because you use the other port for it.
FW_SERVICES_EXT_TCP="25 53 5678"
That's not necessary for SuSE-FW2 (at least in 8.0), because the forwarding code will create the needed ACCEPT rules independently of the settings in FW_SERVICES_EXT_TCP. However, if the destination host is itself not masqueraded, e.g., not listed in FW_MASQ_NETS, the reply packets won't get back through the firewall. I found that out while setting up a Windows web server that should only accept incoming connections on port 80 and have no other Internet access.

Regards, Andy

--
Andreas J. Mueller email: <andy@muelli.net> PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602
Hi,

ic! Looks like I am going to experiment a bit with my server tonight ;))) Thanks for the info! Could come in very handy for me ;) This way I can also protect my Win"blows" Unreal server (in the LAN) a bit more from sending out sh*tty stuff when infected with a virus of some sort .. Of course I take my precautions, but some extra security is always welcome ;)

Thanks again

Regards
Chris

----- Original Message ----- From: "Andreas J Mueller" <andy@muelli.net> To: <suse-security@suse.com> Sent: Thursday, October 24, 2002 6:46 PM Subject: Re: [suse-security] suse-security list
Hi Chris!
What you should definitely do is open port 5678 on FW_SERVICES_EXT_TCP, otherwise the firewall won't allow clients to connect. And you can get rid of port 80 on EXT because you use the other port for it.
FW_SERVICES_EXT_TCP="25 53 5678"
That's not necessary for SuSE-FW2 (at least in 8.0), because the forwarding code will create the needed ACCEPT rules independently of the settings in FW_SERVICES_EXT_TCP. However, if the destination host is itself not masqueraded, e.g., not listed in FW_MASQ_NETS, the reply packets won't get back through the firewall. I found that out while setting up a Windows web server that should only accept incoming connections on port 80 and have no other Internet access.
Regards, Andy
--
Andreas J. Mueller email: <andy@muelli.net> PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602
* Andreas J Mueller; <andy@muelli.net> on 24 Oct, 2002 wrote:
Hi Chris!
What you should definitely do is open port 5678 on FW_SERVICES_EXT_TCP, otherwise the firewall won't allow clients to connect. And you can get rid of port 80 on EXT because you use the other port for it.
FW_SERVICES_EXT_TCP="25 53 5678"
That's not necessary for SuSE-FW2 (at least in 8.0), because the forwarding code will create the needed ACCEPT rules independently of the settings in FW_SERVICES_EXT_TCP. However, if the destination host
Correct, as FW_SERVICES_EXT_* means anything that is running on the firewall machine itself.
However, if the destination host is itself not masqueraded, e.g., not listed in FW_MASQ_NETS, the reply packets won't get back through the firewall. I found that out while
This is true if you are using the FW_FORWARD_MASQ variable, as this is used for forwarding requests to private IP machines. If you have routable IPs then you should be using FW_FORWARD, which does not need FW_MASQ_NETS.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
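A small config checker for the two pitfalls this thread settles on (Andreas: a FW_FORWARD_MASQ target must also be covered by FW_MASQ_NETS or replies never come back through the firewall; Togan: FW_FORWARD is for routable targets, private ones belong in FW_FORWARD_MASQ). This is an added example, not code from any of the posters or from SuSEfirewall2 itself; it assumes the FW_FORWARD_MASQ field order as used in the thread's example entry and runs over a constructed config fragment.

```python
import ipaddress
import shlex

# Constructed SuSEfirewall2 fragment, not any poster's real file: 10.3.1.34 is reached
# via FW_FORWARD_MASQ but FW_MASQ_NETS no longer covers it (Andreas' reply-path problem),
# and a plain FW_FORWARD entry also targets that private host (Togan's point).
BROKEN_CONFIG = '''
FW_MASQUERADE="yes"
FW_MASQ_NETS="10.3.2.0/24"
FW_FORWARD_MASQ="0/0,10.3.1.34,tcp,5678,80"
FW_FORWARD="0/0,10.3.1.34/255.255.255.255,tcp,80"
'''

def parse_config(text):
    """Map VAR -> value for VAR="value" lines; comments and blanks are skipped."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        cfg[key.strip()] = shlex.split(raw)[0] if raw.strip() else ""
    return cfg

def to_network(spec):
    """SuSEfirewall2 spells 'anywhere' as 0/0; dotted netmasks are accepted too."""
    if spec == "0/0":
        spec = "0.0.0.0/0"
    return ipaddress.ip_network(spec, strict=False)

def check_forwarding(text):
    """Return findings for the two forwarding pitfalls discussed in the thread."""
    cfg = parse_config(text)
    findings = []
    masq_nets = [to_network(n) for n in cfg.get("FW_MASQ_NETS", "").split()]
    # Field order as used in the thread's example entry (my reading of it):
    # source net, destination host, protocol, port on the firewall, port on the host.
    for entry in cfg.get("FW_FORWARD_MASQ", "").split():
        fields = entry.split(",")
        if len(fields) < 4:
            findings.append(f"FW_FORWARD_MASQ entry '{entry}' has too few fields")
        elif not any(to_network(fields[1]).subnet_of(n) for n in masq_nets):
            findings.append(f"FW_FORWARD_MASQ target {fields[1]} is not in FW_MASQ_NETS; "
                            "replies will not return through the firewall")
    for entry in cfg.get("FW_FORWARD", "").split():  # FW_FORWARD is for routable targets
        fields = entry.split(",")
        if len(fields) >= 2 and to_network(fields[1]).is_private:
            findings.append(f"FW_FORWARD target {fields[1]} is private; use FW_FORWARD_MASQ")
    return findings
```

Widening FW_MASQ_NETS back to 10.3.0.0/16 (as in René's original config) and dropping the FW_FORWARD entry makes the checker return no findings.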