An Upgrade to 8.1 just might be in order. But I still have to come up with the scripts for my firewall. If any one has something or some advice or tools that would be great. Basically I could pluck around and figure it out but that takes too much time. I'd like to have my site up ASAP. Does anyone have scripts that would allow something like this to work. Say maybe something with one interface to the internet and maybe one web server and dns along with full outbound access for a workstation. I could build off of that pretty easly. I have some scripts that I came up with but I am still trying to put it all together. PS- where can I find the upgrades to what is in the SUSE 8.1 firewall2 as opposed to the SUSE 8.0 Firewall2. Thanks Mike W Howard, Neal wrote:

Actually I'd advise you to upgrade to SuSE 8.1 to get some new features in the SuSEFirewall2 that will let you have multiple external ip addresses, even aliases on a single external NIC, and route/forward them using the FW_FORWARD_MASQ feature to different separate internal ip addresses behind the firewall. The SuSEFirewall2 features in SuSE 8.0 only assumes that you have a single external interface with a single external ip address. The new version handles more elaborate combinations of mix-matching multiple external addresses to internal ones as well as mix-matching tcp and udp port numbers too.

You could also stick with SuSE 8.0 and use another tool like Shorewall instead of SuSEfirewall2 to generate the brain-hurting iptables configs.

I chose to upgrade SuSE 8.1 myself instead of having to learn a different set of firewall managemnt tools. That would let you do away with multiple external NICS too and just simply stack multiple aliased ip addresses onto a single external nic.

-----Original Message----- From: mike wilsher [mailto:mwilsher@yahoo.com] Sent: Wednesday, January 22, 2003 11:36 AM To: suse-security@suse.com Subject: [suse-security] Help needed with susefirewall2

I have SUSE 8.0 and am running SuSEfirewall2 and I have the below setup;

---------------------- | | | DSL Modem | | | ---------------------- | | ---------------------- | | | HUB | | | ---------------------- | | ---------------------- |eth1 eth2 | | | | SuSE Firewall2 | | | | | | eth0 | ---------------------- | | ---------------------- | | | HUB | | | ---------------------- | | | | | | | | | | | | | | L_______ workstation_a WEB1 | | | x.x.x.30 x.x.x.6 | | L_________ workstation_b | | x.x.x.31 WEB2 | x.x.x.7 | | Mail1/ftp1/scp1 x.x.x.8

IP Addresses; eth1 and eth2 are ISP assigned STATIC addresses.

I need to permit the exchange of DNS services to my internal machines

Internal addresses are 192.168.0.x

What I want to do;

web traffic on eth1 needs to go to web1 ( port 80 httpmhttps) my work web server

pop, ftp and scp traffic on eth1 needs to Mail1/ftp1/scp1

web traffic on eth2 needs to go to web2 ( port 80 http,https) my other web server

the workstation_a and workstation_b both shoudl be able to surf the net as well as access the internal pop as well as access external pop as well as any other internet based service.

So what the heck do I need to do to my SuSEfirewall2 and SuSEfirewall2-custom files?

Any help out there?

Thanks.

-- Mike Wilsher - Unix/Security/Disaster Recovery PGP = 5E 1C 46 C6 0A 49 FF A6 94 72 2C FA D3 C6 1C 28 9D DF 7E EB NIHRC KC5BOD