Re: [suse-security] Help needed with susefirewall2
An upgrade to 8.1 just might be in order. But I still have to come up with the scripts for my firewall. If anyone has something, or some advice or tools, that would be great. Basically I could pluck around and figure it out, but that takes too much time. I'd like to have my site up ASAP. Does anyone have scripts that would allow something like this to work? Say maybe something with one interface to the internet and maybe one web server and DNS, along with full outbound access for a workstation. I could build off of that pretty easily. I have some scripts that I came up with, but I am still trying to put it all together.

PS- where can I find the upgrades to what is in the SUSE 8.1 firewall2 as opposed to the SUSE 8.0 Firewall2.

Thanks
Mike W

Howard, Neal wrote:
Actually I'd advise you to upgrade to SuSE 8.1 to get some new features in SuSEFirewall2 that will let you have multiple external IP addresses, even aliases on a single external NIC, and route/forward them using the FW_FORWARD_MASQ feature to different, separate internal IP addresses behind the firewall. The SuSEFirewall2 features in SuSE 8.0 only assume that you have a single external interface with a single external IP address. The new version handles more elaborate combinations of mix-matching multiple external addresses to internal ones, as well as mix-matching TCP and UDP port numbers too.

You could also stick with SuSE 8.0 and use another tool like Shorewall instead of SuSEfirewall2 to generate the brain-hurting iptables configs.

I chose to upgrade to SuSE 8.1 myself instead of having to learn a different set of firewall management tools. That would let you do away with multiple external NICs too and just simply stack multiple aliased IP addresses onto a single external NIC.
-----Original Message----- From: mike wilsher [mailto:mwilsher@yahoo.com] Sent: Wednesday, January 22, 2003 11:36 AM To: suse-security@suse.com Subject: [suse-security] Help needed with susefirewall2
I have SUSE 8.0 and am running SuSEfirewall2, and I have the setup below:
   ----------------------
   |                    |
   |     DSL Modem      |
   |                    |
   ----------------------
             |
   ----------------------
   |                    |
   |        HUB         |
   |                    |
   ----------------------
        |          |
   ----------------------
   |eth1          eth2  |
   |                    |
   |   SuSE Firewall2   |
   |                    |
   |        eth0        |
   ----------------------
             |
   ----------------------
   |                    |
   |        HUB         |
   |                    |
   ----------------------
     |    |    |    |    |
     |    |    |    |    L_______ workstation_a   x.x.x.30
     |    |    |    L_________ WEB1            x.x.x.6
     |    |    L___________ workstation_b   x.x.x.31
     |    L_____________ WEB2            x.x.x.7
     L_______________ Mail1/ftp1/scp1 x.x.x.8
IP addresses: eth1 and eth2 are ISP-assigned STATIC addresses.
I need to permit the exchange of DNS services to my internal machines
Internal addresses are 192.168.0.x
What I want to do:
web traffic on eth1 needs to go to web1 (port 80 http, https), my work web server
pop, ftp and scp traffic on eth1 needs to go to Mail1/ftp1/scp1
web traffic on eth2 needs to go to web2 (port 80 http, https), my other web server
workstation_a and workstation_b should both be able to surf the net, as well as access the internal pop, as well as access external pop, as well as any other internet-based service.
So what the heck do I need to do to my SuSEfirewall2 and SuSEfirewall2-custom files?
Any help out there?
Thanks.
-- Mike Wilsher - Unix/Security/Disaster Recovery PGP = 5E 1C 46 C6 0A 49 FF A6 94 72 2C FA D3 C6 1C 28 9D DF 7E EB NIHRC KC5BOD
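To make Neal's description of FW_FORWARD_MASQ concrete against Mike's wanted setup (two ISP addresses, web1 and web2 on separate addresses, pop/ftp/scp on a third box, full outbound access for the workstations), here is an added example that is not from the thread or from the SuSEfirewall2 package. It assumes the FW_FORWARD_MASQ entry format `<source net>,<forward-to ip>,<protocol>,<port>[,<redirect port>[,<destination ip>]]` as documented in later SuSEfirewall2 releases (check the comment block in your own config file before relying on the sixth field on 8.1), and the public addresses 203.0.113.1 and 203.0.113.2 are constructed placeholders for the two static addresses on eth1 and eth2. The helper functions, which render each entry as the DNAT rule it amounts to and count entries per internal host, are my own auditing aid, not what SuSEfirewall2 itself emits.

```shell
#!/bin/sh
# Added example, not from the thread or from the SuSEfirewall2 package.
# Assumed FW_FORWARD_MASQ format (documented in later SuSEfirewall2 releases):
#   <source net>,<forward-to ip>,<protocol>,<port>[,<redirect port>[,<destination ip>]]
# 203.0.113.1 / 203.0.113.2 are constructed placeholders for the ISP addresses on
# eth1 / eth2. Internal hosts follow Mike's diagram in 192.168.0.0/24:
# web1 = .6, web2 = .7, mail1/ftp1/scp1 = .8.

FW_DEV_EXT="eth1 eth2"          # two external NICs (or aliases on one NIC)
FW_DEV_INT="eth0"               # internal LAN
FW_ROUTE="yes"                  # allow forwarding between zones at all
FW_MASQUERADE="yes"             # SNAT the LAN out through the external side
FW_MASQ_NETS="192.168.0.0/24"   # workstations get full outbound access

# One entry per published service. Traffic to the first public address goes to
# web1 and the mail/ftp/ssh box; traffic to the second public address goes to web2.
FW_FORWARD_MASQ="\
0/0,192.168.0.6,tcp,80,80,203.0.113.1 \
0/0,192.168.0.6,tcp,443,443,203.0.113.1 \
0/0,192.168.0.8,tcp,110,110,203.0.113.1 \
0/0,192.168.0.8,tcp,21,21,203.0.113.1 \
0/0,192.168.0.8,tcp,22,22,203.0.113.1 \
0/0,192.168.0.7,tcp,80,80,203.0.113.2 \
0/0,192.168.0.7,tcp,443,443,203.0.113.2"

# Render one entry as the nat/PREROUTING DNAT rule it amounts to. This is an
# illustrative translation for reviewing what was asked for, not the rule text
# SuSEfirewall2 itself generates.
masq_entry_to_dnat() {
    oldIFS=$IFS; IFS=,
    set -- $1                       # split the entry on commas
    IFS=$oldIFS
    src=$1; to=$2; proto=$3; port=$4; rport=${5:-$4}; dst=${6:-}
    dstmatch=""
    if [ -n "$dst" ]; then
        dstmatch=" -d $dst"         # only match this public address
    fi
    echo "iptables -t nat -A PREROUTING -s $src$dstmatch -p $proto --dport $port -j DNAT --to-destination $to:$rport"
}

# How many entries point at a given internal host? A quick check against a
# typo that leaves a server unreachable or publishes an unintended one.
count_forwards_to() {
    n=0
    for e in $FW_FORWARD_MASQ; do
        case $e in *,$1,*) n=$((n + 1)) ;; esac
    done
    echo $n
}

for e in $FW_FORWARD_MASQ; do masq_entry_to_dnat "$e"; done
```

Two caveats worth keeping in mind when reviewing such a list: the ftp entry only covers the control channel, so data connections through the NAT box still depend on the kernel's FTP connection-tracking helper being loaded; and forwarding POP on port 110 publishes a cleartext-password service to the whole internet, so restrict the source network in that entry if the users' locations allow it.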
On 22 Jan 2003 at 15:23, mike wilsher wrote:
[...]
PS- where can I find the upgrades to what is in the SUSE 8.1 firewall2 as opposed to the SUSE 8.0 Firewall2.

Just use the source-rpm for the 8.1 Firewall2 script and build your own rpm for your version. That's what I did for my 7.3 server. After that you should fix line 518 in /sbin/SuSEfirewall2:

Line 518 old (one line):
test "$FW_ROUTE" = no -a "$FW_ALLOW_PING_DMZ" = yes -o "FW_ROUTE" = no -a "$FW_ALLOW_PING_EXT" = yes && \

Line 518 new:
test "$FW_ROUTE" = no -a "$FW_ALLOW_PING_DMZ" = yes -o "$FW_ROUTE" = no -a "$FW_ALLOW_PING_EXT" = yes && \

It will run fine on your server. There is no need to upgrade the whole server.

Andreas
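The missing "$" that Andreas points out is easy to misjudge as cosmetic, so here is an added example (not from the thread or the SuSEfirewall2 package) that runs his "old" and "new" line 518 expressions side by side. The two test expressions are his lines verbatim; the function names and the table harness are assumptions of this example. In the old line, the third comparison tests the literal word "FW_ROUTE" against "no", which is never true, so the whole FW_ALLOW_PING_EXT branch is dead code: setting that option has no effect unless FW_ALLOW_PING_DMZ happens to be set too.

```shell
#!/bin/sh
# Added example, not from the thread or the SuSEfirewall2 package. The two test
# expressions are Andreas's old/new line 518; the function names and the table
# harness are assumptions of this example.

# Old line 518: "FW_ROUTE" (no $) is a literal string, so the -o branch is dead.
ping_rule_old() {
    FW_ROUTE=$1; FW_ALLOW_PING_DMZ=$2; FW_ALLOW_PING_EXT=$3
    if test "$FW_ROUTE" = no -a "$FW_ALLOW_PING_DMZ" = yes -o "FW_ROUTE" = no -a "$FW_ALLOW_PING_EXT" = yes; then
        echo yes
    else
        echo no
    fi
}

# New line 518: "$FW_ROUTE" in both branches. Since -a binds tighter than -o in
# test(1), this reads (ROUTE=no AND PING_DMZ=yes) OR (ROUTE=no AND PING_EXT=yes).
ping_rule_new() {
    FW_ROUTE=$1; FW_ALLOW_PING_DMZ=$2; FW_ALLOW_PING_EXT=$3
    if test "$FW_ROUTE" = no -a "$FW_ALLOW_PING_DMZ" = yes -o "$FW_ROUTE" = no -a "$FW_ALLOW_PING_EXT" = yes; then
        echo yes
    else
        echo no
    fi
}

# Tabulate whether the code guarded by that test would run, for every
# combination of the three switches, under the old and the new line.
show_table() {
    printf '%-9s %-19s %-19s %-4s %-4s\n' FW_ROUTE FW_ALLOW_PING_DMZ FW_ALLOW_PING_EXT old new
    for r in yes no; do for d in yes no; do for e in yes no; do
        printf '%-9s %-19s %-19s %-4s %-4s\n' "$r" "$d" "$e" "$(ping_rule_old "$r" "$d" "$e")" "$(ping_rule_new "$r" "$d" "$e")"
    done; done; done
}

show_table
```

The row FW_ROUTE=no, FW_ALLOW_PING_DMZ=no, FW_ALLOW_PING_EXT=yes is the one that differs: the old line silently ignores the configured option, which is exactly the kind of discrepancy between what the config says and what the rule set does that is worth checking with `iptables -L -n -v` after every change.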
I didn't word this very well. I was interested in a feature list and a list of enhancements in SuSEFirewall2 for SuSE 8.1 vs 8.0. I already know where/how to get and do the rpm install; that's no biggie. Yeah, I realize I do not have to upgrade the whole thing. Thanks for the info about line 518; I noticed the missing "$".

So does anyone have any running/working SuSEfirewall2 and SuSEfirewall2-custom config scripts that I can pilfer parts from...

Thanks again
-- Mike Wilsher - Unix/Security/Disaster Recovery PGP = 5E 1C 46 C6 0A 49 FF A6 94 72 2C FA D3 C6 1C 28 9D DF 7E EB NIHRC KC5BOD
* mike wilsher;
I didn't word this very well. I was interested in a feature list and a list of enhancements in SuSEFirewall2 for SuSE 8.1 vs 8.0. I already know where/how to get and do the rpm install; that's no biggie. Yeah, I realize I do not have to upgrade the whole thing.

Look at the changelog; look at the diffs.

So does anyone have any running/working SuSEfirewall2 and SuSEfirewall2-custom config scripts that I can pilfer parts from...

Although it does not have a full setup, have you checked Chapter 8 of the SuSEfirewall2 documentation of the Unofficial SuSEFAQ http://sourceforge.net/projects/susefaq

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx