Hello there,

I'm not sure if this question belongs on this ML, but as it's FW2-related I think I'd post it here ...

An external office has two DSL connections (don't ask why ... they have it ... ;)). The LAN (office systems) should be connected to the internet for browsing, email, etc. using one DSL connection. The second one should be dedicated to getting remote access to one special system there.

Scenario:

                      ____________
                     |            |
DSL-line 1 ---       |eth0 -- eth2| --- LAN (browsing, email, etc.)
(Provider 1)         |            |
                     |  SuSE 9.2  |
                     |            |
DSL-line 2 ---       |eth1 -- eth3| --- dedicated system (separate network)
(Provider 1)         |            |
                      ------------

Restrictions:
- no permitted connections from eth1 <-> eth2 & eth0 <-> eth3
- FW for eth0 accepts traffic for browsing, emails, etc. only
- FW for eth1 accepts traffic for rc-software (VNC or RDP or so) only

Can this be realized using a SuSE 9.2 system? If yes, how to configure/set it up?

As we have some 9.2 systems running, acting as webservers or routers, we'd like to use one for this scenario, too ...

Thanks in advance & have a nice day
Torsten
Hello Torsten,

On Monday 09 May 2005 12:53, Torsten E. wrote: [...snipp...]
Can this be realized using an SuSE 9.2 system? If Yes, how to configure/setup it?
First, yes, you can use SuSE 9.2.

Second, in my opinion you can't use FW2 for something as elaborate as this scenario, but have to use iptables/netfilter instead. In general, you will have to create your rules manually, i.e. with a start/stop script or similar. I can offer you a bash script, which I wrote some time ago to initialise my FW, so if you're interested, mail me outside the list. But the script is not much more than a bash script that sets some rules. If you are familiar with iptables, you can do this yourself, otherwise send me an email.

Greetings from Vienna
Wolfgang

--
Wolfgang Leithner
Pinguin-Systeme.at
Managing Director, Systems and Security
EMail: wolfgang.leithner@pinguin-systeme.at
http://www.pinguin-systeme.at
GPG Key Fingerprint: 21FE FB64 BD83 8385 364A E927 BB2F F331 84FD 12A9
GPG Public Key can be found at: http://www.pinguin-systeme.at/privacy/wl.asc
Wolfgang Leithner wrote:
On Monday 09 May 2005 12:53, Torsten E. wrote: [...snipp...]
Can this be realized using an SuSE 9.2 system? If Yes, how to configure/setup it?
First, yes you can use SuSE9.2 Second, in my opinion you can't use FW2 for something as elaborated as this scenario, but have to use iptables/netfilter instead .
SuSEfirewall2 *IS* iptables. You can always use the provided hook functions to insert your own rules if the configuration options for SuSEfirewall2 are not sufficient. You don't need to start from scratch writing a completely new script.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
Hi list, hi Ludwig!

On Tuesday 10 May 2005 10:34, Ludwig Nussel wrote:
SuSEfirewall2 *IS* iptables. You can always use the provided hook functions to insert your own rules if the configuration options for SuSEfirewall2 are not sufficient. You don't need to start from scratch writing a completely new script.
Of course FW2 is iptables, I didn't want to imply anything different. But in my experience it is easier (at least for debugging) to create a whole script instead of adding rules to FW2, but that's just my 2 eurocents. After all, I've been using "handmade" rulesets since ipchains, so maybe I'm only out of date ;) As a GUI for iptables I sometimes use fwbuilder, depending on the mood I'm in (and the WS I'm on).
CU
W.
From: Torsten E. [mailto:linux-user@gmx.com]
Can this be realized using an SuSE 9.2 system? If Yes, how to configure/setup it?
I would download fwbuilder from www.fwbuilder.org. It's what I use to administer our firewall, which has 5 interfaces. fwbuilder has an easy-to-use graphical interface which makes administering complex sets of rules a breeze! It can also output the rules in a variety of formats, e.g. iptables or *BSD or Cisco etc. Just don't let the 100-page reference manual scare you off! Once you have generated your script, you will need to create an init script to call your rules in the correct place during startup.

Cheers
Mike
Torsten E. wrote:
An external office has two DSL connections (don't ask why ... they have it ... ;)). The LAN (office systems) should be connected to the internet for browsing, email, etc. using one DSL connection. The second one should be dedicated to getting remote access to one special system there.

Scenario:

                      ____________
                     |            |
DSL-line 1 ---       |eth0 -- eth2| --- LAN (browsing, email, etc.)
(Provider 1)         |            |
                     |  SuSE 9.2  |
                     |            |
DSL-line 2 ---       |eth1 -- eth3| --- dedicated system (separate network)
(Provider 1)         |            |
                      ------------

Restrictions:
- no permitted connections from eth1 <-> eth2 & eth0 <-> eth3
- FW for eth0 accepts traffic for browsing, emails, etc. only
- FW for eth1 accepts traffic for rc-software (VNC or RDP or so) only
Can this be realized using an SuSE 9.2 system? If Yes, how to configure/setup it?
0 and 1 are external, 2 and 3 internal. FW_ALLOW_CLASS_ROUTING=no. You can use FW_FORWARD, FW_FORWARD_MASQ and FW_TRUSTED_NETS to grant special access for some src/dest combinations. Those are not bound to interfaces though. Use FW_CUSTOMRULES to install your own rules if you need to.

cu
Ludwig
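Written out as an added example (not from the thread and not SuSEfirewall2's own code): the iptables and iproute2 commands that implement the layout Ludwig describes (eth0/eth1 external, eth2/eth3 internal, no forwarding between the two legs) as a standalone script of the kind Wolfgang and Mike suggest. The FORWARD and nat rules are also what you would put into the FW_CUSTOMRULES hook file if you keep SuSEfirewall2 (with FW_DEV_EXT="eth0 eth1", FW_DEV_INT="eth2 eth3", FW_ROUTE=yes, FW_MASQUERADE=yes, FW_ALLOW_CLASS_ROUTING=no), since FW_FORWARD alone cannot bind a rule to an interface pair. All addresses, the DSL line 2 gateway, the admin source range and the port lists are assumptions, as is that the modems present themselves as eth0/eth1 as in Torsten's sketch (with PPPoE terminated on the box they would be ppp0/ppp1) and that DSL line 2 has a static address. One thing the thread does not mention: with two uplinks the box needs a second routing table, otherwise the replies from the dedicated system follow the main default route out through DSL line 1. The script prints the commands by default so the ruleset can be reviewed; set IPT=iptables IP=ip SYSCTL=sysctl to apply it.

```shell
#!/bin/sh
# dual-dsl-fw.sh: added example for the two-DSL-line scenario, not from the
# thread. Every address, gateway and port list below is an assumption.
#
# Dry run by default (prints the commands). Apply with:
#   IPT=iptables IP=ip SYSCTL=sysctl sh dual-dsl-fw.sh
IPT=${IPT:-"echo iptables"}
IP=${IP:-"echo ip"}
SYSCTL=${SYSCTL:-"echo sysctl"}

WAN_OFFICE=eth0            # DSL line 1 (assumed router-mode modem, not PPPoE)
WAN_REMOTE=eth1            # DSL line 2
LAN_OFFICE=eth2            # office LAN
LAN_REMOTE=eth3            # dedicated system's own segment
OFFICE_NET=192.168.1.0/24  # assumed
REMOTE_NET=192.168.2.0/24  # assumed
REMOTE_HOST=192.168.2.10   # assumed address of the dedicated system
DSL2_ADDR=203.0.113.10     # assumed static public address on eth1 (TEST-NET-3)
DSL2_GW=203.0.113.1        # assumed gateway of DSL line 2
ADMIN_NET=0/0              # narrow this if the remote admin has a fixed range
OFFICE_TCP="80 443 25 110 143 993 995"  # browsing and mail
REMOTE_PORTS="5900 3389"                # VNC, RDP
RT_REMOTE=200              # routing table number used for DSL line 2

fw_rules() {
    # Default deny through the box; replies are matched by connection state.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: our private ranges never arrive from a DSL line.
    for dev in $WAN_OFFICE $WAN_REMOTE; do
        $IPT -A FORWARD -i $dev -s $OFFICE_NET -j DROP
        $IPT -A FORWARD -i $dev -s $REMOTE_NET -j DROP
    done

    # Leg 1: office LAN out through DSL line 1 only, listed TCP services plus
    # DNS, masqueraded behind the DSL line 1 address.
    for port in $OFFICE_TCP; do
        $IPT -A FORWARD -i $LAN_OFFICE -o $WAN_OFFICE -s $OFFICE_NET -p tcp --dport $port -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i $LAN_OFFICE -o $WAN_OFFICE -s $OFFICE_NET -p udp --dport 53 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o $WAN_OFFICE -s $OFFICE_NET -j MASQUERADE

    # Leg 2: DSL line 2 in to the dedicated system only, VNC/RDP only, and
    # nothing originates from eth3. DNAT on the outer address, then an explicit
    # FORWARD accept bound to the eth1 -> eth3 interface pair.
    for port in $REMOTE_PORTS; do
        $IPT -t nat -A PREROUTING -i $WAN_REMOTE -s $ADMIN_NET -p tcp --dport $port -j DNAT --to-destination $REMOTE_HOST
        $IPT -A FORWARD -i $WAN_REMOTE -o $LAN_REMOTE -s $ADMIN_NET -d $REMOTE_HOST -p tcp --dport $port -m state --state NEW -j ACCEPT
    done

    # eth1<->eth2, eth0<->eth3 and eth2<->eth3 match nothing above and fall to
    # the DROP policy; log them rate-limited so a misconfiguration is visible.
    $IPT -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-FORWARD-DROP: "
}

routing_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    # Second default route for DSL line 2. Without it the replies from the
    # dedicated system would take the main default route out of DSL line 1:
    # the reverse DNAT of their source address happens after the routing decision.
    $IP route flush table $RT_REMOTE
    $IP route add default via $DSL2_GW dev $WAN_REMOTE table $RT_REMOTE
    $IP rule add iif $LAN_REMOTE lookup $RT_REMOTE priority 100
    $IP rule add from $DSL2_ADDR lookup $RT_REMOTE priority 101
}

routing_rules
fw_rules
```

Review the printed rules before applying; the anti-spoofing and cross-leg checks are exactly what `FW_ALLOW_CLASS_ROUTING=no` and the DROP policy give you in SuSEfirewall2, so the only part you need to carry into the FW_CUSTOMRULES file is the interface-bound FORWARD/DNAT pair for leg 2 and the routing-table setup.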
participants (4)
- Ludwig Nussel
- Mike Tierney
- Torsten E.
- Wolfgang Leithner