Hi all! I don't know if this is the right list, but here goes.

I am fairly new to firewalling and iptables. I have a setup as follows:

firewall:
  red    eth0  external interface (adsl, dhcp)
  yellow eth1  dmz interface
  green  eth2  internal interface

On the dmz is a combined server running web/ mysql/ ftp/ caching dns/ time/ outgoing mail and nfs server. I only want web/ftp to be available from red. All other services are for the green (and yellow) network.

I have several machines on green (so I guess I want NAT there):
  One Linux server with NFS
  Three Linux ones running gnomemeeting, amsn and licq
  Two Windows ones running Netmeeting, MSN, ICQ
All machines run bittorrent, limewire and dc++.

I want ssh access to all boxes. I want to be able to run all communication services from an arbitrary box. All internal boxes shall use time/ dns/ outgoing mail on the dmz server.

The firewall is to be locked down for user login only via ssh. Anything to be done is sudo'ne (note to self, find out how to lock ssh to user login only). But I want access from red to the firewall so I can "jump" to green and yellow if needed.

I want as full access as possible from green to red.

I have read the SuSEFirewall2 docs in /usr/share/docs/packages/SuSEFirewall2 but I can't figure it out.. What to set, what to add/remove..

Any pointers on where to start learning? Any pointers on how to set it up?

-- /Rikard
------------------------------------------------------------------------------------
Rikard Johnels email : rikjoh@norweb.se Web : http://www.rikjoh.com Mob : +46 735 05 51 01
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
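The following is an added example, not something any of the posters wrote and not SuSEFirewall2 or Shorewall output: it expresses the red/yellow/green layout from the message above as a plain iptables script, so the zone policies can be read off rule by rule. The interface names are Rikard's; the dmz subnet (192.168.1.0/24), the dmz server address (192.168.1.10) and the green subnet (192.168.2.0/24) are assumed values. By default the script only prints the rules (IPT is "echo iptables"); run it as root with IPT=iptables to load them.

```shell
#!/bin/sh
# Three-zone rule set for: red=eth0 (adsl, dhcp), yellow=eth1 (dmz), green=eth2.
# Dry run by default (rules are printed, not applied).  To load them:
#   IPT=iptables sh firewall.sh
# The addresses below are assumed for the example, not taken from the thread.

IPT="${IPT:-echo iptables}"

RED=eth0        # external interface
YELLOW=eth1     # dmz interface
GREEN=eth2      # internal interface

DMZ_NET=192.168.1.0/24      # assumed
DMZ_SRV=192.168.1.10        # assumed: the combined web/ftp/dns/ntp/mail/nfs box
GREEN_NET=192.168.2.0/24    # assumed

build_firewall() {
    # Start from empty tables with a deny-by-default policy.
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Only when really applying: enable routing and the ftp helper so that
    # ftp data connections count as RELATED.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
        modprobe ip_conntrack_ftp 2>/dev/null || modprobe nf_conntrack_ftp
    fi

    # Loopback and reply traffic for connections that were already allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The firewall itself accepts only ssh, from every zone (red included,
    # so it can serve as the jump host into green and yellow).
    for IF in $RED $YELLOW $GREEN; do
        $IPT -A INPUT -i $IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
    done

    # NAT: hide green and yellow behind the dynamic adsl address.
    $IPT -t nat -A POSTROUTING -o $RED -s $GREEN_NET -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o $RED -s $DMZ_NET -j MASQUERADE

    # red -> yellow: only web and ftp, and only to the dmz server.
    for PORT in 80 21; do
        $IPT -A FORWARD -i $RED -o $YELLOW -d $DMZ_SRV -p tcp --dport $PORT -m state --state NEW -j ACCEPT
    done

    # green -> red and green -> yellow: open, green is the trusted side.
    $IPT -A FORWARD -i $GREEN -o $RED -s $GREEN_NET -j ACCEPT
    $IPT -A FORWARD -i $GREEN -o $YELLOW -s $GREEN_NET -j ACCEPT

    # yellow -> red: just what the dmz server needs (dns, ntp, outgoing mail).
    # Nothing else leaves the dmz, and yellow never initiates anything
    # towards green: a compromised dmz box stays in the dmz.
    $IPT -A FORWARD -i $YELLOW -o $RED -s $DMZ_SRV -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i $YELLOW -o $RED -s $DMZ_SRV -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $YELLOW -o $RED -s $DMZ_SRV -p udp --dport 123 -j ACCEPT
    $IPT -A FORWARD -i $YELLOW -o $RED -s $DMZ_SRV -p tcp --dport 25 -m state --state NEW -j ACCEPT

    # Log (rate limited) what falls through to the DROP policy, so a
    # forgotten service shows up in /var/log/messages instead of just hanging.
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

build_firewall
```

Two things the script deliberately leaves out: incoming peer connections for bittorrent/dc++ on green boxes would need one DNAT rule per box in the nat PREROUTING chain, and NFS from green to the dmz server works through the ESTABLISHED,RELATED rule only for the direction green initiates. The yellow -> red section is the part worth keeping tight even while everything else is being loosened for testing.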
To be quite honest, you have your work cut out for you, and I'm not so certain you can do everything you've listed, but from the looks of it it's the life-long goal of every SuSE administrator ;) Good luck and keep us posted on this topic. I'm not gonna be the first to respond to answering because I don't believe I'm fully qualified for all this put together... yet :P I'd read everything I could get my hands on; if you can at least configure all your services to work, I'd memorize the general iptables docs on the web and see what you can find there first. It also looks like you need to do some custom VLANs and routing configs.
Oh, and this would make a terrific doc when it's all finished *cough*
Shorewall firewall at www.shorewall.net. Much easier to understand and set up than SuSEfirewall2. Lots of example files for various configurations, very good documentation. Author uses SUSE 9.1 Pro. Combined with Webmin it's very easy to get set up and running.
Stan
/ 2004-09-30 22:26:08 -0500 \ SRGlasoe:
(note to self, find out how to lock ssh to userlogin only)
/etc/ssh/sshd_config:
PermitRootLogin no
man sshd_config :)
Shorewall firewall at www.shorewall.net. Much easier to understand and set up than SuSEfirewall2. Lots of example files for various configurations, very good documentation. Author uses SUSE 9.1 Pro. Combined with Webmin it's very easy to get set up and running.
I find http://firehol.sourceforge.net a very interesting project, too. I'd also like comments from shorewall or susefirewall2 users about it. If you read the script, at least it is a great source for the ports you need to open for all those funny multi-port services... thanks, Lars Ellenberg
On Friday 01 October 2004 05.26, SRGlasoe wrote:
Shorewall firewall at www.shorewall.net. Much easier to understand and set up than SuSEfirewall2. Lots of example files for various configurations, very good documentation. Author uses SUSE 9.1 Pro. Combined with Webmin it's very easy to get set up and running.
Stan
From the looks of it, shorewall seems to be script based. I will give it a try and see if it works on my firewall. It's an Alphastation (SuSE 7.1 AXP system), but I hope it is compatible enough :) Documentation will follow.. (hopefully)
-- /Rikard
------------------------------------------------------------------------------------
Rikard Johnels email : rikjoh@norweb.se Web : http://www.rikjoh.com Mob : +46 735 05 51 01
------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
Also make use of AllowGroups in sshd_config (this one has already saved my servers. I saw the increase in SSH activity and managed to implement this about a week before they got serious with the different user ids.) And remove shell access from those user ids that don't really need it.
Lyle
----- Original Message -----
From: "Lars Ellenberg"
/ 2004-09-30 22:26:08 -0500 \ SRGlasoe:
(note to self, find out how to lock ssh to userlogin only)
/etc/ssh/sshd_config:
PermitRootLogin no
man sshd_config :)
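As an added example (not from Lars, Lyle or the OpenSSH project), here is a small shell auditor for the two sshd_config settings recommended in this thread, PermitRootLogin no and an AllowGroups whitelist. It parses the file the way sshd reads keywords (first match wins, keywords are case-insensitive, comments ignored) and returns non-zero when either setting is missing, so it can sit in a cron job or a post-install check. The two sample files it writes are constructed for the demo, not copies of a real SuSE config; the sshd_setting and audit_sshd_config names are this example's own.

```shell
#!/bin/sh
# Check an sshd_config for "PermitRootLogin no" and a non-empty "AllowGroups".
# Usage: audit_sshd_config [FILE]   (default /etc/ssh/sshd_config)
# Exit status 0 = both present, 1 = something to fix, 2 = file unreadable.

# Print the value of keyword $2 in file $1.  Like sshd, the first occurrence
# wins; comments, leading blanks and keyword case are ignored.
sshd_setting() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$1" \
      | awk -v key="$2" 'tolower($1) == tolower(key) { $1 = ""; sub(/^ /, ""); print; exit }'
}

audit_sshd_config() {
    f="${1:-/etc/ssh/sshd_config}"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    rc=0

    root=$(sshd_setting "$f" PermitRootLogin)
    case "$(echo "$root" | tr 'A-Z' 'a-z')" in
        no) echo "ok:   PermitRootLogin no" ;;
        "") echo "FAIL: PermitRootLogin not set, sshd's built-in default applies"; rc=1 ;;
        *)  echo "FAIL: PermitRootLogin $root"; rc=1 ;;
    esac

    groups=$(sshd_setting "$f" AllowGroups)
    if [ -n "$groups" ]; then
        echo "ok:   AllowGroups $groups"
    else
        echo "FAIL: AllowGroups not set, logins are not restricted to a group"; rc=1
    fi
    return $rc
}

# Constructed sample (not a real config): the file after the two changes.
write_hardened() {
    cat > "$1" <<'EOF'
# sshd_config, constructed sample
Port 22
PermitRootLogin no
PasswordAuthentication yes
AllowGroups wheel sshusers
EOF
}

# Constructed sample: a stock file where both settings are still commented out.
write_default() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin yes
#AllowGroups
X11Forwarding no
EOF
}

# Demo run over both samples.
tmp="${TMPDIR:-/tmp}/sshd_audit.$$"
write_hardened "$tmp.good"
write_default "$tmp.bad"
echo "== $tmp.good"; audit_sshd_config "$tmp.good"
echo "== $tmp.bad";  audit_sshd_config "$tmp.bad" || echo "(fix the file, then: sshd -t && rcsshd restart)"
rm -f "$tmp.good" "$tmp.bad"
```

The parser only looks at global keywords; a Match block further down the file can override PermitRootLogin for particular users or addresses, so on sshd versions that support it, "sshd -T" (which prints the effective configuration) is the more authoritative source. Remember that AllowGroups takes primary and supplementary groups, so the wheel group in the sample also has to contain the ssh users you want to let in.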
participants (5): Lars Ellenberg, Lyle Giese, MB, Rikard Johnels, SRGlasoe