Urgggggg!!! SuSEFirewall2 is getting on my nerves!!!!!
Hi there SuSErs... Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working! I have a small network with 5 PCs (all Win9X) and a Linux box (currently SuSE 7.3) acting as a server. The server is a DHCP server and a Samba server for the entire network. So far everything is working perfectly!!! Users log on to the network, the logon script executes etc.... Then a new task came up: let's bring the internet into the network. Configured a 56Kbps modem on the server with YaST. Managed to get my account set up and running. Made a test connection and Netscape works great on the server, as well as e-mail (POP3). I tried configuring SuSEfirewall to manage all incoming requests from the PCs of the network. The firewall warned me about masquerading etc., so I downloaded the latest version of SuSEfirewall2 from the internet and installed it. Since I only need direct masquerading to be done (no proxies are currently working on the net) I made all the necessary changes as outlined in the examples supplied with the software. Since I needed Samba to keep working on the network, I opened (among others) port 139 for Samba to work. Double-checked all the changes that I have made and ran rcSuSEfirewall2 to see what happens. Strangely enough, when wvdial executes it tells me that DNS is not functioning properly since www.suse.com cannot be found (or something like that; please forgive me, I am away from the Linux station now). Further on, when I open mIRC or similar programs (WinMX etc.) from a station, I look at the activity in IPTraf (I check this to see what happens) and I see no connections being created whatsoever.... mIRC prompts me that there was an error trying to find the host.... I have made no changes to the Win9X PCs. Is there something that I am forgetting to do?? I understand that it is impossible for all of you to react to this since I have no output of the SuSEfirewall.conf file published in this message.... I understand.
Can someone please send me their configuration file so I can see what you have done, on a system that currently is working fine?? In addition, is there something that I have to do regarding route or routing?? What about the Win9X PCs?? Is there something that I have to do there?? I thank you so very much for all your help in advance!!!! I have been killing myself trying to figure this one out for about 2 weeks now and managed nothing more than thin air!!!!! Chris
Chris Bek wrote:
Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working!
Is the firewall box configured as default gateway for the Windows boxes? Try accessing the internet from the firewall first before trying from the network. Then check IP forwarding on the firewall and gateways. Set logging to max (in the firewall config file) and watch for log output in /var/log/firewall or /var/log/messages. Olaf
Chris Bek wrote:
Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working!
Hi Chris, visit Togan's site at http://susefaq.sourceforge.net/, especially http://susefaq.sourceforge.net/firewall.html, for hints and links for SuSE's firewall packages.
Strange enough when wvdial executes it tells me that DNS is not functioning properly since www.suse.com cannot be found
Have you opened "domain" traffic in the firewall setup?
Further on, when I open mIRC or other like programs (winmx etc) from a station, I look at the activity of IPtraf (I check this to see what happens) and I see no connections being created whatsoever....
Have you tried "lynx" or "wget" on the server to see that your internet access works properly?
In addition, is there something that I have to do regarding route or routing??
Doublecheck "IP_FORWARD" in /etc/sysconfig/sysctl
What about the Win9X PCs?? Is there something that I have to do there??
For your clients, use "winipcfg" to make sure your DHCP config puts a "default gateway" entry pointing to the server. No further setup necessary. Peter
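Olaf's and Peter's checks above (IP forwarding on the box, a default route out, a masquerading rule, DNS from the gateway, and the default gateway on the Win9X clients) as one script. This is an added example, not something either of them posted. It assumes the usual 2.4-kernel paths and tools (/proc/sys/net/ipv4/ip_forward, iptables-save, ip or route, getent); each check takes its input as text, so it can be run against a pasted "route -n" or "iptables-save" dump, or against a winipcfg / "ipconfig /all" listing copied from a client, and the sample inputs used below are constructed.

```shell
#!/bin/sh
# Added example: sanity checks for a Linux box masquerading a small LAN.
# Each check takes its input as an argument so it works on a saved dump
# as well as on the live system (run_live_checks).

IP_FORWARD_FILE="${IP_FORWARD_FILE:-/proc/sys/net/ipv4/ip_forward}"

# 1. Kernel forwarding: the sysctl file must read exactly "1".
check_ip_forward() {
    [ -r "$1" ] || return 2
    [ "$(cat "$1")" = "1" ]
}

# 2. Default route: $1 is the text of 'route -n' or 'ip route'; it must
#    contain a line for 0.0.0.0 (route -n) or "default" (ip route).
has_default_route() {
    printf '%s\n' "$1" | grep -Eq '^(0\.0\.0\.0[[:space:]]|default[[:space:]])'
}

# 3. Masquerading: $1 is 'iptables-save -t nat' output, $2 the external
#    interface; a POSTROUTING rule must masquerade traffic leaving via $2.
has_masquerade_rule() {
    printf '%s\n' "$1" | grep -Eq -- "-o[[:space:]]+$2[[:space:]].*-j[[:space:]]+MASQUERADE"
}

# 4. Client side: $1 is text copied from winipcfg or 'ipconfig /all' on a
#    Win9X PC, $2 the LAN address of the Linux box; the client's Default
#    Gateway must be that address (and not a longer address sharing its prefix).
client_has_gateway() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    printf '%s\n' "$1" | grep -Eiq "Default Gateway[ .:]*${pat}([^0-9]|$)"
}

# 5. Name resolution from the gateway itself (Chris's wvdial complaint).
dns_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Run everything against the live box; $1 is the external interface.
run_live_checks() {
    ext=${1:-ppp0}; rc=0
    if check_ip_forward "$IP_FORWARD_FILE"; then echo "ok   ip_forward is 1"
    else echo "FAIL ip_forward (fix: echo 1 > $IP_FORWARD_FILE)"; rc=1; fi
    if has_default_route "$(ip route 2>/dev/null || route -n 2>/dev/null)"; then echo "ok   default route present"
    else echo "FAIL no default route; is $ext up?"; rc=1; fi
    if has_masquerade_rule "$(iptables-save -t nat 2>/dev/null)" "$ext"; then echo "ok   MASQUERADE via $ext"
    else echo "FAIL no MASQUERADE rule for $ext in the nat table"; rc=1; fi
    if dns_resolves www.suse.com; then echo "ok   DNS works from the gateway"
    else echo "FAIL DNS from the gateway; check that 'domain' (53/udp) is allowed out"; rc=1; fi
    return $rc
}

# Usage: sh gwcheck.sh live ppp0   (as root, on the gateway)
if [ "${1:-}" = "live" ]; then run_live_checks "${2:-ppp0}"; fi
```

Run the live checks first with the modem connected; a failing DNS check while the first three pass points at the firewall rules rather than at routing, which is the split Peter is making between "domain" traffic and IP_FORWARD.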
On Monday 07 January 2002 7:09 am, Chris Bek wrote:
What about the Win9X PCs?? Is there something that I have to do there??
I thank you so very much for all your help in advance!!!! I have been killing myself trying to figure this one out for about 2 weeks now and managed nothing more than thin air!!!!!
Chris, get shorewall and let your hair grow back. Download the latest rpm from shorewall.net, download the 2 or 3 interface examples. All work will be done in the /etc/shorewall directory. After you untar the examples they will be in a folder called two-interfaces or three-interfaces; drag all of the files to /etc/shorewall and follow the QuickstartGuide. The documentation at www.shorewall.net will lead you by the nose through all the pitfalls. Yes, you will have to check several files, it's more a verification than anything; then when you are ready you simply delete the file 'startup disabled' and type shorewall start and you are in business. Sometimes some other firewall script may have some crap loaded into the iptables. A simple 'shorewall clear' before the start command will take care of that problem. And yes, shorewall puts all the startup stuff in init.d so you don't have to play around anymore. After you get the basic stuff going, it is pretty simple to change rules to enable or permit input/output through various ports as needed by your setup. If you need any help, email me or the mailing list. Lotsa luck, ra
* Chris Bek wrote on Mon, Jan 07, 2002 at 15:09 +0200:
Since I only need direct masquerading to be done [...] I opened (among others) 139 port for samba to work.
If you really have no need for any firewalling/filtering, and you really want Samba to be accessible from the internet (neither of which is recommended), why do you install a firewall? Wouldn't it be easier to do just masquerading? oki, Steffen -- This letter was generated by machine, so it bears neither signature nor seal.
hi chris, first of all, i absolutely understand all of your grief (well most of it), i've been through much of the same. came to the point of contemplating suicide, feeling too stupid to get such a small thing to work etc.... so then i
- disabled susefirewall, i personally think it sucks.
- found out i had to re-enable forwarding (echo 1 > /somefile under /proc/somewhere) sorry not at the machine and can't remember
- (after a few other tries for software to kind of 'edit a firewall graphically', they all might be nice but seem to need a full 'gnome' machine which i don't have) installed webmin (last version) which is a web interface to set up a server, and among all also a firewall. tried some things, i guess even then i puzzled about one day, but i got it working!!!
read somewhere in this thread about shorewall, might be nice as well, haven't tried that. so good luck, and my advice is, drop sf2. it seems to want to be more clever than the user, and i for my part don't like that.
Chris Bek <chris001@softhome.net> wrote:
Hi there SuSErs... Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working!
With kind regards, Patrick Thempel mail:patrick_thempel@yahoo.com
On Tue, 7 Jan 2003, patrick thempel wrote:
hi chris, first of all, i absolutely understand all of your grief (well most of it), i've been through much of the same. came to the point of contemplating suicide, feeling too stupid to get such a small thing to work etc.... so then i -disabled susefirewall, i personally think it sucks.
Is SuSEfirewall2 so much different from SuSEfirewall? We did SuSEfirewall with up to three external interfaces, which gives more problems in routing than in the chains. We had fixed IP and dynamic and dialups. -- Engelbert Gruber, SSG Fintl, Gruber, Lassnig / A6410 Telfs, Untermarkt 9 / Tel. ++43-5262-64727
first of all, i absolutely understand all of your grief (well most of it), i've been through much of the same. came to the point of contemplating suicide, feeling too stupid to get such a small thing to work etc....
Hm, maybe I have had some more time to read some manuals. First of all you should read the files in /usr/share/doc/packages/<Package>. If there is nothing, then look in the support database at SuSE or the unofficial SuSE FAQ. If there is no hint, try e.g. www.google.de/linux (for Germany; others use their suffix) and use simple expressions for your search. Most solutions are in English, so filter the search list to only English and your native language.
so then i -disabled susefirewall , i personally think it sucks.
Hm, wasn't this list some kind of security related? If you are using Linux there is no clickediclick mouse drag and drop like in Teletubby world. And you think "I got XP and my personal firewall", but wasn't there a server you use for routing? The SuSEfirewall is very well documented in the config file, and in each section there is something saying what or how something is to be done. Most questions inside this list are asked, but mostly the questions are already answered inside the config file, within the remarks to each section. Probably even with a modem it will unfortunately happen that your system gets hacked. If you want to use Kazaa or something like that, you will need port forwarding to your Win OS box (e.g. the SuSEfirewall provides this). To get minimum security you should use the personal firewall from SuSE to prevent incoming connections, with connection tracking (new, related, established). The new version for 8.1 (the updated one) should work for 7.3 as well and has some nice features, e.g. a simple setup. What most postings show is that there is only a small amount of information given for beginners on how SuSEfirewall1/2 works - for a simple workstation it is no problem to set up.

For routers you have to:
- enable forwarding in the firewall or manually set the option (echo 1 > /proc/sys/net/ipv4/ip_forward)
- write a routing table
- configure the internal network to use the router as default gateway (and use public IPs like 192.168.0.x)
- enable masquerading

Due to the functionality of ipchains/iptables it is slightly different from Windows firewall systems. Port forwarding, connection tracking, chaining and DMZ are some features that are missing in most Windows firewalls, because most are "personal" ones. There should be some extra info on that in a small FAQ in /usr/share/doc/packages/SuSEfirewall(2) - unfortunately the info has to be read as well!
Is SuSEfirewall2 so much different from SuSEfirewall?
Hm, not at all! Only SuSEfirewall is for the 2.2.x kernel/ipchains and SuSEfirewall2 for the 2.4.x kernel/iptables. I personally prefer more recent iptables, so I don't use the ones provided with 7.3 and compile them myself, including the kernel. Philippe
Hi List, I agree that this topic has turned into something that does not belong here. I have _very_ good results with SuSEfirewall, and I think it has helped many people a lot. Still, if somebody is not comfortable with it, then just dump it and install something else - that's Linux. But try at least to find some docs (and there are docs) before you decide to start flaming a tool that includes lots of work and effort. And please don't use this list for this kind of discussion. In any case, good luck with whatever you try to achieve. Peter
-----Original Message----- From: Philippe Vogel [mailto:filiaap@freenet.de] Sent: Wednesday, 8 January 2003 09:10 To: suse-security@suse.com Subject: Re: [suse-security] Urgggggg!!! SuSEFirewall2 is getting on my nerves!!!!! --- what a title :-)
Heyas,
first of all, i absolutely understand all of your grief (well most of it), i've been through much of the same. came to the point of contemplating suicide, feeling too stupid to get such a small thing to work etc.... so then i -disabled susefirewall, i personally think it sucks.
Is SuSEfirewall2 so much different from SuSEfirewall?
we did susefirewall with up to three external interfaces which gives more problems in routing than in the chains. we had fixed ip and dynamic and dialups.
IMHO most of the problems come from the way people work with their servers. They are used to the colorful click-and-forget GUIs of the Windoze desktop and believe they can work on a server the same way. That is one reason why there are more security holes on Windoze servers than Linux servers: people only scratch the surface of the problem, and the GUI makes it too easy to get first results without telling them that the first results are not the best results. I tend to look into the concepts behind a solution before implementing it. That means in this case, I try to understand the concepts of routing, masquerading (NAT) and iptables, and I try to figure out what a firewall is needed for (OFC, any good salesman will tell you that you need one, but ask him what a firewall does and you get interesting results :-). If you know all the basics behind iptables, you can easily write your custom firewall script. Tools like shorewall or SuSEfirewall2 are a shortcut to save you time (when you know what you're doing) and protect you from typos. If you need graphical tools to set up your firewall, you can purchase a commercial product like the Firewall on CD (which basically provides an easy GUI for designing a firewall without knowing anything about Linux), but there is nothing you can do with that GUI that you can't do by editing a config file. Basically, what you need is to set up your server for routing (a simple entry in /etc/rc.config on SuSE 7.3) and configure your clients to use your server as default gateway (either on each machine or in the DHCP config on your DHCP server). The next step is defining which services on your server are being used from the internal network and from the internet. That determines what settings you need to activate on your firewall.

The whole setup is pretty easy then:

  FW_DEV_EXT="ppp0"        # your modem
  FW_DEV_INT="eth0"
  FW_ROUTE="yes"
  FW_MASQUERADE="yes"
  # assuming your internal network as 192.168.x.0/255.255.255.0
  FW_MASQ_NETS="192.168.x.0/24"
  # allowing ssh, dns and www from external
  FW_SERVICES_EXT_TCP="domain ssh www"
  FW_SERVICES_EXT_UDP="domain"
  # allowing ssh, www, DNS and windoze protocols for internal machines
  FW_SERVICES_INT_TCP="ssh smtp domain www 137:139"
  FW_SERVICES_INT_UDP="domain 137:139"

Basically this should be most of the work. As I mentioned before, some SuSE 7.3 installations did not check in the ip-up script for firewall2, so you might need to edit /etc/ppp/ip-up. If you only find lines like this:

  test "$START_FW" = yes && /sbin/SuSEfirewall

without

  test "$START_FW2" = yes

being mentioned somewhere above, you might need to modify the script to check for START_FW2 in rc.config and then start SuSEfirewall2.

cya Jörn
------------------------------------------------------------
Jörn Ott                      Telefon: (0 22 24) 94 08 - 73
EDV Service & Beratung        Telefax: (0 22 24) 94 08 - 74
Lohfelder Str. 33             E-Mail: mailto:white@ott-service.de
53604 Bad Honnef              WWW: http://www.ott-service.de/
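What Jörn's FW_* settings above, and Philippe's four router steps earlier in the thread (forwarding, masquerading, services per interface), amount to in raw iptables. This is an added example and not SuSEfirewall2's own script: it emits the rules it would load so they can be read next to the config before anything is applied. The variable names mirror the config; 192.168.1.0/24 stands in for the 192.168.x.0/24 placeholder, and the flush, default-policy and LOG lines are assumptions about what a sane gateway should also do. Service names such as "domain" and "www" are handed to iptables unchanged, which resolves them through /etc/services; if "www" is not an alias for http on the box, use 80 instead. Note that 137:139 is opened only on FW_DEV_INT, which is the point Steffen raised about exposing Samba to the internet.

```shell
#!/bin/sh
# Added example: the iptables equivalent of the SuSEfirewall2 variables
# quoted above, printed as commands for review ("apply" pipes them to sh).

FW_DEV_EXT="${FW_DEV_EXT:-ppp0}"
FW_DEV_INT="${FW_DEV_INT:-eth0}"
FW_MASQ_NETS="${FW_MASQ_NETS:-192.168.1.0/24}"          # assumed LAN
FW_SERVICES_EXT_TCP="${FW_SERVICES_EXT_TCP:-domain ssh www}"
FW_SERVICES_EXT_UDP="${FW_SERVICES_EXT_UDP:-domain}"
FW_SERVICES_INT_TCP="${FW_SERVICES_INT_TCP:-ssh smtp domain www 137:139}"
FW_SERVICES_INT_UDP="${FW_SERVICES_INT_UDP:-domain 137:139}"
IPT="${IPT:-iptables}"

# One ACCEPT for each service arriving on interface $1 over protocol $2.
# Names are resolved by iptables via /etc/services; "137:139" is a range.
emit_service_rules() {
    dev=$1; proto=$2; shift 2
    for svc in "$@"; do
        echo "$IPT -A INPUT -i $dev -p $proto --dport $svc -m state --state NEW -j ACCEPT"
    done
}

gen_rules() {
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"        # FW_ROUTE="yes"
    echo "$IPT -F; $IPT -t nat -F; $IPT -X"              # start from a clean table
    echo "$IPT -P INPUT DROP"
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -P OUTPUT ACCEPT"
    echo "$IPT -A INPUT -i lo -j ACCEPT"
    # replies to connections the box or the LAN opened (connection tracking)
    echo "$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # services offered to the internet: FW_SERVICES_EXT_*
    emit_service_rules "$FW_DEV_EXT" tcp $FW_SERVICES_EXT_TCP
    emit_service_rules "$FW_DEV_EXT" udp $FW_SERVICES_EXT_UDP
    # services offered to the LAN only: FW_SERVICES_INT_* (Samba stays here)
    emit_service_rules "$FW_DEV_INT" tcp $FW_SERVICES_INT_TCP
    emit_service_rules "$FW_DEV_INT" udp $FW_SERVICES_INT_UDP
    # FW_MASQUERADE="yes": let FW_MASQ_NETS out and rewrite their source
    for net in $FW_MASQ_NETS; do
        echo "$IPT -A FORWARD -i $FW_DEV_INT -o $FW_DEV_EXT -s $net -m state --state NEW -j ACCEPT"
        echo "$IPT -t nat -A POSTROUTING -s $net -o $FW_DEV_EXT -j MASQUERADE"
    done
    # log whatever falls through to the DROP policies
    echo "$IPT -A INPUT -j LOG --log-prefix 'FW-INPUT-DROP '"
    echo "$IPT -A FORWARD -j LOG --log-prefix 'FW-FWD-DROP '"
}

# Usage: sh fw.sh          -> print the rules for review
#        sh fw.sh apply    -> load them (as root, after reading them)
case "${1:-}" in
    apply) gen_rules | sh ;;
    *)     gen_rules ;;
esac
```

Reading the output is the point: a client whose DNS fails but whose TCP works is missing the udp "domain" line, and Chris's symptom (nothing at all from the stations) shows up as either a missing MASQUERADE line or ip_forward still at 0.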
Further on, when I open mIRC or other like programs (winmx etc) from a station, I look at the activity of IPtraf (I check this to see what happens) and I see no connections being created whatsoever.... mIRC prompts me that there was an error trying to find the host....
I have made no changes to the Win9X PCs.
To make masquerading work, at least set the default gateway on your Win PCs to the IP of your Linux box (= gateway). Hope it helps, good luck. Dirk -- CaribeNet S.A. - Cartagena - Colombia www.caribenet.com
participants (11)
- CaribeNet
- Chris Bek
- engelbert.gruber@ssg.co.at
- Hans Wuerstchen
- Jörn Ott
- Olaf Kock
- patrick thempel
- Peter Wiersig
- Philippe Vogel
- Richard
- Steffen Dettmer