SuSEFirewall2 and SQUID and LOTS of help needed :)
Hello all, I am "desperately" in search of help with configuring my SuSEfirewall2 on 8.1 Pro and Squid with a few Windows 2000 and XP Pro machines.

Present configuration: SuSE 8.1, no DNS (ISP provides DNS), no DHCP server or clients, FTPd, SSH, http & https; in the future, SQUID and SAMBA.

I use a broadband connection -> Linksys BEFSX41 (VPN endpoint router which accepts its WAN IP via DHCP, C.C.C.C/255.255.255.0, internal static IP 10.x.x.A/255.255.255.0) -> Linux Pro 8.1 [eth0 static IP 10.x.x.B/255.255.255.0, eth1 static IP 10.x.x.C/255.255.255.0], Win XP Pro static IP 10.x.x.D/255.255.255.0, and Win2k Pro static IP 10.x.x.E/255.255.255.0. It works fine and I use personal software firewalls for the Windows machines.

My hopes are to set up the network like this: Broadband connection -> Linksys BEFSX41 (WAN DHCP, internal IP static) -> [eth0] Linux Firewall-2 & Squid proxy [eth1] -> hub (or better yet an internal print server box with a hub in it) -> Windows machines with static IPs.

I have been reading the SuSEfirewall2 examples and a great "unofficial FAQ" for SuSEfirewall2 by Togan Muftuoglu. First and foremost, I am NEW to configuring firewalls. Second, I should pick it up quickly if I can make heads or tails of what combination of rules to use together. Third, I would like to just get the firewall up and running with Windows clients connecting through it WITHOUT THE PROXY; that I can work out later.

1.) FW_QUICKMODE="no"
2.) FW_DEV_EXT="eth0"
3.) FW_DEV_INT="eth1"
4.) FW_DEV_DMZ=""

This is where I get a bit lost as to whether or not I should set these switches/options:

5.) FW_ROUTE="no" - Should I set this to YES until I get my proxy going?
6.) FW_MASQUERADE="no" - Should I set this to YES until I get my proxy going, then set it back to NO?
6a.) FW_MASQ_DEV="eth0" or "$FW_DEV_EXT"
6b.) FW_MASQ_NETS="" - This I want to restrict to only the services I use: WWW, FTP, SSH, SC, receive email via POP3, send email via SMTP (a few games, Starcraft and CounterStrike, but these are too important). My internal IPs are 10.x.x.x/255.255.255.0; there are 3 machines, 2 workstations and 1 laptop.
7.) FW_PROTECT_FROM_INTERNAL="yes" - Is this similar to FW_MASQ_NETS?
8.) FW_AUTOPROTECT_SERVICES="yes" - So with this set to YES I have to add the IP/net/protocol/port#, and these need to be set in FW_SERVICES_EXT_TCP,UDP & FW_SERVICES_INT_TCP,UDP? But what about an entry FW_SERVICE_*_TCP,UDP...?
9.) FW_SERVICES_EXT_TCP="www ssh" - but what about SSL and FTP?
9.) FW_SERVICES_EXT_UDP=""
9.) FW_SERVICES_INT_TCP=""
9.) FW_SERVICES_INT_UDP=""
9a.) FW_SERVICES_QUICK_TCP=""
9a.) FW_SERVICES_QUICK_UDP=""
9a.) FW_SERVICES_QUICK_IP=""
10.) FW_TRUSTED_NETS=""
11.) FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" - Can I specify the port #s in here?
11.) FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" - Is this required for DNS for the internal network machines?
12.) FW_SERVICE_AUTOPROTECT="yes"
12.) FW_SERVICE_DNS="no"
12.) FW_SERVICE_DHCLIENT="no"
12.) FW_SERVICE_DHCPD="no"
12.) FW_SERVICE_SQUID="no" - Soon I hope to configure SQUID, but I need to buy a book or read a lot more online.
12.) FW_SERVICE_SAMBA="no"
13.) FW_FORWARD=""
14.) FW_FORWARD_MASQ=""
15.) FW_REDIRECT="" - Should I set this up for SQUID? 10.x.x.x/y,0/0,tcp,80,3128 0/0,10.x.x.a,tcp,80,8080
16.) FW_LOG_DROP_CRIT="yes"
16.) FW_LOG_DROP_ALL="no"
16.) FW_LOG_ACCEPT_CRIT="yes"
16.) FW_LOG_ACCEPT_ALL="no"
16.) FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
17.) FW_KERNEL_SECURITY="yes"
18.) FW_STOP_KEEP_ROUTING_STATE="no"
19.) FW_ALLOW_PING_FW="yes"
19.) FW_ALLOW_PING_DMZ="no"
19.) FW_ALLOW_PING_EXT="no"
20.) FW_ALLOW_TRACEROUTE="no"
21.) FW_ALLOW_SOURCEQUELCH="yes"
22.) FW_ALLOW_FW_BROADCASTS="no"
22.) FW_IGNORE_FW_BROADCASTS="yes"
23.) FW_ALLOW_CLASS_ROUTING="no"
25.) FW_CUSTOMRULES=""
26.) FW_REJECT="no"

So if anyone has some time to help me out, I would be greatly appreciative and send you all the good karma I can muster :) If anyone can recommend any books that I should pick up that may help me understand these rules, that would be great also.

Sincerely,
Ash
* Ash Corbin;

> I have been reading the SuSEfirewall2 examples and a great "unofficial FAQ" for SuSEfirewall2 by Togan Muftuoglu.

Version 0.9 is the latest.

> 5.) FW_ROUTE="no" - Should I set this to YES until I get my proxy going?
> 6.) FW_MASQUERADE="no" - Should I set this to YES until I get my proxy going, then set it back to NO?

Your assumption is right. If there is no proxy there should be a way to route the packets from the Internet to the LAN and vice versa, so set these to yes to work without a proxy.

> 6a.) FW_MASQ_DEV="eth0" or "$FW_DEV_EXT"

Leave it as $FW_DEV_EXT (setting it to the external interface is the same thing, but for ease I let the script find it).

> 6b.) FW_MASQ_NETS="" - This I want to restrict to only the services I use: WWW, FTP, SSH, SC, receive email via POP3, send email via SMTP (a few games, Starcraft and CounterStrike, but these are too important). My internal IPs are 10.x.x.x/255.255.255.0; there are 3 machines, 2 workstations and 1 laptop.

Then limit it like 10.x.x.x/24,tcp,80 10.x.x.x/24,tcp,21 10.x.x.x/24,tcp,110

> 7.) FW_PROTECT_FROM_INTERNAL="yes" - Is this similar to FW_MASQ_NETS?

No, read the documentation.

> 8.) FW_AUTOPROTECT_SERVICES="yes" - So with this set to YES I have to add the IP/net/protocol/port#, and these need to be set in FW_SERVICES_EXT_TCP,UDP & FW_SERVICES_INT_TCP,UDP? But what about an entry FW_SERVICE_*_TCP,UDP...?
> 9.) FW_SERVICES_EXT_TCP="www ssh" - but what about SSL and FTP?

FW_SERVICES_EXT_* (* meaning TCP or UDP or IP) means services that you are running on the firewall machine that you provide to the world. It does not mean you need to put in services that you want to reach on the Internet.

> 15.) FW_REDIRECT="" - Should I set this up for SQUID? 10.x.x.x/y,0/0,tcp,80,3128 0/0,10.x.x.a,tcp,80,8080

There is an example for this in the Unofficial SuSEFirewall2 document.

> If anyone can recommend any books that I should pick up that may help me understand these rules, that would be great also.

Building Internet Firewalls (Zwicky, Cooper, Chapman), published by O'Reilly.

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
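Added illustration, not part of the thread and not SuSEfirewall2's own script: the reply above says FW_ROUTE and FW_MASQUERADE must be yes without a proxy, FW_MASQ_DEV stays $FW_DEV_EXT, FW_MASQ_NETS is limited per service in the form net,proto,port, and FW_REDIRECT is what would send port 80 to Squid. The script below turns entries in exactly those formats into the plain iptables commands each one stands for, so the effect of a setting can be read off before touching the real firewall. SuSEfirewall2 itself builds a much larger set of chains; this shows only the meaning of each entry. It prints the commands instead of running them, so it is safe to run anywhere. The interface names, the 10.0.0.0/24 network standing in for the poster's 10.x.x.x/24 LAN, and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2's own code): print the iptables rules that
# FW_MASQ_NETS and FW_REDIRECT entries stand for. Nothing is executed.
# Entry formats as used in the thread:
#   FW_MASQ_NETS: <src net>[,<proto>[,<port>]]              e.g. 10.x.x.x/24,tcp,80
#   FW_REDIRECT:  <src net>,<dst net>,<proto>,<port>,<to>   e.g. 10.x.x.x/y,0/0,tcp,80,3128

# Interface names follow the poster's setup; the 10.0.0.0/24 values are
# constructed stand-ins for the 10.x.x.x/24 LAN described in the thread.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="10.0.0.0/24,tcp,80 10.0.0.0/24,tcp,21 10.0.0.0/24,tcp,110 10.0.0.0/24,udp,53"
FW_REDIRECT="10.0.0.0/24,0/0,tcp,80,3128"

# FW_ROUTE=yes / FW_MASQUERADE=yes: turn forwarding on, make FORWARD
# default-deny, and let replies to LAN-initiated connections back in via
# connection tracking. Everything else must be opened explicitly below.
base_rules() {
    echo "sysctl -w net.ipv4.ip_forward=1"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# masq_rules LIST: for each FW_MASQ_NETS entry, allow the matching
# LAN -> Internet traffic through FORWARD and masquerade it behind
# $FW_MASQ_DEV. An entry with no protocol/port ("10.0.0.0/24" alone)
# lets that net reach everything, which is why the thread limits it.
masq_rules() {
    list=$1
    for entry in $list; do
        old_ifs=$IFS; IFS=,; set -- $entry; IFS=$old_ifs
        src=$1; proto=$2; port=$3
        match="-s $src"
        [ -n "$proto" ] && match="$match -p $proto"
        [ -n "$port" ] && match="$match --dport $port"
        echo "iptables -A FORWARD -i $FW_DEV_INT -o $FW_MASQ_DEV $match -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -o $FW_MASQ_DEV $match -j MASQUERADE"
    done
}

# redirect_rules LIST: transparent proxying. Traffic from <src> to <dst> on
# <proto>/<port> arriving on the internal interface is redirected to the
# local <to> port, where Squid listens (3128 by default).
redirect_rules() {
    list=$1
    for entry in $list; do
        old_ifs=$IFS; IFS=,; set -- $entry; IFS=$old_ifs
        src=$1; dst=$2; proto=$3; port=$4; to=$5
        echo "iptables -t nat -A PREROUTING -i $FW_DEV_INT -s $src -d $dst -p $proto --dport $port -j REDIRECT --to-ports $to"
    done
}

# Print the complete rule set for the settings above.
print_rules() {
    base_rules
    masq_rules "$FW_MASQ_NETS"
    redirect_rules "$FW_REDIRECT"
}

print_rules
```

Two things the printed rules make visible that the variable names hide: a FW_MASQ_NETS entry is both a FORWARD permit and a NAT rule, so a bare network entry is a full "anything out" permit for that LAN; and once the FW_REDIRECT entry is in place, port 80 from the LAN never reaches FORWARD at all. Squid's own fetches then originate on the firewall host, so they are governed by its OUTPUT traffic, not by FW_MASQ_NETS, which is why the proxy is expected to remove the need for masquerading web traffic.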