Configuring SuSEfirewall2 on SuSE 9.0 as a personal firewall
Hi all,

I'm trying to use SuSEfirewall2 as included in SuSE 9.0 to secure the eth0 connection of a server machine (only one interface, connected to the university network, no routing, NAT, bridging, etc.), but I'm a bit confused about the options and the available documentation (especially regarding differences between the current and older versions of SuSEfirewall2).

What I have read (but maybe not fully understood :-)) so far:
=============================================================
* http://seismo.ethz.ch/linux/firewall.html, which deals with SuSE up to version 8.1 (which obviously has differences to the current version)
* http://susefaq.sourceforge.net/articles/firewall/fw_manual.html, a nice manual about the same package, also up to version 8.1
* the archive of this mailing list
* Googled the usual newsgroups/pages for more help.

What I want to do:
==================
Secure a server which should be used as a department server running SAMBA, NFS (maybe not), Netatalk, Apache, ssh/scp/sftp, xntpd (i.e. a plain simple standard intranet and file server) against access from the outside world.

The setup:
==========
All machines are directly connected to the Internet (via the university network, thanks to the University of Tuebingen not running their own firewall), therefore I want to grant/deny access to the server based on
* IP address (i.e. "FW_TRUSTED_NETS") individually (per machine)
* possibly MAC address (possible to set this in the firewall config??)
* login and password protection for services of course (not part of the firewall)
and deny access to all services except ssh for the rest of the world.

In http://seismo.ethz.ch/linux/firewall.html I found the following entry which seems to be ok for me:

FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz" # Adjust
FW_SERVICES_TRUSTED_TCP="1:65535" # Should be adjusted to needed services per machine, not globally everything.
FW_SERVICES_TRUSTED_UDP="1:65535" # see above

in connection with

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="" # Do I have to set eth0 here as well???
FW_SERVICES_EXT_TCP="" # drop all
FW_SERVICES_EXT_UDP="" # drop all
FW_AUTOPROTECT_SERVICES="yes"
FW_PROTECT_FROM_INTERNAL="yes"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="yes"
... (among others)

to deny everything else from unknown computers.

The problem is that the variables "FW_SERVICES_TRUSTED*" seem to be absent in SuSEfirewall2-3.1-206 (as installed with SuSE 9.0).

Can someone point me in the right direction to solve this problem? How to enable (more or less) fine-grained access control to a computer on an IP-address basis (or better IP and MAC)?

Thanks in advance.

--
Bye,
Marc Saric

Dr. Marc Saric, Bioinformatik, Proteom Centrum Tübingen, Paul-Ehrlich-Str. 15, D-72076 Tübingen, Germany, Tel: +49 (0)7071 29 77645, marc.saric@uni-tuebingen.de http://www.proteom-centrum-tuebingen.de
Hi Marc,
and deny access to all services except ssh for the rest of the world.
--> make sure to use /etc/hosts.allow hosts.deny as a second layer of security after the firewall.
In http://seismo.ethz.ch/linux/firewall.html I found the following entry which seems to be ok for me
FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz" # Adjust
FW_SERVICES_TRUSTED_TCP="1:65535" # Should be adjusted to needed services per machine, not globally everything.
FW_SERVICES_TRUSTED_UDP="1:65535" # see above
--> Have a look at 10) in /etc/sysconfig/SuSEfirewall2. You can finetune the services in the FW_TRUSTED_NETS variable. Example: FW_TRUSTED_NETS="123.123.0.0/16,tcp,ssh 195.195.yyy.zzz,tcp,80"
in connection with
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="" # Do I have to set eth0 here as well???
--> No.
to enable (more or less) fine-grained access control to a computer on an IP-address basis (or better IP and MAC)?
--> I think for MAC control you have to write your own rules. See 25) and /etc/sysconfig/scripts/SuSEfirewall2-custom

HTH,
Armin
--
Am Hasenberg 26              office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                  Schloss-Straße 6
Tel. ++49-(0)38203/42137             D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de          Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/          Fax. +49-(0)38293-68-50
Thanks for the fast reply.

Armin Schoech wrote:
| --> make sure to use /etc/hosts.allow hosts.deny as a second layer of
| security after the firewall.

Already done. And Webserver and SMB etc. are protected as well (accept connections only from trusted hosts).

| --> Have a look at 10) in /etc/sysconfig/SuSEfirewall2. You can
| finetune the services in the FW_TRUSTED_NETS variable. Example:
|
| FW_TRUSTED_NETS="123.123.0.0/16,tcp,ssh 195.195.yyy.zzz,tcp,80"

One thing I did not get here: Is it possible to set more than one protocol,port per IP address (i.e. listing internal computers with explicit access to www, smb, nfs, ssh while listing the timeserver only with access to ntp)? And what might be the syntax here (more comma-separated stuff

IP1,Protocol1,PortOfProtocol1,Protocol2,PortOfProtocol2

or a (very long) list of

IP1,Protocol1,PortOfProtocol1 IP1(thesame),Protocol2,PortOfProtocol2

etc.)? Could not find a clear hint for that; from /sbin/SuSEFirewall2 it seems that the second option is the only possibility, I'm just unsure if more than one rule can be set per IP (i.e. if only the first or the last one gets activated or if they add up). Or is this not possible in general?

--
Bye,
Marc Saric

Dr. Marc Saric, Bioinformatik, Proteom Centrum Tübingen, Paul-Ehrlich-Str. 15, D-72076 Tübingen, Germany, Tel: +49 (0)7071 29 77645, marc.saric@uni-tuebingen.de http://www.proteom-centrum-tuebingen.de
Hi Marc,
One thing I did not get here: Is it possible to set more than one protocol,port per IP address (i.e. listing internal computers with explicit access to www, smb, nfs, ssh while listing the timeserver only with access to ntp)? And what might be the syntax here (more comma-separated stuff
IP1,Protocol1,PortOfProtocol1,Protocol2,PortOfProtocol2
or a (very long) list of
IP1,Protocol1,PortOfProtocol1 IP1(thesame),Protocol2,PortOfProtocol2
etc.)?
--> I think you have to use the latter version. If I understand the concept right, the firewall script builds a long list of packets that are accepted. Everything that has not been accepted when the end of the list is reached is discarded (DROPed or REJECTed). So it should work to specify the same IP more than once. Just try! To make the list shorter, you can specify netmasks instead of single IPs.

Good luck!
Armin
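As an added illustration (not part of the thread and not SuSEfirewall2's own code), the following POSIX shell script expands a constructed FW_TRUSTED_NETS value, together with FW_SERVICES_EXT_TCP, into the ACCEPT rules they imply, showing that the one-triple-per-entry syntax described above lets the same address appear several times and that the entries add up before the final drop. The single INPUT chain and the RFC 5737 sample addresses are assumptions; the real script uses its own chain layout.

```shell
#!/bin/sh
# Added illustration, not code from SuSEfirewall2 itself: expand the two
# sysconfig values discussed in the thread into the iptables ACCEPT rules
# they imply, to show how FW_TRUSTED_NETS entries accumulate. Each
# space-separated entry is "net[,proto[,port]]"; a bare net is trusted for
# everything; the same net may appear in several entries and every entry adds
# one more rule. The single INPUT chain and the closing DROP are a
# simplification of the real script's chain layout. Rules are only printed,
# never applied.

expand_trusted_nets() {
    # $1: FW_TRUSTED_NETS value. Emits one ACCEPT rule per entry, in order.
    for entry in $1; do
        net=${entry%%,*}                 # up to the first comma
        rest=${entry#"$net"}; rest=${rest#,}
        proto=${rest%%,*}                # second field, may be empty
        port=${rest#"$proto"}; port=${port#,}   # third field, may be empty
        rule="iptables -A INPUT -s $net"
        if [ -n "$proto" ]; then rule="$rule -p $proto"; fi
        if [ -n "$port" ]; then rule="$rule --dport $port"; fi
        echo "$rule -j ACCEPT"
    done
}

expand_ext_services() {
    # $1: FW_SERVICES_EXT_TCP value, i.e. TCP services open to everyone.
    for svc in $1; do
        echo "iptables -A INPUT -p tcp --dport $svc -j ACCEPT"
    done
}

build_ruleset() {
    # $1: FW_TRUSTED_NETS, $2: FW_SERVICES_EXT_TCP. A packet that matches
    # none of the ACCEPT rules falls through to the final DROP.
    expand_trusted_nets "$1"
    expand_ext_services "$2"
    echo "iptables -A INPUT -j DROP"
}

# Constructed sample (RFC 5737 addresses): a department net listed three
# times for ssh, www and smb, a time server limited to ntp, one host fully
# trusted, and ssh open to the rest of the world.
SAMPLE_TRUSTED_NETS="192.0.2.0/24,tcp,ssh 192.0.2.0/24,tcp,80 192.0.2.0/24,tcp,139 198.51.100.7,udp,ntp 203.0.113.5"
SAMPLE_EXT_TCP="ssh"

build_ruleset "$SAMPLE_TRUSTED_NETS" "$SAMPLE_EXT_TCP"
```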