Help needed for configuring firewall with YAST
Hello all,

Since a while I've noticed the following lines in my firewall log:

Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to 195.130.132.18
Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)
Jul 18 21:40:11 penguin dhcpcd[109]: DHCP_ACK received from (195.130.132.18)

Can anyone help me? It appears to be in the 'critical' messages for the firewall.
I would like to allow these requests through my firewall, but I didn't succeed. I'm trying to configure it with YAST and the FW_ variables in the configuration file.

Thanks in advance,
Franky.

--
===================================
GOETHALS Franky
Driegaaienstraat 104
B-9100 SINT-NIKLAAS
B E L G I E
Systeemingenieur Mainframe
Tel./Fax : 32 - (0)3 / 776.10.09
GSM : 32 - (0)478 / 21.40.94
franky.goethals@pandora.be
===================================
On Sat, 5 Aug 2000, Franky GOETHALS wrote:
> Hello all,
>
> Since a while I've noticed the following lines in my firewall log:
>
> Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to 195.130.132.18
> Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)
> Jul 18 21:40:11 penguin dhcpcd[109]: DHCP_ACK received from (195.130.132.18)
>
> Can anyone help me? It appears to be in the 'critical' messages for the firewall.
What it's telling you is that host 195.130.132.18 is sending a UDP (PROTO=17) packet to host 213.224.69.28 with bootp information (port 67 & 68) and that packet is being denied. If you use the standard SuSE firewall configuration script (/etc/rc.config.d/firewall.rc.config) you should have:

FW_SERVICE_DHCLIENT="no"  # if you use dhclient to get an ip address
                          # you have to set this to "yes" !

set to yes, or manually add a rule for accepting bootp packets.
> I would like to allow these requests through my firewall, but I didn't succeed. I'm trying to configure it with YAST and the FW_ variables in the configuration file.
>
> Thanks in advance,
> Franky.
good luck

Stefan

==========================================
Stefan Suurmeijer
Network Specialist
University of Groningen
tel: (+31) 50 363 3423
fax: (+31) 50 363 7272
E-mail (business): s.m.suurmeijer@let.rug.nl
E-mail (private): stefan@symbolica.nl
==========================================
Quis custodiet ipsos custodes? (Who'll watch the watchmen?) - Unknown
Stefan Suurmeijer wrote:
> On Sat, 5 Aug 2000, Franky GOETHALS wrote:
>
>> Hello all,
>>
>> Since a while I've noticed the following lines in my firewall log:
>>
>> Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to 195.130.132.18
>> Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)
>> Jul 18 21:40:11 penguin dhcpcd[109]: DHCP_ACK received from (195.130.132.18)
>>
>> Can anyone help me? It appears to be in the
Stefan,

The value of this variable is already 'yes'. Any other ideas?

Tnx already,
Franky.
>> 'critical' messages for the firewall.
>
> What it's telling you is that host 195.130.132.18 is sending a UDP (PROTO=17) packet to host 213.224.69.28 with bootp information (port 67 & 68) and that packet is being denied. If you use the standard SuSE firewall configuration script (/etc/rc.config.d/firewall.rc.config) you should have:
>
> FW_SERVICE_DHCLIENT="no"  # if you use dhclient to get an ip address
>                           # you have to set this to "yes" !
>
> set to yes, or manually add a rule for accepting bootp packets
>
>> I would like to allow these requests through my firewall, but I didn't succeed. I'm trying to configure it with YAST and the FW_ variables in the configuration file.
>>
>> Thanks in advance,
>> Franky.
>
> good luck
> Stefan
On Sun, 6 Aug 2000, Franky GOETHALS wrote:
> Stefan,
>
> The value of this variable is already 'yes'.
> Any other ideas?
>
> Tnx already,
> Franky.
Well, if that value is set to yes, theoretically all traffic coming from system x port 67 to your port 68 should be allowed (see /sbin/SuSEfirewall). If it isn't, you probably defined another rule somewhere specifically denying these connections from this system. To say anything meaningful, I'd have to take a look at either your firewall.rc.config or your ipchains -L output.

What you could do is take a look at your ipchains -L|grep DENY output and see if there's a rule blocking udp connections from the dhcp server.

If you really want control over the rules generated, you should use a custom-made script instead of SuSEfirewall, adding only those rules you need.
Stefan
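To make the two diagnostic steps in this thread concrete (reading the kernel "Packet log:" line the way Stefan decodes it, then checking the ipchains -L|grep DENY rows against that packet), here is an added example in Python; it is not code from the thread or from SuSEfirewall, and the log line and rule rows it embeds are constructed from the ones quoted above. The sample listing keeps only numeric rows, because rows where ipchains printed a resolved hostname cannot be matched offline.

```python
import ipaddress
import re

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
PORT_NAMES = {53: "domain", 67: "bootps (DHCP server)", 68: "bootpc (DHCP client)"}

# Layout of the 2.2-kernel ipchains 'Packet log:' line quoted in the thread.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x[0-9a-fA-F]+ I=\d+ F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?")

def parse_packet_log(line):
    """Return the fields of a kernel 'Packet log:' line as a dict, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    return {"chain": f["chain"], "target": f["target"], "iface": f["iface"],
            "proto": PROTO_NAMES.get(int(f["proto"]), f["proto"]),
            "src": f["src"], "sport": int(f["sport"]), "dst": f["dst"], "dport": int(f["dport"]),
            "sport_name": PORT_NAMES.get(int(f["sport"]), f["sport"]),
            "dport_name": PORT_NAMES.get(int(f["dport"]), f["dport"]),
            "length": int(f["len"]), "ttl": int(f["ttl"]),
            # F= is the IP flags+fragment-offset word; bit 0x4000 is Don't Fragment.
            "dont_fragment": bool(int(f["frag"], 16) & 0x4000),
            # (#N) is the number of the rule in the chain that logged the packet.
            "rule": int(f["rule"]) if f["rule"] else None}

def _to_network(token):
    """'anywhere' -> 0.0.0.0/0; host or CIDR -> network; resolved hostnames -> None."""
    if token == "anywhere":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None  # e.g. 'linux' or 'loopback/8': ipchains printed a name

def parse_deny_rules(listing):
    """Parse 'Chain ...' headers and 'DENY prot opt source destination ports' rows."""
    rules, chain = [], None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if header:
            chain = header.group(1)
            continue
        cols = line.split()
        if len(cols) < 5 or cols[0] != "DENY":
            continue
        rules.append({"chain": chain, "proto": cols[1], "logged": "l" in cols[2],
                      "src": cols[3], "dst": cols[4],
                      "src_net": _to_network(cols[3]), "dst_net": _to_network(cols[4])})
    return rules

def matching_deny_rules(pkt, rules):
    """Indexes (listing order) of DENY rows whose chain, proto, src and dst cover pkt."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    hits = []
    for i, r in enumerate(rules):
        if r["chain"] != pkt["chain"] or r["proto"] not in ("all", pkt["proto"]):
            continue
        if r["src_net"] is None or r["dst_net"] is None:
            continue  # hostname rows need resolving before they can be evaluated
        if src in r["src_net"] and dst in r["dst_net"]:
            hits.append(i)
    return hits

# Constructed from the thread: the denied DHCP packet and a numeric subset of Franky's rows.
SAMPLE_LOG = ("Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 "
              "195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)")
SAMPLE_DENY_LISTING = """Chain input (policy DENY):
DENY all ----l- 213.224.20.0/23 anywhere n/a
DENY all ----l- loopback/8 anywhere n/a
DENY all ----l- anywhere 192.168.164.0/24 n/a
DENY all ----l- anywhere anywhere n/a
Chain forward (policy DENY):
DENY all ----l- anywhere anywhere n/a
"""

if __name__ == "__main__":
    pkt = parse_packet_log(SAMPLE_LOG)
    print(pkt["proto"], pkt["sport_name"], "->", pkt["dport_name"], "rule", pkt["rule"],
          "covered by DENY rows", matching_deny_rules(pkt, parse_deny_rules(SAMPLE_DENY_LISTING)))
```

Because grep drops the ACCEPT rows, a DENY row reported here may still be shadowed by an earlier ACCEPT in the full chain; the (#N) number at the end of the log line points at the rule that actually fired.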
Stefan Suurmeijer wrote:
> Well, if that value is set to yes, theoretically all traffic coming from system x port 67 to your port 68 should be allowed (see /sbin/SuSEfirewall). If it isn't, you probably defined another rule somewhere specifically denying these connections from this system. To say anything meaningful, I'd have to take a look at either your firewall.rc.config or your ipchains -L output.
>
> What you could do is take a look at your ipchains -L|grep DENY output and see if there's a rule blocking udp connections from the dhcp server.
>
> If you really want control over the rules generated, you should use a custom-made script instead of SuSEfirewall, adding only those rules you need.
> Stefan
Stefan,

Attached is my /etc/rc.config.d/firewall.rc.config, and here below some other output:

root@penguin:/etc > ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:04:40:83:11
          inet addr:213.224.20.136  Bcast:213.224.21.255  Mask:255.255.254.0
          UP BROADCAST NOTRAILERS RUNNING PROMISC  MTU:1500  Metric:1
          RX packets:155572 errors:0 dropped:0 overruns:0 frame:0
          TX packets:119434 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:100
          Interrupt:9 Base address:0x1400

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:403 errors:0 dropped:0 overruns:0 frame:0
          TX packets:403 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

vmnet1    Link encap:Ethernet  HWaddr 00:50:56:01:00:00
          inet addr:192.168.164.1  Bcast:192.168.164.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:41310 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53743 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100

root@penguin:/etc > ipchains -L|grep DENY
Chain input (policy DENY):
DENY       all  ----l-  213.224.20.0/23       anywhere              n/a
DENY       all  ----l-  192.168.164.0/24      anywhere              n/a
DENY       all  ----l-  192.168.164.0/24      anywhere              n/a
DENY       all  ----l-  213.168.164.0/24      anywhere              n/a
DENY       all  ----l-  213.224.0.0/24        anywhere              n/a
DENY       all  ----l-  linux                 anywhere              n/a
DENY       all  ----l-  dhcp-213-224-20-136.kabel.pandora.be  anywhere  n/a
DENY       all  ----l-  loopback/8            anywhere              n/a
DENY       all  ----l-  anywhere              loopback/8            n/a
DENY       all  ----l-  192.168.164.0/24      linux                 n/a
DENY       all  ----l-  192.168.164.0/24      dhcp-213-224-20-136.kabel.pandora.be  n/a
DENY       all  ----l-  213.168.164.0/24      linux                 n/a
DENY       all  ----l-  213.168.164.0/24      dhcp-213-224-20-136.kabel.pandora.be  n/a
DENY       all  ----l-  213.224.0.0/24        linux                 n/a
DENY       all  ----l-  213.224.0.0/24        dhcp-213-224-20-136.kabel.pandora.be  n/a
DENY       all  ----l-  anywhere              192.168.164.0/24      n/a
DENY       all  ----l-  anywhere              192.168.164.0/24      n/a
DENY       all  ----l-  anywhere              213.168.164.0/24      n/a
DENY       all  ----l-  anywhere              213.224.0.0/24        n/a
DENY       all  ----l-  anywhere              anywhere              n/a
Chain forward (policy DENY):
DENY       all  ----l-  anywhere              anywhere              n/a

I don't get where it gets all those denies from.... Can you please help?

Tnx,
Franky.

# Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany.  All rights reserved.
#
# Author: Marc Heuse <marc@suse.de>, 1999,2000
# Please contact me directly if you find bugs.
#
# If you have problems getting this tool configures, please read this file
# carefuly and take also a look into /usr/doc/packages/firewals/EXAMPLES !
#
# /etc/rc.config.d/firewall.rc.config
#
# for use with /sbin/SuSEfirewall version 2.1
#
# ------------------------------------------------------------------------
#
# PLEASE NOTE THE FOLLOWING:
#
# Just by configuring these settings and using the SuSEfirewall you are
# not secure per se! There is *not* such a thing you install and hence you
# are safed from all (security) hazards.
#
# To ensure your security, you must also:
#
# * Secure all services you are offering to untrusted networks (internet)
#   You can do this by using software which has been designed with
#   security in mind (like postfix, apop3d, ssh), setting these up without
#   misconfiguration and praying, that they have got really no holes.
#   SuSEcompartment can help in most circumstances to reduce the risk.
# * Do not run untrusted software. (philosophical question, can you trust
#   SuSE or any other software distributor?)
# * Harden your server(s) with the harden_suse package/script
# * Recompile your kernel with the openwall-linux kernel patch
#   (former secure-linux patch, from Solar Designer) www.openwall.com
# * Check the security of your server(s) regulary
# * If you are using this server as a firewall/bastion host to the internet
#   for an internal network, try to run proxy services for everything and
#   disable routing on this machine.
# * If you run DNS on the firewall: disable untrusted zone transfers and
#   either don't allow access to it from the internet or run it split-brained.
#
# Good luck!
#
# Yours,
#   SuSE Security Team
#
# ------------------------------------------------------------------------
#
# Configuration HELP:
#
# If you have got any problems configuring this file, take a look at
# /usr/doc/packages/firewals/EXAMPLES for an example.
#
#
# All types have to set option 1): set START_FW in /etc/rc.config to "yes" ;-)
#
# If you are a end-user who is NOT connected to two networks you just have to
# reconfigure (all other settings are OK): 2), and maybe 9), 11), and 17).
#
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are end end-user connected to the
# internet and to a internal network, you have to setup your proxys and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 10), 11)
# 12), 14) and 17).
#
# If this server is a firewall, and should do routing/masquerading between
# the untrusted and the trusted network, you have to reconfigure (all other
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 14), 17).
#
# If you want to run a DMZ in either of the above three standard setups, you
# just have to config 4), 9), 13) and maybe 18).
#
# If you know what you are doing, you may also change 8), 15), 16), 18)
# and the expert options 19), 20), 21) at the far end, but you should NOT.
#
# If you use diald or ISDN autodialing, you might want to set 17).
#
# To get programs like traceroutes to your firewall to work is a bit tricky,
# you have to set the following options to "yes" : 11 (UDP only), 18 and 19.
#
# If you want to load the full firewall rules for an interface even if it's not
# available, configure a static IP and netmask (see 2, 3 and 4 for an example).
#
# Please note that if you use service names, that they exist in /etc/services.
# There is no service "dns", it's called "domain", email is called "smtp" etc.
#
# If you use a modem/ISDN for connections, put "/sbin/SuSEfirewall" in the
# 2nd line of "/etc/ppp/ip-up". This is important!!
#
# *Any* routing between interfaces except masquerading has to set FW_ROUTE to
# "yes" and use FW_FORWARD_TCP and/or FW_FORWARD_UDP
#
# If you just want to do masquerading without filtering, ignore this script
# and run this line (exchange "ippp0" with your masquerade/external interface):
# ipchains -A forward -j MASQ -i ippp0
#
# ------------------------------------------------------------------------
#
# 1.)
# Should the Firewall be started?
#
# This setting is done in /etc/rc.config (START_FW="yes")
#
# 2.)
# Which is the interface that points to the internet?
#
# Enter all the network devices here which are untrusted.
#
# Choice: any number of devices, seperated by a space
# e.g. "eth0", "ippp0 ippp1"
#
FW_DEV_WORLD="eth0"
#
# You *may* configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_WORLD_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
#
#FW_DEV_WORLD_ippp0="10.0.0.1 255.255.255.0" # e.g. for exernal interface ippp0
#
# 3.)
# Which is the interface that points to the internal network?
#
# Enter all the network devices here which are trusted.
# If you are not connected to a trusted network (e.g. you have just a
# dialup) leave this empty.
#
# Choice: leave empty or any number of devices, seperated by a space
# e.g. "tr0", "eth0 eth1" or ""
#
FW_DEV_INT="vmnet1"
#
# You may configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_INT_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
#
#FW_DEV_INT_eth0="192.168.1.1 255.255.255.0" # e.g. for internal interface eth0
#
# 4.)
# Which is the interface that points to the dmz network?
#
# Enter all the network devices here which point to the dmz.
# A "dmz" is a special, seperated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services,
# e.g. WWW, Mail, etc. and hence are at risk from attacks.
# See /usr/doc/packages/firewals/EXAMPLES for an example.
#
# Special note: You have to configure FW_FORWARD_TCP and FW_FORWARD_UDP to
# define the services which should be available to the internet and set
# FW_ROUTE to yes.
#
# Choice: leave empty or any number of devices, seperated by a space
# e.g. "tr0", "eth0 eth1" or ""
#
FW_DEV_DMZ=""
#
# You may configure a static IP and netmask to force rule loading even if the
# interface is not up and running: set a variable called
# FW_DEV_INT_[device]="IP_ADDRESS NETMASK"
# see below for an example. Otherwise automatic detection is done.
#
#FW_DEV_DMZ_eth1="192.168.1.1 255.255.255.0" # e.g. for dmz interface eth1
#
# 5.)
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
#
# You need only set this to yes, if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but this is not
# a good idea). This option supersedes IP_FORWARD from /etc/rc.config!
#
# Setting this option one alone doesn't do anything. Either activate
# massquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD_TCP and/or
# FW_FORWARD_UDP to define what is allowed to be forwarded!
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ROUTE="yes"
#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT, FW_ROUTE
#
# "Masquerading" means that all your internal machines which use services on
# the internet seem to come from your firewall.
# Please note that it is more secure to communicate via proxies to the
# internet than masquerading
#
# Choice: "yes" or "no", defaults to "no"
#
FW_MASQUERADE="yes"
#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxys on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Choice: leave empty or any number of computers and/or networks, seperated by
# a space. You may NOT set this to "0/0" !
# e.g. "10.0.0.0/8", "10.0.0.1 10.0.0.10 10.10.10.0/24" or ""
#
FW_MASQ_NETS="192.168.164.0/24 213.168.164.0/24 213.224.0.0/24"
#
# If you want (and you should) you may also set the FW_MASQ_DEV option, to
# specify the outgoing interface to masquerade on. (You would normally use
# the external interface(s), the FW_DEV_WORLD device(s), e.g. "ippp0")
#
FW_MASQ_DEV="$FW_DEV_WORLD"      # e.g. "ippp0" or "$FW_DEV_WORLD"
#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will be also affected from the
# FW_AUTOPROTECT_GLOBAL_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_PROTECT_FROM_INTERNAL="no"
#
# 8.)
# Do you want to autoprotect all global running services?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# which are not bound to a special IP address will be prevented (except to
# those which you explicitly allow, see below: FW_*_SERVICES_*)
# Example: "0.0.0.0:23" would be protected, but "10.0.0.1:53" not.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
#
# 9.)
# Which services on the firewall should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXTERNAL_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges seperated by a space. Port ranges are
# written like this, from 1 to 10: "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
FW_SERVICES_EXTERNAL_TCP="www smtp telnet telnet5 ftp-data ipp compressnet"
FW_SERVICES_EXTERNAL_UDP="www smtp telnet telnet5 ftp-data ipp compressnet"
#
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
#
FW_SERVICES_INTERNAL_TCP=""
FW_SERVICES_INTERNAL_UDP=""
#
# 10.)
# Which services should be accessible from trusted hosts/nets on the internet?
#
# Define trusted networks on the internet, and the TCP and/or UDP services
# they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1", "172.20.0.0/16"
#
FW_TRUSTED_NETS="213.224.0.0/0 10.95.13.0/0 192.168.164.0/0"
#
# leave FW_SERVICES_TRUSTED_* empty or any number of ports, known portnames
# (from /etc/services) and port ranges seperated by a space.
# e.g. "25", "ssh", "1:65535", "1 3:5"
#
FW_SERVICES_TRUSTED_TCP="1:65535"
FW_SERVICES_TRUSTED_UDP="1:65535"
#
# 11.)
# How is access allowed to high (unpriviliged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("dns").
# Note that if you want to use normal (active) ftp, you have to set the TCP
# option to ftp-data. If you use passive ftp, you don't need that.
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script.
#
# Choice: "yes", "no", "dns", portnumber or known portname, defaults to "no"
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won´t work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
#
FW_SERVICE_DNS="no"       # if yes, FW_TCP_SERVICES_* needs to have port 53
                          # (or "domain") set to allow incoming queries.
                          # also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DHCLIENT="yes" # if you use dhclient to get an ip address
                          # you have to set this to "yes" !
FW_SERVICE_DHCPD="yes"
#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz or internal network?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were assigned to
# you by your ISP. This opens a direct link to your network, so only use
# this option for access to your dmz!!!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forwarding rules, seperated each by a space.
# A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern)
# and 3) destination port, seperated by a comma (","), e.g.
# "4.0.0.0/8,1.1.1.1,22",
# "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22"
#
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
#
# 14.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, seperated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) original destination port and 4) local port to redirect the traffic to,
# seperated by a colon. e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080"
#
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
#
# 15.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also the set log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
#         FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
#
# 16.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_KERNEL_SECURITY="yes"
#
# 17.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choices "yes" or "no", defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"
#
# 18.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet?
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
#
#
# 19.)
# Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_UDP_ALLOW_INCOMING_HIGHPORTS, and windows traceroutes only if you say
# "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 20.)
# Allow ICMP sourcequench from your ISP?
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 21.)
# Which masquerading modules should be loaded?
# REQUIRES: FW_ROUTE, FW_MASQUERADE
#
# (omit the path or "ip_masq_" prefix as well as the ".o" suffix!)
#
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"
participants (2)
- Franky GOETHALS
- Stefan Suurmeijer