Re: [suse-security] Blocking a domain with SuseFirewall2
If one knows how, yes, it's easy. Alas, SuSE's firewall documentation is not well documented in that aspect. Besides IPv6 problems, the firewall itself is configured out of the box to deny nearly all network traffic, which is not very practicable for a typical Web/LAN Server box, indeed. This firewall even requires custom rules to allow unlimited access from the internal network to external networks, such as the Internet, go figure.
Here's the only way to do it with SuSE firewall:

1. Open /etc/sysconfig/scripts/SuSEfirewall2-custom in a text editor
2. Seek to the section "fw_custom_before_antispoofing()"
3. Enter your custom firewall rules, e.g., block a specific address:

   iptables -I INPUT -s xxx.xxx.xxx.xxx -j DROP
Philippe Wiede
Raphael Leplae wrote:
Hi,
I've set up the SuseFirewall2 on my web server, allowing access just via http and ssh; that was very easy with the GUI. Now if I need to block a specific domain, let's say *.123.123.123, is there a simple way to do it in /etc/sysconfig/SuSEfirewall2?
I was expecting something like: FW_REJECT_IP="*.123.123.123" but there is nothing like that in the examples provided in /usr/share/doc/packages/SuSEfirewall2/
I guess there is a simple way to do it. Thanks in advance.
Raphael
On Friday 27 August 2004 21:53, Johannes Becker wrote:
And don't forget to set FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2; otherwise you will need a *very* long time to see what the problem is.
Johannes
...and don't forget to set REJECT_ALL_INCOMING_CONNECTIONS="no" in /etc/sysconfig/personal-firewall, otherwise it renders most, if not all, settings in /etc/sysconfig/SuSEfirewall2 useless :-(. Never forget the bash -x /sbin/SuSEfirewall2 trick, if in doubt.
Pete
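As an added example (not code from the thread or from the SuSEfirewall2 package), here is what the advice in the three replies above looks like when put together: a fw_custom_before_antispoofing() hook of the kind Philippe describes, written for /etc/sysconfig/scripts/SuSEfirewall2-custom, that inserts DROP rules for a list of sources. It goes one step beyond the single-address rule above by also accepting CIDR networks (the question's "*.123.123.123" is read here as a whole /24) and by rejecting malformed entries before they are handed to iptables. The hook name and the "-I INPUT -s ... -j DROP" rule are taken from Philippe's reply; the FW_BLOCKED_SOURCES list (an invented name, not a SuSEfirewall2 setting), the sample addresses in it, and the IPTABLES variable (so the hook can be dry-run with IPTABLES=echo without root) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the thread or of the SuSEfirewall2 package.
# Intended to live in /etc/sysconfig/scripts/SuSEfirewall2-custom, which
# SuSEfirewall2 only sources when FW_CUSTOMRULES names it.

# Assumption: lets the hook be exercised without root, e.g. IPTABLES=echo.
IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# Assumption: invented setting holding a space-separated list of sources.
# Constructed sample values: one host and one /24 network.
FW_BLOCKED_SOURCES="${FW_BLOCKED_SOURCES:-10.0.0.5 123.123.123.0/24}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# typo or a wildcard in the list never reaches iptables as a rule argument.
valid_ipv4_source() {
    addr="${1%%/*}"
    prefix="${1#*/}"
    if [ "$prefix" = "$1" ]; then prefix=32; fi
    case "$prefix" in ''|*[!0-9]*) return 1;; esac
    [ "$prefix" -le 32 ] || return 1
    # Reject anything but digits and dots before word-splitting, so that a
    # "*" in the entry cannot be expanded against the current directory.
    case "$addr" in *[!0-9.]*) return 1;; esac
    oldifs="$IFS"; IFS=.
    set -- $addr
    IFS="$oldifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Hook named in the thread: run by SuSEfirewall2 after the base chains exist
# and before its own anti-spoofing rules are loaded.
fw_custom_before_antispoofing() {
    for src in $FW_BLOCKED_SOURCES; do
        if valid_ipv4_source "$src"; then
            # -I puts the DROP ahead of the ACCEPT rules for http and ssh.
            "$IPTABLES" -I INPUT -s "$src" -j DROP
        else
            echo "SuSEfirewall2-custom: skipping invalid source '$src'" >&2
        fi
    done
    # The stock custom script ends each hook with true; keep that convention.
    true
}
```

The file is only read when FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2 points at /etc/sysconfig/scripts/SuSEfirewall2-custom (Johannes's point), and, as Pete notes, REJECT_ALL_INCOMING_CONNECTIONS="no" in /etc/sysconfig/personal-firewall has to be in place for the SuSEfirewall2 settings to take effect at all. After restarting the firewall, iptables -L INPUT -n --line-numbers should show the DROP entries at the top of INPUT, ahead of the ACCEPT rules for http and ssh; if they are missing, bash -x /sbin/SuSEfirewall2 shows whether the custom script was sourced.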
participants (3)
- Hans-Peter Jansen
- Johannes Becker
- PW