How to open a protocol with SuSEfirewall2
Hello there,

Maybe I misunderstood the SuSEfirewall2 descriptions, but how do I open a protocol? Ports are opened, e.g., by the lines

FW_SERVICES_EXT_TCP="..."
FW_SERVICES_EXT_UDP="..."

But how to handle protocols?

Thanks in advance!
c y
Torsten
On Sun, 2003-02-09 at 17:09, T. Ermlich wrote:

> Maybe I misunderstood the SuSEfirewall2 descriptions, but how do I open
> a protocol? Ports are opened, e.g., by the lines
> FW_SERVICES_EXT_TCP="..."
> FW_SERVICES_EXT_UDP="..."
> But how to handle protocols?

[snipped from /etc/SuSEfirewall2]

# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")

[snip]

i.e.:

FW_SERVICES_EXT_TCP="http ftp pop3 smtp ssh 10000"   # Common: domain
FW_SERVICES_EXT_UDP="domain"                         # Common: domain
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""

Peace.

-- 
"The Man, he is not; he becomes." - NEHER.
Miguel Albuquerque, Project Manager, e-SecureNet (We Run SuSE - The LINUX Experts)
Av. Miremont 46, 1202 - GE, SWITZERLAND, NATEL 079 543 1935
mailto:mfoacs@e-workshop.ch  http://mfoacs.e-workshop.ch
Linux user #301007 (http://counter.li.org)
----- Original Message -----
From: "Miguel Albuquerque" <mfoacs@e-workshop.ch>
To: <suse-security@suse.com>
Sent: Sunday, February 09, 2003 5:48 PM
Subject: Re: [suse-security] How to open a protocol with SuSEfirewall2
Hi again,

Maybe I'm too stupid ....... but isn't there a difference between ports & protocols? I thought I understood iptables, but your reply shows me I didn't. Here's an example:

/usr/sbin/iptables -A INPUT -s 192.168.0.25 -d 64.65.66.67 -p udp --dport 500 -j ACCEPT
/usr/sbin/iptables -A INPUT -s 192.168.0.25 -d 64.65.66.67 -p 50 -j ACCEPT

Line 1 is related to UDP port 500, while line 2 is related to protocol 50. Or am I totally wrong?????

c y
Torsten
On Sunday 09 February 2003 18:13, T. Ermlich wrote:

> Hi again,
>
> Maybe I'm too stupid ....... but isn't there a difference between ports &
> protocols? I thought I understood iptables, but your reply shows me I
> didn't. Here's an example:
>
> /usr/sbin/iptables -A INPUT -s 192.168.0.25 -d 64.65.66.67 -p udp --dport 500 -j ACCEPT
> /usr/sbin/iptables -A INPUT -s 192.168.0.25 -d 64.65.66.67 -p 50 -j ACCEPT
>
> Line 1 is related to UDP port 500, while line 2 is related to protocol 50.
> Or am I totally wrong?????

No, you're right. Line 2 is related to protocol 50 ("-p 50").

thomas
On Sun, 2003-02-09 at 18:13, T. Ermlich wrote:

> Hi again,
>
> Maybe I'm too stupid ....... but isn't there a difference between ports &
> protocols? I thought I understood iptables, but your reply shows me I
> didn't. Here's an example:
>
> /usr/sbin/iptables -A INPUT -s 192.168.0.25 -d 64.65.66.67 -p udp --dport 500 -j ACCEPT
> /usr/sbin/iptables -A INPUT -s 192.168.0.25 -d 64.65.66.67 -p 50 -j ACCEPT
>
> Line 1 is related to UDP port 500, while line 2 is related to protocol 50.
> Or am I totally wrong?????

Nope, you're right. Ports are not protocols. But again, everything is there. Protocol 50 (and 51) are used for most IPsec compliant encryption packages. I.e. M$ boxes will typically use:

IPSec:
  ISAKMP   UDP 500
  ESP      IP Protocol 50
  AH       IP Protocol 51

[snipped from /etc/sysconfig/SuSEfirewall2]

# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)

[snipped from /etc/protocols]

#ipv6-crypt  50  IPv6-Crypt   # Encryption Header for IPv6
#ipv6-auth   51  IPv6-Auth    # Authentication Header for IPv6

[snips]

Well, all you need is to edit /etc/sysconfig/SuSEfirewall2, go to line ~259 if you want to allow those protocols, and:

# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP="50 51 (or enter protocol name)"

You're done.

-- 
"The Man, he is not; he becomes." - NEHER.
Miguel Albuquerque, Project Manager, e-SecureNet (We Run SuSE - The LINUX Experts)
Av. Miremont 46, 1202 - GE, SWITZERLAND, NATEL 079 543 1935
mailto:mfoacs@e-workshop.ch  http://mfoacs.e-workshop.ch
Linux user #301007 (http://counter.li.org)
participants (3)
- Miguel Albuquerque
- T. Ermlich
- Thomas Reitelbach