Fwd: Re: [suse-security] 3 SuSEfirewall2 questions
On Tuesday 21 January 2003 18:32, Richard Ems wrote:
Hi list.
This is my 2nd try. I hope this time I get some answers ;-)
I have 3 questions about SuSEfirewall2. This is a SuSE Linux 8.1 system.
1) What is NEW_FW_MASQ_DEV good for?
I have in my /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="eth0 eth0:3"
and
FW_MASQ_DEV="$FW_DEV_EXT"
but in /sbin/SuSEfirewall2 (from SuSEfirewall2-3.1-26) FW_MASQ_DEV is "filtered" and eth0:3 discarded. So after this filtering I have only FW_MASQ_DEV="eth0".
Is this needed/wanted? Why?
The SuSEfirewall2 script pays no attention to aliases in these device definitions.
========== 2) I'm trying to connect from a public external ip (a) to a private internal masqueraded ip, over the public ip address (b) at eth0:3.
From tcpdump on both the external and internal devices, packets are being correctly forwarded from ext to int, but when responses arrive at the internal device they are being dropped on the last forward_int chain rule.
For this to work I have set on /etc/sysconfig/SuSEfirewall2 FW_FORWARD_MASQ="1.2.3.4,192.168.30.15,tcp,2222,22,5.6.7.8"
where 1.2.3.4 is the ext source public ip (a) and 5.6.7.8 is the public ip address (b)
Does someone have any clue?
Your line is wrong: 192.168.30.15/32,5.6.7.8/32,tcp,22
<Internal IP that has to be masqueraded>/
========== 3) What do _ext/_int/_dmz mean on forward_xxx or input_xxx ? [forward|input]_packets_COMING_FROM_xxx or [forward|input]_packets_GOING_TO_xxx ???
I think you mean FW_SERVICES_DMZ_TCP and similar definitions: it means that you can access the defined port from internal with a port >1024. I hope that helps you a bit. Perhaps you try a sample configuration first and extend that. Another tool is fwbuilder, which I think looks very nice. But I have to configure firewalls remotely and that's the reason I prefer SuSEfirewall. Greetings Harald -- Dr. Harald Wallus netlike-gmbh Am Listholze 78, D-30177 Hannover Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 1-90 Email: wallus@netlike-gmbh.de Internet: http://netlike-gmbh.de
* Harald Wallus wrote on Wed, Jan 22, 2003 at 09:21 +0100:
Another tool is fwbuilder, which I think looks very nice.
Does anybody have experience with it? It looks like this is a kind of rule compiler that generates some script. This is a nice way of doing it, I think, but it's complex to do right and flexibly...
But I have to configure firewalls remotely and that's the reason I prefer SuSEfirewall.
Could you explain that, please? oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
On Wed, 2003-01-22 at 10:47, Steffen Dettmer wrote:
* Harald Wallus wrote on Wed, Jan 22, 2003 at 09:21 +0100:
Another tool is fwbuilder, which I think looks very nice.
Does anybody have experience with it? It looks like this is a kind of rule compiler that generates some script. This is a nice way of doing it, I think, but it's complex to do right and flexibly... It basically generates an iptables script with the rules ... IMHO it is better and more flexible to do it yourself ... at least then you'll understand what you are doing ...
But I have to configure firewalls remotely and that's the reason I prefer SuSEfirewall.
Could you explain that, please? SuSEfirewall only has one config file and is therefore easy to configure?
On Wednesday 22 January 2003 09:55, Raymond Leach wrote:
On Wed, 2003-01-22 at 10:47, Steffen Dettmer wrote:
* Harald Wallus wrote on Wed, Jan 22, 2003 at 09:21 +0100:
Another tool is fwbuilder, which I think looks very nice.
Does anybody have experience with it? It looks like this is a kind of rule compiler that generates some script. This is a nice way of doing it, I think, but it's complex to do right and flexibly...
It basically generates an iptables script with the rules ... IMHO it is better and more flexible to do it yourself ... at least then you'll understand what you are doing ...
But I have to configure firewalls remotely and that's the reason I prefer SuSEfirewall.
Could you explain that, please?
SuSEfirewall only has one config file and is therefore easy to configure? You are right. At a maximum you need only 20 lines for a really complex firewall configuration. And you can easily read it, add comments and so on. I do my comments like this:
%<------
# <name> must be able to reach SAP router xxx.xxx.xxx.xxx. <company>
FW_MASQ_NETS=${FW_MASQ_NETS}" 192.168.251.233/32,213.157.3.110/32 "
--->%
Please don't forget the spaces, otherwise SuSEfirewall cannot parse it.
Greetings Harald
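Both the FW_FORWARD_MASQ line in question 2 above and Harald's FW_MASQ_NETS snippet (with its warning about the spaces) are whitespace-separated lists of comma-separated tuples, and SuSEfirewall2 gives little feedback when one is malformed. The validator below is an added example, not part of SuSEfirewall2 or of anyone's posted configuration. It assumes the entry formats as documented in the sysconfig comments of that era: FW_MASQ_NETS entries are src[,dst[,proto[,port]]] and FW_FORWARD_MASQ entries are src,internal_ip,proto,port[,redirect_port[,public_ip]]; host fields accept an optional /32 so both spellings seen in this thread pass. Check these formats against the comments in your own /etc/sysconfig/SuSEfirewall2 before relying on it. The interesting case is Harald's caveat: a missing space glues two entries into one tuple, which the check reports.

```shell
#!/bin/sh
# Added example: validate SuSEfirewall2-style list variables before a reload.
# Entry formats are assumptions (see lead-in); adjust to your version.

# a.b.c.d, each octet 0-255
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# a.b.c.d or a.b.c.d/0..32
is_net() {
    case "$1" in
        */*) ip=${1%/*}; len=${1#*/}
             is_ipv4 "$ip" || return 1
             case "$len" in ''|*[!0-9]*) return 1 ;; esac
             [ "$len" -le 32 ] ;;
        *)   is_ipv4 "$1" ;;
    esac
}

# single host: a.b.c.d, optionally written as a.b.c.d/32
is_host() {
    case "$1" in
        */32) is_ipv4 "${1%/32}" ;;
        *)    is_ipv4 "$1" ;;
    esac
}

is_port()  { case "$1" in ''|*[!0-9]*) return 1 ;; esac; [ "$1" -ge 1 ] && [ "$1" -le 65535 ]; }
is_proto() { case "$1" in tcp|udp|icmp) return 0 ;; *) return 1 ;; esac; }

# One FW_MASQ_NETS entry: src[,dst[,proto[,port]]]
check_masq_entry() {
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    [ $# -ge 1 ] && [ $# -le 4 ] || return 1
    is_net "$1" || return 1
    [ $# -lt 2 ] || is_net "$2"   || return 1
    [ $# -lt 3 ] || is_proto "$3" || return 1
    [ $# -lt 4 ] || is_port "$4"  || return 1
}

# One FW_FORWARD_MASQ entry: src,internal_ip,proto,port[,redirect_port[,public_ip]]
check_forward_entry() {
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    [ $# -ge 4 ] && [ $# -le 6 ] || return 1
    is_net "$1" && is_host "$2" && is_proto "$3" && is_port "$4" || return 1
    [ $# -lt 5 ] || is_port "$5" || return 1
    [ $# -lt 6 ] || is_host "$6" || return 1
}

# Walk a whitespace-separated list with the given checker; report the first
# bad entry on stderr and return 1. A forgotten space shows up here as one
# over-long tuple whose second field is not a valid network.
check_list() {
    for entry in $2; do
        "$1" "$entry" || { echo "bad entry: $entry" >&2; return 1; }
    done
    return 0
}

# Typical use: source the config and check the lists before "rcSuSEfirewall2 start".
# . /etc/sysconfig/SuSEfirewall2
# check_list check_masq_entry "$FW_MASQ_NETS" && check_list check_forward_entry "$FW_FORWARD_MASQ"
```

check_list only looks at syntax; whether a given tuple does what you intend (for instance which field SuSEfirewall2 treats as the public address in FW_FORWARD_MASQ) still has to be read off the generated iptables rules with iptables -L -n -v after the reload.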
Hi, I changed from using SuSEFirewall to Shorewall, it's very easy to configure. You have to edit at least 3 files (very simple edits though), but I found it easier to set up some special things with it than with SuSEFirewall. If you absolutely can't do a thing with SuSEFirewall, try Shorewall. That's the nice thing with Linux, you've got the choice ;) Peace, Tom
On Wednesday 22 January 2003 13:30, Thomas Seliger wrote:
Hi,
I changed from using SuSEFirewall to Shorewall, it's very easy to configure. You have to edit at least 3 files (very simple edits though), but I found it easier to set up some special things with it than with SuSEFirewall.
If you absolutely can't do a thing with SuSEFirewall, try Shorewall. That's the nice thing with Linux, you've got the choice ;)
Peace, Tom
Looks good, I think I'll try it next month. -- Harald
* Harald Wallus wrote on Wed, Jan 22, 2003 at 13:06 +0100:
You are right. At a maximum you need only 20 lines for a really complex firewall configuration. And you can easily read it, add comments and so on.
Do you really think that a configuration that can be described by 20 rules is complex? On border filters, some hundreds of rules are common, but it's quite clear, since NTP servers do NTP and so on (1 rule per NTP server), and the same with all services. oki, Steffen
* Raymond Leach wrote on Wed, Jan 22, 2003 at 10:55 +0200:
On Wed, 2003-01-22 at 10:47, Steffen Dettmer wrote:
* Harald Wallus wrote on Wed, Jan 22, 2003 at 09:21 +0100:
Another tool is fwbuilder, which I think looks very nice.
Does anybody have experience with it? It looks like this is a kind of rule compiler that generates some script. This is a nice way of doing it, I think, but it's complex to do right and flexibly...
It basically generates an iptables script with the rules ... IMHO it is better and more flexible to do it yourself ...
Do you think SuSEFirewall is doing it yourself?! I got confused when I tried it. I don't use it. But what does this have to do with "but I configure remotely..."? Well, how else? My firewall script has a remote-safe feature: after "start" from the shell you have to give an "ok" within 60 seconds, otherwise some fail-safe SSH rules are inserted (it's important when having really strict firewalls :)).
at least then you'll understand what you are doing ...
With SuSEFirewall I don't think you'd be able to understand it, either...
But I have to configure firewalls remotely and that's the reason I prefer SuSEfirewall.
Could you explain that, please?
SuSEfirewall only has one config file and is therefore easy to configure?
A shell script which needs to be copied is also just one file, isn't it? And since I create it locally I can check it into CVS :) So I think this isn't a bad way... oki, Steffen
Hi,
Do you think SuSEFirewall is doing it yourself?! I got confused when I tried it. I don't use it. But what does this have to do with "but I configure remotely..."? Well, how else? My firewall script has a remote-safe feature: after "start" from the shell you have to give an "ok" within 60 seconds, otherwise some fail-safe SSH rules are inserted (it's important when having really strict firewalls :)).
I really would like to see the relevant parts (not your fw-conf :-), because that's a nice idea... Greetings, Sven
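Steffen did not post his script, so the following is an added example of the mechanism he describes (a dead-man's switch for remote firewall reloads), written here and not taken from his or anyone else's configuration. The names are assumptions: ADMIN_NET is a documentation range standing in for the network you administer from, GRACE is the 60-second window, and IPTABLES can be pointed at something other than the real binary for a dry run. "start" loads the strict ruleset and arms a watchdog; unless "ok" arrives within GRACE seconds, rules admitting SSH from ADMIN_NET are inserted at the top of INPUT and OUTPUT, so a ruleset that cut your session is recoverable without console access.

```shell
#!/bin/sh
# Added example: remote-safe firewall start with a confirmation watchdog.
# Assumed names: ADMIN_NET (documentation range), CONFIRM_FILE, GRACE, IPTABLES.

IPTABLES="${IPTABLES:-iptables}"
CONFIRM_FILE="${CONFIRM_FILE:-/var/run/fw-confirmed}"
GRACE="${GRACE:-60}"
SSH_PORT="${SSH_PORT:-22}"
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# The strict ruleset: drop by default, allow loopback and established traffic.
# Service rules would follow; a mistake here is what the watchdog protects against.
apply_rules() {
    "$IPTABLES" -F
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -A INPUT -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
    "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Fail-safe rules go in at position 1 so they win over whatever the
# possibly broken ruleset put after them. Nothing is flushed.
insert_failsafe() {
    "$IPTABLES" -I INPUT 1 -p tcp -s "$ADMIN_NET" --dport "$SSH_PORT" -j ACCEPT
    "$IPTABLES" -I OUTPUT 1 -p tcp -d "$ADMIN_NET" --sport "$SSH_PORT" -j ACCEPT
}

# Wait up to GRACE seconds for the confirmation file.
# Returns 0 if confirmed in time, 1 after inserting the fail-safe rules.
watchdog() {
    trap '' HUP            # keep running if the admin's SSH session dies
    waited=0
    while [ "$waited" -lt "$GRACE" ]; do
        if [ -f "$CONFIRM_FILE" ]; then
            rm -f "$CONFIRM_FILE"
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    insert_failsafe
    return 1
}

fw_start() {
    rm -f "$CONFIRM_FILE"          # a stale confirmation must not count
    apply_rules
    watchdog >/dev/null 2>&1 &
    echo "rules loaded; run '$0 ok' within $GRACE s or SSH fail-safe rules will be inserted"
}

fw_ok() {
    : > "$CONFIRM_FILE"
    echo "confirmed"
}

case "${1:-}" in
    start) fw_start ;;
    ok)    fw_ok ;;
    *)     [ $# -eq 0 ] || echo "usage: $0 {start|ok}" >&2 ;;
esac
```

Over ssh the sequence is "fw start", then, from the same or a fresh session, "fw ok"; being able to type the second command is the proof that the new rules did not lock you out. The watchdog ignores SIGHUP so that a dropped session does not take it down with it, and the fail-safe only adds permissive SSH rules rather than flushing, so the rest of the loaded policy stays in force while you repair it.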
participants (5)
- Harald Wallus
- Raymond Leach
- Steffen Dettmer
- Sven Thomsen
- Thomas Seliger