Re: Re: [suse-security] Susefirewall2 DMZ
I prefer an example.

___________________________________________________________
Do You Yahoo!? -- A free @yahoo.fr address, in French! Yahoo! Mail: http://fr.mail.yahoo.com

I know, but I must have some errors in my config file; that's why I need help.

--- Peter Wiersig <wiersig-ml@dns.glamus.de> wrote:
> Frédéric Poulet wrote:
> > I prefer an example.
>
> You already have one in this file on your computer: /usr/share/doc/packages/SuSEfirewall2/EXAMPLES
>
> Peter

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
* Frédéric Poulet; <pofrederic@yahoo.fr> on 07 Nov, 2002 wrote:
> I know, but I must have some errors in my config file; that's why I need help.

It is difficult to give suggestions without knowing your config. Send the config file, and if there is a mistake it is easier to help.

I thought the document I had prepared explained all the parameters along with examples. Looks like it needs polishing before I announce the final version :-(

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
I use Suse 8.0 and Susefirewall2.

My system:

              WEB
               |
               | (ppp0-eth0)
               |
           FIREWALL-----(eth2:192.168.5.0)-------- WEB SERVER (apache) 192.168.5.2
               |
               | (eth1) 192.168.1.0
               |
         INTERN NETWORK 192.168.1.x

My SuseFirewall file:

# 2.)
FW_DEV_EXT="ppp0"
#
# 3.)
FW_DEV_INT="eth1"
#
# 4.)
FW_DEV_DMZ="eth2"
#
# 5.)
FW_ROUTE="yes"
#
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24"
#
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
#
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
#
# 9.)
FW_SERVICES_EXT_TCP="www http https imap imaps pop3 pop3s smtp"
FW_SERVICES_EXT_UDP="www"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="www"
FW_SERVICES_DMZ_UDP="www"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="www"
FW_SERVICES_INT_UDP="www"
FW_SERVICES_INT_IP=""
#
# 10.)
FW_TRUSTED_NETS=""
#
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
#
# 12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
#
# 13.)
FW_FORWARD="0/0,192.168.5.2,tcp,80"
#
# 14.)
FW_FORWARD_MASQ=""
#
# 15.)
FW_REDIRECT=""
#
# 16.)
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
#
# 17.)
FW_KERNEL_SECURITY="yes"
#
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"
#
# 19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
#
# 20.)
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 21.)
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
#
# 23.)
FW_ALLOW_CLASS_ROUTING="no"
#
# 25.)
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

--- Togan Muftuoglu <toganm@users.sourceforge.net> wrote:
> * Frédéric Poulet; <pofrederic@yahoo.fr> on 07 Nov, 2002 wrote:
> > I know, but I must have some errors in my config file; that's why I need help.
>
> It is difficult to give suggestions without knowing your config. Send the config file, and if there is a mistake it is easier to help.
>
> I thought the document I had prepared explained all the parameters along with examples. Looks like it needs polishing before I announce the final version :-(
>
> --
> Togan Muftuoglu
> Unofficial SuSE FAQ Maintainer
> http://dinamizm.ath.cx
* Frédéric Poulet; <pofrederic@yahoo.fr> on 07 Nov, 2002 wrote:
> I use Suse 8.0 and Susefirewall2
>
> #
> # 9.)
> FW_SERVICES_EXT_TCP="www http https imap imaps pop3 pop3s smtp"

This is defining the services that are running on the FIREWALL machine itself. So if your web server is on the DMZ *you_do_not* put http www https here.

> FW_SERVICES_EXT_UDP="www"

leave blank

> FW_SERVICES_DMZ_TCP="www"

leave blank

> FW_SERVICES_DMZ_UDP="www"

leave blank

> FW_SERVICES_INT_TCP="www"

leave blank

> FW_SERVICES_INT_UDP="www"

leave blank

> #
> # 13.)
> FW_FORWARD="0/0,192.168.5.2,tcp,80"

No, leave blank; this is only if you have a valid IP that is used in the DMZ.

> #
> # 14.)
> FW_FORWARD_MASQ=""

here enter 0/0,192.168.5.2,tcp,80

The document does explain the meaning of the parameters and does have examples. If you have just looked through it, may I suggest you reread it. Use of the FW_FORWARD_MASQ is explained on page 22 and there is an example on page 24 (taken from the SuSEfirewall2 documentation)

http://dinamizm.ath.cx/articles/firewall2.pdf
ftp://dinamizm.ath.cx/documents/firewall2.pdf

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
I have done the modifications, but I don't see my web server from the internet or from the internal network.

--- Togan Muftuoglu <toganm@users.sourceforge.net> wrote:
> * Frédéric Poulet; <pofrederic@yahoo.fr> on 07 Nov, 2002 wrote:
> > I use Suse 8.0 and Susefirewall2
> >
> > #
> > # 9.)
> > FW_SERVICES_EXT_TCP="www http https imap imaps pop3 pop3s smtp"
>
> This is defining the services that are running on the FIREWALL machine itself. So if your web server is on the DMZ *you_do_not* put http www https here.
>
> > FW_SERVICES_EXT_UDP="www"
>
> leave blank
>
> > FW_SERVICES_DMZ_TCP="www"
>
> leave blank
>
> > FW_SERVICES_DMZ_UDP="www"
>
> leave blank
>
> > FW_SERVICES_INT_TCP="www"
>
> leave blank
>
> > FW_SERVICES_INT_UDP="www"
>
> leave blank
>
> > #
> > # 13.)
> > FW_FORWARD="0/0,192.168.5.2,tcp,80"
>
> No, leave blank; this is only if you have a valid IP that is used in the DMZ.
>
> > #
> > # 14.)
> > FW_FORWARD_MASQ=""
>
> here enter 0/0,192.168.5.2,tcp,80
>
> The document does explain the meaning of the parameters and does have examples. If you have just looked through it, may I suggest you reread it. Use of the FW_FORWARD_MASQ is explained on page 22 and there is an example on page 24 (taken from the SuSEfirewall2 documentation)
>
> http://dinamizm.ath.cx/articles/firewall2.pdf
> ftp://dinamizm.ath.cx/documents/firewall2.pdf
>
> --
> Togan Muftuoglu
> Unofficial SuSE FAQ Maintainer
> http://dinamizm.ath.cx
Hi Frédéric!

> I have done the modifications, but I don't see my web server from the internet or from the internal network.

Please add your DMZ web server to FW_MASQ_NETS, as follows:

FW_MASQ_NETS="192.168.1.0/24 192.168.5.2/32"

This should make it visible from the Internet.

If it is still not visible from the internal network, add

FW_FORWARD="192.168.1.0/24,192.168.5.2/32,tcp,80"

That should fix it. If not, please mail me again. I don't have much experience with DMZs, but the above looks reasonable to me.

Regards,
Andy

--
Andreas J. Mueller email: <andy@muelli.net>
PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602
* Andreas J Mueller; <andy@muelli.net> on 07 Nov, 2002 wrote:
> Hi Frédéric!
>
> > I have done the modifications, but I don't see my web server from the internet or from the internal network.
>
> Please add your DMZ web server to FW_MASQ_NETS, as follows:
>
> FW_MASQ_NETS="192.168.1.0/24 192.168.5.2/32"
>
> This should make it visible from the Internet.

Yes, I missed this one. Actually I read it as /16; looks like it is time to visit my optician.

> If it is still not visible from the internal network, add
>
> FW_FORWARD="192.168.1.0/24,192.168.5.2/32,tcp,80"
>
> That should fix it. If not, please mail me again. I don't have much experience with DMZs, but the above looks reasonable to me.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
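As an added example (not part of this thread, nor of the SuSEfirewall2 package), the script below turns the advice in Togan's and Andy's messages into a check that can be run against a config. It sources a SuSEfirewall2-style file (sysconfig files are shell syntax) and flags the three things corrected above: an FW_FORWARD entry that sends outside traffic to a private DMZ address (Togan's point: that belongs in FW_FORWARD_MASQ), an FW_FORWARD_MASQ target that no network in FW_MASQ_NETS covers (Andy's fix), and www/http/https left in FW_SERVICES_EXT_TCP although the web server sits in the DMZ. It also rejects a malformed entry such as one with a dot where a comma belongs. The two config files it writes are constructed from the posted settings before and after those fixes; the iptables lines it prints for an FW_FORWARD_MASQ entry are my approximation of what the entry means, not what SuSEfirewall2 itself generates.

```shell
#!/bin/sh
# Added example (not from this thread or the SuSEfirewall2 package): lint a
# SuSEfirewall2-style config for the mistakes discussed above and show the
# iptables rules an FW_FORWARD_MASQ entry stands for.  The two config files
# written below are constructed for the example.  The rules printed by
# forward_masq_rules approximate the entry's meaning; they are not the rules
# SuSEfirewall2 itself generates.

ip2int() {  # dotted quad (or a bare "0", as in "0/0") -> 32-bit integer
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( (${1:-0} << 24) | (${2:-0} << 16) | (${3:-0} << 8) | ${4:-0} ))
}

in_net() {  # in_net ADDR NET[/PREFIX]: succeed if ADDR lies inside NET
    _a=$(ip2int "${1%/*}"); _n=$(ip2int "${2%/*}")
    case $2 in */*) _p=${2#*/} ;; *) _p=32 ;; esac
    _m=$(( (4294967295 << (32 - _p)) & 4294967295 ))
    [ $(( _a & _m )) -eq $(( _n & _m )) ]
}

is_private() {  # RFC 1918 space, which is what the DMZ host uses here
    in_net "$1" 10.0.0.0/8 || in_net "$1" 172.16.0.0/12 || in_net "$1" 192.168.0.0/16
}

masq_covers() {  # succeed if some network in FW_MASQ_NETS contains $1
    for _net in $FW_MASQ_NETS; do in_net "$1" "$_net" && return 0; done
    return 1
}

# lint_config FILE: source the config, print one finding per line,
# return 1 if anything was found
lint_config() {
    unset FW_FORWARD FW_FORWARD_MASQ FW_MASQ_NETS FW_SERVICES_EXT_TCP
    . "$1"
    _found=0
    for e in $FW_FORWARD; do
        set -- $(printf '%s' "$e" | tr ',' ' ')
        if [ $# -ne 4 ]; then
            echo "FW_FORWARD: malformed entry '$e' (want src,dst,proto,port)"; _found=1
        elif ! is_private "$1" && is_private "$2"; then
            echo "FW_FORWARD: '$e' sends outside traffic to private $2; use FW_FORWARD_MASQ"; _found=1
        fi
    done
    for e in $FW_FORWARD_MASQ; do
        set -- $(printf '%s' "$e" | tr ',' ' ')
        if [ $# -ne 4 ]; then
            echo "FW_FORWARD_MASQ: malformed entry '$e' (want src,dst,proto,port)"; _found=1
            continue
        fi
        if ! masq_covers "$2"; then
            echo "FW_FORWARD_MASQ: $2 is not covered by FW_MASQ_NETS=\"$FW_MASQ_NETS\""; _found=1
        fi
        case "$3/$4" in tcp/80|tcp/443)   # a web port forwarded to the DMZ...
            for s in $FW_SERVICES_EXT_TCP; do
                case $s in www|http|https)  # ...yet also opened on the firewall itself
                    echo "FW_SERVICES_EXT_TCP: '$s' opens the firewall itself; the web server is in the DMZ ($2)"
                    _found=1; break ;;
                esac
            done ;;
        esac
    done
    return $_found
}

# forward_masq_rules ENTRY: the DNAT + FORWARD pair an entry amounts to
forward_masq_rules() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ $# -eq 4 ] || { echo "malformed entry: $*" >&2; return 1; }
    _src=""; [ "$1" = 0/0 ] || _src="-s $1 "
    echo "iptables -t nat -A PREROUTING -i $FW_DEV_EXT ${_src}-p $3 --dport $4 -j DNAT --to-destination $2:$4"
    echo "iptables -A FORWARD -i $FW_DEV_EXT -o $FW_DEV_DMZ ${_src}-p $3 -d $2 --dport $4 -j ACCEPT"
}

# Constructed configs: the posted settings before and after the thread's fixes.
BAD=$(mktemp); GOOD=$(mktemp); trap 'rm -f "$BAD" "$GOOD"' EXIT
cat >"$BAD" <<'EOF'
FW_DEV_EXT="ppp0"
FW_DEV_DMZ="eth2"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="www http https imap imaps pop3 pop3s smtp"
FW_FORWARD="0/0,192.168.5.2,tcp,80"
FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"
EOF
cat >"$GOOD" <<'EOF'
FW_DEV_EXT="ppp0"
FW_DEV_DMZ="eth2"
FW_MASQ_NETS="192.168.1.0/24 192.168.5.2/32"
FW_SERVICES_EXT_TCP="smtp"
FW_FORWARD="192.168.1.0/24,192.168.5.2/32,tcp,80"
FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"
EOF

echo "== before =="; lint_config "$BAD" || echo "(fix the findings above)"
echo "== after ==";  lint_config "$GOOD" && echo "no findings"
forward_masq_rules "0/0,192.168.5.2,tcp,80"
```

Run it with sh; to check a real file, call lint_config on /etc/sysconfig/SuSEfirewall2 instead of the constructed one. Containment is computed with shell arithmetic rather than string matching, so a /32 entry in FW_MASQ_NETS (Andy's form) and a covering /24 both satisfy the check, while the internal-to-DMZ FW_FORWARD entry passes because its source is itself private.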
Hi,

This might be a silly question, but after a standard install of SuSE 8.1 and filling in my SuSEfirewall2 config file I can start the firewall without any errors ... everything works fine ... Only one problem ... Unfortunately I forgot how to make sure the firewall starts up at boot time .... Was there something I had to enable or change in a config file...? I think I remember seeing the scripts running on boot before I reformatted my system and started again, something like:

SuSEfirewall2 starting (init) ...
SuSEfirewall2 starting (final) ...

I don't see these lines anymore when I boot my system .. Help ? ? ;)))

thanks
participants (5)

- Andreas J Mueller
- Chris FitzGerald
- Frédéric Poulet
- Peter Wiersig
- Togan Muftuoglu