Re: Re: [suse-security] Susefirewall2 DMZ
I prefer an example.
___________________________________________________________
Do You Yahoo!? -- A free @yahoo.fr address, and in French! Yahoo! Mail : http://fr.mail.yahoo.com
I know, but I must have some errors in my config file; that's why I need help.
--- Peter Wiersig
> > I prefer an example
> You already have one in this file on your computer:
> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES
> Peter
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
* Frédéric Poulet;
> I know, but I must have some errors in my config file; that's why I need help.
It is difficult to give suggestions without knowing your config. Send the config file; if there is a mistake it is easier to help.
I thought the document I had prepared explained all the parameters along with examples. Looks like it needs polishing before I announce the final version :-(
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
I use SuSE 8.0 and SuSEfirewall2.
My system :
WEB
|
|
(ppp0-eth0)
|
FIREWALL-----(eth2:192.168.5.0)-------- WEB SERVER (apache) 192.168.5.2
|
(eth1) 192.168.1.0
|
|
INTERNAL NETWORK 192.168.1.x
My SuSEfirewall2 file:
# 2.)
FW_DEV_EXT="ppp0"
#
# 3.)
FW_DEV_INT="eth1"
#
# 4.)
FW_DEV_DMZ="eth2"
#
# 5.)
FW_ROUTE="yes"
#
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24"
#
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
#
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
#
# 9.)
FW_SERVICES_EXT_TCP="www http https imap imaps pop3 pop3s smtp"
FW_SERVICES_EXT_UDP="www"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="www"
FW_SERVICES_DMZ_UDP="www"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="www"
FW_SERVICES_INT_UDP="www"
FW_SERVICES_INT_IP=""
#
# 10.)
FW_TRUSTED_NETS=""
#
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
#
# 12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
#
# 13.)
FW_FORWARD="0/0,192.168.5.2,tcp,80"
#
# 14.)
FW_FORWARD_MASQ=""
#
# 15.)
FW_REDIRECT=""
#
# 16.)
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
#
# 17.)
FW_KERNEL_SECURITY="yes"
#
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"
#
# 19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
#
# 20.)
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 21.)
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
#
# 23.)
FW_ALLOW_CLASS_ROUTING="no"
#
# 25.)
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
* Frédéric Poulet;
> I use SuSE 8.0 and SuSEfirewall2
> #
> # 9.)
> FW_SERVICES_EXT_TCP="www http https imap imaps pop3 pop3s smtp"
This is defining the services that are running on the FIREWALL machine itself. So if your web server is on the DMZ *you_do_not* put http www https here.
> FW_SERVICES_EXT_UDP="www"
leave blank
> FW_SERVICES_DMZ_TCP="www"
leave blank
> FW_SERVICES_DMZ_UDP="www"
leave blank
> FW_SERVICES_INT_TCP="www"
leave blank
> FW_SERVICES_INT_UDP="www"
leave blank
> #
> # 13.)
> FW_FORWARD="0/0,192.168.5.2,tcp,80"
No, leave blank; this is only if you have a valid IP that is used in the DMZ.
> #
> # 14.)
> FW_FORWARD_MASQ=""
Here enter 0/0,192.168.5.2,tcp,80
The document does explain the meaning of the parameters and does have examples. If you have just looked through it, may I suggest you reread it. Use of FW_FORWARD_MASQ is explained on page 22 and there is an example on page 24 (taken from the SuSEfirewall2 documentation).
http://dinamizm.ath.cx/articles/firewall2.pdf
ftp://dinamizm.ath.cx/documents/firewall2.pdf
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
I did the modifications, but I don't see my web server from the Internet or from the internal network.
Hi Frédéric!
> I did the modifications, but I don't see my web server from the Internet or from the internal network.
Please add your DMZ web server to FW_MASQ_NETS, as follows:
FW_MASQ_NETS="192.168.1.0/24 192.168.5.2/32"
This should make it visible from the Internet.
If it is still not visible from the internal network, add
FW_FORWARD="192.168.1.0/24,192.168.5.2/32,tcp,80"
That should fix it. If not, please mail me again. I don't have much experience with DMZs, but the above looks reasonable to me.
Regards, Andy
--
Andreas J. Mueller email:
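As an added example (my own code, not part of SuSEfirewall2 and not from anyone in this thread), here is a POSIX sh lint that reads a SuSEfirewall2 sysconfig fragment and flags the three problems raised in Togan's review and in Andy's reply: web ports listed in FW_SERVICES_* (those variables describe services on the firewall host itself), an FW_FORWARD rule from 0/0 to a private DMZ address where FW_FORWARD_MASQ is the variable that does the NAT, and FW_FORWARD_MASQ or FW_MASQ_NETS entries that are malformed or do not name the DMZ host. The two embedded configs are constructed: the first repeats the relevant variables as posted, the second applies the corrections given in the replies. The RFC 1918 test, reading a 0/0 source as "the Internet", and the simplified FW_MASQ_NETS coverage check (bare host, /32, or the host's own /24) are my assumptions, not something the thread states.

```shell
#!/bin/sh
# Added lint for a SuSEfirewall2 sysconfig fragment (example code, not part of
# SuSEfirewall2 and not from the thread). It flags:
#   1. www/http/https in FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP}: those variables
#      open ports on the firewall host, not on the DMZ web server
#   2. FW_FORWARD from 0/0 to a private (RFC 1918) target, where
#      FW_FORWARD_MASQ is the variable that does the NAT
#   3. FW_FORWARD_MASQ rules that are malformed or miss the DMZ host, and a
#      DMZ host that FW_MASQ_NETS does not cover
# Warnings go to stderr; lint_fw2 prints the number of findings on stdout.

PROBLEMS=0
warn() { PROBLEMS=$((PROBLEMS + 1)); echo "WARN: $*" >&2; }

# Print the value of variable $1 from the config text on stdin (last one wins).
cfg_get() { sed -n "s/^$1=\"\(.*\)\"$/\1/p" | tail -n 1; }

# RFC 1918 test on a dotted quad (assumption: sufficient for this layout).
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Does FW_MASQ_NETS ($2) cover host $1? Accepts the bare host, host/32 or the
# host's own /24 (simplified on purpose; a full CIDR match needs more).
covered_by_masq_nets() {
    cmn_prefix=${1%.*}
    for cmn_net in $2; do
        case "$cmn_net" in
            "$1"|"$1/32"|"$cmn_prefix.0/24") return 0 ;;
        esac
    done
    return 1
}

# lint_fw2 CONFIG_TEXT DMZ_HOST -> prints the finding count
lint_fw2() {
    lf_cfg=$1; lf_host=$2; PROBLEMS=0

    # 1. FW_SERVICES_* describe the firewall host, not the DMZ server
    for lf_var in FW_SERVICES_EXT_TCP FW_SERVICES_EXT_UDP FW_SERVICES_DMZ_TCP \
                  FW_SERVICES_DMZ_UDP FW_SERVICES_INT_TCP FW_SERVICES_INT_UDP; do
        for lf_svc in $(printf '%s\n' "$lf_cfg" | cfg_get "$lf_var"); do
            case "$lf_svc" in
                www|http|https) warn "$lf_var lists '$lf_svc': opens the port on the firewall itself, not on the DMZ server" ;;
            esac
        done
    done

    # 2. FW_FORWARD with a 0/0 source (assumption: the Internet) and a private target
    for lf_rule in $(printf '%s\n' "$lf_cfg" | cfg_get FW_FORWARD); do
        lf_src=${lf_rule%%,*}
        lf_dst=$(printf '%s\n' "$lf_rule" | cut -d, -f2 | cut -d/ -f1)
        if [ "$lf_src" = "0/0" ] && is_private "$lf_dst"; then
            warn "FW_FORWARD '$lf_rule': private target, this belongs in FW_FORWARD_MASQ"
        fi
    done

    # 3. FW_FORWARD_MASQ must be source,target,protocol,port and reach the DMZ host
    lf_hit=0
    for lf_rule in $(printf '%s\n' "$lf_cfg" | cfg_get FW_FORWARD_MASQ); do
        lf_nf=$(printf '%s\n' "$lf_rule" | awk -F, '{print NF}')
        if [ "$lf_nf" -lt 4 ]; then
            warn "FW_FORWARD_MASQ '$lf_rule': expected source,target,protocol,port"
        fi
        lf_dst=$(printf '%s\n' "$lf_rule" | cut -d, -f2 | cut -d/ -f1)
        if [ "$lf_dst" = "$lf_host" ]; then lf_hit=1; fi
    done
    if [ "$lf_hit" -eq 0 ]; then
        warn "no FW_FORWARD_MASQ rule forwards to DMZ host $lf_host"
    fi
    if ! covered_by_masq_nets "$lf_host" "$(printf '%s\n' "$lf_cfg" | cfg_get FW_MASQ_NETS)"; then
        warn "FW_MASQ_NETS does not cover DMZ host $lf_host"
    fi
    printf '%s\n' "$PROBLEMS"
}

# Constructed: the relevant variables as posted in the thread.
POSTED_CFG='FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="www http https imap imaps pop3 pop3s smtp"
FW_SERVICES_EXT_UDP="www"
FW_SERVICES_DMZ_TCP="www"
FW_SERVICES_DMZ_UDP="www"
FW_SERVICES_INT_TCP="www"
FW_SERVICES_INT_UDP="www"
FW_FORWARD="0/0,192.168.5.2,tcp,80"
FW_FORWARD_MASQ=""'

# Constructed: the same variables with the corrections from the replies.
FIXED_CFG='FW_MASQ_NETS="192.168.1.0/24 192.168.5.2/32"
FW_SERVICES_EXT_TCP="imap imaps pop3 pop3s smtp"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_FORWARD="192.168.1.0/24,192.168.5.2/32,tcp,80"
FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"'

echo "posted config: $(lint_fw2 "$POSTED_CFG" 192.168.5.2) finding(s)"
echo "fixed config:  $(lint_fw2 "$FIXED_CFG" 192.168.5.2) finding(s)"
```

Run it with sh: the posted variables produce eleven findings and the corrected set none. The field count on FW_FORWARD_MASQ also catches a rule where a comma was typed as a dot, which turns "source,target,protocol,port" into three fields and leaves the DMZ host unreachable. The FW_FORWARD rule from the internal network to the DMZ host is not flagged, because only a 0/0 source is treated as Internet traffic that needs NAT.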
* Andreas J Mueller;
> Hi Frédéric!
> > I did the modifications, but I don't see my web server from the Internet or from the internal network.
> Please add your DMZ web server to FW_MASQ_NETS, as follows:
> FW_MASQ_NETS="192.168.1.0/24 192.168.5.2/32"
> This should make it visible from the Internet.
Yes, I missed this one. Actually I read it as /16; looks like it's time to visit my optician.
> If it is still not visible from the internal network, add
> FW_FORWARD="192.168.1.0/24,192.168.5.2/32,tcp,80"
> That should fix it. If not, please mail me again. I don't have much experience with DMZs, but the above looks reasonable to me.
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
Hi, might be a silly question, but after a standard install of SuSE 8.1 and filling in my SuSEfirewall2 config file I can start the firewall without any errors... everything works fine... Only one problem... Unfortunately I forgot how to make sure the firewall starts up at boot time... Was there something I had to enable or change in a config file...?
I think I remember seeing the scripts running on boot before I reformatted my system and started again, something like:
SuSEfirewall2 starting (init) ...
SuSEfirewall2 starting (final) ...
I don't see these lines anymore when I boot my system... Help? ;))) thanks
participants (5): Andreas J Mueller, Chris FitzGerald, Frédéric Poulet, Peter Wiersig, Togan Muftuoglu