[opensuse-security] Firewall on a laptop as private web / mail server
Hello everyone,

I hope I am asking on the good list. Excuse me, please, if not.

This is strange, but on the 5 Leap 42.3 installations on a laptop Compaq Presario C700, the last two did me the honor to ask me the configuration of the network, and not the first three. Can anyone tell me, please, why the installation may require configuration, immediately after the choice of language and layout of the keyboard? The choice of a minimal installation, perhaps.

After this minimal installation for a text-based operation, online updating, adding to the minimum system of XOrg-X11 and tigervnc, having banned the "yast2-firewall" and "network manager" packages, the system reboots and works correctly, with wifi interfaces and Ethernet still in the desired configuration.

Here is a schema of the installation:

[ASCII network diagram, flattened in the archive. Recoverable labels: desktop (eth0 to hub, eth1 to laptop), hub, cable modem to INTERNET, laptop (eth0, wlan0), networks 192.168.0.0 and 198.168.1.0]

Can anyone help me, please, to set up the laptop firewall, with the file /etc/sysconfig/SuSEfirewall2? Here is the contents of this file for my last attempt:

    FW_DEV_EXT="wlan0"
    FW_DEV_INT="eth0"
    FW_DEV_DMZ=""
    FW_ROUTE="no"
    FW_MASQUERADE="no"
    FW_MASQ_DEV=""
    FW_MASQ_NETS=""
    FW_NOMASQ_NETS=""
    FW_PROTECT_FROM_INT=""
    FW_SERVICES_EXT_TCP="http https 587 imap"
    FW_SERVICES_EXT_UDP="53"

All other parameters contain their default values (either empty, or empty strings).

My goal is to allow all the traffic on the network 192.168.1.0 (eth0) and limit that from the outside (wlan0) to http, https, 587 and imap. The laptop must of course be able to resolve domain names (DNS).

I thank you for the attention you paid to this e-mail.

Sincerely,
Patrick Serru

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On 2017-10-03 17:40, Patrick Serru wrote:
Hello everyone,
I hope I am asking on the good list. Excuse me, please, if not.
This seems to me a normal user question, which should be asked in the normal mail list. I don't see the security question in your post.
This is strange, but on the 5 Leap 42.3 installations on a laptop Compaq Presario C700, the last two did me the honor to ask me the configuration of the network, and not the first three. Can anyone tell me, please, why the installation may require configuration, immediately after the choice of language and layout of the keyboard? The choice of a minimal installation, perhaps.
The exact answer would be to compare the install logs of all five installs and see where they differ. Normally the system tries to autoconfigure the network. It may ask if it fails. The network is needed to provide the updated release notes, the translations of some texts, to access online repos if asked, and to provide online updates if asked during the install.
After this minimal installation for a text-based operation, online updating, adding to the minimum system of XOrg-X11 and tigervnc, having banned the "yast2-firewall" and "network manager" packages, the system reboots and works correctly, with wifi interfaces and Ethernet still in the desired configuration.
Here is a schema of the installation:
[ASCII network diagram, flattened in the archive. Recoverable labels: desktop (eth0 to hub, eth1 to laptop), hub, cable modem to INTERNET, laptop (eth0, wlan0), networks 192.168.0.0 and 198.168.1.0]
Can anyone help me, please, to set up the laptop firewall, with the file /etc/sysconfig/SuSEfirewall2? Here is the contents of this file for my last attempt:

    FW_DEV_EXT="wlan0"
    FW_DEV_INT="eth0"
    FW_DEV_DMZ=""
    FW_ROUTE="no"
    FW_MASQUERADE="no"
    FW_MASQ_DEV=""
    FW_MASQ_NETS=""
    FW_NOMASQ_NETS=""
    FW_PROTECT_FROM_INT=""
    FW_SERVICES_EXT_TCP="http https 587 imap"
    FW_SERVICES_EXT_UDP="53"

All other parameters contain their default values (either empty, or empty strings).
You need routing if devices in the wlan are to access the lan using the laptop. If that is not what you want, you have to explain.
My goal is to allow all the traffic on the network 192.168.1.0 (eth0) and limit that from the outside (wlan0) to http, https, 587 and imap. The laptop must of course be able to resolve domain names (DNS).
-- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
Hello everyone, hello Carlos,
Thank you for the response.
On Tuesday 03 October 2017, Carlos E. R. wrote:
On 2017-10-03 17:40, Patrick Serru wrote:
Hello everyone,
I hope I am asking on the good list. Excuse me, please, if not.
This seems to me a normal user question, which should be asked in the normal mail list. I don't see the security question in your post.
Well, virtual or real, the firewalls exist for security reasons.
This is strange, but on the 5 Leap 42.3 installations on a laptop Compaq Presario C700, the last two did me the honor to ask me the configuration of the network, and not the first three. Can anyone tell me, please, why the installation may require configuration, immediately after the choice of language and layout of the keyboard? The choice of a minimal installation, perhaps.
The exact answer would be to compare the install logs of all five installs and see where they differ.
The logs of the previous installations are lost forever. So I cannot compare.
Can anyone help me, please, to set up the laptop firewall, with the file /etc/sysconfig/SuSEfirewall2? Here is the contents of this file for my last attempt:

    FW_DEV_EXT="wlan0"
    FW_DEV_INT="eth0"
    FW_DEV_DMZ=""
    FW_ROUTE="no"
    FW_MASQUERADE="no"
    FW_MASQ_DEV=""
    FW_MASQ_NETS=""
    FW_NOMASQ_NETS=""
    FW_PROTECT_FROM_INT=""
    FW_SERVICES_EXT_TCP="http https 587 imap"
    FW_SERVICES_EXT_UDP="53"

All other parameters contain their default values (either empty, or empty strings).
You need routing if devices in the wlan are to access the lan using the laptop. If that is not what you want, you have to explain.
The laptop does not have to route anything. The reason for the point-to-point ethernet link 192.168.1.0 between the laptop and my desktop is to permit me to connect with ssh as root to the laptop. Furthermore, the laptop is working 24/24, and not the desktop.
Sincerely,
Patrick Serru
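The thread ends without anyone checking the posted configuration against the stated goal (eth0 fully trusted, wlan0 limited to http, https, 587 and imap, name resolution still working, no routing). The script below is an added example, not code from the thread or from openSUSE; it lints a constructed copy of the posted SuSEfirewall2 fragment next to a hardened variant. It assumes the SuSEfirewall2 semantics of Leap 42.3: FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP open inbound ports on the FW_DEV_EXT zone, while connections the laptop itself initiates, including its own DNS queries, are allowed without listing anything, and FW_PROTECT_FROM_INT defaults to "no" (internal zone fully allowed). The function names cfg_get, ext_open_ports and lint are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): lint a SuSEfirewall2 fragment against
# the poster's goal. Assumed semantics (Leap 42.3): FW_SERVICES_EXT_TCP/UDP
# open *inbound* ports on the FW_DEV_EXT zone; outgoing connections such as
# the laptop's own DNS lookups need no entry at all.

# Constructed copy of the config from the first post (not read from disk).
ORIG_CFG='FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_PROTECT_FROM_INT=""
FW_SERVICES_EXT_TCP="http https 587 imap"
FW_SERVICES_EXT_UDP="53"'

# Same config without the inbound DNS listener: the laptop resolves names as
# a client, so UDP 53 on wlan0 only exposes a service it does not offer.
HARDENED_CFG='FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="http https 587 imap"
FW_SERVICES_EXT_UDP=""'

# cfg_get CONFIG KEY: print the value of KEY without its quotes, or nothing.
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\(.*\)\"\$/\1/p" | head -n 1
}

# ext_open_ports CONFIG: print "proto:port" for every inbound port the
# external zone accepts, in file order, space separated.
ext_open_ports() {
    out=""
    for p in $(cfg_get "$1" FW_SERVICES_EXT_TCP); do out="$out tcp:$p"; done
    for p in $(cfg_get "$1" FW_SERVICES_EXT_UDP); do out="$out udp:$p"; done
    printf '%s\n' "${out# }"
}

# lint CONFIG: print one finding per line; returns 0 when clean, 1 otherwise.
lint() {
    cfg="$1"; rc=0
    ext=$(cfg_get "$cfg" FW_DEV_EXT)
    [ -n "$ext" ] || { echo "FW_DEV_EXT is empty: no interface is treated as untrusted"; rc=1; }
    [ -n "$(cfg_get "$cfg" FW_DEV_INT)" ] || { echo "FW_DEV_INT is empty: eth0 would fall into the external zone"; rc=1; }
    # A host that is not meant to route between its interfaces keeps forwarding off.
    [ "$(cfg_get "$cfg" FW_ROUTE)" = "no" ] || { echo "FW_ROUTE should be \"no\" on a non-routing host"; rc=1; }
    for pp in $(ext_open_ports "$cfg"); do
        case "$pp" in
            tcp:53|tcp:domain|udp:53|udp:domain)
                echo "$pp: inbound DNS listener on $ext; resolving names does not need it"
                rc=1 ;;
        esac
    done
    return $rc
}

echo "== original: wlan0 accepts: $(ext_open_ports "$ORIG_CFG")"
if lint "$ORIG_CFG"; then echo "no findings"; fi
echo "== hardened: wlan0 accepts: $(ext_open_ports "$HARDENED_CFG")"
if lint "$HARDENED_CFG"; then echo "no findings"; fi
```

Run with `sh lint-suse-fw.sh` (any file name). The only finding on the original fragment is the UDP 53 entry, which is exactly the line the poster added "so the laptop can resolve names": under the assumed semantics it does nothing for resolution and instead accepts DNS traffic from the wireless side.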