Hallo,vielleicht könnt ihr mir helfen: Ich habe einen Rechner mit DSL-Verbindung als Router unter einem 8.2er SuSE mit aktuellen Paketen. Das Routing läuft unter SuSEFirewall2 einwandfrei. Jetzt habe ich auf diesem Rechner noch einen Samba konfiguriert. Von Linux-Systemen aus kann mann einwandfrei auf die Samba-Freigaben zugreifen, der Windows-Rechner kann aber den Samba-Server nicht finden. Deaktivire ich die SuSEFirewall2, funktioniert auch das! Also blockt meine SuSEFirewall die Windowsrechner. Ich habe schon alles in der Firewall-Config versucht freizugeben, nichts hilft. Weiß jemand weiter? Hier meine Config: # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany. All rights reserved. # # Author: Marc Heuse <marc@suse.de>, 2002 # Please contact me directly if you find bugs. # # If you have problems getting this tool configures, please read this file # carefuly and take also a look into # -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES ! # -> /usr/share/doc/packages/SuSEfirewall2/FAQ ! # -> /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE ! # # /etc/sysconfig/SuSEfirewall2 # # for use with /sbin/SuSEfirewall2 version 3.1 which is for 2.4 kernels! # # ------------------------------------------------------------------------ # # PLEASE NOTE THE FOLLOWING: # # Just by configuring these settings and using the SuSEfirewall2 you are # not secure per se! There is *not* such a thing you install and hence you # are safed from all (security) hazards. # # To ensure your security, you need also: # # * Secure all services you are offering to untrusted networks (internet) # You can do this by using software which has been designed with # security in mind (like postfix, apop3d, ssh), setting these up without # misconfiguration and praying, that they have got really no holes. # SuSEcompartment can help in most circumstances to reduce the risk. # * Do not run untrusted software. (philosophical question, can you trust # SuSE or any other software distributor?) # * Harden your server(s) with the harden_suse package/script # * Recompile your kernel with the openwall-linux kernel patch # (former secure-linux patch, from Solar Designer) www.openwall.com # * Check the security of your server(s) regulary # * If you are using this server as a firewall/bastion host to the internet # for an internal network, try to run proxy services for everything and # disable routing on this machine. # * If you run DNS on the firewall: disable untrusted zone transfers and # either don't allow access to it from the internet or run it split-brained. # # Good luck! # # Yours, # SuSE Security Team # # ------------------------------------------------------------------------ # # Configuration HELP: # # If you have got any problems configuring this file, take a look at # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example. # # # All types have to set enable SuSEfirewall2 in the runlevel editor # # If you are a end-user who is NOT connected to two networks (read: you have # got a single user system and are using a dialup to the internet) you just # have to configure (all other settings are OK): 2) and maybe 9). # # If this server is a firewall, which should act like a proxy (no direct # routing between both networks), or you are an end-user connected to the # internet and to an internal network, you have to setup your proxys and # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14) # # If this server is a firewall, and should do routing/masquerading between # the untrusted and the trusted network, you have to reconfigure (all other # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13), # 14), 20) # # If you want to run a DMZ in either of the above three standard setups, you # just have to configure *additionally* 4), 9), 12), 13), 17), 19). # # If you know what you are doing, you may also change 8), 11), 15), 16) # and the expert options 19), 20), 21), 22) and 23) at the far end, but you # should NOT. # # If you use diald or ISDN autodialing, you might want to set 17). # # To get programs like traceroutes to your firewall to work is a bit tricky, # you have to set the following options to "yes" : 11 (UDP only), 18 and 19. # # Please note that if you use service names, that they exist in /etc/services. # There is no service "dns", it's called "domain"; email is called "smtp" etc. # # *Any* routing between interfaces except masquerading requires to set FW_ROUTE # to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING ! # # If you just want to do masquerading without filtering, ignore this script # and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn): # iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0 # echo 1 > /proc/sys/net/ipv4/ip_forward # and additionally the following lines to get at least a minimum of security: # iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0 # iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0 # ------------------------------------------------------------------------ ## Path: Network/Firewall/SuSEfirewall2 ## Description: SuSEfirewall2 configuration ## Type: yesno ## Default: no # # 1.) # Should the Firewall run in quickmode? # # "Quickmode" means that only the interfaces pointing to external networks # are secured, and no other. all interfaces not in the list of FW_DEV_EXT # are allowed full network access! Additionally, masquerading is # automatically activated for FW_MASQ_DEV devices. and last but not least: # all incoming connection via external interfaces are REJECTED. # You will only need to configure 2.) and FW_MASQ_DEV in 6.) # Optionally, you may add entries to section 9a.) # # Choice: "yes" or "no", if not set defaults to "no" # FW_QUICKMODE="no" ## Type: string # 2.) # Which is the interface that points to the internet/untrusted networks? # # Enter all the network devices here which are untrusted. # # Choice: any number of devices, seperated by a space # e.g. "eth0", "ippp0 ippp1 eth0:1" # FW_DEV_EXT="ppp0" ## Type: string # # 3.) # Which is the interface that points to the internal network? # # Enter all the network devices here which are trusted. # If you are not connected to a trusted network (e.g. you have just a # dialup) leave this empty. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1 eth1:1" or "" # FW_DEV_INT="eth0" ## Type: string # # 4.) # Which is the interface that points to the dmz or dialup network? # # Enter all the network devices here which point to the dmz/dialups. # A "dmz" is a special, seperated network, which is only connected to the # firewall, and should be reachable from the internet to provide services, # e.g. WWW, Mail, etc. and hence are at risk from attacks. # See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example. # # Special note: You have to configure FW_FORWARD to define the services # which should be available to the internet and set FW_ROUTE to yes. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1 eth1:1" or "" # FW_DEV_DMZ="" ## Type: yesno ## Default: no # # 5.) # Should routing between the internet, dmz and internal network be activated? # REQUIRES: FW_DEV_INT or FW_DEV_DMZ # # You need only set this to yes, if you either want to masquerade internal # machines or allow access to the dmz (or internal machines, but this is not # a good idea). This option supersedes IP_FORWARD from # /etc/sysconfig/network/options # # Setting this option one alone doesn't do anything. Either activate # massquerading with FW_MASQUERADE below if you want to masquerade your # internal network to the internet, or configure FW_FORWARD to define # what is allowed to be forwarded! # # Choice: "yes" or "no", if not set defaults to "no" # FW_ROUTE="yes" ## Type: yesno ## Default: no # # 6.) # Do you want to masquerade internal networks to the outside? # REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE # # "Masquerading" means that all your internal machines which use services on # the internet seem to come from your firewall. # Please note that it is more secure to communicate via proxies to the # internet than masquerading. This option is required for FW_MASQ_NETS and # FW_FORWARD_MASQ. # # Choice: "yes" or "no", if not set defaults to "no" # FW_MASQUERADE="yes" ## Type: string # # You must also define on which interface(s) to masquerade on. This is # normally your external device(s) to the internet. # Most users can leave the default below. # # e.g. "ippp0" or "$FW_DEV_EXT" FW_MASQ_DEV="$FW_DEV_EXT" ## Type: string # # Which internal computers/networks are allowed to access the internet # directly (not via proxys on the firewall)? # Only these networks will be allowed access and will be masqueraded! # # Choice: leave empty or any number of hosts/networks seperated by a space. # Every host/network may get a list of allowed services, otherwise everything # is allowed. A target network, protocol and service is appended by a comma to # the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with # unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0tcp,21" allows # the 10.0.1.0 network to use www/ftp to the internet. # "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too. # Set this variable to "0/0" to allow unrestricted access to the internet. # FW_MASQ_NETS="0/0" ## Type: yesno ## Default: yes # # 7.) # Do you want to protect the firewall from the internal network? # REQUIRES: FW_DEV_INT # # If you set this to "yes", internal machines may only access services on # the machine you explicitly allow. They will be also affected from the # FW_AUTOPROTECT_SERVICES option. # If you set this to "no", any user can connect (and attack) any service on # the firewall. # # Choice: "yes" or "no", if not set defaults to "yes" # # "yes" is a good choice FW_PROTECT_FROM_INTERNAL="no" ## Type: yesno ## Default: yes # # 8.) # Do you want to autoprotect all running network services on the firewall? # # If set to "yes", all network access to services TCP and UDP on this machine # will be prevented (except to those which you explicitly allow, see below: # FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP}) # # Choice: "yes" or "no", if not set defaults to "yes" # FW_AUTOPROTECT_SERVICES="no" ## Type: string # # 9.) # Which services ON THE FIREWALL should be accessible from either the internet # (or other untrusted networks), the dmz or internal (trusted networks)? # (see no.13 & 14 if you want to route traffic through the firewall) XXX # # Enter all ports or known portnames below, seperated by a space. # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP. # e.g. if a webserver on the firewall should be accessible from the internet: # FW_SERVICES_EXT_TCP="www" # e.g. if the firewall should receive syslog messages from the dmz: # FW_SERVICES_DMZ_UDP="syslog" # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols) # # Choice: leave empty or any number of ports, known portnames (from # /etc/services) and port ranges seperated by a space. Port ranges are # written like this: allow port 1 to 10 -> "1:10" # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514" # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2") # # Common: smtp domain FW_SERVICES_EXT_TCP="1:65535" ## Type: string # Common: domain FW_SERVICES_EXT_UDP="1:65535" # Common: domain ## Type: string # For VPN/Routing which END at the firewall!! FW_SERVICES_EXT_IP="" ## Type: string # # Common: smtp domain FW_SERVICES_DMZ_TCP="1:65535" ## Type: string # Common: domain FW_SERVICES_DMZ_UDP="1:65535" ## Type: string # For VPN/Routing which END at the firewall!! FW_SERVICES_DMZ_IP="" ## Type: string # # Common: ssh smtp domain FW_SERVICES_INT_TCP="1:65535" ## Type: string # Common: domain syslog FW_SERVICES_INT_UDP="1:65535" # For VPN/Routing which END at the firewall!! FW_SERVICES_INT_IP="" ## Type: string # 9a.) # External services in QUICKMODE. # This is only used for QUICKMODE (see 1.)! # (The settings here are similar to section 9.) # Which services ON THE FIREWALL should be accessible from either the # internet (or other untrusted networks), i.e. the external interface(s) # $FW_DEV_EXT # # Enter all ports or known portnames below, seperated by a space. # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_QUICK_TCP, and # UDP services (e.g. syslog) must be set in FW_SERVICES_QUICK_UDP. # e.g. if a secure shell daemon on the firewall should be accessible from # the internet: # FW_SERVICES_QUICK_TCP="ssh" # e.g. if the firewall should receive isakmp (IPsec) internet: # FW_SERVICES_QUICK_UDP="isakmp" # For IP protocols (like IPsec) you need to set # FW_SERVICES_QUICK_IP="50" # # Choice: leave empty or any number of ports, known portnames (from # /etc/services) and port ranges seperated by a space. Port ranges are # written like this: allow port 1 to 10 -> "1:10" # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514" # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2") # # QUICKMODE: TCP services open to external networks (InterNet) # (Common: ssh smtp) FW_SERVICES_QUICK_TCP="" ## Type: string # QUICKMODE: UDP services open to external networks (InterNet) # (Common: isakmp) FW_SERVICES_QUICK_UDP="" ## Type: string # QUICKMODE: IP protocols unconditionally open to external networks (InterNet) # (For VPN firewall that is VPN gateway: 50) FW_SERVICES_QUICK_IP="" ## Type: string # # 10.) # Which services should be accessible from trusted hosts/nets? # # Define trusted hosts/networks (doesnt matter if they are internal or # external) and the TCP and/or UDP services they are allowed to use. # Please note that a trusted host/net is *not* allowed to ping the firewall # until you set it to allow also icmp! # # Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or # networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16" # Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp" # Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22" # FW_TRUSTED_NETS="192.128.0.0/24,tcp,1:65535,192.168.0.0/24,udp,1:65535" ## Type: string # # 11.) # How is access allowed to high (unpriviliged [above 1023]) ports? # # You may either allow everyone from anyport access to your highports ("yes"), # disallow anyone ("no"), anyone who comes from a defined port (portnumber or # known portname) [note that this is easy to circumvent!], or just your # defined nameservers ("DNS"). # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root # from a firewall using this script (well, you can if you include range # 600:1023 in FW_SERVICES_EXT_UDP ...). # Please note that with v2.1 "yes" is not mandatory for active FTP from # the firewall anymore. # # Choice: "yes", "no", "DNS", portnumber or known portname, # if not set defaults to "no" # # Common: "ftp-data", better is "yes" to be sure that everything else works :-( FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" ## Type: string # Common: "DNS" or "domain ntp", better is "yes" to be sure ... FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" ## Type: yesno ## Default: yes # # 12.) # Are you running some of the services below? # They need special attention - otherwise they wonŽt work! # # Set services you are running to "yes", all others to "no", # if not set defaults to "no" # If you want to offer the below services to your DMZ as well, # (and not just internally), set the switches below to "dmz", # if you even want to offer to the world as well, set to "ext" # instead of "yes" (NOT RECOMMENDED FOR SECURITY REASONS!) # FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting ## Type: yesno ## Default: no # If you are running bind/named set to yes. Remember that you have to open # port 53 (or "domain") as udp/tcp to allow incoming queries. # Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes" FW_SERVICE_DNS="no" ## Type: yesno ## Default: no # if you use dhclient to get an ip address you have to set this to "yes" ! FW_SERVICE_DHCLIENT="no" ## Type: yesno ## Default: no # set to "yes" if this server is a DHCP server FW_SERVICE_DHCPD="no" ## Type: yesno ## Default: no # set to "yes" if this server is running squid. You still have to open the # tcp port 3128 to allow remote access to the squid proxy service. FW_SERVICE_SQUID="no" ## Type: yesno ## Default: no # set to "yes" if this server is running a samba server. You still have to # open the tcp port 139 to allow remote access to SAMBA. FW_SERVICE_SAMBA="yes" ## Type: string # # 13.) # Which services accessed from the internet should be allowed to the # dmz (or internal network - if it is not masqueraded)? # REQUIRES: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must have valid, non-private, IP addresses which were assigned to # you by your ISP. This opens a direct link to your network, so only use # this option for access to your dmz!!!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forwarding rules, seperated each by a space. # A forwarding rule consists of 1) source IP/net and 2) destination IP # seperated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24" # Optional is a protocol, seperated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp" # Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514" # FW_FORWARD="" # Beware to use this! ## Type: string # # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? # REQUIRES: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must be in a masqueraded segment and may not have public IP addesses! # Hint: if FW_DEV_MASQ is set to the external interface you have to set # FW_FORWARD from internal to DMZ for the service as well to allow access # from internal! # # Please note that this should *not* be used for security reasons! You are # opening a hole to your precious internal network. If e.g. the webserver there # is compromised - your full internal network is compromised!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forward masquerade rules, seperated each by a space. # A forward masquerade rule consists of 1) source IP/net, 2) the IP to which # the requests will be forwarded to (in the dmz/intern net), 3) a protocol # (tcp/udp only!) and 4) destination port, seperated by a comma (","), e.g. # "4.0.0.0/8,1.1.1.1,tcp,80" # # Optional is a port after the destination port, to redirect the request to # a different destination port on the destination IP, e.g. # "4.0.0.0/8,1.1.1.1,tcp,80,81" #10000 111 137:139 2049 445 4661:4665 901 telnet # Optional is an target IP address on which should the masquerading be decided. # You have to set the optional port option to use this. # # Example: # 200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202 # The class C network 200.200.200.0/24 trying to access 202.202.202.202 port # 80 will be forwarded to the internal server 10.0.0.10 on port 81. # Example: # 200.200.200.0/24,10.0.0.10,tcp,80 # The class C network 200.200.200.0/24 trying to access anything which goes # through this firewall ill be forwarded to the internal server 10.0.0.10 on # port 80 # FW_FORWARD_MASQ="0/0,192.168.0.3,tcp,1:65535 0/0,192.168.0.3,udp,1:65535 0/0,192.168.0.4,tcp,1:65535 0/0,192.168.0.4,udp,1:65535 0/0,192.168.0.5,tcp,1:65535 0/0,192.168.0.5,udp,1:65535 0/0,192.168.0.5,tcp,1:65535 0/0,192.168.0.5,udp,1:65535 0/0,192.168.0.6,tcp,1:65535 0/0,192.168.0.6,udp,1:65535 0/0,192.168.0.7,tcp,1:65535 0/0,192.168.0.7,udp,1:65535 0/0,192.168.0.8,tcp,1:65535 0/0,192.168.0.8,udp,1:65535 0/0,192.168.0.9,tcp,1:65535 0/0,192.168.0.9,udp,1:65535 0/0,192.168.0.10,tcp,1:65535 0/0,192.168.0.10,udp,1:65535 0/0,192.168.0.11,tcp,1:65535 0/0,192.168.0.11,udp,1:65535 0/0,192.168.0.12,tcp,1:65535 0/0,192.168.0.12,udp,1:65535 0/0,192.168.0.13,tcp,1:65535 0/0,192.168.0.13,udp,1:65535 0/0,192.168.0.14,tcp,1:65535 0/0,192.168.0.14,udp,1:65535 0/0,192.168.0.15,tcp,1:65535 0/0,192.168.0.15,udp,1:65535 0/0,192.168.0.16,tcp,1:65535 0/0,192.168.0.16,udp,1:65535 0/0,192.168.0.17,tcp,1:65535 0/0,192.168.0.17,udp,1:65535 0/0,192.168.0.18,tcp,1:65535 0/0,192.168.0.18,udp,1:65535 0/0,192.168.0.19,tcp,1:65535 0/0,192.168.0.19,udp,1:65535 0/0,192.168.0.20,tcp,1:65535 0/0,192.168.0.20,udp,1:65535" # Beware to use this! ## Type: string # # 15.) # Which accesses to services should be redirected to a localport on the # firewall machine? # # This can be used to force all internal users to surf via your squid proxy, # or transparently redirect incoming webtraffic to a secure webserver. # # Choice: leave empty or use the following explained syntax of redirecting # rules, seperated by a space. # A redirecting rule consists of 1) source IP/net, 2) destination IP/net, # 3) protocol (tcp or udp) 3) original destination port and 4) local port to # redirect the traffic to, seperated by a colon. e.g.: # "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080" # Please note that as 2) destination, you may add '!' in front of the IP/net # to specify everything EXCEPT this IP/net. # FW_REDIRECT="" ## Type: yesno ## Default: yes # # 16.) # Which logging level should be enforced? # You can define to log packets which were accepted or denied. # You can also the set log level, the critical stuff or everything. # Note that logging *_ALL is only for debugging purpose ... # # Choice: "yes" or "no", if not set FW_LOG_*_CRIT defaults to "yes", and # FW_LOG_*_ALL defaults to "no" # FW_LOG_DROP_CRIT="no" ## Type: yesno ## Default: no # FW_LOG_DROP_ALL="no" ## Type: yesno ## Default: yes # FW_LOG_ACCEPT_CRIT="no" ## Type: yesno ## Default: no # FW_LOG_ACCEPT_ALL="no" ## Type: string # # only change/activate this if you know what you are doing! FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" ## Type: yesno ## Default: yes # # 17.) # Do you want to enable additional kernel TCP/IP security features? # If set to yes, some obscure kernel options are set. # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate, # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate, # ip_local_port_range, log_martians, mc_forwarding, mc_forwarding, # rp_filter, routing flush) # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it # if everything still works. (It should!) ;-) # # Choice: "yes" or "no", if not set defaults to "yes" # FW_KERNEL_SECURITY="no" ## Type: yesno ## Default: no # # 18.) # Keep the routing set on, if the firewall rules are unloaded? # REQUIRES: FW_ROUTE # # If you are using diald, or automatic dialing via ISDN, if packets need # to be sent to the internet, you need to turn this on. The script will then # not turn off routing and masquerading when stopped. # You *might* also need this if you have got a DMZ. # Please note that this is *insecure*! If you unload the rules, but are still # connected, you might your internal network open to attacks! # The better solution is to remove "/sbin/SuSEfirewall2 stop" or # "/sbin/init.d/firewall stop" from the ip-down script! # # # Choices "yes" or "no", if not set defaults to "no" # FW_STOP_KEEP_ROUTING_STATE="yes" ## Type: yesno ## Default: yes # # 19.) # Allow (or don't) ICMP echo pings on either the firewall or the dmz from # the internet? The internet option is for allowing the DMZ and the internal # network to ping the internet. # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_EXT # # Choice: "yes" or "no", defaults to "no" if not set # FW_ALLOW_PING_FW="no" ## Type: yesno ## Default: no # FW_ALLOW_PING_DMZ="no" ## Type: yesno ## Default: no # FW_ALLOW_PING_EXT="no" ## # END of /etc/sysconfig/SuSEfirewall2 ## # # #-------------------------------------------------------------------------# # # # EXPERT OPTIONS - all others please don't change these! # # # #-------------------------------------------------------------------------# # # ## Type: yesno ## Default: yes # # 20.) # Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall. # This is used for traceroutes to your firewall (or traceroute like tools). # # Please note that the unix traceroute only works if you say "yes" to # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say # additionally "yes" to FW_ALLOW_PING_FW # # Choice: "yes" or "no", if not set defaults to "no" # FW_ALLOW_FW_TRACEROUTE="yes" ## Type: yesno ## Default: yes # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Choice: "yes" or "no", if not set defaults to "yes" # FW_ALLOW_FW_SOURCEQUENCH="yes" ## Type: yesno ## Default: no # # 22.) # Allow/Ignore IP Broadcasts? # # If set to yes, the firewall will not filter broadcasts by default. # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast # option is used. # If you do not want to allow them however ignore the annoying log entries, # set FW_IGNORE_FW_BROADCAST to yes. # # Choice: "yes" or "no", if not set defaults to "no" # FW_ALLOW_FW_BROADCAST="yes" ## Type: yesno ## Default: yes # FW_IGNORE_FW_BROADCAST="no" ## Type: yesno ## Default: no # # 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", if not set defaults to "no" # FW_ALLOW_CLASS_ROUTING="no" ## Type: string # # 25.) # Do you want to load customary rules from a file? #10000 111 137:139 2049 445 4661:4665 901 telnet # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom # #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuS10000 111 137:139 2049 445 4661:4665 901 telnetEfirewall2-custom" FW_CUSTOMRULES="" ## Type: yesno ## Default: no # # 26.) # Do you want to REJECT packets instead of DROPing? # # DROPing (which is the default) will make portscans and attacks much # slower, as no replies to the packets will be sent. REJECTing means, that # for every illegal packet, a connection reject packet is sent to the # sender. # # Choice: "yes" or "no", if not set defaults to "no" # FW_REJECT="no" ## Type: string # # 27.) # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket) # for more information about HTB see http://www.lartc.org # # If your download collapses while you have a parallel upload, # this parameter might be an option for you. It manages your # upload stream and reserves bandwidth for special packets like # TCP ACK packets or interactive SSH. # It's a list of devices and maximum bandwidth in kbit. # For example, the german TDSL account, provides 128kbit/s upstream # and 768kbit/s downstream. We can only tune the upstream. # # Example: # If you want to tune a 128kbit/s upstream DSL device like german TDSL set # the following values: # FW_HTB_TUNE_DEV="ppp0,125" # where ppp0 is your pppoe device and 125 stands for 125kbit/s upstream # # you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll # get a better performance if you keep the value a few percent under your # real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in # it's own buffers because queing is done by us now. # So for a 256kbit upstream # FW_HTB_TUNE_DEV="ppp0,250" # might be a better value than "ppp0,256". There is no perfect value for a # special kind of modem. The perfect value depends on what kind of traffic you # have on your line but 5% under your maximum upstream might be a good start. # Everthing else is special fine tuning. # If you want to know more about the technical background, # http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/ # is a good start # FW_HTB_TUNE_DEV=""
participants (1)
-
funfactor@t-online.de