On Tuesday 26 September 2006 5:01 pm, Theo v. Werkhoven wrote:
Mon, 25 Sep 2006, by abrahams@acm.org:
I want to configure the SuSE firewall so that communication within my LAN is uninhibited but communication outside the LAN is fully protected. Looking at the firewall configuration in Yast, I see that the external zone is protected but the internal zone is not. However, I don't see how to specify that the internal zone consists of hosts with addresses 192.168.0.x. This would seem to be a pretty common requirement.
Please be more specific about your setup. Do you have a network card with an alias IP address or something?
My network card is assigned its IP address by the router using DHCP. Incoming traffic is processed using Network Address Translation. I have several Linux machines with this setup, each cabled to the router.
It appears that the firewall configurator can specify that an interface is external or internal, but I have only one interface (network card). It connects to the LAN and to the router; the router in turn talks to the world. It's a very common setup.
I should have phrased this better. The network card is cabled to the router, which on its external side is cabled to a broadband modem.
Perhaps, but that doesn't make it the best setup. Having your LAN systems on the same segment and IP range as the "firewall" means that there's nothing between the Internet and the 'other' systems, except the router's rules for port-forwarding etc.
The router (a standard D-Link 4-porter) has an internal net address of 192.168.0.1 and assigns the computers on the LAN addresses of the form 192.168.0.x. Seen externally, it has an IP address assigned by Comcast, my broadband provider, also using DHCP, which Comcast requires. All the systems on the LAN are supposed to have the same firewall protection, using SuSE firewall (or in some cases the Windows firewall). So each machine has two levels of protection: the router, which itself provides pretty good protection, and the firewall on the individual machine. The main weakness of the router firewall is that it doesn't filter outgoing packets, only incoming ones.
If you want better protection I'd look for a "real" router that can be configured for multiple LAN IP ranges, or set up the Linux machine as such.
I'd settle for any degree of protection as long as I can share files with other machines on the LAN. Sharing could be either with NFS or with Samba. Thanks for your help. Paul
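As an added illustration (not part of the thread, and not SuSEfirewall2's own code), the policy Paul asks for on a single-NIC host behind a NAT router can be written directly as an iptables-restore ruleset: the only distinction available on one segment is the source address, so the LAN range is accepted and everything else reaching the card is dropped. The interface name and subnet are assumed values; SuSEfirewall2 expresses the same idea through its FW_TRUSTED_NETS setting, which is the route to take if YaST is to keep managing the firewall.

```sh
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a host whose single
# network card sits on the LAN segment behind a NAT router.
# Assumptions: the card is "eth0" and the router hands out 192.168.0.0/24.
lan_ruleset() {
    iface="$1"   # the one network card, e.g. eth0
    lan="$2"     # LAN range in CIDR form, e.g. 192.168.0.0/24
    case "$lan" in
        */*) ;;
        *) echo "lan_ruleset: LAN must be given in CIDR form, got '$lan'" >&2
           return 1 ;;
    esac
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback and replies to connections this host opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# "uninhibited" LAN: NFS (111, 2049 and the mountd/lockd/statd ports) and
# Samba (137-139, 445) are all covered by this one rule.  This trusts the
# router to keep Internet packets with a private source off the segment.
-A INPUT -i $iface -s $lan -j ACCEPT
# anything else the router forwards from outside is rate-limited into the
# log and then falls through to the DROP policy
-A INPUT -i $iface -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Usage (as root):  lan_ruleset eth0 192.168.0.0/24 | iptables-restore
# Review first:     lan_ruleset eth0 192.168.0.0/24
```

Loading this while SuSEfirewall2 is active will be undone the next time that service restarts, so either stop it or transcribe the LAN rule into FW_TRUSTED_NETS instead.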