On Saturday, October 21, 2006 @ 12:10 AM, Darryl Gregorash wrote:
On 20/10/06 22:54, Greg Wallace wrote:
I'm running SUSE Linux 10.1. Here's the output you requested. I trimmed the comments out of /etc/sysconfig/SuSEfirewall2. Hopefully, I didn't cut out any parameters by mistake, but the comments made the list huge.
No big deal, if I need them I can read my own config file :-)
iptables-save
# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006 <snip>
That stuff isn't any help, because....
cat /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
You really must have one of these defined, because without it, the firewall rules are essentially meaningless. In particular, you will note in the iptables-save output that there is no rule to accept NEW connections of any kind (except, of course, on device lo). Nothing you've entered in the FW_SERVICES* entries has a corresponding rule.
Here's what these should look like with the naming conventions in SuSE:
FW_DEV_EXT="eth-id-00:50:ba:c4:91:43"
FW_DEV_INT="eth-id-00:50:fc:8b:4d:d1"
If you only have one network card in the system, then define it as the external interface. IMO, the firewall is easier to configure that way. Look in /etc/sysconfig/network for the device names, e.g.
# ls /etc/sysconfig/network/
.   config  if-down.d  ifcfg-eth-id-00:50:ba:c4:91:43  ifcfg-lo        ifroute-lo  scripts
..  dhcp    if-up.d    ifcfg-eth-id-00:50:fc:8b:4d:d1  ifcfg.template  providers   wireless
Once you've done this change, restart the firewall, and see if things start working.

Sorry it took me so long to get back on this, but I had major problems on my Winblows machine (and still do have). Anyway, you hit it right on the head as far as what the problem was. I was actually able to make the change you described in the YaST Firewall GUI as opposed to going in and modifying the config file. There's a tab in the GUI called "Interfaces". Under "Interface or String", there was one entry, eth-id-00:08:74:24:85:82, which must be for the one network interface I have. Under "Configured in", it had "No Zone Assigned". I simply changed that to "External Zone", went to the "Allowed Services" tab, checked "Protect Firewall from Internal Zone", added the two ports I access via a web browser to "TCP" under "Advanced", and everything is working perfectly.

Interestingly, with "Protect Firewall from Internal Zone" unchecked, I can access the HTTP server with no problem, even with no "Allowed Services" specified. On the other hand, with "Protect Firewall from Internal Zone" checked, I cannot access the HTTP server no matter what service I allow. The only way to access it is to specify the ports under TCP under Advanced, and I don't need to specify any Allowed Services. So, I'm wondering just what the heck Allowed Services is supposed to do. Choosing them or not seemed to have absolutely no effect on what services were allowed.
Greg Wallace
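An added check, written for this page and not part of the thread or of SuSEfirewall2's own tooling, that automates the two things Darryl read off the config and the iptables-save dump: whether any of FW_DEV_EXT/FW_DEV_INT/FW_DEV_DMZ assigns an interface to a zone, which FW_SERVICES_* entries are therefore ineffective, and whether the active ruleset contains any ACCEPT rule for NEW connections. The variable names come from the thread; the config file and iptables-save output below are constructed samples reproducing the empty-zone state, and the helper function names are my own.

```shell
#!/bin/sh
# Added example: detect a SuSEfirewall2 config whose zones have no interface,
# so that FW_SERVICES_* settings generate no rules (the state in the thread).

# Constructed sample config (not the poster's file), same problem: no FW_DEV_* set.
CONSTRUCTED_CFG=$(mktemp)
cat > "$CONSTRUCTED_CFG" <<'EOF'
FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="80 443"
FW_SERVICES_INT_TCP=""
EOF

# Constructed iptables-save sample (not the poster's output): only lo and
# ESTABLISHED/RELATED are accepted, no rule for NEW connections.
CONSTRUCTED_SAVE=$(mktemp)
cat > "$CONSTRUCTED_SAVE" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
EOF
trap 'rm -f "$CONSTRUCTED_CFG" "$CONSTRUCTED_SAVE"' EXIT

# cfg_value FILE VAR: print the value of a double-quoted VAR="..." assignment
# in FILE (last occurrence wins, as it would when the shell sources the file).
cfg_value() {
    sed -n "s/^$2=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# zone_assigned FILE: succeed if at least one zone has an interface.
zone_assigned() {
    for v in FW_DEV_EXT FW_DEV_INT FW_DEV_DMZ; do
        [ -n "$(cfg_value "$1" "$v")" ] && return 0
    done
    return 1
}

# ineffective_services FILE: print each non-empty FW_SERVICES_<zone>_<proto>
# whose zone has no interface, i.e. settings that produce no iptables rule.
ineffective_services() {
    for zone in EXT INT DMZ; do
        [ -n "$(cfg_value "$1" "FW_DEV_$zone")" ] && continue
        for proto in TCP UDP RPC IP; do
            var="FW_SERVICES_${zone}_${proto}"
            [ -n "$(cfg_value "$1" "$var")" ] && echo "$var"
        done
    done
    return 0
}

# new_accept_rules FILE: count ACCEPT rules in an iptables-save dump that
# match NEW connections (iptables 1.3.x syntax: -m state --state ...,NEW).
new_accept_rules() {
    grep -c -- '--state [A-Z,]*NEW.*-j ACCEPT' "$1" || true
}

# report CFG SAVE: human-readable summary of both findings; always returns 0.
report() {
    if zone_assigned "$1"; then
        echo "zone assignment: ok"
    else
        echo "zone assignment: none of FW_DEV_EXT/INT/DMZ is set"
    fi
    for s in $(ineffective_services "$1"); do
        echo "ineffective: $s (its zone has no interface)"
    done
    echo "ACCEPT rules for NEW connections in ruleset: $(new_accept_rules "$2")"
}

report "$CONSTRUCTED_CFG" "$CONSTRUCTED_SAVE"
```

Run against the real files with `report /etc/sysconfig/SuSEfirewall2 <(iptables-save)` in bash, or save the dump to a file first for a plain POSIX sh. A count of zero NEW-connection ACCEPT rules together with non-empty FW_SERVICES_* entries is exactly the symptom in this thread.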