On 26/09/06 21:59, Paul Abrahams wrote:
<snip>
Specifically, FW_DEVICE_INT, as the name suggests, specifies a device rather than a range of IP addresses.
Correct, and certainly if you are configuring a network with only one subnet in it, you don't need anything more than this.
However, based on your other posts (2 others thus far), I suspect you will be best served by defining your devices to be in the external zone,
Yes. I realized early on that since the internal zone is in general unprotected, I couldn't get protection from the outside world by using it. In fact, it seems that with only one interface (network card), turning off the firewall is pretty much equivalent to declaring that interface to be internal.
I see you bypassed where I said the internal zone device can be as protected as you want it to be: turn on the "protect from int" variable and see what happens.
and defining your LAN net/mask in the FW_TRUSTED_NETS variable, i.e. FW_TRUSTED_NETS="192.168.0.0/24" (you will have to change this if you ever change the net on the router).
That is the critical hint. There's no way to do this setting through Yast as far as I can tell, though there ought to be. I hadn't realized until you pointed it out that there are a number of firewall-related settings in /etc/sysconfig and many of these are not manipulable through Yast.
Well, I don't think there is a way to do this in the security/firewall section, but there sure is a way to do all of this in system/sysconfig editor. It's under network/firewall, I believe. This definitely points to what might be regarded as a deficiency in Yast: surely the entire firewall should be configurable from that security section.
At this point, you should check to see that your Samba networking is functioning properly (it should be, and if it is not, verify that the router is not blocking the traffic before making any further changes on any workstation). If you have any NFS or CUPS functionality within the LAN, it should also be tested. Again, if the services are properly configured but do not work, check the router first.
After diddling FW_TRUSTED_NETS, Samba became available just as you said it should. A simple way to see what the router is blocking is to turn off the firewall; anything that's still inaccessible is inaccessible because of the router.
The FW_TRUSTED_NETS variable also accepts a list of services, which I didn't provide. Samba worked anyway.
Read the blurb again: the only thing that is required is the network (either a single IP, or a net/mask). The protocol/port stuff is only necessary if you want to restrict an IP/IP range to a specific service, e.g. 192.168.1.0/24,tcp,21 means that 192.168.1.* can only connect to the system via ssh, but 192.168.0.0/24 means 192.168.0.* can connect to any service (tcp or udp) that the system offers.
<snip> This is no substitute for proper security in those config files themselves, and should not be treated as such. <snip>
If the outside connections are not listed in FW_TRUSTED_NETS, I'd think that the outsiders would be blocked from cupsd on that account.
I say again, this is no substitute for proper security in the config files -- what are you going to do if your firewalls are hacked? What are you going to do if an IP you thought to be trusted is spoofed?
<snip> It appears to me that including an IP address in the FW_TRUSTED_NETS range effectively moves it from the external zone to the internal zone. Is that correct?
Not at all, e.g. you could allow anyone anywhere on the internet to connect to your IRC server by including this in your trusted-nets: 0/0,tcp,6667 (assuming, of course, that you forward port 6667 on your router). The big bad world is still in the external zone. However, apart from "/24" in place of "/255" (ahem :-) ) the following is correct:
assign the network card to the external zone and set FW_TRUSTED_NETS to 192.168.0.1/255. Then machines on the LAN have full access to each other and machines outside the net have none, other than what is explicitly allowed.
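The FW_TRUSTED_NETS semantics spelled out above (a bare net/mask trusts the whole network for every service, a net,proto,port triple trusts it for that one service only, and 0/0 means anywhere) are easy to get subtly wrong when editing /etc/sysconfig by hand, as the "/255" slip shows. The following is an added example, not code from SuSEfirewall2 or from either poster: a small Python model of the entry grammar described in the thread, with a validator you can run over a proposed value before committing it and a matcher that tells you whether a given source/protocol/port would be trusted. It assumes the "net[,proto[,port]]" form discussed here (IPv4 only, tcp or udp), treats an entry with a protocol but no port as "all ports of that protocol" (an assumption, not stated in the thread), and all sample entries and addresses below are constructed for illustration.

```python
"""Model of how SuSEfirewall2's FW_TRUSTED_NETS entries are matched.

Added example, not SuSEfirewall2's own code. Assumed grammar (from the
thread): entries are space-separated, each "net[,proto[,port]]", where net
is a single IPv4 address, a net/prefix (192.168.0.0/24), a net/dotted-mask
(192.168.0.0/255.255.255.0) or "0/0" for anywhere. No proto/port means the
source is trusted for every service the host offers.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrustedEntry:
    net: ipaddress.IPv4Network
    proto: Optional[str]   # None = any protocol / any service
    port: Optional[int]    # None = any port of that protocol (assumption)


def parse_trusted_nets(value: str) -> List[TrustedEntry]:
    """Parse a FW_TRUSTED_NETS string; raise ValueError on a malformed entry."""
    entries = []
    for token in value.split():
        parts = token.split(",")
        net_s = parts[0]
        # SuSEfirewall2 spells "anywhere" as 0/0; ipaddress wants 0.0.0.0/0.
        if net_s == "0/0":
            net_s = "0.0.0.0/0"
        # strict=False tolerates host bits (192.168.0.1/24 -> 192.168.0.0/24);
        # a bogus mask such as "/255" still raises ValueError here.
        net = ipaddress.IPv4Network(net_s, strict=False)
        proto = parts[1].lower() if len(parts) > 1 else None
        if proto is not None and proto not in ("tcp", "udp"):
            raise ValueError(f"unknown protocol {proto!r} in entry {token!r}")
        port = int(parts[2]) if len(parts) > 2 else None
        if port is not None and not 0 < port < 65536:
            raise ValueError(f"port {port} out of range in entry {token!r}")
        if len(parts) > 3:
            raise ValueError(f"too many fields in entry {token!r}")
        entries.append(TrustedEntry(net, proto, port))
    return entries


def validate_trusted_nets(value: str) -> List[str]:
    """Return one problem string per bad entry (empty list = value looks sane).

    Intended as a pre-flight check before writing the sysconfig file, so a
    typo does not silently leave the LAN untrusted or the world trusted.
    """
    problems = []
    for token in value.split():
        try:
            parse_trusted_nets(token)
        except ValueError as exc:
            problems.append(f"{token}: {exc}")
    return problems


def is_trusted(entries: List[TrustedEntry], src_ip: str,
               proto: str, dport: int) -> bool:
    """True if some entry trusts src_ip for a connection to proto/dport."""
    src = ipaddress.IPv4Address(src_ip)
    for e in entries:
        if src not in e.net:
            continue
        if e.proto is None:               # whole net trusted for everything
            return True
        if e.proto == proto.lower() and (e.port is None or e.port == dport):
            return True
    return False


if __name__ == "__main__":
    # Constructed value mirroring the thread's examples: LAN trusted for all
    # services, a second subnet trusted for one tcp port, IRC open to the world.
    value = "192.168.0.0/24 192.168.1.0/24,tcp,21 0/0,tcp,6667"
    print("problems:", validate_trusted_nets(value))
    ents = parse_trusted_nets(value)
    for ip, pr, pt in [("192.168.0.5", "udp", 137), ("192.168.1.7", "tcp", 22),
                       ("203.0.113.9", "tcp", 6667), ("203.0.113.9", "tcp", 445)]:
        print(ip, pr, pt, "->", "trusted" if is_trusted(ents, ip, pr, pt) else "blocked")
    print("typo check:", validate_trusted_nets("192.168.0.1/255"))
```

Run it as a script and it prints which of the constructed connections the value would admit; the last line shows that the "/255" form from the thread is rejected outright rather than silently accepted. Note that, as the reply above stresses, an entry that trusts a whole net trusts it for every listening service, so keeping the triple form for anything reachable from outside the LAN is the safer default.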