On Monday, October 23, 2006 @ 2:38 PM, Darryl Gregorash wrote:
On 22/10/06 20:55, Greg Wallace wrote:
<snip> I simply changed that to "External Zone", went to the "Allowed Services" tab, checked "Protect Firewall from Internal Zone", added the two ports I access via a web browser to "TCP" under "Advanced", and everything is working perfectly. Interestingly, with "Protect Firewall from Internal Zone" unchecked, I can access the HTTP server with no problem, even with no "Allowed Services" specified. On the other hand, with "Protect Firewall from Internal Zone" checked, I cannot access the HTTP server no matter what service I allow. The only way to access it is to specify the ports under TCP under Advanced, and I don't need to specify any Allowed Services. So, I'm wondering just what the heck Allowed Services is supposed to do. Choosing them or not seemed to have absolutely no effect on what services were allowed.
This Allowed Services setting should do the same as editing the FW_SERVICES_<zone>_* variables manually, e.g. in the YaST sysconfig editor. I have no idea what will happen if you check the protect from internal zone box, given that you only have an external interface defined. Clearly what is happening isn't what you want to happen :-) I would probably have to look at the results of iptables-save with this setting in effect to know what it does.
The config file says this about the variable:
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
Since you don't even have an internal device defined, protecting the system on the internal zone isn't even necessary.
OK, I see what you're saying. So checking that box has no bearing on how the firewall works. I still have questions about the "Allowed Services", however. If I add HTTP CLIENT and HTTP SERVER as allowed services in the external zone, I still can't access my Apache server from an outside machine. Only if I specifically enter the ports that they serve can I access them. And if I do that, it doesn't matter if I have HTTP CLIENT and/or HTTP SERVER selected as allowed services. It just makes me wonder what the purpose of those allowed services is. Maybe there is a specific port applicable to each and I am not using that particular port. Otherwise, I don't know what the purpose of those allowed services is.

Greg Wallace
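A small sanity check for the mismatch Darryl describes, added here as an example and not taken from the thread or from SuSEfirewall2 itself: it reads a sysconfig fragment and reports FW_PROTECT_FROM_INT as inactive when FW_DEV_INT is empty, and lists the TCP ports opened per zone only for zones that actually have a device. The variable names are the SuSEfirewall2 ones (FW_PROTECT_FROM_INT and FW_DEV_EXT in addition to those named above); the interface names and ports in the sample fragment are constructed.

```shell
#!/bin/sh
# Constructed sysconfig fragment mirroring the thread: only an external
# device, "protect from internal zone" switched on, web ports opened via
# the zone's TCP list. Interface and port values are made up.
SAMPLE_CONFIG='
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP="80 443"
FW_SERVICES_INT_TCP=""
'

# get_var CONFIG NAME: print the value of NAME="..." from the config text
# (last assignment wins, as it would in the shell that sources the file).
get_var() {
    printf '%s\n' "$1" | sed -n "s/^${2}=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" | tail -n 1
}

# zone_is_defined CONFIG ZONE: succeed if FW_DEV_<ZONE> names an interface.
zone_is_defined() {
    [ -n "$(get_var "$1" "FW_DEV_${2}")" ]
}

# check_protect_from_int CONFIG: prints "off", "ok" or "inactive".
# "inactive" is the thread's case: the setting is "yes" but FW_DEV_INT is
# empty, so there is no internal interface for it to apply to.
check_protect_from_int() {
    if [ "$(get_var "$1" FW_PROTECT_FROM_INT)" != "yes" ]; then
        echo off
    elif zone_is_defined "$1" INT; then
        echo ok
    else
        echo inactive
    fi
}

# open_tcp_ports CONFIG ZONE: TCP ports/services opened for a zone, or
# nothing when the zone has no device and the list cannot take effect.
open_tcp_ports() {
    zone_is_defined "$1" "$2" || return 0
    get_var "$1" "FW_SERVICES_${2}_TCP"
}

# report CONFIG: one-line-per-zone summary for the administrator.
report() {
    echo "protect-from-internal: $(check_protect_from_int "$1")"
    for zone in EXT INT DMZ; do
        if zone_is_defined "$1" "$zone"; then
            echo "$zone ($(get_var "$1" "FW_DEV_$zone")) tcp: $(open_tcp_ports "$1" "$zone")"
        else
            echo "$zone: no device, FW_SERVICES_${zone}_* has no interface to apply to"
        fi
    done
}

report "$SAMPLE_CONFIG"
```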