On 22/10/06 20:55, Greg Wallace wrote:
<snip> Sorry it took me so long to get back on this, but I had major problems on my Winblows machine (and still do have). Anyway, you hit it right on the head as far as what the problem was. I was actually able to make the change you described in the YaST Firewall GUI as opposed to going in and modifying the config file. There's a tab in the GUI called "Interfaces". Under "Interface or String", there was one entry, eth-id-00:08:74:24:85:82, which must be for the one network interface I have. Under "Configured in", it had "No Zone Assigned". I simply changed that to "External Zone", went to the "Allowed Services" tab, checked "Protect Firewall from Internal Zone", added the two ports I access via a web browser to "TCP" under "Advanced", and everything is working perfectly. Interestingly, with "Protect Firewall from Internal Zone" unchecked, I can access the HTTP server with no problem, even with no "Allowed Services" specified. On the other hand, with "Protect Firewall from Internal Zone" checked, I cannot access the HTTP server no matter what service I allow. The only way to access it is to specify the ports under TCP under Advanced, and I don't need to specify any Allowed Services. So, I'm wondering just what the heck Allowed Services is supposed to do. Choosing them or not seemed to have absolutely no effect on what services were allowed.
This Allowed Services setting should do the same as editing the FW_SERVICES_<zone>_* variables manually, e.g. in the YaST sysconfig editor. I have no idea what will happen if you check the protect from internal zone box, given that you only have an external interface defined. Clearly what is happening isn't what you want to happen :-) I would probably have to look at the results of iptables-save with this setting in effect to know what it does. The config file says this about the variable:

# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.

Since you don't even have an internal device defined, protecting the system on the internal zone isn't even necessary.
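As an added illustration (not part of either message in the thread), the script below shows the two states Greg describes as they would appear in /etc/sysconfig/SuSEfirewall2: the interface with "No Zone Assigned" (no FW_DEV_* variable lists it) and the same interface after being placed in the external zone with two TCP ports opened, which is the FW_SERVICES_<zone>_* editing the reply refers to. It also flags the combination the reply points out, FW_PROTECT_FROM_INT="yes" with an empty FW_DEV_INT. The variable names FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ, FW_SERVICES_<zone>_TCP and FW_PROTECT_FROM_INT are the standard SuSEfirewall2 sysconfig keys; the interface string is the one Greg quoted, and the port numbers (80 8080) and both config files are constructed sample data.

```shell
#!/bin/sh
# Added example: inspect SuSEfirewall2-style sysconfig files and report zone
# membership and opened TCP ports per zone. Both config files below are
# constructed samples; the port numbers are placeholders.

# "Before": the interface is not listed in any FW_DEV_* variable, which is
# what YaST shows as "No Zone Assigned". Port list present but unusable.
BEFORE_CFG=$(mktemp)
cat > "$BEFORE_CFG" <<'EOF'
FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="80 8080"
FW_PROTECT_FROM_INT="yes"
EOF

# "After": the interface is bound to the external zone, so the
# FW_SERVICES_EXT_TCP ports now apply to traffic arriving on it.
AFTER_CFG=$(mktemp)
cat > "$AFTER_CFG" <<'EOF'
FW_DEV_EXT="eth-id-00:08:74:24:85:82"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="80 8080"
FW_PROTECT_FROM_INT="yes"
EOF

# Print the value of a KEY="value" line from the config (empty if absent).
cfg_get() {
    sed -n "s/^$2=\"\\(.*\\)\"/\\1/p" "$1"
}

# Print the zone (EXT, INT or DMZ) whose FW_DEV_<zone> lists the interface,
# or "none" when no zone does, i.e. the "No Zone Assigned" state.
iface_zone() {
    cfg="$1"; iface="$2"
    for zone in EXT INT DMZ; do
        for d in $(cfg_get "$cfg" "FW_DEV_$zone"); do
            [ "$d" = "$iface" ] && { echo "$zone"; return 0; }
        done
    done
    echo none
}

# Print the TCP ports opened towards the firewall host for a zone, i.e. the
# FW_SERVICES_<zone>_TCP variable behind the YaST "Advanced" TCP field.
zone_tcp_ports() {
    cfg_get "$1" "FW_SERVICES_$2_TCP"
}

# Print "moot" when FW_PROTECT_FROM_INT is "yes" but no internal device is
# defined (the setting then has no zone to act on), otherwise "ok".
protect_from_int_check() {
    prot=$(cfg_get "$1" FW_PROTECT_FROM_INT)
    intdev=$(cfg_get "$1" FW_DEV_INT)
    if [ "$prot" = yes ] && [ -z "$intdev" ]; then echo moot; else echo ok; fi
}

# Human-readable report for one config file and one interface.
zone_report() {
    cfg="$1"; iface="$2"
    z=$(iface_zone "$cfg" "$iface")
    echo "interface $iface: zone=$z"
    if [ "$z" = none ]; then
        echo "  no FW_DEV_* variable lists this interface (No Zone Assigned)"
    else
        echo "  TCP ports opened for zone $z: $(zone_tcp_ports "$cfg" "$z")"
    fi
    echo "  FW_PROTECT_FROM_INT check: $(protect_from_int_check "$cfg")"
}

IFACE="eth-id-00:08:74:24:85:82"
echo "== before =="; zone_report "$BEFORE_CFG" "$IFACE"
echo "== after  =="; zone_report "$AFTER_CFG" "$IFACE"
```

Run it on a real host by pointing the functions at /etc/sysconfig/SuSEfirewall2 instead of the sample files; the two temporary files are left in place so the report can be re-run. The parser only handles the simple `KEY="value"` lines YaST writes, which is enough for the variables discussed here.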