On Friday, October 20, 2006 @ 2:07 PM, Darryl Gregorash wrote:
On 20/10/06 12:20, Greg Wallace wrote:
I have never used SuSE Firewall because I have a router with a built-in firewall, but recently I lost my router and it took a few days to get a new one. Meanwhile, my machine was exposed. So, I decided it would be a good idea to go ahead and enable the firewall, even though I shouldn't really need it currently since I now have a new router.
Security should be a layered defence. A firewall on each internal network system simply adds protection to what you get from a firewall on the gateway. You only enable those services you actually need, and configure them with security in mind. Don't rely on a single point of failure to protect you.
Well, I am having problems with the firewall. I have an Oracle database on the machine which I access from another machine via Oracle's built-in Apache server configuration (it comes with a complete Apache server configuration). Anyway, I am unable to connect to the machine with the newly enabled firewall via that http server (the browser says the site is unreachable, or something like that). I set "Allow All Services" for all zones and STILL I can't connect. Can someone tell me what I am missing here?
Can't tell you a thing right now :-) What version of SuSE are you running? There seem to be minor differences in the SuSEfirewall between versions.
Please post the results of:
iptables-save
cat /etc/sysconfig/SuSEfirewall2
I'm running SUSE Linux 10.1. Here's the output you requested. I trimmed the comments out of /etc/sysconfig/SuSEfirewall2. Hopefully, I didn't cut out any parameters by mistake, but the comments made the list huge.

iptables-save

# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006
*mangle
:PREROUTING ACCEPT [29482:26507005]
:INPUT ACCEPT [29482:26507005]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21621:1318988]
:POSTROUTING ACCEPT [21752:1348250]
COMMIT
# Completed on Fri Oct 20 23:23:14 2006
# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006
*nat
:PREROUTING ACCEPT [1233:168093]
:POSTROUTING ACCEPT [4224:265064]
:OUTPUT ACCEPT [4224:265064]
COMMIT
# Completed on Fri Oct 20 23:23:14 2006
# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18:936]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "SFW2-IN-ACC-RELATED " --log-tcp-options --log-ip-options
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Fri Oct 20 23:23:14 2006

cat /etc/sysconfig/SuSEfirewall2

FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_SERVICES_EXT_TCP="5801 5901 domain http https imap imaps ipp iscsi-target ldap ldaps microsoft-ds mysql netbios-ssn pbs pbs_mom pbs_resmom pbs_sched pop3 pop3s rsync smtp ssh svrloc xdmcp"
FW_SERVICES_EXT_UDP="bootpc bootps domain ipp ipsec-nat-t isakmp netbios-dgm netbios-ns ntp pbs_resmom svrloc tftp xdmcp"
FW_SERVICES_EXT_IP="esp"
FW_SERVICES_DMZ_TCP="5801 5901 domain http https imap imaps ipp iscsi-target ldap ldaps microsoft-ds mysql netbios-ssn pbs pbs_mom pbs_resmom pbs_sched pop3 pop3s rsync smtp ssh svrloc xdmcp"
FW_SERVICES_DMZ_UDP="bootpc bootps domain ipp ipsec-nat-t isakmp netbios-dgm netbios-ns ntp pbs_resmom svrloc tftp xdmcp"
FW_SERVICES_DMZ_IP="esp"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP="bootpc"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
:-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_SERVICES_EXT_RPC="fypxfrd mountd nfs nfs_acl nlockmgr portmap sgi_fam status ypbind yppasswdd ypserv"
FW_SERVICES_DMZ_RPC="fypxfrd mountd nfs nfs_acl nlockmgr portmap sgi_fam status ypbind yppasswdd ypserv"
FW_SERVICES_INT_RPC=""
FW_LOG=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_LOG_LIMIT=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_ACCEPT_EXT=""
FW_ALLOW_FW_BROADCAST_EXT="bootps ipp ntp xdmcp svrloc netbios-ns netbios-dgm"
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ="bootps ipp ntp xdmcp svrloc netbios-ns netbios-dgm"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="yes"
FW_IGNORE_FW_BROADCAST_DMZ="yes"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
FW_FORWARD_ALWAYS_INOUT_DEV=""
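The quickest way to see why a service is unreachable behind a freshly enabled firewall is to read the live ruleset (iptables-save) rather than the sysconfig file, and walk the INPUT chain the way the kernel does for a new connection. In the dump posted above, the filter INPUT chain accepts only loopback traffic and RELATED,ESTABLISHED state; nothing accepts a NEW TCP connection on any interface or port, so an inbound HTTP request is logged with the SFW2-IN-ILL-TARGET prefix and dropped regardless of what the service lists in the sysconfig file say. The following script is an added example, not code from this thread or from SuSEfirewall2: it parses the filter table of an iptables-save dump and reports which rule (or chain policy) decides the fate of a new TCP connection to a given port. POSTED_DUMP is constructed from the filter table in the thread; FIXED_DUMP, the interface name eth0 and port 80 are assumptions used to show what a working rule set looks like.

```python
"""Replay a new inbound TCP connection against the filter table of an
iptables-save dump and report which rule (or chain policy) decides it.

Added example; not code from the thread or from SuSEfirewall2.
POSTED_DUMP is built from the filter table posted in the thread.
FIXED_DUMP, the interface name eth0 and port 80 are assumptions."""
import shlex

POSTED_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18:936]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "SFW2-IN-ACC-RELATED " --log-tcp-options --log-ip-options
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
"""

# Hypothetical fixed variant: one hand-written rule accepting NEW TCP
# connections to port 80 on an assumed external interface eth0, placed
# before the catch-all LOG/DROP pair.
FIXED_DUMP = POSTED_DUMP.replace(
    '-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET "',
    '-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT\n'
    '-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET "',
)

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # verdicts that end the walk


def parse_rule(line):
    """Turn one '-A ...' line into {option: value}; bare flags map to True."""
    toks = shlex.split(line)
    if "!" in toks:
        raise ValueError("negated matches are not supported: " + line)
    rule = {"_line": line}
    i = 0
    while i < len(toks):
        if i + 1 < len(toks) and not toks[i + 1].startswith("-"):
            rule[toks[i]] = toks[i + 1]     # option with a value, e.g. -j ACCEPT
            i += 2
        else:
            rule[toks[i]] = True            # flag, e.g. --log-tcp-options
            i += 1
    return rule


def parse_filter(dump):
    """Return (policies, chains) for the *filter table of an iptables-save dump."""
    policies, chains, in_filter = {}, {}, False
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"    # other tables are skipped
            continue
        if not in_filter or line == "COMMIT":
            continue
        if line.startswith(":"):             # ':INPUT DROP [0:0]' -> policy DROP
            name, policy = line[1:].split()[:2]
            policies[name] = policy          # '-' marks a user-defined chain
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            rule = parse_rule(line)
            chains.setdefault(rule["-A"], []).append(rule)
    return policies, chains


def matches(rule, pkt):
    """Does the match part of rule apply to pkt (iface, proto, dport, state)?"""
    if "-i" in rule and rule["-i"] != pkt["iface"]:
        return False
    if "-p" in rule and rule["-p"] not in ("all", pkt["proto"]):
        return False
    if "--dport" in rule and rule["--dport"] != str(pkt["dport"]):
        return False
    if "--state" in rule and pkt["state"] not in rule["--state"].split(","):
        return False
    return True


def evaluate(policies, chains, chain, pkt):
    """Walk a chain in order; return (verdict, deciding rule line).

    The line is None when the chain policy decided; the verdict is None
    when a user-defined chain fell through (implicit RETURN)."""
    for rule in chains.get(chain, []):
        if not matches(rule, pkt):
            continue
        target = rule.get("-j")
        if target in TERMINAL:
            return target, rule["_line"]
        if target == "RETURN":
            break
        if target in chains:                 # jump into a user-defined chain
            verdict, line = evaluate(policies, chains, target, pkt)
            if verdict is not None:
                return verdict, line
        # LOG, no target, or an unknown extension target: keep walking
    policy = policies.get(chain, "-")
    return (None, None) if policy == "-" else (policy, None)


def new_tcp_verdict(dump, iface, dport):
    """Verdict for a fresh TCP SYN to dport arriving on iface (state NEW)."""
    policies, chains = parse_filter(dump)
    pkt = {"iface": iface, "proto": "tcp", "dport": dport, "state": "NEW"}
    return evaluate(policies, chains, "INPUT", pkt)


if __name__ == "__main__":
    for label, dump in (("posted", POSTED_DUMP), ("fixed", FIXED_DUMP)):
        verdict, line = new_tcp_verdict(dump, "eth0", 80)
        print(f"{label}: tcp/80 on eth0 -> {verdict} (by: {line or 'chain policy'})")
```

Run against a real box with `iptables-save | python3 walk.py` after swapping POSTED_DUMP for `sys.stdin.read()`; the deciding-rule output tells you immediately whether a service is blocked by an explicit rule or by the chain policy, which is the distinction that matters when the sysconfig file and the live ruleset disagree. The evaluator deliberately refuses rules with `!` negation rather than silently misreading them.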