Suse Firewall2 allowing LAN to connect
What is the setting in Suse Firewall 2 that allows a Win computer to connect to it. I have looked in the examples and have put in the example 3 but the Win box is still blocked. Masquerading is enabled in rc-config. The address has been put into the firewall2.rc.config. Setup is direct cable connection (x-over) on Ethernet cards. Dial up modem. What else is needed please? Regards, David
Hi
Protect_from_local=no
Jaska.
On Sunday 9 December 2001 15:15, David wrote:
What is the setting in Suse Firewall 2 that allows a Win computer to connect to it. I have looked in the examples and have put in the example 3 but the Win box is still blocked. Masquerading is enabled in rc-config. The address has been put into the firewall2.rc.config. Setup is direct cable connection (x-over) on Ethernet cards. Dial up modem.
What else is needed please?
Regards,
David
Thanks Jaakko However that does not work. I could not find that line in firewall2.rc.config to edit, so I put it in, but no go. There are 2 lines there that I thought would do it. FW_PROTECT_FROM_INTERNAL="yes" FW_AUTOPROTECT_SERVICES="yes" I set both to no but it won't allow a connection. I stopped and started the firewall after each alteration. With it off access is allowed, so it is only the firewall stopping it. Regards, David On Sun, 9 Dec 2001 15:26:09 +0200, Jaakko Tamminen wrote:
Hi
Protect_from_local=no
Jaska.
On Sunday 9 December 2001 15:15, David wrote:
What is the setting in Suse Firewall 2 that allows a Win computer to connect to it. I have looked in the examples and have put in the example 3 but the Win box is still blocked. Masquerading is enabled in rc-config. The address has been put into the firewall2.rc.config. Setup is direct cable connection (x-over) on Ethernet cards. Dial up modem.
What else is needed please?
Regards,
David
Hello, David.
In the rc.config you'll find a setting for FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP. Add the ports that you need to access in here, and it should work. On my box here, for example, I have
FW_PROTECT_FROM_INTERNAL=yes
FW_AUTOPROTECT_SERVICES=yes
FW_SERVICES_INT_TCP=10000
FW_SERVICES_INT_UDP=10000
This is the only port I have enabled (it's for Webmin) and I could probably lose one of the UDP or TCP entries; I'm just too lazy to work out which one it should be, so I enabled both.
If you wanted Telnet, FTP and SWAT enabled, for example, an entry might look like this:-
FW_SERVICES_INT_TCP="ftp telnet 901"
FW_SERVICES_INT_UDP="ftp telnet 901"
Again, these services are probably only using one or other of TCP or UDP. The smallest amount of trial and error would probably tell me which uses which.
Bye for now, Stuart.
-----Original Message-----
From: David [mailto:dg@stanwater.fsnet.co.uk]
Sent: 09 December 2001 17:29
To: Suse mail list
Subject: Re: [SLE] Suse Firewall2 allowing LAN to connect
Thanks Jaakko
However that does not work. I could not find that line in firewall2.rc.config to edit, so I put it in, but no go.
There are 2 lines there that I thought would do it.
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
I set both to no but it won't allow a connection. I stopped and started the firewall after each alteration. With it off access is allowed, so it is only the firewall stopping it.
Regards, David
On Sun, 9 Dec 2001 15:26:09 +0200, Jaakko Tamminen wrote:
Hi
Protect_from_local=no
Jaska.
On Sunday 9 December 2001 15:15, David wrote:
What is the setting in Suse Firewall 2 that allows a Win computer to connect to it. I have looked in the examples and have put in the example 3 but the Win box is still blocked. Masquerading is enabled in rc-config. The address has been put into the firewall2.rc.config. Setup is direct cable connection (x-over) on Ethernet cards. Dial up modem.
What else is needed please?
Regards,
David
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com For additional commands send e-mail to suse-linux-e-help@suse.com Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
On Sunday 09 December 2001 14:17 pm, Stuart Powell wrote:
Hello, David.
In the rc.config you'll find a setting for FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP. Add the ports that you need to access in here, and it should work. On my box here, for example, I have
FW_PROTECT_FROM_INTERNAL=yes
FW_AUTOPROTECT_SERVICES=yes
FW_SERVICES_INT_TCP=10000
FW_SERVICES_INT_UDP=10000
In my view, the thing to do is to use:
FW_PROTECT_FROM_INTERNAL=no
and then you don't need any of the other _INT settings.
If it's a home LAN, why protect yourself from yourself? (unless your lazy brother_in_law is a linux cracker and uses your internal lan :o)
This is the only port I have enabled (it's for Webmin) and I could probably lose one of the UDP or TCP entries; I'm just too lazy to work out which one it should be, so I enabled both.
If you wanted Telnet, FTP and SWAT enabled, for example, an entry might look like this:-
FW_SERVICES_INT_TCP="ftp telnet 901"
FW_SERVICES_INT_UDP="ftp telnet 901"
Again, these services are probably only using one or other of TCP or UDP. The smallest amount of trial and error would probably tell me which uses which.
Bye for now, Stuart.
-----Original Message----- From: David [mailto:dg@stanwater.fsnet.co.uk] Sent: 09 December 2001 17:29 To: Suse mail list Subject: Re: [SLE] Suse Firewall2 allowing LAN to connect
Thanks Jaakko
However that does not work. I could not find that line in firewall2.rc.config to edit, so I put it in, but no go.
There are 2 lines there that I thought would do it. FW_PROTECT_FROM_INTERNAL="yes" FW_AUTOPROTECT_SERVICES="yes"
I set both to no but it won't allow a connection. I stopped and started the firewall after each alteration. With it off access is allowed, so it is only the firewall stopping it.
Regards,
David
On Sun, 9 Dec 2001 15:26:09 +0200, Jaakko Tamminen wrote:
Hi
Protect_from_local=no
Jaska.
On Sunday 9 December 2001 15:15, David wrote:
What is the setting in Suse Firewall 2 that allows a Win computer to connect to it. I have looked in the examples and have put in the example 3 but the Win box is still blocked. Masquerading is enabled in rc-config. The address has been put into the firewall2.rc.config. Setup is direct cable connection (x-over) on Ethernet cards. Dial up modem.
What else is needed please?
Regards,
David
-- +----------------------------------------------------------------------------+ + Bruce S. Marshall bmarsh@bmarsh.com Bellaire, MI 12/09/01 14:55 + +----------------------------------------------------------------------------+ "Change is inevitable, except from a vending machine."
Hi Bruce On Sun, 9 Dec 2001 14:57:39 -0500, Bruce Marshall wrote:
In my view, the thing to do is to use:
FW_PROTECT_FROM_INTERNAL=no
Doesn't make any difference. I can kludge it at the moment by starting Firestarter, but that needs to be shut down before accessing the 'net
and then you don't need any of the other _INT settings.
If it's a home LAN, why protect yourself from yourself? (unless your lazy brother_in_law is a linux cracker and uses your internal lan :o)
Wish I had - might at least sort me out, but he is an artist :)
Regards, David
On Sunday 09 December 2001 19:10 pm, David wrote:
Hi Bruce
On Sun, 9 Dec 2001 14:57:39 -0500, Bruce Marshall wrote:
In my view, the thing to do is to use:
FW_PROTECT_FROM_INTERNAL=no
Doesn't make any difference. I can kludge it at the moment by starting Firestarter, but that needs to be shut down before accessing the 'net
What does firestarter do?
and then you don't need any of the other _INT settings.
If it's a home LAN, why protect yourself from yourself? (unless your lazy brother_in_law is a linux cracker and uses your internal lan :o)
Wish I had - might at least sort me out, but he is an artist :)
Regards,
David
-- +----------------------------------------------------------------------------+ + Bruce S. Marshall bmarsh@bmarsh.com Bellaire, MI 12/09/01 19:31 + +----------------------------------------------------------------------------+ "What is a "free"gift? Aren't all gifts free?"
Hi Stuart, Bit lost with that. Had a poke around but did not seem to make any difference. I am using Samba for the LAN, not sure what that uses Regards, David On Sun, 9 Dec 2001 19:17:32 -0000, Stuart Powell wrote:
Hello, David.
In the rc.config you'll find a setting for FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP. Add the ports that you need to access in here, and it should work. On my box here, for example, I have
FW_PROTECT_FROM_INTERNAL=yes
FW_AUTOPROTECT_SERVICES=yes
FW_SERVICES_INT_TCP=10000
FW_SERVICES_INT_UDP=10000
This is the only port I have enabled (it's for Webmin) and I could probably lose one of the UDP or TCP entries; I'm just too lazy to work out which one it should be, so I enabled both.
If you wanted Telnet, FTP and SWAT enabled, for example, an entry might look like this:-
FW_SERVICES_INT_TCP="ftp telnet 901"
FW_SERVICES_INT_UDP="ftp telnet 901"
Again, these services are probably only using one or other of TCP or UDP. The smallest amount of trial and error would probably tell me which uses which.
Bye for now, Stuart.
Regards, David
David wrote:
Hi Stuart,
Bit lost with that. Had a poke around but did not seem to make any difference. I am using Samba for the LAN, not sure what that uses
David, I'm not sure if this will give any clues, and since I am not using Firewall2 (I am using SuSEFirewall [1]), I can't be sure exactly how much may have changed, but...
Check Dev_World (i.e. internet facing interface[s])
DEV_INT (LAN facing interface)
answer yes to FW_Route and FW_Masquerading (assuming you have one IP you will masquerade for your LAN)
Check FW_MASQ_NETS (this is where I think you might have missed it, this should either be the whole subnet, i.e. 192.168.1.0/24, or a machine's address, i.e. 192.168.0.4)
Choose which ports you need to open with FW_Services_External (i.e. internet side) and Internal (LAN side) for both UDP and TCP.
FW_ALLOW_INCOMING_HIGHPORTS_TCP I have set to ftp-data, UDP to yes
With Firewall 1, you need to set the Services DNS, DHCP, and DHclient separately, which you should set depending on your setup.
For a dial-up connection, you need to add a line to restart the firewall in ip-up (i.e. /sbin/SuSEFirewall). I believe this is basically the same as the third boot script. This is needed to load the rules for the new ppp interface that was non-existent when the firewall originally loaded.
This has worked like a dream for me. HTH, YMMV.
-- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: www.mydestiny.net/~joe_morris Registered Linux user 231871 "We can stand affliction better than we can prosperity, for in prosperity we forget God." --Dwight Lyman Moody
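Added example, not part of any message in this thread and not SuSEfirewall2's own code: David's question about which ports Samba uses, applied to the FW_SERVICES_INT_* settings Stuart describes. Samba's NetBIOS services listen on 137/udp, 138/udp and 139/tcp; the script puts a config that opens only those beside the FW_PROTECT_FROM_INTERNAL=no alternative and checks what each lets a LAN host reach. The sample configs are constructed, cfg_get and int_allowed are hypothetical helper names, and the allow logic is a model of the behaviour as the thread describes it.

```shell
#!/bin/sh
# Model of the internal-interface settings discussed in this thread.
# Assumption: a LAN host reaches a service if internal protection is off,
# or if the port is listed in FW_SERVICES_INT_TCP / FW_SERVICES_INT_UDP.

# Constructed sample: protection stays on, only Samba's NetBIOS ports open.
SAMPLE_STRICT='FW_PROTECT_FROM_INTERNAL="yes"
FW_SERVICES_INT_TCP="139"
FW_SERVICES_INT_UDP="137 138"'

# Constructed sample: the broad alternative (no protection from the LAN).
SAMPLE_OPEN='FW_PROTECT_FROM_INTERNAL="no"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""'

# cfg_get CONFIG_TEXT KEY -> prints KEY's value with optional quotes removed.
# The last assignment wins, as it would when the file is sourced by a shell.
cfg_get() {
    printf '%s\n' "$1" |
        sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" |
        tail -n 1
}

# int_allowed CONFIG_TEXT PROTO PORT -> 0 if allowed, 1 if blocked,
# 2 if PROTO is neither tcp nor udp. Tokens are compared literally, so a
# service name such as "ftp" only matches if it is written the same way.
int_allowed() {
    cfg=$1; proto=$2; port=$3
    if [ "$(cfg_get "$cfg" FW_PROTECT_FROM_INTERNAL)" = "no" ]; then
        return 0                      # everything on the LAN side is reachable
    fi
    case $proto in
        tcp) list=$(cfg_get "$cfg" FW_SERVICES_INT_TCP) ;;
        udp) list=$(cfg_get "$cfg" FW_SERVICES_INT_UDP) ;;
        *)   return 2 ;;
    esac
    for p in $list; do
        if [ "$p" = "$port" ]; then
            return 0
        fi
    done
    return 1
}

# Report what each sample exposes to the LAN for Samba and for Webmin (10000).
for probe in "tcp 139" "udp 137" "udp 138" "tcp 10000"; do
    set -- $probe
    int_allowed "$SAMPLE_STRICT" "$1" "$2" && s=open || s=blocked
    int_allowed "$SAMPLE_OPEN" "$1" "$2" && o=open || o=blocked
    echo "$2/$1: strict=$s, protect_from_internal=no: $o"
done
```

With the strict sample, Samba is reachable from the LAN while port 10000 stays closed; with FW_PROTECT_FROM_INTERNAL="no" every listening service on the box is exposed to the internal interface.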
Thanks Stuart, but I have cheated and bolted firestarter on the front and that does all the thinking for me. Regards, David On Mon, 10 Dec 2001 09:27:33 +0800, Joe & Sesil Morris (NTM) wrote:
David wrote:
Hi Stuart,
Bit lost with that. Had a poke around but did not seem to make any difference. I am using Samba for the LAN, not sure what that uses
David, I'm not sure if this will give any clues, and since I am not using Firewall2 (I am using SuSEFirewall [1]), I can't be sure exactly how much may have changed, but...
Check Dev_World (i.e. internet facing interface[s])
DEV_INT (LAN facing interface)
answer yes to FW_Route and FW_Masquerading (assuming you have one IP you will masquerade for your LAN)
Check FW_MASQ_NETS (this is where I think you might have missed it, this should either be the whole subnet, i.e. 192.168.1.0/24, or a machine's address, i.e. 192.168.0.4)
Choose which ports you need to open with FW_Services_External (i.e. internet side) and Internal (LAN side) for both UDP and TCP.
FW_ALLOW_INCOMING_HIGHPORTS_TCP I have set to ftp-data, UDP to yes
With Firewall 1, you need to set the Services DNS, DHCP, and DHclient separately, which you should set depending on your setup.
For a dial-up connection, you need to add a line to restart the firewall in ip-up (i.e. /sbin/SuSEFirewall). I believe this is basically the same as the third boot script. This is needed to load the rules for the new ppp interface that was non-existent when the firewall originally loaded.
This has worked like a dream for me. HTH, YMMV.
-- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: www.mydestiny.net/~joe_morris Registered Linux user 231871 "We can stand affliction better than we can prosperity, for in prosperity we forget God." --Dwight Lyman Moody
Hello again.
It also occurred to me that there is a parameter to enter trusted hosts, which are granted access to services. I haven't used that parameter myself, so I can't guarantee that it is what you need, but it is probably worth investigating.
Bye for now, Stuart.
-----Original Message-----
From: David [mailto:dg@stanwater.fsnet.co.uk]
Sent: 09 December 2001 17:29
To: Suse mail list
Subject: Re: [SLE] Suse Firewall2 allowing LAN to connect
Thanks Jaakko
However that does not work. I could not find that line in firewall2.rc.config to edit, so I put it in, but no go.
There are 2 lines there that I thought would do it.
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
I set both to no but it won't allow a connection. I stopped and started the firewall after each alteration. With it off access is allowed, so it is only the firewall stopping it.
Regards, David
On Sun, 9 Dec 2001 15:26:09 +0200, Jaakko Tamminen wrote:
Hi
Protect_from_local=no
Jaska.
On Sunday 9 December 2001 15:15, David wrote:
What is the setting in Suse Firewall 2 that allows a Win computer to connect to it. I have looked in the examples and have put in the example 3 but the Win box is still blocked. Masquerading is enabled in rc-config. The address has been put into the firewall2.rc.config. Setup is direct cable connection (x-over) on Ethernet cards. Dial up modem.
What else is needed please?
Regards,
David
Did you set up your Ruindows boxes with automatic address in TCP/IP? In SuSEfirewall2 you must include in FW_MASQ_NETS="192.168.x.x/16" so that all your private network can catch your server ip address. But first take a look at your ruindows machines, and change the TCP/IP setup: no address configured, but automatic. I hope this would be right for you!
Alejandro Ortega.
On Sun, 09-12-2001 at 14:15, David wrote:
What is the setting in Suse Firewall 2 that allows a Win computer to connect to it. I have looked in the examples and have put in the example 3 but the Win box is still blocked. Masquerading is enabled in rc-config. The address has been put into the firewall2.rc.config. Setup is direct cable connection (x-over) on Ethernet cards. Dial up modem.
What else is needed please?
Regards, David
hudibras@rootsistemas.com
participants (6)
- Alejandro Ortega Paez
- Bruce Marshall
- David
- Jaakko Tamminen
- Joe & Sesil Morris (NTM)
- Stuart Powell