SuSe Firewalling and protecting against hackers
Dear Gurus,

I am using SuSe 7.1 and I would like to configure the firewall for this server machine. I edit the file /etc/rc.config.d/firewall.rc.config like the following:

START_FW="yes"
FW_DEV_INT="eth0"
FW_DEV_EXT="eth1"
FW_ROUTE="yes"
FW_SERVICES_EXT_TCP="25 80"
FW_SERVICES_INT_TCP="22 25 53 80 110 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"

I would like to open SMTP, WWW for outsiders and open SSH, SMTP, DNS, WWW, POP3, SQUID for the LAN. Is my configuration above correct? What is the better solution/method to protect the server from being hacked by the hacker (they always scan my server's ports)?

Thank you so much for your assistance.

Regards,
Choth
Hi

This seems to be okay for now. Just make sure that You have upgraded to the latest version of ipchains, so all known security holes are blocked.

Also comment out all unnecessary services in /etc/inetd.conf (like telnet etc.), and restart the inetd daemon: "kill -HUP <inetd-daemon pid number>"

Jaska.
Dear Gurus,

When I do what I said and then I fire the following command:

$ /sbin/SuSEfirewall start

it says:

The firewall script needs to know the external (internet) interface!
SuSEfirewall: clearing rules now ... done

How to clear the firewall? I mean, when I use ipchains I fire the commands:

$ ipchains -F
$ ipchains -X

But what about SuSe, is it

$ /sbin/SuSEfirewall stop

How can I know that when I use this firewall my ports are not open to the outside world again? Thank you so much for your assistance.

Regards,
Choth
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
On Tue, 01 Oct 2002 17:27:17 +0700, PUTH CHAN CHOTH wrote:

> When I do what I said and then I fire the following command: $ /sbin/SuSEfirewall start and it says: The firewall script needs to know the external (internet) interface! SuSEfirewall: clearing rules now ... done

Are you using SuSEfirewall2? Your firewall.rc.config looks like a firewall2 config, yet you are talking about ipchains instead of iptables. Maybe you should switch to SuSEfirewall2? You will probably get more help from the list, as it is what almost everyone is using now. I'm using 7.2 currently and SuSEfirewall2 works on it with a 2.4xx kernel.

> How to clear the firewall, I means when I use ipchains I fire the command: $ipchains -F $ipchains -X But what about SuSe is it $ /sbin/SuSEfirewall stop

--
use Perl; #powerful programmable prestidigitation
Hi

In Your previous e-mail You said:

> FW_DEV_EXT="eth1"

So the external interface is defined... Maybe You need to run "SuSEconfig" as root, and then try again.

If You want to stop the firewall, it is best done with "SuSEfirewall stop". There is nothing against "flushing" the rules manually with the "-F" option, but the script is only one simple command. It actually uses "-F" for clearing the firewall rules.

If You want to check the firewall, one good place is http://www.grc.com: select "shields up", then again find "shields up", then select "test my shields", wait for the output, and also run "probe my ports". This will give You quite a good indication of Your protection level.

But to go deeper into protecting Your system, this is just the beginning...

Enjoy!
Jaska.
Dear Gurus,
When I log in as root and fire the command SuSEconfig and then I see like the
following:
Started the SuSE-Configuration Tool.
Running in full featured mode.
Reading /etc/rc.config and updating the system...
XFree86 not configured yet! No graphical login. Check /etc/X11/XF86Config or
/etc/XF86Config.
Executing /sbin/conf.d/SuSEconfig.alljava...
Executing /sbin/conf.d/SuSEconfig.alsa...
Executing /sbin/conf.d/SuSEconfig.apache...
Executing /sbin/conf.d/SuSEconfig.fonts...
Updating fonts.scale for truetype
Updating fonts.scale for CID
Executing /sbin/conf.d/SuSEconfig.groff...
Executing /sbin/conf.d/SuSEconfig.java...
Executing /sbin/conf.d/SuSEconfig.kdm2...
Executing /sbin/conf.d/SuSEconfig.pam...
Executing /sbin/conf.d/SuSEconfig.pcmcia...
Executing /sbin/conf.d/SuSEconfig.perl...
Executing /sbin/conf.d/SuSEconfig.profiles...
Executing /sbin/conf.d/SuSEconfig.sendmail...
ATTENTION: You have modified /etc/sendmail.cf. Leaving it untouched...
You can find my version in /etc/sendmail.cf.SuSEconfig...
Executing /sbin/conf.d/SuSEconfig.susehilf...
Executing /sbin/conf.d/SuSEconfig.susewm...
Executing /sbin/conf.d/SuSEconfig.ypclient...
Processing index files of all manpages...
Finished.
And then when I fire the command: /sbin/SuSEfirewall start and then I see like the
following:
The firewall script needs to know the external (internet) interface!
SuSEfirewall: clearing rules now ... done
My eth1 is connected to the Internet and eth0 is connected to the LAN. I would
like to configure my firewall and can let the LAN be able to use Squid on port
3128, WWW:80, SMTP:25, POP3:110, SSH:22 and let the outsider to be able to access
only WWW:80, SMTP:25.
My /etc/rc.config.d/firewall.rc.config is like the following:
# Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Marc Heuse
* PUTH CHAN CHOTH; on 02 Oct, 2002 wrote:

> The firewall script needs to know the external (internet) interface!

Define the FW_DEV_WORLD variable (there is no commenting out in the SuSEfirewall script; you either use the choices "yes" or "no", or define the interfaces, i.e. "eth0" "ppp0", and write the services "25" or "smtp").

> SuSEfirewall: clearing rules now ... done
> My eth1 is connected to the Internet and eth0 is connected to the LAN. I would like to configure my firewall and can let the LAN be able to use Squid on port 3128, WWW:80, SMTP:25, POP3:110, SSH:22 and let the outsider to be able to access only WWW:80, SMTP:25.
> # 1.) # Should the Firewall be started? # # This setting is done in /etc/rc.config (START_FW="yes") ################# #START_FW="yes" I have already configured START_FW="yes" in /etc/rc.config so I commented this out

START_FW="yes"

> # 2.) # #FW_DEV_WORLD="" #######################

Why do you comment it out? The script has to read this variable:
FW_DEV_WORLD="eth1"

> # 3.) # Which is the interface that points to the internal network? # # Enter all the network devices here which are trusted. # If you are not connected to a trusted network (e.g. you have just a # dialup) leave this empty. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1" or "" # FW_DEV_INT="" ###########################

Why do you comment it out? The script has to read this variable:
FW_DEV_INT="eth0"

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Dear Gurus,

Well, I would like to give all my /etc/rc.config.d/firewall.rc.config like the following:

START_FW="yes"
FW_DEV_WORLD="eth1"
FW_DEV_INT="eth0"
FW_DEV_EXT="eth1"
FW_ROUTE="yes"
FW_SERVICES_EXT_TCP="25 80"
FW_SERVICES_INT_TCP="22 25 53 80 110 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

And then when I type:

SuSEfirewall start

my LAN cannot access the Internet and I do not know why. Would you mind telling me what I can do to make this firewall up and running? Thank you so much for your assistance.

Best regards,
Choth
* PUTH CHAN CHOTH; on 02 Oct, 2002 wrote:

> START_FW="yes" FW_DEV_WORLD="eth1" FW_DEV_INT="eth0" FW_DEV_EXT="eth1" FW_ROUTE="yes" FW_SERVICES_EXT_TCP="25 80" FW_SERVICES_INT_TCP="22 25 53 80 110 3128" FW_SERVICES_INT_UDP="53" FW_SERVICE_DNS="yes" FW_STOP_KEEP_ROUTING_STATE="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

FW_MASQ="yes"
FW_MASQ_NETS=" " # fill with your local net addressing, i.e. 192.168.1.0/24

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Dear Gurus,

Thank you so much for your reply. I do all the things that you tell me but my LAN cannot access the Internet again. Would you mind telling how can I do it next? Thank you so much for your assistance. This is what I did:

START_FW="yes"
FW_DEV_WORLD="eth1"
FW_DEV_INT="eth0"
FW_DEV_EXT="eth1"
FW_ROUTE="yes"
FW_SERVICES_EXT_TCP="25 80"
FW_SERVICES_INT_TCP="22 25 53 80 110 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_MASQ="yes"
FW_MASQ_NETS="192.168.1.0/24" # My LAN is 192.168.1.0/24

Best regards,
Choth
Hi

One addendum:

IP_FORWARD=yes

Also check FW_SERVICE_DHCLIENT=yes in /etc/sysconfig/SuSEfirewall2

Do the change with yast2, and it will automatically run SuSEconfig for you.

Jaska.
* jaakko tamminen; on 02 Oct, 2002 wrote:

> Hi
> One addendum: IP_FORWARD=yes Also check FW_SERVICE_DHCLIENT=yes in /etc/sysconfig/SuSEfirewall2

He is using susefirewall 4.6, which is ipchains, and using SuSE 7.1, so no /etc/sysconfig.

And no TO nor CC please, let me grab my own copy from the mailserver.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi

Sorry, forgot that he was using the older distro, and sorry for my speedy rat-finger, so my eyes did not catch You on the receiver list...

Jaska.
Dear Gurus,

I do not see that I have this file /etc/sysconfig/SuSEfirewall2. What can I do to have this file? Thank you so much for your assistance.

Best regards,
Choth
Hi

As You have the older distro, You don't have this file, and You don't need it. Please start "yast", select "system administration", then select "change configuration file", and do the changes. Network should start working...

Jaska.

Ps. the changes were:

IP_FORWARD=yes
Also check FW_SERVICE_DHCLIENT=yes
* PUTH CHAN CHOTH;

> Thank you so much for your reply. I do all the things that you tell me but my LAN cannot access the Internet again. Would you mind telling how can I do it next? Thank you so much for your assistance.

One thing I am 99 % sure of is that you have not bothered to read /etc/rc.config.d/firewall.rc.config and you want us to feed you with the fish for today and tomorrow. Read and complete item 6 in the above mentioned file and you should be able to reach the internet. If you are using squid for proxy, make sure you have configured that also.

And let me grab my own copy from the mailserver, no CC nor TO nor BCC please.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
PUTH CHAN CHOTH wrote:

> Well, I would like to give all my /etc/rc.config.d/firewall.rc.config like the following:
> START_FW="yes" FW_DEV_WORLD="eth1" FW_DEV_INT="eth0" FW_DEV_EXT="eth1" FW_ROUTE="yes" FW_SERVICES_EXT_TCP="25 80" FW_SERVICES_INT_TCP="22 25 53 80 110 3128" FW_SERVICES_INT_UDP="53" FW_SERVICE_DNS="yes" FW_STOP_KEEP_ROUTING_STATE="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> And then when I type: SuSEfirewall start and then my LAN cannot access to the Internet and I do not know why? Would you mind to tell me what can I do to make this firewall up and running? Thank you so much for your assistance.

You should also be masquerading, and it needs to know what network it is masq. Comments are for reading. ;-)

--
Joe & Sesil Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Web Address: http://www.mydestiny.net/~joe_morris
Registered Linux user 231871
God said, I AM that I AM. I say, by the grace God, I am what I am.
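
The configuration problems raised in the replies above (a missing or commented-out FW_DEV_WORLD, routing without masquerading, an empty FW_MASQ_NETS), together with a check of the externally opened TCP ports against the intended list, can be caught before starting the firewall. The script below is an added example, not part of the thread and not SuSE's code; the variable meanings are taken from the replies, while the function names and the sample config (including its external port 22) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not SuSE's code. Values are read with sed, never sourced,
# so the file under review is not executed.

# fw_get FILE VAR: value of the last uncommented VAR=... line ("" if none).
fw_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\).*/\1/p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# fw_has LIST ITEM: succeed if ITEM is a word in the space-separated LIST.
fw_has() {
    for w in $1; do
        if [ "$w" = "$2" ]; then return 0; fi
    done
    return 1
}

# fw_lint FILE [ALLOWED_EXT_TCP]: one finding per line; status 1 if any.
fw_lint() {
    f=$1; allowed=${2:-"25 80"}; bad=0
    world=$(fw_get "$f" FW_DEV_WORLD); int=$(fw_get "$f" FW_DEV_INT)
    ext=$(fw_get "$f" FW_DEV_EXT)
    if [ -z "$world" ]; then
        echo "FW_DEV_WORLD is unset or commented out: no external interface"; bad=1
        if [ -n "$ext" ]; then
            echo "FW_DEV_EXT=$ext is set, but the replies say FW_DEV_WORLD is read"
        fi
    fi
    for i in $world; do
        if fw_has "$int" "$i"; then
            echo "$i is listed as both external and internal"; bad=1
        fi
    done
    if [ "$(fw_get "$f" FW_ROUTE)" = yes ] && [ -n "$int" ]; then
        if [ "$(fw_get "$f" FW_MASQ)" != yes ]; then
            echo "FW_ROUTE=yes without FW_MASQ=yes: LAN is routed, not masqueraded"; bad=1
        elif [ -z "$(fw_get "$f" FW_MASQ_NETS)" ]; then
            echo "FW_MASQ=yes but FW_MASQ_NETS is empty: nothing to masquerade"; bad=1
        fi
    fi
    for p in $(fw_get "$f" FW_SERVICES_EXT_TCP); do
        if ! fw_has "$allowed" "$p"; then
            echo "tcp/$p is open to the outside but not in the intended list ($allowed)"; bad=1
        fi
    done
    return $bad
}

# Constructed sample: the first config posted in the thread, with port 22
# added to the external list (not from the thread) to show the port check.
fw_sample() {
    printf '%s\n' 'START_FW="yes"' 'FW_DEV_INT="eth0"' 'FW_DEV_EXT="eth1"' \
        'FW_ROUTE="yes"' 'FW_SERVICES_EXT_TCP="22 25 80"' \
        'FW_SERVICES_INT_TCP="22 25 53 80 110 3128"' 'FW_SERVICES_INT_UDP="53"'
}

tmp=$(mktemp); fw_sample > "$tmp"
fw_lint "$tmp" || echo "findings reported for the sample config"
rm -f "$tmp"
```

A clean lint result only means these specific points are filled in; it does not show that the firewall passes traffic, which still has to be tested from the LAN and from outside.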
participants (5): jaakko tamminen, Joe & Sesil Morris (NTM), PUTH CHAN CHOTH, Togan Muftuoglu, zentara