On Tue, 01 Oct 2002 17:27:17 +0700 PUTH CHAN CHOTH wrote:

When I do what I said and then I fire the following command: $ /sbin/SuSEfirewall start and it says: The firewall script needs to know the external (internet) interface! SuSEfirewall: clearing rules now ... done

Are you using SuSEfirewall2? Your firewall.rc.config looks like a firewall2 config, yet you are talking about ipchains instead of iptables. Maybe you should switch to SuSEfirewall2? You will probably get more help from the list, as it is what almost everyone is using now. I'm using 7.2 currently and SuSEfirewall2 works on it with a 2.4xx kernel.

How to clear the firewall, I means when I use ipchains I fire the command: $ipchains -F $ipchains -X But what about SuSe is it $ /sbin/SuSEfirewall stop

...

...

server machine. I edit the file /etc/rc.config.d/firewall.rc.config like the following:

START_FW="yes" FW_DEV_INT="eth0" FW_DEV_EXT="eth1" FW_ROUTE="yes" FW_SERVICES_EXT_TCP="25 80" FW_SERVICES_INT_TCP="22 25 53 80 110 3128" FW_SERVICES_INT_UDP="53" FW_SERVICE_DNS="yes" FW_STOP_KEEP_ROUTING_STATE="yes"

-- use Perl; #powerful programmable prestidigitation

Dear Gurus, When I log in as root and fire the command SuSEconfig and then I see like the following: Started the SuSE-Configuration Tool. Running in full featured mode. Reading /etc/rc.config and updating the system... XFree86 not configured yet! No graphical login. Check /etc/X11/XF86Config or /etc/XF86Config. Executing /sbin/conf.d/SuSEconfig.alljava... Executing /sbin/conf.d/SuSEconfig.alsa... Executing /sbin/conf.d/SuSEconfig.apache... Executing /sbin/conf.d/SuSEconfig.fonts... Updating fonts.scale for truetype Updating fonts.scale for CID Executing /sbin/conf.d/SuSEconfig.groff... Executing /sbin/conf.d/SuSEconfig.java... Executing /sbin/conf.d/SuSEconfig.kdm2... Executing /sbin/conf.d/SuSEconfig.pam... Executing /sbin/conf.d/SuSEconfig.pcmcia... Executing /sbin/conf.d/SuSEconfig.perl... Executing /sbin/conf.d/SuSEconfig.profiles... Executing /sbin/conf.d/SuSEconfig.sendmail... ATTENTION: You have modified /etc/sendmail.cf. Leaving it untouched... You can find my version in /etc/sendmail.cf.SuSEconfig... Executing /sbin/conf.d/SuSEconfig.susehilf... Executing /sbin/conf.d/SuSEconfig.susewm... Executing /sbin/conf.d/SuSEconfig.ypclient... Processing index files of all manpages... Finished. And then when I fire the command: /sbin/SuSEfirewall start and then I see like the following: The firewall script needs to know the external (internet) interface! SuSEfirewall: clearing rules now ... done My eth1 is connected to the Internet and eth0 is connected to the LAN. I would like to configure my firewall and can let the LAN be able to use Squid on port 3128, WWW:80, SMTP:25, POP3:110, SSH:22 and let the outsider to be able to access only WWW:80, SMTP:25. My /etc/rc.config.d/firewall.rc.config is like the following: # Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany. All rights reserved. # # Author: Marc Heuse , 1999,2000 # Please contact me directly if you find bugs. # # If you have problems getting this tool configures, please read this file # carefuly and take also a look into /usr/share/doc/packages/SuSEfirewall/EXAMPLES ! # # If you are running SuSE < 7.0 then copy the ip-up script from # /usr/share/doc/packages/SuSEfirewall/ip-up to /etc/ppp/ip-up ! # # /etc/rc.config.d/firewall.rc.config # # for use with /sbin/SuSEfirewall version 4.2 # # ------------------------------------------------------------------------ # # PLEASE NOTE THE FOLLOWING: # # Just by configuring these settings and using the SuSEfirewall you are # not secure per se! There is *not* such a thing you install and hence you # are safed from all (security) hazards. # # To ensure your security, you need also: # # * Secure all services you are offering to untrusted networks (internet) # You can do this by using software which has been designed with # security in mind (like postfix, apop3d, ssh), setting these up without # misconfiguration and praying, that they have got really no holes. # SuSEcompartment can help in most circumstances to reduce the risk. # * Do not run untrusted software. (philosophical question, can you trust # SuSE or any other software distributor?) # * Harden your server(s) with the harden_suse package/script # * Recompile your kernel with the openwall-linux kernel patch # (former secure-linux patch, from Solar Designer) www.openwall.com # * Check the security of your server(s) regulary # * If you are using this server as a firewall/bastion host to the internet # for an internal network, try to run proxy services for everything and # disable routing on this machine. # * If you run DNS on the firewall: disable untrusted zone transfers and # either don't allow access to it from the internet or run it split-brained. # # Good luck! # # Yours, # SuSE Security Team # # ------------------------------------------------------------------------ # # Note: For 2.4 kernels, you need to have ipchains support enabled. # Compile it statically into the kernel or have the ipchains module # loaded. The SuSEfirewall_init script tries to do it for you. # # ------------------------------------------------------------------------ # Configuration HELP: # # If you have got any problems configuring this file, take a look at # /usr/share/doc/packages/SuSEfirewall/EXAMPLES for an example. # # # All types have to set START_FW in /etc/rc.config to "yes" ;-) # # If you are running SuSE <= 6.4 then copy the ip-up script from # /usr/share/doc/packages/SuSEfirewall/ip-up to /etc/ppp/ip-up ! # # If you are a end-user who is NOT connected to two networks you just have to # reconfigure (all other settings are OK): 2), and maybe 9), 11), and 18). # # If this server is a firewall, which should act like a proxy (no direct # routing between both networks), or you are end end-user connected to the # internet and to a internal network, you have to setup your proxys and # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 10), 11) # 12), 14) and 18). # # If this server is a firewall, and should do routing/masquerading between # the untrusted and the trusted network, you have to reconfigure (all other # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 15), 18). # # If you want to run a DMZ in either of the above three standard setups, you # just have to config 4), 9), 13) and maybe 19). # # If you know what you are doing, you may also change 8), 16), 17), 18) # and the expert options 20), 21), 22) at the far end, but you should NOT. # # If you use diald or ISDN autodialing, you might want to set 18). # # To get programs like traceroutes to your firewall to work is a bit tricky, # you have to set the following options to "yes" : 11 (UDP only), 19 and 20. # # If you want to load the full firewall rules for an interface even if it's not # available, configure a static IP and netmask (see 2, 3 and 4 for an example). # # Please note that if you use service names, that they exist in /etc/services. # There is no service "dns", it's called "domain"; email is called "smtp" etc. # # *Any* routing between interfaces except masquerading requires to set FW_ROUTE # to "yes" and use FW_FORWARD_TCP and/or FW_FORWARD_UDP. # # If you just want to do masquerading without filtering, ignore this script # and run this line (exchange "ippp0" with your masquerade/external interface): # ipchains -A forward -j MASQ -i ippp0 # # ------------------------------------------------------------------------ # # 1.) # Should the Firewall be started? # # This setting is done in /etc/rc.config (START_FW="yes") ################# #START_FW="yes" I have already configured START_FW="yes" in /etc/rc.config so I commented this out ################# # # 2.) # Which is the interface that points to the internet? # # Enter all the network devices here which are untrusted. # # Choice: any number of devices, seperated by a space # e.g. "eth0", "ippp0 ippp1" # #FW_DEV_WORLD="" ####################### #FW_DEV_WORLD="eth1" ####################### # # You *may* configure a static IP and netmask to force rule loading even if the # interface is not up and running: set a variable called # FW_DEV_WORLD_[device]="IP_ADDRESS NETMASK" # see below for an example. Otherwise automatic detection is done. # You will still need to set FW_DEV_WORLD first! # #FW_DEV_WORLD_ippp0="10.0.0.1 255.255.255.0" # e.g. for exernal interface ippp0 # # 3.) # Which is the interface that points to the internal network? # # Enter all the network devices here which are trusted. # If you are not connected to a trusted network (e.g. you have just a # dialup) leave this empty. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1" or "" # FW_DEV_INT="" ########################### #FW_DEV_INT="eth0" ########################### # # You may configure a static IP and netmask to force rule loading even if the # interface is not up and running: set a variable called # FW_DEV_INT_[device]="IP_ADDRESS NETMASK" # see below for an example. Otherwise automatic detection is done. # You will still need to set FW_DEV_INT first! # #FW_DEV_INT_eth0="192.168.1.1 255.255.255.0" # e.g. for internal interface eth0 ############################################## #FW_DEV_INT_eth0="192.168.110.2 255.255.255.0" ############################################## # # 4.) # Which is the interface that points to the dmz network? # # Enter all the network devices here which point to the dmz. # A "dmz" is a special, seperated network, which is only connected to the # firewall, and should be reachable from the internet to provide services, # e.g. WWW, Mail, etc. and hence are at risk from attacks. # See /usr/share/doc/packages/SuSEfirewall/EXAMPLES for an example. # # Special note: You have to configure FW_FORWARD_TCP and FW_FORWARD_UDP to # define the services which should be available to the internet and set # FW_ROUTE to yes. # Very special note: servers/networks in FW_MASQ_NETS may access the DMZ to # the same extent they are allowed to access the internet! No FW_FORWARD_* # needed ... # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1" or "" # FW_DEV_DMZ="" # # You may configure a static IP and netmask to force rule loading even if the # interface is not up and running: set a variable called # FW_DEV_INT_[device]="IP_ADDRESS NETMASK" # see below for an example. Otherwise automatic detection is done. # You will still need to set FW_DEV_DMZ first! # #FW_DEV_DMZ_eth1="192.168.1.1 255.255.255.0" # e.g. for dmz interface eth1 # # 5.) # Should routing between the internet, dmz and internal network be activated? # REQUIRES: FW_DEV_INT or FW_DEV_DMZ # # You need only set this to yes, if you either want to masquerade internal # machines or allow access to the dmz (or internal machines, but this is not # a good idea). This option supersedes IP_FORWARD from /etc/rc.config! # # Setting this option one alone doesn't do anything. Either activate # massquerading with FW_MASQUERADE below if you want to masquerade your # internal network to the internet, or configure FW_FORWARD_TCP and/or # FW_FORWARD_UDP to define what is allowed to be forwarded! # # Choice: "yes" or "no", defaults to "no" # FW_ROUTE="no" # # 6.) # Do you want to masquerade internal networks to the outside? # REQUIRES: FW_DEV_INT, FW_ROUTE # # "Masquerading" means that all your internal machines which use services on # the internet seem to come from your firewall. # Please note that it is more secure to communicate via proxies to the # internet than masquerading # # Choice: "yes" or "no", defaults to "no" # FW_MASQUERADE="no" # # Which internal computers/networks are allowed to access the internet # directly (not via proxys on the firewall)? # Only these networks will be allowed access and will be masqueraded! # # Please note this config changed in firewals-2.3: You may either use just # hosts/nets to allow all traffic from them to the internet, or use an extended # syntax, to restrict internet access to certain services! # # Choice: leave empty or any number of hosts/networks seperated by a space. # Every host/network may get a list of allowed services, otherwise everything # is allowed. A protocol and service is appended by a comma to the host/network. # e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with unrestricted access # "10.0.1.0/24,tcp,80 10.0.1.0/24,tcp,21" allows the 10.0.1.0 network to use # www/ftp to the internet. "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too. # You may NOT set this variable to "0/0" ! # FW_MASQ_NETS="" # # If you want (and you should) you may also set the FW_MASQ_DEV option, to # specify the outgoing interface to masquerade on. (You would normally use # the external interface(s), the FW_DEV_WORLD device(s), e.g. "ippp0") # FW_MASQ_DEV="$FW_DEV_WORLD" # e.g. "ippp0" or "$FW_DEV_WORLD" # # 7.) # Do you want to protect the firewall from the internal network? # REQUIRES: FW_DEV_INT # # If you set this to "yes", internal machines may only access services on # the machine you explicitly allow. They will be also affected from the # FW_AUTOPROTECT_GLOBAL_SERVICES option. # If you set this to "no", any user can connect (and attack) any service on # the firewall. # # Choice: "yes" or "no", defaults to "yes" # FW_PROTECT_FROM_INTERNAL="yes" ############################## #FW_PROTECT_FROM_INTERNAL="no" ############################## # # 8.) # Do you want to autoprotect all global running services? # # If set to "yes", all network access to services TCP and UDP on this machine # which are not bound to a special IP address will be prevented (except to # those which you explicitly allow, see below: FW_*_SERVICES_*) # Example: "0.0.0.0:23" would be protected, but "10.0.0.1:53" not. # # Choice: "yes" or "no", defaults to "yes" # ########################## #FW_AUTOPROTECT_GLOBAL_SERVICES="yes" # "yes" is a good choice ############################### # # 9.) # Which services ON THE FIREWALL should be accessible from either the internet # (or other untrusted networks), the dmz or internal (trusted networks)? # (see no.13 & 14 if you want to route traffic through the firewall) # # Enter all ports or known portnames below, seperated by a space. # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP. # e.g. if a webserver on the firewall should be accessible from the internet: # FW_SERVICES_EXTERNAL_TCP="www" # e.g. if the firewall should receive syslog messages from the dmz: # FW_SERVICES_DMZ_UDP="syslog" # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols) # # Choice: leave empty or any number of ports, known portnames (from # /etc/services) and port ranges seperated by a space. Port ranges are # written like this, from 1 to 10: "1:10" # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514" # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2") # FW_SERVICES_EXTERNAL_TCP="" # Common: smtp domain FW_SERVICES_EXTERNAL_UDP="" # Common: domain FW_SERVICES_EXTERNAL_IP="" # For VPN/Routing which END at the firewall!! # FW_SERVICES_DMZ_TCP="" # Common: smtp domain FW_SERVICES_DMZ_UDP="" # Common: domain syslog FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!! # FW_SERVICES_INTERNAL_TCP="" # Common: ssh smtp domain FW_SERVICES_INTERNAL_UDP="" # Common: domain syslog FW_SERVICES_INTERNAL_IP="" # For VPN/Routing which END at the firewall!! # # 10.) # Which services should be accessible from trusted hosts/nets on the internet? # # Define trusted networks on the internet, and the TCP and/or UDP services # they are allowed to use. # # Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or # networks, seperated by a space. e.g. "172.20.1.1", "172.20.0.0/16" # #FW_TRUSTED_NETS="" ################################### #FW_TRUSTED_NETS="192.168.110.0/24" ################################### # # leave FW_SERVICES_TRUSTED_* empty or any number of ports, known portnames # (from /etc/services) and port ranges seperated by a space. # e.g. "25", "ssh", "1:65535", "1 3:5" # FW_SERVICES_TRUSTED_TCP="" # Common: ssh FW_SERVICES_TRUSTED_UDP="" # Common: syslog time ntp FW_SERVICES_TRUSTED_IP="" # For VPN/Routing which END at the firewall!! # # 11.) # How is access allowed to high (unpriviliged [above 1023]) ports? # # You may either allow everyone from anyport access to your highports ("yes"), # disallow anyone ("no"), anyone who comes from a defined port (portnumber or # known portname) [note that this is easy to circumvent!], or just your # defined nameservers ("DNS"). # Note that if you want to use normal (active) ftp, you have to set the TCP # option to ftp-data. If you use passive ftp, you don't need that. # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root # from a firewall using this script (well, you can if you include range # 600:1023 in FW_SERVICES_EXTERNAL_UDP ...). # # Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no" # FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" # Common: "ftp-data" (sadly!) FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" # Common: "DNS" or "domain ntp" # # 12.) # Are you running some of the services below? # They need special attention - otherwise they won´t work! # # Set services you are running to "yes", all others to "no", defaults to "no" # FW_SERVICE_DNS="no" # if yes, FW_SERVICES_*_TCP needs to have port 53 # (or "domain") set to allow incoming queries. # also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes" FW_SERVICE_DHCLIENT="no" # if you use dhclient to get an ip address # you have to set this to "yes" ! FW_SERVICE_DHCPD="no" # set to "yes" if this server is a DHCP server FW_SERVICE_SAMBA="no" # set to "yes" if this server uses samba as client # or server. As a server, you still have to set # FW_SERVICES_{WORLD,DMZ,INT}_TCP="139" # Everyone may send you udp 137/138 packets if set # to yes! (samba on the firewall is not a good idea!) # # 13.) # Which services accessed from the internet should be allowed to the # dmz (or internal network - if it is not masqueraded)? # REQUIRES: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must have valid, non-private, IP addresses which were assigned to # you by your ISP. This opens a direct link to your network, so only use # this option for access to your dmz!!!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forwarding rules, seperated each by a space. # A forwarding rule consists of 1) source IP/net, 2) destination IP (dmz/intern) # and 3) destination port (or IP protocol), seperated by a comma (","), e.g. # "4.0.0.0/8,1.1.1.1,22" [means: net 4.0.0.0 with netmask 255.0.0.0 is # allowed to connect to the single server 1.1.1.1 on port 22 (which is SSH)] # "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22" # For FW_FORWARD_IP it is "4.0.0.0/8,1.1.1.1,igmp" or "4.0.0.0/8,1.1.1.1,1" # FW_FORWARD_TCP="" # Beware to use this! FW_FORWARD_UDP="" # Beware to use this! FW_FORWARD_IP="" # Beware to use this! # # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? # REQUIRES: FW_ROUTE, FW_MASQUERADE # # With this option you may allow access to e.g. your mailserver. The # machines must be in a masqueraded segment and may not have public IP addesses! # Hint: if FW_DEV_MASQ is set to the external interface you have to set # FW_FORWARD_* from internal to DMZ for the service as well! # # Please note that this should *not* be used for security reasons! You are # opening a hole to your precious internal network. If e.g. the webserver there # is compromised - your full internal network is compromised!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forward masquerade rules, seperated each by a space. # A forward masquerade rule consists of 1) source IP/net, 2) destination IP # (dmz/intern) and 3) destination port, seperated by a comma (","), e.g. # "4.0.0.0/8,1.1.1.1,22", # "4.4.4.4/12,20.20.20.20,22 12.12.12.12/12,20.20.20.20,22" # FW_FORWARD_MASQ_TCP="" # Beware to use this! FW_FORWARD_MASQ_UDP="" # Beware to use this! # it is not possible to masquerade other IP protocols, hence no _IP variable # # 15.) # Which accesses to services should be redirected to a localport on the # firewall machine? # # This can be used to force all internal users to surf via your squid proxy, # or transparently redirect incoming webtraffic to a secure webserver. # # Choice: leave empty or use the following explained syntax of redirecting # rules, seperated by a space. # A redirecting rule consists of 1) source IP/net, 2) destination IP/net, # 3) original destination port and 4) local port to redirect the traffic to, # seperated by a colon. e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080" # FW_REDIRECT_TCP="" FW_REDIRECT_UDP="" #####################################################FW_REDIRECT_TCP="192.168.110.0/24,0/0,80,3128 0/0,192.168.110.2,80,3128" #FW_REDIRECT_TCP="192.168.110.0/24,0/0,3128,3128" ##################################################### # 16.) # Which logging level should be enforced? # You can define to log packets which were accepted or denied. # You can also the set log level, the critical stuff or everything. # Note that logging *_ALL is only for debugging purpose ... # # Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes", # FW_LOG_*_ALL defaults to "no" # FW_LOG_DENY_CRIT="yes" FW_LOG_DENY_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" # # 17.) # Do you want to enable additional kernel TCP/IP security features? # If set to yes, some obscure kernel options are set. # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate, # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate, # ip_local_port_range, log_martians, mc_forwarding, mc_forwarding, # rp_filter, routing flush) # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it # if everything still works. (It should!) ;-) # # Choice: "yes" or "no", defaults to "yes" # FW_KERNEL_SECURITY="yes" # # 18.) # Keep the routing set on, if the firewall rules are unloaded? # REQUIRES: FW_ROUTE # # If you are using diald, or automatic dialing via ISDN, if packets need # to be sent to the internet, you need to turn this on. The script will then # not turn off routing and masquerading when stopped. # You *might* also need this if you have got a DMZ. # Please note that this is *insecure*! If you unload the rules, but are still # connected, you might your internal network open to attacks! # The better solution is to remove "/sbin/SuSEfirewall stop" or # "/sbin/init.d/firewall stop" from the ip-down script! # # # Choices "yes" or "no", defaults to "no" # FW_STOP_KEEP_ROUTING_STATE="no" # # 19.) # Allow (or don't) ICMP echo pings on either the firewall or the dmz from # the internet? # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" ## # END of rc.firewall ## # # #-------------------------------------------------------------------------# # # # EXPERT OPTIONS - all others please don't change these! # # # #-------------------------------------------------------------------------# # # # # 20.) # Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall. # This is used for traceroutes to your firewall (or traceroute like tools). # # Please note that the unix traceroute only works if you say "yes" to # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say # "yes" to FW_ALLOW_PING_FW # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_FW_TRACEROUTE="no" # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Choice: "yes" or "no", defaults to "yes" # FW_ALLOW_FW_SOURCEQUENCH="yes" # # 22.) # Which masquerading modules should be loaded? # REQUIRES: FW_ROUTE, FW_MASQUERADE # # (omit the path or "ip_masq_" prefix as well as the ".o" suffix!) # FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive" # # 23.) # Do you want to load customary rules from a file? # # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall-custom.rc.config # #FW_CUSTOMRULES="/etc/rc.config.d/firewall-custom.rc.config" Thank you so much for your assistance. Best regards, Choth jaakko tamminen wrote:

Hi

In Your previous e-mail You said:

...

...

...

FW_DEV_EXT="eth1" So the external interface is devined... Maybe You need to run "SuSEconfig" as root, and then try again.

If You want to stop the firewall, it is best done with "SuSEfirewall stop". There is nothing against that You "flush" them manually with "-F" option, but the script is only one simple command. It actually uses the "-F" for clearing the firewall rules.

If You want to check the firewall, one good place is http://www.grc.com, select "shields up", then again find "shields up", then select "test my shields", wait for output, and run also "probe my ports".

This will give You quite good indication of Your protection level.

But to go more deep into protecting Your system, this is just the beginning...

Enjoy!

Jaska.

On Tuesday 01 October 2002 13:27, PUTH CHAN CHOTH wrote:

...

Dear Gurus,

When I do what I said and then I fire the following command: $ /sbin/SuSEfirewall start and it says: The firewall script needs to know the external (internet) interface! SuSEfirewall: clearing rules now ... done

How to clear the firewall, I means when I use ipchains I fire the command: $ipchains -F $ipchains -X But what about SuSe is it $ /sbin/SuSEfirewall stop

How can I know that when I use this firewall and my ports are not open to the outside world again? Thank you so much for your assistance.

Regards,

Choth

Dear Gurus, Well, I would like to give all ny /etc/rc.config.d/firewall.rc.config like the following: START_FW="yes" FW_DEV_WORLD="eth1" FW_DEV_INT="eth0" FW_DEV_EXT="eth1" FW_ROUTE="yes" FW_SERVICES_EXT_TCP="25 80" FW_SERVICES_INT_TCP="22 25 53 80 110 3128" FW_SERVICES_INT_UDP="53" FW_SERVICE_DNS="yes" FW_STOP_KEEP_ROUTING_STATE="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" And then when I type: SuSEfirewall start and then my LAN cannot access to the Internet and I do not know why? Would you mind to tell me what can I do to make this firewall up and running? Thank you so much for your assistance. Best regards, Choth Togan Muftuoglu wrote:

* PUTH CHAN CHOTH; on 02 Oct, 2002 wrote:

...

The firewall script needs to know the external (internet) interface!

Define the FW_DEV_WORLD variable ( there is no commenting out in the SuSEfirewall script you either use the choices "yes" or "no" or define the interfaces ie "eth0" "ppp0" and write the services "25" or "smtp"

...

SuSEfirewall: clearing rules now ... done

My eth1 is connected to the Internet and eth0 is connected to the LAN. I would like to configure my firewall and can let the LAN be able to use Squid on port 3128, WWW:80, SMTP:25, POP3:110, SSH:22 and let the outsider to be able to access only WWW:80, SMTP:25.

...

# 1.) # Should the Firewall be started? # # This setting is done in /etc/rc.config (START_FW="yes") ################# #START_FW="yes" I have already configured START_FW="yes" in /etc/rc.config so I commented this out

START_FW="yes

...

# 2.) # #FW_DEV_WORLD="" #######################

why do you comment it out the script has to read this variable

FW_DEV_WORLD="eth1"

...

# 3.) # Which is the interface that points to the internal network? # # Enter all the network devices here which are trusted. # If you are not connected to a trusted network (e.g. you have just a # dialup) leave this empty. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1" or "" # FW_DEV_INT="" ###########################

why do you comment it out the script has to read this variable

FW_DEV_INT="eth0"

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

Dear Gurus, Thank you so much for your reply. I do all the things that you tell me but my LAN cannot access the Internet again. Would you mind telling how can I do it next? Thank you so much for your assistance. This is what I did: START_FW="yes" FW_DEV_WORLD="eth1" FW_DEV_INT="eth0" FW_DEV_EXT="eth1" FW_ROUTE="yes" FW_SERVICES_EXT_TCP="25 80" FW_SERVICES_INT_TCP="22 25 53 80 110 3128" FW_SERVICES_INT_UDP="53" FW_SERVICE_DNS="yes" FW_STOP_KEEP_ROUTING_STATE="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" FW_MASQ="yes" FW_MASQ_NETS="192.168.1.0/24" # My LAN is 192.168.1.0/24 Best regards, Choth Togan Muftuoglu wrote:

* PUTH CHAN CHOTH; on 02 Oct, 2002 wrote:

...

START_FW="yes" FW_DEV_WORLD="eth1" FW_DEV_INT="eth0" FW_DEV_EXT="eth1" FW_ROUTE="yes" FW_SERVICES_EXT_TCP="25 80" FW_SERVICES_INT_TCP="22 25 53 80 110 3128" FW_SERVICES_INT_UDP="53" FW_SERVICE_DNS="yes" FW_STOP_KEEP_ROUTING_STATE="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

FW_MASQ="yes" FW_MASQ_NETS=" " # fill with your local net addressing ie 192.168.1.0/24

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

* jaakko tamminen; on 02 Oct, 2002 wrote:

Hi

One addenum: IP_FORWARD=yes Also check FW_SERVICE_DHCLIENT=yes in /etc/sysconfig/SuSEfirewall2

he is using susefirewall 4.6 which is ipchains and using SuSE7.1 so no /stc/syconfig and no TO nor CC please let me grab my own copy from the mailserver -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

Dear Gurus, I do not see that I have this file /etc/sysconfig/SuSEfirewall2. What can I do to have this file? Thank you so much for your assistance. Best regards, Choth Togan Muftuoglu wrote:

* jaakko tamminen; on 02 Oct, 2002 wrote:

...

Hi

One addenum: IP_FORWARD=yes Also check FW_SERVICE_DHCLIENT=yes in /etc/sysconfig/SuSEfirewall2

he is using susefirewall 4.6 which is ipchains and using SuSE7.1 so no /stc/syconfig

and no TO nor CC please let me grab my own copy from the mailserver

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

* PUTH CHAN CHOTH; on 02 Oct, 2002 wrote:

Thank you so much for your reply. I do all the things that you tell me but my LAN cannot access the Internet again. Would you mind telling how can I do it next? Thank you so much for your assistance.

One thing I am 99 % sure is you have not bothered to read the /etc/rc.config.d/firewall.rc.config and you want us to feed you with the fish for today and tommorrow. Read and complete item 6 in the above mentioned file and you should be able to reach internet. If you are using squid for proxy make sure you have configured that also and let me grab my own copy from the mailserver no CC nor TO nor BCC please -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx