I have Suse 7.2 with standard kernel 2.4.4, and have downloaded the Suse firewall 2. I am not sure how to install it. Having expanded it from the tar ball into a directory it seems that you copy the ip-up file to /etc/ppp and clicking on install does the rest of the installation. However I am not sure it is working correctly or whether it has installed correctly. Since f/w2 uses iptables and f/w1 uses chains, I have uninstalled f/w1 and personal firewall. However, this state leaves me without any protection. When on line, if I run iptables --list from a terminal it brings up a load of errors instead of what should be expected. Can someone put me on the right road please (basic instructions appreciated)
Regards, David
* David;
I have Suse 7.2 with standard kernel 2.4.4, and have downloaded the Suse firewall 2.
Upgrading the kernel should be on your TODO: get the 2.4.7 kernel rpm from the suseftp mirrors (no need to be on the leading edge).
I am not sure how to install it. Having expanded it from the tar ball into a directory it seems that you copy the ip-up file to /etc/ppp and clicking on install does the rest of the installation. However I am not sure it is working correctly or whether it has installed correctly.
If running KDE or whatever open "xterm" or from the SuSE menu of KDE choose root terminal (could be a different name but it does have "root"),
change to the directory where you unistalled the SuSEFirewall2
# ./INSTALL
should do all the things.
When on line, if I run iptables --list from a terminal it brings up a load of errors instead of what should be expected.
still as root edit /etc/rc.config.d/firewall2.rc.config; it is heavily commented. If in doubt have a look at /usr/share/doc/packages/SuSEFirewall/EXAMPLES and firewall2.rc.config.example
Can someone put me on the right road please (basic instructions appreciated)
Make sure you have the START_FW=yes in /etc/rc.config
once all done issue rcSuSEfirewall2 test
warning this will not protect you but show you what is allowed and what not. Also you may try the debug which will print the iptables rules
ps. Let me get my own copy from the Mailinglist (no CC no To: pls)
-- Togan Muftuoglu
I think everything Togan says is right, but I think it may need to be: START_FW2=yes (with a 2 in it)
Make sure you have the START_FW=yes in /etc/rc.config
But I think this info is in readme file, not at my console at present. As I remember, I just ran the install script and it did the alteration to rc.config on its own, could be just old and baffled though. Best Fergus
Thanks Fergus
On Tue, 4 Dec 2001 15:12:17 -0000, Fergus Wilde wrote:
I think everything Togan says is right, but I think it may need to be:
START_FW2=yes (with a 2 in it)
Yes, I thought he meant that. See my replies to Dave & Togan. For some reason this firewall does not appear to install. I have unzipped the tarball again to be sure.
Make sure you have the START_FW=yes in /etc/rc.config
But I think this info is in readme file, not at my console at present. As I remember, I just ran the install script and it did the alteration to rc.config on its own, could be just old and baffled though.
Regards, David
Thanks Togan
On Tue, 4 Dec 2001 16:59:38 +0200, Togan Muftuoglu wrote:
Upgrading the kernel should be on your TODO get the 2.4.7 kernel rpm from the suseftp mirrors ( no need to be on the leading edge)
Do I really need to do that? What is the advantage over 2.4.4? I thought iptables was in 2.4.4
If running KDE or whatever open "xterm" or from the SuSE menu of KDE choose root terminal (could be a different name but it does have "root")
change to the directory where you unistalled the SuSEFirewall2
# ./INSTALL
I assume that you mean to include # in the command. Anyway with that nothing appears to happen. There is no output - it just returns to the command prompt after a second. Incidentally iptables are installed.
should do all the things.
still as root edit /etc/rc.config.d/firewall2.rc.config it is heavily commented if in doubt have a look at
That file does not exist
/usr/share/doc/packages/SuSEFirewall/EXAMPLES and firewall2.rc.config.example
There is nothing in that directory
Can someone put me on the right road please (basic instructions appreciated)
Make sure you have the START_FW=yes in /etc/rc.config
Because of the above, I assume, the above command is not recognised
once all done issue rcSuSEfirewall2 test
Likewise with this
warning this will not protect you but show you what is allowed and what not. Also you may try the debug which will print the iptables rules
ps. Let me get my own copy from the Mailinglist (no CC no To: pls)
It seems that the firewall is not installing, which is what I suspected. No errors are being produced on install, so I am not sure what I should do next. Regards, David
Hi David
* David;
Do I really need to do that? What is the advantage over 2.4.4? I thought iptables was in 2.4.4
There happens to be a kernel security update, and hence the reason: iptables is the userspace module, so the netfilter parts are updated in 2.4.7.
If running KDE or whatever open "xterm" or from the SuSE menu of KDE choose root terminal (could be a different name but it does have "root")
change to the directory where you unistalled the SuSEFirewall2
# ./INSTALL
I assume that you mean to include # in the command. Anyway with that nothing
No, "#" was to make sure you have the root prompt.
appears to happen. There is no output - it just returns to the command prompt after a second. Incidentally iptables are installed.
just to be sure check with rpm -q iptables
still as root edit /etc/rc.config.d/firewall2.rc.config it is heavily commented if in doubt have a look at
That file does not exist
well once the INSTALL file works its way it should
/usr/share/doc/packages/SuSEFirewall/EXAMPLES and firewall2.rc.config.example
There is nothing in that directory
same as above
Can someone put me on the right road please (basic instructions appreciated)
Make sure you have the START_FW=yes in /etc/rc.config
Because of the above, I assume, the above command is not recognised
actually as corrected before it should be START_FW2
once all done issue rcSuSEfirewall2 test
Likewise with this
once installed it should, else /etc/init.d/SuSEfirewall2 test
It seems that the firewall is not installing, which is what I suspected. No errors are being produced on install, so I am not sure what I should do next.
try again as I mentioned with the ./INSTALL
-- Togan Muftuoglu
Thanks
On Wed, 5 Dec 2001 00:54:28 +0200, Togan Muftuoglu wrote:
Hi David
There happens to be a kernel security update and hence the reason iptables is the userspace module so netfilter parts are updated in 2.4.7
I was hoping you wouldn't say that. Having seen all the problems here with people installing kernels I wanted to avoid it. I mean I can't even install a firewall! Is it straightforward or fraught with problems? I have found 2.4.10 on a mag cover disk. Will this do, or do I have to download from Suse, and if the latter must it be direct to Linux since the only firewall I have running at the moment is on a Win box.
No, "#" was to make sure you have the root prompt.
I forgot the case - makes a difference. So ok it is installed now.
just to be sure check with
rpm -q iptables
That gives iptables-1.2.1a-37
well once the INSTALL file works its way it should
same as above
Can someone put me on the right road please (basic instructions appreciated)
Make sure you have the START_FW=yes in /etc/rc.config
Because of the above, I assume, the above command is not recognised
actually as corrected before it should be START_FW2
Yes I guessed that
once all done issue rcSuSEfirewall2 test
Likewise with this
once installed it should else
/etc/init.d/SuSEfirewall2 test
Bad command with that. SuSEfirewall2 is not in that directory. There are 3 SuSEfirewall2 files there with extensions final, init, setup
try again as I mentioned with the ./INSTALL
Regards, David
* David;
I was hoping you wouldn't say that. Having seen all the problems here with people installing kernels I wanted to avoid it. I mean I can't even install a firewall !
:-)
Is it straightforward or fraught with problems. I have found 2.4.10 on a mag cover disk. Will this do, or do I have to download from Suse, and if the latter must it be direct to Linux since the only firewall I have running at the moment is on a Win box.
That gives iptables-1.2.1a-37
Well there is iptables-1.2.1a-53 on my box. For the kernel upgrade use SuSE kernel rpms to avoid problems; it is fairly simple:
get the kernel from the ftp mirrors of SuSE in the update directory for your SuSE version
as root rpm -Uhv k_deflt.rpm (assuming you are using the default one; to be sure rpm -q k_deflt should give you the installed version)
After that type
mk_initrd and type lilo. Reboot and enjoy your new kernel
/etc/init.d/SuSEfirewall2 test
my mistake it should be
/sbin/rcSuSEfirewall2 test or just rcSuSEfirewall2 test
try the firewall part before upgrading the kernel if it is going to make you happier, and next time before you hit the reply button check that my email is not listed in _To:_ or _CC:_ parts as being a list member I normally get the mails very fast :-)
-- Togan Muftuoglu
Hi Togan
On Wed, 5 Dec 2001 02:07:33 +0200, Togan Muftuoglu wrote:
That gives iptables-1.2.1a-37
Well there is iptables-1.2.1a-53 on my box for the kernel upgrade use SuSE kernel rpms to avoid problems and it is fairly simple
get the kernel from the ftp mirrors of SuSE in the update directory for your SuSE version
as root rpm -Uhv k_deflt.rpm (assuming you are using the default one to be sure rpm -q k_deflt should give you the installed version)
After that type
mk_initrd and type lilo Reboot and enjoy your new kernel
Ok I'll have a look at that.
/etc/init.d/SuSEfirewall2 test
my mistake it should be
/sbin/rcSuSEfirewall2 test or just rcSuSEfirewall2 test
Ok that works. Results below

linux:/ # rcSuSEfirewall2 test
Usage: /sbin/rcSuSEfirewall2 {start|stop|status|restart|reload|force-reload}

Now with the options

linux:/ # rcSuSEfirewall2 start
Starting Firewall Initialization: (phase 2 of 3) failed
linux:/ # rcSuSEfirewall2 status
Checking the status of the Firewall:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
linux:/ # rcSuSEfirewall2 restart
Starting Firewall Initialization: (phase 2 of 3) failed
linux:/ # rcSuSEfirewall2 reload
Starting Firewall Initialization: (phase 2 of 3) failed
linux:/ # rcSuSEfirewall2 force-reload
Starting Firewall Initialization: (phase 2 of 3) failed
linux:/ #

Any type of start brings up a failure.
try the firewall part before upgrading the kernel if it is going to make you happier, and next time before you hit the reply button check that my email is not listed in _To:_ or _CC:_ parts as being a list member I normally get the mails very fast :-)
Sorry if that is annoying you, but the instructions from the Suse faq are to reply to all, which is contrary to other lists I use. I have removed your address from this one, so I hope you get it. Regards, David
Hi David
* David;
linux:/ # rcSuSEfirewall2 force-reload Starting Firewall Initialization: (phase 2 of 3) failed linux:/ #
Any type of start brings up a failure.
himm are you online (or connected to internet) when you issue these commands? What does "iptables -L -n" show you? (provided you are online)
Sorry if that is annoying you, but the instructions from the Suse faq are to reply to all, which is contrary to other lists I use. I have removed your address from this one, so I hope you get it.
When you send it to the list of course I will get it :-) Regarding the FAQ please reread it as it says differently. Rather than just using reply (which causes only one person to receive the mail) the FAQ suggests the user either "reply to all" OR "reply to list". The correct behaviour would be "reply to list".
-- Togan Muftuoglu
Hi Togan
On Wed, 5 Dec 2001 08:07:40 +0200, Togan Muftuoglu wrote:
himm are you online (or connected to internet) when you issue these commands.
That was offline, but I have just tried it online and it is exactly the same.
What does "iptables -L -n" show you? (provided you are online)
On line the result is:-
linux:~ # iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
linux:~ #
The same offline
When you send it to the list of course I will get it :-) Regarding the FAQ please reread it as it says differently. Rather than just using reply (which causes only one person to receive the mail) the FAQ suggests the user either "reply to all" OR "reply to list". The correct behaviour would be "reply to list".
Slight qualification here - "if you have the reply to list button". I do not have that. Regards, David
* David;
target prot opt source destination linux:~ #
The same offline
are the iptables modules loaded? what does lsmod show? have you configured the firewall2.rc.config? have you set yes to START_FW2 in /etc/rc.config?
Slight qualification here - "if you have the reply to list button". I do not have that.
Aha broken mail client :-)
-- Togan Muftuoglu
Hi Togan
On Wed, 5 Dec 2001 12:39:07 +0200, Togan Muftuoglu wrote:
are the iptables modules loaded? what does lsmod show?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
linux:~ # lsmod
Module                  Size  Used by
iptable_filter          2080   0 (autoclean) (unused)
ip_tables              10720   1 [iptable_filter]
ppp_deflate            39840   0 (autoclean)
bsd_comp                4192   0 (autoclean)
ppp_async               6480   0 (autoclean)
ppp_generic            14416   0 (autoclean) [ppp_deflate bsd_comp ppp_async]
snd-pcm-oss            18816   0 (autoclean)
snd-pcm-plugin         15024   0 (autoclean) [snd-pcm-oss]
snd-mixer-oss           5120   0 (autoclean) [snd-pcm-oss]
snd-card-es1968        12832   0
snd-pcm                30560   0 [snd-pcm-oss snd-pcm-plugin snd-card-es1968]
snd-timer               8560   0 [snd-pcm]
snd-ac97-codec         24576   0 [snd-card-es1968]
snd-mixer              24224   0 [snd-mixer-oss snd-ac97-codec]
snd-mpu401-uart         2512   0 [snd-card-es1968]
snd-rawmidi             9664   0 [snd-mpu401-uart]
snd-seq-device          4032   0 [snd-rawmidi]
snd                    34032   1 [snd-pcm-oss snd-pcm-plugin snd-mixer-oss snd-card-es1968 snd-pcm snd-timer snd-ac97-codec snd-mixer snd-mpu401-uart snd-rawmidi snd-seq-device]
soundcore               3632   2 [snd]
parport_pc             18480   1 (autoclean)
lp                      5392   0 (autoclean)
parport                24352   1 (autoclean) [parport_pc lp]
ipv6                  126272  -1 (autoclean)
8139too                11520   1 (autoclean)
linux:~ #
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
have you configured the firewall2.rc.config ?
No. Is that in /root/SuSEfirewall2-1.9/firewall2 rc.config
have you set yes to START_FW2 in /etc/rc.config ?
Yes. But on boot up I still get "loading firewall 2 of 3 ..............failed"
Slight qualification here - "if you have the reply to list button". I do not
have that.
Aha broken mail client :-)
Probably can do it through the scripting. Will get on to the author about that. Regards, David
* David;
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
have you configured the firewall2.rc.config ?
No. Is that in /root/SuSEfirewall2-1.9/firewall2 rc.config
Aha edit /etc/rc.config.d/firewall2.rc.config
Yes. But on boot up I still get "loading firewall 2 of 3 ..............failed"
first edit above
-- Togan Muftuoglu
Hi Togan
On Wed, 5 Dec 2001 16:36:12 +0200, Togan Muftuoglu wrote:
* David;
on 05 Dec, 2001 wrote:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
have you configured the firewall2.rc.config ?
No. Is that in /root/SuSEfirewall2-1.9/firewall2 rc.config
Aha edit /etc/rc.config.d/firewall2.rc.config
Well I have looked at that, but it might as well be in French for all it means to me. Surely it installs with a default set of safe rules that will enable it to load. I have put in FW_DEV_EXT="pppo" That seems to get it to work, but does not allow any outside communication. I really do not know what I am doing here. A simple interface would make life so much simpler. Are there any basic settings I can use?
Regards, David
* David (dg@stanwater.fsnet.co.uk) [011205 12:07]:
That seems to get it to work, but does not allow any outside communication.
That's a firewall.
I really do not know what I am doing here. A simple interface would make life so much simpler.
Why are you trying to use the SuSEfirewall2 and not the personal firewall?
Are there any basic settings I can use?
See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
-- -ckm
On Wed, 5 Dec 2001 12:19:09 -0800, Christopher Mahmood wrote:
* David (dg@stanwater.fsnet.co.uk) [011205 12:07]:
That seems to get it to work, but does not allow any outside communication.
That's a firewall.
That's being pedantic - surely you know what I mean.
Why are you trying to use the SuSEfirewall2 and not the personal firewall?
That was the consensus of the advice here. As I understand it, it uses iptables instead of ipchains, the former being more secure
Are there any basic settings I can use?
See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
Yes sure there are. You are an expert and understand the intricacies. It shows for a standalone machine, or more complex networks. I have a Win box networked to a Lin box. It does not show that. If I knew what to change it would be ok, but I don't. In any case taking the first example which is FW_DEV_EXT="pppo" causes the firewall to fail to load, so the examples cannot be trusted.
Regards, David
* David (dg@stanwater.fsnet.co.uk) [011205 15:24]:
On Wed, 5 Dec 2001 12:19:09 -0800, Christopher Mahmood wrote:
* David (dg@stanwater.fsnet.co.uk) [011205 12:07]:
That seems to get it to work, but does not allow any outside communication.
That's a firewall.
That's being pedantic - surely you know what I mean.
Yes, but that is what it's supposed to do.
Why are you trying to use the SuSEfirewall2 and not the personal firewall?
That was the consensus of the advice here. As I understand it, it uses iptables instead of ipchains, the former being more secure
That's very debatable. In theory, yes iptables has lots of nice features like stateful inspection that ipchains doesn't. In reality, the 2.4 kernel hasn't seen nearly the amount of abuse that 2.2 has and undoubtedly has lots of bugs yet to be found. Unless there's a feature of iptables that you must have, I'd reconsider. I haven't followed this thread so I'm probably missing something, but it sounds like you don't really know much about this sort of thing and don't care to--you just want a simple, easy to configure firewall so you can get on with actually using your system instead of twiddling with a firewall script that is overkill for what you need. That is exactly what the personal one is designed for.
Are there any basic settings I can use?
See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
In any case taking the first example which is FW_DEV_EXT="pppo" causes the firewall to fail to load, so the examples cannot be trusted.
That's '0', not an 'o'.

So what you want is to setup your linux box as a firewall and also use it to masquerade a private network for your windows machine(s). I.e.,

(big bad world)
      |
      |             __windows 1
(linux box)---<__ windows 2
               ^ \ (there will be a switch or hub there probably)

I don't know what your connection is to outside but I'll assume it's DSL or cable modem so that you have two ethernet cards in the machine. Then, you should only have to set

FW_DEV_WORLD="eth0"   # it might be eth1 depending on the ordering
                      # of your cards
FW_DEV_INT="eth1"     # eth0 if FW_DEV_WORLD=eth1
FW_ROUTE="yes"        # this will allow routing between eth1 and eth0
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"

That last one allows you to have a private class C network for your windows machines so your windows machines can use 192.168.0.2 through 192.168.0.254 with a netmask of 255.255.255.0 and a gateway of 192.168.0.1 or whatever ip address on the 192.168.0.0/24 network you give the internal interface on the linux box.

The rest you can leave with the default values.
-- -ckm
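A small validator for the variables Christopher lists, added here as an example and not SuSEfirewall2's own code: it parses firewall2.rc.config-style lines, flags the kind of slip David made (FW_DEV_EXT="pppo" with a letter o), and renders a simplified equivalent of the iptables rules the masquerading setup stands for. The interface-name pattern, the log prefix and the rule rendering are assumptions, not what the SuSE script emits.

```python
"""Sanity-check the SuSEfirewall2 variables from the thread and show the iptables
rules they stand for.  Added example, not SuSEfirewall2's own code; the real
script does far more.  Only FW_DEV_WORLD/FW_DEV_EXT, FW_DEV_INT, FW_ROUTE,
FW_MASQUERADE and FW_MASQ_NETS are handled."""
import re

# Constructed sample using the values Christopher gave in the thread.
GOOD_CONFIG = '''
FW_DEV_WORLD="eth0"   # it might be eth1 depending on the ordering of your cards
FW_DEV_INT="eth1"     # eth0 if FW_DEV_WORLD=eth1
FW_ROUTE="yes"        # this will allow routing between eth1 and eth0
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
'''

# Constructed sample reproducing the slip discussed in the thread: letter o for digit 0.
BAD_CONFIG = '''
FW_DEV_EXT="pppo"
FW_ROUTE="no"
FW_MASQUERADE="no"
'''

# Assumption: interface names look like eth0, ppp0, ippp0, tr0 (driver prefix plus a number).
IFACE_RE = re.compile(r"^(eth|ppp|ippp|tr|isdn)\d+$")
CIDR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$")


def parse_rc_config(text):
    """Read KEY="value" lines from firewall2.rc.config-style text; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^([A-Z][A-Z0-9_]*)="?([^"]*)"?$', line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def external_device(cfg):
    """The outside interface: FW_DEV_WORLD in the 2001 script, FW_DEV_EXT as David wrote it."""
    return cfg.get("FW_DEV_WORLD") or cfg.get("FW_DEV_EXT", "")


def check_config(cfg):
    """Return a list of problems; an empty list means the values look usable."""
    problems = []
    for key in ("FW_DEV_WORLD", "FW_DEV_EXT", "FW_DEV_INT"):
        for dev in cfg.get(key, "").split():
            if not IFACE_RE.match(dev):
                problems.append(f"{key}: '{dev}' is not an interface name (letter o for digit 0?)")
    if not external_device(cfg):
        problems.append("no external device set (FW_DEV_WORLD or FW_DEV_EXT)")
    for key in ("FW_ROUTE", "FW_MASQUERADE"):
        if cfg.get(key, "no") not in ("yes", "no"):
            problems.append(f"{key}: expected yes or no, got '{cfg[key]}'")
    if cfg.get("FW_MASQUERADE") == "yes":
        if cfg.get("FW_ROUTE") != "yes":
            problems.append("FW_MASQUERADE=yes needs FW_ROUTE=yes")
        if not cfg.get("FW_DEV_INT"):
            problems.append("FW_MASQUERADE=yes needs FW_DEV_INT")
        for net in cfg.get("FW_MASQ_NETS", "").split():
            m = CIDR_RE.match(net)
            if not m or max(int(o) for o in m.groups()[:4]) > 255 or int(m.group(5)) > 32:
                problems.append(f"FW_MASQ_NETS: '{net}' is not an a.b.c.d/len network")
    return problems


def render_rules(cfg):
    """Translate the variables into iptables commands (a simplified rendering,
    not what SuSEfirewall2 itself emits).  Call check_config() first."""
    ext = external_device(cfg).split()[0]
    internals = cfg.get("FW_DEV_INT", "").split()
    rules = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        # replies to connections this box opened itself: the "inside out" tracking Bruce describes
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    # the internal LAN is trusted; new connections from outside are logged (constructed
    # prefix) and then fall through to the DROP policy
    rules += [f"iptables -A INPUT -i {dev} -j ACCEPT" for dev in internals]
    rules.append(f"iptables -A INPUT -i {ext} -m state --state NEW -j LOG --log-prefix 'FW-DROP '")
    if cfg.get("FW_ROUTE") == "yes":
        rules.append("echo 1 > /proc/sys/net/ipv4/ip_forward")
        for dev in internals:
            rules.append(f"iptables -A FORWARD -i {dev} -o {ext} -j ACCEPT")
            rules.append(f"iptables -A FORWARD -i {ext} -o {dev} -m state --state ESTABLISHED,RELATED -j ACCEPT")
    if cfg.get("FW_MASQUERADE") == "yes":
        for net in cfg.get("FW_MASQ_NETS", "").split():
            rules.append(f"iptables -t nat -A POSTROUTING -s {net} -o {ext} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(f"[{name}] problems: {check_config(parse_rc_config(text)) or 'none'}")
    print("\n".join(render_rules(parse_rc_config(GOOD_CONFIG))))
```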
On Wednesday 05 December 2001 19:16 pm, Christopher Mahmood wrote:
* David (dg@stanwater.fsnet.co.uk) [011205 15:24]:
On Wed, 5 Dec 2001 12:19:09 -0800, Christopher Mahmood wrote:
* David (dg@stanwater.fsnet.co.uk) [011205 12:07]:
That seems to get it to work, but does not allow any outside communication.
That's a firewall.
That's being pedantic - surely you know what I mean.
Yes, but that is what it's supposed to do.
Not necessarily.... One advantage of iptables is that it keeps track of connections made from the 'inside out' and therefore will let the responses back in. Firewall2 should be much easier to work with in trying to do special functions from within the firewall... such as using a VPN to some other machine on the net. It remains aware of what the local machine is doing with the net and allows it to take place without having to set up special rules.
Why are you trying to use the SuSEfirewall2 and not the personal firewall?
That was the consensus of the advice here. As I understand it, it uses iptables instead of ipchains, the former being more secure
That's very debatable. In theory, yes iptables has lots of nice features like stateful inspection that ipchains doesn't. In reality, the 2.4 kernel hasn't seen nearly the amount of abuse that 2.2 has and undoubtedly has lots of bugs yet to be found. Unless there's a feature of iptables that you must have, I'd reconsider. I haven't followed this thread so I'm probably missing something, but it sounds like you don't really know much about this sort of thing and don't care to--you just want a simple, easy to configure firewall so you can get on with actually using your system instead of twiddling with a firewall script that is overkill for what you need. That is exactly what the personal one is designed for.
Are there any basic settings I can use?
See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
In any case taking the first example which is FW_DEV_EXT="pppo" causes the firewall to fail to load, so the examples cannot be trusted.
That's '0', not an 'o'.
So what you want is to setup your linux box as a firewall and also use it to masquerade a private network for your windows machine(s). I.e.,
(big bad world)
      |
      |             __windows 1
(linux box)---<__ windows 2
               ^ \ (there will be a switch or hub there probably)
I don't know what your connection is to outside but I'll assume it's DSL or cable modem so that you have two ethernet cards in the machine. Then, you should only have to set
FW_DEV_WORLD="eth0"   # it might be eth1 depending on the ordering
                      # of your cards
FW_DEV_INT="eth1"     # eth0 if FW_DEV_WORLD=eth1
FW_ROUTE="yes"        # this will allow routing between eth1 and eth0
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
That last one allows you to have a private class C network for your windows machines so your windows machines can use 192.168.0.2 through 192.168.0.254 with a netmask of 255.255.255.0 and a gateway of 192.168.0.1 or whatever ip address on the 192.168.0.0/24 network you give the internal interface on the linux box.
The rest you can leave with the default values.
--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall   bmarsh@bmarsh.com   Bellaire, MI   12/05/01 20:53 +
+----------------------------------------------------------------------------+
"If God had really intended men to fly, he'd make it easier to get to the airport." - George Winters
Hi David,
* Christopher Mahmood;
* David (dg@stanwater.fsnet.co.uk) [011205 15:24]:
Are there any basic settings I can use?
See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
Your case would be scenario #3; adapt to your needs or just follow Chris's advice.
-- Togan Muftuoglu
Thanks Togan, I will look at that.
On Thu, 6 Dec 2001 08:52:34 +0200, Togan Muftuoglu wrote:
Hi David,
* Christopher Mahmood;
on 05 Dec, 2001 wrote:
* David (dg@stanwater.fsnet.co.uk) [011205 15:24]:
Are there any basic settings I can use?
See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
Your case would be scenario #3 adapt to your needs or just follow Chris's advice.
-- Togan Muftuoglu
Regards, David
Thanks for the reply
On Wed, 5 Dec 2001 16:16:18 -0800, Christopher Mahmood wrote:
That's very debatable. In theory, yes iptables has lots of nice features like stateful inspection that ipchains doesn't. In reality, the 2.4 kernel hasn't seen nearly the amount of abuse that 2.2 has and undoubtedly has lots of bugs yet to be found. Unless there's a feature of iptables that you must have, I'd reconsider. I haven't followed this thread so I'm probably missing something, but it sounds like you don't really know much about this sort of thing and don't care to--you just want a simple, easy to configure firewall so you can get on with actually using your system instead of twiddling with a firewall script that is overkill for what you need. That is exactly what the personal one is designed for.
That is your opinion, but I see that Bruce can offer another, and as I said Suse f/w2 seemed to be the one to go for. At the end of the day having read all the advice, it is up to me to make a choice based on what I have read. Having come from Windows where the firewalls (I use Tiny Personal Firewall, who have just won an award and a contract to I think the US Navy) are very configurable through an easy interface. There you can block and control ports, access etc to your heart's content. In Linux there is not that facility. It is fine if you are into scripting but some of us do not want that. It depends on whether you want Suse/Linux to stay as a geek o/s, or whether you want it to be better than Windows.
See /usr/share/doc/packages/SuSEfirewall/EXAMPLES
In any case taking the first example which is FW_DEV_EXT="pppo" causes the firewall to fail to load, so the examples cannot be trusted.
That's '0', not an 'o'.
Yes I know. It was getting late and finger happy.
So what you want is to setup your linux box as a firewall and also use it to masquerade a private network for your windows machine(s). I.e.,
(big bad world)
      |
      |             __windows 1
(linux box)---<__ windows 2
               ^ \ (there will be a switch or hub there probably)
I don't know what your connection is to outside but I'll assume it's DSL or cable modem so that you have two ethernet cards in the machine. Then, you should only have to set
FW_DEV_WORLD="eth0"   # it might be eth1 depending on the ordering
                      # of your cards
FW_DEV_INT="eth1"     # eth0 if FW_DEV_WORLD=eth1
FW_ROUTE="yes"        # this will allow routing between eth1 and eth0
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
That last one allows you to have a private class C network for your windows machines so your windows machines can use 192.168.0.2 through 192.168.0.254 with a netmask of 255.255.255.0 and a gateway of 192.168.0.1 or whatever ip address on the 192.168.0.0/24 network you give the internal interface on the linux box.
The rest you can leave with the default values.
I didn't describe it properly. They are direct connected, no hub, and a dial up modem on the Linux box. At the moment I have guessed at some settings enough to get a connection. I then use Firestarter to sit on top which takes over control and alter the settings. This still has to be refined, but it comes up clean at Shields Up for the moment. Regards, David
Maybe you could use watchdog and guarddog to give you a nice gui to Linux firewalling. I can't comment on how good they are as I haven't tried them yet.
http://www.simonzone.com/software/watchdog/
Pat
--
-----------------------------------
Pat Colbeck
E-mail: pcolbeck@bashq.org
Tel: I'm not telling
-----------------------------------
On Wednesday 05 December 2001 15:06 pm, David wrote:
I have put in FW_DEV_EXT="pppo"
That seems to get it to work, but does not allow any outside communication. I really do not know what I am doing here. A simple interface would make life so much simpler. Are there any basic settings I can use?
Where did you get your copy of firewall2? The 7.3 distribution had a bug in firewall2 that would cause it to fail.
Try this first:
1) Start your ppp0 connection. (dial up)
2) Test that you can't talk to the outside world.
3) Issue: SuSEfirewall2 stop
4) Issue: SuSEfirewall2 start
If you have the bug, it should start working.
--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall   bmarsh@bmarsh.com   Bellaire, MI   12/05/01 15:29 +
+----------------------------------------------------------------------------+
Ducharm's Axiom: "If you view a problem closely enough, you will recognize yourself as part of the problem."
Thanks Bruce
On Wed, 5 Dec 2001 15:31:32 -0500, Bruce Marshall wrote:
Where did you get your copy of firewall2?
From Suse
The 7.3 distribution had a bug in firewall2 that would cause it to fail.
Maybe I have a later version.
Try this first:
1) Start your ppp0 connection. (dial up)
2) Test that you can't talk to the outside world.
3) Issue: SuSEfirewall2 stop
4) Issue: SuSEfirewall2 start
If you have the bug, it should start working.
I fiddled around with some of the settings there and managed to get it to start, also on boot up. The problem is now that it is blocking the connection and causing Netscape to crash. I was expecting it to load with default settings allow at least a connection. I am not sure what setting I should change. Regards, David
On Wednesday 05 December 2001 18:23 pm, David wrote:
I fiddled around with some of the settings there and managed to get it to start, also on boot up. The problem is now that it is blocking the connection and causing Netscape to crash. I was expecting it to load with default settings allow at least a connection. I am not sure what setting I should change.
But if there is a bug in it and you are experiencing that bug......... IT WON'T MATTER WHAT SETTINGS YOU USE.
--
+----------------------------------------------------------------------------+
+ Bruce S. Marshall   bmarsh@bmarsh.com   Bellaire, MI   12/05/01 20:47 +
+----------------------------------------------------------------------------+
"Virtue is like a rich stone, best plain set." - Francis Bacon
* Bruce Marshall;
On Wednesday 05 December 2001 18:23 pm, David wrote:
I fiddled around with some of the settings there and managed to get it to start, also on boot up. The problem is now that it is blocking the connection and causing Netscape to crash. I was expecting it to load with default settings allow at least a connection. I am not sure what setting I should change.
But if there is a bug in it and you are experiencing that bug.........
Well David is using the latest version downloaded from Marc's page which fixes a lot of known bugs. OTH it should be adjusted to personal needs before firing it up. Firewall should not be PnP (Plug and Pray)
-- Togan Muftuoglu
Thanks
I meant to add that when I reboot, I see firewall stage 1 of 3 ok, firewall stage 2 of 3 failed.
On Wed, 5 Dec 2001 00:54:28 +0200, Togan Muftuoglu wrote:
Hi David
There happens to be a kernel security update and hence the reason iptables is the userspace module so netfilter parts are updated in 2.4.7
I was hoping you wouldn't say that. Having seen all the problems here with people installing kernels I wanted to avoid it. I mean I can't even install a firewall ! Is it straightforward or fraught with problems. I have found 2.4.10 on a mag cover disk. Will this do, or do I have to download from Suse, and if the latter must it be direct to Linux since the only firewall I have running at the moment is on a Win box.
No "#" was to make sure you have the root prompt
I forgot the case - makes a difference. So ok it is installed now.
just to be sure check with
rpm -q iptables
That gives iptables-1.2.1a-37
well once the INSTALL file works its way it should
same as above
Can someone put me on the right road please (basic instructions appreciated)
Make sure you have the START_FW=yes in /etc/rc.config
Because of the above, I assume, the above command is not recognised
actually as corrected before it should be START_FW2
Yes I guessed that
once all done issue rcSuSEfirewall2 test
Likewise with this
once installed it should else
/etc/init.d/SuSEfirewall2 test
Bad command with that. SuSEfirewall2 is not in that directory. There are 3 SuSEfirewall2 files there with extensions final, init, setup
try again as I mentioned with the ./INSTALL
Regards, David