Hi. The personal firewall seems to need configuring because it asks for REJECT_ALL_INCOMING_CONNECTIONS. If I put eth0 and eth1 there (our internet and local ethernet cards) once again nothing passes through. Can I just leave this blank and still be protected? Thanks, Steve.
On Friday 19 April 2002 14:00, you wrote:
** On Fri, 19 Apr 2002 10:43:08 +0200 steve <fsanta@arrakis.es> tossed this note into the solar wind:
**Hi everyone ** **I see that SuSE sell a firewall on cd for over $1000. What is the difference **between this firewall and SuSE firewall2 that comes with 7.3? Is the latter **an inferior product? ** **Very confused!
None of the firewalls offered are inferior, just different types for different user settings
Have you tried just selecting the "personal" firewall for a start? It seems to protect things very nicely (I've been *invisible* to some intentional scans by various security folks I know, using just the "personal" version).
It requires no setup, by which I mean it's configured "out of the box" and will protect you (your LAN etc.), as much as anything can do, while you learn what you need to know to set up Firewall 2. If you need it, Firewall2 is much more *user* (i.e. netadmin) configurable, so you can pick and choose the various ports programs can use, or not use, etc. I don't believe in the current internet climate that anyone should just be surfing, emailing or anything else that requires a connection to the internet w/o some sort of firewall, whether it's a commercial product or a "roll your own".
Oh yes, the firewall on a CD product is also something that comes preconfigured, but its advantages are that no cracker or haxsor can tamper w/ the firewall (neither can anyone who is already on your LAN open any ports that aren't "permitted"). Usually this is for a larger group than a school LAN.
Firewall2 isn't inferior, neither is the "personal" version, just different for different jobs. I have one SOHO that uses the personal version; there are only a few computers there and the group doesn't need any exotic settings. Whereas another, larger company uses the FireWall2 product, but there are about 20 folks in that group and some more configurations were required to keep some computers (and their users) inside the network from going out onto the internet... Hope this helps.
* steve; <fsanta@arrakis.es> on 19 Apr, 2002 wrote:
Hi.
The personal firewall seems to need configuring because it asks for REJECT_ALL_INCOMING_CONNECTIONS. If I put eth0 and eth1 there (our internet and local ethernet cards) once again nothing passes through. Can I just leave this blank and still be protected?
Now by following this thread, if I say I understood your problem I am a liar. Which firewall are you trying to configure?
I am trying to configure firewall2. It's just that someone said the personal firewall would work too. In desperation we have tried many combinations, none of which work! Thanks, Steve. On Friday 19 April 2002 16:53, you wrote:
* steve; <fsanta@arrakis.es> on 19 Apr, 2002 wrote:
Hi.
The personal firewall seems to need configuring because it asks for REJECT_ALL_INCOMING_CONNECTIONS. If I put eth0 and eth1 there (our internet and local ethernet cards) once again nothing passes through. Can I just leave this blank and still be protected?
Now by following this thread, if I say I understood your problem I am a liar. Which firewall are you trying to configure?
* steve; <fsanta@arrakis.es> on 19 Apr, 2002 wrote:
I am trying to configure firewall2. It's just that someone said the personal firewall would work too. In desperation we have tried many combinations, none of which work!
OK so we are still on SuSEfirewall2

1) Uninstall all other firewall packages (personal, SuSEfirewall version 1)
2) Make sure you have SuSEfirewall2 version 2.1; if not, download it from http://www.suse.de/~marc/suse.html and install it
3) Based on your previous mails, configure as follows:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="domain "
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_INT_TCP="21 22 25 53 80 110 143 1113 3128"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"

4) Now start as /sbin/SuSEfirewall2 test
5) Try to ping www.suse.de, save output (if any)
6) traceroute www.suse.de, save output (if any)
7) From the local LAN try to surf the net: www.suse.de
8) From the local LAN ftp to ftp.gwdg.de
9) If everything works then /sbin/SuSEfirewall2 start
10) If it fails, send the output of item 5 and item 6 along with /var/log/firewall (not all of it, just the relevant parts for items 7 and 8)

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
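Several of the step 3 settings depend on one another: masquerading needs routing and an external device, and the redirect of port 80 to 3128 only helps if 3128 is also open on the internal side. The check below is an added example, not part of the original thread and not SuSEfirewall2's own validation; the helper names are hypothetical, the sample is a constructed subset of the posted values, and the FW_REDIRECT field order is assumed from the rule as posted.

```shell
#!/bin/sh
# Constructed sample: the step-3 values that the checks below read.
sample_config() {
cat <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_SERVICES_INT_TCP="21 22 25 53 80 110 143 1113 3128"
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128"
EOF
}

# check_fw_config FILE (hypothetical helper): prints one WARN line per
# inconsistency and returns 1 if any were found, 0 otherwise.
check_fw_config() (
    # Runs in a subshell so sourced variables stay local. Sourcing executes
    # the file as shell code: use it only on a config that root controls.
    . "$1" || exit 2
    bad=0
    warn() { echo "WARN: $*"; bad=1; }
    [ -n "$FW_DEV_EXT" ] || warn "FW_DEV_EXT is empty"
    if [ "$FW_MASQUERADE" = "yes" ]; then
        [ "$FW_ROUTE" = "yes" ] || warn "FW_MASQUERADE needs FW_ROUTE=yes"
        [ -n "$FW_MASQ_NETS" ] || warn "FW_MASQ_NETS is empty"
        case " $FW_DEV_EXT " in
            *" $FW_MASQ_DEV "*) ;;
            *) warn "FW_MASQ_DEV '$FW_MASQ_DEV' is not an external device" ;;
        esac
    fi
    for rule in $FW_REDIRECT; do
        # Field order as in the posted rule: src,dst,proto,dport,lport
        old_ifs=$IFS; IFS=,; set -- $rule; IFS=$old_ifs
        [ "$3" = "tcp" ] || continue
        # REDIRECT delivers the packet to the firewall host itself, so the
        # local port must also be accepted on the internal interface.
        case " $FW_SERVICES_INT_TCP " in
            *" $5 "*) ;;
            *) warn "redirect $4->$5 but FW_SERVICES_INT_TCP lacks $5" ;;
        esac
    done
    exit "$bad"
)

# Stand-alone run against the constructed sample.
cfg=$(mktemp) && sample_config > "$cfg"
check_fw_config "$cfg" && echo "step-3 values are self-consistent"
rm -f "$cfg"
```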
Hi to all... I remember that someone pointed to a very good PDF document on how to install SuSE on some IBM boxes... I think that was an article written by Lenz Grimmer... I'm trying to locate that article in PDF format again... Does someone know where I can find it? Thanks, bye --ed
On Friday 19 April 2002 19:51, you wrote:
* steve; <fsanta@arrakis.es> on 19 Apr, 2002 wrote:
I am trying to configure firewall2. It's just that someone said the personal firewall would work too. In desperation we have tried many combinations, none of which work!
OK so we are still on SuSEfirewall2
1) Uninstall all other firewall packages (personal, SuSEfirewall version 1)
2) Make sure you have SuSEfirewall2 version 2.1; if not, download it from http://www.suse.de/~marc/suse.html and install it
3) Based on your previous mails, configure as follows:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="domain "
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_INT_TCP="21 22 25 53 80 110 143 1113 3128"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_REDIRECT="192.168.0.0/24,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"

4) Now start as /sbin/SuSEfirewall2 test
5) Try to ping www.suse.de, save output (if any)
6) traceroute www.suse.de, save output (if any)
7) From the local LAN try to surf the net: www.suse.de
8) From the local LAN ftp to ftp.gwdg.de
9) If everything works then /sbin/SuSEfirewall2 start
10) If it fails, send the output of item 5 and item 6 along with /var/log/firewall (not all of it, just the relevant parts for items 7 and 8)
Hi. Thanks for all this effort. 5, 6, 7 and 8 work fine in test mode but lock tight after 9. There is no /var/log/firewall (we installed SuSEfirewall2-2.1 after uninstalling the normal 7.3 installation packages and uninstalling the personal firewall) and /var/log/messages gives nothing relevant. We can't ask you for any more. We tried pmfirewall and it works. It's not what we really wanted but it's time that we must save. Thanks again. Steve.
Hi guys... from where can I get some information or examples on how to set up a firewall using SuSEfirewall2? I know that there is some information at http://www.suse.de/~marc/suse.html but... any manual... examples of configuring a simple firewall, one with a DMZ, etc. Thanks in advance
* Linux - User (linux@ods.co.cr) [020425 16:18]:
I know that there is some information at http://www.suse.de/~marc/suse.html but... any manual... examples of configuring a simple firewall, one with a DMZ, etc.
/usr/share/doc/packages/SuSEfirewall -- -ckm
----- Original Message -----
From: "steve" <fsanta@arrakis.es>
To: "SuSE" <suse-linux-e@suse.com>
Sent: Thursday, April 25, 2002 10:24 PM
Subject: Re: [SLE] suse firewall on cd
On Friday 19 April 2002 19:51, you wrote:
Hi. Thanks for all this effort. 5, 6, 7 and 8 work fine in test mode but lock tight after 9. There is no /var/log/firewall (we installed SuSEfirewall2-2.1 after uninstalling the normal 7.3 installation packages and uninstalling the personal firewall) and /var/log/messages gives nothing relevant. We can't ask you for any more. We tried pmfirewall and it works. It's not what we really wanted but it's time that we must save. Thanks again. Steve.
I would think that if PMFirewall worked, then you don't have iptables installed. IIRC, SuSEFirewall2 works with iptables. PMFirewall only works with ipchains. Or am I missing something? Stan Koper
At 17:24 19/04/02 +0200, steve wrote:
I am trying to configure firewall2. It's just that someone said the personal firewall would work too. In desperation we have tried many combinations, none of which work!
Dump firewall2 and roll your own firewall script using iptables... Far easier to customise, and a much better solution. I have my own running on my gateway - I'm happy to make it available to anyone who wants it. It's still a work in progress, of course, and I'm always refining the rules and plugging holes, but it would be a good start, jon
participants (6)
- Christopher Mahmood
- Jon Biddell
- Linux - User
- Stan Koper
- steve
- Togan Muftuoglu