Run out to: http://www.sdesign.com/securitytest/ and get a basic site scan done for free. It will tell you where your holes are!

JLK

On Sunday 18 March 2001 07:50, Paul C.Leopardi wrote:
I'm also a home user, but use ADSL. After reading various stuff about firewalls, including some of the IPChains doc, SeaWall, etc. I took another look at the doc on SuSEfirewall and decided it wasn't so complicated after all. With my current SuSEfirewall config, I can use http, ftp, X via ssh, RealAudio and can catch at least some scans. It probably needs a lot of improvement, but here it is anyway.
If there are experts who can point out the obvious holes, please let me know. I especially want to know how to keep RealAudio and still DENY INCOMING_HIGHPORTS_UDP.
I made a one line change in /sbin/SuSEfirewall to prevent DENY of port-unreachable:

#$IPCHAINS -A output -j "$DENY" -p icmp -s $i --icmp-type port-unreachable $LDC # Unreachable
Here is everything in my /etc/rc.config.d/firewall.rc.config which is not commented out or set to "":
FW_DEV_WORLD="eth0 ppp0"
FW_DEV_WORLD_eth0="10.10.0.1 255.255.255.0"
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_WORLD" # e.g. "ippp0" or "$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_GLOBAL_SERVICES="yes" # "yes" is a good choice
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" # Common: "ftp-data" (sadly!)
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" # Common: "DNS" or "domain ntp"
FW_SERVICE_DNS="no" # if yes, FW_SERVICES_*_TCP needs to have port 53
FW_SERVICE_DHCLIENT="yes" # if you use dhclient to get an ip address
FW_SERVICE_DHCPD="no" # set to "yes" if this server is a DHCP server
FW_SERVICE_SAMBA="no" # set to "yes" if this server uses samba as client
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"
Note: I am running pppoed via an ethernet card attached to an ADSL modem. This should explain the 10.10.0.1 address.
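The quoted firewall.rc.config is a plain list of KEY="value" shell assignments, so the settings the thread worries about can be checked mechanically. The script below is an added example, not code from either poster or from SuSEfirewall: it reads such a file (ignoring commented-out lines and trailing "# ..." remarks) and reports the weak settings discussed above, in particular FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes", which opens every UDP port above 1023 rather than the named services the config comment suggests. The file path and the sample content are constructed for the demo.

```shell
#!/bin/sh
# Added audit helper (not part of the original thread): reads a SuSEfirewall
# firewall.rc.config in the KEY="value" shell-variable form quoted above and
# reports the settings discussed in the thread that weaken the filter.
# The sample file written below is constructed from the quoted config.

# fw_get FILE KEY: print KEY's effective (last, uncommented) value with the
# surrounding quotes and any trailing "# ..." comment removed.
fw_get() {
    grep -E "^[[:space:]]*$2=" "$1" | tail -n 1 \
      | sed -E 's/^[^=]*=//; s/[[:space:]]*#.*$//; s/^"//; s/"$//'
}

# fw_audit FILE: one line per finding; prints nothing when all is well.
fw_audit() {
    f="$1"
    if [ "$(fw_get "$f" FW_ALLOW_INCOMING_HIGHPORTS_UDP)" = "yes" ]; then
        echo "HIGH FW_ALLOW_INCOMING_HIGHPORTS_UDP=yes: every UDP port above 1023 is reachable from the world; name the services you need (e.g. \"domain ntp\") instead"
    fi
    case "$(fw_get "$f" FW_ALLOW_INCOMING_HIGHPORTS_TCP)" in
        *ftp-data*)
            echo "MED  FW_ALLOW_INCOMING_HIGHPORTS_TCP includes ftp-data: high TCP ports accept active-mode FTP data connections based only on the remote source port; prefer passive-mode FTP clients" ;;
    esac
    if [ "$(fw_get "$f" FW_ALLOW_FW_SOURCEQUENCH)" = "yes" ]; then
        echo "LOW  FW_ALLOW_FW_SOURCEQUENCH=yes: ICMP source quench is deprecated and not needed; set to \"no\""
    fi
    if [ "$(fw_get "$f" FW_LOG_DENY_ALL)" != "yes" ]; then
        echo "INFO FW_LOG_DENY_ALL!=yes: only critical denies are logged, so most port scans will not appear in the log"
    fi
}

# Constructed sample reproducing the relevant lines of the quoted config.
SAMPLE_CFG="${TMPDIR:-/tmp}/firewall.rc.config.sample"
cat > "$SAMPLE_CFG" <<'EOF'
FW_DEV_WORLD="eth0 ppp0"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" # Common: "ftp-data" (sadly!)
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" # Common: "DNS" or "domain ntp"
#FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
EOF

fw_audit "$SAMPLE_CFG"
```

Point fw_audit at the real /etc/rc.config.d/firewall.rc.config to check a live box; the commented-out UDP line in the sample shows that only the active assignment is read.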
participants (2)
-
Jerry Kreps
-
Paul C.Leopardi