* Nick Selby;
Other than that the only thing I can see regarding the firewall setup is total gibberish to me:
SuSE-FW-DROP means it would have dropped the request if it was running ( not in the test version)
May 8 14:50:13 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:80:48:c9:4a:7d:08:00 SRC=192.168.10.102 DST=192.168.10.4 LEN=153 TOS=0x00 PREC=0x00 TTL=128 ID=15021 DF PROTO=TCP SPT=1031 DPT=139
192.168.10.102 from Sourceport 1031 is sending a to 192.168.10.4 destination port 139 (SAMBA). ANTI-SPOOF means internal addresses 192.168/16 10/8 172.12/16 should not be coming in to the external interface.
Hmmm. I did find / -name firewall2* and got nada. Where would that be?
if version < SUSE 8.0 /etc/rc.config.d/firewall2.rc.config
if version = SuSE 8.0 /etc/sysconfig/SuSEfirewall2
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
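As an added example (not code from the thread or from the SuSEfirewall2 package), a small parser for the SuSE-FW kernel log lines explained above: it splits one line into its fields, checks whether the source is RFC 1918 space, and lists the ANTI-SPOOF drops seen on the device declared external. The sample log lines are constructed in the same format as the one discussed.

```python
import ipaddress
import re

# Constructed sample lines in the format SuSEfirewall2 writes through the kernel
# log (same fields as the line discussed in the thread; values are made up).
SAMPLE_LOG = """\
May 8 14:50:13 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:80:48:c9:4a:7d:08:00 SRC=192.168.10.102 DST=192.168.10.4 LEN=153 TOS=0x00 PREC=0x00 TTL=128 ID=15021 DF PROTO=TCP SPT=1031 DPT=139
May 8 14:50:20 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2801 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 14:51:02 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:80:48:c9:4a:7d:08:00 SRC=203.0.113.7 DST=192.168.10.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=40000 DPT=22
"""

# RFC 1918 space: the ANTI-SPOOF rule drops it when it arrives on the external device.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PREFIX_RE = re.compile(r"SuSE-FW-(\S+)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return {'rule': ..., 'IN': ..., 'SRC': ..., ...} or None if not a SuSE-FW line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"rule": m.group(1)}
    rec.update(FIELD_RE.findall(line[m.end():]))  # bare flags such as DF are skipped
    return rec

def is_private(addr):
    """True if addr lies in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)

def anti_spoof_hits(log_text, ext_dev):
    """ANTI-SPOOF drops that came in on ext_dev, as (src, proto, dpt) tuples."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["rule"] == "DROP-ANTI-SPOOF" and rec.get("IN") == ext_dev:
            hits.append((rec["SRC"], rec.get("PROTO"), rec.get("DPT")))
    return hits

if __name__ == "__main__":
    for src, proto, dpt in anti_spoof_hits(SAMPLE_LOG, "eth0"):
        kind = "private" if is_private(src) else "public"
        print("%s source %s sent %s to port %s on the external device" % (kind, src, proto, dpt))
```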
On Wednesday 08 May 2002 16:11, Togan Muftuoglu wrote:
* Nick Selby;
on 08 May, 2002 wrote: It is always better to send replies back to the list. You may need to fix your mail client or check before you click the mouse or hit the key.
Sorry ...
Other than that the only thing I can see regarding the firewall setup is total gibberish to me:
SuSE-FW-DROP means it would have dropped the request if it was running ( not in the test version)
May 8 14:50:13 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:80:48:c9:4a:7d:08:00 SRC=192.168.10.102 DST=192.168.10.4 LEN=153 TOS=0x00 PREC=0x00 TTL=128 ID=15021 DF PROTO=TCP SPT=1031 DPT=139
192.168.10.102 from Sourceport 1031 is sending a to 192.168.10.4 destination port 139 (SAMBA). ANTI-SPOOF means internal addresses 192.168/16 10/8 172.12/16 should not be coming in to the external interface.
Thanks for that
if version < SUSE 8.0 /etc/rc.config.d/firewall2.rc.config
if version = SuSE 8.0 /etc/sysconfig/SuSEfirewall2
Okay. Looked that over. Fine and dandy. Now from the email before, it seems clear that I need
And still having to allow tcp port 139 ... could that be the problem I was having earlier when nothing got out - that I still had to allow etc. etc?
have you permit port 139 to internal in your firewall2.rc.config
Okay. TCP port 139. In the config file it says, I *THINK*, that I need to write it like this: "ftp", "139" - is that right? Now I get confused when I look at the directions within the page because it seems that there are a number of places I could do that:

# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges seperated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Common: smtp domain
FW_SERVICES_EXT_TCP="http https pop3 pop3s rsync smtp ssh telnet"
# Common: domain
FW_SERVICES_EXT_UDP=""
# Common: domain
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""
#
# Common: smtp domain
FW_SERVICES_DMZ_TCP=""
# Common: domain
FW_SERVICES_DMZ_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Common: ssh smtp domain
FW_SERVICES_INT_TCP=""
# Common: domain syslog
FW_SERVICES_INT_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""

Can anyone shed some more light? Thanks VERY much in advance, Nick
* Nick Selby;
On Wednesday 08 May 2002 16:11, Togan Muftuoglu wrote:
# Common: smtp domain
FW_SERVICES_EXT_TCP="http https pop3 pop3s rsync smtp ssh telnet"
are you really running telnet on your firewall machine and you are letting people in, then why bother with ssh?
This is where you define the services which are accessible from the internet for anyone
This is where you define the services which are accessible from the internet for anyone
if you are not providing these to the world why did you define them here?
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="139"
Can anyone shed some more light?
Yes, reading the *README* *EXAMPLES* *FAQ* will help a lot; they are all under /usr/share/doc/packages/susefirewall2. Marc has really good documentation on configuring the SuSEfirewall; the problem is most of the time hardly anybody is reading any documentation. ( Now if I can fix YaST2 the way I want it to be that would be better ) HTH
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
Hmmm. At 06:25 PM 5/8/2002 +0300, you wrote:
* Nick Selby;
on 08 May, 2002 wrote: On Wednesday 08 May 2002 16:11, Togan Muftuoglu wrote:
# Common: smtp domain
FW_SERVICES_EXT_TCP="http https pop3 pop3s rsync smtp ssh telnet"
are you really running telnet on your firewall machine and you are letting people in, then why bother with ssh?
Okay. Let's be a bit clearer here. Am *I* running it? No. Togan you seem to be accusing me of competence, a charge to which I plead a defiant Not Guilty. Did the thing default to this? Yessireebob. I was asking for help when the port 139 issue came up, and found these entries ALREADY entered by Yast2 (or by default from the factory which is also where my guitar was last tuned).
This is where you define the services which are accessible from the internet for anyone
Well. No. I don't want people to be able to get in like that. Thanks for pointing this out!
This is where you define the services which are accessible from the internet for anyone
if you are not providing these to the world why did you define them here?
Again, I did not. Geez it's as if you think I have some computing experience or something.
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="139"
Can anyone shed some more light?
Yes, reading the *README* *EXAMPLES* *FAQ* will help a lot; they are all under /usr/share/doc/packages/susefirewall2. Marc has really good documentation on configuring the SuSEfirewall; the problem is most of the time hardly anybody is reading any documentation. ( Now if I can fix YaST2 the way I want it to be that would be better )
Doh. RTFM. Okay. good point. But I warn you all....I'll be back. I sure hope SOMEONE ELSE is benefiting from all this, too! ; ) Nick
* Nick Selby;
Did the thing default to this? Yessireebob. I was asking for help when the port 139 issue came up, and found these entries ALREADY entered by Yast2 (or by default from the factory which is also where my guitar was last tuned).
I knew yast2 is a joke :-)
Again, I did not. Geez it's as if you think I have some computing experience or something.
Well, if YaST2 is doing this I would say it is an undocumented feature (sorry, I do not have SuSEfirewall2 installed and can not confirm this). My firewall is still running 2.2.19 with SuSEfirewall-5.1 using ipchains.
Doh. RTFM. Okay. good point. But I warn you all....I'll be back.
If you do not come back that means you are still busy reading or gave up (you should not give up)
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
Hi, On Wednesday 08 May 2002 16:11, Togan Muftuoglu wrote:
# Common: smtp domain
FW_SERVICES_EXT_TCP="http https pop3 pop3s rsync smtp ssh telnet"
are you really running telnet on your firewall machine and you are letting people in, then why bother with ssh?
I have read the FAQ and the README. I have removed the above to read:
FW_SERVICES_EXT_TCP=""
I did this:
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="139"
After reading that ""Masquerading" means that all your internal machines which use services on the internet seem to come from your firewall." I made sure that I was not letting that happen:
FW_MASQUERADE="no"
And
FW_MASQ_DEV=""
I then stopped the previous test mode and started it again
/etc/sbin/SuSEfirewall2 test
I got no warnings other than the fact that I was in text mode. When I looked in the log (/var/log/firewall), it was a reassuring block o' gibberish that augured well
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2801 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=2802 PROTO=UDP SPT=53 DPT=1070 LEN=141
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=179 TOS=0x00 PREC=0x00 TTL=64 ID=2803 PROTO=UDP SPT=53 DPT=1071 LEN=159
May 8 17:50:00 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=2804 PROTO=UDP SPT=53 DPT=1072 LEN=141
May 8 17:50:01 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=161 TOS=0x00 PREC=0x00 TTL=64 ID=2811 PROTO=UDP SPT=53 DPT=1073 LEN=141
May 8 17:50:01 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2812 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:01 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2813 PROTO=UDP SPT=53 DPT=1073 LEN=126
May 8 17:50:02 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=2816 PROTO=UDP SPT=67 DPT=68 LEN=308
May 8 17:50:05 linux kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth0 OUT= MAC=00:d0:59:31:57:27:00:e0:98:96:1b:fc:08:00 SRC=192.168.10.1 DST=192.168.10.4 LEN=146 TOS=0x00 PREC=0x00 TTL=64 ID=2823 PROTO=UDP SPT=53 DPT=1073 LEN=126
linux:/var/log # /sbin/SuSEfirewall2 stop
I then stopped the test and started the firewall like this:
/etc/sbin/SuSEfirewall2 start
And it said it did. And I couldn't access the internet!!
QUESTION 1: The FAQ and the config file say this:
# 8.)
# Do you want to autoprotect all running network services on the firewall?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="yes"
Okay, now I have a network running here, over which I must access the internet from another machine which dials and provides IP forwarding and masquerading. It talks to my ISP and I talk to it. Now, this is a TCP/IP network. Does leaving this FW_AUTOPROTECT_SERVICES="yes" DISABLE my TCP/IP and hence stop me from using my local network to access the internet? Or is that just too simple? TIA, Nick
* Nick Selby;
that Iwas not letting that happen:
FW_MASQUERADE="no"
set this to "yes"
FW_MASQ_DEV=""
set this $DEV_WORLD and set the MASQ_NETS to your network scheme and try again
QUESTION 1: The FAQ and the config file say this:
# If set to "yes", all network access to services TCP and UDP on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="yes"
Okay, now I have a network running here, over which I must access the internet from another machine which dials and provides IP forwarding and masquerading. It talks to my ISP and I talk to it. Now, This is a TCP/IP network.
Does leaving this FW_AUTOPROTECT_SERVICES="yes" DISABLE my TCP/IP and hence stop me from using my local network to access the internet? Or is that just too simple?
No. When you say autodetect, basically running netstat, lsof and a combination of awk and shell scripts, SuSEfirewall2 finds out the services that you are running on the firewall machine like smtp, ssh, ftp, www and protects them by default; if you define the services at FW_SERVICES_EXTERNAL_TCP="ssh" for instance it will let access to ssh, otherwise everything is protected. Actually pretty neat.
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
Hi, I hope we're almost there and appreciate the advice so far. And your comment not to give up. I have to leave the office in a few minutes for a couple of hours... On Wednesday 08 May 2002 18:40, Togan Muftuoglu wrote:
* Nick Selby;
on 08 May, 2002 wrote: that I was not letting that happen:
FW_MASQUERADE="no"
set this to "yes"
FW_MASQ_DEV=""
set this $DEV_WORLD
and set the MASQ_NETS to your network scheme and try again
Er... My network scheme?
# Choice: leave empty or any number of hosts/networks seperated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A target network, protocol and service is appended by a comma to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.
So if my machines all have a 192.168.X.X in there, how would I enter that? With 192.0.0.0? I have several machines connected on the network with Samba allowing the windows machine to talk to me. All of us are connected to a Suse 7.2 machine running the iSDN and the masq/ip forward.
QUESTION 1: The FAQ and the config file say this:
# If set to "yes", all network access to services TCP and UDP on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="yes"
Okay, now I have a network running here, over which I must access the internet from another machine which dials and provides IP forwarding and masquerading. It talks to my ISP and I talk to it. Now, This is a TCP/IP network.
Does leaving this FW_AUTOPROTECT_SERVICES="yes" DISABLE my TCP/IP and hence stop me from using my local network to access the internet? Or is that just too simple?
No. When you say autodetect, basically running netstat, lsof and a combination of awk and shell scripts, SuSEfirewall2 finds out the services that you are running on the firewall machine like smtp, ssh, ftp, www and protects them by default; if you define the services at FW_SERVICES_EXTERNAL_TCP="ssh" for instance it will let access to ssh, otherwise everything is protected. Actually pretty neat.
Ah. Funny you should mention that because I foresaw a day when I'd like to SSH into it and added that!!
* Nick Selby;
So if my machines all have a 192.168.X.X in there, how would I enter that ? With 192.0.0.0 ? I have several machines connected on the network with Samba allowing the windows machine to talk to me. All of us are connected to a Suse 7.2 machine running the iSDN and the masq/ip forward.
192.168.0.0/16 would be very generic but usable :-)
-- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
On Wednesday 08 May 2002 19:16, Togan Muftuoglu wrote:
* Nick Selby;
on 08 May, 2002 wrote: So if my machines all have a 192.168.X.X in there, how would I enter that ? With 192.0.0.0 ? I have several machines connected on the network with Samba allowing the windows machine to talk to me. All of us are connected to a Suse 7.2 machine running the iSDN and the masq/ip forward.
192.168.0.0/16 would be very generic but usable :-)
Nada. Nichts. Niente. Zip. I'd love to look for other options. I got NO warnings on starting the firewall. I set all the options, I believe, as we have been discussing here on this string and now I have the following firewall settings:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$DEV_WORLD"
FW_MASQ_NETS="192.168.0.0/16"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="139"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DHCLIENT="yes"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
# END of rc.firewall
Can anyone help? Thanks in advance, Nick
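As an added example (not code from the thread or from SuSEfirewall2 itself), a small checker that reads FW_* assignments in the form pasted above and flags the three things this thread kept circling back to: the same interface named as both FW_DEV_EXT and FW_DEV_INT (so LAN packets hit the external ANTI-SPOOF rule explained earlier in the thread), cleartext services left in FW_SERVICES_EXT_TCP, and masquerading switched on without FW_MASQ_DEV or FW_MASQ_NETS. The sample config is constructed and the checks are heuristics, not SuSEfirewall2's own validation.

```python
import re

# Constructed excerpt modelled on the settings pasted in the thread
# (not the poster's file verbatim; only the keys the checks below look at).
SAMPLE_CONFIG = '''
FW_DEV_EXT="eth0"
FW_DEV_INT="eth0"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$DEV_WORLD"
FW_MASQ_NETS="192.168.0.0/16"
FW_SERVICES_EXT_TCP="http https pop3 pop3s rsync smtp ssh telnet"
FW_SERVICES_INT_TCP="139"
'''

ASSIGN_RE = re.compile(r'^\s*(FW_\w+)="([^"]*)"\s*$')

# Cleartext services a firewall box should not offer to the world (a policy choice here).
CLEARTEXT = {"telnet", "pop3", "ftp"}

def parse_config(text):
    """Return the FW_* assignments as a dict; comments and other lines are ignored."""
    cfg = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def check_config(cfg):
    """Return a list of findings; an empty list means none of the heuristics fired."""
    findings = []
    ext, internal = cfg.get("FW_DEV_EXT", ""), cfg.get("FW_DEV_INT", "")
    if ext and ext == internal:
        findings.append("FW_DEV_EXT and FW_DEV_INT are the same interface (%s): LAN traffic "
                        "arrives on the external device and matches the ANTI-SPOOF rule" % ext)
    exposed = CLEARTEXT & set(cfg.get("FW_SERVICES_EXT_TCP", "").split())
    if exposed:
        findings.append("cleartext services open to the internet: " + " ".join(sorted(exposed)))
    if cfg.get("FW_MASQUERADE") == "yes":
        if not cfg.get("FW_MASQ_DEV"):
            findings.append("FW_MASQUERADE=yes but FW_MASQ_DEV is empty")
        if not cfg.get("FW_MASQ_NETS"):
            findings.append("FW_MASQUERADE=yes but FW_MASQ_NETS is empty")
    return findings

if __name__ == "__main__":
    for finding in check_config(parse_config(SAMPLE_CONFIG)):
        print("WARNING:", finding)
```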