how to get internet to cross suse firewall2
Hi We have a server with eth0 for our internal samba network and the internet cable is plugged into eth1. We have Squid running. The server is 192.168.0.1 and the clients 192.168.0.2 etc. The internal lan works fine and we have set up a local intranet to prove it. If I set FW_DEV_EXT to eth1 nothing gets through from the internet. If I leave it blank, then it's fine but presumably unprotected. What else do I need to set apart from FW_DEV_EXT. I'd prefer to use Yast 2 to set up suse firewall2. Thanks for any help. Steve.
* scc; <fsanta@arrakis.es> on 22 Mar, 2002 wrote:
Hi
If I set FW_DEV_EXT to eth1 nothing gets through from the internet. If I leave it blank, then it's fine but presumably unprotected. What else do I need to set apart from FW_DEV_EXT. I'd prefer to use Yast 2 to set up suse firewall2.
Regardless of the method you need to give some info of the current settings. open up an xterm (or whatever terminal program you prefer)
grep -v ^# /etc/rc.config.d/firewall2.rc.config
and send the output to the list then I am sure we can get it going on via YaST2 (might upcoming nightmare) or via YaST (yes the tool) or the masochist way via vim :-)
--
Togan Muftuoglu
On Fri, Mar 22, 2002 at 05:35:12PM +0200, Togan Muftuoglu wrote:
and send the output to the list then I am sure we can get it going on via YaST2 (might upcoming nightmare) or via YaST (yes the tool) or the masochist way via vim :-)
Count me among the masochists :) Regards, Keith -- LPIC-2, MSCE, N+ you may say I'm a dreamer, but I'm not the only one Got spam? Get SPASTIC http://spastic.sourceforge.net
* Keith Winston; <kwinston@twmi.rr.com> on 22 Mar, 2002 wrote:
On Fri, Mar 22, 2002 at 05:35:12PM +0200, Togan Muftuoglu wrote:
and send the output to the list then I am sure we can get it going on via YaST2 (might upcoming nightmare) or via YaST (yes the tool) or the masochist way via vim :-)
Count me among the masochists :)
Makes two of us so far -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
On Friday 22 March 2002 18.20, Togan Muftuoglu wrote:
* Keith Winston; <kwinston@twmi.rr.com> on 22 Mar, 2002 wrote:
On Fri, Mar 22, 2002 at 05:35:12PM +0200, Togan Muftuoglu wrote:
and send the output to the list then I am sure we can get it going on via YaST2 (might upcoming nightmare) or via YaST (yes the tool) or the masochist way via vim :-)
Count me among the masochists :)
Makes two of us so far
I don't know what's so masochistic about it. firewall2.rc.config is exceptionally well documented. If you don't like vim use kedit or nedit. It should still be faster than starting up yast2. Besides, I didn't know you could set the firewall options in YaST. Where would that be? //Anders
* Anders Johansson; <andjoh@cicada.linux-site.net> on 22 Mar, 2002 wrote:
On Friday 22 March 2002 18.20, Togan Muftuoglu wrote:
I don't know what's so masochistic about it. firewall2.rc.config is exceptionally well documented. If you don't like vim use kedit or nedit. It should still be faster than starting up yast2.
Ok ok with you we make three now :-)
Besides, I didn't know you could set the firewall options in YaST. Where would that be?
Yast -->System Administration--->Change Configuration you will see the FW_DEV_WORLD and all the other stuff yet the comments are limited (Not like reading the firewall2.rc.config) That is also same with Yast2 it just reads the firewall2.rc.config and it is placed under a different heading (Security) IIRC. -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
On Friday 22 March 2002 16:35, you wrote:
* scc; <fsanta@arrakis.es> on 22 Mar, 2002 wrote:
Hi
If I set FW_DEV_EXT to eth1 nothing gets through from the internet. If I leave it blank, then it's fine but presumably unprotected. What else do I need to set apart from FW_DEV_EXT. I'd prefer to use Yast 2 to set up suse firewall2.
Regardless of the method you need to give some info of the current settings. open up an xterm (or whatever terminal program you prefer)
grep -v ^# /etc/rc.config.d/firewall2.rc.config
and send the output to the list then I am sure we can get it going on via YaST2 (might upcoming nightmare) or via YaST (yes the tool) or the masochist way via vim :-)
Hi. Here is the grep. Thanks.
FW_DEV_EXT="eth1"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="3128 53 21 139"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
* scc; <fsanta@arrakis.es> on 23 Mar, 2002 wrote:
On Friday 22 March 2002 16:35, you wrote:
* scc; <fsanta@arrakis.es> on 22 Mar, 2002 wrote: Hi. Here is the grep. Thanks.
FW_DEV_EXT="eth1"
FW_DEV_INT=""
IIRC you mentioned eth0 was your internal connecting device, so FW_DEV_INT=eth0
FW_MASQUERADE="no"
should be yes
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
192.168.0.0/16 or whatever your LOCAL_NET mask is
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="3128 53 21 139"
Are you running these services? I doubt 139. If you are not providing anything to the internet then leave the above blank
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
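The points raised in the reply above (FW_DEV_INT, FW_MASQUERADE with FW_MASQ_NETS, and the ports in FW_SERVICES_EXT_TCP) written as a check over a firewall2.rc.config. This is an added example, not part of the original thread: the function names and finding messages are made up here, and the sample input is the relevant subset of the config posted above.

```shell
#!/bin/sh
# Added example: checks the SuSEfirewall2 variables discussed in the reply above.
# cfg_get, audit_fw and sample_cfg are names made up for this example.

# Print the value of variable $1 from the config text held in $cfg.
cfg_get() {
    printf '%s\n' "$cfg" |
        sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" | tail -n 1
}

# Read a firewall2.rc.config on stdin, print one finding per line.
audit_fw() {
    cfg=$(cat)
    if [ -z "$(cfg_get FW_DEV_INT)" ]; then
        echo "FW_DEV_INT: empty, the LAN interface is not declared internal"
    fi
    if [ "$(cfg_get FW_MASQUERADE)" != "yes" ]; then
        echo "FW_MASQUERADE: not 'yes', LAN clients are not masqueraded"
    elif [ -z "$(cfg_get FW_MASQ_NETS)" ]; then
        echo "FW_MASQ_NETS: empty, no network is named for masquerading"
    fi
    # Every port listed here is offered on the external interface.
    for p in $(cfg_get FW_SERVICES_EXT_TCP); do
        case $p in
            21)   name="FTP" ;;
            53)   name="DNS" ;;
            139)  name="NetBIOS session (Samba)" ;;
            3128) name="Squid default port" ;;
            *)    name="unlabelled in this example" ;;
        esac
        echo "FW_SERVICES_EXT_TCP: tcp/$p ($name) is open to the external side"
    done
    return 0
}

# Constructed sample: the relevant lines from the config posted in the thread.
sample_cfg() {
    cat <<'EOF'
FW_DEV_EXT="eth1"
FW_DEV_INT=""
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_SERVICES_EXT_TCP="3128 53 21 139"
EOF
}

sample_cfg | audit_fw
```

To check a live file, feed it on stdin: `audit_fw < /etc/rc.config.d/firewall2.rc.config`.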
Hi! Where could I get a list of usual port numbers? I know a few by heart, but there must be a full list somewhere! TIA Thomas
thomas@noproblem.net wrote:
Hi!
Where could I get a list of usual port numbers? I know a few by heart, but there must be a full list somewhere!
TIA
Thomas
Try here: http://www.isi.edu/in-notes/iana/assignments/port-numbers
Thomas Beauchamp wrote:
Hi!
Where could I get a list of usual port numbers? I know a few by heart, but there must be a full list somewhere!
/etc/services -- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871
Hi! I have a 7.1 Pro box, running Samba. I'd like to upgrade to 7.3 Pro. Would YaST2 do the job? Any precaution to take? Any disaster to expect? TIA
Hi! It looks as if I can't track any answer! Is this such an impossible mission? :-) Thomas
-----Original Message-----
From: Thomas Beauchamp [mailto:thomas@noproblem.net]
Sent: Tuesday, March 26, 2002 12:46 AM
To: 'SuSE'
Subject: [SLE] From 7.1 Pro to 7.3 Pro
Hi! I have a 7.1 Pro box, running Samba. I'd like to upgrade to 7.3 Pro. Would YaST2 do the job? Any precaution to take? Any disaster to expect? TIA
Thomas Beauchamp wrote:
Hi!
I have a 7.1 Pro box, running Samba. I'd like to upgrade to 7.3 Pro.
I've done it on 3 machines. Smooth job, SuSE style.
Would YaST2 do the job?
Yes :-)
Any precaution to take?
It takes the same time as installing. Your favourite food + drink :-D
Any disaster to expect?
Use a UPS and make a backup of all your important data. CD-R are cheap. Lost data is ...
TIA
Best Regards and Happy Update
--
Prof. Andres Augusto Nogueiras Melendez
Departamento de Tecnologia Electronica
Universidad de Vigo
Campus Lagoas Marcosende, 9  http://www.dte.uvigo.es
36280 - Vigo  mailto:aaugusto@uvigo.es
Pontevedra  tel: +34-986 812 091
Spain  fax: +34-986 469 547
participants (8)
- Anders Johansson
- Andrés A. Nogueiras Meléndez
- Joe & Sesil Morris (NTM)
- John Scott
- Keith Winston
- scc
- Thomas Beauchamp
- Togan Muftuoglu