Firewall Problem
I have never used SuSE Firewall because I have a router with a built-in firewall, but recently I lost my router and it took a few days to get a new one. Meanwhile, my machine was exposed. So, I decided it would be a good idea to go ahead and enable the firewall, even though I shouldn't really need it currently since I now have a new router. Well, I am having problems with the firewall. I have an Oracle database on the machine which I access from another machine via Oracle's built-in Apache server configuration (it comes with a complete Apache server configuration). Anyway, I am unable to connect to the machine with the newly enabled firewall via that http server (the browser says the site is unreachable, or something like that). I set "Allow All Services" for all zones and STILL I can't connect. Can someone tell me what I am missing here? Thanks, Greg Wallace
On Friday 20 October 2006 13:20, Greg Wallace wrote:
Well, I am having problems with the firewall. I have an Oracle database on the machine which I access from another machine via Oracle's built-in Apache server configuration (it comes with a complete Apache server configuration). Anyway, I am unable to connect to the machine with the newly enabled firewall via that http server (the browser says the site is unreachable, or something like that). I set "Allow All Services" for all zones and STILL I can't connect. Can someone tell me what I am missing here?
Thanks, Greg Wallace
Sounds like it is working exceptionally well. Blocks everything. What more could you ask of a firewall? Sorry, but your sad tale of woe perked up my day. Been there, etc. Can't help you further, though. Fred
On 20/10/06 12:20, Greg Wallace wrote:
I have never used SuSE Firewall because I have a router with a built-in firewall, but recently I lost my router and it took a few days to get a new one. Meanwhile, my machine was exposed. So, I decided it would be a good idea to go ahead and enable the firewall, even though I shouldn't really need it currently since I now have a new router.
Security should be a layered defence. A firewall on each internal network system simply adds protection to what you get from a firewall on the gateway. You only enable those services you actually need, and configure them with security in mind. Don't rely on a single point of failure to protect you.
Well, I am having problems with the firewall. I have an Oracle database on the machine which I access from another machine via Oracle's built-in Apache server configuration (it comes with a complete Apache server configuration). Anyway, I am unable to connect to the machine with the newly enabled firewall via that http server (the browser says the site is unreachable, or something like that). I set "Allow All Services" for all zones and STILL I can't connect. Can someone tell me what I am missing here?
Can't tell you a thing right now :-) What version of SuSE are you running? There seem to be minor differences in the SuSEfirewall between versions. Please post the results of:

iptables-save
cat /etc/sysconfig/SuSEfirewall2
On Friday, October 20, 2006 @ 2:07 PM, Darryl Gregorash wrote:
On 20/10/06 12:20, Greg Wallace wrote:
I have never used SuSE Firewall because I have a router with a built-in firewall, but recently I lost my router and it took a few days to get a new one. Meanwhile, my machine was exposed. So, I decided it would be a good idea to go ahead and enable the firewall, even though I shouldn't really need it currently since I now have a new router.
Security should be a layered defence. A firewall on each internal network system simply adds protection to what you get from a firewall on the gateway. You only enable those services you actually need, and configure them with security in mind. Don't rely on a single point of failure to protect you.
Well, I am having problems with the firewall. I have an Oracle database on the machine which I access from another machine via Oracle's built-in Apache server configuration (it comes with a complete Apache server configuration). Anyway, I am unable to connect to the machine with the newly enabled firewall via that http server (the browser says the site is unreachable, or something like that). I set "Allow All Services" for all zones and STILL I can't connect. Can someone tell me what I am missing here?
Can't tell you a thing right now :-) What version of SuSE are you running? There seem to be minor differences in the SuSEfirewall between versions.
Please post the results of:
iptables-save
cat /etc/sysconfig/SuSEfirewall2
I'm running SUSE Linux 10.1. Here's the output you requested. I trimmed the comments out of /etc/sysconfig/SuSEfirewall2. Hopefully, I didn't cut out any parameters by mistake, but the comments made the list huge.

Iptables-save

# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006
*mangle
:PREROUTING ACCEPT [29482:26507005]
:INPUT ACCEPT [29482:26507005]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [21621:1318988]
:POSTROUTING ACCEPT [21752:1348250]
COMMIT
# Completed on Fri Oct 20 23:23:14 2006
# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006
*nat
:PREROUTING ACCEPT [1233:168093]
:POSTROUTING ACCEPT [4224:265064]
:OUTPUT ACCEPT [4224:265064]
COMMIT
# Completed on Fri Oct 20 23:23:14 2006
# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18:936]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j LOG --log-prefix "SFW2-IN-ACC-RELATED " --log-tcp-options --log-ip-options
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Fri Oct 20 23:23:14 2006

cat /etc/sysconfig/SuSEfirewall2

FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_SERVICES_EXT_TCP="5801 5901 domain http https imap imaps ipp iscsi-target ldap ldaps microsoft-ds mysql netbios-ssn pbs pbs_mom pbs_resmom pbs_sched pop3 pop3s rsync smtp ssh svrloc xdmcp"
FW_SERVICES_EXT_UDP="bootpc bootps domain ipp ipsec-nat-t isakmp netbios-dgm netbios-ns ntp pbs_resmom svrloc tftp xdmcp"
FW_SERVICES_EXT_IP="esp"
FW_SERVICES_DMZ_TCP="5801 5901 domain http https imap imaps ipp iscsi-target ldap ldaps microsoft-ds mysql netbios-ssn pbs pbs_mom pbs_resmom pbs_sched pop3 pop3s rsync smtp ssh svrloc xdmcp"
FW_SERVICES_DMZ_UDP="bootpc bootps domain ipp ipsec-nat-t isakmp netbios-dgm netbios-ns ntp pbs_resmom svrloc tftp xdmcp"
FW_SERVICES_DMZ_IP="esp"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP="bootpc"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="" :-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_SERVICES_EXT_RPC="fypxfrd mountd nfs nfs_acl nlockmgr portmap sgi_fam status ypbind yppasswdd ypserv"
FW_SERVICES_DMZ_RPC="fypxfrd mountd nfs nfs_acl nlockmgr portmap sgi_fam status ypbind yppasswdd ypserv"
FW_SERVICES_INT_RPC=""
FW_LOG=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_LOG_LIMIT=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_ACCEPT_EXT=""
FW_ALLOW_FW_BROADCAST_EXT="bootps ipp ntp xdmcp svrloc netbios-ns netbios-dgm"
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ="bootps ipp ntp xdmcp svrloc netbios-ns netbios-dgm"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="yes"
FW_IGNORE_FW_BROADCAST_DMZ="yes"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES=""
FW_FORWARD_ALWAYS_INOUT_DEV=""
On 20/10/06 22:54, Greg Wallace wrote:
I'm running SUSE Linux 10.1. Here's the output you requested. I trimmed the comments out of /etc/sysconfig/SuSEfirewall2. Hopefully, I didn't cut out any parameters by mistake, but the comments made the list huge.
No big deal, if I need them I can read my own config file :-)
Iptables-save
# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006 <snip> That stuff isn't any help, because....
cat /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
You really must have one of these defined, because without it, the firewall rules are essentially meaningless. In particular, you will note in the iptables-save stuff that there is no rule to accept NEW connections of any kind (except, of course, on device lo). Nothing you've entered in the FW_SERVICES* entries have a corresponding rule.

Here's what these should look like with the naming conventions in SuSE:

FW_DEV_EXT="eth-id-00:50:ba:c4:91:43"
FW_DEV_INT="eth-id-00:50:fc:8b:4d:d1"

If you only have one network card in the system, then define it as the external interface. IMO, the firewall is easier to configure that way. Look in /etc/sysconfig/network for the device names, eg.

# ls /etc/sysconfig/network/
.   config  if-down.d  ifcfg-eth-id-00:50:ba:c4:91:43  ifcfg-lo        ifroute-lo  scripts
..  dhcp    if-up.d    ifcfg-eth-id-00:50:fc:8b:4d:d1  ifcfg.template  providers   wireless

Once you've done this change, restart the firewall, and see if things start working.
On Saturday, October 21, 2006 @ 12:10 AM, Darryl Gregorash wrote:
On 20/10/06 22:54, Greg Wallace wrote:
I'm running SUSE Linux 10.1. Here's the output you requested. I trimmed the comments out of /etc/sysconfig/SuSEfirewall2. Hopefully, I didn't cut out any parameters by mistake, but the comments made the list huge.
No big deal, if I need them I can read my own config file :-)
Iptables-save
# Generated by iptables-save v1.3.5 on Fri Oct 20 23:23:14 2006 <snip> That stuff isn't any help, because....
cat /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
You really must have one of these defined, because without it, the firewall rules are essentially meaningless. In particular, you will note in the iptables-save stuff that there is no rule to accept NEW connections of any kind (except, of course, on device lo). Nothing you've entered in the FW_SERVICES* entries have a corresponding rule.
Here's what these should look like with the naming conventions in SuSE:
FW_DEV_EXT="eth-id-00:50:ba:c4:91:43"
FW_DEV_INT="eth-id-00:50:fc:8b:4d:d1"
If you only have one network card in the system, then define it as the external interface. IMO, the firewall is easier to configure that way. Look in /etc/sysconfig/network for the device names, eg.
# ls /etc/sysconfig/network/
.   config  if-down.d  ifcfg-eth-id-00:50:ba:c4:91:43  ifcfg-lo        ifroute-lo  scripts
..  dhcp    if-up.d    ifcfg-eth-id-00:50:fc:8b:4d:d1  ifcfg.template  providers   wireless
Once you've done this change, restart the firewall, and see if things start working.

Sorry it took me so long to get back on this, but I had major problems on my Winblows machine (and still do have). Anyway, you hit it right on the head as far as what the problem was. I was actually able to make the change you described in the YaST Firewall GUI as opposed to going in and modifying the config file. There's a tab in the GUI called "Interfaces". Under "Interface or String", there was one entry, eth-id-00:08:74:24:85:82, which must be for the one network interface I have. Under "Configured in", it had "No Zone Assigned". I simply changed that to "External Zone", went to the "Allowed Services" tab, checked "Protect Firewall from Internal Zone", added the two ports I access via a web browser to "TCP" under "Advanced", and everything is working perfectly. Interestingly, with "Protect Firewall from Internal Zone" unchecked, I can access the HTTP server with no problem, even with no "Allowed Services" specified. On the other hand, with "Protect Firewall from Internal Zone" checked, I cannot access the HTTP server no matter what service I allow. The only way to access it is to specify the ports under TCP under Advanced, and I don't need to specify any Allowed Services. So, I'm wondering just what the heck Allowed Services is supposed to do. Choosing them or not seemed to have absolutely no effect on what services were allowed.
Greg Wallace
On 22/10/06 20:55, Greg Wallace wrote:
<snip> Sorry it took me so long to get back on this, but I had major problems on my Winblows machine (and still do have). Anyway, you hit it right on the head as far as what the problem was. I was actually able to make the change you described in the YaST Firewall GUI as opposed to going in and modifying the config file. There's a tab in the GUI called "Interfaces". Under "Interface or String", there was one entry, eth-id-00:08:74:24:85:82, which must be for the one network interface I have. Under "Configured in", it had "No Zone Assigned". I simply changed that to "External Zone", went to the "Allowed Services" tab, checked "Protect Firewall from Internal Zone", added the two ports I access via a web browser to "TCP" under "Advanced", and everything is working perfectly. Interestingly, with "Protect Firewall from Internal Zone" unchecked, I can access the HTTP server with no problem, even with no "Allowed Services" specified. On the other hand, with "Protect Firewall from Internal Zone" checked, I cannot access the HTTP server no matter what service I allow. The only way to access it is to specify the ports under TCP under Advanced, and I don't need to specify any Allowed Services. So, I'm wondering just what the heck Allowed Services is supposed to do. Choosing them or not seemed to have absolutely no effect on what services were allowed.
This Allowed Services setting should do the same as editing the FW_SERVICES_<zone>_* variables manually, eg. in the Yast sysconfig editor. I have no idea what will happen if you check the protect from internal zone box, given that you only have an external interface defined. Clearly what is happening isn't what you want to happen :-) I would probably have to look at the results of iptables-save with this setting in effect to know what it does.

The config file says this about the variable:

# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.

Since you don't even have an internal device defined, protecting the system on the internal zone isn't even necessary.
On Monday, October 23, 2006 @ 2:38 PM, Darryl Gregorash wrote:
On 22/10/06 20:55, Greg Wallace wrote:
<snip> I simply changed that to "External Zone", went to the "Allowed Services" tab, checked "Protect Firewall from Internal Zone", added the two ports I access via a web browser to "TCP" under "Advanced", and everything is working perfectly. Interestingly, with "Protect Firewall from Internal Zone" unchecked, I can access the HTTP server with no problem, even with no "Allowed Services" specified. On the other hand, with "Protect Firewall from Internal Zone" checked, I cannot access the HTTP server no matter what service I allow. The only way to access it is to specify the ports under TCP under Advanced, and I don't need to specify any Allowed Services. So, I'm wondering just what the heck Allowed Services is supposed to do. Choosing them or not seemed to have absolutely no effect on what services were allowed.
This Allowed Services setting should do the same as editing the FW_SERVICES_<zone>_* variables manually, eg. in the Yast sysconfig editor. I have no idea what will happen if you check the protect from internal zone box, given that you only have an external interface defined. Clearly what is happening isn't what you want to happen :-) I would probably have to look at the results of iptables-save with this setting in effect to know what it does.
The config file says this about the variable:
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
Since you don't even have an internal device defined, protecting the system on the internal zone isn't even necessary.
Ok, I see what you're saying. So checking that box has no bearing on how the firewall works. I still have questions about the "Allowed Services", however. If I add HTTP CLIENT and HTTP SERVER as allowed services in the external zone, I still can't access my Apache server from an outside machine. Only if I specifically enter the ports that they serve can I access them. And if I do that, it doesn't matter if I have HTTP CLIENT and/or HTTP SERVER selected as allowed services. It just makes me wonder what the purpose of those allowed services is. Maybe there is a specific port applicable to each and I am not using that particular port. Otherwise, I don't know what the purpose of those allowed services is. Greg Wallace
On 23/10/06 14:43, Greg Wallace wrote:
On Monday, October 23, 2006 @ 2:38 PM, Darryl Gregorash wrote:
<snip>
Since you don't even have an internal device defined, protecting the system on the internal zone isn't even necessary.
Ok, I see what you're saying. So checking that box has no bearing on how the firewall works. I still have questions about the "Allowed Services",
From what you've been saying, evidently it does. However, I have no idea what it does when there is no internal network device specified.
however. If I add HTTP CLIENT and HTTP SERVER as allowed services in the external zone, I still can't access my Apache server from an outside machine. Only if I specifically enter the ports that they serve can I access them. And if I do that, it doesn't matter if I have HTTP CLIENT and/or HTTP SERVER selected as allowed services. It just makes me wonder what the purpose of those allowed services is. Maybe there is a specific port applicable to each and I am not using that particular port. Otherwise, I don't know what the purpose of those allowed services is.

Interesting... I never use the Security/Firewall section, but instead use the sysconfig editor (or a text editor for minor changes).
The "allowed services" section seems to work for the internal zone (when the protect firewall from internal zone box is checked, of course -- if it isn't, then the internal zone is wide open), but not the external zone. I have a whole list of services the silly thing claims are open on my external zone, but they sure are not in the actual firewall. I can add a service, eg. DHCP client, which properly adds the bootpc port to the ext_udp list, but cannot remove things like HTTP server, which I do not have, and which is definitely *not* open. Soon as I can remember my username/password at Novell I'll see about a bug report.
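The two points the thread turned on, as an added example that is not code from the thread: FW_SERVICES_* entries do nothing until the interface is assigned to a zone via FW_DEV_EXT/INT/DMZ, and a service name such as "http" in FW_SERVICES_EXT_TCP means the /etc/services port (80), so a daemon listening on some other port must have that port listed explicitly. The services table is a constructed subset of /etc/services, and port 7777 is a constructed placeholder for whatever port Oracle's Apache actually listens on.

```python
import re
# Constructed subset of /etc/services (assumption); SuSEfirewall2 resolves
# the names in FW_SERVICES_*_TCP the same way, so "http" means port 80.
SERVICES = {"http": 80, "https": 443, "ssh": 22, "domain": 53, "smtp": 25}
ZONE_DEVS = ("FW_DEV_EXT", "FW_DEV_INT", "FW_DEV_DMZ")


def parse_sysconfig(text):
    """Parse KEY="value" lines into a dict; comments and blank lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z_][A-Za-z0-9_]*)="(.*)"$', line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def zone_devices(cfg):
    """Zones (EXT/INT/DMZ) that actually have an interface assigned."""
    return [k[len("FW_DEV_"):] for k in ZONE_DEVS if cfg.get(k, "").strip()]


def allowed_tcp_ports(cfg, zone):
    """Resolve FW_SERVICES_<zone>_TCP entries (names, ports, lo:hi ranges) to ports."""
    ports = set()
    for item in cfg.get("FW_SERVICES_%s_TCP" % zone, "").split():
        if item.isdigit():
            ports.add(int(item))
        elif ":" in item:
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif item in SERVICES:
            ports.add(SERVICES[item])
    return ports


def check(cfg, listen_port):
    """Say whether a daemon on listen_port is reachable under this config."""
    zones = zone_devices(cfg)
    if not zones:
        return "no interface assigned to any zone: FW_SERVICES_* are ignored"
    for z in zones:
        if listen_port in allowed_tcp_ports(cfg, z):
            return "tcp/%d open in %s zone" % (listen_port, z)
    return "tcp/%d not in any FW_SERVICES_<zone>_TCP list" % listen_port


# Constructed from the thread's dump: NIC not assigned, services listed anyway.
BROKEN = '''
FW_DEV_EXT=""
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="5801 5901 domain http https ssh"
'''
# Same config after the fix Greg applied: the single NIC goes into the
# external zone, and the custom port (7777 is a constructed placeholder
# for whatever Oracle's Apache listens on) is added explicitly.
FIXED = BROKEN.replace('FW_DEV_EXT=""', 'FW_DEV_EXT="eth-id-00:08:74:24:85:82"'
                       ).replace('ssh"', 'ssh 7777"')

if __name__ == "__main__":
    for name, text in (("broken", BROKEN), ("fixed", FIXED)):
        cfg = parse_sysconfig(text)
        print(name, check(cfg, 80), "/", check(cfg, 7777))
```

Run against the real file with `parse_sysconfig(open("/etc/sysconfig/SuSEfirewall2").read())` to get the same verdict for a live configuration.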
participants (3)
- Darryl Gregorash
- Greg Wallace
- Stevens