[SLE] firewall question
I have installed my firewall, and done some tests to see if it is working (nmap, ipchains -L, etc.). All of these things have come back and said that I have ports open that I thought were closed. I also told the firewall script not to enable ftp (did not give the IP address of the ftp server in the rc.config script) and all other services of the sort, but e-mail. However, I'm still able to ftp to this computer from the outside world.

What gives? Is the default firewall script that came with SuSE 6.1 broken, or should I have configured things differently? In order for me to promote this distribution, which I have gladly done in the past, I must be able to prove without a shadow of a doubt that it is very tight and secure, otherwise those that make the choices will not choose wisely ;-)

Any help would be great, and below I have attached the firewall portion of the config file:

FW_START="no"
FW_LOCALNETS="192.168.0.0/24"
FW_FTPSERVER=""
FW_WWWSERVER=""
FW_SSLSERVER=""
FW_SSLPORT=""
FW_MAILSERVER="199.218.243.183"
FW_DNSSERVER=""
FW_NNTPSERVER=""
FW_NEWSFEED=""
FW_WORLD_DEV="ppp0"
FW_INT_DEV="eth0"
FW_LOG_ACCEPT="no"
FW_LOG_DENY="yes"
FW_ROUTER=""
FW_FRIENDS="no"
FW_INOUT="no"
FW_SSH="no"
FW_TRANSPROXY_OUT=""
FW_TRANSPROXY_IN=""
FW_REDIRECT=""
FW_TCP_LOCKED_PORTS="1:1023"
FW_UDP_LOCKED_PORTS="1:1023"

Thanks,
Robert

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
Robert, Sorry if that's too obvious, but I thought it's better to ask: Apparently you don't start the firewall automatically at system start-up (FW_START=no) so you must start it manually (i.e. /sbin/init.d/firewall start or rcfirewall start)?
FW_START="no"
FW_LOCALNETS="192.168.0.0/24"
FW_FTPSERVER=""
FW_WWWSERVER=""
FW_SSLSERVER=""
FW_SSLPORT=""
FW_MAILSERVER="199.218.243.183"
FW_DNSSERVER=""
FW_NNTPSERVER=""
FW_NEWSFEED=""
FW_WORLD_DEV="ppp0"
FW_INT_DEV="eth0"
FW_LOG_ACCEPT="no"
FW_LOG_DENY="yes"
FW_ROUTER=""
FW_FRIENDS="no"
FW_INOUT="no"
FW_SSH="no"
FW_TRANSPROXY_OUT=""
FW_TRANSPROXY_IN=""
FW_REDIRECT=""
FW_TCP_LOCKED_PORTS="1:1023"
FW_UDP_LOCKED_PORTS="1:1023"
Regards, Michael Doerner
No, actually, that will still fail.

test "$FW_START" = yes || exit 0

is in the firewall script. You might think that if you manually start it, it should work, but not under SuSE. I suppose you could edit /etc/rc.d/init.d/firewall to have a "do-it-dammit" command, but it seems like more work than an admin should have to do.

If I call "./firewall start", I expect the firewalling code to start. Period. If SuSE wants to use silly "FW_START" environment variables, let them write something that parses /etc/rc.config and creates/unlinks the /etc/rcX.d/* symlinks appropriately.

D

At 01:30 PM 3/25/00 +1200, Michael Doerner wrote:
Robert,
Sorry if that's too obvious, but I thought it's better to ask: Apparently you don't start the firewall automatically at system start-up (FW_START=no) so you must start it manually (i.e. /sbin/init.d/firewall start or rcfirewall start)?
FW_START="no"
FW_LOCALNETS="192.168.0.0/24"
FW_FTPSERVER=""
FW_WWWSERVER=""
FW_SSLSERVER=""
FW_SSLPORT=""
FW_MAILSERVER="199.218.243.183"
FW_DNSSERVER=""
FW_NNTPSERVER=""
FW_NEWSFEED=""
FW_WORLD_DEV="ppp0"
FW_INT_DEV="eth0"
FW_LOG_ACCEPT="no"
FW_LOG_DENY="yes"
FW_ROUTER=""
FW_FRIENDS="no"
FW_INOUT="no"
FW_SSH="no"
FW_TRANSPROXY_OUT=""
FW_TRANSPROXY_IN=""
FW_REDIRECT=""
FW_TCP_LOCKED_PORTS="1:1023"
FW_UDP_LOCKED_PORTS="1:1023"
Regards, Michael Doerner
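Added example, not part of the original thread and not SuSE's script: it reproduces the guard line quoted above to show that a manual "start" with FW_START="no" exits 0 while loading nothing, next to a stricter variant that reports the skip. The function names, the marker file standing in for rule loading, and the sample config are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed sample input: two settings copied from the posted rc.config excerpt.
SAMPLE_CONFIG='FW_START="no"
FW_WORLD_DEV="ppp0"'

# Hypothetical stand-in for the init script. The guard line is the one quoted
# in the thread; writing the marker file stands in for loading ipchains rules.
guarded_start() {   # $1 = config file, $2 = marker file
    (
        . "$1"
        test "$FW_START" = yes || exit 0
        echo loaded > "$2"
    )
}

# Variant that makes the skipped start visible to the caller (an assumption
# about what a stricter script could do, not SuSE's behaviour).
strict_start() {    # same arguments as guarded_start
    (
        . "$1"
        if test "$FW_START" != yes; then
            echo "firewall: FW_START is not \"yes\", no rules loaded" >&2
            exit 1
        fi
        echo loaded > "$2"
    )
}

# Run a starter against a config and report exit status plus real effect.
audit_start() {     # $1 = starter function name, $2 = config text
    dir=$(mktemp -d) || return 1
    printf '%s\n' "$2" > "$dir/rc.config"
    if "$1" "$dir/rc.config" "$dir/rules.loaded" 2>/dev/null; then
        status=0
    else
        status=$?
    fi
    if [ -e "$dir/rules.loaded" ]; then effect=rules-loaded; else effect=no-rules; fi
    rm -rf "$dir"
    echo "exit=$status effect=$effect"
}

audit_start guarded_start "$SAMPLE_CONFIG"
audit_start strict_start "$SAMPLE_CONFIG"
```

On the real host, the counterpart of the marker-file check is comparing the output of ipchains -L before and after running the start command, since the exit status alone does not show whether rules were installed.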
Yes, I start a manual firewall.

On Sat, 25 Mar 2000, Michael Doerner wrote:
Robert,
Sorry if that's too obvious, but I thought it's better to ask: Apparently you don't start the firewall automatically at system start-up (FW_START=no) so you must start it manually (i.e. /sbin/init.d/firewall start or rcfirewall start)?
FW_START="no"
FW_LOCALNETS="192.168.0.0/24"
FW_FTPSERVER=""
FW_WWWSERVER=""
FW_SSLSERVER=""
FW_SSLPORT=""
FW_MAILSERVER="199.218.243.183"
FW_DNSSERVER=""
FW_NNTPSERVER=""
FW_NEWSFEED=""
FW_WORLD_DEV="ppp0"
FW_INT_DEV="eth0"
FW_LOG_ACCEPT="no"
FW_LOG_DENY="yes"
FW_ROUTER=""
FW_FRIENDS="no"
FW_INOUT="no"
FW_SSH="no"
FW_TRANSPROXY_OUT=""
FW_TRANSPROXY_IN=""
FW_REDIRECT=""
FW_TCP_LOCKED_PORTS="1:1023"
FW_UDP_LOCKED_PORTS="1:1023"
Regards, Michael Doerner
participants (3): dredd@megacity.org, michael@baypc.co.nz, rlyons@faithdesign.com