[opensuse] simple firewall scripts
Hi,

for smaller installations (using a Linux gateway) I used to use SuSEfirewall2, which basically has everything I needed so far.

Now I'd like something for another use case: An old Linux gateway (with SuSEfirewall) got a hardware gateway in front of it now which blocks traffic from outside. So there is no need anymore to do extensive filtering and also masquerading on the old gateway while it's still there as a kind of second stage hiding the internal network behind it. Now I still need to control which traffic is allowed from the inside to the internet, which was done via FW_MASQ_NETS in SF2. Since I want to get rid of a second masquerading, SuSEfirewall has no mechanism to control this traffic anymore.

Now I could write all iptables rules on my own (which is possible, but I'm kind of lazy in that case), but I wonder if there is no other simple iptables "generator" out there which does it already.

I plan to look at shorewall but thought I'd just ask here for recommendations.

Thanks,
Wolfgang
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
Theo
-- Theo v. Werkhoven Registered Linux user# 99872 http://counter.li.org ICBM 52 13 26N , 4 29 47E. + ICQ: 277217131 SUSE 10.2 + Jabber: muadib@jabber.xs4all.nl Kernel 2.6.20 + See headers for PGP/GPG info. Claimer: any email I receive will become my property. Disclaimers do not apply.
Theo v. Werkhoven wrote:
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
I personally prefer the basic linux firewall module that comes with webmin. I found it very easy to understand, and easier to implement exactly the rules I wanted than with the suse firewall. YMMV
Joe
Sloan wrote:
Theo v. Werkhoven wrote:
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
I personally prefer the basic linux firewall module that comes with webmin. I found it very easy to understand, and easier to implement exactly the rules I wanted than with the suse firewall.
YMMV
Joe
Have you looked at firestarter?
-- Joseph Loo jloo@acm.org
Joseph Loo wrote:
Sloan wrote:
Theo v. Werkhoven wrote:
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
I personally prefer the basic linux firewall module that comes with webmin. I found it very easy to understand, and easier to implement exactly the rules I wanted than with the suse firewall.
YMMV
Joe
Have you looked at firestarter?
I remember looking at it a few years ago - maybe time to revisit it. Do you have good experiences with it?
Joe
joe wrote:
Joseph Loo wrote:
Sloan wrote:
Theo v. Werkhoven wrote:
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
I personally prefer the basic linux firewall module that comes with webmin. I found it very easy to understand, and easier to implement exactly the rules I wanted than with the suse firewall.
YMMV
Joe
Have you looked at firestarter?
I remember looking at it a few years ago - maybe time to revisit it. Do you have good experiences with it?
Joe
Instead of writing the rules manually, this was the only way I could get Fedora 7 to do an NFS share.
-- Joseph Loo
Fri, 27 Jul 2007, by jloo@acm.org:
Sloan wrote:
Theo v. Werkhoven wrote:
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
I personally prefer the basic linux firewall module that comes with webmin. I found it very easy to understand, and easier to implement exactly the rules I wanted than with the suse firewall.
YMMV
Joe
Have you looked at firestarter?
Yes, and I don't like GUIs for such basic functionality. First of all I'm almost always logging in through ssh to the server that's running the firewall, so that makes a frontend with text files much easier to use. Second; seeing all the rules on one page, exactly as they are going to be installed, is the only way to make sure the frontend does what I mean, not what a program with fuzzy controls thinks I mean.
Theo
On Friday 27 July 2007 23:14, Theo v. Werkhoven wrote:
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
That's worrying. Simple firewall script(s)? How about /etc/sysconfig/SuSEfirewall2? It's there and it just works. YaST edits it for you if you want pure simplicity. Please tell me that this script is rubbish and I should look elsewhere. Or else please tell me what I'm missing.
Cheers, Lynn.
Sat, 28 Jul 2007, by lynn@steve-ss.com:
On Friday 27 July 2007 23:14, Theo v. Werkhoven wrote:
Fri, 27 Jul 2007, by wolfgang@rosenauer.org:
I plan to look at shorewall but thought I'd just ask here for recommendations.
Look no further.
That's worrying.
Simple firewall script(s)? How about /etc/sysconfig/SuSEfirewall2? It's there and it just works. YaST edits it for you if you want pure simplicity.
Maybe it's just me, but I don't find the way SuSEFW2 does things simple at all. For a 'set and forget' network it probably works, but for a network with rules that are subject to change weekly, if not daily, this file is just too unreadable, because of all the comments lines that clutter the content. The small, less than 1 page, files in Shorewall have man-pages, so if I'm puzzled, I do '^Z; man shorewall-<..>; q; fg' and carry on.
Please tell me that this script is rubbish and I should look elsewhere. Or else please tell me what I'm missing.
It's not rubbish, but it does have serious limitations, at least, for me.
Theo
On 07/29/2007 06:14 AM, Theo v. Werkhoven wrote:
Maybe it's just me, but I don't find the way SuSEFW2 does things simple at all. For a 'set and forget' network it probably works, but for a network with rules that are subject to change weekly, if not daily, this file is just too unreadable, because of all the comments lines that clutter the content.
We are all different. Those comments are one of the main reasons I was able to get it working when I first started with 6.4. The docs, etc were less than helpful, but the comments in the config file were (are) fantastic, and for me explain each setting in a way that I was and am able to work with it. To see you call those clutter shows me how different we all are.
-- Joe Morris Registered Linux user 231871 running openSUSE 10.2 x86_64
Sun, 29 Jul 2007, by Joe_Morris@ntm.org:
On 07/29/2007 06:14 AM, Theo v. Werkhoven wrote:
Maybe it's just me, but I don't find the way SuSEFW2 does things simple at all. For a 'set and forget' network it probably works, but for a network with rules that are subject to change weekly, if not daily, this file is just too unreadable, because of all the comments lines that clutter the content.
We are all different. Those comments are one of the main reasons I was able to get it working when I first started with 6.4. The docs, etc were less than helpful, but the comments in the config file were (are) fantastic, and for me explain each setting in a way that I was and am able to work with it. To see you call those clutter shows me how different we all are.
To each his own, or, as the French say: Vive la Différence
Theo
On 07/28/2007 04:14 PM, Theo v. Werkhoven wrote:
Sat, 28 Jul 2007, by lynn@steve-ss.com: <snip>
Please tell me that this script is rubbish and I should look elsewhere. Or else please tell me what I'm missing.
It's not rubbish, but it does have serious limitations, at least, for me.
Quite true. SFW2 is a nice generic firewall that can fill many basic needs, but that is also its greatest drawback: it is designed to fulfil a great many basic needs, and so is not nearly as flexible as is needed in a more complex situation. Most opensuse users can probably do all the firewalling they need with SFW2, but more serious requirements demand a more serious and flexible firewall builder.
-- Hypocrisy is the homage vice pays to virtue. -- François de La Rochefoucauld
Wolfgang Rosenauer wrote:
Hi,
Hi,
for smaller installations (using a Linux gateway) I used to use SuSEfirewall2 which basically has everything I needed so far.
Now I'd like something for another use case: An old Linux gateway (with SuSEfirewall) got a hardware gateway in front of it now which blocks traffic from outside. So there is no need anymore to do extensive filtering and also masquerading on the old gateway while it's still there as a kind of second stage hiding the internal network behind it. Now I still need to control which traffic is allowed from the inside to the internet, which was done via FW_MASQ_NETS in SF2. Since I want to get rid of a second masquerading, SuSEfirewall has no mechanism to control this traffic anymore.
Now I could write all iptables rules on my own (which is possible, but I'm kind of lazy in that case), but I wonder if there is no other simple iptables "generator" out there which does it already.
I plan to look at shorewall but thought I'd just ask here for recommendations.
Also try Firewall Builder at http://www.fwbuilder.org/ Since v2.1.12 it is able to import your existing iptables configurations, which is a nice thing to upgrade your existing machines as well. It also has an excellent GUI.
Thanks, Wolfgang
-- Rui Santos http://www.ruisantos.com/ Veni, vidi, Linux!
Rui Santos wrote:
Also try Firewall Builder at http://www.fwbuilder.org/ Since v2.1.12 it is able to import your existing iptables configurations, which is a nice thing to upgrade your existing machines as well. It also has an excellent GUI.
Good to hear that - that was the one thing that turned me off to fwbuilder - if it can now import existing iptables configs, that removes it from the category of "non-starter" for me.
Joe
On Friday 27 July 2007 13:29:56 Wolfgang Rosenauer wrote:
Now I still need to control which traffic is allowed from the inside to the internet which was done via FW_MASQ_NETS in SF2. Since I want to get rid of a second masquerading, SuSEfirewall has no mechanism to control this traffic anymore.
How about FW_FORWARD, which controls which IP addresses or subnets are allowed through, without any masquerading being done?
Regards, Anders
Hi Anders, Anders Johansson wrote:
On Friday 27 July 2007 13:29:56 Wolfgang Rosenauer wrote:
Now I still need to control which traffic is allowed from the inside to the internet which was done via FW_MASQ_NETS in SF2. Since I want to get rid of a second masquerading, SuSEfirewall has no mechanism to control this traffic anymore.
How about FW_FORWARD, which controls which IP addresses or subnets are allowed through, without any masquerading being done?
Hmm, somehow I missed this because I've read the sentence "Which services accessed from the internet should be allowed to the dmz (or internal network - if it is not masqueraded)?" So I always thought it would only work from FW_DEV_EXT to the other interfaces and not the other way round, without looking deeper into it. But in fact it seems to be independent from the actual devices.
Thanks for the heads up,
Wolfgang
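What Wolfgang asks for in the opening post (per-network control of inside-to-internet traffic on a gateway that only routes, with no second MASQUERADE) and what Anders points at with FW_FORWARD come down to the same thing: ACCEPT rules in the iptables FORWARD chain keyed on source network, destination and optionally protocol and port, on top of a default DROP and a conntrack rule for replies. The script below is an added example, not code from this thread, from SuSEfirewall2 or from Shorewall. It takes a policy written in SuSEfirewall2's FW_FORWARD syntax (`<source net>,<destination net>[,<protocol>[,<destination port>]]`, entries separated by spaces) and prints the equivalent iptables commands so they can be read in full before being loaded, which is the property Theo argues for above. The interface names eth0/eth1, the 192.168.10.0/24 network and the allowed services are assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread, SuSEfirewall2 or Shorewall:
# turn a FW_FORWARD-style allow list into plain iptables FORWARD rules
# for a gateway that only routes (no MASQUERADE) and relies on the
# upstream hardware gateway for inbound filtering.

INT_DEV="eth1"   # assumed: LAN-facing interface (FW_DEV_INT in SuSEfirewall2 terms)
EXT_DEV="eth0"   # assumed: interface towards the hardware gateway (FW_DEV_EXT)

# Constructed sample policy in SuSEfirewall2 FW_FORWARD syntax:
#   <source net>,<destination net>[,<protocol>[,<destination port>]]
# entries separated by spaces; 0/0 means "any address".
FW_FORWARD="192.168.10.0/24,0/0,tcp,80 192.168.10.0/24,0/0,tcp,443 192.168.10.0/24,0/0,udp,53 192.168.10.5,0/0"

# Print one iptables command per FW_FORWARD entry. Every rule is bound to
# INT_DEV -> EXT_DEV, so the list can never open the reverse direction;
# replies are admitted by the conntrack rule in base_rules.
forward_rules() {
    list="$1"
    for entry in $list; do
        # split "src,dst,proto,port" on commas; empty fields are kept
        oldifs="$IFS"; IFS=,; set -- $entry; IFS="$oldifs"
        src="$1"; dst="$2"; proto="$3"; port="$4"
        if [ -n "$port" ] && [ -z "$proto" ]; then
            echo "forward_rules: '$entry' names a port without a protocol" >&2
            return 1
        fi
        if [ "$src" = "0/0" ]; then src="0.0.0.0/0"; fi
        if [ "$dst" = "0/0" ]; then dst="0.0.0.0/0"; fi
        rule="iptables -A FORWARD -i $INT_DEV -o $EXT_DEV -s $src -d $dst"
        if [ -n "$proto" ]; then rule="$rule -p $proto"; fi
        if [ -n "$port" ]; then rule="$rule --dport $port"; fi
        printf '%s -j ACCEPT\n' "$rule"
    done
}

# Rules every routing-only gateway needs before the per-network allows:
# drop forwarded traffic by default, let the state match pass replies to
# connections the allow rules admitted, and drop what conntrack cannot
# classify. (-m state is used rather than -m conntrack so the output also
# loads on the 2.6.20-era iptables mentioned in the thread.)
base_rules() {
    cat <<'EOF'
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state INVALID -j DROP
EOF
}

# The complete rule set, in load order, on stdout.
gen_rules() {
    base_rules
    forward_rules "$FW_FORWARD"
}

case "${1:-}" in
    show)  gen_rules ;;
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
        gen_rules | sh -e
        ;;
esac
```

`sh fwgen.sh show` prints the rules for review; `sh fwgen.sh apply`, run as root, enables forwarding and loads them, stopping at the first iptables error. Two things to check before relying on this instead of a second MASQUERADE: the hardware gateway needs a route back to 192.168.10.0/24 via this box, because without NAT the internal addresses leave eth0 unchanged; and nothing forwarded from the eth0 side is accepted except state-tracked replies, so the inbound filtering really is left to the hardware gateway. If the same policy is kept inside SuSEfirewall2 rather than a script like this one, FW_FORWARD only takes effect with FW_ROUTE="yes".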
participants (11)
- Anders Johansson
- Cristian Rodriguez R.
- Darryl Gregorash
- joe
- Joe Morris (NTM)
- Joseph Loo
- primm
- Rui Santos
- Sloan
- Theo v. Werkhoven
- Wolfgang Rosenauer