Firewall2 config.... DNS what?
Dear susers,

I have been sending a whole bunch of messages to this list regarding SuSEfirewall2. I have a Linux box (SuSE 7.2 installed) and I have upgraded the firewall to SuSEfirewall2 (managed to install iptables as well). The network configuration is simple: the SuSE box acts as a DHCP server and a Samba server as well. IPs for clients are in the 192.168.10.0 range, with Linux being 192.168.10.1. Squid is up and running (tested this and it works ok) on port 8080. All machines can ping each other and the Linux box. So far so good!

All problems began when the clients of the server started to request connections to programs such as WinMX and mIRC. So I started to play with SuSEfirewall2, since I have seen similar questions in this list in the past and they all managed to get things going with the help of SuSEfirewall2.

With the help of all of you from this list, I managed to configure the SuSEfirewall2 configuration as follows (configuration documentation is missing in order to make this as short as possible):

# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Author: Marc Heuse <marc@suse.de>, 2001
# Please contact me directly if you find bugs.
#
# If you have problems getting this tool configured, please read this file
# carefully and take also a look into
# -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES !
# -> /usr/share/doc/packages/SuSEfirewall2/FAQ !
# -> /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE !
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 2.1 which is for 2.4 kernels!
#
# ------------------------------------------------------------------------
#
#
# 1.)
# Should the Firewall be started?
#
# This setting is done via the links in the /etc/init.d/rc?.d runlevel
# directories, which can be tweaked with a runlevel editor (or manually)
#You should have a yes here in yours.
#
# 2.)
#
FW_DEV_EXT="ppp0"
#
# 3.)
#
FW_DEV_INT="eth0"
#
# 4.)
# Which is the interface that points to the dmz or dialup network?
#
FW_DEV_DMZ=""
#
# 5.)
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
FW_ROUTE="yes"
#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE
#
FW_MASQUERADE="yes"
#
FW_MASQ_NETS="192.168.10.0/24"
#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
FW_PROTECT_FROM_INTERNAL="yes"
#
# 8.)
# Do you want to autoprotect all running network services on the firewall?
FW_AUTOPROTECT_SERVICES="yes"
#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall) XXX
#
# Common: smtp domain
FW_SERVICES_EXT_TCP=""
# Common: domain
FW_SERVICES_EXT_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""
#
# Common: smtp domain
FW_SERVICES_DMZ_TCP=""
# Common: domain
FW_SERVICES_DMZ_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="22 25 53 110 139 1024:65535"
# Common: domain syslog
FW_SERVICES_INT_UDP="53 123 137 138 139"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""
#
# 10.)
# Which services should be accessible from trusted hosts/nets?
FW_TRUSTED_NETS=""
#
# 11.)
# How is access allowed to high (unprivileged [above 1023]) ports?
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won't work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
# if not set.
#
FW_SERVICE_AUTODETECT="yes"  # Autodetect the services below when starting
#
# If you are running bind/named set to yes. Remember that you have to open
# port 53 (or "domain") as udp/tcp to allow incoming queries.
# Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DNS="no"
#
# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"
#
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="yes"
#
# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="yes"
#
# set to "yes" if this server is running a samba server. You still have to open
# the tcp port 139 to allow remote access to SAMBA.
FW_SERVICE_SAMBA="yes"
#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
# REQUIRES: FW_ROUTE
#
FW_FORWARD=""  # Beware to use this!
#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
FW_FORWARD_MASQ=""  # Beware to use this!
#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
FW_REDIRECT=""
#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also set the log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DROP_CRIT="yes"
#
FW_LOG_DROP_ALL="no"
#
FW_LOG_ACCEPT_CRIT="yes"
#
FW_LOG_ACCEPT_ALL="no"
#
# only change/activate this if you know what you are doing!
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
#
FW_KERNEL_SECURITY="no"
#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
FW_STOP_KEEP_ROUTING_STATE="yes"
#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_EXT
#
# Choice: "yes" or "no", defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"
#
FW_ALLOW_PING_DMZ="no"
#
FW_ALLOW_PING_EXT="no"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#                                                                         #
#      EXPERT OPTIONS - all others please don't change these!             #
#                                                                         #
#-------------------------------------------------------------------------#
#
#
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 21.)
# Allow ICMP sourcequench from your ISP?
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
# Allow/Ignore IP Broadcasts?
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
FW_ALLOW_CLASS_ROUTING="no"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

So once I changed all the above, I executed rcSuSEfirewall2 start. The script executes and Squid works, as well as Samba. DHCP continues to work just fine. However, mIRC and WinMX will not operate. mIRC kept saying that it couldn't resolve the servers.

So I entered rcSuSEfirewall2 stop and tried to execute the test firewall as follows:

#csh#> SuSEfirewall2 test

and among other lines, I get something like this (please forgive me because I am away from the Linux box now):

Found named running setting FW_DNS to yes ...
FW_DNS is set to yes but there is no DNS server found running!

I cannot understand why it is saying this, so I thought I should send it to the list and see if someone could help me.

Looking forward to hearing from you!!

Chris
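The config file quoted above documents its own dependencies in "REQUIRES:" comments (routing needs an internal or dmz device, masquerading needs routing, FW_SERVICE_DNS needs port 53 opened udp/tcp plus FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes", forwarding needs routing). The script below is an added example, not code from the thread or from the SuSEfirewall2 project: it reads KEY="value" lines the way the shell would, skips commented-out assignments, and reports each unmet requirement. The sample file and its values are constructed assumptions chosen so that two checks trip; the rule numbers in the messages refer to the section numbers in the file above.

```sh
#!/bin/sh
# Added example (not SuSEfirewall2 code): lint the REQUIRES dependencies
# that the config file's own comments state, on a constructed sample.

# Constructed sample in the posted file's style; values are assumptions
# chosen so that two checks trip (FW_ROUTE and high-port UDP).
SAMPLE_CONF='# 2.)
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INTERNAL="yes"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_TCP="22 25 53 110 139 1024:65535"
FW_SERVICES_INT_UDP="53 123 137 138 139"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_DNS="yes"
FW_FORWARD=""
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"'

# The same sample with the two offending values corrected, for comparison.
FIXED_CONF=$(printf '%s\n' "$SAMPLE_CONF" |
    sed -e 's/^FW_ROUTE="no"/FW_ROUTE="yes"/' \
        -e 's/^FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"/FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"/')

# fw_get CONF KEY: print KEY's value without the surrounding quotes.
# Only lines that start with KEY= count, so "#KEY=..." stays invisible,
# and the last assignment wins, as when the shell sources the file.
fw_get() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        $1 == key {
            v = substr($0, length(key) + 2)
            sub(/^"/, "", v); sub(/"$/, "", v)
            last = v; found = 1
        }
        END { if (found) print last }'
}

# fw_port_open "PORT LIST" PORT: succeed if PORT is in the space-separated
# list, either literally or inside a low:high range such as 1024:65535.
fw_port_open() {
    for entry in $1; do
        case $entry in
            *:*) lo=${entry%%:*}; hi=${entry#*:}
                 if [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ]; then return 0; fi ;;
            *)   if [ "$entry" = "$2" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# fw_lint CONF: print one line per unmet REQUIRES dependency; a consistent
# file produces no output. Each rule is one the file's comments spell out.
fw_lint() {
    conf=$1
    route=$(fw_get "$conf" FW_ROUTE)
    dev_int=$(fw_get "$conf" FW_DEV_INT)
    dev_dmz=$(fw_get "$conf" FW_DEV_DMZ)
    if [ "$route" = yes ] && [ -z "$dev_int" ] && [ -z "$dev_dmz" ]; then
        echo "5: FW_ROUTE=yes requires FW_DEV_INT or FW_DEV_DMZ"
    fi
    if [ "$(fw_get "$conf" FW_MASQUERADE)" = yes ] && [ "$route" != yes ]; then
        echo "6: FW_MASQUERADE=yes requires FW_ROUTE=yes"
    fi
    if [ "$(fw_get "$conf" FW_PROTECT_FROM_INTERNAL)" = yes ] && [ -z "$dev_int" ]; then
        echo "7: FW_PROTECT_FROM_INTERNAL=yes requires FW_DEV_INT"
    fi
    if [ "$(fw_get "$conf" FW_SERVICE_DNS)" = yes ]; then
        # named on the firewall: port 53 must be open udp/tcp towards the
        # zones that query it, and high UDP ports must be allowed back in.
        if [ "$(fw_get "$conf" FW_ALLOW_INCOMING_HIGHPORTS_UDP)" != yes ]; then
            echo "12: FW_SERVICE_DNS=yes requires FW_ALLOW_INCOMING_HIGHPORTS_UDP=yes"
        fi
        udp_ok=1; tcp_ok=1
        for zone in EXT DMZ INT; do
            fw_port_open "$(fw_get "$conf" "FW_SERVICES_${zone}_UDP")" 53 && udp_ok=0
            fw_port_open "$(fw_get "$conf" "FW_SERVICES_${zone}_TCP")" 53 && tcp_ok=0
        done
        [ $udp_ok -eq 0 ] || echo "12: FW_SERVICE_DNS=yes but no FW_SERVICES_*_UDP list opens port 53"
        [ $tcp_ok -eq 0 ] || echo "12: FW_SERVICE_DNS=yes but no FW_SERVICES_*_TCP list opens port 53"
    fi
    for fwd in FW_FORWARD FW_FORWARD_MASQ; do
        if [ -n "$(fw_get "$conf" "$fwd")" ] && [ "$route" != yes ]; then
            echo "13/14: $fwd requires FW_ROUTE=yes"
        fi
    done
    return 0
}

# fw_lint_count CONF: number of findings, as a plain integer.
fw_lint_count() {
    fw_lint "$1" | awk 'END { print NR }'
}

echo "== constructed sample =="
fw_lint "$SAMPLE_CONF"
echo "== after correcting FW_ROUTE and FW_ALLOW_INCOMING_HIGHPORTS_UDP =="
fw_lint "$FIXED_CONF"
```

On a real box the same functions can be pointed at the live file with fw_lint "$(cat /etc/sysconfig/SuSEfirewall2)"; the parser deliberately does not source the file, so a stray token such as the lone "." that appears after FW_MASQ_NETS in the posted copy cannot execute anything while the file is being checked.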
* Chris Roubekas; <croubekas@panafonet.gr> on 30 Sep, 2002 wrote:
With the help of all of you from this list, I managed to configure the SuSEfirewall2 configuration as follows (configuration documentation is missing in order to make this as short as possible):
There is a draft howto for SuSEFirewall2 at
http://susefaq.sf.net/articles/
http://dinamizm.ath.cx/articles/
See if this is the missing manual?

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx