Hello community,
here is the log from the commit of package SuSEfirewall2 for openSUSE:Factory
checked in at Fri Mar 19 15:22:18 CET 2010.
--------
--- SuSEfirewall2/SuSEfirewall2.changes 2010-02-16 14:53:55.000000000 +0100
+++ SuSEfirewall2/SuSEfirewall2.changes 2010-03-19 15:15:57.000000000 +0100
@@ -1,0 +2,7 @@
+Fri Mar 19 13:34:10 UTC 2010 - lnussel@suse.de
+
+- add entry about drbd to FAQ
+- update docu
+- implement FW_BOOT_FULL_INIT
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
SuSEfirewall2-3.6.231.tar.bz2
New:
----
SuSEfirewall2-3.6.238.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ SuSEfirewall2.spec ++++++
--- /var/tmp/diff_new_pack.8kBY2T/_old 2010-03-19 15:21:49.000000000 +0100
+++ /var/tmp/diff_new_pack.8kBY2T/_new 2010-03-19 15:21:49.000000000 +0100
@@ -1,5 +1,5 @@
#
-# spec file for package SuSEfirewall2 (Version 3.6.231)
+# spec file for package SuSEfirewall2 (Version 3.6.238)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -20,7 +20,7 @@
Name: SuSEfirewall2
-Version: 3.6.231
+Version: 3.6.238
Release: 1
License: GPLv2+
Group: Productivity/Networking/Security
++++++ SuSEfirewall2-3.6.231.tar.bz2 -> SuSEfirewall2-3.6.238.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/SuSEfirewall2.sysconfig new/SuSEfirewall2-3.6.238/SuSEfirewall2.sysconfig
--- old/SuSEfirewall2-3.6.231/SuSEfirewall2.sysconfig 2010-02-16 16:18:45.000000000 +0100
+++ new/SuSEfirewall2-3.6.238/SuSEfirewall2.sysconfig 2010-03-19 15:14:46.000000000 +0100
@@ -586,8 +586,6 @@
## Type: string
#
-# 13a.)
-#
# same as FW_FORWARD but packages are rejected instead of accepted
#
# Requires: FW_ROUTE
@@ -596,8 +594,6 @@
## Type: string
#
-# 13b.)
-#
# same as FW_FORWARD but packages are dropped instead of accepted
#
# Requires: FW_ROUTE
@@ -1010,7 +1006,6 @@
## Type: yesno
## Default: yes
#
-# 28a.)
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
@@ -1189,3 +1184,15 @@
# Defaults to "yes" if not set
#
FW_LO_NOTRACK=
+
+## Type: yesno
+## Default: no
+#
+# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
+# full rule set already. Default is to just install minimum rules
+# that block incoming traffic. Set to "yes" if you user services
+# such as drbd that require open ports during boot already.
+#
+# Defaults to "no" if not set
+#
+FW_BOOT_FULL_INIT=""
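Review bot: The new help text for FW_BOOT_FULL_INIT has a typo in its fourth comment line: `# that block incoming traffic. Set to "yes" if you user services` should read `# that block incoming traffic. Set to "yes" if you use services`. The text also leaves the trade-off implicit; since "yes" makes SuSEfirewall2_init apply the complete configured rule set instead of the minimal blocking rules, a sentence such as `# With "yes" the complete configured rule set is applied during early boot, so a configuration error presumably shows up there rather than in SuSEfirewall2_setup` would help an administrator decide. Minor style point: `FW_BOOT_FULL_INIT=""` differs from the neighbouring `FW_LO_NOTRACK=` form just above it in the same hunk.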
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/SuSEfirewall2_init new/SuSEfirewall2-3.6.238/SuSEfirewall2_init
--- old/SuSEfirewall2-3.6.231/SuSEfirewall2_init 2010-02-16 16:18:45.000000000 +0100
+++ new/SuSEfirewall2-3.6.238/SuSEfirewall2_init 2010-03-19 15:14:46.000000000 +0100
@@ -25,6 +25,11 @@
test -x $SUSEFWALL || exit 5
test -r /etc/sysconfig/SuSEfirewall2 || exit 6
+startmode=close
+if (. /etc/sysconfig/SuSEfirewall2; test "$FW_BOOT_FULL_INIT" = yes); then
+ startmode=start
+fi >/dev/null 2>&1
+
. /etc/rc.status
rc_reset
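Review bot: The new block starting at `startmode=close` has no comment explaining its fail-safe design, which a later maintainer is likely to touch; I would add `# Fail closed: only a readable sysconfig that explicitly sets FW_BOOT_FULL_INIT=yes switches early init to the full rule set.` above it. Sourcing the file inside `( ... )` is the right choice, as it keeps every other variable from /etc/sysconfig/SuSEfirewall2 out of this script's environment, and because the redirect on `fi` discards all output a syntax error in that file should simply leave `startmode=close`; both facts are worth stating in the comment, otherwise the silent `>/dev/null 2>&1` reads like an oversight. The script body continues outside the hunk.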
@@ -35,7 +40,7 @@
if test -x /usr/sbin/iptables; then
echo -n '(phase 1 of 2) '
/bin/rm -rf /var/run/SuSEfirewall2
- $SUSEFWALL --bootlock -q close
+ $SUSEFWALL --bootlock -q $startmode
else
echo -n "${extd}iptables not available (yet)${norm}"
rc_failed 5
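Review bot: With `$SUSEFWALL --bootlock -q $startmode` now able to run `start` during early boot, the fail-closed property of the former unconditional `close` depends on what `start` does when rule installation fails part-way (for example a configuration error in the full rule set); the hunk does not show whether a failed `start` still leaves the minimal blocking rules installed, so that should be confirmed or, if it does not, the call should fall back with `$SUSEFWALL --bootlock -q $startmode || $SUSEFWALL --bootlock -q close`. `$startmode` can only hold `close` or `start` here, so the missing quotes are harmless, but `"$startmode"` would match the quoting style of the surrounding lines. The enclosing `if` closes outside the hunk.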
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.html new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.html
--- old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.html 2010-02-16 16:18:45.000000000 +0100
+++ new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.html 2010-03-19 15:14:46.000000000 +0100
@@ -1,88 +1,30 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="SuSEfirewall2 FAQ"><div class="titlepage"><div><div><h2 class="title"><a id="id311997"></a>SuSEfirewall2 FAQ</h2></div></div><hr /></div><div class="qandaset" title="Frequently Asked Questions"><a id="id312008"></a><dl><dt>1. <a href="#id312011">
- How do I allow access to my application XYZ on my firewall?
- </a></dt><dt>2. <a href="#id274901">
- How can I reduce the generated rule set as much as possible?
- </a></dt><dt>3. <a href="#id274280">
- How can I be sure that the firewall rules are active when I connect
- to the internet?
- </a></dt><dt>4. <a href="#id274340">
- How many interfaces are supported for each zone (EXT/DMZ/INT)?
- </a></dt><dt>5. <a href="#id274358">
+<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>SuSEfirewall2 FAQ</title><link rel="stylesheet" href="susebooks.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.75.2" /></head><body><div class="article" title="SuSEfirewall2 FAQ"><div class="titlepage"><div><div><h2 class="title"><a id="id301529"></a>SuSEfirewall2 FAQ</h2></div></div><hr /></div><div class="qandaset" title="Frequently Asked Questions"><a id="id301543"></a><dl><dt>1. <a href="#id301545">
Why is communication between two interfaces in the same zone not working?
- </a></dt><dt>6. <a href="#id274386">
- I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let
- people on the internet access my pages?
- </a></dt><dt>7. <a href="#id293638">
- What if my Server has a private IP address, how do I enable external access then?
- </a></dt><dt>8. <a href="#id293686">Some service does not work when the firewall is enabled. How do I find out what's wrong?
- </a></dt><dt>9. <a href="#id273985">
+ </a></dt><dt>2. <a href="#id265830">Some service does not work when the firewall is enabled. How do I find out what's wrong?
+ </a></dt><dt>3. <a href="#id297412">
Some web site that offers port scanning claims my system is not
protected properly as it still responds to ICMP echo requests (ping)
- </a></dt><dt>10. <a href="#id274007">
+ </a></dt><dt>4. <a href="#id304338">
Can't the evil guys detect whether my host is online if it responds
to ICMP echo requests?
- </a></dt><dt>11. <a href="#id274028">
+ </a></dt><dt>5. <a href="#id305185">
SuSEfirewall2 drops most packets but it doesn't fully hide the
presence of my machine. Isn't that a security hole?
- </a></dt><dt>12. <a href="#id274048">
+ </a></dt><dt>6. <a href="#id292467">
The ipsec0 interface I had with kernel 2.4 is
gone. How do I assign IPsec traffic to a different zone now?
- </a></dt><dt>13. <a href="#id274099">
+ </a></dt><dt>7. <a href="#id300867">
Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
- </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td align="left" valign="top"><a id="id312011"></a><a id="id312013"></a><p><b>1.</b></p></td><td align="left" valign="top"><p>
- How do I allow access to my application XYZ on my firewall?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
-
- Usually you need an entry in <code class="varname">FW_SERVICES_EXT_TCP</code>
- or <code class="varname">FW_SERVICES_EXT_UDP</code>. The most common problem is
- to determine which port the application uses. Let's say you are
- running an apache web server and want to allow access to it. Execute
- <span class="command"><strong>netstat -tunlp</strong></span> and look for httpd. You will
- see a line like this:
-
- </p><div class="informalexample"><pre class="screen">tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4497/httpd</pre></div><p>
-
- The number 80 is the port you are looking for. In this example put it
- into <code class="varname">FW_SERVICES_EXT_TCP</code> and execute
- <span class="command"><strong>SuSEfirewall2</strong></span> again.
-
- </p></td></tr><tr class="question" title="2."><td align="left" valign="top"><a id="id274901"></a><a id="id274904"></a><p><b>2.</b></p></td><td align="left" valign="top"><p>
- How can I reduce the generated rule set as much as possible?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
- Set <code class="varname">FW_PROTECT_FROM_INTERNAL</code> to <code class="literal">"no"</code>
- </p></li><li class="listitem"><p>
- Disable Logging
- </p></li><li class="listitem"><p>
- Set all <code class="varname">FW_ALLOW_*</code> and
- <code class="varname">FW_SERVICE_*</code> to no
- </p></li><li class="listitem"><p>
- Do not use routing or masquerading
- </p></li><li class="listitem"><p>
- Only enable routing/services you really need and make the statements
- as general as possible to reduce the number of definitions.
- Then you will have got much less rules, but also a lesser security.
- Better spend 50$ on a faster processor and more ram instead of
- using an old 486 as firewall.
- </p></li></ul></div></td></tr><tr class="question" title="3."><td align="left" valign="top"><a id="id274280"></a><a id="id274283"></a><p><b>3.</b></p></td><td align="left" valign="top"><p>
- How can I be sure that the firewall rules are active when I connect
- to the internet?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
-
- Make sure that the <code class="literal">SuSEfirewall2</code> boot scripts are
- enabled and that <code class="filename">/etc/sysconfig/network/config</code>
- contains <code class="literal">FIREWALL=yes</code>. Also check that the
- <code class="filename">/etc/sysconfig/network/ifcfg-*</code> files don't
- contain <code class="literal">FIREWALL="no"</code>. You can check whether
- packet filtering rules are actually installed with the command
- <span class="command"><strong>SuSEfirewall2 status</strong></span>
-
- </p></td></tr><tr class="question" title="4."><td align="left" valign="top"><a id="id274340"></a><a id="id274342"></a><p><b>4.</b></p></td><td align="left" valign="top"><p>
- How many interfaces are supported for each zone (EXT/DMZ/INT)?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
- Any number you want
- </p></td></tr><tr class="question" title="5."><td align="left" valign="top"><a id="id274358"></a><a id="id274361"></a><p><b>5.</b></p></td><td align="left" valign="top"><p>
+ </a></dt><dt>8. <a href="#id283911">
+ Enabling drbd blocks the boot process. How to get around that?
+ </a></dt><dt>9. <a href="#id265332">
+ My wireless LAN network interface is configured for the
+ external zone. Sometimes I need to connect to trusted
+ networks that offer e.g. printing or file sharing. How can
+ I solve that without opening ports in the external zone?
+ </a></dt></dl><table border="0" width="100%" summary="Q and A Set"><col align="left" width="1%" /><col /><tbody><tr class="question" title="1."><td align="left" valign="top"><a id="id301545"></a><a id="id301547"></a><p><b>1.</b></p></td><td align="left" valign="top"><p>
Why is communication between two interfaces in the same zone not working?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
@@ -93,32 +35,7 @@
traffic with <code class="varname">FW_FORWARD</code>. Keep in mind that this
affects all interfaces in all zones.
- </p></td></tr><tr class="question" title="6."><td align="left" valign="top"><a id="id274386"></a><a id="id293606"></a><p><b>6.</b></p></td><td align="left" valign="top"><p>
- I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let
- people on the internet access my pages?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
-
- Lets say your web server has got an official
- IP address of 1.1.1.1 which you received from your ISP. You would
- just configure <code class="varname">FW_FORWARD_TCP</code> like this:
- </p><div class="informalexample"><pre class="programlisting">FW_FORWARD="0/0,1.1.1.1,tcp,80"</pre></div><p>
-
- </p></td></tr><tr class="question" title="7."><td align="left" valign="top"><a id="id293638"></a><a id="id293641"></a><p><b>7.</b></p></td><td align="left" valign="top"><p>
- What if my Server has a private IP address, how do I enable external access then?
- </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
-
- You can use reverse masquerading. For this you need to set
- <code class="varname">FW_ROUTE</code> and <code class="varname">FW_MASQUERADE</code> to
- <code class="literal">"yes"</code>, and additionally
- <code class="varname">FW_FORWARD_MASQ</code> for the web servers private IP
- (lets say it is 10.0.0.1):
-
- </p><div class="informalexample"><pre class="programlisting">
-FW_ROUTE="yes"
-FW_MASQUERADE="yes"
-FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80"</pre></div><p>
-
- </p></td></tr><tr class="question" title="8."><td align="left" valign="top"><a id="id293686"></a><a id="id293689"></a><p><b>8.</b></p></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong?
+ </p></td></tr><tr class="question" title="2."><td align="left" valign="top"><a id="id265830"></a><a id="id265832"></a><p><b>2.</b></p></td><td align="left" valign="top"><p>Some service does not work when the firewall is enabled. How do I find out what's wrong?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Enable logging of all dropped packets and disable the log limit in
@@ -146,7 +63,7 @@
If everything works again don't forget to set the log options back to
normal to not fill up you log files.
- </p></td></tr><tr class="question" title="9."><td align="left" valign="top"><a id="id273985"></a><a id="id273988"></a><p><b>9.</b></p></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question" title="3."><td align="left" valign="top"><a id="id297412"></a><a id="id291503"></a><p><b>3.</b></p></td><td align="left" valign="top"><p>
Some web site that offers port scanning claims my system is not
protected properly as it still responds to ICMP echo requests (ping)
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
@@ -155,20 +72,20 @@
seriously impact the ability to track down network problems. It is
therefore not considered nice behaviour for an internet citizen to
drop pings.
- </p></td></tr><tr class="question" title="10."><td align="left" valign="top"><a id="id274007"></a><a id="id274010"></a><p><b>10.</b></p></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question" title="4."><td align="left" valign="top"><a id="id304338"></a><a id="id292572"></a><p><b>4.</b></p></td><td align="left" valign="top"><p>
Can't the evil guys detect whether my host is online if it responds
to ICMP echo requests?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
Yes but they can detect that anyways. The router at your provider
behaves different depending on whether someone is dialed in or not.
- </p></td></tr><tr class="question" title="11."><td align="left" valign="top"><a id="id274028"></a><a id="id274030"></a><p><b>11.</b></p></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question" title="5."><td align="left" valign="top"><a id="id305185"></a><a id="id302781"></a><p><b>5.</b></p></td><td align="left" valign="top"><p>
SuSEfirewall2 drops most packets but it doesn't fully hide the
presence of my machine. Isn't that a security hole?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
You machine is never fully invisible, see previous question. The
purpose of dropping packets is not to hide your machine but to slow
down port scans.
- </p></td></tr><tr class="question" title="12."><td align="left" valign="top"><a id="id274048"></a><a id="id274051"></a><p><b>12.</b></p></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question" title="6."><td align="left" valign="top"><a id="id292467"></a><a id="id293084"></a><p><b>6.</b></p></td><td align="left" valign="top"><p>
The <code class="literal">ipsec0</code> interface I had with kernel 2.4 is
gone. How do I assign IPsec traffic to a different zone now?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
@@ -184,21 +101,89 @@
FW_SERVICES_EXT_UDP="isakmp"
FW_PROTECT_FROM_INT="no"</pre></div><p>
- </p></td></tr><tr class="question" title="13."><td align="left" valign="top"><a id="id274099"></a><a id="id274102"></a><p><b>13.</b></p></td><td align="left" valign="top"><p>
+ </p></td></tr><tr class="question" title="7."><td align="left" valign="top"><a id="id300867"></a><a id="id292485"></a><p><b>7.</b></p></td><td align="left" valign="top"><p>
Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
</p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
<code class="literal">SuSEfirewall2</code> is implemented in bourne shell which is not exactly the
fastest thing on earth especially if it has that much work to do as
<code class="literal">SuSEfirewall2</code>. Administrators still prefer bourne shell scripts
- because of readability <span class="emphasis"><em>*cough*</em></span>. To be able to
- use <span class="command"><strong>iptables-restore</strong></span>
- <code class="literal">SuSEfirewall2</code> would need a lot more logic than
- what is be possible with bourne shell as it would need to sort and
- reorder the rules for example. Furthermore interfaces are not static.
- They can arbitrarily appear and disapper with different names so a
- generic solution can't just dump the rules with
- <span class="command"><strong>iptables-store</strong></span> and re-apply them with
- <span class="command"><strong>iptables-restore</strong></span>.
+ because of readability <span class="emphasis"><em>*cough*</em></span>.
+ </p><p>
+ <code class="literal">SuSEfirewall2</code> already uses a method
+ similar to <code class="literal">iptables-restore</code> to apply
+ as much filter rules as possible at once.
+ <code class="literal">SuSEfirewall2</code> doesn't use
+ <code class="literal">iptables-restore</code> natively to be able to
+ easily fall back to individual <code class="literal">iptables</code>
+ calls in case of error.
+ </p></td></tr><tr class="question" title="8."><td align="left" valign="top"><a id="id283911"></a><a id="id283913"></a><p><b>8.</b></p></td><td align="left" valign="top"><p>
+ Enabling drbd blocks the boot process. How to get around that?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+
+ During boot process all incoming traffic is blocked
+ unconditionally. The very last boot script then sets up
+ the configured firewall rules. The problem is that drbd
+ blocks the boot process while waiting for incoming
+ connection from other nodes. Therefore configuring the
+ drbd port in <code class="literal">SuSEfirewall2</code> has no
+ effect.
+
+ </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>
+ SLES10
+ </p><p>
+ Add a manual iptables call to
+ <code class="literal">/etc/init.d/boot.local</code>:
+ </p><div class="informalexample"><pre class="programlisting">iptables -A INPUT -p tcp --dport 7788 -j ACCEPT</pre></div><p>
+
+ </p></li><li class="listitem"><p>
+ SLES11, openSUSE <= 11.2
+ </p><p>
+ On SLES11 SuSEfirewall2_init is called after
+ boot.local, therefore the method for SLES10
+ doesn't work anymore. It's possible to modify the
+ dependencies of the SuSEfirewall2_setup script to run
+ before drbd though:
+ </p><div class="itemizedlist"><ul class="itemizedlist" type="circle"><li class="listitem"><p>
+ Create the directory
+ <code class="filename">/etc/insserv/overrides</code>
+ </p></li><li class="listitem"><p>
+ Create a new file
+ <code class="filename">/etc/insserv/overrides/SuSEfirewall2_setup</code>
+ </p></li><li class="listitem"><p>
+ Copy the the LSB header (the part between and
+ including the lines "<code class="literal">### BEGIN INIT
+ INFO</code>" and "<code class="literal">### END INIT
+ INFO</code>") from
+ <code class="filename">/etc/init.d/SuSEfirewall2_setup</code>
+ to
+ <code class="filename">/etc/insserv/overrides/SuSEfirewall2_setup</code>
+ </p></li><li class="listitem"><p>
+ Replace <code class="literal">$ALL</code> with
+ <code class="literal">$null</code> and add the following
+ line:
+ </p><div class="informalexample"><pre class="programlisting"># X-Start-Before: drbd</pre></div><p>
+
+ </p></li><li class="listitem"><p>
+ run <span class="command"><strong>/sbin/insserv</strong></span>
+ </p></li></ul></div><p>
+
+ </p></li><li class="listitem"><p>
+ openSUSE >= 11.3
+ </p><p>
+ Configure the open ports for <code class="literal">drbd</code> and set
+ </p><div class="informalexample"><pre class="programlisting">FW_BOOT_FULL_INIT="yes"</pre></div><p>
+
+ </p></li></ul></div></td></tr><tr class="question" title="9."><td align="left" valign="top"><a id="id265332"></a><a id="id265334"></a><p><b>9.</b></p></td><td align="left" valign="top"><p>
+ My wireless LAN network interface is configured for the
+ external zone. Sometimes I need to connect to trusted
+ networks that offer e.g. printing or file sharing. How can
+ I solve that without opening ports in the external zone?
+ </p></td></tr><tr class="answer"><td align="left" valign="top"></td><td align="left" valign="top"><p>
+
+ The <a class="ulink" href="http://lizards.opensuse.org/2009/08/28/firewall-zone-switcher-updated/" target="_top">Firewall
+ Zone Switcher applet</a> allows desktop users to
+ switch zones with only few mouse clicks. It's included in
+ openSUSE since version 11.2.
</p></td></tr></tbody></table></div></div></body></html>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.txt new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.txt
--- old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.txt 2010-02-16 16:18:45.000000000 +0100
+++ new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.txt 2010-03-19 15:14:46.000000000 +0100
@@ -2,158 +2,144 @@
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
-1. How do I allow access to my application XYZ on my firewall?
-2. How can I reduce the generated rule set as much as possible?
-3. How can I be sure that the firewall rules are active when I connect to the
- internet?
-4. How many interfaces are supported for each zone (EXT/DMZ/INT)?
-5. Why is communication between two interfaces in the same zone not working?
-6. I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let
- people on the internet access my pages?
-7. What if my Server has a private IP address, how do I enable external access
- then?
-8. Some service does not work when the firewall is enabled. How do I find out
+1. Why is communication between two interfaces in the same zone not working?
+2. Some service does not work when the firewall is enabled. How do I find out
what's wrong?
-9. Some web site that offers port scanning claims my system is not protected
+3. Some web site that offers port scanning claims my system is not protected
properly as it still responds to ICMP echo requests (ping)
-10. Can't the evil guys detect whether my host is online if it responds to ICMP
+4. Can't the evil guys detect whether my host is online if it responds to ICMP
echo requests?
-11. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of
+5. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of
my machine. Isn't that a security hole?
-12. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec
+6. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec
traffic to a different zone now?
-13. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
+7. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
+8. Enabling drbd blocks the boot process. How to get around that?
+9. My wireless LAN network interface is configured for the external zone.
+ Sometimes I need to connect to trusted networks that offer e.g. printing or
+ file sharing. How can I solve that without opening ports in the external
+ zone?
-1. How do I allow access to my application XYZ on my firewall?
+1. Why is communication between two interfaces in the same zone not working?
- Usually you need an entry in FW_SERVICES_EXT_TCP or FW_SERVICES_EXT_UDP. The
- most common problem is to determine which port the application uses. Let's say
- you are running an apache web server and want to allow access to it. Execute
- netstat -tunlp and look for httpd. You will see a line like this:
+ For security reasons, no network may communicate to another until configured
+ otherwise. Even if both are "trusted" internal networks. You can allow full
+ traffic with FW_ALLOW_CLASS_ROUTING or specifying all allowed traffic with
+ FW_FORWARD. Keep in mind that this affects all interfaces in all zones.
- tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4497/httpd
+2. Some service does not work when the firewall is enabled. How do I find out
+ what's wrong?
- The number 80 is the port you are looking for. In this example put it into
- FW_SERVICES_EXT_TCP and execute SuSEfirewall2 again.
+ Enable logging of all dropped packets and disable the log limit in /etc/
+ sysconfig/SuSEfirewall2:
-2. How can I reduce the generated rule set as much as possible?
+ FW_LOG_DROP_CRIT="yes"
+ FW_LOG_DROP_ALL="yes"
+ FW_LOG_LIMIT="no"
- ● Set FW_PROTECT_FROM_INTERNAL to "no"
+ Run SuSEfirewall2 again. /var/log/messages will now quickly fill up with log
+ messages about dropped packets when you try to use the not working service.
+ Those messages tell you the protocol and port you need to open.
- ● Disable Logging
+ You may also run SuSEfirewall2 in test mode: SuSEfirewall2 test. Then try to
+ connect to the service in a way which failed before. It will work because
+ SuSEfirewall2 does not actually filter any packets this time. However, it
+ will still log all packets it normally would have dropped.
- ● Set all FW_ALLOW_* and FW_SERVICE_* to no
+ If everything works again don't forget to set the log options back to normal
+ to not fill up you log files.
- ● Do not use routing or masquerading
+3. Some web site that offers port scanning claims my system is not protected
+ properly as it still responds to ICMP echo requests (ping)
- ● Only enable routing/services you really need and make the statements as
- general as possible to reduce the number of definitions. Then you will have
- got much less rules, but also a lesser security. Better spend 50$ on a
- faster processor and more ram instead of using an old 486 as firewall.
+ ICMP echo requests are harmless however they are a fundametal means to
+ determine whether hosts are still reachable. Blocking them would seriously
+ impact the ability to track down network problems. It is therefore not
+ considered nice behaviour for an internet citizen to drop pings.
-3. How can I be sure that the firewall rules are active when I connect to the
- internet?
+4. Can't the evil guys detect whether my host is online if it responds to ICMP
+ echo requests?
- Make sure that the SuSEfirewall2 boot scripts are enabled and that /etc/
- sysconfig/network/config contains FIREWALL=yes. Also check that the /etc/
- sysconfig/network/ifcfg-* files don't contain FIREWALL="no". You can check
- whether packet filtering rules are actually installed with the command
- SuSEfirewall2 status
+ Yes but they can detect that anyways. The router at your provider behaves
+ different depending on whether someone is dialed in or not.
-4. How many interfaces are supported for each zone (EXT/DMZ/INT)?
+5. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of
+ my machine. Isn't that a security hole?
- Any number you want
+ You machine is never fully invisible, see previous question. The purpose of
+ dropping packets is not to hide your machine but to slow down port scans.
-5. Why is communication between two interfaces in the same zone not working?
+6. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec
+ traffic to a different zone now?
- For security reasons, no network may communicate to another until configured
- otherwise. Even if both are "trusted" internal networks. You can allow full
- traffic with FW_ALLOW_CLASS_ROUTING or specifying all allowed traffic with
- FW_FORWARD. Keep in mind that this affects all interfaces in all zones.
+ Set the variable FW_IPSEC_TRUST to the zone you would have put the ipsec0
+ into before. For example if your IPsec tunnel is set up on the external
+ interface but you want to grant the decrypted traffic access to all your
+ services as if it was in the internal zone:
-6. I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let
- people on the internet access my pages?
+ FW_IPSEC_TRUST="int"
+ FW_SERVICES_EXT_IP="esp"
+ FW_SERVICES_EXT_UDP="isakmp"
+ FW_PROTECT_FROM_INT="no"
- Lets say your web server has got an official IP address of 1.1.1.1 which you
- received from your ISP. You would just configure FW_FORWARD_TCP like this:
+7. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
- FW_FORWARD="0/0,1.1.1.1,tcp,80"
+ SuSEfirewall2 is implemented in bourne shell which is not exactly the
+ fastest thing on earth especially if it has that much work to do as
+ SuSEfirewall2. Administrators still prefer bourne shell scripts because of
+ readability *cough*.
-7. What if my Server has a private IP address, how do I enable external access
- then?
+ SuSEfirewall2 already uses a method similar to iptables-restore to apply as
+ much filter rules as possible at once. SuSEfirewall2 doesn't use
+ iptables-restore natively to be able to easily fall back to individual
+ iptables calls in case of error.
- You can use reverse masquerading. For this you need to set FW_ROUTE and
- FW_MASQUERADE to "yes", and additionally FW_FORWARD_MASQ for the web servers
- private IP (lets say it is 10.0.0.1):
+8. Enabling drbd blocks the boot process. How to get around that?
- FW_ROUTE="yes"
- FW_MASQUERADE="yes"
- FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80"
+ During boot process all incoming traffic is blocked unconditionally. The
+ very last boot script then sets up the configured firewall rules. The
+ problem is that drbd blocks the boot process while waiting for incoming
+ connection from other nodes. Therefore configuring the drbd port in
+ SuSEfirewall2 has no effect.
-8. Some service does not work when the firewall is enabled. How do I find out
- what's wrong?
+ ● SLES10
- Enable logging of all dropped packets and disable the log limit in /etc/
- sysconfig/SuSEfirewall2:
+ Add a manual iptables call to /etc/init.d/boot.local:
- FW_LOG_DROP_CRIT="yes"
- FW_LOG_DROP_ALL="yes"
- FW_LOG_LIMIT="no"
-
- Run SuSEfirewall2 again. /var/log/messages will now quickly fill up with log
- messages about dropped packets when you try to use the not working service.
- Those messages tell you the protocol and port you need to open.
-
- You may also run SuSEfirewall2 in test mode: SuSEfirewall2 test. Then try to
- connect to the service in a way which failed before. It will work because
- SuSEfirewall2 does not actually filter any packets this time. However, it will
- still log all packets it normally would have dropped.
+ iptables -A INPUT -p tcp --dport 7788 -j ACCEPT
- If everything works again don't forget to set the log options back to normal to
- not fill up you log files.
+ ● SLES11, openSUSE <= 11.2
-9. Some web site that offers port scanning claims my system is not protected
- properly as it still responds to ICMP echo requests (ping)
+ On SLES11 SuSEfirewall2_init is called after boot.local, therefore the
+ method for SLES10 doesn't work anymore. It's possible to modify the
+ dependencies of the SuSEfirewall2_setup script to run before drbd
+ though:
- ICMP echo requests are harmless however they are a fundametal means to
- determine whether hosts are still reachable. Blocking them would seriously
- impact the ability to track down network problems. It is therefore not
- considered nice behaviour for an internet citizen to drop pings.
+ ○ Create the directory /etc/insserv/overrides
-10. Can't the evil guys detect whether my host is online if it responds to ICMP
- echo requests?
+ ○ Create a new file /etc/insserv/overrides/SuSEfirewall2_setup
- Yes but they can detect that anyways. The router at your provider behaves
- different depending on whether someone is dialed in or not.
+ ○ Copy the the LSB header (the part between and including the lines "#
+ ## BEGIN INIT INFO" and "### END INIT INFO") from /etc/init.d/
+ SuSEfirewall2_setup to /etc/insserv/overrides/SuSEfirewall2_setup
-11. SuSEfirewall2 drops most packets but it doesn't fully hide the presence of my
- machine. Isn't that a security hole?
+ ○ Replace $ALL with $null and add the following line:
- You machine is never fully invisible, see previous question. The purpose of
- dropping packets is not to hide your machine but to slow down port scans.
+ # X-Start-Before: drbd
-12. The ipsec0 interface I had with kernel 2.4 is gone. How do I assign IPsec
- traffic to a different zone now?
+ ○ run /sbin/insserv
+
+ ● openSUSE >= 11.3
+
+ Configure the open ports for drbd and set
+
+ FW_BOOT_FULL_INIT="yes"
+
+9. My wireless LAN network interface is configured for the external zone.
+ Sometimes I need to connect to trusted networks that offer e.g. printing or
+ file sharing. How can I solve that without opening ports in the external
+ zone?
- Set the variable FW_IPSEC_TRUST to the zone you would have put the ipsec0 into
- before. For example if your IPsec tunnel is set up on the external interface
- but you want to grant the decrypted traffic access to all your services as if
- it was in the internal zone:
-
- FW_IPSEC_TRUST="int"
- FW_SERVICES_EXT_IP="esp"
- FW_SERVICES_EXT_UDP="isakmp"
- FW_PROTECT_FROM_INT="no"
-
-13. Why is SuSEfirewall2 so slow? / Can't you just use iptables-restore?
-
- SuSEfirewall2 is implemented in bourne shell which is not exactly the fastest
- thing on earth especially if it has that much work to do as SuSEfirewall2.
- Administrators still prefer bourne shell scripts because of readability *cough*
- . To be able to use iptables-restore SuSEfirewall2 would need a lot more logic
- than what is be possible with bourne shell as it would need to sort and reorder
- the rules for example. Furthermore interfaces are not static. They can
- arbitrarily appear and disapper with different names so a generic solution
- can't just dump the rules with iptables-store and re-apply them with
- iptables-restore.
+ The Firewall Zone Switcher applet allows desktop users to switch zones with
+ only few mouse clicks. It's included in openSUSE since version 11.2.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.xml new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.xml
--- old/SuSEfirewall2-3.6.231/doc/FAQ.SuSEfirewall2.xml 2010-02-16 16:18:45.000000000 +0100
+++ new/SuSEfirewall2-3.6.238/doc/FAQ.SuSEfirewall2.xml 2010-03-19 15:14:46.000000000 +0100
@@ -7,114 +7,6 @@
<title>SuSEfirewall2 FAQ</title>
</articleinfo>
<qandaset>
- <qandaentry>
-
- <question>
- <para>
- How do I allow access to my application XYZ on my firewall?
- </para>
- </question>
-
- <answer>
-
- <para>
-
- Usually you need an entry in <varname>FW_SERVICES_EXT_TCP</varname>
- or <varname>FW_SERVICES_EXT_UDP</varname>. The most common problem is
- to determine which port the application uses. Let's say you are
- running an apache web server and want to allow access to it. Execute
- <command>netstat -tunlp</command> and look for httpd. You will
- see a line like this:
-
- <informalexample>
- <screen>tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4497/httpd</screen>
- </informalexample>
-
- The number 80 is the port you are looking for. In this example put it
- into <varname>FW_SERVICES_EXT_TCP</varname> and execute
- <command>SuSEfirewall2</command> again.
-
- </para>
-
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How can I reduce the generated rule set as much as possible?
- </para>
- </question>
- <answer>
- <itemizedlist>
- <listitem>
- <para>
- Set <varname>FW_PROTECT_FROM_INTERNAL</varname> to <literal>"no"</literal>
- </para>
- </listitem>
- <listitem>
- <para>
- Disable Logging
- </para>
- </listitem>
- <listitem>
- <para>
- Set all <varname>FW_ALLOW_*</varname> and
- <varname>FW_SERVICE_*</varname> to no
- </para>
- </listitem>
- <listitem>
- <para>
- Do not use routing or masquerading
- </para>
- </listitem>
- <listitem>
- <para>
- Only enable routing/services you really need and make the statements
- as general as possible to reduce the number of definitions.
- Then you will have got much less rules, but also a lesser security.
- Better spend 50$ on a faster processor and more ram instead of
- using an old 486 as firewall.
- </para>
- </listitem>
- </itemizedlist>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How can I be sure that the firewall rules are active when I connect
- to the internet?
- </para>
- </question>
- <answer>
- <para>
-
- Make sure that the <literal>SuSEfirewall2</literal> boot scripts are
- enabled and that <filename>/etc/sysconfig/network/config</filename>
- contains <literal>FIREWALL=yes</literal>. Also check that the
- <filename>/etc/sysconfig/network/ifcfg-*</filename> files don't
- contain <literal>FIREWALL="no"</literal>. You can check whether
- packet filtering rules are actually installed with the command
- <command>SuSEfirewall2 status</command>
-
- </para>
- </answer>
- </qandaentry>
-
- <qandaentry>
- <question>
- <para>
- How many interfaces are supported for each zone (EXT/DMZ/INT)?
- </para>
- </question>
- <answer>
- <para>
- Any number you want
- </para>
- </answer>
- </qandaentry>
<qandaentry>
@@ -141,62 +33,6 @@
</qandaentry>
<qandaentry>
- <question>
- <para>
- I have set a web server in my DMZ. How do I configure SuSEfirewall2 to let
- people on the internet access my pages?
- </para>
- </question>
-
- <answer>
-
- <para>
-
- Lets say your web server has got an official
- IP address of 1.1.1.1 which you received from your ISP. You would
- just configure <varname>FW_FORWARD_TCP</varname> like this:
- <informalexample>
- <programlisting>FW_FORWARD="0/0,1.1.1.1,tcp,80"</programlisting>
- </informalexample>
-
- </para>
-
- </answer>
-
- </qandaentry>
-
- <qandaentry>
-
- <question>
- <para>
- What if my Server has a private IP address, how do I enable external access then?
- </para>
- </question>
-
- <answer>
-
- <para>
-
- You can use reverse masquerading. For this you need to set
- <varname>FW_ROUTE</varname> and <varname>FW_MASQUERADE</varname> to
- <literal>"yes"</literal>, and additionally
- <varname>FW_FORWARD_MASQ</varname> for the web servers private IP
- (lets say it is 10.0.0.1):
-
- <informalexample>
- <programlisting>
-FW_ROUTE="yes"
-FW_MASQUERADE="yes"
-FW_FORWARD_MASQ="0/0,10.0.0.1,tcp,80"</programlisting>
- </informalexample>
-
- </para>
-
- </answer>
-
- </qandaentry>
-
- <qandaentry>
<question>
<para>Some service does not work when the firewall is enabled. How do I find out what's wrong?
@@ -345,15 +181,161 @@
<literal>SuSEfirewall2</literal> is implemented in bourne shell which is not exactly the
fastest thing on earth especially if it has that much work to do as
<literal>SuSEfirewall2</literal>. Administrators still prefer bourne shell scripts
- because of readability <emphasis>*cough*</emphasis>. To be able to
- use <command>iptables-restore</command>
- <literal>SuSEfirewall2</literal> would need a lot more logic than
- what is be possible with bourne shell as it would need to sort and
- reorder the rules for example. Furthermore interfaces are not static.
- They can arbitrarily appear and disapper with different names so a
- generic solution can't just dump the rules with
- <command>iptables-store</command> and re-apply them with
- <command>iptables-restore</command>.
+ because of readability <emphasis>*cough*</emphasis>.
+ </para>
+
+ <para>
+ <literal>SuSEfirewall2</literal> already uses a method
+ similar to <literal>iptables-restore</literal> to apply
+ as much filter rules as possible at once.
+ <literal>SuSEfirewall2</literal> doesn't use
+ <literal>iptables-restore</literal> natively to be able to
+ easily fall back to individual <literal>iptables</literal>
+ calls in case of error.
+ </para>
+
+ </answer>
+
+ </qandaentry>
+
+ <qandaentry>
+
+ <question>
+ <para>
+ Enabling drbd blocks the boot process. How to get around that?
+ </para>
+ </question>
+
+ <answer>
+
+ <para>
+
+ During boot process all incoming traffic is blocked
+ unconditionally. The very last boot script then sets up
+ the configured firewall rules. The problem is that drbd
+ blocks the boot process while waiting for incoming
+ connection from other nodes. Therefore configuring the
+ drbd port in <literal>SuSEfirewall2</literal> has no
+ effect.
+
+ </para>
+
+ <itemizedlist>
+
+ <listitem>
+ <para>
+ SLES10
+ </para>
+ <para>
+ Add a manual iptables call to
+ <literal>/etc/init.d/boot.local</literal>:
+ <informalexample>
+ <programlisting>iptables -A INPUT -p tcp --dport 7788 -j ACCEPT</programlisting>
+ </informalexample>
+
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ SLES11, openSUSE <= 11.2
+ </para>
+ <para>
+ On SLES11 SuSEfirewall2_init is called after
+ boot.local, therefore the method for SLES10
+ doesn't work anymore. It's possible to modify the
+ dependencies of the SuSEfirewall2_setup script to run
+ before drbd though:
+ <itemizedlist>
+
+ <listitem>
+ <para>
+ Create the directory
+ <filename>/etc/insserv/overrides</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Create a new file
+ <filename>/etc/insserv/overrides/SuSEfirewall2_setup</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Copy the the LSB header (the part between and
+ including the lines "<literal>### BEGIN INIT
+ INFO</literal>" and "<literal>### END INIT
+ INFO</literal>") from
+ <filename>/etc/init.d/SuSEfirewall2_setup</filename>
+ to
+ <filename>/etc/insserv/overrides/SuSEfirewall2_setup</filename>
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ Replace <literal>$ALL</literal> with
+ <literal>$null</literal> and add the following
+ line:
+ <informalexample>
+ <programlisting># X-Start-Before: drbd</programlisting>
+ </informalexample>
+
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ run <command>/sbin/insserv</command>
+ </para>
+ </listitem>
+
+ </itemizedlist>
+
+ </para>
+ </listitem>
+
+ <listitem>
+ <para>
+ openSUSE >= 11.3
+ </para>
+ <para>
+ Configure the open ports for <literal>drbd</literal> and set
+ <informalexample>
+ <programlisting>FW_BOOT_FULL_INIT="yes"</programlisting>
+ </informalexample>
+
+ </para>
+ </listitem>
+
+ </itemizedlist>
+
+ </answer>
+
+ </qandaentry>
+
+ <qandaentry>
+
+ <question>
+ <para>
+ My wireless LAN network interface is configured for the
+ external zone. Sometimes I need to connect to trusted
+ networks that offer e.g. printing or file sharing. How can
+ I solve that without opening ports in the external zone?
+ </para>
+ </question>
+
+ <answer>
+
+ <para>
+
+ The