Mailinglist Archive: opensuse-security (195 mails)

Re[2]: [suse-security] firewall
  • From: Stefan Schmitz <s.schmitz@xxxxxx>
  • Date: Sun, 12 Mar 2000 11:41:14 +0100
  • Message-id: <7486.000312@xxxxxx>
> als wrote:
>>
>> I installed SuSE 6.3 with firewall 1.4. I want to permit the following
>> access through the firewall: www, domain, ftp, smtp and ssh. Then I
>> made some adjustments in "rc.firewall" like:
>> FW_ROUTE="yes"
>> FW_TCP_SERVICES_EXTERNAL="smtp www domain ftp"
>> FW_UDP_SERVICES_EXTERNAL="domain smtp ftp"
>>
>> After starting the firewall I have full access from the internal network to
>> the internet, but there isn't any access from the Internet and no mail....
>> Could someone tell me what I should do?

> I don't know if you've got this sorted yet, but...

> If you're using fetchmail or Netscape or something similar to get the mail, you
> need to open up TCP port 110 (pop3 in /etc/services). The smtp port is only
> used for sending mail (unless you are having your mail sent directly to you by
> your ISP using sendmail, but if you're a home user I doubt that). What do you
> mean by 'but there isn't any access from Internet'?

> Hope that helps,
> Chris

Hi,

my working settings in /etc/rc.config.d/firewall.rc.config, which give
defined access from the internal network over the ippp0 interface to the
internet and from outside (the internet) to my system, are:

FW_DEV_WORLD="ippp0"
FW_DEV_INT="eth0 eth0:0 eth0:1"
.
.
.
FW_ROUTE="yes"
FW_MASQUERADING="yes"
FW_MASQ_NETS="[internal-net-ip]"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
FW_SERVICES_EXTERNAL_TCP="25" # smtp
FW_SERVICES_EXTERNAL_UDP="" # none
.
.
.
FW_SERVICES_INTERNAL_TCP="25 53 80 110 137:139 443 3128" # smtp dns www pop3 netbios(ns,dgm,ssn) ssl proxy(squid)
FW_SERVICES_INTERNAL_UDP="53 137:139" # dns netbios(ns,dgm,ssn)
.
.
.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
.
.
.
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"

There is no need to open the external ports www, domain, ftp, smtp and
ssh unless you're running a web server like Apache on your system.

greetings
s.schmitz

--------------------------------------------------
e-mail : s.schmitz@xxxxxx phone: +49-2803-93424
homepage: ---------------- fax : +49-2803-93426
--------------------------------------------------
"Life is what happens while we are busy
with other things."
(John Lennon)
--------------------------------------------------
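The settings above live in a file that the SuSEfirewall script sources as plain shell. That has a consequence the firewall script itself cannot warn about: a misspelled variable name is simply a new, unread variable, and any later "$FW_..." reference to the intended name expands to an empty string, so a masquerading or filtering rule built from it applies to no interface at all; a line that is not a NAME="value" assignment is executed as a command when the file is sourced. The following lint is an added example, not code from the original post or from SuSEfirewall; the list of valid names is an assumption built from the variables the post shows (extend it for your version), and both sample fragments are constructed:

```shell
#!/bin/sh
# Added example, not code from the original post or from SuSEfirewall itself:
# lint a SuSEfirewall rc.config fragment before the firewall script sources it.
#
# The fragment is plain shell, which has two consequences the firewall script
# cannot warn about on its own:
#   * a misspelled name (FW_DEV_WORL instead of FW_DEV_WORLD) is accepted, and
#     a later "$FW_DEV_WORLD" expands to "", so a rule built from it covers no
#     interface at all;
#   * a line that is not NAME="value" (e.g. a missing "=") is *executed* as a
#     command when the file is sourced.
# lint_fw_config flags unknown names, references to names never assigned in
# the file, and lines that are not assignments.

# Assumption: valid names are the ones that appear in the post; extend the
# list for the SuSEfirewall version you actually run.
KNOWN_VARS="FW_DEV_WORLD FW_DEV_INT FW_ROUTE FW_MASQUERADING FW_MASQ_NETS
FW_MASQ_DEV FW_PROTECT_FROM_INTERNAL FW_AUTOPROTECT_GLOBAL_SERVICES
FW_SERVICES_EXTERNAL_TCP FW_SERVICES_EXTERNAL_UDP FW_SERVICES_INTERNAL_TCP
FW_SERVICES_INTERNAL_UDP FW_ALLOW_INCOMING_HIGHPORTS_TCP
FW_ALLOW_INCOMING_HIGHPORTS_UDP FW_SERVICE_DNS FW_SERVICE_DHCLIENT
FW_SERVICE_DHCPD FW_KERNEL_SECURITY FW_STOP_KEEP_ROUTING_STATE
FW_ALLOW_PING_FW FW_ALLOW_PING_DMZ FW_ALLOW_FW_TRACEROUTE
FW_ALLOW_FW_SOURCEQUENCH FW_MASQ_MODULES"

# lint_fw_config FILE: print one line per problem; return 0 if clean, 1 if not.
lint_fw_config() {
    file=$1
    rc=0
    known=$(printf '%s\n' "$KNOWN_VARS" | tr '\n' ' ')
    # Names assigned at the start of a line (NAME=...).
    assigned=$(sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$file" | tr '\n' ' ')

    # 1. Assignments to names the firewall script will never read.
    for name in $assigned; do
        case " $known " in
            *" $name "*) ;;
            *) echo "$file: unknown variable $name (typo?)"; rc=1 ;;
        esac
    done

    # 2. $FW_... references whose target is not assigned in this file.
    refs=$(grep -o '\$FW_[A-Za-z0-9_]*' "$file" | tr -d '$' | sort -u)
    for ref in $refs; do
        case " $assigned " in
            *" $ref "*) ;;
            *) echo "$file: \$$ref is referenced but never set here (expands to empty)"; rc=1 ;;
        esac
    done

    # 3. Anything that is not blank, a comment or NAME=... runs as a command.
    others=$(grep -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' \
                     -e '^[A-Za-z_][A-Za-z0-9_]*=' "$file" || true)
    if [ -n "$others" ]; then
        printf '%s\n' "$others" | while IFS= read -r line; do
            echo "$file: not an assignment, would be executed on source: $line"
        done
        rc=1
    fi
    return $rc
}

# Constructed sample with three typical slips (not the poster's file).
sample_bad_config() {
    cat <<'EOF'
FW_DEV_WORL="ippp0"
FW_DEV_INT="eth0"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_SERVICES_EXTERAL_TCP="25"   # smtp
FW_SERVICE_DHCLIENT_"no"
EOF
}

# Constructed sample with the same settings spelled correctly.
sample_good_config() {
    cat <<'EOF'
FW_DEV_WORLD="ippp0"
FW_DEV_INT="eth0"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_SERVICES_EXTERNAL_TCP="25"   # smtp
FW_SERVICE_DHCLIENT="no"
EOF
}

# Stand-alone use: lint the file given on the command line, or the samples.
demo() {
    if [ $# -gt 0 ]; then lint_fw_config "$1"; return; fi
    tmp=$(mktemp)
    sample_bad_config > "$tmp"
    echo "== constructed bad fragment"
    lint_fw_config "$tmp" || echo "-> fix these before (re)starting the firewall"
    sample_good_config > "$tmp"
    echo "== constructed good fragment"
    lint_fw_config "$tmp" && echo "-> clean"
    rm -f "$tmp"
}
demo "$@"
```

Run it as `sh lint_fw.sh /etc/rc.config.d/firewall.rc.config` before restarting the firewall; a non-zero exit means at least one line would be silently ignored, expand to nothing, or be executed as a command. The check is deliberately conservative: it only knows the names listed in KNOWN_VARS, so a legitimate variable from a newer SuSEfirewall release is reported as unknown until you add it.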