Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] SuSE Firewall
  • From: Andrew McGill <andrew@xxxxxxxxxxx>
  • Date: Wed, 31 Jan 2001 22:58:36 +0200 (SAST)
  • Message-id: <Pine.LNX.4.21.0101312240550.30412-100000@xxxxxxxxxxxxxxxxx>
On Jan 30 at 11:46, my computer said Alexander Kühn said:

> Hi all,
> I have a little LAN with a SuSE 6.4 Server as gateway, within my LAN I
> have a NT box with IIS, I want to be able to access the httpd on the
> NT box from the internet by specifying some port on my gateway. I have
> firewals-2.1-5 installed and all clients in my LAN have unlimited access
> to the internet and to the gateway. I tried configuring the redirection,
> but seems to me like this only works when the NT box has a public IP,
> but it has not, and will never have. So is it possible to do it with
> the firewall or do I have to fiddle with ipchains?
> Thanks & regards,
> Nagilum.

One way to do this is to use squid as an HTTP `accelerator'. I set this
up today (much to my surprise). Squid sits on the firewall and looks like
a web server to the world on port 80. If you install it and search the
config file for 'accel' in squid.conf you should get it more or less set
up.

There are a few gotchas though. The squid23 package that comes with SuSE
7 (yep, I know you said 6.4) has a security bug when used as an
accelerator. It is impossible to stop it from being abused by the world
to bypass porn-blocking proxies, while simultaneously allowing access to
your `accelerated' host. You will need to get squid 2.4. (And if you
compile from source, you may end up without dnsserver processes if you
don't ./configure with --disable-internal-dns )

Another security gotcha is that your happy server will tell the world its
private IP address. When a URL such as http://172.16.3.2/directory is
requested, it may send a message like Location:
http://172.16.3.2/directory/ -- which is a bit of a let-down (IIS 3 does
this) (yep, that's what they were using).

I have a sneaky suspicion that I would have been out of there by 2pm if I
had used ipportfw ... if that network card had been working ... if I was
smarter ...

&:-)

--
[1]+ Stopped fdformat /dev/hda
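The two gotchas in the reply above (an accelerator that can be abused as an open proxy, and an origin server that leaks its private address in Location headers) can be checked for in the relaying layer. The following is an added example, not code from the post or from squid; the origin address 172.16.3.2 comes from the post, while the public name www.example.com and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values: the private IIS box behind the gateway (from the
# post) and the public name the accelerator answers for (assumed).
ACCEL_HOST = "172.16.3.2"
PUBLIC_HOST = "www.example.com"


def is_private_host(host):
    """True if host is a literal RFC 1918 / loopback / link-local address."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False  # a hostname, not an address literal


def request_allowed(request_line, headers, public_host=PUBLIC_HOST):
    """Accept only requests aimed at the accelerated site.

    An accelerator that relays whatever Host or absolute URI the client
    supplies is an open proxy; everything not for public_host is refused.
    """
    _method, target, _version = request_line.split(" ", 2)
    if target.startswith(("http://", "https://")):
        # Proxy-style absolute URI: honour it only for our own site.
        return urlsplit(target).hostname == public_host
    host = headers.get("Host", "").split(":")[0]
    return host == public_host


def sanitize_location(headers, public_host=PUBLIC_HOST):
    """Rewrite a Location header that exposes the origin's private address.

    Returns a new header dict; headers without a leaking Location are
    returned unchanged.
    """
    loc = headers.get("Location")
    if not loc:
        return headers
    parts = urlsplit(loc)
    if parts.hostname and is_private_host(parts.hostname):
        fixed = parts._replace(netloc=public_host)
        return dict(headers, Location=urlunsplit(fixed))
    return headers
```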

