Mailinglist Archive: opensuse-security (343 mails)

SuSEfirewall
  • From: Eric Swenson <eric@xxxxxxxxxxx>
  • Date: Fri, 27 Jul 2001 11:47:16 -0700 (PDT)
  • Message-id: <200107271847.LAA29481@xxxxxxxxxxxxxxx>
None of the examples configuring SuSEfirewall appear to really address
my configuration, which leads me to believe:

a) I'm doing something stupid, or
b) the examples should be updated to include a similar config.

I'm running SuSE 7.2 on a machine with a single ethernet interface to
my LAN where I have a DSL Router (Cayman 3220-H) providing access to
the internet. I wish to protect this machine from internet-based
attacks while allowing inbound http and smtp access.

However, I also want machines on the LAN to have greater access
(i.e. access to Samba services, telnet, ftp, etc.).

What I've done is configured one interface (the external, untrusted
interface -- name my ethernet LAN eth0). And I've allowed http, smtp,
and domain access using

FW_SERVICES_EXTERNAL_TCP="www smtp domain"
FW_SERVICES_EXTERNAL_UDP="domain"

And, in order to allow local machines on my LAN to access other
services, I've explicitly listed those machines and services under

FW_SERVICES_TRUSTED_ACL

My LAN is configured with a netmask of 255.255.255.248 (which
corresponds to the number of static IP addresses allocated to me by my
DSL provider). Assuming I want all machines on the LAN to have the
same access to the Linux server, and that my net's address is
aaa.bbb.ccc.ddd, should I use:

FW_SERVICES_TRUSTED_ACL=aaa.bbb.ccc.ddd/29,tcp,xxx etc.

or list each host,protocol,port explicitly, or should I list
aaa.bbb.ccc.ddd/29 under FW_TRUSTED_NETS?

What is the "right" way to consider all the machines on the LAN as
trusted but also have my external DSL gateway/router on that same LAN?
And should I treat the ip address that corresponds to the Router
specially, since it appears to be directly accessible from the
internet and lies within my LAN address range?

Thanks much. -- Eric
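The question above hinges on one fact: a /29 entry in a trusted list covers every address in that block, including the DSL router's, so "trust the whole /29" and "treat the router specially" are mutually exclusive. The following script is an added example, not part of Eric's post and not SuSEfirewall code; it uses Python's standard `ipaddress` module to show what the 255.255.255.248 netmask maps to, which host addresses a /29 actually contains, and how to enumerate per-host ACL entries that leave the router out. The network `192.0.2.0/29`, the router and server addresses, and the `host,proto,port` entry format (taken from the `aaa.bbb.ccc.ddd/29,tcp,xxx` example in the post) are all assumptions for illustration; check the exact syntax against the SuSEfirewall configuration file comments before using any generated line.

```python
import ipaddress

# Constructed placeholder values (documentation range, not real addresses).
LAN_NET = "192.0.2.0/29"   # stands in for the post's aaa.bbb.ccc.ddd/29
ROUTER_IP = "192.0.2.1"    # hypothetical address of the DSL router on the LAN
SERVER_IP = "192.0.2.2"    # hypothetical address of the SuSE box itself


def netmask_to_prefix(mask):
    """Translate a dotted netmask (e.g. 255.255.255.248) to its CIDR prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def covers(cidr, address):
    """True if a network-style trusted entry would also match the given address.
    This is the check that shows why a bare /29 cannot exclude the router."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr, strict=False)


def trusted_hosts(lan_cidr, exclude=()):
    """Usable host addresses of the LAN block, minus any that must not be trusted
    (the router, and the server itself, which needs no ACL entry to reach itself)."""
    net = ipaddress.ip_network(lan_cidr, strict=False)
    excluded = {ipaddress.ip_address(a) for a in exclude}
    return [str(h) for h in net.hosts() if h not in excluded]


def acl_entries(hosts, services):
    """Expand hosts x services into per-host entries in the 'host,proto,port' form
    seen in the post. The entry format is assumed from that example only."""
    return [f"{host},{proto},{port}" for host in hosts for proto, port in services]


if __name__ == "__main__":
    # Assumed LAN-only services from the post: Samba, telnet, ftp.
    lan_services = [("tcp", "netbios-ssn"), ("tcp", "telnet"), ("tcp", "ftp")]
    print("prefix length:", netmask_to_prefix("255.255.255.248"))
    print("/29 entry would also trust router:", covers(LAN_NET, ROUTER_IP))
    for line in acl_entries(trusted_hosts(LAN_NET, [ROUTER_IP, SERVER_IP]), lan_services):
        print(line)
```

Running it prints prefix length 29, confirms that the /29 entry would match the router, and lists entries only for the four remaining LAN hosts. The per-host form is more typing than a single network entry, but it is the only way, within the options the post describes, to keep the router (the one address in the block reachable from the Internet side) out of the trusted set.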
