Mailinglist Archive: opensuse-security (757 mails)

Am I about to give up on SuSE Firewall script??
  • From: "Omppu" <Omppu@xxxxxxxxxxxx>
  • Date: Wed, 16 Jan 2002 18:47:44 +0200
  • Message-id: <001501c19ead$85d368c0$c9d341c1@xxxxxxxxxxxx>
Hello,

After resolving this and that problem I still have problems with configuring the firewall script.
This is my scenario and what I have tried.

I have the following setup:

                  Internet
                     | S0
               ----------------
               |   internet   |
               | cisco router |
               ----------------
                     | F0 195.165.91.1 mask 255.255.255.240
                     |
                ----------            ----------
                |  HUB   |------------| server | 195.165.91.3
                ----------            ----------  mask 255.255.255.240
                     |
                     | 195.165.91.2 netmask 255.255.255.240
                     | GW 195.165.91.1
               ----------------
               |   SuSE 7.3   |
               |              |------------| 195.165.91.129
               |              |              netmask 255.255.255.192
               ----------------
                     | 195.165.91.193 netmask 255.255.255.192
                     |

and the following /etc/rc.config.d/firewall2.rc.config configuration:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth2"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="22"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="193.64.53.192/26"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="0/0,195.165.91.140,tcp,12345 0/0,195.165.91.140,tcp,1234 0/0,195.165.91.140,tcp,1433 0/0,195.165.91.140,tcp,5800 0/0,195.165.91.140,tcp,5801 0/0,195.165.91.140,tcp,5900 0/0,195.165.91.140,tcp,5901"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

(Is it really so that for FW_FORWARD="" all the input has to be on one line for it to work? When I tried to add the input on a new line it just did not read my settings!)

And this is what I'm trying to achieve:

Internet -> Firewall: allow (SSH)
Internet -> internal network: deny
Internet -> DMZ: allow 195.165.91.140
    ports 1234, 12345, 5800, 5801, 5900, 5901

DMZ -> Firewall: allow (SSH)
DMZ -> Internal network: deny
DMZ -> Internet: allow (all internet ports,
    1999)

Internal network -> Firewall: allow (SSH)
Internal network -> Internet: allow (all internet ports
    80, 22, 443, 8080, and 195.165.91.3 all ports)
Internal network -> DMZ: allow (195.165.91.140 all
    ports; 195.165.140 ports 21, 22, 80)



What do I have to do to get this to work?
I've lost time and I'm late on project delivery.
If I'm not able to figure this out I'm going to have to ignore the SuSE
firewall scripts and just use plain iptables, which wouldn't be nice.

All help would be greatly appreciated.

regards
O.
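As an added example (not code from the post above or from the SuSEfirewall2 project), the script below parses an rc.config fragment modelled on the posted one, expands the FW_FORWARD entries into illustrative iptables FORWARD rules, and flags any port forwarded to the DMZ host that the stated Internet-to-DMZ policy does not list. It assumes the FW_FORWARD entry format source_net,dest_net,protocol,dest_port with entries separated by whitespace; the emitted iptables commands show what each entry means and are not the exact rules the SuSE script generates. The sample configuration is constructed and deliberately keeps FW_FORWARD spanning several lines, since a POSIX shell (and shlex in posix mode) accepts a newline inside a double-quoted value.

```python
"""Parse a SuSEfirewall2-style rc.config fragment and expand FW_FORWARD.

Added example, not from the mailing-list post or from SuSEfirewall2.
Assumed entry format: "source_net,dest_net[,protocol[,dest_port]]",
entries separated by whitespace.  The iptables lines are illustrative.
"""
import shlex

# Constructed sample modelled on the post; the quoted FW_FORWARD value
# spans several lines on purpose (a POSIX shell accepts that).
SAMPLE_RC = '''
FW_DEV_EXT="eth0"
FW_DEV_INT="eth2"
FW_DEV_DMZ="eth1"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_FORWARD="0/0,195.165.91.140,tcp,12345 0/0,195.165.91.140,tcp,1234
0/0,195.165.91.140,tcp,1433 0/0,195.165.91.140,tcp,5800
0/0,195.165.91.140,tcp,5801 0/0,195.165.91.140,tcp,5900
0/0,195.165.91.140,tcp,5901"
'''

# Ports the post says the DMZ host should receive from the Internet.
INTENDED_DMZ_PORTS = {1234, 12345, 5800, 5801, 5900, 5901}


def parse_rc_config(text):
    """Return {VAR: value} for KEY="value" assignments; resolve simple $VAR refs."""
    conf = {}
    # posix=True strips the quotes and keeps newlines inside a quoted value;
    # comments=True drops anything after '#'.
    for token in shlex.split(text, comments=True, posix=True):
        if "=" not in token:
            continue
        key, _, value = token.partition("=")
        conf[key] = value
    # One pass is enough for references such as FW_MASQ_DEV="$FW_DEV_EXT".
    for key, value in list(conf.items()):
        if value.startswith("$"):
            conf[key] = conf.get(value[1:], value)
    return conf


def _norm(net):
    """Spell the catch-all network the way iptables prints it."""
    return "0.0.0.0/0" if net in ("0/0", "0.0.0.0/0") else net


def parse_fw_forward(value):
    """Split FW_FORWARD into rule dicts, validating each entry."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) < 2:
            raise ValueError("FW_FORWARD entry needs at least src,dst: %r" % entry)
        proto = fields[2] if len(fields) > 2 else None
        port = int(fields[3]) if len(fields) > 3 else None
        if port is not None and proto not in ("tcp", "udp"):
            raise ValueError("port given without tcp/udp in %r" % entry)
        rules.append({"src": _norm(fields[0]), "dst": _norm(fields[1]),
                      "proto": proto, "port": port})
    return rules


def iptables_lines(rules, in_dev, out_dev):
    """Illustrative FORWARD rules for each entry, plus one rule for reply traffic."""
    lines = []
    for r in rules:
        match = "-i %s -o %s -s %s -d %s" % (in_dev, out_dev, r["src"], r["dst"])
        if r["proto"]:
            match += " -p %s" % r["proto"]
        if r["port"] is not None:
            match += " --dport %d" % r["port"]
        lines.append("iptables -A FORWARD %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" % match)
    lines.append("iptables -A FORWARD -i %s -o %s -m state --state ESTABLISHED,RELATED -j ACCEPT"
                 % (out_dev, in_dev))
    return lines


def unexpected_ports(rules, dst, intended):
    """Ports forwarded to dst that the stated policy does not mention."""
    forwarded = {r["port"] for r in rules if r["dst"] == dst and r["port"] is not None}
    return forwarded - set(intended)


if __name__ == "__main__":
    conf = parse_rc_config(SAMPLE_RC)
    rules = parse_fw_forward(conf["FW_FORWARD"])
    for line in iptables_lines(rules, conf["FW_DEV_EXT"], conf["FW_DEV_DMZ"]):
        print(line)
    print("forwarded but not in stated policy:",
          sorted(unexpected_ports(rules, "195.165.91.140", INTENDED_DMZ_PORTS)))
```

Running it prints one rule per entry from eth0 to eth1 and reports port 1433, which is in FW_FORWARD but not among the six ports the post lists for 195.165.91.140; that kind of mismatch between the written policy and the config is worth catching before debugging the script itself.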