Hello,

First, thanks a lot for all the answers. Unfortunately it does not work yet and sincerely I have no clue anymore why it should not work. Anyway, here again all the data and the new modified configuration file for firewall2. I will also print the messages I get in the logfile /var/log/firewall when running firewall2 in test mode.

Kernel 2.4.16 (updated from 2.4.4, SuSE 7.2)
Firewall2 installed, then firewall1 and personal firewall uninstalled.

One question at this point: do I need personal firewall installed? Or can it be that I do not have the correct rights for some files?

external card on eth0 - 192.168.0.1/255.255.255.255
internal card on eth1 - 192.168.159.0/24

Firewall2 configuration file: if you find something wrong, could you please correct the corresponding line.... After this you will find the messages again which I get when trying to connect to the internet (just plain www).

FW_DEV_EXT="ppp0" # <-- is that right? Well, with eth0 it did not work either.....
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.159.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh" # Common: smtp domain
FW_SERVICES_EXT_UDP="" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INTERNET="yes"
##
# END of rc.firewall
##
#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

Well, now the messages: one for trying to connect from a machine on the LAN (trusted, local) and one message for trying to connect from my Linux router to the internet.
Mar 28 21:35:12 linux kernel: SuSE-FW-UNALLOWED-ROUTING IN=ppp0 OUT=eth1 SRC=207.46.28.116 DST=192.168.159.11 LEN=40 TOS=0x08 PREC=0x00 TTL=52 ID=10637 DF PROTO=TCP SPT=80 DPT=4022 WINDOW=17400 RES=0x00 ACK URGP=0
Mar 28 21:35:21 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=80.135.123.51 DST=217.89.17.95 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=7443 DF PROTO=TCP SPT=3413 DPT=1214 WINDOW=45680 RES=0x00 SYN URGP=0 OPT (020405AC0103030301010402)

Thank you for your help.

Greetings,
Thomas

--- Robert Klein <RoKlein@roklein.de> wrote:
Hi Peter,
PS: I am not sure about the external devices. I have one external card, which is eth0. But I tried this setting with just eth0 too and it did not work. That is why I put in ppp0 as well.
Your external device is ppp0. You may leave eth0 out.
FW_DEV_EXT="ppp0"
FW_MASQ_NETS="192.168.159.0/24"
as Thorsten Preuss has already noted in another mail. Sorry, I've been asleep here.. He's also right about not needing the IP_FORWARD variable in /etc/rc.config anymore. Sorry for the confusion.. Thanks, Thorsten, for setting me right.
NB: Those entries below were _examples_. You have to insert those services you have running _on_ your firewall. Add only those services you want to be accessible from outside *EXT* or from inside *INT* your network. For example, I have some installations using the following entries:
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_SERVICES_INT_TCP="ssh"
This means, I want ssh access to the firewall from the outside as well as the inside (entry ssh). Furthermore, this machine is the entry to a VPN (virtual private network), (UDP port 500 for key exchange and IP protocol 50 is used to transport the encrypted packets).
Leave those fields empty if you don't have any services running on the firewall (I'd recommend at least "ssh" in FW_SERVICES_INT_TCP --- you might want to do some configuring from another computer in your network. Saves the monitor for the firewall :)
Robert
FW_SERVICES_EXT_TCP="ssh http" # Common: smtp domain
FW_SERVICES_EXT_UDP="ssh http" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="ssh http" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
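An added example (not from the mail or from SuSEfirewall2 itself): a small Python parser for the SuSE-FW kernel log lines quoted above. It splits the KEY=VALUE fields and TCP flags and tells apart a packet dropped in the forwarding path (OUT set; here the web server's reply, SPT=80 with ACK, to the internal host) from an unsolicited SYN addressed to the firewall's own interface (OUT empty). The function names are my own.

```python
import re

# The two kernel log lines quoted in the mail above (netfilter LOG target output with
# SuSEfirewall2's "SuSE-FW-" prefixes), embedded here as the sample input.
SAMPLE_LOG = """\
Mar 28 21:35:12 linux kernel: SuSE-FW-UNALLOWED-ROUTING IN=ppp0 OUT=eth1 SRC=207.46.28.116 DST=192.168.159.11 LEN=40 TOS=0x08 PREC=0x00 TTL=52 ID=10637 DF PROTO=TCP SPT=80 DPT=4022 WINDOW=17400 RES=0x00 ACK URGP=0
Mar 28 21:35:21 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=80.135.123.51 DST=217.89.17.95 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=7443 DF PROTO=TCP SPT=3413 DPT=1214 WINDOW=45680 RES=0x00 SYN URGP=0 OPT (020405AC0103030301010402)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>SuSE-FW-\S+) (?P<rest>.*)$"
)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Split one SuSE-FW kernel log line into its prefix, KEY=VALUE fields and TCP flags.
    Empty values (OUT=, MAC=) are kept as ''; lines of another shape give None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # DF, OPT and the hex option blob are not needed for the classification below.
    return {"ts": m.group("ts"), "prefix": m.group("prefix"), "fields": fields, "flags": flags}


def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def classify(entry):
    """(path, kind): forwarded (OUT set) vs. aimed at the firewall; bare SYN vs. ACK reply."""
    f = entry["fields"]
    path = f"forwarded {f['IN']}->{f['OUT']}" if f.get("OUT") else f"to firewall on {f['IN']}"
    if "ACK" in entry["flags"]:
        kind = "reply/established"
    elif "SYN" in entry["flags"]:
        kind = "new connection attempt"
    else:
        kind = "other"
    return path, kind


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e["prefix"], *classify(e))
```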