Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] Reply: [suse-security] SuSE-FW-NO_ACCESS_INT->FWEXT (last attempt)
  • From: Marcin Gryszczuk <marcing@xxxxxxxxxxxxxxxxx>
  • Date: Thu, 01 Aug 2002 12:11:32 +0200
  • Message-id: <5.1.0.14.2.20020801120308.0214dd28@xxxxxxxxxxxxxxxxx>
Hi

Or the better solution (without keeping your firewall computer fully open to the inside world) is:

In firewall2-custom.rc.config add something like this (e.g. allowing http, https and proxy to the external interface from the internal world):

iptables -I INPUT x+0 -i eth0 -p tcp --dport 80 -j input_int
iptables -I INPUT x+1 -i eth0 -p tcp --dport 443 -j input_int
iptables -I INPUT x+2 -i eth0 -p tcp --dport 8080 -j input_int

Where eth0 is an internal interface.
And x is a rule number before the rule responsible for dropping all traffic between internal and external:

92 6321 DROP all -- eth0 any anywhere 255.255.255.255
24 1542 LOG all -- eth0 any anywhere your.ext.ip.address LOG level warning tcp-options ip-options prefix `SuSE-FW-NO_ACCESS_INT->FWEXT '

The best place for such rules in firewall2-custom.rc.config is the function called fw_custom_before_denyall().
Please remember to allow firewall2-custom.rc.config in firewall2.rc.config!
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"


Best regards

Marcin Gryszczuk

At 11:54 01-08-2002 +0200, Mathias Homann wrote:

>
> Hi..
>
> I've got the same, but I think this is a feature ;-)
>
> I also have no solution, but I think it could have something to do with
> these entries:
>
> FW_PROTECT_FROM_INTERNAL="yes"
>
> Have you tried a "NO" here?
>

I have the very same problem and I have FW_PROTECT_FROM_INTERNAL="no"
so that is no solution...


bye,
MH
--
The unsolicited sending of advertising e-mail to private individuals violates
§1 UWG and §823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O
201/98). Any commercial use of the transmitted personal data, as well as
passing it on to third parties, is expressly prohibited!



--
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
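
Added example (not part of the original mail and not SuSEfirewall2 code): one way to find the rule number x described above and generate the three inserts from it. The function names and the sample listing are constructed for illustration, and treating x as the first DROP or LOG rule on the internal interface is an assumption about what the mail means.

```shell
#!/bin/sh
# Added example, not code from the mail or from SuSEfirewall2.
# Constructed `iptables -L INPUT -v --line-numbers` listing: the two eth0
# rules are the ones quoted in the mail, every other line is made up.
sample_listing() {
cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target  prot opt in    out  source    destination
1      310 24800 ACCEPT  all  --  lo    any  anywhere  anywhere
2       92  6321 DROP    all  --  eth0  any  anywhere  255.255.255.255
3       24  1542 LOG     all  --  eth0  any  anywhere  your.ext.ip.address LOG level warning tcp-options ip-options prefix `SuSE-FW-NO_ACCESS_INT->FWEXT '
EOF
}

# Print the number of the first DROP or LOG rule whose "in" column is
# interface $1 (assumption: this is the "x" the mail means). Exit 1 if none.
first_deny_rule() {
    awk -v ifc="$1" '
        $1 ~ /^[0-9]+$/ && $7 == ifc && ($4 == "DROP" || $4 == "LOG") {
            print $1; found = 1; exit
        }
        END { if (!found) exit 1 }'
}

# Emit one insert per port at positions x, x+1, ... so the rules keep the
# given order and all sit ahead of the deny rule. Reads the listing on stdin.
gen_inserts() {   # usage: gen_inserts IFACE PORT...
    ifc=$1; shift
    x=$(first_deny_rule "$ifc") || { echo "no deny rule on $ifc" >&2; return 1; }
    for port in "$@"; do
        echo "iptables -I INPUT $x -i $ifc -p tcp --dport $port -j input_int"
        x=$((x + 1))
    done
}

sample_listing | gen_inserts eth0 80 443 8080
```

On a live firewall, feed it the output of `iptables -L INPUT -v --line-numbers` instead of the sample; it only prints the commands, so the rule positions can be checked before anything is applied.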

