Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] open only http between nic intern & nic internet?
  • From: Harald Wallus <wallus@xxxxxxxxxxxxxxx>
  • Date: Mon, 16 Sep 2002 09:24:57 +0200
  • Message-id: <200209160924.57048.wallus@xxxxxxxxxxxxxxx>
Hi Fritz,

I solve your problem this way: I configure apache to listen on the
internal interface. Then I use a proxy.pac to redirect requests for the
external NIC to the internal device.

Greetings
Harald


On Friday, 13 September 2002 20:05, Fritz Berger wrote:
> Is there really no way to relax the anti-spoofing mechanism of
> SuSEfirewall2 in the way, that only http-requests from the internal
> network get to the second networkcard with the connection to the world
> (and back)?
> (Sorry - but I got absolutely no answer to my question below - so
> maybe this is not easily done, or not possible?)
> Thanks for any answer! (maybe the answer is: NO)?
>
> Fritz
>
> -------- Original Message --------
> Subject: [suse-security] stop susefirewall2 anti-spoofing for HTTP only?
> From: "Fritz Berger" <wizard@xxxxxxxxx>
> Date: Wed, 11.09.2002, 21:52
> To: <suse-security@xxxxxxxx>
>
>
> Hello List!
>
> I'm sorry to have to ask this question, but I did RTFM for quite a while,
> and I do need your help!
> I have a SuSE 8.0 Prof server with apache & sendmail, and internally I am
> forwarding/masquerading some PCs (some Windows) (absolutely trusted).
> Everything works fine, BUT:
>
> I tried without success to stop the anti-spoofing rules of
> SuSEfirewall2 to let ONLY HTTP (port 80, do I need more?) from the
> internal network (eth0) to the external NIC (eth1).
> I do NOT want all traffic from my internal PCs to my OWN HOMEPAGE to go
> over the proxy of my ISP. (It's sometimes really slow due to an overload
> on the proxy of my ISP.)
> ...and it is "destroying bandwidth" when I go masqueraded to my ISP only
> to access the other network card on my own server!
> I know it is a security hole, but if it would be only for http it should
> be ok. (And on my SuSE 7.3 server with ipchains it worked fine too.)
> Please - no RTFM: I need a "cooking instruction". I think it is only one
> line inserted into /etc/sysconfig/scripts/SuSEfirewall2-custom, but which
> line and where???
> AND I think this would be (as a "cooking instruction") something for the
> FAQ for all like me who want to take this risk!
> I am tired of trying options and only getting SUSE-FW-NO_ACCESS_INT->FWEXT
> in my firewall logs!
> Thank you in advance!!
>
> Fritz
>
>
> Here is my firewall config:
>
> ----------------
>
> FW_DEV_EXT="eth1"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ=""
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="http smtp www"
> FW_SERVICES_EXT_UDP=""
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
> FW_SERVICE_AUTODETECT="no"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD=""
> FW_FORWARD_MASQ=""
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option
> --log-prefix SuSE-FW"
> FW_KERNEL_SECURITY="no"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="yes"
> FW_ALLOW_FW_TRACEROUTE="yes"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_IGNORE_FW_BROADCAST="yes"
> FW_ALLOW_CLASS_ROUTING="no"
> #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

--
Dr. Harald Wallus
netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 1-90
Email: wallus@xxxxxxxxxxxxxxx
Internet: http://netlike-gmbh.de
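What Harald's proxy.pac approach looks like in practice, as an added example (this is not Harald's own file, and not from the original post): a PAC file can only pick a proxy per request, it cannot rewrite the destination host, so the site's own hostname is sent DIRECT and the internal PCs must resolve that name to the address of the internal NIC (hosts file or internal DNS, assumed here), where apache listens. Everything else still goes through the ISP proxy. The hostnames www.example.org/example.org, the proxy proxy.isp.example:8080 and the LAN prefix 192.168.1. are assumptions for illustration. Matching on the exact hostname (not a substring) keeps a name like www.example.org.evil.test from picking up the bypass.

```javascript
// Added example PAC file (not the original poster's). Assumed values:
//   OWN_HOSTS           names of the own homepage, resolving internally to the internal NIC
//   ISP_PROXY           the ISP's HTTP proxy
//   INTERNAL_NET_PREFIX the masqueraded LAN behind eth0
// Written with var/indexOf only, since browser PAC engines are old JavaScript.
var OWN_HOSTS = ["www.example.org", "example.org"];
var ISP_PROXY = "PROXY proxy.isp.example:8080";
var INTERNAL_NET_PREFIX = "192.168.1.";

// Exact, case-insensitive match against the list of own hostnames.
// A substring test would also match attacker-chosen names that merely
// contain the site's name, so compare whole labels only.
function isOwnHost(host) {
  var h = String(host).toLowerCase();
  for (var i = 0; i < OWN_HOSTS.length; i++) {
    if (h === OWN_HOSTS[i]) {
      return true;
    }
  }
  return false;
}

// Entry point every PAC engine calls: returns a proxy directive string.
function FindProxyForURL(url, host) {
  var h = String(host).toLowerCase();

  // Plain (dotless) names and LAN addresses never leave the LAN.
  if (h.indexOf(".") === -1 || h.indexOf(INTERNAL_NET_PREFIX) === 0) {
    return "DIRECT";
  }

  // The own homepage: connect directly. Internal name resolution (assumed)
  // maps this name to the internal interface, so the request never has to
  // cross from eth0 to eth1 and never hits the anti-spoofing drop.
  if (isOwnHost(h)) {
    return "DIRECT";
  }

  // Everything else through the ISP proxy, falling back to the masqueraded
  // direct path if the proxy is down.
  return ISP_PROXY + "; DIRECT";
}

// Stand-alone check when run under node; a browser PAC engine has no require().
if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("http://www.example.org/", "www.example.org"));
  console.log(FindProxyForURL("http://www.suse.de/", "www.suse.de"));
}
```

Serve the file from the internal interface and point the browsers' automatic proxy configuration at it. If the external hostname cannot be made to resolve internally, the only alternative within a PAC is to hand the internal address as "PROXY 192.168.1.1:80" for the own host and rely on apache accepting absolute-URI requests; test that before relying on it.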
