Re: [suse-security] open only http between nic intern & nic internet?

16 Sep 2002

      High Fritz,

I solve your problem in that way, that I configure apache to listen on the 
internal interface. Than I use a proxy.pac to redir the request on the 
external nic to the internal device.

Greetings
Harald

Am Freitag, 13. September 2002 20:05 schrieb Fritz Berger:
...
Is there really no way to relax the anti-spoofing mechanism of
SuSEfirewall2 in the way, that only http-requests from the internal
network get to the second networkcard with the connection to the world
(and back)?
(Sorry - but I did get absolutely no answer to my question below - so
maybe this is not easyly done, or not possible?)
Thanks for any answer! (maybe  the answer is: NO)?
Fritz
-------- Ursprüngliche Nachricht --------
Betreff: [suse-security] stop susefirewall2 anti-spoofing for HTTP only?
Von: "Fritz Berger" 
Datum: Mit, 11.09.2002, 21:52
An: 
Hello List!
I'm Sorry to have to ask this question, but I did RTFM for quite a while,
but I do need your help!
I have a SuSE 8.0 Prof server with apache & sendmail and internal I am
forwarding/masquerading some pcs (some windows) (absolutely trusted).
Everything works fine, BUT:
I tried without success to stop the anti-spoofing-rules of the
susefirewall2 to let ONLY HTTP (Port 80. do I need more?) from the
internal network (eth0) to the external nis (eth1).
I do NOT want all traffic from my internal pcs to my OWN HOMEPAGE to go
over the proxy of my ISP. (Its sometimes really slow due to an overlaod
on the proxy of my ISP).
...and it is "destroying bandwith" when i go masqueraded to my isp only
to access the other networkcard on my own server!
I know it is a security hole, but if it would be only for http it should
be ok. (And on my suse7.3 server with ipchains it worked fine too.)
Please - no RTFM: I need a "cooking instruction". I think it is only one
line inserted into /etc/sysconfig/scripts/SuSEfirewall2-custom, but which
line and where ???
AND I think this would be (as a "cooking instruction") something for the
FAQ for all like me who want to take this risk!
I am tired to try options and only get the SUSE-FW-NO_ACCESS_INT->FWEXT
in my firewall logs!
Thank you in advance!!
Fritz
Here is my firewall config:
----------------
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http smtp www"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option
--log-prefix SuSE-FW"FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
-- 
Dr. Harald Wallus
netlike-gmbh 
Am Listholze 78, D-30177 Hannover 
Tel: +49(0)511 90 95 1-23  Fax: +49(0)511 90 95 = 1-90 
Email: wallus@netlike-gmbh.de 
Internet: http://netlike-gmbh.de