Mailinglist Archive: opensuse-security (375 mails)

[suse-security] open only http between nic intern & nic internet?
  • From: "Fritz Berger" <wizard@xxxxxxxxx>
  • Date: Fri, 13 Sep 2002 20:05:54 +0200 (CEST)
  • Message-id: <61535.195.34.133.62.1031940354.squirrel@xxxxxxxxxxxxx>
Is there really no way to relax the anti-spoofing mechanism of
SuSEfirewall2 so that only http requests from the internal
network get to the second network card with the connection to the world
(and back)?
(Sorry - but I got absolutely no answer to my question below - so
maybe this is not easily done, or not possible?)
Thanks for any answer! (Maybe the answer is: NO?)

Fritz

-------- Original Message --------
Subject: [suse-security] stop susefirewall2 anti-spoofing for HTTP only?
From: "Fritz Berger" <wizard@xxxxxxxxx>
Date: Wed, 11.09.2002, 21:52
To: <suse-security@xxxxxxxx>


Hello List!

I'm sorry to have to ask this question, but I did RTFM for quite a while,
and I still need your help!
I have a SuSE 8.0 Prof server with apache & sendmail, and internally I am
forwarding/masquerading some PCs (some Windows) (absolutely trusted).
Everything works fine, BUT:

I tried without success to stop the anti-spoofing rules of
SuSEfirewall2 to let ONLY HTTP (port 80, do I need more?) from the
internal network (eth0) to the external NIC (eth1).
I do NOT want all traffic from my internal PCs to my OWN HOMEPAGE to go
over the proxy of my ISP. (It's sometimes really slow due to an overload
on the proxy of my ISP.)
...and it is "destroying bandwidth" when I go masqueraded to my ISP only
to access the other network card on my own server!
I know it is a security hole, but if it were only for http it should
be ok. (And on my SuSE 7.3 server with ipchains it worked fine too.)
Please - no RTFM: I need a "cooking instruction". I think it is only one
line inserted into /etc/sysconfig/scripts/SuSEfirewall2-custom, but which
line and where???
AND I think this would be (as a "cooking instruction") something for the
FAQ for all like me who want to take this risk!
I am tired of trying options and only getting SUSE-FW-NO_ACCESS_INT->FWEXT
in my firewall logs!
Thank you in advance!!

Fritz


Here is my firewall config:

----------------

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http smtp www"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
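As an added example (not part of Fritz's mail and not SuSEfirewall2's own code), a small Python log-triage script for the firewall log lines the mail mentions: it reads the kernel LOG entries carrying the SuSE-FW-NO_ACCESS_INT->FWEXT prefix that the FW_LOG setting above produces, counts hits per internal source, protocol and destination port, and flags anything other than port 80, so one can see before relaxing that rule whether only HTTP to the external NIC would actually be affected. The log lines, addresses and MACs are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of iptables LOG lines as written with FW_LOG_DROP_CRIT="yes";
# hosts, addresses and MAC strings are made up for this example.
SAMPLE_LOG = """\
Sep 13 19:58:01 gw kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1234 DF PROTO=TCP SPT=33012 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 13 19:58:03 gw kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1235 DF PROTO=TCP SPT=33013 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 13 19:58:07 gw kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=77 DF PROTO=TCP SPT=1051 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 13 19:58:09 gw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:dd:08:00 SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=9 DF PROTO=TCP SPT=4321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The prefix SuSEfirewall2 attaches to internal->external-NIC drops
# (FW_LOG above sets the "SuSE-FW" part; the rule adds the rest).
LOG_PREFIX = "SuSE-FW-NO_ACCESS_INT->FWEXT"

# Only the key=value fields we need; OUT= may legitimately be empty.
FIELD_RE = re.compile(r"\b(IN|OUT|SRC|DST|PROTO|SPT|DPT)=(\S*)")


def parse_line(line):
    """Return the key=value fields of one LOG line, or None when the line
    does not carry the prefix we are triaging."""
    if LOG_PREFIX not in line:
        return None
    return dict(FIELD_RE.findall(line))


def summarise(log_text, allowed_dports=("80",)):
    """Count hits per (source, protocol, destination port) and collect the
    keys whose destination port is not in the set the admin intends to open
    (only HTTP in the mail). Returns (Counter, list_of_unexpected_keys)."""
    hits = Counter()
    unexpected = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields:
            continue
        key = (fields["SRC"], fields["PROTO"], fields.get("DPT", "-"))
        hits[key] += 1
        if fields.get("DPT") not in allowed_dports:
            unexpected.append(key)
    return hits, unexpected


if __name__ == "__main__":
    counts, odd = summarise(SAMPLE_LOG)
    for (src, proto, dport), n in sorted(counts.items()):
        print(f"{src:<16} {proto:<4} dport={dport:<5} hits={n}")
    print("outside the intended HTTP-only scope:", odd)
```

Run it against the real log instead of SAMPLE_LOG (for example by piping /var/log/messages into summarise) to see whether hosts other than the intended browsers, or ports other than 80, are hitting the anti-spoofing rule.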