Mailinglist Archive: opensuse-security (375 mails)

[suse-security] stop susefirewall2 anti-spoofing for HTTP only?
  • From: "Fritz Berger" <wizard@xxxxxxxxx>
  • Date: Wed, 11 Sep 2002 21:52:13 +0200 (CEST)
  • Message-id: <33224.192.168.14.1.1031773933.squirrel@xxxxxxxxxxxxx>

Hello List!

I'm sorry to have to ask this question, but I did RTFM for quite a while,
and I do need your help!
I have a SuSE 8.0 Prof server with apache & sendmail, and internally I am
forwarding/masquerading some PCs (some Windows) (absolutely trusted).
Everything works fine, BUT:

I tried without success to stop the anti-spoofing rules of the
susefirewall2 to let ONLY HTTP (port 80, do I need more?) from the
internal network (eth0) to the external NIC (eth1).
I do NOT want all traffic from my internal PCs to my OWN HOMEPAGE to go
over the proxy of my ISP. (It's sometimes really slow due to an overload on
the proxy of my ISP.)
...and it is "destroying bandwidth" when I go masqueraded to my ISP only to
access the other network card on my own server!
I know it is a security hole, but if it would be only for HTTP it should
be OK. (And on my SuSE 7.3 server with ipchains it worked fine too.)
Please, no RTFM: I need a "cooking instruction". I think it is only one
line inserted into /etc/sysconfig/scripts/SuSEfirewall2-custom, but which
line and where???
AND I think this would be (as a "cooking instruction") something for the
FAQ, for all like me who want to take this risk!
I am tired of trying options and only getting SUSE-FW-NO_ACCESS_INT->FWEXT in
my firewall logs!
Thank you in advance!!

Fritz


Here is my firewall config:

----------------

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http smtp www"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
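Editor's note on the posted config: FW_CUSTOMRULES is commented out, so
SuSEfirewall2 will never source SuSEfirewall2-custom and no line added to
that file can have any effect until the variable is set to the file's path.
The following is an added example, not code from the original post or from
SuSE's own scripts. It builds the narrowest rule that does what the poster
asks for: accept new TCP connections to one port on the firewall's own
external address, arriving on the internal interface only. It assumes
(hypothetically) that SuSEfirewall2-custom defines a hook named
fw_custom_before_antispoofing() that runs before the anti-spoofing rules
that produce the NO_ACCESS_INT->FWEXT log entries, and it uses 192.0.2.10
(a documentation address, constructed for the example) as the external IP.

```shell
#!/bin/sh
# Added example (not from the original post or from SuSE): one tightly
# scoped iptables exception for HTTP from the internal LAN to the
# firewall's external address.
#
# Assumptions (hypothetical, adjust to your host):
#   - SuSEfirewall2 sources this file because FW_CUSTOMRULES points at it
#     and calls fw_custom_before_antispoofing() before it installs its
#     own anti-spoofing DROP/LOG rules, so an ACCEPT here matches first.
#   - 192.0.2.10 is the address bound to FW_DEV_EXT (constructed value).

INT_DEV="${INT_DEV:-eth0}"          # FW_DEV_INT in the posted config
EXT_IP="${EXT_IP:-192.0.2.10}"      # address on FW_DEV_EXT, not 0/0
PORT="${PORT:-80}"                  # HTTP only, as the poster wants
IPTABLES="${IPTABLES:-iptables}"    # override with 'echo' to dry-run

# Return the rule as text so it can be reviewed before it is applied.
# Only the first packet of a connection needs the exception; later
# packets are matched by the ESTABLISHED state the firewall already allows.
build_http_exception() {
    printf '%s\n' "INPUT -i $INT_DEV -d $EXT_IP -p tcp --dport $PORT -m state --state NEW -j ACCEPT"
}

# Refuse anything wider than one numeric port to one host address, so a
# typo cannot turn this into a blanket hole in the anti-spoofing rules.
validate_exception() {
    case "$EXT_IP" in
        ''|*/*|0.0.0.0) echo "refusing: destination must be one host, not '$EXT_IP'" >&2; return 1 ;;
    esac
    case "$PORT" in
        ''|*[!0-9]*) echo "refusing: one numeric port, not '$PORT'" >&2; return 1 ;;
    esac
    return 0
}

# Hook in the shape SuSEfirewall2-custom is assumed to call (see above).
fw_custom_before_antispoofing() {
    validate_exception || return 1
    rule=$(build_http_exception)
    # shellcheck disable=SC2086  # word-splitting the rule into arguments is intended
    $IPTABLES -A $rule
}
```

Set FW_CUSTOMRULES to the file's path, restart the firewall (on SuSE 8.x
the init script is normally invoked as rcSuSEfirewall2 restart), then check
that the ACCEPT sits above the anti-spoofing rules with
`iptables -L INPUT -n -v --line-numbers` and that the
SuSE-FW-NO_ACCESS_INT->FWEXT entries stop appearing for port 80. A way to
get the same result with no exception at all is split-horizon DNS: let
internal clients resolve the web server's name to its eth0 address, so the
packets never have to cross the anti-spoofing boundary.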