Hi
-----Original Message-----
From: Chris FitzGerald [mailto:mersco@pandora.be]
Sent: Tuesday, 12 November 2002 12:17
To: Suse-Security (E-Mail)
Subject: Re: [suse-security] SuSEfirewall2 configuration
Hi, in answer to 1: when you use FW_SERVICES_DMZ it opens up the ports you wish to allow, not looking at whether it came from internal or external. You do have to open up the ports on the external and internal services to allow the traffic to come in in the first place.
OK, I understand. What you let in from any (EXT, INT) interface should then have access to the DMZ. In my case it doesn't, nor can the DMZ access the services opened in SERVICES_DMZ. So I'm back to the solution of using FW_FORWARD. Is this normal, or is it a conflict in the configuration? Obviously the DMZ rules are never applied because the packets are dropped before.
Togan wrote: I would say wide open. By defining TCP/UDP/IGMP you are limiting the protocols that are allowed; when you add the port number then only the protocol along with the matching port is allowed.
I agree with you. For the MASQ_NETS (restrict access from INT to EXT) section it works like this, but when I use this in the TRUSTED_NETS section it won't. I configured the whole INT and DMZ as trusted net (FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is dropped or denied. Hopefully someone knows something about the reasons.
Cheers
Kurt
Tricky question for me too...
regards
chris
----- Original Message -----
From: "Kurt Minder"
To: "Suse-Security (E-Mail)"
Sent: Tuesday, November 12, 2002 12:02 PM
Subject: [suse-security] SuSEfirewall2 configuration

Hi folks
I followed the threads about configuring the firewall, but it did not really enlighten me (sorry).
So some questions:
1.) Does FW_SERVICE_DMZ open only a connection from DEV_EXT to DEV_DMZ? Because when I want to access the DMZ from internal I have to use the FW_FORWARD statement.
2.) A question about the notation:

# A forwarding rule consists of 1) source IP/net and 2) destination IP
# separated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
# Optional is a protocol, separated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
# Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"

When I leave out protocol and port, what is (or should be) open then?
I'm using 7.3
Cheers
Kurt
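An added example, not from the thread or from SuSEfirewall2 itself, that parses the FW_FORWARD notation quoted in the question into its fields, applying the reading given in the thread: an omitted protocol means every protocol and an omitted port means every port of that protocol. The `from_anywhere` audit check and the rule that a port only makes sense with tcp/udp are my assumptions, not SuSEfirewall2's own validation.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Sample value constructed from the comment block quoted in the thread.
SAMPLE_FW_FORWARD = "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24 5.5.5.5,6.6.6.6,igmp 0/0,0/0,udp,514"


@dataclass
class ForwardRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]   # None = every protocol (the "wide open" reading)
    port: Optional[int]    # None = every port of that protocol

    def describe(self) -> str:
        proto = self.proto or "any protocol"
        port = f"port {self.port}" if self.port is not None else "all ports"
        return f"{self.src} -> {self.dst}: {proto}, {port}"


def parse_net(token: str) -> ipaddress.IPv4Network:
    # The config writes "0/0" for "anywhere"; ipaddress needs the long form.
    if token == "0/0":
        token = "0.0.0.0/0"
    return ipaddress.IPv4Network(token, strict=False)  # host bits allowed


def parse_fw_forward(value: str) -> List[ForwardRule]:
    """Split a FW_FORWARD string into space-separated entries of the form
    src,dst[,protocol[,port]] and return one ForwardRule per entry."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if not 2 <= len(fields) <= 4:
            raise ValueError(f"malformed FW_FORWARD entry: {entry!r}")
        src, dst = parse_net(fields[0]), parse_net(fields[1])
        proto = fields[2].lower() if len(fields) >= 3 else None
        port = int(fields[3]) if len(fields) == 4 else None
        if port is not None and proto not in ("tcp", "udp"):
            # Assumption: a port is only meaningful for tcp/udp entries.
            raise ValueError(f"port given without tcp/udp in {entry!r}")
        rules.append(ForwardRule(src, dst, proto, port))
    return rules


def from_anywhere(rules: List[ForwardRule]) -> List[ForwardRule]:
    """Audit helper: entries whose source is 0/0, i.e. forwarded from anywhere."""
    return [r for r in rules if r.src.prefixlen == 0]


if __name__ == "__main__":
    for rule in parse_fw_forward(SAMPLE_FW_FORWARD):
        print(rule.describe())
```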
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here