Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] Problems Understanding SuSEfirewall2
Ok,

First I explain my setup a bit with some general stuff, then I review your
original config (whose purpose I now do understand).

Hth

BB, Arjen

List: I deemed it more purposeful in this case to quote the whole message.


On Thursday 22 May 2003 17:25, you wrote:
> Hi !
>
> I recently asked for help regarding a secure setup for the SuSEfirewall2 on
> a router for a small LAN with public IPs. I received the following advice
>
> which I implemented :
> > FW_AUTOPROTECT_SERVICES="yes"
> >
> > FW_SERVICES_EXT_TCP=""
> >
> > FW_SERVICES_EXT_UDP=""
> >
> > FW_SERVICES_INT_TCP=""
> >
> > FW_SERVICES_INT_UDP=""
> >
> > FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> >
> > FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
> >
> > FW_SERVICE_AUTODETECT="yes"
> >
> > FW_SERVICE_DNS="no"
> >
> > FW_FORWARD="100.120.55.18,100.120.204.51,tcp,7127 \
> > 100.120.55.18,100.120.204.56,tcp,7127 \
> > 100.120.55.18,100.120.204.58,tcp,7127"
> >
> > FW_KERNEL_SECURITY="yes"
>
> The problem is, if I do this, every connection out of my LAN into the Net
> is down, the firewall blocks everything. The firewall also doubles as a
> mail and DNS server for the LAN, so these services have to be reachable.

Ok, well these can both be the same error :)
Was FW_ROUTE="yes" also there? (I don't remember)

And when the fw is DNS server it also needs

FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"

Because if there is no DNS, internet access will fail.

Remember, these are all for allowing services to be provided by software
running _on_ the firewall, not for allowing access to services on servers
somewhere on the internet.

> What I want it to do is to block everything but certain well defined
> connections to the internet, like http, pop3, smtp, ftp and ssh. Also, the
> outside world has to have access to a webserver on 100.120.55.2. If I
> understand it correctly, this would mean FW_FORWARD rules like :

In case those services are not provided by the fw and you want to disallow
all other traffic to the internet but the ones you mention, you do indeed need
such an elaborate setup and set FW_ROUTE="no".

> 100.120.55.0/6, 0/0,tcp, 80 # For LAN- connection to the internet via
??? Are you sure you have /6 and not /8? (which is already humongous to put
behind a simple SuSE (linux) firewall.) That needs dedicated iron (more like
platinum) if you would have that many devices.

> http, other services similarly
> and
> 0/0, 100.120.55.2,tcp,80 # for web server availability
>
> but it doesnt seem to work. What do I miss ?
> My original working but probably insecure setup is as follows :
>
> FW_DEV_EXT="eth1"
>
> FW_DEV_INT="eth0"
>
> FW_DEV_DMZ=""
>
> FW_ROUTE="yes"
Set this to no.
afaik SuSE fw implicitly allows traffic from internal to external with this
setting.

So this was your problem

> FW_MASQUERADE="no"
>
> FW_MASQ_DEV=""
>
> FW_MASQ_NETS=""
>
> FW_PROTECT_FROM_INTERNAL="yes"
>
> FW_AUTOPROTECT_SERVICES="no"
>
> FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
This means that the whole world is allowed to access your firewall on these
ports! Don't set this! Leave empty!

> FW_SERVICES_EXT_UDP="53"
Same here, or are you actually providing domain services for the internet? (me
does not think so)

>
> FW_SERVICES_EXT_IP=""
>
> FW_SERVICES_DMZ_TCP=""
>
> FW_SERVICES_DMZ_UDP=""
>
> FW_SERVICES_DMZ_IP=""
>
> FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"

Only 53, if I understood you right this is the only service that the fw
actually provides itself.
>
> FW_SERVICES_INT_UDP="53"
>
> FW_SERVICES_INT_IP=""
>
>
> FW_TRUSTED_NETS=""
>
>
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
Set to no and tell users to use passive ftp.
Tell that to IE too, or be smart and install a proxy and let users use that.


> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Set to no


> FW_SERVICE_AUTODETECT="no"
Set to yes; this does not open up any ports, it just makes the fw more efficient.
> FW_SERVICE_DNS="yes"
>
> FW_SERVICE_DHCLIENT="no"
>
> FW_SERVICE_DHCPD="no"
>
> FW_SERVICE_SQUID="no"
>
> FW_SERVICE_SAMBA="no"
>
> FW_FORWARD="100.120.55.0/6,0/0,tcp,80 /
>
> 100.120.55.0/6,0/0,tcp,110 /
>
> 100.120.55.0/6,0/0,tcp,22 /
>
> 100.120.55.0/6,0/0,tcp,25 /
>
> 100.120.55.0/6,0/0,udp,53 /
>
> 100.120.55.0/6,0/0,tcp,53 /
>
> 100.120.55.0/6,0/0,tcp,995 /
>
> 0/0,100.120.55.2,tcp,80 /
>
> 100.120.204.51,100.120.55.18,tcp,7127 /
>
> 100.120.204.56,100.120.55.18,tcp,7127 /
>
> 100.120.204.58,100.120.55.18,tcp,7127 "
>
> FW_FORWARD_MASQ=""
>
> FW_REDIRECT=""
>
> FW_LOG_DROP_CRIT="yes"
>
> FW_LOG_DROP_ALL="no"
>
> FW_LOG_ACCEPT_CRIT="no"
>
> FW_LOG_ACCEPT_ALL="no"
>
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix
> SuSE-FW"
>
> FW_KERNEL_SECURITY="no"
Set to yes (when fw works)

> FW_STOP_KEEP_ROUTING_STATE="no"
>
> FW_ALLOW_PING_FW="yes"
>
> FW_ALLOW_PING_DMZ="no"
>
> FW_ALLOW_PING_EXT="yes"
>
> ##
>
> # END of rc.firewall
>
> ##
>
> # #
>
> #-------------------------------------------------------------------------#
>
> # #
>
> # EXPERT OPTIONS - all others please don't change these! #
>
> # #
>
> #-------------------------------------------------------------------------#
>
> # #
>
>
>
> FW_ALLOW_FW_TRACEROUTE="yes"
>
> FW_ALLOW_FW_SOURCEQUENCH="yes"
>
> FW_ALLOW_FW_BROADCAST="no"
>
> FW_IGNORE_FW_BROADCAST="yes"
>
> FW_ALLOW_CLASS_ROUTING="no"
>
> #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
>
> Any suggestion is appreciated,
> Thanks in advance !
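An added example, not from this thread or from the SuSEfirewall2 project: a small Python audit script that parses the posted style of config (FW_*="value" lines with backslash continuations), splits FW_FORWARD into source,destination,protocol,port entries, and flags the settings the reply objects to. The sample config is constructed from the poster's values, and the meaning assumed for each variable is the one stated in the thread.

```python
import re

# Constructed sample: the poster's "working but probably insecure" values
# from the thread, including a backslash-continued FW_FORWARD.
SAMPLE_CONFIG = r'''
FW_ROUTE="yes"
FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_KERNEL_SECURITY="no"
FW_FORWARD="100.120.55.0/6,0/0,tcp,80 \
0/0,100.120.55.2,tcp,80 \
100.120.204.51,100.120.55.18,tcp,7127"
'''

def parse_config(text):
    """Return {VAR: value} for FW_*="..." lines; joins backslash-newline continuations."""
    joined = text.replace("\\\n", " ")
    return dict(re.findall(r'^(FW_\w+)="([^"]*)"', joined, re.M))

def parse_forward(value):
    """Split FW_FORWARD into (source, destination, protocol, port) tuples."""
    return [tuple(entry.split(",")) for entry in value.split()]

def audit(cfg):
    """Flag the settings the reply objects to; returns a list of finding strings."""
    findings = []
    if cfg.get("FW_ROUTE") == "yes":
        findings.append("FW_ROUTE=yes: LAN-to-internet traffic is routed regardless of FW_FORWARD")
    for var in ("FW_SERVICES_EXT_TCP", "FW_SERVICES_EXT_UDP"):
        if cfg.get(var, "").split():
            findings.append(f"{var}={cfg[var]!r}: these firewall ports are reachable from the whole internet")
    for var in ("FW_ALLOW_INCOMING_HIGHPORTS_TCP", "FW_ALLOW_INCOMING_HIGHPORTS_UDP"):
        if cfg.get(var) == "yes":
            findings.append(f"{var}=yes: unsolicited high ports accepted; prefer passive FTP or a proxy")
    if cfg.get("FW_KERNEL_SECURITY") == "no":
        findings.append("FW_KERNEL_SECURITY=no: enable once the firewall works")
    for src, dst, proto, port in parse_forward(cfg.get("FW_FORWARD", "")):
        for net in (src, dst):
            if net != "0/0" and "/" in net and int(net.split("/")[1]) < 8:
                findings.append(f"FW_FORWARD {src}->{dst} {proto}/{port}: {net} covers far more than one LAN; check the mask")
    return findings

if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```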
