Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] Problems Understanding SuSEfirewall2
  • From: "remote" <remote@xxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 22 May 2003 17:25:37 +0200
  • Message-id: <016d01c32076$65567320$29379386@xxxxxxxxxxxxxxxxxxxxx>
Hi!

I recently asked for help regarding a secure setup for SuSEfirewall2 on
a router for a small LAN with public IPs. I received the following advice,
which I implemented:
>
> FW_AUTOPROTECT_SERVICES="yes"
>
> FW_SERVICES_EXT_TCP=""
>
> FW_SERVICES_EXT_UDP=""
>
> FW_SERVICES_INT_TCP=""
>
> FW_SERVICES_INT_UDP=""
>
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
>
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
>
> FW_SERVICE_AUTODETECT="yes"
>
> FW_SERVICE_DNS="no"
>
> FW_FORWARD="100.120.55.18,100.120.204.51,tcp,7127 \
> 100.120.55.18,100.120.204.56,tcp,7127 \
> 100.120.55.18,100.120.204.58,tcp,7127"
>
> FW_KERNEL_SECURITY="yes"

The problem is that if I do this, every connection out of my LAN into the Net is
down; the firewall blocks everything. The firewall also doubles as a mail
and DNS server for the LAN, so these services have to be reachable.
What I want it to do is block everything but certain well-defined
connections to the internet, like http, pop3, smtp, ftp and ssh. Also, the
outside world has to have access to a webserver on 100.120.55.2. If I
understand it correctly, this would mean FW_FORWARD rules like:

100.120.55.0/6,0/0,tcp,80    # for LAN connections to the internet via http;
                             # other services similarly
and

0/0,100.120.55.2,tcp,80      # for web server availability

but it doesn't seem to work. What am I missing?
My original working but probably insecure setup is as follows:

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""

FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""

FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="no"

FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""

FW_TRUSTED_NETS=""

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"

FW_FORWARD="100.120.55.0/6,0/0,tcp,80 \
100.120.55.0/6,0/0,tcp,110 \
100.120.55.0/6,0/0,tcp,22 \
100.120.55.0/6,0/0,tcp,25 \
100.120.55.0/6,0/0,udp,53 \
100.120.55.0/6,0/0,tcp,53 \
100.120.55.0/6,0/0,tcp,995 \
0/0,100.120.55.2,tcp,80 \
100.120.204.51,100.120.55.18,tcp,7127 \
100.120.204.56,100.120.55.18,tcp,7127 \
100.120.204.58,100.120.55.18,tcp,7127"

FW_FORWARD_MASQ=""
FW_REDIRECT=""

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"

##
# END of rc.firewall
##
#-------------------------------------------------------------------------#
#  EXPERT OPTIONS - all others please don't change these!                 #
#-------------------------------------------------------------------------#

FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Any suggestion is appreciated.
Thanks in advance!
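The following is an added example, not part of the original post and not code from SuSEfirewall2 itself. It sanity-checks a FW_FORWARD value before it is loaded. The variable lives in a shell-style config file, so a multi-line value has to continue its lines with a backslash; a forward slash at the end of a line is not a continuation and turns into an extra, meaningless entry once the value is split on whitespace. The script also validates each entry's fields (the accepted shapes, source,destination and source,destination,protocol,port, are taken from the format used in the post; treating anything else as malformed is this script's own assumption) and prints, for each good entry, a plain iptables FORWARD rule that approximates what the entry permits. That printed rule is a reading aid only: SuSEfirewall2 installs its own chains and connection-tracking rules. The sample values are constructed, using the addresses from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from SuSEfirewall2):
# validate a SuSEfirewall2 FW_FORWARD value and show, per entry, an
# approximate iptables rule. Run with: sh check_fw_forward.sh
# (file name is hypothetical).

# net_ok ADDR: accept "a.b.c.d", "a.b.c.d/len" or "0/0" -- must start with a
# digit and contain only digits, dots and slashes. Rejects a bare "/" token
# and empty fields.
net_ok() {
    case "$1" in
        [0-9]*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *[!0-9./]*) return 1 ;;
    esac
    return 0
}

# port_ok PORT: decimal 1..65535
port_ok() {
    case "$1" in
        "" | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# proto_ok PROTO: only tcp and udp carry a port in this format
proto_ok() {
    case "$1" in
        tcp | udp) return 0 ;;
        *) return 1 ;;
    esac
}

# check_fw_forward VALUE
# Splits VALUE on whitespace exactly as the sourced config would, prints one
# "ok:" or "bad:" line per entry and returns 0 only if every entry is
# well-formed.
check_fw_forward() {
    rc=0
    for entry in $1; do
        case "$entry" in
            *,*,*,*,*)
                echo "bad: $entry (more than four fields)"
                rc=1 ;;
            *,*,*,*)
                src=${entry%%,*};  rest=${entry#*,}
                dst=${rest%%,*};   rest=${rest#*,}
                proto=${rest%%,*}; port=${rest#*,}
                if net_ok "$src" && net_ok "$dst" && proto_ok "$proto" && port_ok "$port"; then
                    echo "ok:  iptables -A FORWARD -s $src -d $dst -p $proto --dport $port -j ACCEPT"
                else
                    echo "bad: $entry (field is not an address, protocol or port)"
                    rc=1
                fi ;;
            *,*,*)
                echo "bad: $entry (three fields: protocol without port)"
                rc=1 ;;
            *,*)
                src=${entry%%,*}; dst=${entry#*,}
                if net_ok "$src" && net_ok "$dst"; then
                    echo "ok:  iptables -A FORWARD -s $src -d $dst -j ACCEPT"
                else
                    echo "bad: $entry (field is not an address)"
                    rc=1
                fi ;;
            *)
                echo "bad: $entry (not src,dst[,proto,port]; stray token from a broken line continuation?)"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample values. GOOD_FORWARD continues lines with a backslash,
# so the shell joins them into one line; BAD_FORWARD ends its lines with "/",
# which survive as separate tokens.
GOOD_FORWARD="100.120.55.0/6,0/0,tcp,80 \
100.120.55.0/6,0/0,udp,53 \
0/0,100.120.55.2,tcp,80"

BAD_FORWARD="100.120.55.0/6,0/0,tcp,80 /
100.120.55.0/6,0/0,udp,53 /
0/0,100.120.55.2,tcp,80"

echo "== value with backslash continuations"
check_fw_forward "$GOOD_FORWARD" || echo "(rejected)"
echo "== value with slash line endings"
check_fw_forward "$BAD_FORWARD" || echo "(rejected: fix the line continuations before loading)"
```

The check runs offline and touches no firewall; it only reports. A "bad:" line for a lone "/" token is the signature of the continuation mistake described above, and an entry that passes here still has to be reviewed for what it allows (a wide source mask such as /6 admits far more than one LAN).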