RE: [suse-security] Problems with a simple Firewall2 config
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Tue, 15 Jul 2003 15:49:07 +0200
  • Message-id: <876E796441495649AB4AE82092A0784A3D8D28@xxxxxxxxxxxxxx>
OK... So in order to accomplish the following - I admit rather exotic -
configuration:
- any client on the internal network (172.19.0.0/16) may access HTTP and
FTP Servers on the external net
- any client on the external network (192.168.1.0/24) may access HTTP
server on the internal network

You suggest I combine the SuSEfirewall2 with some other 3rd party
solution? Something like this?
1. SuSEfirewall2: forwarding all requests from the external network to my
internal web server, no masquerading:
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_SERVICE_SQUID="yes"
FW_FORWARD="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
# FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" remove this if using squid?
FW_PROTECT_FROM_INTERNAL="no"
FW_LOG_DROP_CRIT="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_ALLOW_PING_FW="yes"
FW_IGNORE_FW_BROADCAST="yes"
2. Squid to handle all internal traffic

Oh by the way, the customer mentioned that if possible, only HTTP 1.0
packets are allowed to pass the firewall/proxy.... :-S

Cheers
Knut Erik

-----Original Message-----
From: GentooRulez [mailto:paranoiac_user@xxxxxxxxxx]
Sent: Tuesday, July 15, 2003 2:34 PM
To: suse-security
Subject: Re: [suse-security] Problems with a simple Firewall2 config


>There are no services ON THE FIREWALL that need to be accessed (I
>already ran into this problem ;-), they are all on servers in either
>network.

Oops, I misunderstood you.

>I changed my configuration, just to test. This is how (excerpt) it
>looked:
> FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
>172.19.0.0/16,0/0,tcp,80"
> FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

Looks good so far

>Test-configuration
> FW_MASQ_NETS="172.19.0.0/16"
> FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

This is opening any destination port/protocol(icmp,udp,tcp) for inside
boxes to get routed through the firewall.

>It will work with my test-configuration, but then again, any user could
>use any service on the external net, and that is not wanted, only FTP
>and HTTP.

>How can I solve this, without doing something like this:
> FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
>172.19.0.0/16,0/0,tcp,80 172.19.0.0/16,0/0,tcp,1024:65535"
>FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
>???

Using the firewall script, this is the right way to limit the services
to be accessed from the inside.

The other way is to disable masquerading and routing for the internal
network completely and to set up the following:

http://www.squid-cache.org/
http://dansguardian.org/ (cascade, if you want to)

and the ftp-proxy from here

http://www.suse.de/en/whitepapers/proxy_suite/

It is, all in all, the better and more secure solution, and you can set
this up fully transparent to the internal network.

Hope that helps.

Yours

Michael
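To make the FW_MASQ_NETS semantics argued over in the two messages concrete (a bare "172.19.0.0/16" masquerades every protocol and port, the longer variants only FTP/HTTP), here is an added Python evaluator; it is not SuSEfirewall2's own code and not part of the thread. It assumes the entry format visible in the examples above, `source[,destination[,protocol[,port or low:high]]]` separated by spaces, with "0/0" meaning any destination, and the sample client/server addresses are constructed.

```python
import ipaddress

# Added example (not from the thread or from SuSEfirewall2 itself).
# Entry syntax assumed from the thread's own examples:
#   source[,destination[,protocol[,port | low:high]]]   (entries separated by spaces)
# An omitted field means "any"; "0/0" is treated as "any destination".

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

def _net(text):
    """Turn a SuSEfirewall2 network field into an ip_network ("0/0" = any)."""
    return ANY_NET if text == "0/0" else ipaddress.ip_network(text, strict=False)

def parse_masq_nets(value):
    """Parse FW_MASQ_NETS into (src_net, dst_net, proto_or_None, lo_port, hi_port)."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        src = _net(parts[0])
        dst = _net(parts[1]) if len(parts) > 1 else ANY_NET
        proto = parts[2].lower() if len(parts) > 2 else None  # None = any protocol
        lo, hi = 0, 65535                                     # default: any port
        if len(parts) > 3:
            bounds = parts[3].split(":")                      # "80" or "1024:65535"
            lo, hi = int(bounds[0]), int(bounds[-1])
        rules.append((src, dst, proto, lo, hi))
    return rules

def is_masqueraded(rules, src_ip, dst_ip, proto, dport):
    """True if the connection matches any FW_MASQ_NETS entry."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src_ip in src and dst_ip in dst
               and (rproto is None or rproto == proto.lower())
               and lo <= dport <= hi
               for src, dst, rproto, lo, hi in rules)

# The three FW_MASQ_NETS values discussed in the thread.
CONFIGS = {
    "test": "172.19.0.0/16",
    "ftp_http": "172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80",
    "ftp_http_highports": ("172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 "
                           "172.19.0.0/16,0/0,tcp,80 172.19.0.0/16,0/0,tcp,1024:65535"),
}
# Constructed probe connections from an internal client to an external host.
PROBES = [("tcp", 80), ("tcp", 21), ("tcp", 22), ("udp", 53), ("tcp", 8080)]

def egress_matrix(configs=CONFIGS, src="172.19.6.10", dst="192.168.1.20"):
    """Return {config_name: {(proto, port): masqueraded?}} for the probe set."""
    return {name: {probe: is_masqueraded(parse_masq_nets(value), src, dst, *probe)
                   for probe in PROBES}
            for name, value in configs.items()}

if __name__ == "__main__":
    for name, results in egress_matrix().items():
        allowed = [f"{p}/{port}" for (p, port), ok in results.items() if ok]
        print(f"{name:20s} masquerades: {', '.join(allowed) or 'nothing'}")
```

Running it shows the point of the exchange: the "test" value lets everything out, "ftp_http" admits only 20/21/80, and the high-port variant reopens every unprivileged TCP port (8080 passes) while still blocking UDP and ports below 1024.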
