OK... So in order to accomplish the following (I admit rather exotic) configuration:

- any client on the internal network (172.19.0.0/16) may access HTTP and FTP servers on the external net
- any client on the external network (192.168.1.0/24) may access the HTTP server on the internal network

you suggest I combine the SuSEfirewall2 with some other 3rd-party solution? Something like this?

1. SuSEfirewall2: forwarding all requests from the external network to my internal web server, no masquerading:

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_SERVICE_SQUID="yes"
FW_FORWARD="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
# FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"   remove this if using squid?
FW_PROTECT_FROM_INTERNAL="no"
FW_LOG_DROP_CRIT="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_ALLOW_PING_FW="yes"
FW_IGNORE_FW_BROADCAST="yes"

2. Squid to handle all internal traffic

Oh, by the way, the customer mentioned that, if possible, only HTTP 1.0 packets are allowed to pass the firewall/proxy.... :-S

Cheers
Knut Erik

-----Original Message-----
From: GentooRulez [mailto:paranoiac_user@freenet.de]
Sent: Tuesday, July 15, 2003 2:34 PM
To: suse-security
Subject: Re: [suse-security] Problems with a simple Firewall2 config
There are no services ON THE FIREWALL that need to be accessed (I already ran into this problem ;-), they are all on servers in either network.

Oops, I misunderstood you.
I changed my configuration, just to test. This is how (excerpt) it looked:

FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
Looks good so far
Test-configuration:

FW_MASQ_NETS="172.19.0.0/16"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

This is opening any destination port/protocol (icmp, udp, tcp) for inside boxes to get routed through the firewall.
It will work with my test-configuration, but then again, any user could use any service on the external net, and that is not wanted; only FTP and HTTP.

How can I solve this, without doing something like this:

FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80 172.19.0.0/16,0/0,tcp,1024:65535"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

???
Using the firewall-script, this is the right way to limit the services to be accessed from the inside. The other way is to disable masquerading and routing for the internal network completely and to set up the following:

http://www.squid-cache.org/
http://dansguardian.org/ (cascade, if you want so)

and ftp-proxy from here:

http://www.suse.de/en/whitepapers/proxy_suite/

It is, all in all, the better and more secure solution, and you can set this up fully transparent to the internal network.

Hope that helps.

Yours
Michael
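The following script is an added example for this thread; it is neither Knut's nor Michael's code and not part of SuSEfirewall2. It takes FW_MASQ_NETS and FW_FORWARD_MASQ values in the field order used above (source,destination,protocol,port) and prints the iptables rules they imply, so the difference between a bare "172.19.0.0/16" entry (any protocol, any port) and a "…,tcp,80" entry can be reviewed before anything is loaded. The exact rules SuSEfirewall2 generates differ in detail; the translation here is my assumption, as are the interface names eth0 (internal) and eth1 (external) taken from Knut's config, and the use of the ip_conntrack_ftp helper in place of the 1024:65535 range from the question.

```shell
#!/bin/sh
# Added example: dry-run rendering of FW_MASQ_NETS / FW_FORWARD_MASQ entries
# into iptables commands. Nothing here touches a live firewall; it only prints.
FW_DEV_INT="eth0"   # assumed from the thread
FW_DEV_EXT="eth1"   # assumed from the thread

# masq_rule "src[,dst[,proto[,port]]]"
# One FW_MASQ_NETS entry -> one FORWARD accept for internal -> external traffic.
# Fields left out mean "any"; a destination of 0/0 also means "any".
# The body runs in a subshell so the IFS change stays local.
masq_rule() (
    IFS=','
    set -- $1
    src=$1 dst=$2 proto=$3 port=$4
    rule="iptables -A FORWARD -i $FW_DEV_INT -o $FW_DEV_EXT -s $src"
    if [ -n "$dst" ] && [ "$dst" != "0/0" ]; then
        rule="$rule -d $dst"
    fi
    if [ -n "$proto" ]; then
        rule="$rule -p $proto"
    fi
    if [ -n "$port" ]; then
        rule="$rule --dport $port"
    fi
    printf '%s -j ACCEPT\n' "$rule"
)

# forward_masq_rule "src,dst,proto,port"
# One FW_FORWARD_MASQ entry -> DNAT in PREROUTING plus the matching FORWARD
# accept for external -> internal traffic to the published server.
forward_masq_rule() (
    IFS=','
    set -- $1
    src=$1 dst=$2 proto=$3 port=$4
    srcmatch=""
    if [ "$src" != "0/0" ]; then
        srcmatch=" -s $src"
    fi
    printf 'iptables -t nat -A PREROUTING -i %s%s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$FW_DEV_EXT" "$srcmatch" "$proto" "$port" "$dst" "$port"
    printf 'iptables -A FORWARD -i %s -o %s%s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$FW_DEV_EXT" "$FW_DEV_INT" "$srcmatch" "$dst" "$proto" "$port"
)

# render_policy "FW_MASQ_NETS value" "FW_FORWARD_MASQ value"
# Default-deny FORWARD chain, stateful replies, then one rule per entry.
render_policy() {
    printf 'iptables -P FORWARD DROP\n'
    # Replies and FTP data connections are accepted through connection
    # tracking (ip_conntrack_ftp loaded), which is what makes the
    # 1024:65535 high-port range from the question unnecessary.
    printf 'iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    for e in $1; do masq_rule "$e"; done
    for e in $2; do forward_masq_rule "$e"; done
    printf 'iptables -t nat -A POSTROUTING -o %s -j MASQUERADE\n' "$FW_DEV_EXT"
}

# Constructed values, identical to the test configuration in the thread.
MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

render_policy "$MASQ_NETS" "$FORWARD_MASQ"
echo "--- bare entry from the test configuration, for comparison:"
masq_rule "172.19.0.0/16"
```

Running it prints the restricted policy (ports 20, 21 and 80 only) followed by the rule a bare network entry produces, which has no -p or --dport match at all and therefore forwards every protocol and port, exactly the point made about the test configuration.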