Mailinglist Archive: opensuse-security (359 mails)

RE: [suse-security] Problems with a simple Firewall2 config
  • From: "Knut Erik Hauslo" <KNUTH@xxxxxxxxxxxx>
  • Date: Tue, 15 Jul 2003 14:13:17 +0200
  • Message-id: <876E796441495649AB4AE82092A0784A3D8D22@xxxxxxxxxxxxxx>
There are no services ON THE FIREWALL that need to be accessed (I
already ran into this problem ;-), they are all on servers in either
network.

I changed my configuration, just to test. This is how (excerpt) it
looked:
FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

Test-configuration
FW_MASQ_NETS="172.19.0.0/16"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

It will work with my test-configuration, but then again, any user could
use any service on the external net, and that is not wanted, only FTP and
HTTP.

How can I solve this, without doing something like this:
FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
172.19.0.0/16,0/0,tcp,80 172.19.0.0/16,0/0,tcp,1024:65535"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

???

Cheers
Knut Erik

-----Original Message-----
From: GentooRulez [mailto:paranoiac_user@xxxxxxxxxx]
Sent: Tuesday, July 15, 2003 2:04 PM
To: suse-security
Subject: Re: [suse-security] Problems with a simple Firewall2 config


I did not check your whole config, but this came up
immediately:

# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?

FW_SERVICES_EXTERNAL_TCP="80"

Check this out

Michael
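The question in this thread is really about how wide each FW_MASQ_NETS entry is: a bare source network masquerades every destination port, and a range like 1024:65535 is almost as wide. The POSIX sh helper below is an added example, not code from the thread or from SuSEfirewall2; it reads a FW_MASQ_NETS value in the SRC[,DST[,PROTO[,PORT|LOW:HIGH]]] form used in the mails above and reports which entries are "broad" (no port field, or a port range wider than an assumed threshold). The threshold, the treatment of missing fields, and the function names are assumptions for the example; the three config variants fed to it are the ones quoted in Knut Erik's mail.

```shell
#!/bin/sh
# Added audit helper for FW_MASQ_NETS values (example code, not part of the
# thread or of SuSEfirewall2). Entry format as used in the mails above:
#   SRC_NET[,DST_NET[,PROTO[,PORT|LOW:HIGH]]]   entries separated by spaces
# An entry is "broad" when it carries no port field at all (whole source
# network may reach any destination port) or when its port range is wider
# than MAX_RANGE ports. MAX_RANGE is an assumed threshold for this example.

MAX_RANGE=100

# Usage: masq_entry_scope ENTRY   -> prints "broad" or "narrow"
masq_entry_scope() {
  entry=$1
  # cut -s prints nothing when the field (or the delimiter) is absent
  port=$(printf '%s\n' "$entry" | cut -s -d, -f4)
  if [ -z "$port" ]; then
    echo broad          # no port restriction at all
    return
  fi
  case $port in
    *:*)
      low=${port%%:*}
      high=${port##*:}
      if [ $((high - low + 1)) -gt "$MAX_RANGE" ]; then
        echo broad      # wide port range, e.g. 1024:65535
      else
        echo narrow
      fi
      ;;
    *)
      echo narrow       # single port, e.g. tcp,80
      ;;
  esac
}

# Usage: count_broad_entries "FW_MASQ_NETS value"  -> prints the number of
# broad entries (word splitting on spaces is the intended parse here)
count_broad_entries() {
  n=0
  for e in $1; do
    [ "$(masq_entry_scope "$e")" = broad ] && n=$((n + 1))
  done
  echo "$n"
}

# Usage: report_masq_nets "FW_MASQ_NETS value"  -> one line per entry
report_masq_nets() {
  for e in $1; do
    printf '%-45s %s\n' "$e" "$(masq_entry_scope "$e")"
  done
}

# The three variants quoted in the mail above
CFG_PORTS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
CFG_TEST="172.19.0.0/16"
CFG_RANGE="$CFG_PORTS 172.19.0.0/16,0/0,tcp,1024:65535"

report_masq_nets "$CFG_RANGE"
echo "broad entries: $(count_broad_entries "$CFG_RANGE")"
```

Run against the three variants, the per-port configuration reports no broad entries, the test configuration reports one (the bare network), and the variant with the 1024:65535 entry also reports one, which is exactly the extra exposure the mail is trying to avoid.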
