Mailinglist Archive: opensuse-security (220 mails)

Re: [suse-security] Firewall script
  • From: Markus Feilner <lists@xxxxxxxxxxxxxx>
  • Date: Thu, 27 Nov 2003 15:58:52 +0100
  • Message-id: <200311271558.52968.lists@xxxxxxxxxxxxxx>
On Wednesday, 26 November 2003 22:27, Luc MAIGNAN wrote:
> Hi list,
>
> I need to configure an IPTABLES-based Linux router. Does anyone have a
> sample script to do this, to save some time?
>
> Any help would be appreciated
>
> Best regards
There are several.

1) Probably the easiest way (but not always the best) is SuSEfirewall2,
configured via /etc/sysconfig/SuSEfirewall2. This file offers few
possibilities, but might be enough for most cases. A good tip is to
use an external script - see
/etc/sysconfig/scripts/SuSEfirewall2-custom or the following
documentation for details:
-----------------
/usr/share/doc/packages/SuSEfirewall2
/usr/share/doc/packages/SuSEfirewall2/CHANGES
/usr/share/doc/packages/SuSEfirewall2/EXAMPLES
/usr/share/doc/packages/SuSEfirewall2/FAQ
/usr/share/doc/packages/SuSEfirewall2/LICENCE
/usr/share/doc/packages/SuSEfirewall2/README
/usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.sysconfig
/usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.sysconfig.EXAMPLE
/usr/share/doc/packages/SuSEfirewall2/TODO
/var/adm/fillup-templates/sysconfig.SuSEfirewall2
/var/adm/fillup-templates/sysconfig.personal-firewall
-----------------
My problem with SuSEfirewall2 was:
it seemed impossible to get masquerading to work with IPsec VPN.
So I had to turn off the masquerading in /etc/sysconfig/SuSEfirewall2
and turn it on with my own rules in SuSEfirewall2-custom.

2) ipcop comes as an ISO image, is suited especially for an old machine
bound to spend the rest of its life as a router-firewall, has many
options and is easy to install - but it normally wipes the whole
disk at install.

3) I can also recommend shorewall, also because you can easily configure
it with webmin - but beware:
- don't let webmin run all the time! Just log in on the machine,
start webmin with /etc/init.d/webmin start and then log in on port
10000.
- don't ever use webmin without SSL encryption!!!! There were some bugs
last year in the session management and other parts, which could be
fatal, especially without SSL.

4) The best solution is surely: buy a good book about firewalls and
build your own script - there are many good examples online.


I hope I could help you!
--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner@xxxxxxxxxxxxxx
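The following is an added example, not part of Markus Feilner's post and not SuSEfirewall2's own code: a small "build your own" iptables router script of the kind point 4 suggests, whose masquerading rule exempts traffic bound for an IPsec VPN peer, which is the problem described under point 1. The interface names (eth0/eth1), the LAN and remote VPN subnets and the SSH port are assumptions chosen for illustration; the masq_rules function is the sort of thing that would otherwise go into SuSEfirewall2-custom.

```sh
#!/bin/sh
# Added example (not from the original post): iptables router script with
# masquerading that exempts traffic for an IPsec VPN peer.
# Interface names, subnets and ports below are assumptions for illustration.

EXT_IF=${EXT_IF:-eth0}              # interface towards the Internet (assumed)
INT_IF=${INT_IF:-eth1}              # interface towards the LAN (assumed)
LAN_NET=${LAN_NET:-192.168.1.0/24}  # local LAN (assumed)
VPN_NET=${VPN_NET:-10.10.0.0/16}    # remote subnet behind the IPsec tunnel (assumed)
IPT=${IPT:-iptables}                # set IPT=echo for a dry run that only prints rules
SYSCTL=${SYSCTL:-sysctl}            # set SYSCTL=echo for the same dry run

# Start from a clean, default-deny ruleset.
flush_rules() {
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# What the router itself accepts: loopback, replies, IKE / NAT-T / ESP so the
# tunnel can come up, and SSH only from the LAN side.
input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p udp --dport 4500 -j ACCEPT
    $IPT -A INPUT -i "$EXT_IF" -p esp -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
}

# Forwarding: the LAN may go out; only replies and decrypted traffic from the
# remote VPN subnet come back in.
forward_rules() {
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -o "$INT_IF" -s "$VPN_NET" -d "$LAN_NET" -j ACCEPT
}

# Masquerading with the VPN exemption. Order matters: the ACCEPT for VPN_NET
# must come first, so packets for the remote subnet keep their LAN source
# address and still match the IPsec policy; everything else gets NATed.
masq_rules() {
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -d "$VPN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

apply_firewall() {
    $SYSCTL -w net.ipv4.ip_forward=1
    flush_rules
    input_rules
    forward_rules
    masq_rules
}

# Usage: ./router-fw.sh apply   (as root)   or   ./router-fw.sh dry-run
case "${1:-}" in
    apply)   apply_firewall ;;
    dry-run) IPT=echo; SYSCTL=echo; apply_firewall ;;
esac
```

Run it with the dry-run argument first and read the printed rules before applying them on a box you can only reach over the network. The NAT exemption is what matters when the kernel's own IPsec stack is used, because there the tunnelled packets leave through the physical interface and would otherwise be masqueraded before encryption; with a separate virtual ipsec interface the -o eth0 MASQUERADE rule would not match them in the first place.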

