Mailinglist Archive: opensuse-security (485 mails)

RE: [suse-security] firewall help..
  • From: "Gilmore, Eric" <egilmore@xxxxxxxxxxxxxxx>
  • Date: Tue, 2 Mar 2004 17:34:04 -0500
  • Message-id: <F79E26BFE28DBF438188F34397CD0FED07D8849A@xxxxxxxxxxxxxxxxx>
Sorry about that --> off list <--

Well I totally understand what you're saying about "ease of setup". But
I believe the reasons I was given for using iptables instead of
SuSEfirewall went something like, "it's quicker to re-establish
connectivity if the firewall machine burns down..." and "we want to
standardize across all our systems...yada, yada". Even though I had a
working instance of SuSEfirewall2 in place doing exactly what I needed
it to do. <sigh>

And yes, I do understand the security implications of doing it this way
(open then close); this was to be more of a test instance where access
from the internet would only be given to certain machines, not sub-nets,
not LANs, machines. There will be approx. 3-4 attaching to it from the
internet via FTP, ssh, AFP & SAMBA.



-----Original Message-----
From: Maarten J H van den Berg [mailto:maarten@xxxxxxx]
Sent: Tuesday, March 02, 2004 4:49 PM
To: suse-security@xxxxxxxx
Subject: Re: [suse-security] firewall help..


Hi Eric,
Please reply to the list, not to me directly. I read the list. There is no
need to take this off-list.

On Tuesday 02 March 2004 18:21, you wrote:
> Maarten,
>
> To answer:
> -if you mean allow routing between the networks, yes
> -the ip's I used in the note are examples

OK

> -I did use SuSe firewall2, but my dept. wanted to use iptables instead

Does your dept. realize that SuSEfirewall is just a convenient (and complex)
"wrapper" for iptables ?

> :(

Indeed. Building filters from scratch is difficult. I tend to avoid it when
possible, i.e. use some framework that more or less suits your needs.

> -from anywhere means the internet also. I haven't gotten to the part

Whoa! I don't plan to reeducate your dept. but you really shouldn't be doing
that, not even considering it. What is the goal here ? If it is offering
access to remote offices / staff users then read up on deploying a VPN. If
the goal is offering access to anybody, read up on using other means (http /
ftp / whatever). Just my opinion of course, but my bet is you'll find that
most anybody here will agree with me on this...

I have not looked at your script in detail yet, but it seems to me you maybe
had better rethink your strategy. You cannot "fix" things afterwards with
firewall rules, you need to get it right and logical from the start. For
instance, you need to draft policies. If you are not completely clear on
what you have to do then I would suggest you are not well advised to build
your own filter from scratch.

> where you
> actually start blocking things yet. This is the initial setup.

That approach won't work. That would be akin to checking a door for leakage
when it's open. In other words, if you do use that approach you get
connectivity, but not security.

Maarten


> -----Original Message-----
> From: maarten van den Berg [mailto:maarten@xxxxxxx]
> Sent: Tuesday, March 02, 2004 11:52 AM
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] firewall help..
>
> On Tuesday 02 March 2004 17:05, Gilmore, Eric wrote:
> > Can anyone give me a clue? The basics are:
> > 1 machine: SuSE 8.2
> > 3 nics
> > 2 internal networks (examples):
> > $INTLAN1:> 192.0.0.2 $INTLAN2:> 192.0.5.2
>
> Does LAN1 trust LAN2 and vice versa ?
>
> > 3 good ip's (examples):
> > eth0> 128.0.0.1 eth0:1> 128.0.0.2 eth0:2> 128.0.0.3
> >
> > 2 spoofed ip's:
> > $INTIF1> 192.0.5.2 $INTIF2> 192.0.48.3
>
> If by spoofed you mean reserved, internal addresses: be aware that
> you're outside the allowed range (192.168.0.0/16) (See RFC 1918)
>
> > works:
> > -connecting from the internet/external LAN to all machines via (ssh,
> > FTP, HTTP)
> > not:
> > -connecting between $INTLAN1 & $INTLAN2
>
> If full and mutual trust is expected / wanted:
> set FW_ALLOW_CLASS_ROUTING="yes"
> Hm... reading on I notice you don't use the Suse firewall filter. Why
> not ?
>
> > -samba connections from anywhere
>
> Explain. From ANYwhere implies "from internet". Surely you CAN not
> want that. If you mean from LAN1 <-> LAN2 then either the above class
> routing will fix it (when you use AD + properly configured DNS
> servers) or you may need to specify the exact share by IPnumber (net
> use * \\192....\C If both are not options you will need to find a way
> to relay the Netbios broadcast(s) over the firewall. Dunno offhand how
> to do that (and wouldn't want to either).
>
> > -afp (apple) connections from anywhere
>
> See samba, the services are fairly similar.
>
> Maarten
>
> --
> Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
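The "close first, then open what the policy allows" approach Maarten argues for, written out for the access Eric describes (ssh, FTP, AFP and SMB from a handful of named Internet hosts), as an added example that is not part of the thread. The host addresses and the external interface name are constructed placeholders; by default the script only prints the iptables commands, and feeds them to the shell only when run with `apply`.

```shell
#!/bin/sh
# Default-deny iptables ruleset for the setup discussed in the thread: a few
# named Internet hosts may reach ssh, FTP, AFP and SMB; everything else is
# dropped and logged. Nothing is opened until the policy says it is allowed.
# Addresses and interface below are constructed placeholders (TEST-NET-3).
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
ALLOWED_HOSTS="${ALLOWED_HOSTS:-203.0.113.10 203.0.113.11 203.0.113.12}"
# TCP ports: ssh, FTP control, AFP, SMB over NetBIOS, SMB direct.
# NetBIOS name/browse traffic (UDP 137/138) is broadcast-based and is
# deliberately not exposed; active-mode FTP data connections are matched
# by RELATED once the ip_conntrack_ftp helper module is loaded.
SERVICES_TCP="22 21 548 139 445"

# Print one complete command; the caller decides whether to execute it.
emit() { printf '%s\n' "$IPT $*"; }

build_rules() {
    emit -F
    emit -X
    # Close everything first; later rules only reopen what the policy needs.
    emit -P INPUT DROP
    emit -P FORWARD DROP
    emit -P OUTPUT ACCEPT
    emit -A INPUT -i lo -j ACCEPT
    emit -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: RFC 1918 sources never legitimately arrive from the Internet.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        emit -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done
    # Per-host, per-port allows: the explicit exceptions to the default deny.
    for host in $ALLOWED_HOSTS; do
        for port in $SERVICES_TCP; do
            emit -A INPUT -i "$EXT_IF" -p tcp -s "$host" --dport "$port" \
                -m state --state NEW -j ACCEPT
        done
    done
    # Log (rate-limited) what the policy rejects so mistakes show up in syslog.
    emit -A INPUT -i "$EXT_IF" -m limit --limit 5/min -j LOG --log-prefix fw-drop:
}

# Dry run by default; pass "apply" to run the commands (as root).
if [ "${1:-}" = "apply" ]; then
    build_rules | sh -e
else
    build_rules
fi
```

Review the printed rules against the written policy before running with `apply`; a host or port that is not in the policy should not appear in an ACCEPT line.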

