Mailinglist Archive: opensuse-security (485 mails)

< Previous Next >
Re: [suse-security] firewall help..
  • From: Maarten J H van den Berg <maarten@xxxxxxx>
  • Date: Tue, 2 Mar 2004 22:48:50 +0100
  • Message-id: <200403022248.50307.maarten@xxxxxxx>
Hi Eric,
Please reply to the list, not to me directly. I read the list. There is no
need to take this off-list.

On Tuesday 02 March 2004 18:21, you wrote:
> Maarten,
>
> To answer:
> -if you mean allow routing between the networks, yes
> -the ip's I used in the note are examples

OK

> -I did use SuSe firewall2, but my dept. wanted to use iptables instead

Does your dept. realize that SuSEfirewall is just a convenient (and complex)
"wrapper" for iptables ?

> :(

Indeed. Building filters from scratch is difficult. I tend to avoid it when
possible, i.e. use some framework that more or less suits your needs.

> -from anywhere means the internet also. I haven't gotten to the part

Whoa! I don't plan to reeducate your dept. but you really shouldn't be doing
that, not even considering it. What is the goal here ? If it is offering
access to remote offices / staff users then read up on deploying a VPN. If
the goal is offering access to anybody, read up on using other means (http /
ftp / whatever). Just my opinion of course, but my bet is you'll find that
most anybody here will agree with me on this...

I have not looked at your script in detail yet, but it seems to me you maybe
had better rethink your strategy. You cannot "fix" things afterwards with
firewallrules, you need to get it right and logical from the start. For
instance, you need to draft policies. If you are not completely clear on
what you have to do then I would suggest you are not well advised to build
your own filter from scratch.

> where you
> actually start blocking things yet. This is the initial setup.

That approach won't work. That would be akin to checking a door for leakage
when it's open. In other words, if you do use that approach you get
connectivity, but not security.

Maarten


> -----Original Message-----
> From: maarten van den Berg [mailto:maarten@xxxxxxx]
> Sent: Tuesday, March 02, 2004 11:52 AM
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] firewall help..
>
> On Tuesday 02 March 2004 17:05, Gilmore, Eric wrote:
> > Can anyone give me a clue? The basics are:
> > 1 machine: SuSE 8.2
> > 3 nics
> > 2 internal networks (examples):
> > $INTLAN1:> 192.0.0.2 $INTLAN2:> 192.0.5.2
>
> Does LAN1 trust LAN2 and vice versa ?
>
> > 3 good ip's (examples):
> > eth0> 128.0.0.1 eth0:1> 128.0.0.2 eth0:2> 128.0.0.3
> >
> > 2 spoofed ip's:
> > $INTIF1> 192.0.5.2 $INTIF2> 192.0.48.3
>
> If by spoofed you mean reserved,internal adresses: be aware that you're
> outside the allowed range (192.168.0.0/16) (See RFC 1918)
>
> > works:
> > -connecting from the internet/external LAN to all machines via (ssh,
> > FTP,
> > HTTP)
> > not:
> > -connecting between $INTLAN1 & $INTLAN2
>
> If full and mutual trust is expected / wanted:
> set FW_ALLOW_CLASS_ROUTING="yes"
> Hm... reading on I notice you don't use the Suse firewall filter. Why
> not ?
>
> > -samba connections from anywhere
>
> Explain. From ANYwhere implies "from internet". Surely you CAN not want
> that. If you mean from LAN1 <-> LAN2 then either the above class routing
> will fix it
> (when you use AD + properly configured DNS servers) or you may need to
> specify the exact share by IPnumber (net use * \\192....\C
> If both are not options you will need to find a way to relay the Netbios
>
> broadcast(s) over the firewall. Dunno offhand how to do that (and
> wouldn't
> want to either).
>
> > -afp (apple) connections from anywhere
>
> See samba, the services are fairly similar.
>
> Maarten
>
> --
> Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO
> CARRIER


< Previous Next >