[suse-security] Problems Understanding SuSEfirewall2
Hi!

I seem to have a problem with SuSEfirewall2. I administer a Linux router (SuSE 8.0) for a small network. This router serves as a gateway to the Internet as well as a firewall between the Net and my LAN. The LAN's mail server is also located on this machine, while the web server is on 100.120.55.2. Every PC in the LAN has a public IP, so I have to use routing without masquerading. The firewall is supposed to block all traffic between the Internet and the LAN except for the following protocols/ports: pop3, pop3s, http, https, ftp, ftps, smtp, ssh, domain. I also have to keep port 7271 open for licensing purposes. Following the example files I built the config file listed below.

However, I am not really satisfied with its performance. For example, it should not be possible to establish an FTP connection from the outside to one of my LAN computers, but the firewall doesn't prevent this at all. Also, I want only certain outside machines to be able to connect to port 7271 on a certain computer within the LAN, yet it seems everybody can. What did I do wrong?

BTW, the IPs in the config file below were changed, just to be on the safe side.

Please help!
Thanks in advance,
Jörg

PS: Please reply to JLeicher@xxxxxx, since I have not subscribed to this mailing list.

Here comes /etc/sysconfig/SuSEfirewall2:
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="20 21 22 25 53 80 110 995"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="100.120.55.0/6,0/0,tcp,80 /
100.120.55.0/6,0/0,tcp,110 /
100.120.55.0/6,0/0,tcp,22 /
100.120.55.0/6,0/0,tcp,25 /
100.120.55.0/6,0/0,udp,53 /
100.120.55.0/6,0/0,tcp,53 /
100.120.55.0/6,0/0,tcp,995 /
0/0,100.120.55.2,tcp,80 /
100.120.204.51,100.120.55.18,tcp,7127 /
100.120.204.56,100.120.55.18,tcp,7127 /
100.120.204.58,100.120.55.18,tcp,7127 "
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
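An added offline check, written for this page and not part of Jörg's post or of SuSEfirewall2 itself: it reads the FW_FORWARD value above according to the documented `src_net,dst_net,proto,port` entry format (entries separated by whitespace) and answers the post's questions from the entries alone: which entries exist for tcp/7271, what a `/6` source prefix actually covers, and whether an outside host reaching tcp/21 on a LAN host matches any entry at all. It assumes the LAN is 100.120.55.0/24 and uses constructed outside addresses (203.0.113.x, 198.51.100.7, 103.0.0.1); it does not reproduce how SuSEfirewall2 turns entries into iptables rules, so its verdicts describe the entries, not the live chain.

```python
"""Offline sanity check of the FW_FORWARD value from the posted config.

Constructed example: it implements only the documented entry format
"src_net,dst_net,proto,port" (entries separated by whitespace) and does
NOT reproduce how SuSEfirewall2 turns entries into iptables rules.
Assumptions not taken from the post are marked as such below.
"""
import ipaddress
from dataclasses import dataclass

# The value exactly as it appears in the post, including the "/" that
# ends each line inside the quoted string.
FW_FORWARD = """100.120.55.0/6,0/0,tcp,80 /
100.120.55.0/6,0/0,tcp,110 /
100.120.55.0/6,0/0,tcp,22 /
100.120.55.0/6,0/0,tcp,25 /
100.120.55.0/6,0/0,udp,53 /
100.120.55.0/6,0/0,tcp,53 /
100.120.55.0/6,0/0,tcp,995 /
0/0,100.120.55.2,tcp,80 /
100.120.204.51,100.120.55.18,tcp,7127 /
100.120.204.56,100.120.55.18,tcp,7127 /
100.120.204.58,100.120.55.18,tcp,7127 """

LAN = ipaddress.ip_network("100.120.55.0/24")  # assumption: the LAN is a /24
LICENSE_PORT = 7271                              # port the post says must stay open
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int


def _net(text):
    """iptables and SuSEfirewall2 accept '0/0' for 'any'; ipaddress does not."""
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text, strict=False)


def parse(value):
    """Split on whitespace; a token is an entry only if it has four comma fields.

    Returns (rules, malformed_tokens)."""
    rules, malformed = [], []
    for tok in value.split():
        fields = tok.split(",")
        if len(fields) != 4:
            malformed.append(tok)
            continue
        src, dst, proto, port = fields
        rules.append(Rule(_net(src), _net(dst), proto.lower(), int(port)))
    return rules, malformed


def is_forwarded(rules, src_ip, dst_ip, proto, port):
    """True if some entry matches the 4-tuple (rule ordering is not modelled)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in r.src and d in r.dst and r.proto == proto and r.port == port
               for r in rules)


def findings(value):
    """Human-readable list of things to check before loading this config."""
    rules, malformed = parse(value)
    out = []
    if malformed:
        out.append(f"{len(malformed)} token(s) are not src,dst,proto,port entries: "
                   f"{sorted(set(malformed))}")
    # A source prefix shorter than the LAN prefix also matches hosts outside the LAN.
    for src in sorted({r.src for r in rules}, key=lambda n: n.prefixlen):
        if 0 < src.prefixlen < LAN.prefixlen and LAN.subnet_of(src):
            out.append(f"source {src} ({src.num_addresses} addresses) is broader than "
                       f"the LAN {LAN}; hosts outside the LAN match these entries")
    # The post wants tcp/7271 reachable from three hosts; see what the entries say.
    lan_ports = {r.port for r in rules if r.dst != ANY and r.dst.subnet_of(LAN)}
    if LICENSE_PORT not in lan_ports:
        out.append(f"no entry forwards tcp/{LICENSE_PORT} into {LAN}; ports forwarded "
                   f"to LAN hosts are {sorted(lan_ports)}")
    return out


if __name__ == "__main__":
    for line in findings(FW_FORWARD):
        print("-", line)
    rules, _ = parse(FW_FORWARD)
    # Constructed outside address; no entry mentions tcp/21 at all.
    print("tcp/21 from 203.0.113.5 to 100.120.55.18 matches an entry:",
          is_forwarded(rules, "203.0.113.5", "100.120.55.18", "tcp", 21))
```

Run it with python3 and compare each finding with the intent stated in the post. The ten lone `/` tokens are the continuation characters that sit inside the quoted value; the script only reports that they are not valid entries and makes no claim about how SuSEfirewall2 itself treats them.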