
RE: [suse-security] Problems with a simple Firewall2 config



There are no services ON THE FIREWALL that need to be accessed (I
already ran into this problem ;-), they are all on servers in either
network.

I changed my configuration, just to test. This is how (excerpt) it
looked:
  FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
  FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

Test-configuration
  FW_MASQ_NETS="172.19.0.0/16"
  FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

It will work with my test-configuration, but then again, any user could
use any service on the external net, and that is not wanted, only FTP and
HTTP.

How can I solve this, without doing something like this:
  FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80 172.19.0.0/16,0/0,tcp,1024:65535"
  FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

???

Cheers
Knut Erik
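
As an added illustration (not part of this thread, and not SuSEfirewall2's own code), the following Python model shows how the three FW_MASQ_NETS values quoted above are matched against outbound connections from the 172.19.0.0/16 network. It assumes the entry syntax used in the message, `source_net[,dest_net[,proto[,port|lo:hi]]]` with space-separated entries and omitted fields meaning "any"; the client and destination addresses and the sample connections are constructed for the example. It makes visible why the bare `172.19.0.0/16` test entry lets every protocol and port through, why the original three entries cover only TCP 20, 21 and 80, and what the extra `tcp,1024:65535` entry adds (and does not add, e.g. TCP 443).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class MasqRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]              # None means any protocol
    ports: Optional[Tuple[int, int]]  # inclusive destination port range, None means any


def _parse_net(text: str) -> ipaddress.IPv4Network:
    # SuSEfirewall2 writes "0/0" for "anywhere"; ipaddress wants four octets.
    if text == "0/0":
        return ANY_NET
    return ipaddress.ip_network(text, strict=False)


def parse_masq_nets(value: str) -> List[MasqRule]:
    """Parse a FW_MASQ_NETS value into rules.

    Assumed syntax (as used in the thread): space-separated entries of the form
    source_net[,dest_net[,proto[,port|lo:hi]]]; omitted fields mean "any".
    """
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if not 1 <= len(fields) <= 4:
            raise ValueError(f"malformed FW_MASQ_NETS entry: {entry!r}")
        src = _parse_net(fields[0])
        dst = _parse_net(fields[1]) if len(fields) > 1 else ANY_NET
        proto = fields[2].lower() if len(fields) > 2 else None
        ports = None
        if len(fields) > 3:
            lo, _, hi = fields[3].partition(":")
            ports = (int(lo), int(hi) if hi else int(lo))
            if not 0 <= ports[0] <= ports[1] <= 65535:
                raise ValueError(f"bad port range in entry: {entry!r}")
        rules.append(MasqRule(src, dst, proto, ports))
    return rules


def is_masqueraded(rules: List[MasqRule], src_ip: str, dst_ip: str,
                   proto: str, dport: int) -> bool:
    """True if any rule covers this outbound connection (first match wins)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for r in rules:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto is not None and r.proto != proto.lower():
            continue
        if r.ports is not None and not (r.ports[0] <= dport <= r.ports[1]):
            continue
        return True
    return False


# The three configurations quoted in the message above.
ORIGINAL = ("172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 "
            "172.19.0.0/16,0/0,tcp,80")
TEST_CONFIG = "172.19.0.0/16"
WITH_HIGH_PORTS = ORIGINAL + " 172.19.0.0/16,0/0,tcp,1024:65535"

# Constructed sample connections from an internal client (not from the thread).
SAMPLES = [("tcp", 80), ("tcp", 21), ("tcp", 443), ("tcp", 50000), ("udp", 53)]


def compare_configs(src_ip: str = "172.19.6.200",
                    dst_ip: str = "198.51.100.10") -> dict:
    """Evaluate each sample connection under each configuration."""
    out = {}
    for name, cfg in (("original", ORIGINAL), ("test", TEST_CONFIG),
                      ("with_high_ports", WITH_HIGH_PORTS)):
        rules = parse_masq_nets(cfg)
        out[name] = {f"{p}/{port}": is_masqueraded(rules, src_ip, dst_ip, p, port)
                     for p, port in SAMPLES}
    return out


if __name__ == "__main__":
    for name, results in compare_configs().items():
        print(name)
        for conn, ok in results.items():
            print(f"  {conn:<10} {'masqueraded' if ok else 'not masqueraded'}")
```

Running it shows that the original entries masquerade only TCP 20, 21 and 80, the test entry masquerades everything (including UDP 53 and TCP 443), and the `tcp,1024:65535` entry adds the high TCP ports while still leaving ports such as 443 uncovered. Note that "not masqueraded" here only means no FW_MASQ_NETS entry matches; what the firewall then does with the packet is decided by its other rules, which this model does not reproduce.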

-----Original Message-----
From: GentooRulez [mailto:paranoiac_user@xxxxxxxxxx] 
Sent: Tuesday, July 15, 2003 2:04 PM
To: suse-security
Subject: Re: [suse-security] Problems with a simple Firewall2 config


I did not check your whole config, but this came up
immediately:

# Which services ON THE FIREWALL should be accessible from either the
# internet (or other untrusted networks), the dmz or internal (trusted
# networks)?

FW_SERVICES_EXTERNAL_TCP="80"

Check this out

Michael
