
Re: [suse-security] Problems with a simple Firewall2 config



>There are no services ON THE FIREWALL that need to be accessed (I
>already ran into this problem ;-), they are all on servers in either
>network.

Oops, I misunderstood you.

>I changed my configuration, just to test. This is how (excerpt) it
>looked:
>  FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
>172.19.0.0/16,0/0,tcp,80"
>  FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

Looks good so far

>Test-configuration
>  FW_MASQ_NETS="172.19.0.0/16"
>  FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"

This is opening any destination port/protocol (icmp, udp, tcp) for inside
boxes to get routed through the firewall.

>It will work with my test-configuration, but then again, any user could
>use any service on the external net, and that is not wanted, only FTP and
>HTTP.

>How can I solve this, without doing something like this:
>  FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21
>172.19.0.0/16,0/0,tcp,80 172.19.0.0/16,0/0,tcp,1024:65535"
> FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
>???

Using the firewall script, this is the right way to limit the services to be
accessed from the inside.

The other way is to disable masquerading and routing for the internal network
completely and to set up the following:

http://www.squid-cache.org/
http://dansguardian.org/ (cascaded, if you want to)

and ftp-proxy from here

http://www.suse.de/en/whitepapers/proxy_suite/

It is, all in all, the better and more secure solution, and you can set this
up fully transparently to the internal network.

Hope that helps.

Yours

Michael


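As an added illustration, not part of the thread and not SuSEfirewall2's own code, the following Python models how FW_MASQ_NETS entries of the form shown above (src_net[,dst_net[,proto[,port[:port]]]]) match an inside-to-outside flow. It makes Michael's point concrete: the bare 172.19.0.0/16 entry masquerades every destination port and protocol, while the per-port tcp entries (with or without the 1024:65535 range) only pass what is listed. The sample flows and the outside address 198.51.100.7 are constructed, and the matcher approximates the semantics described in the thread rather than reproducing the iptables rules SuSEfirewall2 actually generates.

```python
"""Model of SuSEfirewall2 FW_MASQ_NETS matching (added illustration, not SuSEfirewall2 code).

Entry syntax, as used in the thread: "src_net[,dst_net[,proto[,port[:port]]]]",
entries separated by whitespace. A bare "src_net" entry masquerades every
destination, protocol and port for that source network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class MasqRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]               # None: any protocol (tcp, udp, icmp, ...)
    ports: Optional[Tuple[int, int]]   # inclusive destination port range; None: any port


def _net(text: str) -> ipaddress.IPv4Network:
    # SuSEfirewall2 writes "anywhere" as 0/0; the ipaddress module needs the long form.
    return ANY_NET if text == "0/0" else ipaddress.ip_network(text, strict=False)


def _ports(text: str) -> Tuple[int, int]:
    # "20" -> (20, 20); "1024:65535" -> (1024, 65535)
    lo, _, hi = text.partition(":")
    return int(lo), int(hi or lo)


def parse_masq_nets(value: str) -> List[MasqRule]:
    """Split a FW_MASQ_NETS value into rules; missing fields mean 'any'."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) > 4:
            raise ValueError(f"too many fields in FW_MASQ_NETS entry {entry!r}")
        src = _net(fields[0])
        dst = _net(fields[1]) if len(fields) > 1 else ANY_NET
        proto = fields[2].lower() if len(fields) > 2 else None
        ports = _ports(fields[3]) if len(fields) > 3 else None
        if ports is not None and proto not in ("tcp", "udp"):
            raise ValueError(f"port without tcp/udp in {entry!r}")
        rules.append(MasqRule(src, dst, proto, ports))
    return rules


def is_masqueraded(rules: List[MasqRule], src_ip: str, dst_ip: str,
                   proto: str, dport: Optional[int] = None) -> bool:
    """True if some rule lets this inside->outside flow be masqueraded."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto is not None and r.proto != proto.lower():
            continue
        # A port-restricted rule never matches a portless protocol such as icmp.
        if r.ports is not None and (dport is None or not r.ports[0] <= dport <= r.ports[1]):
            continue
        return True
    return False


# The three FW_MASQ_NETS values quoted in the thread.
POSTED = ("172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 "
          "172.19.0.0/16,0/0,tcp,80")
TEST_CONFIG = "172.19.0.0/16"
WITH_HIGH_PORTS = POSTED + " 172.19.0.0/16,0/0,tcp,1024:65535"

# Constructed sample flows from an inside host to an outside address (TEST-NET-2).
FLOWS = [
    ("http",        "172.19.6.10", "198.51.100.7", "tcp",  80),
    ("ftp-control", "172.19.6.10", "198.51.100.7", "tcp",  21),
    ("smtp",        "172.19.6.10", "198.51.100.7", "tcp",  25),
    ("dns",         "172.19.6.10", "198.51.100.7", "udp",  53),
    ("ping",        "172.19.6.10", "198.51.100.7", "icmp", None),
    ("high-tcp",    "172.19.6.10", "198.51.100.7", "tcp",  40000),
    ("other-net",   "10.9.8.7",    "198.51.100.7", "tcp",  80),
]


def evaluate(config: str) -> Dict[str, bool]:
    """Map flow name -> masqueraded? for one FW_MASQ_NETS value."""
    rules = parse_masq_nets(config)
    return {name: is_masqueraded(rules, s, d, p, port) for name, s, d, p, port in FLOWS}


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("test", TEST_CONFIG), ("high ports", WITH_HIGH_PORTS)):
        print(f"{label:>10}: {evaluate(cfg)}")
```

Running it shows the posted config passing only tcp/20, 21 and 80, the bare-network test config passing smtp, dns, icmp and arbitrary high tcp ports as well, and the variant with 1024:65535 opening every unprivileged tcp port, which is why Michael suggests dropping masquerading for the internal network in favour of squid and the ftp-proxy.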