[suse-security] SuSEfirewall2 behaves strangely
Hi everybody!

I do not know exactly if this mailing list is the right place for my problem, but I don't know where else to go.

I am using a SuSE Linux 9.0 box as a DSL router/gateway for my small LAN at home and have encountered some strange problems with SuSEfirewall2 v3.1.

The firewall is loaded automatically at boot time and almost everything is OK. Routing for the internal machines works fine, and all services running on the firewall (vsftpd, smbd, sshd, dhcpd, ...) can be accessed from internal machines but not from the "outside world". A port scan (via Steve Gibson's "ShieldsUp" at http://www.grc.com/) shows that all ports are stealthed and my firewall does not react to ICMP pings (but it reacts to "ping" from the internal machines although I specified FW_ALLOW_PING_*="no" !!!). So far, so good, but I am not able to access the internet *from* the firewall!
But that's not all. When I execute

# SuSEfirewall2 stop
# SuSEfirewall2 start

the behavior is different: now I can access the internet from the firewall (which I like), but another port scan reveals that the IDENT port (TCP port 113) is now "only" closed (not stealth anymore, which I do not like), and occasionally (not reproducible) the firewall responds to ICMP pings from the outside. OK, I know that is *not* a very big security issue, but it IS strange, isn't it?

I don't know if I can trust my firewall if it behaves so strangely. What can I do???

Does anybody know how I can tell the SuSEfirewall2...
... to stealth *all* ports to the internet, including port 113.
... to ignore all ICMP-requests from the outside.
... to allow ICMP-requests from the LAN.
... to access the internet from my firewall-machine.

Here is my /etc/sysconfig/SuSEfirewall2 file (without comments):

*********************************************************************
FW_QUICKMODE="no"
FW_DEV_EXT="dsl0 eth1 ppp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24 192.168.2.1"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"

FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ftp ssh 137 138 139 445 901 8000 8001"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""

FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"

FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

# END of /etc/sysconfig/SuSEfirewall2
# Expert options:

FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""

********************************************************

Thanks for any help you could offer!
Andreas (Berlin, Germany)
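As an added example (not part of the original message and not code from SuSEfirewall2 itself): a POSIX shell script that reads an iptables-save snapshot and reports, per interface, whether inbound tcp/113 is dropped (stealth), rejected (closed) or accepted, and whether an ICMP echo-request is answered. The embedded ruleset is constructed to model the after-restart symptom described above; the interface names ppp0 and eth0 are taken from the posted config.

```shell
#!/bin/sh
# Added example: read an iptables-save snapshot and say how inbound tcp/113 and
# ICMP echo-request are handled per interface. Take one snapshot right after
# boot and one after "SuSEfirewall2 stop; SuSEfirewall2 start" and compare.
# Constructed sample (not a real SuSEfirewall2 ruleset), modelling the
# after-restart symptom: tcp/113 is rejected with a TCP reset instead of dropped.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type echo-request -j DROP
-A INPUT -i ppp0 -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i ppp0 -p tcp -m tcp --dport 22 -j DROP
COMMIT'

# verdict_for RULES IFACE PATTERN: target of the first INPUT rule on IFACE whose
# match part fits PATTERN (an extended regex); otherwise the INPUT chain policy.
verdict_for() {
  hit=$(printf '%s\n' "$1" | grep -E "^-A INPUT .*-i $2 .*$3" \
        | sed -n 's/.* -j \([A-Z]*\).*/\1/p' | head -n 1)
  if [ -n "$hit" ]; then
    echo "$hit"
  else
    printf '%s\n' "$1" | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p'
  fi
}

# port_state RULES IFACE PORT: stealth (no reply), closed (RST sent) or open.
port_state() {
  case "$(verdict_for "$1" "$2" "-p tcp .*--dport $3 -j")" in
    DROP)   echo stealth ;;
    REJECT) echo closed ;;
    ACCEPT) echo open ;;
    *)      echo unknown ;;
  esac
}

# ping_state RULES IFACE: whether an ICMP echo-request arriving on IFACE is answered.
ping_state() {
  case "$(verdict_for "$1" "$2" "-p icmp .*--icmp-type echo-request -j")" in
    ACCEPT) echo answered ;;
    DROP)   echo ignored ;;
    *)      echo unknown ;;
  esac
}

for dev in ppp0 eth0; do
  echo "$dev: tcp/113 $(port_state "$SAMPLE_RULES" $dev 113), ping $(ping_state "$SAMPLE_RULES" $dev)"
done
```

Dumping `iptables-save` once after boot and once after the manual stop/start, then running each dump through port_state and ping_state, shows directly which rules differ between the two states instead of inferring it from an external scan.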