
[suse-security] Susefirewall and port



Hi,

I would like to know if my susefirewall config is correct:

 my network schema is
---------------------

INTERNET
 |
 |eth0
FIREWALL eth2----- WEB SERVER (192.168.5.20) (apache proftpd ssl webmin)
 |eth1
 |
INTERNAL NETWORK (192.168.1.x) (it can use http, https, ftp, pop, smtp to internet)


 my susefirewall config is
--------------------------

## Type:	string
# 1.)

# 2.)
FW_DEV_EXT="eth0"

## Type:	string
# 3.)
FW_DEV_INT="eth1"

## Type:	string
# 4.)
FW_DEV_DMZ="eth2"

## Type:	yesno
## Default:	no
# 5.)
FW_ROUTE="yes"

## Type:	yesno
## Default:	no
#6
FW_MASQUERADE="yes"

## Type:	string
FW_MASQ_DEV="$FW_DEV_EXT"

## Type:	string
FW_MASQ_NETS="192.168.1.0/24,0/0,tcp,80 192.168.1.0/24,0/0,tcp,53 192.168.1.0/24,0/0,udp,53
192.168.1.0/24,0/0,tcp,25 192.168.1.0/24,0/0,tcp,110 192.168.1.0/24,0/0,tcp,21
192.168.1.0/24,0/0,tcp,113 192.168.5.0/24 192.168.1.0/24,0/0,tcp,20
192.168.1.0/24,0/0,tcp,1024:65535 192.168.1.0/24,0/0,tcp,443" 

## Type:	yesno
## Default:	yes
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"

## Type:	yesno
## Default:	yes
# 8.)
FW_AUTOPROTECT_SERVICES="yes"

## Type:	string
# 9.)
FW_SERVICES_EXT_TCP=""

## Type:	string
FW_SERVICES_EXT_UDP=""

## Type:	string
FW_SERVICES_EXT_IP=""

## Type:	string
#
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""

## Type:	string
FW_SERVICES_DMZ_IP=""

## Type:	string
#
FW_SERVICES_INT_TCP=""

## Type:	string
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""

## Type:	string
# 10.)
FW_TRUSTED_NETS=""

## Type:	string
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"

## Type:	string
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"

## Type:	yesno
## Default:	yes
# 12.)
FW_SERVICE_AUTODETECT="no"

## Type:	yesno
## Default:	no
FW_SERVICE_DNS="no"

## Type:	yesno
## Default:	no
FW_SERVICE_DHCLIENT="no"

## Type:	yesno
## Default:	no
FW_SERVICE_DHCPD="no"

## Type:	yesno
## Default:	no
FW_SERVICE_SQUID="no"

## Type:	yesno
## Default:	no
FW_SERVICE_SAMBA="no"

## Type:	string
# 13.)
FW_FORWARD="192.168.1.0/24,192.168.5.20/24,tcp,1:65535"

## Type:	string
# 14.)
FW_FORWARD_MASQ="0/0,192.168.5.20,tcp,80 0/0,192.168.5.20,tcp,21 0/0,192.168.5.20,tcp,443
0/0,192.168.5.20,tcp,25 0/0,192.168.5.20,tcp,100"

## Type:	string
# 15.)
FW_REDIRECT="192.168.5.0/24,192.168.1.0/24,tcp,113,113"

## Type:	yesno
## Default:	yes
# 16.)
FW_LOG_DROP_CRIT="no"

## Type:	yesno
## Default:	no
FW_LOG_DROP_ALL="no"

## Type:	yesno
## Default:	yes
FW_LOG_ACCEPT_CRIT="no"

## Type:	yesno
## Default:	no
FW_LOG_ACCEPT_ALL="no"

## Type:	string
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

## Type:	yesno
## Default:	yes
# 17.)
FW_KERNEL_SECURITY="yes"

## Type:	yesno
## Default:	no
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"

## Type:	yesno
## Default:	yes
# 19.)
FW_ALLOW_PING_FW="no"

## Type:	yesno
## Default:	no
FW_ALLOW_PING_DMZ="no"

## Type:	yesno
## Default:	no
FW_ALLOW_PING_EXT="no"

##
# END of rc.firewall
##

#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #

#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_TRACEROUTE="yes"

## Type:	yesno
## Default:	yes
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

## Type:	yesno
## Default:	no
#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_BROADCAST="no"

## Type:	yesno
## Default:	yes
#
FW_IGNORE_FW_BROADCAST="yes"

## Type:	yesno
## Default:	no
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# be default (so without the need setting up FW_FORWARD definitions)?

#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany.  All rights reserved.
#
# Author: Marc Heuse <marc@xxxxxxx>, 2002
# Please contact me directly if you find bugs.
#
# If you have problems getting this tool configures, please read this file
# carefuly and take also a look into
#  -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES !
#  -> /usr/share/doc/packages/SuSEfirewall2/FAQ !
#  -> /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE !
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 3.1 which is for 2.4 kernels!
#
# ------------------------------------------------------------------------     #
# PLEASE NOTE THE FOLLOWING:
#
# Just by configuring these settings and using the SuSEfirewall2 you are
# not secure per se! There is *not* such a thing you install and hence you
# are safed from all (security) hazards.
#
# To ensure your security, you need also:
#
#   * Secure all services you are offering to untrusted networks (internet)
#     You can do this by using software which has been designed with
#     security in mind (like postfix, apop3d, ssh), setting these up without
#     misconfiguration and praying, that they have got really no holes.
#     SuSEcompartment can help in most circumstances to reduce the risk.
#   * Do not run untrusted software. (philosophical question, can you trust
#     SuSE or any other software distributor?)
#   * Harden your server(s) with the harden_suse package/script
#   * Recompile your kernel with the openwall-linux kernel patch
#     (former secure-linux patch, from Solar Designer) www.openwall.com
#   * Check the security of your server(s) regulary
#   * If you are using this server as a firewall/bastion host to the internet
#     for an internal network, try to run proxy services for everything and
#     disable routing on this machine.
#   * If you run DNS on the firewall: disable untrusted zone transfers and
#     either don't allow access to it from the internet or run it split-brained.
#
# Good luck!
#
# Yours,
#	SuSE Security Team
#
# ------------------------------------------------------------------------
#
# Configuration HELP:
#
# If you have got any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
#
#
# All types have to set enable SuSEfirewall2 in the runlevel editor
#
# If you are a end-user who is NOT connected to two networks (read: you have
# got a single user system and are using a dialup to the internet) you just
# have to configure (all other settings are OK): 2) and maybe 9).
#
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to setup your proxys and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
#
# If this server is a firewall, and should do routing/masquerading between
# the untrusted and the trusted network, you have to reconfigure (all other
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
# 14), 20)
#
# If you want to run a DMZ in either of the above three standard setups, you
# just have to configure *additionally* 4), 9), 12), 13), 17), 19).
#
# If you know what you are doing, you may also change 8), 11), 15), 16)
# and the expert options 19), 20), 21), 22) and 23) at the far end, but you
# should NOT.
#
# If you use diald or ISDN autodialing, you might want to set 17).
#
# To get programs like traceroutes to your firewall to work is a bit tricky,
# you have to set the following options to "yes" : 11 (UDP only), 18 and 19.
#
# Please note that if you use service names, that they exist in /etc/services.
# There is no service "dns", it's called "domain"; email is called "smtp" etc.
#
# *Any* routing between interfaces except masquerading requires to set FW_ROUTE
# to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING !
#
# If you just want to do masquerading without filtering, ignore this script
# and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn):
#   iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0
#   echo 1 > /proc/sys/net/ipv4/ip_forward
# and additionally the following lines to get at least a minimum of security:
#   iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0
#   iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0
# ------------------------------------------------------------------------

## Path:	Network/Firewall/SuSEfirewall2
## Description:	SuSEfirewall2 configuration
## Type:	yesno
## Default:	no
#
# 1.)
# Should the Firewall run in quickmode?
#
# "Quickmode" means that only the interfaces pointing to external networks
# are secured, and no other. all interfaces not in the list of FW_DEV_EXT
# are allowed full network access! Additionally, masquerading is
# automatically activated for FW_MASQ_DEV devices. and last but not least:
# all incoming connection via external interfaces are REJECTED.
# You will only need to configure 2.) and FW_MASQ_DEV in 6.)
# Optionally, you may add entries to section 9a.)
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_QUICKMODE="no"

## Type:	string
# 9a.)
# External services in QUICKMODE.
# This is only used for QUICKMODE (see 1.)!
# (The settings here are similar to section 9.)
# Which services ON THE FIREWALL should be accessible from either the 
# internet (or other untrusted networks), i.e. the external interface(s)
# $FW_DEV_EXT
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_QUICK_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_QUICK_UDP.
# e.g. if a secure shell daemon on the firewall should be accessible from
# the internet: 
# FW_SERVICES_QUICK_TCP="ssh"
# e.g. if the firewall should receive isakmp (IPsec) internet:
# FW_SERVICES_QUICK_UDP="isakmp"
# For IP protocols (like IPsec) you need to set
# FW_SERVICES_QUICK_IP="50"
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges seperated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# QUICKMODE: TCP services open to external networks (InterNet)
# (Common: ssh smtp)
FW_SERVICES_QUICK_TCP=""

## Type:	string
# QUICKMODE: UDP services open to external networks (InterNet)
# (Common: isakmp)
FW_SERVICES_QUICK_UDP=""

## Type:	string
# QUICKMODE: IP protocols unconditionally open to external networks (InterNet)
# (For VPN firewall that is VPN gateway: 50)
FW_SERVICES_QUICK_IP=""

## Type:	string
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type:	yesno
## Default:	no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_REJECT="no"

## Type:	string
#
# 27.)
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="ppp0,125"
# where ppp0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# it's own buffers because queing is done by us now.
# So for a 256kbit upstream
#   FW_HTB_TUNE_DEV="ppp0,250"
# might be a better value than "ppp0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everthing else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

 




	

	
		
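A small check over the comma-separated rule strings posted above, as an added example that is not part of the original message and not SuSEfirewall2's own code: it reports addresses written with host bits set under their mask and port ranges at least `WIDE_RANGE` ports wide. The `WIDE_RANGE` threshold and the helper names are assumptions; the field order (source, destination, protocol, port) is read off the posted values.

```python
import ipaddress

# Rule strings copied from the configuration in the post above.
FW_FORWARD = "192.168.1.0/24,192.168.5.20/24,tcp,1:65535"
FW_FORWARD_MASQ = ("0/0,192.168.5.20,tcp,80 0/0,192.168.5.20,tcp,21 "
                   "0/0,192.168.5.20,tcp,443 0/0,192.168.5.20,tcp,25 "
                   "0/0,192.168.5.20,tcp,100")
FW_MASQ_NETS = ("192.168.1.0/24,0/0,tcp,80 192.168.1.0/24,0/0,tcp,53 "
                "192.168.1.0/24,0/0,udp,53 192.168.1.0/24,0/0,tcp,25 "
                "192.168.1.0/24,0/0,tcp,110 192.168.1.0/24,0/0,tcp,21 "
                "192.168.1.0/24,0/0,tcp,113 192.168.5.0/24 "
                "192.168.1.0/24,0/0,tcp,20 192.168.1.0/24,0/0,tcp,1024:65535 "
                "192.168.1.0/24,0/0,tcp,443")

WIDE_RANGE = 1024  # assumption: port ranges this wide or wider get reported


def parse_net(text):
    """Return (network, host_bits_set) for 'a.b.c.d[/len]' or the '0/0' shorthand."""
    if text == "0/0":  # shorthand used in the config; ipaddress rejects it
        return ipaddress.ip_network("0.0.0.0/0"), False
    net = ipaddress.ip_network(text, strict=False)
    return net, ipaddress.ip_interface(text).ip != net.network_address


def port_span(port):
    """Number of ports covered by 'N' or 'N:M'; service names count as one."""
    lo, _, hi = port.partition(":")
    if not lo.isdigit():
        return 1
    return int(hi or lo) - int(lo) + 1


def audit(name, value):
    """Return (variable, entry, finding) tuples for one rule-list variable."""
    findings = []
    for entry in value.split():
        fields = entry.split(",")
        for field in fields[:2]:  # source and destination
            net, host_bits = parse_net(field)
            if host_bits:
                findings.append((name, entry, f"{field} has host bits set; masked network is {net}"))
        if len(fields) >= 4 and port_span(fields[3]) >= WIDE_RANGE:
            findings.append((name, entry, f"port range {fields[3]} covers {port_span(fields[3])} ports"))
    return findings


if __name__ == "__main__":
    for var in ("FW_MASQ_NETS", "FW_FORWARD", "FW_FORWARD_MASQ"):
        for finding in audit(var, globals()[var]):
            print(*finding, sep=" | ")
```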