
Re: [suse-security] suse-security list



As far as I know then (as I have the same, only my webserver is on the
Gateway itself (home network)),
the mail from Andreas Mueller could help you out!



FW_FORWARD_MASQ="0/0,10.3.1.34,tcp,5678,80"

meaning indeed: source IP, destination IP, protocol, source port,
destination port

What you should definitely do is open port 5678 on FW_SERVICES_EXT_TCP,
otherwise the firewall won't allow clients to connect. And you can get rid
of port 80 on EXT because you use the other port for it.

FW_SERVICES_EXT_TCP="25 53 5678"


As for opening port 80 on the gateway on FW_SERVICES_INT_TCP ... If you run
a webserver on it, you can leave it open, else close it as this is an open
port doing nothing ;) (meaning if you want security to be high: close
everything you don't need)

If LAN users connect to your webserver the routing tables on the network
know they don't have to go over the gateway so it will find the webserver
anywayz ...

Hope this helped you out a bit ...

regards

Chris




> You wrote:

Thanks for your prompt answer

a.) The local users enter by default port 80 (transparently). Nevertheless,
for external users this should not be the case. They should give in the
explorer the address http://204.87.34.12:5678 (just an example). Then the
firewall should redirect this request on port 5678 on device (206.87.34.1) to
the internal server 10.3.1.34 port 80.

b.) The Webserver accesses the database itself presenting the result in a
webpage obviously.

René


On Thursday 24 October 2002 09:00, you wrote:
> Hi,
>
> When users are connecting to your webserver, do they have to enter the
> port number or is it port 80 by default?
>
> I know here in Belgium ports under 1024 get blocked with certain providers
> unless you pay for a more expensive "solution".
>
> Plus: Does the webserver access the database itself (localhost) and then
> present the results in a webpage, or do the clients have to have a
> connection to the database themselves?
>
> regards
>
> Chris
>
> ----- Original Message -----
> From: "René Garizzao" <rgarizzao@xxxxxxxxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: Thursday, October 24, 2002 3:54 PM
> Subject: [suse-security] suse-security list
>
>
> Hello Uli,
> I present to you the following problem I haven't closed successfully:
>
> Configuration:
> ==========
>
> Internal <--->    Firewall (SuSE8.0)    <--->    Internet <---> Client
> Web Server       (int_dev: 10.3.1.10)
> (10.3.1.34)       (ext_dev: x.y.z.a)
>
> Well, a certain client shall connect to the internal Web server to make use
> of a database application. The client should give the ext_dev IP address
> and the desired port to connect, i.e. http://x.y.z.a:5678
> The request should pass through the firewall and be redirected straight to
> the webserver 10.3.1.34 (port 80).
> I tried different configuration examples without success. Have you any
> experience with this?
>
> SuSEfirewall Configuration
> ===================
> (This configuration uses port 80 and not the desired high port 5678)
>
> FW_DEV_EXT="eth1"
>
> FW_DEV_INT="eth0"
>
> FW_ROUTE="yes"
>
> FW_MASQUERADE="yes"
>
> FW_MASQ_NETS="10.3.0.0/16"
>
> FW_PROTECT_FROM_INTERNAL="yes"
>
> FW_AUTOPROTECT_SERVICES="yes"
>
> FW_SERVICES_EXT_TCP="25 53 80"
>
> FW_SERVICES_EXT_UDP="53"
>
> FW_SERVICES_INT_TCP="25 53 80"
>
> FW_SERVICES_INT_UDP="53"
>
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
>
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
>
> FW_SERVICE_DNS="yes"
>
> FW_FORWARD="0/0,x.y.z.a,tcp,80  x.y.z.a,10.3.1.34,tcp,80
> 0/0,10.3.1.34/255.255.255.255,tcp,80"
>
> #
> FW_REDIRECT="10.3.0.0/16,0/0,tcp,53,53  10.3.0.0/16,0/0,tcp,25,25
> 10.3.0.0/16,0/0,udp,53,53  10.3.1.34,0/0,tcp,80,80"
> ===========================================================
>
> Thanks in advance for any further help you could provide me.
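
As an added example (not part of this thread, and not SuSEfirewall's own code), a small Python check of the point made in the reply above: every port that FW_FORWARD_MASQ exposes on the external address must also appear in FW_SERVICES_EXT_TCP. It runs over two constructed config fragments modelled on the quoted settings, one with the gap and one without.

```python
import re

# Constructed SuSEfirewall config fragments (not the poster's real file).
# FIRST_ATTEMPT forwards external port 5678 but still only opens 80 on EXT,
# the gap the reply warns about; CORRECTED is the setup the reply suggests.
FIRST_ATTEMPT = '''
FW_SERVICES_EXT_TCP="25 53 80"
FW_FORWARD_MASQ="0/0,10.3.1.34,tcp,5678,80"
'''
CORRECTED = '''
FW_SERVICES_EXT_TCP="25 53 5678"
FW_FORWARD_MASQ="0/0,10.3.1.34,tcp,5678,80"
'''

def parse_config(text):
    """Return {KEY: value} for lines of the form FW_KEY="value"."""
    return dict(re.findall(r'^\s*(FW_[A-Z_]+)="([^"]*)"', text, re.M))

def parse_forward_masq(value):
    """Split FW_FORWARD_MASQ entries: source net, internal host, protocol,
    port on the firewall's external address, optional port on the host."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        if len(fields) not in (4, 5):
            raise ValueError("malformed FW_FORWARD_MASQ entry: %r" % entry)
        src, dst, proto, ext_port = fields[:4]
        int_port = fields[4] if len(fields) == 5 else ext_port
        rules.append({"src": src, "dst": dst, "proto": proto.lower(),
                      "ext_port": int(ext_port), "int_port": int(int_port)})
    return rules

def check_config(text):
    """Report TCP forwards whose external port is missing from
    FW_SERVICES_EXT_TCP, so the firewall would not let clients connect."""
    cfg = parse_config(text)
    ext_tcp = {int(p) for p in cfg.get("FW_SERVICES_EXT_TCP", "").split()}
    findings = []
    for r in parse_forward_masq(cfg.get("FW_FORWARD_MASQ", "")):
        if r["proto"] == "tcp" and r["ext_port"] not in ext_tcp:
            findings.append("port %d forwarded to %s:%d is not in FW_SERVICES_EXT_TCP"
                            % (r["ext_port"], r["dst"], r["int_port"]))
    return findings

if __name__ == "__main__":
    for name, cfg in (("first attempt", FIRST_ATTEMPT), ("corrected", CORRECTED)):
        print(name, "->", check_config(cfg) or ["ok"])
```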



