[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[suse-security] [Genera] Rules for firewall?



Hi all!
I dont know if this is the right list, but here goes.

I am fairly new to firewalling and iptables.
I have a setup as follows:

firewall: red eth0 external interface (adsl, dhcp)
  yellow eth1 dmz interface
  green eth2 internal interface 

On dmz is a combined server running
web/ mysql/  ftp/ caching dns/ time/ outgoing mail and nfs server
I only want web/ftp to be available from red

All other services is for green (and yellow) network

I have several machines on green (So i guess i want NAT there)
One Linux server with NFS
Three linux ones running gnomemeeting amsn and licq
Two windows ones running Netmeeting, MSN, ICQ
All machines run bittorrent, limewire and dc++

I want ssh access to all boxes
I want to be able to run all communicationservices from arbitrary box.
All internal boxes shall use time/ dns/ outgoing mail om the dmz server

The firewall is to be locked down for user login only via ssh.
Anything to be done is sudo'ne 
(note to self, find out how to lock ssh to userlogin only)  
But i want access from red to firewall so i can "jump" to green and yellow if 
needed.

I want as full access as possible from green to red

I have read the SuSEFirewall2 docs in /usr/share/docs/packages/SuSEFirewall2
but i cant figure it out..
What so set, what to add/remove..

Any pointers on where to start learning?
Any pointers on how to set it up?


-- 
         /Rikard

------------------------------------------------------------------------------------
Rikard Johnels          email   : rikjoh@xxxxxxxxx
                        Web     : http://www.rikjoh.com
                        Mob     : +46 735 05 51 01

------------------------ Public PGP fingerprint ----------------------------
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78  46 1C EE 56 >

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here