Very Computer

Hi,

I configured SuSE 6.4 as a firewall using ipchains.
From my internal network it's possible to go to the Internet and I'm also
able to open ports on the firewallmachine (ftp proxy, squid). What seems to
be impossible is to get ipmasqadm working. I want to make several hosts from
my internal network visible to the Internet. I read all the HOWTO's and
tried several suggestions I already got from other newsgroups. Still it
doesn't work. Does anyone know how to get this thing working??

Thnx, Sjoerd

I hate to say it, but RTFM.  The SuSE manual goes into this in
some detail.  Failing that, look
at /etc/rc.config.d/firewall.rc.config
and /usr/doc/packages/firewals/EXAMPLES.  Worked for me.

Monte

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!

No, you don't even have to RTFM with SuSE. Just login as
root. (disconnect from any untrusted network first to be on
the safe side.)
Start YaST. Go into system admin - change configuration.
Answer some question. Then save and exit YaST. And you're
done.

Can even set up the firewall to restart on reboot all from
YaST.

sUse fAN.

Yes, but in order to have an idea what you're doing and the
possible ramifications, it is best to RTFM ;)

Seriously though, in yast, you go to system administration -->
Change config file, do an F4(search) for 'FW*', and start
setting the options.  Part of the reason I recommend that you
read the files on your system is that on my box at least, the
descriptions were too big to fit in the few lines alloted, and F2
(description) was deactivated.  Therefore, the only way to fully
understand what I was doing is to read the firewall.rc.config
file.

FWIW, there is an updated version of the firewals package on
SuSE's ftp site under updates

Monte

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!

Hi,

Quote:> I hate to say it, but RTFM.  The SuSE manual goes into this in
> some detail.  Failing that, look
> at /etc/rc.config.d/firewall.rc.config
> and /usr/doc/packages/firewals/EXAMPLES.  Worked for me.

I actually did. That's why I got some of the things working... I think I
need to have the right ipchains rules to get ipmasqadm working right. The
weird thing is that with SuSE 6.2 it was a piece of cake. After that (6.3
+6.4) it's getting more complicated..

Sjoerd

Quote:> Monte

> * Sent from RemarQ http://www.remarq.com The Internet's Discussion Network
*
> The fastest and easiest way to search and participate in Usenet - Free!

If you read carefully and can comprehend everything from
within YaST. You don;t really need the dscking manuel.
Everything is described quite clearly, and have examples for
you to choose from in most options.

But if you want some real fun. Patch in the LIDS into the
kernel. But be careful. You can tighten everything so much,
even root cannot access anything. ;-)

But seriously. The out of the box firewall tool from SuSE
6.x is not perfect, but quite decent.

Quote:> FWIW, there is an updated version of the firewals package on
> SuSE's ftp site under updates

I believe so.

sUse Fan.

Quote:> Monte

> * Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
> The fastest and easiest way to search and participate in Usenet - Free!

Hi,

The problem is that ipchains works without any problems. Ipmasqadm however
doesn't work. I think I need to add some ipchains rules to get the thing
working. I tried several rules (input/output) but still nothing...

Quote:

> Can even set up the firewall to restart on reboot all from
> YaST.

> sUse fAN.

Another SuSE fan

Ok, I'll bite here.  What exactly is ipmasqadm?  I believe I set
my system up o.k. and never fiddled with any such thing, never
even say any reference to it.  If you are talking about
masqerading, I think you just need the START_FW, FW_ROUTE, and I
think it is FW_MASQ(or something like that) on/true/yes .

Monte

* Sent from RemarQ http://www.remarq.com The Internet's Discussion Network *
The fastest and easiest way to search and participate in Usenet - Free!

Hi,

Ipmasqadm is used to portforward incoming traffic to another machine in the
Internal network.
For example a request on port 80 on the firewall is portforwarded to port 80
of a machine with a private ipaddress.

Sjoerd

Quote:> Ok, I'll bite here.  What exactly is ipmasqadm?  I believe I set
> my system up o.k. and never fiddled with any such thing, never
> even say any reference to it.  If you are talking about
> masqerading, I think you just need the START_FW, FW_ROUTE, and I
> think it is FW_MASQ(or something like that) on/true/yes .

> Monte

> * Sent from RemarQ http://www.remarq.com The Internet's Discussion Network
*
> The fastest and easiest way to search and participate in Usenet - Free!

Don't need to bother with it as a separate entity.  If you go back and
read the manual and the examples again, there are specific lines in
firewall.rc.config for forwarding tcp and udp services.  I haven't ever
needed it, but it is there, AFAIK.

Monte

--
There are basically three kinds of men.  There
are the ones who learn by reading.  Then there are
the few who learn by observation.  The rest just
have to pee on the electric fence for themselves.

Sent via Deja.com http://www.deja.com/
Before you buy.

Quote:>But seriously. The out of the box firewall tool from SuSE
>6.x is not perfect, but quite decent.

Can you be more specific? I like to no what isn't perfect about
SuSEfirewall, because I use it myself. And do you think, say
PMFirewall is a better product?

Quote:>> FWIW, there is an updated version of the firewals package on
>> SuSE's ftp site under updates

Or the newest at http://www.suse.de/~marc

SuSE Linux 2.2.7 at linux-wd on a i586
2:00pm up 85 days, 1:59, 0 users, load average: 0.03, 0.01, 0.00

I never use PMFirewall. So, I can't comment on that.

But seriously.  If you depends/relies on a piece of codes to
secure everything, you'll be in for a hugh surprise.

The fact is: If you can code it, somebody can, and will
breaks it.

So, you can only make your network/servers less easy to
break, and hopefully, will make the cracker to give up
because it's taking him/her too much time/efforts to try to
compromise your box.

By playing around with several major distros, I've found
SuSE's out of the box firewalling to be quite decent,
especially if one knows what he/she is doing and activated
the hardening rules as well. I believe it will stop most
casual crackers, but the really determined and knowledgable
ones can, and will be able to crack it.

BTW.  Check out the LIDS project that is developed by a kid
from China and another guy from eastern Europe. Very
interesting shits there, kernel level detection and
response. Search for that at freshmeat.

blowfish.

The nice thing about LIDS is , root doesn't have the
ultimate power.  So, if you're the owner of a biz, and savy
about computers, you can even give root as much, or as
little power over your network/server, as you see fits,
especially if the root is a hired help. So, in case you have
hired a bad root, you can do a root cannel yourself before
you get the aches and pain associated with a rotten root.
;-)

blowfish.

I've seen the results it produces, and was not over-impressed.

If people want a nice & easy way to set up a firewall, may I recommend
`gfcc'? Nice GUI, lay out your rules the way you want, push one button and
it applies them outright, another button to export as a shell script. Like
it, like it a lot.

Quote:> So, you can only make your network/servers less easy to break, and
> hopefully, will make the cracker to give up because it's taking him/her
> too much time/efforts to try to compromise your box.

Ultimately, this is true. But I wouldn't underestimate the fun you can have
preventing *lots* of people, if you're prepared to start with a DENY-by-
default firewall, and only add what you need.

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/

My ipmasqadm is done by a hardware router, with ip packets
filtering and ports forewarding function builtin.

Yes, the ipchains works pretty good.

blowfish

Quote:

> > Can even set up the firewall to restart on reboot all from
> > YaST.

> > sUse fAN.

> Another SuSE fan