SuSE 6.4 +firewall??


Post by Sjoerd Venem » Wed, 14 Jun 2000 04:00:00



Hi,

I configured SuSE 6.4 as a firewall using ipchains.
From my internal network it's possible to go to the Internet and I'm also
able to open ports on the firewall machine (ftp proxy, squid). What seems to
be impossible is to get ipmasqadm working. I want to make several hosts from
my internal network visible to the Internet. I read all the HOWTOs and
tried several suggestions I already got from other newsgroups. Still it
doesn't work. Does anyone know how to get this thing working??

Thnx, Sjoerd

 
 
 


Post by nuk » Wed, 14 Jun 2000 04:00:00


I hate to say it, but RTFM.  The SuSE manual goes into this in
some detail.  Failing that, look
at /etc/rc.config.d/firewall.rc.config
and /usr/doc/packages/firewals/EXAMPLES.  Worked for me.

Monte


Post by blowfis » Wed, 14 Jun 2000 04:00:00



> I hate to say it, but RTFM.  The SuSE manual goes into this in
> some detail.  Failing that, look
> at /etc/rc.config.d/firewall.rc.config
> and /usr/doc/packages/firewals/EXAMPLES.  Worked for me.

> Monte

No, you don't even have to RTFM with SuSE. Just login as
root. (disconnect from any untrusted network first to be on
the safe side.)
Start YaST. Go into system admin - change configuration.
Answer some questions. Then save and exit YaST. And you're
done.

Can even set up the firewall to restart on reboot all from
YaST.

sUse fAN.

 
 
 


Post by nuk » Wed, 14 Jun 2000 04:00:00


Yes, but in order to have an idea what you're doing and the
possible ramifications, it is best to RTFM ;)

Seriously though, in yast, you go to system administration -->
Change config file, do an F4(search) for 'FW*', and start
setting the options.  Part of the reason I recommend that you
read the files on your system is that on my box at least, the
descriptions were too big to fit in the few lines allotted, and F2
(description) was deactivated.  Therefore, the only way to fully
understand what I was doing is to read the firewall.rc.config
file.

FWIW, there is an updated version of the firewals package on
SuSE's ftp site under updates

Monte


Post by Sjoerd Venem » Wed, 14 Jun 2000 04:00:00


Hi,


> I hate to say it, but RTFM.  The SuSE manual goes into this in
> some detail.  Failing that, look
> at /etc/rc.config.d/firewall.rc.config
> and /usr/doc/packages/firewals/EXAMPLES.  Worked for me.

I actually did. That's why I got some of the things working... I think I
need to have the right ipchains rules to get ipmasqadm working right. The
weird thing is that with SuSE 6.2 it was a piece of cake. After that (6.3
+6.4) it's getting more complicated..

Sjoerd

> Monte


Post by blowfis » Wed, 14 Jun 2000 04:00:00



> Yes, but in order to have an idea what you're doing and the
> possible ramifications, it is best to RTFM ;)

> Seriously though, in yast, you go to system administration -->
> Change config file, do an F4(search) for 'FW*', and start
> setting the options.  Part of the reason I recommend that you
> read the files on your system is that on my box at least, the
> descriptions were too big to fit in the few lines allotted, and F2
> (description) was deactivated.  Therefore, the only way to fully
> understand what I was doing is to read the firewall.rc.config
> file.

If you read carefully and can comprehend everything from
within YaST, you don't really need the dscking manual.
Everything is described quite clearly, and has examples for
you to choose from in most options.

But if you want some real fun. Patch in the LIDS into the
kernel. But be careful. You can tighten everything so much,
even root cannot access anything. ;-)

But seriously. The out of the box firewall tool from SuSE
6.x is not perfect, but quite decent.

> FWIW, there is an updated version of the firewals package on
> SuSE's ftp site under updates

I believe so.

sUse Fan.

> Monte


Post by Sjoerd Venem » Thu, 15 Jun 2000 04:00:00


Hi,




> > I hate to say it, but RTFM.  The SuSE manual goes into this in
> > some detail.  Failing that, look
> > at /etc/rc.config.d/firewall.rc.config
> > and /usr/doc/packages/firewals/EXAMPLES.  Worked for me.

> > Monte

> No, you don't even have to RTFM with SuSE. Just login as
> root. (disconnect from any untrusted network first to be on
> the safe side.)
> Start YaST. Go into system admin - change configuration.
> Answer some questions. Then save and exit YaST. And you're
> done.

The problem is that ipchains works without any problems. Ipmasqadm however
doesn't work. I think I need to add some ipchains rules to get the thing
working. I tried several rules (input/output) but still nothing...


> Can even set up the firewall to restart on reboot all from
> YaST.

> sUse fAN.

Another SuSE fan
 
 
 


Post by nuk » Thu, 15 Jun 2000 04:00:00


Ok, I'll bite here.  What exactly is ipmasqadm?  I believe I set
my system up o.k. and never fiddled with any such thing, never
even saw any reference to it.  If you are talking about
masquerading, I think you just need the START_FW, FW_ROUTE, and I
think it is FW_MASQ(or something like that) on/true/yes .

Monte


Post by Sjoerd Venem » Fri, 16 Jun 2000 04:00:00


Hi,

Ipmasqadm is used to portforward incoming traffic to another machine in the
Internal network.
For example a request on port 80 on the firewall is portforwarded to port 80
of a machine with a private ipaddress.

Sjoerd



> Ok, I'll bite here.  What exactly is ipmasqadm?  I believe I set
> my system up o.k. and never fiddled with any such thing, never
> even saw any reference to it.  If you are talking about
> masquerading, I think you just need the START_FW, FW_ROUTE, and I
> think it is FW_MASQ(or something like that) on/true/yes .

> Monte


Post by milanu » Fri, 16 Jun 2000 04:00:00


Don't need to bother with it as a separate entity.  If you go back and
read the manual and the examples again, there are specific lines in
firewall.rc.config for forwarding tcp and udp services.  I haven't ever
needed it, but it is there, AFAIK.

Monte



> Hi,

> Ipmasqadm is used to portforward incoming traffic to another machine in the
> Internal network.
> For example a request on port 80 on the firewall is portforwarded to port 80
> of a machine with a private ipaddress.

> Sjoerd



> > Ok, I'll bite here.  What exactly is ipmasqadm?  I believe I set
> > my system up o.k. and never fiddled with any such thing, never
> > even saw any reference to it.  If you are talking about
> > masquerading, I think you just need the START_FW, FW_ROUTE, and I
> > think it is FW_MASQ(or something like that) on/true/yes .

> > Monte


--
There are basically three kinds of men.  There
are the ones who learn by reading.  Then there are
the few who learn by observation.  The rest just
have to pee on the electric fence for themselves.


Post by Frank Har » Wed, 21 Jun 2000 04:00:00




>But seriously. The out of the box firewall tool from SuSE
>6.x is not perfect, but quite decent.

Can you be more specific? I like to know what isn't perfect about
SuSEfirewall, because I use it myself. And do you think, say
PMFirewall is a better product?

>> FWIW, there is an updated version of the firewals package on
>> SuSE's ftp site under updates

Or the newest at http://www.suse.de/~marc


SuSE Linux 2.2.7 at linux-wd on a i586
2:00pm up 85 days, 1:59, 0 users, load average: 0.03, 0.01, 0.00

 
 
 


Post by here,ther » Wed, 21 Jun 2000 04:00:00





> >But seriously. The out of the box firewall tool from SuSE
> >6.x is not perfect, but quite decent.

> Can you be more specific? I like to know what isn't perfect about
> SuSEfirewall, because I use it myself. And do you think, say
> PMFirewall is a better product?

I never use PMFirewall. So, I can't comment on that.

But seriously.  If you depend/rely on a piece of code to
secure everything, you'll be in for a huge surprise.

The fact is: If you can code it, somebody can, and will,
break it.

So, you can only make your network/servers less easy to
break, and hopefully, will make the cracker give up
because it's taking him/her too much time/effort to try to
compromise your box.

By playing around with several major distros, I've found
SuSE's out of the box firewalling to be quite decent,
especially if one knows what he/she is doing and activated
the hardening rules as well. I believe it will stop most
casual crackers, but the really determined and knowledgeable
ones can, and will be able to crack it.

BTW.  Check out the LIDS project that is developed by a kid
from China and another guy from eastern Europe. Very
interesting shits there, kernel level detection and
response. Search for that at freshmeat.

blowfish.

> >> FWIW, there is an updated version of the firewals package on
> >> SuSE's ftp site under updates

> Or the newest at http://www.suse.de/~marc


> SuSE Linux 2.2.7 at linux-wd on a i586
> 2:00pm up 85 days, 1:59, 0 users, load average: 0.03, 0.01, 0.00

 
 
 


Post by here,ther » Wed, 21 Jun 2000 04:00:00





> >But seriously. The out of the box firewall tool from SuSE
> >6.x is not perfect, but quite decent.

> Can you be more specific? I like to know what isn't perfect about
> SuSEfirewall, because I use it myself. And do you think, say
> PMFirewall is a better product?

> >> FWIW, there is an updated version of the firewals package on
> >> SuSE's ftp site under updates

> Or the newest at http://www.suse.de/~marc


> SuSE Linux 2.2.7 at linux-wd on a i586
> 2:00pm up 85 days, 1:59, 0 users, load average: 0.03, 0.01, 0.00

The nice thing about LIDS is, root doesn't have the
ultimate power.  So, if you're the owner of a biz, and savvy
about computers, you can even give root as much, or as
little power over your network/server, as you see fit,
especially if the root is a hired help. So, in case you have
hired a bad root, you can do a root canal yourself before
you get the aches and pain associated with a rotten root.
;-)

blowfish.

 
 
 


Post by Tim Hayn » Thu, 22 Jun 2000 04:00:00



> > Can you be more specific? I like to know what isn't perfect about
> > SuSEfirewall, because I use it myself. And do you think, say PMFirewall
> > is a better product?

> I never use PMFirewall. So, I can't comment on that.

I've seen the results it produces, and was not over-impressed.

If people want a nice & easy way to set up a firewall, may I recommend
`gfcc'? Nice GUI, lay out your rules the way you want, push one button and
it applies them outright, another button to export as a shell script. Like
it, like it a lot.

> So, you can only make your network/servers less easy to break, and
> hopefully, will make the cracker give up because it's taking him/her
> too much time/effort to try to compromise your box.

Ultimately, this is true. But I wouldn't underestimate the fun you can have
preventing *lots* of people, if you're prepared to start with a DENY-by-
default firewall, and only add what you need.

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/
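
Added example, not written by any poster in this thread: a dry-run shell sketch of the port forward Sjoerd describes (port 80 on the firewall to port 80 on a private host), with the single input-chain opening it needs under the DENY-by-default approach suggested above. The addresses, the interface name `eth0` and the function names are assumptions; it also assumes masquerading already works, the output chain accepts traffic, and the kernel provides the `ip_masq_portfw` module.

```shell
#!/bin/sh
# Added example, not from the thread. Dry run by default: prints the commands;
# set APPLY=1 (as root, on a 2.2 kernel) to execute them as well.
# Assumes masquerading already works (as in the original post), the output
# chain accepts traffic, and the kernel provides the ip_masq_portfw module.

EXT_IF="${EXT_IF:-eth0}"          # assumed external interface
EXT_IP="${EXT_IP:-203.0.113.10}"  # constructed public address of the firewall

run() {
    echo "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Loose character check only: keeps options and shell text out of the commands.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    return 0
}

# portfw_rules PROTO EXT_PORT INTERNAL_IP [INTERNAL_PORT]
portfw_rules() {
    proto="$1"; port="$2"; int_ip="$3"; int_port="${4:-$2}"
    case "$proto" in
        tcp|udp) ;;
        *) echo "bad protocol: $proto" >&2; return 1 ;;
    esac
    if ! valid_port "$port" || ! valid_port "$int_port" || ! valid_ipv4 "$int_ip"; then
        echo "bad port or address" >&2
        return 1
    fi
    # Port forwarding lives in a masquerading helper module.
    run modprobe ip_masq_portfw
    # On 2.2 kernels the input chain is checked before the forward is applied,
    # so the rule matches the firewall's own address and the public port.
    # Under a DENY-by-default input policy this is the only opening added.
    run ipchains -A input -i "$EXT_IF" -p "$proto" -d "$EXT_IP" "$port" -j ACCEPT
    # Redirect that one port to the internal host.
    run ipmasqadm portfw -a -P "$proto" -L "$EXT_IP" "$port" -R "$int_ip" "$int_port"
}

# The case from the thread: port 80 on the firewall to port 80 on a private host.
portfw_rules tcp 80 192.168.1.2
```

`ipmasqadm portfw -l` lists the forwards currently installed, which is a quick way to confirm that only the intended ports are exposed.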

 
 
 


Post by blowfis » Thu, 22 Jun 2000 04:00:00



> Hi,




> > > I hate to say it, but RTFM.  The SuSE manual goes into this in
> > > some detail.  Failing that, look
> > > at /etc/rc.config.d/firewall.rc.config
> > > and /usr/doc/packages/firewals/EXAMPLES.  Worked for me.

> > > Monte

> > No, you don't even have to RTFM with SuSE. Just login as
> > root. (disconnect from any untrusted network first to be on
> > the safe side.)
> > Start YaST. Go into system admin - change configuration.
> > Answer some questions. Then save and exit YaST. And you're
> > done.

> The problem is that ipchains works without any problems. Ipmasqadm however
> doesn't work. I think I need to add some ipchains rules to get the thing
> working. I tried several rules (input/output) but still nothing...

My ipmasqadm is done by a hardware router, with ip packets
filtering and ports forwarding function built in.

Yes, the ipchains works pretty good.

blowfish


> > Can even set up the firewall to restart on reboot all from
> > YaST.

> > sUse fAN.

> Another SuSE fan

 
 
 
