Re: [SLE] Firewall zones

On Tuesday 26 September 2006 5:01 pm, Theo v. Werkhoven wrote:
> Mon, 25 Sep 2006, by abrahams@xxxxxxx:
>> I want to configure the SuSE firewall so that communication within my LAN
>> is uninhibited but communication outside the LAN is fully protected.
>> Looking at the firewall configuration in Yast, I see that the external
>> zone is protected but the internal zone is not. However, I don't see how
>> to specify that the internal zone consists of hosts with addresses
>> 192.168.0.x. This would seem to be a pretty common requirement.
>
> Please be more specific about your setup. Do you have a network card
> with an alias IP address or something?

My network card is assigned its IP address by the router using DHCP.
Incoming traffic is processed using Network Address Translation. I have
several Linux machines with this setup, each cabled to the router.

>> It appears that the firewall configurator can specify that an interface
>> is external or internal, but I have only one interface (network card).
>> It connects to the LAN and to the router; the router in turn talks to the
>> world. It's a very common setup.

I should have phrased this better. The network card is cabled to the router,
which on its external side is cabled to a broadband modem.

> Perhaps, but that doesn't make it the best setup.
> Having your LAN systems on the same segment and IP range as the
> "firewall" means that there's nothing between the Internet and the
> 'other' systems, except the router's rules for port-forwarding etc.

The router (a standard D-Link 4-porter) has an internal net address of
192.168.0.1 and assigns the computers on the LAN addresses of the form
192.168.0.x. Seen externally, it has an IP address assigned by Comcast, my
broadband provider, also using DHCP, which Comcast requires.

All the systems on the LAN are supposed to have the same firewall protection,
using SuSE firewall (or in some cases the Windows firewall). So each machine
has two levels of protection: the router, which itself provides pretty good
protection, and the firewall on the individual machine. The main weakness of
the router firewall is that it doesn't filter outgoing packets, only incoming
ones.

> If you want better protection I'd look for a "real" router, that
> can be configured for multiple LAN IP ranges, or set up the Linux
> machine as such.

I'd settle for any degree of protection as long as I can share files with
other machines on the LAN. Sharing could be either with NFS or with Samba.

Thanks for your help.

Paul

--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@xxxxxxxx
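As an added example (not from the thread, and not SuSEfirewall2's or YaST's own code): the policy Paul is after, written directly as iptables rules for a host with a single NIC. New inbound connections are accepted only from the LAN prefix and only on the Samba and NFS ports, everything else arriving on the NIC is dropped by policy, and outbound traffic is left open. This is roughly what SuSEfirewall2's FW_TRUSTED_NETS setting expresses when the one NIC is placed in the external zone; the prefix 192.168.0.0/24, the interface name eth0 and the port list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-host iptables policy for a
# single-NIC machine on a 192.168.0.0/24 LAN behind a NAT router, with
# NFS/Samba shared only inside the LAN. LAN_NET, IFACE and the ports
# are assumptions; adjust them to the real host.
LAN_NET="192.168.0.0/24"
IFACE="eth0"

# Print the ruleset as iptables commands; apply with:  gen_rules | sh
gen_rules() {
    cat <<EOF
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SMB/CIFS (Samba), LAN sources only
iptables -A INPUT -i $IFACE -s $LAN_NET -p udp --dport 137:138 -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN_NET -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN_NET -p tcp --dport 445 -j ACCEPT
# NFS: portmapper and nfsd (NFSv3 mountd/statd/lockd need pinned ports added too)
iptables -A INPUT -i $IFACE -s $LAN_NET -p tcp --dport 111 -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN_NET -p udp --dport 111 -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN_NET -p tcp --dport 2049 -j ACCEPT
iptables -A INPUT -i $IFACE -s $LAN_NET -p udp --dport 2049 -j ACCEPT
# Anything else on the NIC, including whatever the router forwards in, hits the DROP policy
EOF
}

# Sanity check: number of ACCEPT rules for new connections that are NOT
# restricted to the LAN prefix (loopback and state rules excluded). Expect 0.
unscoped_accepts() {
    gen_rules | awk -v net="$LAN_NET" '
        /^iptables -A INPUT/ && !/-i lo/ && !/ESTABLISHED/ && index($0, "-s " net) == 0 { n++ }
        END { print n + 0 }'
}

gen_rules
```

Because the router rewrites only the destination address when it forwards a port, inbound traffic from the Internet still carries its outside source address and never matches the LAN-scoped rules. A source address is only a weak trust signal on a shared segment, which is Theo's point about having the LAN systems on the same range as the router.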