Re: [SLE] Firewall zones
- From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
- Date: Tue, 26 Sep 2006 23:26:59 -0600
On 26/09/06 21:59, Paul Abrahams wrote:
<snip>
>> Correct, and certainly if you are configuring a network with only one
>> subnet in it, you don't need anything more than this.
>
> Specifically, FW_DEVICE_INT, as the name suggests, specifies a device rather
> than a range of IP addresses.

I see you bypassed where I said the internal zone device can be as
protected as you want it to be: turn on the "protect from int" variable
and see what happens.

>> However, based on your other posts (2 others thus far), I suspect you
>> will be best served by defining your devices to be in the external zone,
>
> Yes. I realized early on that since the internal zone is in general
> unprotected, I couldn't get protection from the outside world by using it.
> In fact, it seems that with only one interface (network card), turning off
> the firewall is pretty much equivalent to declaring that interface to be
> internal.
>
>> and defining your LAN net/mask in the FW_TRUSTED_NETS variable, ie.
>> FW_TRUSTED_NETS="192.168.0.0/24" (you will have to change this if you
>> ever change the net on the router).
>
> That is the critical hint. There's no way to do this setting through Yast as
> far as I can tell, though there ought to be. I hadn't realized until you
> pointed it out that there are a number of firewall-related settings
> in /etc/sysconfig and many of these are not manipulable through Yast.

Well, I don't think there is a way to do this in the security/firewall
section, but there sure is a way to do all of this in system/sysconfig
editor. It's under network/firewall, I believe. This definitely points
to what might be regarded as a deficiency in Yast: surely the entire
firewall should be configurable from that security section.

>> At this point, you should check to
>> see that your Samba networking is functioning properly (it should be,
>> and if it is not, verify that the router is not blocking the traffic
>> before making any further changes on any workstation). If you have any
>> NFS or CUPS functionality within the LAN, it should also be tested.
>> Again, if the services are properly configured but do not work, check
>> the router first.
>
> After diddling FW_TRUSTED_NETS, Samba became available just as you said it
> should. A simple way to see what the router is blocking is to turn off the
> firewall; anything that's still inaccessible is inaccessible because of the
> router.
>
> The FW_TRUSTED_NETS variable also accepts a list of services, which I didn't
> provide. Samba worked anyway.

Read the blurb again: the only thing that is required is the network
(either a single IP, or a net/mask). The protocol/port stuff is only
necessary if you want to restrict an IP/IP range to a specific service,
eg: 192.168.1.0/24,tcp,21 means that 192.168.1.* can only connect to the
system via ssh, but 192.168.0.0/24 means 192.168.0.* can connect to any
service (tcp or udp) that the system offers.

>> I say again, this is no substitute for proper security in the config
>> files -- what are you going to do if your firewalls are hacked? What are
>> you going to do if an IP you thought to be trusted is spoofed?
<snip>
>> This is no substitute for proper security in those config files themselves, and
>> should not be treated as such.
<snip>
> If the outside connections are not listed in FW_TRUSTED_NETS, I'd think that
> the outsiders would be blocked from cupsd on that account.
<snip>
> It appears to me that including an IP address in the FW_TRUSTED_NETS range
> effectively moves it from the external zone to the internal zone. Is that correct?

Not at all, eg. you could allow anyone anywhere on the internet to
connect to your IRC server by including this in your trusted-nets:
0/0,tcp,6667 (assuming, of course, that you forward port 6667 on your
router). The big bad world is still in the external zone. However, apart
from "/24" in place of "/255" (ahem :-) ) the following is correct:

> assign the network card to the external zone and set FW_TRUSTED_NETS to
> 192.168.0.1/255. Then machines on the LAN have full access to each other and
> machines outside the net have none, other than what is explicitly allowed.
--
Check the headers for your unsubscription address
For additional commands send e-mail to suse-linux-e-help@xxxxxxxx
Also check the archives at http://lists.suse.com
Please read the FAQs: suse-linux-e-faq@xxxxxxxx
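The thread's FW_TRUSTED_NETS discussion boils down to a small grammar (space-separated entries of the form network[,protocol[,port]], where a bare network trusts the source for every service) and two pitfalls: a bad mask such as "/255" instead of "/24", and an entry like 0/0,tcp,6667 that trusts the whole internet for one port without moving anyone into the internal zone. The following is an added example, written for this page and not SuSEfirewall2's own code: a checker that parses such a value, rejects malformed entries, and answers "would this source be trusted for this service?" for constructed sample addresses. The treatment of a bare "0/0" as 0.0.0.0/0 and the accepted protocol names are assumptions made for the illustration.

```python
"""Checker for FW_TRUSTED_NETS-style entries (illustration, not SuSEfirewall2 code).

Entry grammar, as the thread describes it: network[,protocol[,port]]
  192.168.0.0/24          -> every service, from the whole /24
  192.168.1.0/24,tcp,22   -> only tcp/22 from that /24
  0/0,tcp,6667            -> tcp/6667 from anywhere (ASSUMPTION: 0/0 == 0.0.0.0/0)
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = ("tcp", "udp", "icmp")  # assumption for this example


@dataclass(frozen=True)
class TrustedEntry:
    net: ipaddress.IPv4Network
    proto: Optional[str] = None  # None means any protocol
    port: Optional[int] = None   # None means any port


def parse_entry(text: str) -> TrustedEntry:
    """Parse one entry; raise ValueError with a readable reason if it is malformed."""
    parts = text.split(",")
    if not parts[0] or len(parts) > 3:
        raise ValueError(f"{text!r}: expected network[,protocol[,port]]")
    net_text = "0.0.0.0/0" if parts[0] == "0/0" else parts[0]
    try:
        # strict=False lets a host address with a mask (192.168.0.1/24) through,
        # as a sysadmin would write it; "/255" is neither a prefix length nor a
        # dotted mask and is rejected here with an explanation.
        net = ipaddress.IPv4Network(net_text, strict=False)
    except ValueError as exc:
        raise ValueError(f"{text!r}: bad network ({exc})") from None
    proto = parts[1].lower() if len(parts) > 1 else None
    if proto is not None and proto not in PROTOCOLS:
        raise ValueError(f"{text!r}: unknown protocol {proto!r}")
    port = None
    if len(parts) == 3:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{text!r}: a port only makes sense with tcp or udp")
        try:
            port = int(parts[2])
        except ValueError:
            raise ValueError(f"{text!r}: port is not a number") from None
        if not 0 < port < 65536:
            raise ValueError(f"{text!r}: port out of range")
    return TrustedEntry(net, proto, port)


def check_value(value: str) -> Tuple[List[TrustedEntry], List[str]]:
    """Parse a whole FW_TRUSTED_NETS value; return (good entries, error messages)."""
    entries: List[TrustedEntry] = []
    errors: List[str] = []
    for token in value.split():
        try:
            entries.append(parse_entry(token))
        except ValueError as exc:
            errors.append(str(exc))
    return entries, errors


def is_trusted(entries: List[TrustedEntry], src_ip: str, proto: str, port: int) -> bool:
    """True if some entry covers the source address for this protocol/port."""
    src = ipaddress.IPv4Address(src_ip)
    for e in entries:
        if src not in e.net:
            continue
        if e.proto is not None and e.proto != proto:
            continue
        if e.port is not None and e.port != port:
            continue
        return True
    return False


if __name__ == "__main__":
    # Constructed sample value mirroring the thread's examples.
    entries, errors = check_value("192.168.0.0/24 192.168.1.0/24,tcp,22 0/0,tcp,6667")
    print("errors:", errors)
    print("LAN host -> smb/445:", is_trusted(entries, "192.168.0.7", "tcp", 445))
    print("other /24 -> smb/445:", is_trusted(entries, "192.168.1.7", "tcp", 445))
    print("internet -> irc/6667:", is_trusted(entries, "203.0.113.9", "tcp", 6667))
    print("internet -> cups/631:", is_trusted(entries, "203.0.113.9", "tcp", 631))
    # The "/255" slip from the thread is caught rather than silently accepted.
    print(check_value("192.168.0.1/255")[1])
```

Run it as a script to see the four yes/no answers and the error for the "/255" entry. The design point is the one Darryl makes: an entry with no protocol or port is a blanket grant for that source range, and a 0/0 entry grants one service to every address while leaving every address in the external zone; a checker like this only tells you what the variable says, not whether the daemons behind it are configured safely.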