SuSE Linux: Versions 6.4 to 7.1
This article refers to an older version of SuSE Linux. Therefore, some of the information given in this article may be outdated, or the article may contain stale links.
Kernel: Versions since 2.2
The SuSEfirewall package has not undergone any drastic changes from SuSE Linux 6.4 to SuSE Linux 7.1. Therefore, the following information basically applies to all three versions.
However, since individual options may have been added in the course of time, not all listed parameters may exist in all versions.
The parameter numbers were adopted from the latest version 4.2. Previous versions that do not contain all options may have different sequence numbers.
Note that the package firewals was renamed to SuSEfirewall.
With kernel 2.4.x, the compatibility module ipchains must be loaded, since the entire packet filter code was redesigned starting from kernel 2.4.x and the tool iptables is now used for configuring packet filters. A firewall script that makes use of iptables is currently being developed. However, for the time being we recommend use of SuSE Linux 7.1 with kernel 2.2.18 as firewall.
This procedure enables internal network hosts to access the Internet without any filters.
Attention: Please note that although this procedure is the easiest way to provide all internal hosts with Internet access, it leaves them relatively defenseless. Therefore, never choose this option for productive operations.
Attention 2: From SuSE Linux 7.1 on, you should use personal-firewall for masquerading instead of this method (see further below).
For this reason, this section will not (!) draw attention to the fact that /sbin/init.d was moved to /etc/init.d starting from SuSE Linux 7.1, and therefore the paths indicated in this section do not apply.
The package ipchains (series sec) must be installed.
Set the parameter START_FW in /etc/rc.config to "no".
Create the file /sbin/init.d/masquerade with the following content.
Since browsers often cause cut & paste errors, we recommend that you do this with Lynx and the following command:
lynx -dump http://sdb.suse.de/sdb/de/html/sm_masq2.html > masquerade
Then delete the text before and after the script.
#! /bin/sh
. /etc/rc.config

PROG="/sbin/ipchains"
# device used for the Internet connection
WORLD_DEV="ippp0"
MODULES="ip_masq_autofw ip_masq_cuseeme ip_masq_ftp ip_masq_irc ip_masq_mfw \
ip_masq_portfw ip_masq_quake ip_masq_raudio ip_masq_user ip_masq_vdolive"
LOADED_MODULES=$(lsmod|grep ip_masq|cut -d " " -f1)
return=$rc_done

if [ ! -x $PROG ]
then
    echo -n "Start masquerading failed- install ipchains"
    return=$rc_failed
    echo -e "$return"
    exit 1
fi

case "$1" in
    start)
        echo -n "Starting masquerading"
        # enable forwarding and masquerade everything leaving via $WORLD_DEV
        echo "1" > /proc/sys/net/ipv4/ip_forward
        $PROG -F || return=$rc_failed
        $PROG -A forward -i $WORLD_DEV -j MASQ || return=$rc_failed
        for i in $MODULES;do insmod $i > /dev/null 2>&1 || return=$rc_failed; done
        echo -e "$return"
        ;;
    stop)
        echo -n "Shutting down masquerading"
        $PROG -F || return=$rc_failed
        # only switch forwarding off again if rc.config does not want it on
        test "$IP_FORWARD" = no && echo "0" > /proc/sys/net/ipv4/ip_forward
        for i in $LOADED_MODULES;do rmmod $i > /dev/null 2>&1 || return=$rc_failed; done
        echo -e "$return"
        ;;
    *)
        echo "Usage: $0 {start|stop}"
        exit 1
        ;;
esac
test "$return" = "$rc_done" || exit 1
exit 0
"ippp0" must be replaced with the device you use for establishing Internet connections. Of course this procedure also works with an analog connection and ppp0.
Make the file executable: chmod 700 /sbin/init.d/masquerade
Set up the corresponding links for automatic start-up in the respective runlevels:
ln -s ../masquerade /sbin/init.d/rc2.d/S99masquerade
ln -s ../masquerade /sbin/init.d/rc2.d/K51masquerade
ln -s ../masquerade /sbin/init.d/rc3.d/S99masquerade
ln -s ../masquerade /sbin/init.d/rc3.d/K51masquerade
The next time the system is booted, LAN hosts can access the Internet if they have entered the masquerading host as default gateway.
Starting from SuSE Linux 7.1, the best solution for simple masquerading is the use of personal-firewall.
This approach, too, is very easy to configure, but provides a measure of protection for the internal network, since all incoming connections are rejected at the outer device.
In order to be able to use this solution, the personal-firewall package (series sec) must be installed.
In new installations, this package is included in the default software selection. When updating from an older SuSE Linux version, it may be necessary to install this package afterwards.
An update can be downloaded from ftp://ftp.suse.com/pub/suse/i386/update/7.1/sec1/personal-firewall.rpm
The configuration requires only one parameter to be modified: REJECT_ALL_INCOMING_CONNECTIONS in the file /etc/rc.config.d/security.rc.config.
Possible values:
no: all rules are deleted, filters and masquerading are not applied.
yes: all incoming connections are rejected.
ippp0 if you use ISDN.
masq: for masquerading internal network traffic; masquerades everything that arrives at an interface that is not blocked.
Accordingly, for one network adaptor eth0 and ISDN dial-in ippp0, the entry for masquerading the entire internal network traffic traversing ippp0 and blocking all incoming external connections would look as follows:
Here is a short description of the settings in /etc/rc.config.d/firewall.rc.config.
The following packages must be installed:
firewals (series sec) -> Scripts for configuring and starting the firewall.
ipchains (series sec) -> Tool for activating the rules in the kernel.
Set the parameter START_FW in /etc/rc.config to "yes" in order for the firewall scripts to be processed when the system is booted.
If your firewall is a dial-in host with dynamic IP addresses, the call /sbin/SuSEfirewall must be entered in the script /etc/ppp/ip-up.
test -x /etc/ppp/ip-up.local && /etc/ppp/ip-up.local $*
test -x /etc/ppp/ip-down.local && /etc/ppp/ip-down.local $*
If you are using SuSE Linux 7.0 or 7.1, the respective entries already exist in /etc/ppp/ip-up. Simply set the parameter START_FW in /etc/rc.config to yes.
You can ignore any error messages regarding missing devices that you may receive when you boot the system, since the actual rules are set later on during dial-up.
All other settings are performed in /etc/rc.config.d/firewall.rc.config.
Important notes:
The configuration, setup, and maintenance of your firewall is not eligible for installation support.
Be sure to read the documentation in /usr/doc/packages/firewals for SuSE Linux 6.4, /usr/share/doc/packages/firewals for SuSE Linux 7.0, or /usr/share/doc/packages/SuSEfirewall/ for SuSE Linux 7.1, as well as chapters 6.7 and 18 in the manual.
If you only perform these settings and use SuSEfirewall, do not expect your system to be bulletproof!
There is no solution that you can simply install to protect yourself against all kinds of assaults from the Internet.
Recommended additional measures:
harden_suse from the package hardsuse, in order to disable all services immediately after the installation; then reactivate only the services you really need.
secumod, which is included on the CDs.
tripwire, as well as the package seccheck from the CDs.
FW_DEV_WORLD: the interface connected to the Internet, e.g. FW_DEV_WORLD="ippp0"
FW_DEV_INT: the interface connected to the internal network, e.g. FW_DEV_INT="eth0"
FW_DEV_DMZ: the interface connected to the DMZ. Set FW_ROUTE to "yes" and enable forwarding of the offered services with FW_FORWARD_TCP and FW_FORWARD_UDP. Example: FW_DEV_INT="eth2"
FW_ROUTE: Set to "yes" if you want to enable a direct connection (without proxy services on the firewall) between LAN hosts, the Internet, and/or the DMZ. Either use FW_MASQUERADE or configure the services to be forwarded with FW_FORWARD_*. See also IP_FORWARD in /etc/rc.config.
FW_MASQUERADE, FW_MASQ_NETS, and FW_MASQ_DEV
FW_MASQUERADE: Set this option to "yes" if internal network hosts with private IP addresses (e.g. 192.168.x.x) are to be provided with direct access to the Internet without proxy services. FW_DEV_INT, FW_MASQ_NETS, FW_MASQ_DEV, and FW_ROUTE="yes" must also be set.
FW_MASQ_NETS: Here you should enter all hosts/networks that are to be provided with access to the Internet by means of masquerading, e.g. FW_MASQ_NETS="192.168.1.1 192.168.2.0/24" for the host 192.168.1.1 and the class C network 192.168.2.x.
FW_MASQ_DEV: Here you should indicate the outgoing interface at which masquerading is to be performed, e.g. FW_MASQ_DEV="$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL: If set to "yes", internal network hosts can only access explicitly released firewall services (FW_*_SERVICES_INTERNAL). If set to "no", all internal network users can connect to the firewall and attack it. FW_DEV_INT must also be set.
FW_AUTOPROTECT_GLOBAL_SERVICES: Covers services listening on all addresses, but not services bound to one specific address: 0.0.0.0:23 is protected, but 10.0.0.01:53 is not. For the latter, see FW_*_SERVICES_*.
FW_SERVICES_*: (See also FW_PROTECT_FROM_INTERNAL="no".) Ports can be given as numbers, e.g. "123 524" for the ports 123 and 524, as ranges, e.g. "3200:3299" for all ports from 3200 to 3299, or as service names from /etc/services, e.g. "smtp telnet".
FW_TRUSTED_NETS and FW_SERVICES_TRUSTED_*
FW_TRUSTED_HOSTS: Trusted Internet hosts/networks that are to be granted access to specific internal services, e.g. FW_TRUSTED_HOSTS="192.168.1.1 192.168.2.0/24" for the host 192.168.1.1 and the class C network 192.168.2.x.
FW_SERVICES_TRUSTED_*: Specify the firewall services these hosts/networks are to be granted access to.
FW_ALLOW_INCOMING_HIGHPORTS_*: "yes" allows all, "no" allows none to access these ports; alternatively, list service names from /etc/services. FW_ALLOW_INCOMING_HIGHPORTS_UDP should contain "dns" so that the name servers specified in /etc/resolv.conf can respond to requests. "ftp-data" must be entered in FW_ALLOW_INCOMING_HIGHPORTS_TCP.
FW_SERVICE_*: Set to yes if you offer/need the respective service on the firewall.
FW_SERVICE_DNS: Set to yes if you operate a name server on the firewall. Also release the service (domain) for the respective network from which requests may be submitted in FW_SERVICES_*_*.
FW_SERVICE_DHCLIENT: Set to yes if you need to use the DHCP client on the firewall.
FW_SERVICE_DHCPD: Set to yes if you operate a DHCP server on the firewall.
FW_SERVICE_SAMBA: Set to yes if you use Samba on this computer (server or client). If the machine is to run as a Samba server, you also need to enter port 139 in the respective variables FW_SERVICES_*_TCP. However, we strongly advise not to operate any Samba servers on the firewall machine.
FW_FORWARD_*: e.g. "12.12.12.0/24,13.13.13.13,25" forwards accesses from the external network 12.12.12.0/24 to port 25 of the internal host 13.13.13.13.
FW_LOG_*
FW_KERNEL_SECURITY
FW_STOP_KEEP_ROUTING_STATE: yes. FW_ROUTE=yes must be set.
FW_ALLOW_PING_*: "yes" or "no".
The following options should be left with their default settings unless you are absolutely sure of what you are doing:
FW_FORWARD_MASQ_*: e.g. FW_FORWARD_MASQ_TCP="0/0,1.2.3.4,80"
FW_REDIRECT_*: e.g. 192.168.0.0/24,0/0,80,3128 redirects all outgoing web requests from the internal network 192.168.0.0/24 to port 3128 of Squid on the firewall.
FW_ALLOW_FW_TRACEROUTE: requires FW_UDP_ALLOW_INCOMING_HIGHPORTS to be set.
FW_ALLOW_FW_PING="yes"
FW_MASQ_MODULES: FW_ROUTE and FW_MASQUERADE must also be set.
FW_CUSTOMRULES: custom rules file, /etc/rc.config.d/firewall-custom.rc.config, read by SuSEfirewall.
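Several of the parameters above only work in combination (FW_MASQUERADE needs FW_DEV_INT, FW_MASQ_NETS, FW_MASQ_DEV and FW_ROUTE="yes"; FW_DEV_DMZ, FW_STOP_KEEP_ROUTING_STATE and FW_MASQ_MODULES need FW_ROUTE; FW_PROTECT_FROM_INTERNAL needs FW_DEV_INT). The following POSIX sh linter is an added example, not part of SuSEfirewall or any SuSE package: it sources a firewall.rc.config-style file and reports every combination the notes above call out as required, so the file can be checked before a reboot; the function names, the rule set and the two sample files are constructed for this example.

```shell
# Added example (not SuSE code): check the FW_* dependencies listed above in
# a firewall.rc.config-style file; one line per violated rule, exit 0 if clean.
check_fw_config() {
    # Clear every variable we inspect, so an earlier run cannot leak in.
    FW_DEV_WORLD= FW_DEV_INT= FW_DEV_DMZ= FW_ROUTE= FW_MASQUERADE= FW_MASQ_NETS=
    FW_MASQ_DEV= FW_PROTECT_FROM_INTERNAL= FW_STOP_KEEP_ROUTING_STATE= FW_MASQ_MODULES=
    . "$1"
    errs=0
    fail() { echo "$1: $2"; errs=$((errs + 1)); }
    [ -n "$FW_DEV_WORLD" ] || fail FW_DEV_WORLD "external interface is not set"
    if [ "$FW_MASQUERADE" = yes ]; then
        [ -n "$FW_DEV_INT" ]   || fail FW_MASQUERADE "needs FW_DEV_INT"
        [ -n "$FW_MASQ_NETS" ] || fail FW_MASQUERADE "needs FW_MASQ_NETS"
        [ -n "$FW_MASQ_DEV" ]  || fail FW_MASQUERADE "needs FW_MASQ_DEV"
        [ "$FW_ROUTE" = yes ]  || fail FW_MASQUERADE "needs FW_ROUTE=yes"
    fi
    [ -z "$FW_DEV_DMZ" ] || [ "$FW_ROUTE" = yes ] ||
        fail FW_DEV_DMZ "needs FW_ROUTE=yes plus FW_FORWARD_TCP/UDP entries"
    [ "$FW_PROTECT_FROM_INTERNAL" != yes ] || [ -n "$FW_DEV_INT" ] ||
        fail FW_PROTECT_FROM_INTERNAL "needs FW_DEV_INT"
    [ "$FW_STOP_KEEP_ROUTING_STATE" != yes ] || [ "$FW_ROUTE" = yes ] ||
        fail FW_STOP_KEEP_ROUTING_STATE "needs FW_ROUTE=yes"
    [ -z "$FW_MASQ_MODULES" ] || [ "$FW_ROUTE$FW_MASQUERADE" = yesyes ] ||
        fail FW_MASQ_MODULES "needs FW_ROUTE=yes and FW_MASQUERADE=yes"
    [ "$errs" -eq 0 ]
}
# Constructed samples for the eth0/ippp0 setup above: "ok" passes, "broken" violates six rules.
write_sample_config() {
    case "$1" in
    ok) cat > "$2" <<'EOF'
FW_DEV_WORLD="ippp0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.1.1 192.168.2.0/24"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL="yes"
EOF
    ;;
    broken) cat > "$2" <<'EOF'
FW_DEV_WORLD="ippp0"
FW_ROUTE="no"
FW_MASQUERADE="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_MASQ_MODULES="ip_masq_ftp"
EOF
    ;;
    esac
}
```

Run it against the real file with check_fw_config /etc/rc.config.d/firewall.rc.config; a non-zero exit status means at least one of the listed dependencies is missing.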