[NTLUG:Discuss] Firewall/System configuration

Stephen Davidson gorky at freenet.carleton.ca
Wed Jun 5 11:04:10 CDT 2002


Greetings.

I should probably mention that this firewall software is actually a script-based wrapper for iptables/ipchains (I get them confused, whichever is the newer one).

Help, please?
-Steve

Stephen Davidson wrote:

 > Greetings.
 >
 > I am trying to configure my workstation to act as a router/gateway
 > between my home network and the internet over my v92 modem.  Attached is
 > my firewall file (for Suse 7.3 version of SuSEfirewall2). The problem is
 > that when the firewall is running with this configuration, I can't
 > access the internet!
 >
 > Help, please?
 >
 > -Steve
 >
 >
 > ------------------------------------------------------------------------
 >
 > # Copyright (c) 2001 SuSE GmbH Nuernberg, Germany.  All rights reserved.
 > #
 > # Author: Marc Heuse <marc at suse.de>, 2001
 > # Please contact me directly if you find bugs.
 > #
 > # If you have problems getting this tool configured, please read this file
 > # carefully and take also a look into
 > #  -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES !
 > #  -> /usr/share/doc/packages/SuSEfirewall2/FAQ !
 > #  -> /usr/share/doc/packages/SuSEfirewall2/firewall2.rc.config.EXAMPLE !
 > #
 > # /etc/rc.config.d/firewall2.rc.config
 > #
 > # for use with /sbin/SuSEfirewall2 version 1.7 which is for 2.4 kernels!
 > #
 > # ------------------------------------------------------------------------     #
 > # PLEASE NOTE THE FOLLOWING:
 > #
 > # Just by configuring these settings and using the SuSEfirewall2 you are
 > # not secure per se! There is *no* such thing you install and hence you
 > # are safe from all (security) hazards.
 > #
 > # To ensure your security, you need also:
 > #
 > #   * Secure all services you are offering to untrusted networks (internet)
 > #     You can do this by using software which has been designed with
 > #     security in mind (like postfix, apop3d, ssh), setting these up without
 > #     misconfiguration and praying, that they have got really no holes.
 > #     SuSEcompartment can help in most circumstances to reduce the risk.
 > #   * Do not run untrusted software. (philosophical question, can you trust
 > #     SuSE or any other software distributor?)
 > #   * Harden your server(s) with the harden_suse package/script
 > #   * Recompile your kernel with the openwall-linux kernel patch
 > #     (former secure-linux patch, from Solar Designer) www.openwall.com
 > #   * Check the security of your server(s) regularly
 > #   * If you are using this server as a firewall/bastion host to the internet
 > #     for an internal network, try to run proxy services for everything and
 > #     disable routing on this machine.
 > #   * If you run DNS on the firewall: disable untrusted zone transfers and
 > #     either don't allow access to it from the internet or run it split-brained.
 > #
 > # Good luck!
 > #
 > # Yours,
 > #	SuSE Security Team
 > #
 > # ------------------------------------------------------------------------
 > #
 > # Configuration HELP:
 > #
 > # If you have got any problems configuring this file, take a look at
 > # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
 > #
 > #
 > # All types have to set START_FW2 in /etc/rc.config to "yes" ;-)
 > #
 > # If you are an end-user who is NOT connected to two networks (read: you have
 > # got a single user system and are using a dialup to the internet) you just
 > # have to configure (all other settings are OK): 2) and maybe 9).
 > #
 > # If this server is a firewall, which should act like a proxy (no direct
 > # routing between both networks), or you are an end-user connected to the
 > # internet and to an internal network, you have to set up your proxies and
 > # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
 > #
 > # If this server is a firewall, and should do routing/masquerading between
 > # the untrusted and the trusted network, you have to reconfigure (all other
 > # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
 > # 14), 20)
 > #
 > # If you want to run a DMZ in either of the above three standard setups, you
 > # just have to configure *additionally* 4), 9), 12), 13), 17), 19).
 > #
 > # If you know what you are doing, you may also change 8), 11), 15), 16)
 > # and the expert options 19), 20), 21), 22) and 23) at the far end, but you
 > # should NOT.
 > #
 > # If you use diald or ISDN autodialing, you might want to set 17).
 > #
 > # To get programs like traceroutes to your firewall to work is a bit tricky,
 > # you have to set the following options to "yes" : 11 (UDP only), 18 and 19.
 > #
 > # Please note that if you use service names, that they exist in /etc/services.
 > # There is no service "dns", it's called "domain"; email is called "smtp" etc.
 > #
 > # *Any* routing between interfaces except masquerading requires to set FW_ROUTE
 > # to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING !
 > #
 > # If you just want to do masquerading without filtering, ignore this script
 > # and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn):
 > #   iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0
 > #   echo 1 > /proc/sys/net/ipv4/ip_forward
 > # and additionally the following lines to get at least a minimum of security:
 > #   iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0
 > #   iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0
 > # ------------------------------------------------------------------------
 >
 > #
 > # 1.)
 > # Should the Firewall be started?
 > #
 > # This setting is done in /etc/rc.config (START_FW2="yes")
 >
 > #
 > # 2.)
 > # Which is the interface that points to the internet/untrusted networks?
 > #
 > # Enter all the network devices here which are untrusted.
 > #
 > # Choice: any number of devices, separated by a space
 > # e.g. "eth0", "ippp0 ippp1 eth0:1"
 > #
 > FW_DEV_EXT="ppp0 ppp1"
 >
 > #
 > # 3.)
 > # Which is the interface that points to the internal network?
 > #
 > # Enter all the network devices here which are trusted.
 > # If you are not connected to a trusted network (e.g. you have just a
 > # dialup) leave this empty.
 > #
 > # Choice: leave empty or any number of devices, separated by a space
 > # e.g. "tr0", "eth0 eth1 eth1:1" or ""
 > #
 > FW_DEV_INT="eth0"
 >
 > #
 > # 4.)
 > # Which is the interface that points to the dmz or dialup network?
 > #
 > # Enter all the network devices here which point to the dmz/dialups.
 > # A "dmz" is a special, separated network, which is only connected to the
 > # firewall, and should be reachable from the internet to provide services,
 > # e.g. WWW, Mail, etc. and hence are at risk from attacks.
 > # See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
 > #
 > # Special note: You have to configure FW_FORWARD to define the services
 > # which should be available to the internet and set FW_ROUTE to yes.
 > #
 > # Choice: leave empty or any number of devices, separated by a space
 > # e.g. "tr0", "eth0 eth1 eth1:1" or ""
 > #
 > FW_DEV_DMZ="ppp0 ppp1"
 >
 > #
 > # 5.)
 > # Should routing between the internet, dmz and internal network be activated?
 > # REQUIRES: FW_DEV_INT or FW_DEV_DMZ
 > #
 > # You need only set this to yes, if you either want to masquerade internal
 > # machines or allow access to the dmz (or internal machines, but this is not
 > # a good idea). This option supersedes IP_FORWARD from /etc/rc.config!
 > #
 > # Setting this option alone doesn't do anything. Either activate
 > # masquerading with FW_MASQUERADE below if you want to masquerade your
 > # internal network to the internet, or configure FW_FORWARD to define
 > # what is allowed to be forwarded!
 > #
 > # Choice: "yes" or "no", defaults to "no"
 > #
 > FW_ROUTE="yes"
 >
 > #
 > # 6.)
 > # Do you want to masquerade internal networks to the outside?
 > # REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE
 > #
 > # "Masquerading" means that all your internal machines which use services on
 > # the internet seem to come from your firewall.
 > # Please note that it is more secure to communicate via proxies to the
 > # internet than masquerading. This option is required for FW_MASQ_NETS and
 > # FW_FORWARD_MASQ.
 > #
 > # Choice: "yes" or "no", defaults to "no"
 > #
 > FW_MASQUERADE="yes"
 > #
 > # You must also define on which interface(s) to masquerade on. This is
 > # normally your external device(s) to the internet.
 > # Most users can leave the default below.
 > #
 > # e.g. "ippp0" or "$FW_DEV_EXT"
 > FW_MASQ_DEV="$FW_DEV_EXT"
 > #
 > # Which internal computers/networks are allowed to access the internet
 > # directly (not via proxys on the firewall)?
 > # Only these networks will be allowed access and will be masqueraded!
 > #
 > # Choice: leave empty or any number of hosts/networks separated by a space.
 > # Every host/network may get a list of allowed services, otherwise everything
 > # is allowed. A target network, protocol and service is appended by a comma to
 > # the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
 > # unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
 > # the 10.0.1.0 network to use www/ftp to the internet.
 > # "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
 > # Set this variable to "0/0" to allow unrestricted access to the internet.
 > #
 > FW_MASQ_NETS="192.168.0.0/16"
 >
 > #
 > # 7.)
 > # Do you want to protect the firewall from the internal network?
 > # REQUIRES: FW_DEV_INT
 > #
 > # If you set this to "yes", internal machines may only access services on
 > # the machine you explicitly allow. They will be also affected from the
 > # FW_AUTOPROTECT_SERVICES option.
 > # If you set this to "no", any user can connect (and attack) any service on
 > # the firewall.
 > #
 > # Choice: "yes" or "no", defaults to "yes"
 > #
 > # "yes" is a good choice
 > FW_PROTECT_FROM_INTERNAL="no"
 >
 > #
 > # 8.)
 > # Do you want to autoprotect all running network services on the firewall?
 > #
 > # If set to "yes", all network access to services TCP and UDP on this machine
 > # will be prevented (except to those which you explicitly allow, see below:
 > # FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
 > #
 > # Choice: "yes" or "no", defaults to "yes"
 > #
 > FW_AUTOPROTECT_SERVICES="yes"
 >
 > #
 > # 9.)
 > # Which services ON THE FIREWALL should be accessible from either the internet
 > # (or other untrusted networks), the dmz or internal (trusted networks)?
 > # (see no.13 & 14 if you want to route traffic through the firewall) XXX
 > #
 > # Enter all ports or known portnames below, separated by a space.
 > # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
 > # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
 > # e.g. if a webserver on the firewall should be accessible from the internet:
 > # FW_SERVICES_EXT_TCP="www"
 > # e.g. if the firewall should receive syslog messages from the dmz:
 > # FW_SERVICES_DMZ_UDP="syslog"
 > # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
 > # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
 > #
 > # Choice: leave empty or any number of ports, known portnames (from
 > # /etc/services) and port ranges separated by a space. Port ranges are
 > # written like this: allow port 1 to 10 -> "1:10"
 > # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
 > # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
 > #
 > # Common: smtp domain
 > FW_SERVICES_EXT_TCP="domain"
 > # Common: domain
 > FW_SERVICES_EXT_UDP="domain"	# Common: domain
 > # For VPN/Routing which END at the firewall!!
 > FW_SERVICES_EXT_IP=""
 > #
 > # Common: smtp domain
 > FW_SERVICES_DMZ_TCP="1:65535"
 > # Common: domain
 > FW_SERVICES_DMZ_UDP="1:65535"
 > # For VPN/Routing which END at the firewall!!
 > FW_SERVICES_DMZ_IP=""
 > #
 > # Common: ssh smtp domain
 > FW_SERVICES_INT_TCP="1:65535"
 > # Common: domain syslog
 > FW_SERVICES_INT_UDP="1:65535"
 > # For VPN/Routing which END at the firewall!!
 > FW_SERVICES_INT_IP=""
 >
 > #
 > # 10.)
 > # Which services should be accessible from trusted hosts/nets?
 > #
 > # Define trusted hosts/networks (doesn't matter if they are internal or
 > # external) and the TCP and/or UDP services they are allowed to use.
 > #
 > # Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
 > # networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
 > # Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
 > # Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
 > #
 > FW_TRUSTED_NETS=""
 >
 > #
 > # 11.)
 > # How is access allowed to high (unprivileged [above 1023]) ports?
 > #
 > # You may either allow everyone from anyport access to your highports ("yes"),
 > # disallow anyone ("no"), anyone who comes from a defined port (portnumber or
 > # known portname) [note that this is easy to circumvent!], or just your
 > # defined nameservers ("DNS").
 > # Note that if you want to use normal (active) ftp, you have to set the TCP
 > # option to ftp-data. If you use passive ftp, you don't need that.
 > # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
 > # from a firewall using this script (well, you can if you include range
 > # 600:1023 in FW_SERVICES_EXT_UDP ...).
 > #
 > # Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
 > #         if not set
 > #
 > # Common: "ftp-data", better is "yes" to be sure that everything else works :-(
 > FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
 > # Common: "DNS" or "domain ntp", better is "yes" to be sure ...
 > FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
 >
 > #
 > # 12.)
 > # Are you running some of the services below?
 > # They need special attention - otherwise they won't work!
 > #
 > # Set services you are running to "yes", all others to "no", defaults to "no"
 > #
 > FW_SERVICE_AUTODETECT="yes"	# Autodetect the services below when starting
 > #
 > # If you are running bind/named set to yes. Remember that you have to open
 > # port 53 (or "domain") as udp/tcp to allow incoming queries.
 > # Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
 > FW_SERVICE_DNS="no"
 > #
 > # if you use dhclient to get an ip address you have to set this to "yes" !
 > FW_SERVICE_DHCLIENT="yes"
 > #
 > # set to "yes" if this server is a DHCP server
 > FW_SERVICE_DHCPD="no"
 > #
 > # set to "yes" if this server is running squid. You still have to open the
 > # tcp port 3128 to allow remote access to the squid proxy service.
 > FW_SERVICE_SQUID="no"
 > #
 > # set to "yes" if this server is running a samba server. You still have to open
 > # the tcp port 139 to allow remote access to SAMBA.
 > FW_SERVICE_SAMBA="no"
 >
 > #
 > # 13.)
 > # Which services accessed from the internet should be allowed to the
 > # dmz (or internal network - if it is not masqueraded)?
 > # REQUIRES: FW_ROUTE
 > #
 > # With this option you may allow access to e.g. your mailserver. The
 > # machines must have valid, non-private, IP addresses which were assigned to
 > # you by your ISP. This opens a direct link to your network, so only use
 > # this option for access to your dmz!!!!
 > #
 > # Choice: leave empty (good choice!) or use the following explained syntax
 > # of forwarding rules, each separated by a space.
 > # A forwarding rule consists of 1) source IP/net and 2) destination IP
 > # separated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
 > # Optional is a protocol, separated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
 > # Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
 > #
 > FW_FORWARD=""		# Beware to use this!
 >
 > #
 > # 14.)
 > # Which services accessed from the internet should be allowed to masqueraded
 > # servers (on the internal network or dmz)?
 > # REQUIRES: FW_ROUTE
 > #
 > # With this option you may allow access to e.g. your mailserver. The
 > # machines must be in a masqueraded segment and may not have public IP addresses!
 > # Hint: if FW_DEV_MASQ is set to the external interface you have to set
 > # FW_FORWARD from internal to DMZ for the service as well to allow access
 > # from internal!
 > #
 > # Please note that this should *not* be used for security reasons! You are
 > # opening a hole to your precious internal network. If e.g. the webserver there
 > # is compromised - your full internal network is compromised!!
 > #
 > # Choice: leave empty (good choice!) or use the following explained syntax
 > # of forward masquerade rules, each separated by a space.
 > # A forward masquerade rule consists of 1) source IP/net, 2) destination IP
 > # (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
 > # separated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
 > # Optional is a port after the destination port, to redirect the request to
 > # a different destination port on the destination IP, e.g.
 > # "4.0.0.0/8,1.1.1.1,tcp,80,81"
 > #
 > FW_FORWARD_MASQ=""		# Beware to use this!
 >
 > #
 > # 15.)
 > # Which accesses to services should be redirected to a localport on the
 > # firewall machine?
 > #
 > # This can be used to force all internal users to surf via your squid proxy,
 > # or transparently redirect incoming webtraffic to a secure webserver.
 > #
 > # Choice: leave empty or use the following explained syntax of redirecting
 > # rules, separated by a space.
 > # A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
 > # 3) protocol (tcp or udp), 4) original destination port and 5) local port to
 > # redirect the traffic to, separated by a comma. e.g.:
 > # "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
 > #
 > FW_REDIRECT=""
 >
 > #
 > # 16.)
 > # Which logging level should be enforced?
 > # You can define to log packets which were accepted or denied.
 > # You can also set the log level, the critical stuff or everything.
 > # Note that logging *_ALL is only for debugging purpose ...
 > #
 > # Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
 > # FW_LOG_*_ALL defaults to "no"
 > #
 > FW_LOG_DROP_CRIT="yes"
 > #
 > FW_LOG_DROP_ALL="no"
 > #
 > FW_LOG_ACCEPT_CRIT="yes"
 > #
 > FW_LOG_ACCEPT_ALL="no"
 > #
 > # only change/activate this if you know what you are doing!
 > FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
 >
 > #
 > # 17.)
 > # Do you want to enable additional kernel TCP/IP security features?
 > # If set to yes, some obscure kernel options are set.
 > # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
 > #  icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexceed_rate,
 > #  ip_local_port_range, log_martians, mc_forwarding,
 > #  rp_filter, routing flush)
 > # Tip: Set this to "no" until you have verified that you have got a
 > # configuration which works for you. Then set this to "yes" and keep it
 > # if everything still works. (It should!) ;-)
 > #
 > # Choice: "yes" or "no", defaults to "yes"
 > #
 > FW_KERNEL_SECURITY="yes"
 >
 > #
 > # 18.)
 > # Keep the routing set on, if the firewall rules are unloaded?
 > # REQUIRES: FW_ROUTE
 > #
 > # If you are using diald, or automatic dialing via ISDN, if packets need
 > # to be sent to the internet, you need to turn this on. The script will then
 > # not turn off routing and masquerading when stopped.
 > # You *might* also need this if you have got a DMZ.
 > # Please note that this is *insecure*! If you unload the rules, but are still
 > # connected, you might leave your internal network open to attacks!
 > # The better solution is to remove "/sbin/SuSEfirewall2 stop" or
 > # "/sbin/init.d/firewall stop" from the ip-down script!
 > #
 > #
 > # Choices "yes" or "no", defaults to "no"
 > #
 > FW_STOP_KEEP_ROUTING_STATE="no"
 >
 > #
 > # 19.)
 > # Allow (or don't) ICMP echo pings on either the firewall or the dmz from
 > # the internet? The internet option is for allowing the DMZ and the internal
 > # network to ping the internet.
 > # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_INTERNET
 > #
 > # Choice: "yes" or "no", defaults to "no" if not set
 > #
 > FW_ALLOW_PING_FW="yes"
 > #
 > FW_ALLOW_PING_DMZ="no"
 > #
 > FW_ALLOW_PING_EXT="no"
 >
 > ##
 > # END of rc.firewall
 > ##
 >
 > #                                                                         #
 > #-------------------------------------------------------------------------#
 > #                                                                         #
 > # EXPERT OPTIONS - all others please don't change these!                  #
 > #                                                                         #
 > #-------------------------------------------------------------------------#
 > #                                                                         #
 >
 > #
 > # 20.)
 > # Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
 > # This is used for traceroutes to your firewall (or traceroute like tools).
 > #
 > # Please note that the unix traceroute only works if you say "yes" to
 > # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
 > # additionally "yes" to FW_ALLOW_PING_FW
 > #
 > # Choice: "yes" or "no", defaults to "no"
 > #
 > FW_ALLOW_FW_TRACEROUTE="yes"
 >
 > #
 > # 21.)
 > # Allow ICMP sourcequench from your ISP?
 > #
 > # If set to yes, the firewall will notice when connection is choking, however
 > # this opens yourself to a denial of service attack. Choose your poison.
 > #
 > # Choice: "yes" or "no", defaults to "yes"
 > #
 > FW_ALLOW_FW_SOURCEQUENCH="yes"
 >
 > #
 > # 22.)
 > # Allow/Ignore IP Broadcasts?
 > #
 > # If set to yes, the firewall will not filter broadcasts by default.
 > # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
 > # option is used.
 > # If you do not want to allow them but want to ignore the annoying log entries,
 > # set FW_IGNORE_FW_BROADCAST to yes.
 > #
 > # Choice: "yes" or "no", defaults to "no"
 > #
 > FW_ALLOW_FW_BROADCAST="no"
 > #
 > FW_IGNORE_FW_BROADCAST="yes"
 >
 > #
 > # 23.)
 > # Allow same class routing per default?
 > # REQUIRES: FW_ROUTE
 > #
 > # Do you want to allow routing between interfaces of the same class
 > # (e.g. between all internet interfaces, or all internal network interfaces)
 > # by default (so without the need to set up FW_FORWARD definitions)?
 > #
 > # Choice: "yes" or "no", defaults to "no"
 > #
 > FW_ALLOW_CLASS_ROUTING="no"
 >
 > #
 > # 25.)
 > # Do you want to load customary rules from a file?
 > #
 > # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
 > # READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
 > #
 > #FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
 >
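The file header (its minimal masquerading lines) and sections 2) to 6) describe what the script builds from FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ, FW_ROUTE and FW_MASQUERADE. The following is an added example, not part of the mail or of SuSEfirewall2: a small POSIX shell helper that reads those settings from a constructed config snippet modelled on the one above, reports any device listed in more than one interface class (the three lists are meant to be disjoint), and prints, without executing, the header's minimal rule set for each external device. The function names, the sample config and the dry-run output are my assumptions.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: sanity-check the interface classes
# of a firewall2.rc.config and print the minimal masquerading rule set that
# the file header describes, adapted to the configured external devices.

# Constructed sample, modelled on the settings in the mail (assumption: the
# file consists of plain KEY="value" shell assignments, as the real one does).
SAMPLE_CONFIG='
FW_DEV_EXT="ppp0 ppp1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="ppp0 ppp1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
'

# cfg_get CONFIG KEY: print the quoted value of KEY="..." (first match only).
# The text is parsed with sed rather than sourced, so nothing in it executes.
cfg_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# overlapping_devs CONFIG: print, space separated, every device that appears
# in more than one of FW_DEV_EXT, FW_DEV_INT and FW_DEV_DMZ. The script treats
# the three lists as distinct classes (untrusted, trusted, dmz), so a device
# in two of them receives the rules of both, which is never what is intended.
overlapping_devs() {
    ext=$(cfg_get "$1" FW_DEV_EXT)
    int=$(cfg_get "$1" FW_DEV_INT)
    dmz=$(cfg_get "$1" FW_DEV_DMZ)
    for dev in $ext $int $dmz; do printf '%s\n' "$dev"; done \
        | sort | uniq -d | tr '\n' ' ' | sed 's/ $//'
}

# masq_rules CONFIG: print (do not run) the header's minimal masquerading
# commands for each external device. Returns 1 when FW_ROUTE or FW_MASQUERADE
# is not "yes", because then there is nothing to masquerade.
masq_rules() {
    if [ "$(cfg_get "$1" FW_ROUTE)" != yes ] ||
       [ "$(cfg_get "$1" FW_MASQUERADE)" != yes ]; then
        echo "# FW_ROUTE and FW_MASQUERADE must both be yes" >&2
        return 1
    fi
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
    for dev in $(cfg_get "$1" FW_DEV_EXT); do
        # NAT everything leaving through the external device ...
        echo "iptables -t nat -A POSTROUTING -o $dev -j MASQUERADE"
        # ... and refuse new or invalid connections arriving on it, both to
        # the firewall itself and to anything it would forward them to.
        echo "iptables -A INPUT -i $dev -m state --state NEW,INVALID -j DROP"
        echo "iptables -A FORWARD -i $dev -m state --state NEW,INVALID -j DROP"
    done
}

# Stand-alone use (./check.sh --demo): report overlaps, then show the rules.
if [ "${1:-}" = "--demo" ]; then
    dup=$(overlapping_devs "$SAMPLE_CONFIG")
    [ -z "$dup" ] || echo "device(s) in more than one class: $dup" >&2
    masq_rules "$SAMPLE_CONFIG"
fi
```

For the sample above the overlap report lists ppp0 and ppp1, since they appear in both FW_DEV_EXT and FW_DEV_DMZ; the printed commands are for review only and need root to apply.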