
Thread: Firewall allowed services question

  1. #1

    Firewall allowed services question

    I have read a lot about the SuSE firewall, but I have a lingering question.

    I have one ethernet card and it is assigned as "external zone". I have one service allowed for the external zone: SSH.

    My question is...if I only have SSH allowed, why does my web browser still access the internet?

    Is all internet browsing allowed by the firewall by default? Are there other services that the firewall allows that are not listed in Yast?

    If I wanted to configure the firewall to disable all internet access...or even all network access of any kind...how would I do this?

    Thanks,
    Brian
    OS: Linux 2.6.27.29-0.1-default x86_64
    System: openSUSE 11.1 (x86_64)
    KDE: 4.1.3 (KDE 4.1.3) "release 4.10.4"

  2. #2

    Re: Firewall allowed services question

    The firewall does not normally block outgoing traffic (like your browser connecting to an http server on the Internet). It does block incoming connection requests (like someone on the Internet trying to SSH to your system, which you just allowed as you said).
    Henk van Velden

  3. #3

    Re: Firewall allowed services question

    Quote Originally Posted by traderbam:
        If I wanted to configure the firewall to disable all internet access...or even all network access of any kind...how would I do this?
    I would do this with a special hardware firewall (will be installed at /dev/ethernet/cable).

    (scnr)

  4. #4

    Re: Firewall allowed services question

    That'll do it.

  5. #5

    Re: Firewall allowed services question

    Quote Originally Posted by hcvv:
        The firewall does not normally block outgoing traffic (like your browser connecting to an http server on the Internet). It does block incoming connection requests (like someone on the Internet trying to SSH to your system, which you just allowed as you said).
    Ok. To selectively block outgoing traffic, I suppose I would have to do something fancy with iptables.

  6. #6

    Re: Firewall allowed services question

    I hope you understand that the openSUSE Firewall is using iptables. YaST > Security > Firewall is a GUI to a file where a configuration is stored. That configuration is used on every boot to generate the iptables rules.

    As I see it, the Firewall is there to block/allow traffic from outside to enter your system. The outside can be split up in External, Internal and Demilitarised Zones when you have more than one NIC. So I doubt if there is a place in YaST > Security > Firewall to accommodate what you want. But as I never tried to do this, I may be wrong.

    You could look at /etc/sysconfig/SuSEfirewall2. It contains some documentation and refers to other files (also with documentation) on your system.

    As you apparently want to allow SSH from outside, the solution provided by Akoellh might not be what you are looking for, but you could deinstall browsers, ntp, ... all sorts of client software. Pfff! When you do not need a DE on the system (I do not know what you are intending to do with it), you could start making it text-only, which will remove a lot of TCP/IP clients.

    HTH
    Henk van Velden

  7. #7

    Re: Firewall allowed services question

    I don't get it. If you do not want any network, just stop the network. You can temporarily do that (until reboot) with:
    rcnetwork stop
    This will stop any network activity until reboot.
    If you want to always disable networking of any kind, go to YaST System Services and deselect network in your current runlevels. That is all you need to do.

  8. #8

    Re: Firewall allowed services question

    Ok. I could shut down services.
    My question was about my trying to understand the firewall behaviour. I thought I had observed that local Samba will not work unless the firewall allows it to access the network. IOW the firewall blocks both inbound and outbound applications/services sometimes. This observation led me to assume the firewall blocks anything in either direction unless it is listed as "allowed".

    My assumption isn't right. Not the first time!

    So I am now wondering what the boundaries of the firewall are with regard to limiting outgoing stuff.

    The background is that I am experimenting with SSH across the Atlantic to a SuSE PC on my brother's LAN. He runs Windows machines on the same LAN and he is sort of paranoid about viruses and such and is a little wary of my experiments with Linux. He had also heard that Linux is an open route to trojans because it doesn't use anti-virus and firewalls. I happen to think his fears are misplaced, but as an easy gesture I thought I'd apply the SuSE firewall to block any possibility of an app browsing his LAN.

    This is why I wanted to know what local applications the firewall allows by default.

  9. #9

    Re: Firewall allowed services question

    By "firewall" I mean the firewall GUI in Yast2.

  10. #10

    Re: Firewall allowed services question

    As for the boundaries well,

    open all => block all

    So pretty wide....

    But tbh you seem to be tackling this wrong.
    Code:
    Linux | shared lan <-> Windows

    *Surely this is better*

    Linux   No shared lan   | Windows
    As for doing that on Windows, I wouldn't have a clue, but on Linux, as mentioned, the firewall is just a front end to iptables and you have a wealth of tools, from matching by port/ip/uid/state etc. etc.

    As for your brother's concern, I would be asking for proof. But to me you're asking "how do I secure the gate from the outside", and the answer is you can't. What if *hypothetically* you're owned, which if I was your brother I would be more concerned with, as you have an SSH server running? What stops them bringing the wall down? And then, let's say you get some rules on the network... The new questions become how do I stop MAC spoofing, IP changing etc. etc. on the Windows firewall/network.

    As for your brother's unfounded fears, there are more problems with trojans etc. and MS software due to the many people running their OS with elevated rights, due to the inconvenience of having a separate admin account. Whereas with Linux this is practically a God-spoken rule.

    I would ask him how he guarantees that a file isn't executed on his systems, as on Linux this involves several tricks; then I would ask how to automate an install of an app on a Linux system with root rights. When he discovers this isn't quite as easy as spoken, maybe the argument will have to change.

    As for adding rules etc., iptables -L will show all the rules, and some basic understanding of them will help; for one-offs whilst experimenting you can add them to the chains, but they won't last a reboot. To make them last a reboot will involve using the custom bit of the firewall; read the SuSEfirewall2 conf file, it is well documented. But this in my eyes is the wrong way to do this: shut the gate from the inside if your brother is concerned (and I suspect this will be easier with iptables than anything like an off-the-shelf firewall for MS). But should you go this way you'll become quite intimate with all the networking protocols; a fair few use dynamic ports for outgoing, and you and netstat will become best of friends.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.
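As an added illustration of the "shut the gate from the inside" approach from the post above (example code, not from the thread or from SuSEfirewall2): a small sh script that prints the iptables OUTPUT-chain rules which stop programs on the Linux box from opening anything new towards the LAN it sits on, while an inbound SSH session the firewall already allows still gets its replies. The chain name LAN_EGRESS, the log prefix and the 192.168.1.0/24 subnet are my own choices, the subnet being a constructed placeholder you replace with the real one.

```shell
#!/bin/sh
# Added example, not code from the thread. egress_rules prints iptables
# commands; apply them as root with:   egress_rules 192.168.1.0/24 | sh
# Like any hand-added rule they vanish at reboot unless moved into the
# custom-rules file that /etc/sysconfig/SuSEfirewall2 documents.

validate_cidr() {
    # Accept only a.b.c.d/n, so the value cannot smuggle shell text
    # into the commands printed below.
    case "$1" in
        ''|*[!0-9./]*|*/*/*|*..*|.*|*.|*/.*|*./*) return 1 ;;
    esac
    ip="${1%/*}"; bits="${1#*/}"
    [ "$ip" != "$1" ] && [ -n "$bits" ] || return 1   # the /n part is required
    [ "$bits" -le 32 ] || return 1
    set -- $(echo "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

egress_rules() {
    validate_cidr "$1" || { echo "egress_rules: bad CIDR '$1'" >&2; return 1; }
    cat <<EOF
iptables -N LAN_EGRESS 2>/dev/null
iptables -F LAN_EGRESS
# Packets belonging to connections the LAN side opened (your brother's SSH
# session into this box) are answered; nothing new is started from here.
iptables -A LAN_EGRESS -m state --state ESTABLISHED,RELATED -j ACCEPT
# Every other attempt towards the LAN is logged (rate limited) and dropped,
# so the kernel log shows which local program tried.
iptables -A LAN_EGRESS -m limit --limit 5/min -j LOG --log-prefix "LAN-EGRESS-DROP "
iptables -A LAN_EGRESS -j DROP
# Jump into the chain only for traffic addressed to the LAN subnet; the -D
# first keeps a re-run of the script from stacking duplicate jumps.
iptables -D OUTPUT -d $1 -j LAN_EGRESS 2>/dev/null
iptables -I OUTPUT 1 -d $1 -j LAN_EGRESS
EOF
}
```

Anything the box itself must start towards the LAN (DNS on the router, for instance) needs its own ACCEPT line above the LOG/DROP pair, and `iptables -L LAN_EGRESS -v -n` shows the hit counters while you tune it.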
