
Thread: SuSefirewall2 is not working

  1. #1

    SuSefirewall2 is not working

    FW_DEV_EXT="eth0"
    FW_DEV_INT="eth1"
    FW_DEV_DMZ=""
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="zone:ext"
    FW_MASQ_NETS="172.16.0.0/24,0/0,icmp 172.16.0.0/24,0/0,tcp,22"
    FW_NOMASQ_NETS=""
    FW_PROTECT_FROM_INT="yes"
    FW_SERVICES_EXT_TCP="111:142 144:388 1:24 26:109 3261:3305 3307:5800 390:630 5802:5900 5902:65535 632:635 637:872 874:992 994 996:3259"
    FW_SERVICES_EXT_UDP="domain ipsec-nat-t isakmp"
    FW_SERVICES_EXT_IP="esp"
    FW_SERVICES_EXT_RPC=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_DMZ_RPC=""
    FW_CONFIGURATIONS_DMZ=""
    FW_SERVICES_INT_TCP="domain"
    FW_SERVICES_INT_UDP="domain"
    FW_SERVICES_INT_IP=""
    FW_SERVICES_INT_RPC=""
    FW_CONFIGURATIONS_INT="bind sshd"
    FW_SERVICES_DROP_EXT=""
    FW_SERVICES_DROP_DMZ=""
    FW_SERVICES_DROP_INT=""
    FW_SERVICES_REJECT_EXT=""
    FW_SERVICES_REJECT_DMZ=""
    FW_SERVICES_REJECT_INT=""
    FW_SERVICES_ACCEPT_EXT="0/0,tcp 0/0,udp"
    FW_SERVICES_ACCEPT_INT="0/0,tcp 0/0,udp"
    FW_SERVICES_ACCEPT_RELATED_EXT=""
    FW_SERVICES_ACCEPT_RELATED_DMZ=""
    FW_SERVICES_ACCEPT_RELATED_INT=""
    FW_TRUSTED_NETS="172.16.0.0/24 192.168.0.0/24,icmp 192.168.0.0/24,tcp,22"
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
    FW_FORWARD=""
    FW_FORWARD_REJECT=""
    FW_FORWARD_DROP=""
    FW_FORWARD_MASQ=""
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="no"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="no"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG_LIMIT=""
    FW_LOG=""
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="no"

    ## Type: yesno
    ## Default: yes
    #
    # Allow ICMP sourcequench from your ISP?
    #
    # If set to yes, the firewall will notice when connection is choking, however
    # this opens yourself to a denial of service attack. Choose your poison.
    #
    # Defaults to "yes" if not set
    #
    FW_ALLOW_FW_SOURCEQUENCH=""

    ## Type: string(yes,no)
    #
    # Allow IP Broadcasts?
    #
    # Whether the firewall allows broadcasts packets.
    # Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
    #
    # If you want to drop broadcasts however ignore the annoying log entries, set
    # FW_IGNORE_FW_BROADCAST_* to yes.
    #
    # Note that if you allow specific ports here it just means that broadcast
    # packets for that port are not dropped. You still need to set
    # FW_SERVICES_*_UDP to actually allow regular unicast packets to
    # reach the applications.
    #
    # Format: either
    # - "yes" or "no"
    # - list of udp destination ports
    #
    # Examples: - "631 137" allow broadcast packets on port 631 and 137
    # to enter the machine but drop any other broadcasts
    # - "yes" do not install any extra drop rules for
    # broadcast packets. They'll be treated just as unicast
    # packets in this case.
    # - "no" drop all broadcast packets before other filtering
    # rules
    #
    # defaults to "no" if not set
    #
    FW_ALLOW_FW_BROADCAST_EXT="no"

    ## Type: string
    #
    # see comments for FW_ALLOW_FW_BROADCAST_EXT
    FW_ALLOW_FW_BROADCAST_INT="no"

    ## Type: string
    #
    # see comments for FW_ALLOW_FW_BROADCAST_EXT
    FW_ALLOW_FW_BROADCAST_DMZ="no"

    ## Type: string(yes,no)
    #
    # Suppress logging of dropped broadcast packets. Useful if you don't allow
    # broadcasts on a LAN interface.
    #
    # This setting only affects packets that are not allowed according
    # to FW_ALLOW_FW_BROADCAST_*
    #
    # Format: either
    # - "yes" or "no"
    # - list of udp destination ports
    #
    # Examples: - "631 137" silently drop broadcast packets on port 631 and 137
    # - "yes" do not log dropped broadcast packets
    # - "no" log all dropped broadcast packets
    #
    #
    # defaults to "no" if not set
    FW_IGNORE_FW_BROADCAST_EXT="yes"

    ## Type: string
    #
    # see comments for FW_IGNORE_FW_BROADCAST_EXT
    FW_IGNORE_FW_BROADCAST_INT="yes"

    ## Type: string
    #
    # see comments for FW_IGNORE_FW_BROADCAST_EXT
    FW_IGNORE_FW_BROADCAST_DMZ="yes"

    ## Type: list(yes,no,int,ext,dmz,)
    ## Default: no
    #
    # Specifies whether routing between interfaces of the same zone should be allowed
    # Requires: FW_ROUTE="yes"
    #
    # Set this to allow routing between interfaces in the same zone,
    # e.g. between all internet interfaces, or all internal network
    # interfaces.
    #
    # Caution: Keep in mind that "yes" affects all zones, i.e. even if you
    # need intra-zone routing only in the internal zone, setting this
    # parameter to "yes" would allow routing between all external
    # interfaces as well. It's better to use
    # FW_ALLOW_CLASS_ROUTING="int" in this case.
    #
    # Choice: "yes", "no", or space separate list of zone names
    #
    # Defaults to "no" if not set
    #
    FW_ALLOW_CLASS_ROUTING=""

    ## Type: string
    #
    # Do you want to load custom rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOM RULES FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    #
    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    FW_CUSTOMRULES=""

    ## Type: yesno
    ## Default: no
    #
    # Do you want to REJECT packets instead of DROPing?
    #
    # DROPing (which is the default) will make portscans and attacks much
    # slower, as no replies to the packets will be sent. REJECTing means, that
    # for every illegal packet, a connection reject packet is sent to the
    # sender.
    #
    # Choice: "yes" or "no", if not set defaults to "no"
    #
    # Defaults to "no" if not set
    #
    # You may override this value on a per zone basis by using a zone
    # specific variable, e.g. FW_REJECT_DMZ="yes"
    #
    FW_REJECT=""

    ## Type: yesno
    ## Default: no
    #
    # see FW_REJECT for description
    #
    # default config file setting is "yes" assuming that slowing down
    # portscans is not strictly required in the internal zone even if
    # you protect yourself from the internal zone
    #
    FW_REJECT_INT="yes"

    ## Type: string
    #
    # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
    # for more information about HTB see http://www.lartc.org
    #
    # If your download collapses while you have a parallel upload,
    # this parameter might be an option for you. It manages your
    # upload stream and reserves bandwidth for special packets like
    # TCP ACK packets or interactive SSH.
    # It's a list of devices and maximum bandwidth in kbit.
    # For example, the german TDSL account, provides 128kbit/s upstream
    # and 768kbit/s downstream. We can only tune the upstream.
    #
    # Example:
    # If you want to tune a 128kbit/s upstream DSL device like german TDSL set
    # the following values:
    # FW_HTB_TUNE_DEV="dsl0,125"
    # where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
    #
    # you might wonder why 125kbit/s and not 128kbit/s. Well, practically you'll
    # get better performance if you keep the value a few percent under your
    # real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
    # its own buffers, because queuing is done by us now.
    # So for a 256kbit upstream
    # FW_HTB_TUNE_DEV="dsl0,250"
    # might be a better value than "dsl0,256". There is no perfect value for a
    # special kind of modem. The perfect value depends on what kind of traffic you
    # have on your line but 5% under your maximum upstream might be a good start.
    # Everything else is special fine tuning.
    # If you want to know more about the technical background,
    # ADSL Bandwidth Management HOWTO
    # is a good start
    #
    FW_HTB_TUNE_DEV=""

    ## Type: list(no,drop,reject)
    ## Default: drop
    #
    # What to do with IPv6 Packets?
    #
    # On older kernels ip6tables was not stateful so it's not possible to implement
    # the same features as for IPv4 on such machines. For these there are three
    # choices:
    #
    # - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
    # traffic unless you setup your own rules.
    #
    # - drop: drop all IPv6 packets.
    #
    # - reject: reject all IPv6 packets. This is the default if stateful matching is
    # not available.
    #
    # Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
    # addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
    #
    # Leave empty to automatically detect whether your kernel supports stateful matching.
    #
    FW_IPv6=""

    ## Type: yesno
    ## Default: yes
    #
    # Reject outgoing IPv6 Packets?
    #
    # Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
    # does only make sense with FW_IPv6 != no
    #
    # Defaults to "yes" if not set
    #
    FW_IPv6_REJECT_OUTGOING=""

    ## Type: list(yes,no,int,ext,dmz,)
    ## Default: no
    #
    # Trust level of IPsec packets.
    #
    # You do not need to change this if you do not intend to run
    # services that should only be available through an IPsec tunnel.
    #
    # The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
    # are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
    # packets belong to the same zone as the interface they arrive on.
    #
    # Note: you still need to explicitly allow IPsec traffic.
    # Example:
    # FW_IPSEC_TRUST="int"
    # FW_SERVICES_EXT_IP="esp"
    # FW_SERVICES_EXT_UDP="isakmp"
    # FW_PROTECT_FROM_INT="no"
    #
    # Defaults to "no" if not set
    #
    FW_IPSEC_TRUST="no"

    ## Type: string
    ## Default:
    #
    # Define additional firewall zones
    #
    # The built-in zones INT, EXT and DMZ must not be listed here. Names
    # of additional zones must only contain lowercase ascii characters.
    # To define rules for the additional zone, take the appropriate
    # variable for a built-in zone and substitute INT/EXT/DMZ with the
    # name of the additional zone.
    #
    # Example:
    # FW_ZONES="wlan"
    # FW_DEV_wlan="wlan0"
    # FW_SERVICES_wlan_TCP="80"
    # FW_ALLOW_FW_BROADCAST_wlan="yes"
    #
    FW_ZONES=""

    ## Type: string(no,auto)
    ## Default:
    #
    # Set default firewall zone
    #
    # Format: 'auto', 'no' or name of zone.
    #
    # When set to 'no' no firewall rules will be installed for unknown
    # or unconfigured interfaces. That means traffic on such interfaces
    # hits the default drop rules.
    #
    # When left empty or when set to 'auto' the zone that has the
    # interface string 'any' configured is used for all unconfigured
    # interfaces (see FW_DEV_EXT). If no 'any' string was found the
    # external zone is used.
    #
    # When a default zone is defined a catch all rule redirects traffic
    # from interfaces that were not present at the time SuSEfirewall2
    # was run to the default zone. Normally SuSEfirewall2 needs to be
    # run if new interfaces appear to avoid such unknown interfaces.
    #
    # Default to 'auto' if not set
    #
    FW_ZONE_DEFAULT=""

    ## Type: list(yes,no,auto,)
    ## Default:
    #
    # Whether to use iptables-batch
    #
    # iptables-batch commits all rules in an almost atomic way similar
    # to iptables-restore. This avoids excessive iptables calls and race
    # conditions.
    #
    # Choice:
    # - yes: use iptables-batch if available and warn if it isn't
    # - no: don't use iptables-batch
    # - auto: use iptables-batch if available, silently fall back to
    # iptables if it isn't
    #
    # Defaults to "auto" if not set
    #
    FW_USE_IPTABLES_BATCH=""

    ## Type: string
    ## Default:
    #
    # Which additional kernel modules to load at startup
    #
    # Example:
    # FW_LOAD_MODULES="nf_conntrack_netbios_ns"
    #
    # See also FW_SERVICES_ACCEPT_RELATED_EXT
    #
    FW_LOAD_MODULES="nf_conntrack_netbios_ns"

    ## Type: string
    ## Default:
    #
    # Bridge interfaces without IP address
    #
    # Traffic on bridge interfaces like the one used by xen appears to
    # enter and leave on the same interface. Add such interfaces here in
    # order to install special permitting rules for them.
    #
    # Format: list of interface names separated by space
    #
    # Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
    #
    # Example:
    # FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
    #
    FW_FORWARD_ALWAYS_INOUT_DEV=""

    ## Type: string
    ## Default:
    #
    # Whether traffic that is only bridged but not routed should be
    # allowed. Such packets appear to pass through the forward chain so
    # normally they would be dropped.
    #
    # Note: it is not possible to configure SuSEfirewall2 as bridging
    # firewall. This option merely controls whether SuSEfirewall2 should
    # try to not interfere with bridges.
    #
    # Choice:
    # - yes: always install a rule to allow bridge traffic
    # - no: don't install a rule to allow bridge traffic
    # - auto: install rule only if there are bridge interfaces
    #
    # Defaults to "auto" if not set
    #
    FW_FORWARD_ALLOW_BRIDGING=""

    ## Type: yesno
    ## Default: yes
    #
    # Write status information to /var/run/SuSEfirewall2/status for use
    # by e.g. graphical user interfaces. Can safely be disabled on
    # servers.
    #
    # Defaults to "yes" if not set
    #
    FW_WRITE_STATUS=""

    ## Type: yesno
    ## Default: yes
    #
    # Allow dynamic configuration overrides in
    # /var/run/SuSEfirewall2/override for use by e.g. graphical user
    # interfaces. Can safely be disabled on servers.
    #
    # Defaults to "yes" if not set
    #
    FW_RUNTIME_OVERRIDE=""

    ## Type: yesno
    ## Default: yes
    #
    # Install NOTRACK target for interface lo in the raw table. Doing so
    # speeds up packet processing on the loopback interface. This breaks
    # certain firewall setups that need to e.g. redirect outgoing
    # packets via custom rules on the local machine.
    #
    # Defaults to "yes" if not set
    #
    FW_LO_NOTRACK=""

    ## Type: yesno
    ## Default: no
    #
    # Specifies whether /etc/init.d/SuSEfirewall2_init should install the
    # full rule set already. Default is to just install minimum rules
    # that block incoming traffic. Set to "yes" if you use services
    # such as drbd that require open ports during boot already.
    #
    # Defaults to "no" if not set
    #
    FW_BOOT_FULL_INIT=""

    Here is my configuration file. I am also running a child proxy on this server, which is 172.16.0.1. I want this firewall to work so that no host is allowed to go out except 172.16.0.1; even if I stop the firewall, hosts can still access the internet. What is my error up there?


    Please, thanks in advance.
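The posted configuration can be checked mechanically rather than by eye. What follows is an added example written for this thread, not code from SuSEfirewall2 or from the poster. It parses the sysconfig format, expands the FW_SERVICES_EXT_TCP port list to see what is actually left closed, and flags FW_SERVICES_ACCEPT_* entries of the form 0/0,proto, which accept a whole protocol from any source so that the per-zone port lists never get a chance to match. The field layouts it relies on (FW_SERVICES_ACCEPT_<ZONE> as net,proto[,dport[,sport]], FW_MASQ_NETS as source[,dest[,proto[,port]]]) come from the SuSEfirewall2 documentation and are not shown on this page, so treat them as assumptions; the sample below is a constructed excerpt of the configuration in #1.

```python
"""Audit a SuSEfirewall2 sysconfig file for accept-everything settings.

Added example for this thread; not code from SuSEfirewall2 or the poster.
Field layouts assumed from the SuSEfirewall2 documentation:
  FW_SERVICES_ACCEPT_<ZONE>  entries "net,proto[,dport[,sport]]"
  FW_SERVICES_<ZONE>_TCP     ports, "low:high" ranges or service names
  FW_MASQ_NETS               entries "source[,dest[,proto[,port]]]"
"""
import re

# Constructed excerpt of the configuration posted in #1.
SAMPLE_CONF = '''
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="172.16.0.0/24,0/0,icmp 172.16.0.0/24,0/0,tcp,22"
FW_SERVICES_EXT_TCP="111:142 144:388 1:24 26:109 3261:3305 3307:5800 390:630 5802:5900 5902:65535 632:635 637:872 874:992 994 996:3259"
FW_SERVICES_EXT_UDP="domain ipsec-nat-t isakmp"
FW_SERVICES_ACCEPT_EXT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_INT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_FORWARD=""
## Type: yesno
FW_ALLOW_PING_FW="yes"
'''

_ASSIGN = re.compile(r'^\s*(FW_[A-Za-z0-9_]+)\s*=\s*"?([^"#]*?)"?\s*$')


def parse_sysconfig(text):
    """Map FW_* variables to their values; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2).strip()
    return conf


def tcp_ports_opened(spec):
    """Expand a FW_SERVICES_*_TCP value into the numeric ports it opens.
    Service names such as "domain" are skipped; resolve them via /etc/services."""
    ports = set()
    for item in spec.split():
        lo, _, hi = item.partition(':')
        if lo.isdigit() and (hi.isdigit() or not hi):
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def tcp_ports_not_opened(spec):
    """Ports 1-65535 that a FW_SERVICES_*_TCP value leaves closed."""
    return sorted(set(range(1, 65536)) - tcp_ports_opened(spec))


def accept_all_entries(conf):
    """(variable, entry) pairs that accept a whole protocol from any source."""
    hits = []
    for var, val in conf.items():
        if var.startswith('FW_SERVICES_ACCEPT_') and 'RELATED' not in var:
            for entry in val.split():
                fields = entry.split(',')
                # "0/0,tcp" carries no dport field, so every TCP packet matches
                if fields[0] in ('0/0', '0.0.0.0/0') and len(fields) == 2:
                    hits.append((var, entry))
    return hits


def masq_entries(conf):
    """FW_MASQ_NETS entries as dicts. Together with FW_FORWARD these are the
    variables that decide which routed clients may leave through the box."""
    out = []
    for entry in conf.get('FW_MASQ_NETS', '').split():
        src, dst, proto, port = (entry.split(',') + [''] * 3)[:4]
        out.append({'src': src, 'dst': dst or '0/0',
                    'proto': proto or 'any', 'port': port or 'any'})
    return out


def audit(text):
    """Human-readable findings for one configuration file."""
    conf = parse_sysconfig(text)
    findings = []
    for var, entry in accept_all_entries(conf):
        zone = var.rsplit('_', 1)[1]
        findings.append(f'{var}="{entry}" accepts all {entry.split(",")[1]} from '
                        f'anywhere; the FW_SERVICES_{zone}_* port lists are irrelevant')
    closed = tcp_ports_not_opened(conf.get('FW_SERVICES_EXT_TCP', ''))
    if len(closed) < 1024:
        findings.append(f'FW_SERVICES_EXT_TCP opens every TCP port except {closed}')
    if conf.get('FW_ROUTE') == 'yes' and conf.get('FW_MASQUERADE') == 'yes':
        for m in masq_entries(conf):
            findings.append(f'NAT lets {m["src"]} reach {m["dst"]} ({m["proto"]}/{m["port"]})')
    return findings


if __name__ == '__main__':
    for line in audit(SAMPLE_CONF):
        print(line)
```

On the posted values the audit reports that FW_SERVICES_EXT_TCP leaves only 13 TCP ports closed (25, 110, 143, 389, 631, 636, 873, 993, 995, 3260, 3306, 5801 and 5901), and that FW_SERVICES_ACCEPT_EXT and FW_SERVICES_ACCEPT_INT admit all TCP and UDP from 0/0 regardless, so the external interface is effectively wide open to inbound traffic. None of these variables says anything about traffic the firewall host itself originates; they describe what may come in (FW_SERVICES_*) and what routed clients may have forwarded and masqueraded (FW_MASQ_NETS, FW_FORWARD).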

  2. #2

    Re: SuSefirewall2 is not working

    PLEASE, please, put computer text between CODE tags (Posting in Code Tags - A Guide) to keep it manageable and readable.

    Also, telling AT LEAST which openSUSE level you use spares you and us an extra round of questioning.
    Henk van Velden

  3. #3

    Re: SuSefirewall2 is not working

    On 2011-04-04 16:36, samhela wrote:

    > Here is my configuration file. I am also running a child proxy on this
    > server, which is 172.16.0.1. I want this firewall to work so that no host is
    > allowed to go out except 172.16.0.1; even if I stop the firewall, hosts can
    > still access the internet. What is my error up there?


    SuSEfirewall does not block outgoing connections at all.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)
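The claim in #3 is easy to verify on the box itself: dump the live rule set with iptables-save and look at the OUTPUT chain, which is the only chain that locally originated packets (for instance the proxy's own upstream connections) traverse; INPUT and FORWARD see only inbound and routed traffic. The following is an added example, not code from SuSEfirewall2 or from anyone in the thread. The dump it parses is constructed to resemble a SuSEfirewall2 rule set (the chain names input_ext, forward_ext and reject_func are SuSEfirewall2's; the individual rules and policies are a simplified assumption), so pipe real `iptables-save` output into it to get an answer for your own host.

```python
"""Does an iptables-save dump filter locally generated (OUTPUT) traffic?

Added example for this thread; not code from SuSEfirewall2 or the posters.
SAMPLE_DUMP is constructed: the chain names input_ext/forward_ext/reject_func
are SuSEfirewall2's, the individual rules are a simplified assumption.
"""
import re
import sys

SAMPLE_DUMP = '''\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -j DROP
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -s 172.16.0.0/24 -i eth1 -o eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o lo -j ACCEPT
-A forward_ext -j reject_func
-A input_ext -p tcp --dport 22 -j ACCEPT
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -j REJECT --reject-with icmp-port-unreachable
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -j MASQUERADE
COMMIT
'''

_JUMP = re.compile(r'(?:^|\s)-j\s+(\S+)')


def parse_table(dump, table='filter'):
    """Return (policies, rules) for one table: {chain: policy} and {chain: [rules]}."""
    policies, rules, current = {}, {}, None
    for line in dump.splitlines():
        if line.startswith('*'):
            current = line[1:].strip()
        elif current != table:
            continue
        elif line.startswith(':'):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy          # '-' for user-defined chains
            rules.setdefault(chain, [])
        elif line.startswith('-A '):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules


def can_block(policies, rules, chain, _seen=None):
    """True if the chain's policy, a rule in it, or a user chain it jumps to
    can DROP or REJECT a packet."""
    seen = _seen if _seen is not None else set()
    if chain in seen:
        return False
    seen.add(chain)
    if policies.get(chain) in ('DROP', 'REJECT'):
        return True
    for rule in rules.get(chain, []):
        m = _JUMP.search(rule)
        target = m.group(1) if m else None
        if target in ('DROP', 'REJECT'):
            return True
        if target in rules and can_block(policies, rules, target, seen):
            return True
    return False


def filtering_summary(dump):
    """Which of the three built-in filter chains can drop anything at all."""
    policies, rules = parse_table(dump, 'filter')
    return {chain: can_block(policies, rules, chain)
            for chain in ('INPUT', 'FORWARD', 'OUTPUT')}


if __name__ == '__main__':
    # On a live host: iptables-save | python3 this_script.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for chain, blocks in filtering_summary(text).items():
        print(f'{chain}: {"filters" if blocks else "accepts everything"}')
```

For the constructed dump the summary is INPUT and FORWARD filtering, OUTPUT accepting everything: the proxy process on the firewall host can connect anywhere regardless of what the FW_* variables say, which is what #3 states. Restricting what that host itself sends out would need rules in OUTPUT, e.g. via the FW_CUSTOMRULES hook mentioned in the posted configuration.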
