Firewall

Hi all,

I am having problems configuring SuSE Firewall.

I have a server configured with 2 NICs (LAN + INTERNET), serving DNS and HTTP (virtual host) on the Internet, and serving DNS and HTTP (default server) on the LAN. The virtual host is configured to serve only on the Internet, the default server only on the LAN. They are not the same.

The problem is that I cannot connect to the (external) web server from any workstation on the LAN, while any Internet address can connect to the external web server.

The following is logged in /var/log/messages:

Sep 4 12:22:39 servername kernel: martian source ext.ern.al.ip from int.ern.al.ip, on dev eth1
Sep 4 12:22:39 servername kernel: ll header: 00:1a:64:98:b8:b0:00:1e:7a:55:6f:06:08:00

The option FW_KERNEL_SECURITY is set to yes in /etc/sysconfig/SuSEfirewall2.

If I set it to no, then I can access the external HTTP server from LAN workstations.

My question is: is setting the FW_KERNEL_SECURITY option to no a security risk, and if so, how should I configure the firewall to allow LAN addresses to connect to the web server (which resides on the Internet side)? Any other suggestion for securing the server is also welcome.

If any other info is needed please say so…

I am running openSuSE 11 x64 on IBM x3550.
Here comes full /etc/sysconfig/SuSEfirewall2 which doesn’t allow LAN machines access to external http server:

FW_DEV_EXT="any eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="80 domain"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP="domain"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="apache2 apache2-ssl sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="no"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
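The "martian source" line in the post is the kernel's reverse-path filter (net.ipv4.conf.*.rp_filter, one of the sysctls that FW_KERNEL_SECURITY="yes" enables) reporting a packet whose source address is not routed back out through the interface it arrived on; the kernel prints the message as "martian source DESTINATION from SOURCE, on dev INTERFACE". The script below is an added example, not code from the post or from SuSEfirewall2: it parses such a log line and replays the reverse-path check against a routing table in `ip route` format, so you can see why the packet was dropped before deciding whether to weaken FW_KERNEL_SECURITY. The addresses, interface assignment (eth0 = LAN, eth1 = Internet, as in the post) and routing table are constructed sample data, not the poster's real values.

```shell
#!/bin/sh
# Added example (not from the original post): replay the rp_filter
# reverse-path check that produces "martian source" log lines.
# Log format printed by the kernel: "martian source DST from SRC, on dev DEV".
# Strict rp_filter drops the packet when the route back to SRC does not leave
# via DEV. All addresses and routes below are constructed sample data.

# Constructed log line in the format quoted in the post (sample addresses).
MARTIAN_LINE='Sep 4 12:22:39 servername kernel: martian source 203.0.113.10 from 192.168.1.25, on dev eth1'

# Constructed routing table in "ip route" format: eth0 is the LAN side,
# eth1 the Internet side, matching FW_DEV_INT/FW_DEV_EXT in the post.
ROUTES='default via 203.0.113.1 dev eth1
203.0.113.0/24 dev eth1
192.168.1.0/24 dev eth0'

# martian_fields LINE -> prints "SRC DST DEV" extracted from a martian message.
martian_fields() {
    printf '%s\n' "$1" |
        sed -n 's/.*martian source \([^ ]*\) from \([^ ]*\), on dev \([^ ]*\).*/\2 \1 \3/p'
}

# route_dev IP -> prints the outgoing interface for IP by longest-prefix match
# over $ROUTES. Prefix comparison is done by integer division by 2^(32-len),
# which needs no bitwise operators and so works in any POSIX awk.
route_dev() {
    printf '%s\n' "$ROUTES" | awk -v ip="$1" '
    function toint(a,  p) {
        split(a, p, ".")
        return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
    }
    BEGIN { best = -1; bestdev = "" }
    {
        dev = ""
        for (i = 1; i <= NF; i++) if ($i == "dev") dev = $(i + 1)
        if ($1 == "default") { net = "0.0.0.0"; len = 0 }
        else { split($1, c, "/"); net = c[1]; len = c[2] + 0 }
        shift = 2 ^ (32 - len)
        if (int(toint(ip) / shift) == int(toint(net) / shift) && len > best) {
            best = len; bestdev = dev
        }
    }
    END { print bestdev }'
}

# rp_filter_verdict LINE -> "pass" when the route back to the source leaves via
# the interface the packet arrived on (what strict rp_filter requires), else a
# "drop: ..." explanation naming the asymmetric route.
rp_filter_verdict() {
    set -- $(martian_fields "$1")
    src=$1; dst=$2; indev=$3
    back=$(route_dev "$src")
    if [ "$back" = "$indev" ]; then
        echo "pass"
    else
        echo "drop: source $src is routed via $back but arrived on $indev"
    fi
}

# On a live host the same two facts come from:
#   sysctl net.ipv4.conf.eth1.rp_filter   (1 = strict reverse-path check)
#   ip route get <SRC>                    (which interface the reply would use)
rp_filter_verdict "$MARTIAN_LINE"
```

For the constructed data this prints `drop: source 192.168.1.25 is routed via eth0 but arrived on eth1`: a LAN source address showed up on the Internet-facing interface, which is exactly the asymmetric path the reverse-path filter exists to reject. Running the check against your own `ip route` output and the real addresses from /var/log/messages tells you whether the LAN traffic is genuinely entering via eth1 (a routing or switching layout to fix) rather than a firewall rule to relax.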