How best to configure the firewall

Trying to harden my system by setting up the firewall. The openSUSE server runs Apache2 and the Axigen mail server, both of which should be accessible from the Internet, and then there is CUPS and MySQL (which should not be accessible from the Internet). I only have one network card, and it has had a static IP address on it as well as one assigned dynamically. The reason for this is so other machines on the LAN can get to this machine by the fixed IP address. The dynamic address is set by the U-verse router and is the static IP address that is out on the Internet.
So, should zone(s) be defined on this machine so that the machine is open on the LAN but closed to everything from the Internet except for those services that should be accessible? If so, how do I set this up?

First,
You should understand that since you are using only one NIC, <all> network traffic to/from this machine (both public and private) is exposed to sniffing, particularly to anyone who can gain a presence on the network immediately adjacent to your machine. Therefore, your base design is fundamentally flawed unless you have another firewall either in front (between your machine and the Internet) or behind (between your machine and your LAN). Depending on the features, capabilities and configuration of your U-verse router, it might function as a firewall.

So, as I’ve described…

  • If your machine is behind a firewall (a firewall between your machine and the Internet), then that other firewall would be your primary filter for incoming traffic, blocking all illegitimate inbound traffic. Typically, your SOHO router (in your case your U-verse router) DHCP should likely issue your machine a private IP address and allow inbound traffic only through NAT and port forwarding. Your openSUSE firewall then functions as a “host firewall” tasked with protecting only the machine itself. Some apps like MySQL can be configured to respond only to other local services on the machine without using a network address usable by remote machines. If you do bind MySQL to a usable network address, then you will need to configure security (open a port, configure remote access credentials, etc.). AFAIK no U-verse router supports a DMZ, so your machine would be using private addresses, so other machines in your LAN would access your machine using a local network IP address. Typically, the SUSE FW is set up either as a DMZ or Interior Zone in this network configuration.

  • If your U-verse router has issued your machine a public IP address, then your machine is typically <not> behind a SOHO router (it’s possible to firewall in a bridging setup, but I don’t usually see that by default), so your machine is publicly exposed and its firewall interface needs to be configured as an Exterior Zone. Since you say you have only one NIC configured and I’ve noted it’s a very bad idea to configure both private and public networks on the same NIC, you should configure private network access only through a VPN or remote desktop and treat all traffic on this interface as “public.”

Note also that once you remove either your U-verse DHCP or your static IP address, depending on what you’re left with, you might also be left with hairpin routing issues, which some NICs don’t support. So, the bottom line to address a good many issues in your setup is to just invest in a second NIC; if you have an available slot, the cost might be under $10 depending on what you get and from where.

IMO,
TSU
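As an added example (not from this thread), a small POSIX sh check for the MySQL/CUPS point above: it reads `ss -tlnH`-style listener lines (that input format is assumed; the sample below is constructed) and flags any non-loopback listener that is not one of the web or mail ports, so you can confirm that only the services meant to be public are bound to a network address before relying on the firewall zones.

```shell
#!/bin/sh
# Audit which TCP listeners are reachable from the network. Input format is
# assumed to be `ss -tlnH`: State Recv-Q Send-Q Local:Port Peer:Port ...
# Policy from the thread: only Apache (80/443) and the mail server
# (25/465/587/143/993) may listen on a non-loopback address; CUPS (631)
# and MySQL (3306) must stay loopback-only.
PUBLIC_PORTS="25 80 143 443 465 587 993"

# Constructed sample of `ss -tlnH` output; MySQL on 0.0.0.0 is the planted fault.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 100 0.0.0.0:25 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::1]:631 [::]:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*'

# classify_socket ADDR:PORT -> prints "ok" or "EXPOSED"; returns 1 when exposed.
# Loopback binds are always fine; anything else is fine only on an allowed port.
classify_socket() {
    addr=${1%:*}
    port=${1##*:}
    case "$addr" in
        127.*|"[::1]") echo ok; return 0 ;;
    esac
    for p in $PUBLIC_PORTS; do
        if [ "$p" = "$port" ]; then echo ok; return 0; fi
    done
    echo EXPOSED
    return 1
}

# audit_sockets: reads ss-style lines on stdin, prints "<verdict> <local>" per line.
audit_sockets() {
    while read -r state recvq sendq laddr peer rest; do
        [ -n "$laddr" ] || continue
        echo "$(classify_socket "$laddr") $laddr"
    done
}

# count_exposed SS_OUTPUT: number of EXPOSED verdicts in the given ss output.
count_exposed() {
    printf '%s\n' "$1" | audit_sockets | grep -c '^EXPOSED'
}

# Stand-alone run over the sample (on a live host: ss -tlnH | audit_sockets).
printf '%s\n' "$SAMPLE_SS" | audit_sockets
echo "exposed sockets: $(count_exposed "$SAMPLE_SS")"
```

The sample run reports exactly one exposed socket, the MySQL listener on 0.0.0.0:3306.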

IMHO you need a firewall between your LAN and the Internet. Which is BTW the normal place for a firewall and it is the place where a firewall got its name from… I do not know if your router is capable of that (mine is).

Thank you Tsu2. I will certainly install a second NIC and go from there.

Cool.
And, just to be certain if I wasn’t clear, the 2 NICs permit your machine to connect to <2 different physical networks> so your public network is seen <only> on your public NIC and your private network is seen <only> on your private NIC.

If for instance both NICs are connected to the same physical network you’ll still be running both public and private traffic over the same physical wire with the same vulnerabilities despite configuring FW zones differently for each NIC.

TSU