HOW TO: 12.1 Bridged Firewall - Part1 (the rest follows)

Hi Guys… just wanted to let everyone know the issues I addressed in my setup, how I got around them, what I found, and I guess what could potentially point to areas that may need to be looked at by the developers of SuSE 12.1. In my setup I actually encountered several pre-existing problems. Although some may be from different areas of the forum, they are all involved here. Hopefully, if someone searches for the others by name, they will end up here and find workarounds. Additionally, I have a couple of requests for inclusions into future SuSE releases.

First off, as I stated above, I built and am using a bridge for some of my security. I will try to be brief, but state the steps for clarity, as well as the issues I had.

I’m running this bridged firewall in front of IPCop, with admin to the bridge looped back behind and serviced by IPCop’s transparent proxy firewall. I took the opportunity to post a How To for a bridged firewall, including the current 12.1 issues I encountered.

  1. Get 2 network cards. YOU CANNOT USE A MOTHERBOARD ETHERNET CARD IN A BRIDGE. They can’t be controlled (the motherboard can’t be controlled), and will not work. LOL Trust me! However, you can use the on-board adapter for administration (suggested, so you can keep track of them better; a third card is fine too).

Install a fresh, shiny, new copy of SuSE 12.1. The cards will be recognized and drivers installed for them. Only plug in the onboard Ethernet adapter. Hopefully your internet will be automatically set up for you. If not, don’t worry.

*** I am using the notorious REALTEK ‘RTL-8169 Gigabit Ethernet’ that everyone seems to have problems with. I believe the problem is elsewhere… THE r8169 DRIVER IS FINE! I believe the issue may be triggered by these cards, and may be tied to whatever is bypassed with the sysvinit-init install. But if you can’t access the internet after setting up your admin card as stated above, simply switch to KNetworkManager and connect for your downloads & patches. Then switch back to Traditional ifup… it will continue to work perfectly!!!


#> ifconfig      ### to view cards configuration in Traditional ifup
#> nm-tool     ### to view cards configuration in KNetworkManager 

If it is set up and working, update the system with all necessary updates, BUT NOT SuSE FIREWALL 2’s UPDATE. This update enables package control, and will disable all cards when the firewall is disabled! (read the description in YaST).

*** Requested inclusion in future editions… a way to disable this feature in the Firewall & Network settings GUIs (or at least in the network area), so that you may use custom iptables for the bridge. The message displayed when you disable SFW2 is “No network traffic is permitted through these interfaces.”

  2. In YaST… install bridge-utils, sysvinit-init (in exchange for removing systemd), & gcc (needed for some printer driver installation support).

  3. Go into YaST > Network Devices > Network Settings

Select your admin card > edit:

Global Options - Traditional Method with ‘ifup’ & Uncheck the Enable IPV6
Hostname/DNS - Insert hostname, Name Server 1 ,
Routing - Default IPv4 Gateway, Enable IP Forwarding
Make sure your admin card is setup as eth2…
General - Activate at boot time & Set MTU 1500 (Ethernet)
Address - /24 hostname,

**** Traditional ifup (which I love, and which is necessary for the bridge) seems to be having issues at the moment and doesn’t like DHCP. So, if possible, give this card an IP address. I speculate this is tied to the systemd vs. sysvinit-init known issue already posted elsewhere on the forum.

  4. As usual, the drivers for your other gigabit Ethernet (bridge) cards are installed. The setup selection in YaST WOULD BE as follows (READ FIRST):

Network Devices > Network Settings

eth0 & eth1
Global Options - Traditional Method with ‘ifup’ & Uncheck the Enable IPV6
Hostname/DNS - Insert hostname
Routing - Enable IP Forwarding
Make sure your admin card is setup as eth2…
General - Activate at boot time & Set MTU 1500 (Ethernet)
Address - no ip for bonding devices

However, it worked perfectly by simply creating the following file…

Right click to make a new text document, name it ‘ifcfg-br0’, and save it in ‘/etc/sysconfig/network’. Here is my sample:

ifcfg-br0


STARTMODE='auto'
BOOTPROTO='none'
BRIDGE='yes'
BRIDGE_PORTS='eth0 eth1'

Also in ‘/etc/sysconfig/network’, look at ‘ifcfg-eth0’ and ‘ifcfg-eth1’ and make sure they look like this:

ifcfg-eth0


BOOTPROTO='none'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='RTL-8169 Gigabit Ethernet'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'

ifcfg-eth1


BOOTPROTO='none'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='RTL-8169 Gigabit Ethernet'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'

ifcfg-eth2


BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR='192.168.1.100/24'
MTU='1500'
NAME='3c905C-TX/TX-M [Tornado]'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'

Now, at the terminal enter:

$> service network restart

Take another look at your cards now:

$> ifconfig
#> brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.0030843e5aa2       no              eth0
                                                        eth1

reboot system

  5. Copy the script and save it as ‘firewall’. Right click to get the properties, make sure root owns the file (which it should), and check the box to make the file executable. Then place a copy in /etc/init.d/ so that it ends up as ‘/etc/init.d/firewall’.

Once you run it with the terminal by typing ‘/etc/init.d/firewall’ and hitting [enter],
you can watch the terminal for feedback, and also find out whether it has worked by
displaying your current iptables rules with:


# iptables -F
# /etc/init.d/firewall
#> iptables -L -v

[Code starts below with the ‘#!/bin/bash’ down to the boxed footer labeled
‘End of SuSE 12.1 Bridged IPTables NetFiltering Made Easy’]


#!/bin/bash
##########################################################################
#          SuSE 12.1 Bridged IPTables NetFiltering Made Easy             #
#                                 ~                                      #
#              This starts the Bridge Portion of the code                #
##########################################################################

# Save as a txt file named 'firewall' 

# Add the bridge, associate the ethernet cards, and activate the bridge
# I actually left these commands here, even though you don't need them
# with SuSE 10.3. Although you can tweak the bridge with the 'STP'
# commands included in this section.

#ifconfig br0 down
#brctl addbr br0
#brctl addif br0 eth0
#brctl addif br0 eth1
#ifconfig br0 up

# This will set the host up as a pure bridge, it will not have an IP 
# address for itself, so it can not be remotely accessed (or hacked) 
# via TCP/IP. If an ip address is used you will need to comment out 
# the last line above and use the one below instead.

#ifconfig br0 192.168.1.X netmask 255.255.255.0 up



# The corresponding command to take an interface out of the bridge is:
#brctl delif br0 ethX


############################
# Test your Bridge Filter as-is before changing anything between here 
# and where it is labeled End of Bridge header. The values added to 
# each command line are good, and there may be a need to uncomment all 
# of them, changing the first one below from off to on, if you are 
# unable to connect to your ISP with the basic setup supplied above. 
# Test the basic first, but remember there will be a 30 second delay 
# before it starts passing packets the first time it is connected.
# OPTIONAL, NON-Basic Bridge Rules:
################################

# Spanning Tree Protocol - STP
# If you are running multiple or redundant bridges, then you need to 
# enable the Spanning Tree Protocol (STP) to handle multiple hops and 
# avoid cyclic routes. The code autodetects the speed of the link and 
# other parameters, so these usually don't need to be changed.

#brctl stp br0 on
#brctl stp br0 off

# Aging Time - Part of STP
# The Aging Time is the number of seconds a MAC address will be kept in 
# the forwarding database after having received a packet from this MAC 
# address. The entries in the forwarding database are periodically timed 
# out to ensure they won't stay around forever. Normally there should be 
# no need to modify this parameter, but it can be changed with (time is 
# in seconds). Setting ageing time to zero makes all entries permanent.

#brctl setageing br0 20


# Forwarding Delay Time - Part of STP
# Forwarding Delay time is the time spent in each of the Listening and 
# Learning states before the Forwarding state is entered. This delay is 
# so that when a new bridge comes onto a busy network it looks at some 
# traffic before participating. Default is 30 seconds - set to 0 here

#brctl setfd br0 0


# Hello Time - Part of STP
# Periodically, a hello packet is sent out by the Root Bridge and the 
# Designated Bridges. Hello packets are used to communicate information 
# about the topology throughout the entire Bridged Local Area Network.

#brctl sethello br0 2



# Max Age - Part of STP
# If another bridge in the spanning tree does not send out a hello 
# packet for a long period of time, it is assumed to be dead. This 
# timeout is set with:

#brctl setmaxage br0 20


# Path Costs - Part of STP
# Each interface in a bridge could have a different speed and this value 
# is used when deciding which link to use. Faster interfaces should have 
# lower costs.

#brctl setpathcost br0 eth0 3


##########################################################################
#        End of SuSE 12.1 Bridged IPTables NetFiltering Made Easy        #
#                   This starts the IPTable code                         #
##########################################################################

################################
# Load all required EBTables modules
#

#
# Needed to initially load modules
#
#depmod

#
# Adds some iptables targets like LOG, REJECT
#
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_multiport

#
# Support for connection tracking of FTP and IRC.
#
# IPTABLES_BIN="/usr/sbin/iptables"
#/proc/net/stat/nf_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

################################

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets 
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods 
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection 
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians


################################

# flush all chains
/usr/sbin/iptables -F
/usr/sbin/iptables -X

################################


# The 2.6 standard kernel contains an iptables match module called physdev which has to be used to match the bridge's 
# physical in and out ports. Its basic usage is simple (see the iptables man page for more details):


#############################################
#          Begin actual iptables            #
#############################################
# 1
# Set default policies

/usr/sbin/iptables --policy INPUT DROP
/usr/sbin/iptables --policy OUTPUT DROP
/usr/sbin/iptables --policy FORWARD DROP


############################
# 2
# Block obvious spoofs

#/usr/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP


############################
# 3
# Allow unlimited traffic on the loopback interface

/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT


############################
# 4
# Create a LOGDROP chain to log and drop packets

/usr/sbin/iptables -N LOGDROP
/usr/sbin/iptables -A LOGDROP -j LOG --log-level warning --log-prefix '==HACKERS== '
/usr/sbin/iptables -A LOGDROP -j DROP


############################
# Additional logging tools #
# (and Blocking if needed) #
############################
#
# log everything which comes in from the WAN. remember, we're paranoid :)
# if you want to look at the traffic coming in or going out
#
# Log IN from internet to network - just uncomment and view /var/log/ipt_ob/observing
#     ##

# (kept on one line: a continuation line that begins with '#' would be read as a comment)
#/usr/sbin/iptables -t filter -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOG --log-level warning --log-prefix '==OBSERVING== '

# Log OUT from network to internet - just uncomment and view /var/log/ipt_ob/observing
#

#/usr/sbin/iptables -t filter -A FORWARD -o br0 -i br0 -m physdev --physdev-is-bridged --physdev-in eth1 --physdev-out eth0 -j LOG --log-level warning --log-prefix '==OBSERVING== '

#####
# If you have observed some traffic and you didn't like what you've seen, you can prevent
# the communication from occurring, reducing the damage, until you are able to address
# the compromised machine.
#
# Additional - you will probably like this!
# drop anything from this incoming IP (or going out to them too) because I dislike this person  :P
#
# Uncomment both lines below to drop all communication, in and out, to that source
# with, of course, the ip address with which you need to prevent communication.

# IN-coming packets from an unrecognized source = potential compromise
# And to be prepared to stop the communication after listening some with a more specific target, 
# I've also included a listen feature here too:
#
#iptables -t filter -A FORWARD --in-interface eth0 --out-interface eth1 -s 66.235.133.3 -j LOG --log-level warning --log-prefix '==OBSERVING== '
#iptables -A FORWARD --in-interface eth0 --out-interface eth1 -s 66.235.133.3 -j LOGDROP


# OUT-going packets from a box on the network to an unrecognized source = potential compromise
#
#iptables -t filter -A FORWARD --in-interface eth1 --out-interface eth0 -d 66.235.133.3 -j LOG --log-level warning --log-prefix '==OBSERVING== '
#iptables -A FORWARD --in-interface eth1 --out-interface eth0 -d 66.235.133.3 -j LOGDROP


#
#####

############################
# 5 & 6
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic

/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT




############################
# 7
# If you need to allow packets from any outside source to reach a certain port,
# uncomment and edit to your port destination.
#
#/usr/sbin/iptables -A FORWARD -p udp --dport 5060 -i br0 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT  #sip phone


############################
# 8
# Forward established connections that originate inside from lan - bypassing rules check

/usr/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT
# -i eth2 is the admin card; there is no '-m eth2' match module, so that form made iptables abort
/usr/sbin/iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT


############################
# 9
################ ~ It is this particular line that allows you to surf the web ~ #################

/usr/sbin/iptables -t filter -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth1 --physdev-out eth0 -j ACCEPT


############################
# 10
# Allow VOIP phone registration and incoming initialization - from specific ip range
# (much safer than just open)

/usr/sbin/iptables -A INPUT -p udp --dport 80 -m iprange --src-range 67.133.234.77-67.133.234.78 -j ACCEPT


############################
# 11
# Note: you technically don't need 11 & 12 because once initialization occurs on port 80
# (in number 10.) the rest of the packets should be considered 'ESTABLISHED,RELATED' but 
# just to ensure you don't miss any incoming phone calls, I chose to leave it for now.
#
# Allow VOIP phone communication - from specific ip range
# (much safer than just open)

/usr/sbin/iptables -A INPUT -p udp --dport 5060 -m iprange --src-range 67.133.234.77-67.133.234.78 -j ACCEPT


############################
# 12
# Allow VOIP phone conversations - from specific ip range
# and a port-range (much safer than just open)
#
/usr/sbin/iptables -I INPUT -p udp --dport 16384:65535 -m iprange --src-range 67.133.234.77-67.133.234.78 -j ACCEPT


############################
# 13
# drop invalid packets
#
/usr/sbin/iptables -I FORWARD -m state --state INVALID -j LOGDROP


############################
# 14
# Drop and log all other connections from the net

/usr/sbin/iptables -A FORWARD -p tcp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP 
/usr/sbin/iptables -A FORWARD -p udp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP 
/usr/sbin/iptables -A FORWARD -p icmp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP 
/usr/sbin/iptables -A FORWARD -p igmp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP 


############################
# 15
# Drop and log all other traffic - fail-safe - drop everything!
#
/usr/sbin/iptables -A INPUT -j LOGDROP

##########################################################################
#              This ends the IPTable portion of the code                 #
#                                 ~                                      #
#        End of SuSE 12.1 Bridged IPTables NetFiltering Made Easy        #
##########################################################################

  6. Ok, before we get carried away, we need to change a few system settings in order to allow the script to run properly (when you aren’t manually initiating it). Thanks to SuSE, we have at our disposal ‘YaST’, and ‘System Services’ = ‘Runlevel’:

YaST - If you are used to a different flavor of Linux, you’re really going to appreciate this!

click YaST > System Services (Runlevel)

You can (and should) toggle between Simple and Expert Modes:

We need to click to highlight ‘firewall’ and switch to Expert Mode. Here we will start ‘firewall’ and
set runlevels 2, 3, & 5… then toggle back to ‘Simple Mode’ and enable it.

You should follow the same principle and Disable ‘SSH’ (and leave no path for hacker entry).

Note: if you see ‘Acpid’ errors in the ‘Messages’ log (because you have an older processor, and Acpid wasn’t installed automatically during the SuSE OS installation) and had to install the rpm ‘acpid-******.i586.rpm’, then you need to ‘Enable Acpid’ here as well.

  7. If you need to tweak your iptables rules, you can do so and reload them without having to reboot your box:

$> /etc/init.d/firewall [enter]
$> /etc/init.d/boot.local reload [enter]

$> iptables -L -v  [enter]

****** No traffic gets through (except ARP and STP)

Your kernel might have ethernet filtering (ebtables, bridge-nf, arptables) enabled, and traffic gets filtered.
The easiest way to disable this is to go to /proc/sys/net/bridge. Check if the bridge-nf-* entries in there are
set to 1; in that case, set them to zero and try again.


 # cd /proc/sys/net/bridge
 # ls
 bridge-nf-call-arptables  bridge-nf-call-iptables
 bridge-nf-call-ip6tables  bridge-nf-filter-vlan-tagged
 # for f in bridge-nf-*; do echo 0 > $f; done
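
Two pre-flight checks for this setup, added here as example code (not part of the original post). The iptables physdev rules in the ‘firewall’ script are only consulted while bridge-nf-call-iptables is 1; with it at 0 the bridge forwards frames without touching the FORWARD chain, so the first function reports that state, and the second compares the ports in ifcfg-br0 with what ‘brctl show’ reports. Paths are parameters, and the single bridge br0 is assumed.

```shell
#!/bin/sh
# Pre-flight checks for the bridged firewall (added example). Paths are passed in so the
# same functions run against /proc and /etc on the bridge or against test fixtures.

# Print the content of one sysctl-style knob, or "missing" when it does not exist.
read_knob() {
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# Argument: the /proc/sys/net/bridge directory. Returns 0 when the FORWARD chain filters
# bridged IPv4 traffic, 1 when bridged frames bypass iptables, 2 when the knobs are absent.
bridge_nf_status() {
    dir=$1
    ipt=$(read_knob "$dir/bridge-nf-call-iptables")
    arp=$(read_knob "$dir/bridge-nf-call-arptables")
    ip6=$(read_knob "$dir/bridge-nf-call-ip6tables")
    printf 'bridge-nf-call-iptables=%s arptables=%s ip6tables=%s\n' "$ipt" "$arp" "$ip6"
    case "$ipt" in
        1) echo "OK: bridged IPv4 frames pass through the iptables FORWARD chain"; return 0 ;;
        0) echo "WARNING: bridge-nf-call-iptables=0, physdev rules never match, LOGDROP stays empty"; return 1 ;;
        *) echo "WARNING: bridge netfilter knobs not present (bridge module not loaded?)"; return 2 ;;
    esac
}

# Arguments: path to ifcfg-br0 and path to a file holding 'brctl show' output.
# brctl prints the first port on the br0 line and each further port indented on its own line.
bridge_ports_match() {
    cfg=$1; show=$2
    wanted=$(sed -n "s/^BRIDGE_PORTS='\(.*\)'$/\1/p" "$cfg")
    wanted=$(printf '%s\n' $wanted | sort | tr '\n' ' ' | sed 's/ $//')
    actual=$(awk 'NR > 1 { print $NF }' "$show" | sort | tr '\n' ' ' | sed 's/ $//')
    if [ "$wanted" = "$actual" ]; then
        echo "OK: br0 ports [$actual] match ifcfg-br0"; return 0
    fi
    echo "MISMATCH: ifcfg-br0 lists [$wanted] but the bridge has [$actual]"; return 1
}

# Run with the single argument 'live' to check the running system (brctl needs root).
if [ "${1:-}" = "live" ]; then
    bridge_nf_status /proc/sys/net/bridge
    tmp=$(mktemp) && brctl show > "$tmp" && bridge_ports_match /etc/sysconfig/network/ifcfg-br0 "$tmp"
    rm -f "$tmp"
fi
```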

  8. Now, this is cool. Install syslog-ng & uninstall rsyslog in YaST. Let’s set up a cron job to rotate the firewall log so it doesn’t present a problem some day in the future.

You could do it with vi (since no tab has been created yet):

$> crontab -e

Press the [insert] key, then copy and paste all 6 lines (from below). Press the [esc] key, then type ‘:wq’ [enter].

Let’s set a crontab that has these lines in it, set to run every 4 hours. The cron line is defined like this… 30=mins, 3=hour, *=day, *=month, *=year, then the process, followed by the file to process.


59 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 7 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 12 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 16 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 19 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 23 * * * /usr/sbin/logrotate /etc/logrotate.conf

Alternatively, you could go to ‘/var/spool/cron/’, create a text file named ‘root’, and copy them into ‘/var/spool/cron/root’.

  9. Copy the code below and put it in /etc/logrotate.d/syslog at the top. We want to rotate our log files when they reach 1 meg in size. The code:

 /var/log/ipt/firewall_ipt {
    rotate 365
    missingok
    nomail
    notifempty
    copytruncate
    noolddir
    create 640 root root
    dateext
    maxage 365
    size 1M
    postrotate
        /etc/init.d/syslog reload
    endscript
 }

 /var/log/ipt/firewall {
    rotate 365
    missingok
    nomail
    notifempty
    copytruncate
    noolddir
    create 640 root root
    dateext
    maxage 365
    size 1M
    postrotate
        /etc/init.d/syslog reload
    endscript
 }

 /var/log/firewall {
    rotate 365
    missingok
    nomail
    notifempty
    copytruncate
    noolddir
    create 640 root root
    dateext
    maxage 365
    size 1M
    postrotate
        /etc/init.d/syslog reload
    endscript
 }

 /var/log/firewall_swf2 {
    rotate 365
    missingok
    nomail
    notifempty
    copytruncate
    noolddir
    create 640 root root
    dateext
    maxage 365
    size 1M
    postrotate
        /etc/init.d/syslog reload
    endscript
 }

# And limiting 'observing' to 50 1M files, which beyond that will 
# be deleted, in the event you forget to turn it off!

 /var/log/ipt_ob/observing {
    rotate 50
    missingok
    nomail
    notifempty
    copytruncate
    noolddir
    create 640 root root
    dateext
    size 1M
    postrotate
        /etc/init.d/syslog reload
    endscript
 }

########################### above at top of file

Now, go into /var/log and make folders named ‘ipt’ and ‘ipt_ob’… then at the prompt: /etc/init.d/syslog reload [enter]


#> /etc/init.d/firewall reload

#> /etc/init.d/syslog reload

  10. Go to /etc/syslog-ng/syslog-ng.conf (3.3.1-7.6.2 in YaST) and change the following:

First, let’s redefine the filter. The bridge and iptables already define the ‘in’ and ‘out’
for us, and we want to occasionally use straight logging to observe packets traversing,
an immediate way to determine a compromised network or system, so we want to match ‘HACKERS’
for normal protection, and also match ‘OBSERVING’ for inspecting packet destinations.

++++++++++++++++++++++++++++++++++++++

Comment out:

	#file ("/proc/kmsg" program_override("kernel"));

Find ‘DEFINITIONS’ at the top (adding 3 definitions and commenting out the original):


#
# Filter definitions
#

#filter f_iptables   { facility(kern) and match("IN=") and match("OUT="); };
# Filter definitions SFW2
#
#filter f_iptables   { facility(kern) and message("IN=") and message("OUT="); };
#filter f_iptables   { level(warn) and facility(kern) and message("IN=") and message("OUT=")and message("HACKERS"); };
filter f_iptables_sfw2   { level(warn) and facility(kern) and message("SFW2"); };
filter f_iptables_ipt   { level(warn) and facility(kern) and message("HACKERS"); };
filter f_iptables_ob   { level(warn) and facility(kern) and message("OBSERVING"); };

Then continue down to this filter definition, commenting out the top line ‘f_messages’, and adding the 2nd one,
to prevent the logs from ending up in the default ‘messages’ file:


#filter f_messages   { not facility(news, mail) and not filter(f_iptables); };
filter f_messages   { not facility(news, mail) and not filter(f_iptables_ipt) and not filter(f_iptables_sfw2) and not filter(f_iptables_ob); };

Now find this ‘SOURCE’ line (second from bottom):


#
# Firewall (iptables) messages in one file:
#
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };

And change it to look like this (adding 2 sources and commenting out the original):


#
# Firewall (iptables) messages in one file:
#

destination firewall_ipt { file("/var/log/ipt/firewall_ipt" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables_ipt); destination(firewall_ipt); };

destination observing { file("/var/log/ipt_ob/observing" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables_ob); destination(observing); };

destination firewall_swf2 { file("/var/log/firewall_swf2" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables_sfw2); destination(firewall_swf2); };

#destination firewall { file("/var/firewall" suppress(30)); };
#log { source(src); source(chroots); filter(f_iptables); destination(firewall); };

#
# Warnings (except iptables) in one file:
#
destination warn { file("/var/log/warn" suppress(30) fsync(yes)); };
log { source(src); source(chroots); filter(f_warn); destination(warn); };

#
# All messages except iptables and the facilities news and mail:
#
destination messages { file("/var/log/messages" suppress(30) owner(-1) group(-1) perm(-1)); };
log { source(src); source(chroots); filter(f_messages); destination(messages); };

++++++++++++++++++++++++++++++++++++++
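
Once the HACKERS and OBSERVING lines land in their own files, this added example (shell/awk, not part of the original post) tallies them by bridge direction (PHYSIN>PHYSOUT), source, destination, protocol and destination port, so one look shows which outside hosts the LOGDROP chain is dropping and what the LAN is talking to. The sample log lines in it are constructed, using documentation address ranges.

```shell
#!/bin/sh
# Summarize netfilter LOG lines from the LOGDROP chain ('==HACKERS== ') and the observing
# rules ('==OBSERVING== '). Added example; not from the original post.
# Usage: summarize_fw_log [PREFIX] < /var/log/ipt/firewall_ipt
# PREFIX (HACKERS or OBSERVING) restricts the tally to one log prefix; omit it to see both.
summarize_fw_log() {
    LC_ALL=C awk -v want="${1:-}" '
    {
        prefix = ""; physin = "-"; physout = "-"; src = "-"; dst = "-"; proto = "-"; dpt = "-"
        # the --log-prefix sits between the kernel timestamp and the IN= field
        if (match($0, /==[A-Z]+==/)) prefix = substr($0, RSTART + 2, RLENGTH - 4)
        if (prefix == "" || (want != "" && prefix != want)) next
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PHYSIN") physin = kv[2]
            else if (kv[1] == "PHYSOUT") physout = kv[2]   # physdev in/out ports of br0
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]            # absent for ICMP, stays "-"
        }
        count[prefix "\t" physin ">" physout "\t" src "\t" dst "\t" proto "\t" dpt]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | LC_ALL=C sort -k1,1nr -k2
}

# Constructed sample in the shape the kernel LOG target writes on this bridge
# (documentation address ranges, not real traffic); last line is an unrelated kernel message.
SAMPLE_LOG='Jan 31 18:06:01 bridge kernel: [ 1234.567890] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=44321 DPT=22 SYN
Jan 31 18:06:02 bridge kernel: [ 1235.000001] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=44322 DPT=22 SYN
Jan 31 18:06:03 bridge kernel: [ 1236.000002] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.45 DST=192.0.2.10 LEN=60 TTL=54 PROTO=TCP SPT=44323 DPT=22 SYN
Jan 31 18:06:04 bridge kernel: [ 1237.000003] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Jan 31 18:06:05 bridge kernel: [ 1238.000004] ==OBSERVING== IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.20 LEN=52 TTL=64 PROTO=TCP SPT=51000 DPT=443 SYN
Jan 31 18:06:06 bridge kernel: [ 1239.000005] eth0: link up'

# Run with the single argument 'demo' to summarize the constructed sample.
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
fi
```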

  11. SuSE 12.1 host files:

/etc/hosts.deny


# /etc/hosts.deny
# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.

#http-rman : ALL EXCEPT LOCAL

ALL: ALL

/etc/hosts.allow


# /etc/hosts.allow
# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
# of /etc/hosts.allow and /etc/hosts.deny.

ALL: 127.0.0.1 0.0.0.0 xxxxxxxx.site xxxxxxxxx localhost   #<-- copied from your '/etc/hosts' file

And finally, since we’re not using an IP address, the risk of being hacked is gone at the bridge level… and the opportunity to even try to hack the second firewall proxy server has been reduced to a very low number, such as .001%. Your final machine’s software firewall should make you virtually untouchable! (you can pretty much just copy and paste everything here)

Very Best Regards to All of You !

Cheers!

One last addition… you must use a cross-over cable out of the bridge firewall to your proxy server.

(should be WAN in eth0, out of eth1 via cross-over cable, to your proxy server…or router)

Cheers!

On 2012-01-31 18:06, surgie2 wrote:
> Hi Guys… just wanted to let everyone know the issues I addressed in my
> setup, how I got around them, what I found, and I guess what could

Thanks, but do you know that there is a specific forum here for howto
submissions?


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)