I have a Synology NAS in our family network and I don’t want it to call home. As it has a fixed IP (192.168.2.200) in the LAN, I gave it IPs for DNS and Gateway which point nowhere (192.168.2.250).
But I could see with Etherape on the PC gateway & firewall server (2 physical network cards) that it had a connection outside and now would like to stop it, using the OpenSuse firewall.
But, the firewall offers under “Custom Rules” only new allowing rules. But I want to disable something.
Is that a bug in the GUI of YaST, and do I have to edit a certain parameter file with an editor?
> But, the firewall offers under “Custom Rules” only new allowing rules.
> But I want to disable something.
>
> Is that a bug in GUI of Yast and I have to edit a certain parameter file
> with an editor ?
Is your openSUSE machine acting as router, with TWO network cards?
If not, certainly you cannot block any other machine with your Linux
machine or anything whatsoever. Only the router can.
If your Linux machine is acting as router, then please clarify the setup.
In that case, you have to tell YaST to firewall the internal network too.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
I use a PC with 2 network cards (1 internal 192.168.4.0/24, 1 external 192.168.5.0/24 -> ADSL router) as gateway, squid proxy, internal DNS and firewall - all in one:
The firewall’s option Masquerading is on.
Both network cards registered
No services allowed in the external zone
All services allowed in the internal zone
Only 2 custom rules for the external zone: allow 192.168.4.0/24 UDP and allow 192.168.4.0/24 TCP
That’s how I made it run.
Mhhhh, firewall the internal network!? How do I do that? I fear I don’t fully understand the logic behind that OS 13.1 firewall.
From my understanding I simply need to create rules that define the traffic between zones and not in the zones !?!?
Would really appreciate if someone could help me to understand it a bit better.
On 2014-10-20 14:26, J0Eeoj wrote:
>
> Hello robin_listas,
>
> I use a PC with 2 network cards (1 internal 192.168.4.0/24 , 1 external
> 192.168.5.0/24 -> ADSL router) as gateway, squid proxy , internal DNS
> and firewall - all in one:
>
> The firewall’s option Masquerading is on.
> Both network cards registered
> No services allowed in the external zone
> All services allowed in the internal zone <<====
> Only 2 custom roles for the external zone: allow 192.168.4.0/24 UDP and
> allow 192.168.4.0/24 TCP
>
> That’s how I made it run.
>
> Mhhhh, firewall the internal network !? How do I do that ?
See the “<<===” above. Disallow. Block everything by default, then open
explicitly what you do need. But “masquerading” allows machines to go
through, obviously:
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE=""
## Type: string
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
#
# Format: space separated list of
# <source network>[,<destination network>[,<protocol>[,port:port]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
# This is also the default if you leave FW_MASQ_NETS empty.
# - "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access.
# - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
# 10.0.1.0/24 network is allowed to access unprivileged
# ports whereas 10.0.2.0/24 is granted unrestricted
# access.
# - "0/0,!10.0.0.0/8" unrestricted access to the internet
# with the exception of 10.0.0.8 which will not be
# masqueraded.
#
FW_MASQ_NETS=""
## Type: string
#
# Which computers/networks to exclude from masquerading.
#
# Note that this only affects the POSTROUTING chain of the nat
# table. Ie the forwarding rules installed by FW_MASQ_NETS do not
# include the listed exceptions.
# *** Since you may use FW_NOMASQ_NETS together with IPsec make sure
# that the policy database is loaded even when the tunnel is not up
# yet. Otherwise packets to the listed networks will be forwarded to
# the internet unencrypted! ***
#
# Format: space separated list of
# <source network>[,<destination network>[,<protocol>[,port:port]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0,10.0.0.0/8" do not masquerade packets from
# anywhere to the 10.0.0.0/8 network
#
FW_NOMASQ_NETS=""
I believe you have to enter your NAS on FW_NOMASQ_NETS.
–
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)
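The two variables quoted above share one entry format, and the comment on FW_NOMASQ_NETS makes a point that is easy to miss: it only removes the NAT (POSTROUTING) part, the forwarding rules from FW_MASQ_NETS still let the packets out. The following Python script is an added example, not code from the thread or from SuSEfirewall2; it parses entries in the documented format, applies a simplified model of those two variables (other FW_* settings are ignored) to a packet, and builds an FW_MASQ_NETS value that lists every address of the LAN except one host, so the NAS is left out of the forwarding rules instead of merely out of the NAT. The LAN 192.168.4.0/24 is taken from the thread; the NAS address 192.168.4.200 and the 203.0.113.10 "internet" destination are assumptions chosen for the example.

```python
"""Evaluate SuSEfirewall2 FW_MASQ_NETS / FW_NOMASQ_NETS entries (added example)."""
import ipaddress

# Assumed values matching the thread's layout: the openSUSE box masquerades
# 192.168.4.0/24; the NAS is assumed (not stated on the page) to sit at .200.
LAN = "192.168.4.0/24"
NAS = "192.168.4.200"


def _net(text):
    """Turn one network token into an ip_network. The config allows the
    shorthand "0/0" for "anywhere" and a bare address for a single host."""
    if text == "0/0":
        text = "0.0.0.0/0"
    return ipaddress.ip_network(text, strict=False)


def parse_entry(entry):
    """Parse one entry of the documented format
    <source network>[,<destination network>[,<protocol>[,port:port]]].
    A '!' in front of the destination negates it, as in "0/0,!10.0.0.0/8"."""
    parts = entry.split(",")
    dst_text, negate = (parts[1] if len(parts) > 1 else "0/0"), False
    if dst_text.startswith("!"):
        dst_text, negate = dst_text[1:], True
    ports = None
    if len(parts) > 3:
        lo, _, hi = parts[3].partition(":")
        ports = (int(lo), int(hi) if hi else int(lo))
    return {
        "src": _net(parts[0]),
        "dst": _net(dst_text),
        "dst_negated": negate,
        "proto": parts[2].lower() if len(parts) > 2 else None,
        "ports": ports,
    }


def matches(rule, src, dst, proto=None, port=None):
    """True if a packet src->dst (proto, port) is covered by one parsed entry."""
    if ipaddress.ip_address(src) not in rule["src"]:
        return False
    in_dst = ipaddress.ip_address(dst) in rule["dst"]
    # plain destination: packet must be inside it; negated: must be outside it
    if in_dst == rule["dst_negated"]:
        return False
    if rule["proto"] is not None and rule["proto"] != proto:
        return False
    if rule["ports"] is not None:
        lo, hi = rule["ports"]
        if port is None or not lo <= port <= hi:
            return False
    return True


def classify(fw_masq_nets, fw_nomasq_nets, src, dst, proto=None, port=None):
    """Simplified model taken from the quoted config comments: an empty
    FW_MASQ_NETS means "0/0"; a matching FW_MASQ_NETS entry installs forwarding
    plus NAT; a matching FW_NOMASQ_NETS entry removes only the NAT part, so the
    packet is still forwarded, just with its private source address."""
    masq = [parse_entry(e) for e in fw_masq_nets.split()] or [parse_entry("0/0")]
    nomasq = [parse_entry(e) for e in fw_nomasq_nets.split()]
    if not any(matches(r, src, dst, proto, port) for r in masq):
        return "not-forwarded"
    if any(matches(r, src, dst, proto, port) for r in nomasq):
        return "forwarded-unmasqueraded"
    return "masqueraded"


def masq_nets_excluding(lan, host):
    """Build an FW_MASQ_NETS value covering every LAN address except `host`,
    using only the documented <source network> form: the LAN prefix is split
    into the prefixes that remain once the host's /32 is carved out."""
    keep = ipaddress.ip_network(lan).address_exclude(ipaddress.ip_network(host + "/32"))
    return " ".join(str(n) for n in sorted(keep))


if __name__ == "__main__":
    internet = "203.0.113.10"  # TEST-NET-3 address standing in for "the internet"
    print("NAS, empty FW_MASQ_NETS:     ", classify("", "", NAS, internet))
    print("NAS in FW_NOMASQ_NETS:       ", classify("", NAS, NAS, internet))
    only_others = masq_nets_excluding(LAN, NAS)
    print('FW_MASQ_NETS="%s"' % only_others)
    print("NAS, restricted FW_MASQ_NETS:", classify(only_others, "", NAS, internet))
    print("PC,  restricted FW_MASQ_NETS:", classify(only_others, "", "192.168.4.10", internet))
```

Run stand-alone, it shows the difference between the two approaches: with the NAS in FW_NOMASQ_NETS its packets are still forwarded to the ADSL router (whether they get any further depends on that router), while the split FW_MASQ_NETS value leaves the NAS out of the forwarding rules entirely and keeps every other LAN host masqueraded. The model is only as good as the quoted comments; confirm on the box itself, e.g. with the iptables FORWARD and nat POSTROUTING chains, before relying on it.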