SuSEfirewall2 is not working

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="172.16.0.0/24,0/0,icmp 172.16.0.0/24,0/0,tcp,22"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP="111:142 144:388 1:24 26:109 3261:3305 3307:5800 390:630 5802:5900 5902:65535 632:635 637:872 874:992 994 996:3259"
FW_SERVICES_EXT_UDP="domain ipsec-nat-t isakmp"
FW_SERVICES_EXT_IP="esp"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP="domain"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="bind sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_INT="0/0,tcp 0/0,udp"
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS="172.16.0.0/24 192.168.0.0/24,icmp 192.168.0.0/24,tcp,22"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

## Type: yesno
## Default: yes
#
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when the connection is choking;
# however, this opens you up to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""

## Type: string(yes,no)
#
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcast packets.
# Broadcasts are used e.g. for Netbios/Samba, RIP, OSPF and games.
#
# If you want to drop broadcasts but ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specific ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
#   - "yes" or "no"
#   - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
#                       to enter the machine but drop any other broadcasts
#           - "yes"     do not install any extra drop rules for
#                       broadcast packets. They'll be treated just as unicast
#                       packets in this case.
#           - "no"      drop all broadcast packets before other filtering
#                       rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
#
FW_ALLOW_FW_BROADCAST_INT="no"

## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
#
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
#   - "yes" or "no"
#   - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
#           - "yes"     do not log dropped broadcast packets
#           - "no"      log all dropped broadcast packets
#
# defaults to "no" if not set
#
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
#
FW_IGNORE_FW_BROADCAST_INT="yes"

## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
#
FW_IGNORE_FW_BROADCAST_DMZ="yes"

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Specifies whether routing between interfaces of the same zone should be allowed
#
# Requires: FW_ROUTE="yes"
#
# Set this to allow routing between interfaces in the same zone,
# e.g. between all internet interfaces, or all internal network
# interfaces.
#
# Caution: Keep in mind that "yes" affects all zones, i.e. even if you
# need intra-zone routing only in the internal zone, setting this
# parameter to "yes" would allow routing between all external
# interfaces as well. It's better to use
# FW_ALLOW_CLASS_ROUTING="int" in this case.
#
# Choice: "yes", "no", or space-separated list of zone names
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""

## Type: string
#
# Do you want to load custom rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOM RULES FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
## Default: no
#
# Do you want to REJECT packets instead of DROPping them?
#
# DROPping (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means that
# for every illegal packet a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no"
#
# Defaults to "no" if not set
#
# You may override this value on a per-zone basis by using a zone
# specific variable, e.g. FW_REJECT_DMZ="yes"
#
FW_REJECT=""

## Type: yesno
## Default: no
#
# see FW_REJECT for description
#
# default config file setting is "yes", assuming that slowing down
# portscans is not strictly required in the internal zone even if
# you protect yourself from the internal zone
#
FW_REJECT_INT="yes"

## Type: string
#
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
#
# It's a list of devices and maximum bandwidth in kbit.
#
# For example, the German TDSL account provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
#
# If you want to tune a 128kbit/s upstream DSL device like German TDSL, set
# the following values:
#
# FW_HTB_TUNE_DEV="dsl0,125"
#
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream.
#
# You might wonder why 125kbit/s and not 128kbit/s. Well, practically you'll
# get better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# its own buffers, because queuing is done by us now.
#
# So for a 256kbit upstream
#
# FW_HTB_TUNE_DEV="dsl0,250"
#
# might be a better value than "dsl0,256". There is no perfect value for a
# particular kind of modem. The perfect value depends on what kind of traffic you
# have on your line, but 5% under your maximum upstream might be a good start.
# Everything else is special fine tuning.
#
# If you want to know more about the technical background, the
# ADSL Bandwidth Management HOWTO
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful, so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your host will allow any IPv6
#   traffic unless you set up your own rules.
#
# - drop: drop all IPv6 packets.
#
# - reject: reject all IPv6 packets. This is the default if stateful matching is
#   not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether your kernel supports stateful matching.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 packets. This option
# only makes sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""

## Type: list(yes,no,int,ext,dmz,)
## Default: no
#
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available through an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitly allow IPsec traffic.
#
# Example:
#
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"

## Type: string
## Default:
#
# Define additional firewall zones
#
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the appropriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
#
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""

## Type: string(no,auto)
## Default:
#
# Set default firewall zone
#
# Format: 'auto', 'no' or name of zone.
#
# When set to 'no' no firewall rules will be installed for unknown
# or unconfigured interfaces. That means traffic on such interfaces
# hits the default drop rules.
#
# When left empty or when set to 'auto' the zone that has the
# interface string 'any' configured is used for all unconfigured
# interfaces (see FW_DEV_EXT). If no 'any' string was found the
# external zone is used.
#
# When a default zone is defined a catch-all rule redirects traffic
# from interfaces that were not present at the time SuSEfirewall2
# was run to the default zone. Normally SuSEfirewall2 needs to be
# run if new interfaces appear to avoid such unknown interfaces.
#
# Defaults to 'auto' if not set
#
FW_ZONE_DEFAULT=""

## Type: list(yes,no,auto,)
## Default:
#
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
#   iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""

## Type: string
## Default:
#
# Which additional kernel modules to load at startup
#
# Example:
#
# FW_LOAD_MODULES="nf_conntrack_netbios_ns"
#
# See also FW_SERVICES_ACCEPT_RELATED_EXT
#
FW_LOAD_MODULES="nf_conntrack_netbios_ns"

## Type: string
## Default:
#
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead
#
# Example:
#
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""

## Type: string
## Default:
#
# Whether traffic that is only bridged but not routed should be
# allowed. Such packets appear to pass through the forward chain so
# normally they would be dropped.
#
# Note: it is not possible to configure SuSEfirewall2 as a bridging
# firewall. This option merely controls whether SuSEfirewall2 should
# try not to interfere with bridges.
#
# Choice:
# - yes: always install a rule to allow bridge traffic
# - no: don't install a rule to allow bridge traffic
# - auto: install rule only if there are bridge interfaces
#
# Defaults to "auto" if not set
#
FW_FORWARD_ALLOW_BRIDGING=""

## Type: yesno
## Default: yes
#
# Write status information to /var/run/SuSEfirewall2/status for use
# by e.g. graphical user interfaces. Can safely be disabled on
# servers.
#
# Defaults to "yes" if not set
#
FW_WRITE_STATUS=""

## Type: yesno
## Default: yes
#
# Allow dynamic configuration overrides in
# /var/run/SuSEfirewall2/override for use by e.g. graphical user
# interfaces. Can safely be disabled on servers.
#
# Defaults to "yes" if not set
#
FW_RUNTIME_OVERRIDE=""

## Type: yesno
## Default: yes
#
# Install NOTRACK target for interface lo in the raw table. Doing so
# speeds up packet processing on the loopback interface. This breaks
# certain firewall setups that need to e.g. redirect outgoing
# packets via custom rules on the local machine.
#
# Defaults to "yes" if not set
#
FW_LO_NOTRACK=""

## Type: yesno
## Default: no
#
# Specifies whether /etc/init.d/SuSEfirewall2_init should install the
# full rule set already. Default is to just install minimum rules
# that block incoming traffic. Set to "yes" if you use services
# such as drbd that require open ports during boot already.
#
# Defaults to "no" if not set
#
FW_BOOT_FULL_INIT=""

Here is my configuration file. I am also running a child proxy on this server, which is 172.16.0.1. I want this firewall to work so that no host is allowed to go out except 172.16.0.1; even if I stop the firewall, hosts can still access the internet. What is my error up there?

Thanks in advance,
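The FW_SERVICES_EXT_TCP and FW_SERVICES_ACCEPT_EXT values in the post above decide what the external zone lets in, and they are worth working through before looking at outbound traffic. The script below is an added example, not something from the thread or from SuSEfirewall2 itself: it expands the posted port-range list, lists the ports it leaves closed, and checks whether an FW_SERVICES_ACCEPT_EXT entry admits a whole protocol from anywhere. The entry format net,protocol[,dport[,sport[,flags]]] is the one documented in the SuSEfirewall2 config file (that part of the file is not in the excerpt above); service names such as "domain" are resolved through the local /etc/services.

```python
# Added example (not part of the forum thread): expand the posted
# FW_SERVICES_EXT_TCP value and check FW_SERVICES_ACCEPT_EXT to see what
# the external zone actually admits. Both values are copied from the
# configuration in the post above.
import socket

FW_SERVICES_EXT_TCP = (
    "111:142 144:388 1:24 26:109 3261:3305 3307:5800 390:630 "
    "5802:5900 5902:65535 632:635 637:872 874:992 994 996:3259"
)
FW_SERVICES_ACCEPT_EXT = "0/0,tcp 0/0,udp"

MAX_PORT = 65535


def _port(token, proto):
    """One port: a number, or a service name resolved via /etc/services."""
    if token.isdigit():
        return int(token)
    return socket.getservbyname(token, proto)


def parse_port_list(value, proto="tcp"):
    """Expand a SuSEfirewall2 FW_SERVICES_*_{TCP,UDP} list into a set of ports.
    Tokens are single ports/services ("22", "domain") or ranges ("111:142")."""
    ports = set()
    for token in value.split():
        lo, _, hi = token.partition(":")
        lo = _port(lo, proto)
        hi = _port(hi, proto) if hi else lo
        if not 1 <= lo <= hi <= MAX_PORT:
            raise ValueError("bad port token: %r" % token)
        ports.update(range(lo, hi + 1))
    return ports


def closed_ports(value, proto="tcp"):
    """Ports the service list leaves closed, i.e. everything it does not name."""
    return sorted(set(range(1, MAX_PORT + 1)) - parse_port_list(value, proto))


def accept_all_overrides(accept_value, proto):
    """True if an FW_SERVICES_ACCEPT_* entry admits a whole protocol from 0/0.
    Entry format: net,protocol[,dport[,sport[,flags]]]; an absent or empty
    dport field matches every destination port."""
    for entry in accept_value.split():
        fields = entry.split(",")
        if len(fields) < 2 or fields[1] != proto:
            continue
        if fields[0] not in ("0/0", "0.0.0.0/0"):
            continue
        if len(fields) == 2 or fields[2] == "":
            return True
    return False


if __name__ == "__main__":
    blocked = closed_ports(FW_SERVICES_EXT_TCP)
    print("FW_SERVICES_EXT_TCP opens %d of %d TCP ports; closed: %s"
          % (MAX_PORT - len(blocked), MAX_PORT, blocked))
    for proto in ("tcp", "udp"):
        if accept_all_overrides(FW_SERVICES_ACCEPT_EXT, proto):
            print("FW_SERVICES_ACCEPT_EXT admits all %s from 0/0, so the "
                  "service list no longer limits anything" % proto)
```

Run as posted, the port list turns out to open every TCP port except thirteen (25, 110, 143, 389, 631, 636, 873, 993, 995, 3260, 3306, 5801, 5901), and the "0/0,tcp 0/0,udp" accept entries admit even those, so the external zone is effectively unfiltered for TCP and UDP regardless of what FW_SERVICES_EXT_TCP says.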

PLEASE, please, put computer text between CODE tags (Posting in Code Tags - A Guide) to keep it manageable and readable.

Also, telling us AT LEAST which openSUSE level you use spares you and us an extra round of questioning.

On 2011-04-04 16:36, samhela wrote:

> Here is my configuration file. I am also running a child proxy on this
> server, which is 172.16.0.1. I want this firewall to work so that no host is allowed
> to go out except 172.16.0.1; even if I stop the firewall, hosts can still access
> the internet. What is my error up there?

SuSEfirewall does not block outgoing connections at all.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
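Carlos's point, turned into a check you can run on the box: the firewall host's own connections leave through filter/OUTPUT, which SuSEfirewall2 leaves open, while what LAN hosts can do depends on the filter/FORWARD chain and the nat/POSTROUTING masquerade rules that FW_ROUTE, FW_MASQ_NETS and FW_FORWARD generate. The script below is an added example, not from the thread or from SuSEfirewall2: it parses iptables-save output and reports those three things. The embedded dump is a constructed, flattened sample shaped like the posted FW_MASQ_NETS (ICMP and tcp/22 from 172.16.0.0/24); a real SuSEfirewall2 rule set jumps into its own per-zone chains, so on a live system pipe the real dump in instead.

```python
# Added example (not part of the forum thread): read an iptables-save dump
# and report what governs outbound traffic on a SuSEfirewall2 box. The
# host's own connections leave through filter/OUTPUT; LAN hosts' routed
# traffic passes filter/FORWARD and is NATed in nat/POSTROUTING.
# SAMPLE_DUMP is constructed for this example and flattened: a real
# SuSEfirewall2 rule set jumps into its own per-zone chains instead.
import re
import sys

SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -p icmp -j MASQUERADE
-A POSTROUTING -s 172.16.0.0/24 -o eth0 -p tcp -m tcp --dport 22 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.16.0.0/24 -o eth0 -p icmp -j ACCEPT
-A FORWARD -s 172.16.0.0/24 -o eth0 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""

EMPTY_TABLE = {"policy": {}, "rules": {}}


def parse_dump(dump):
    """Return {table: {"policy": {chain: policy}, "rules": {chain: [line, ...]}}}."""
    tables, table = {}, None
    for line in dump.splitlines():
        if line.startswith("*"):                    # "*filter" starts a table
            table = line[1:].strip()
            tables[table] = {"policy": {}, "rules": {}}
        elif table is None:
            continue
        elif line.startswith(":"):                  # ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[table]["policy"][chain] = policy
            tables[table]["rules"].setdefault(chain, [])
        elif line.startswith("-A "):                # "-A FORWARD ... -j ACCEPT"
            chain = line.split()[1]
            tables[table]["rules"].setdefault(chain, []).append(line)
    return tables


def _sources(rules, target):
    """Distinct -s networks among the rules that jump to `target`."""
    found = set()
    for rule in rules:
        m = re.search(r"(?:^|\s)-s (\S+)", rule)
        if rule.endswith("-j " + target) and m:
            found.add(m.group(1))
    return sorted(found)


def summarize(dump):
    """The three facts behind 'hosts can still get out': FORWARD policy and
    accepted sources, masqueraded sources, and whether OUTPUT is filtered."""
    t = parse_dump(dump)
    filt = t.get("filter", EMPTY_TABLE)
    nat = t.get("nat", EMPTY_TABLE)
    return {
        "forward_policy": filt["policy"].get("FORWARD"),
        "forward_accepted_from": _sources(filt["rules"].get("FORWARD", []), "ACCEPT"),
        "masqueraded_from": _sources(nat["rules"].get("POSTROUTING", []), "MASQUERADE"),
        # the box's own connections: any restriction at all?
        "host_output_filtered": (filt["policy"].get("OUTPUT") != "ACCEPT"
                                 or bool(filt["rules"].get("OUTPUT"))),
    }


if __name__ == "__main__":
    # live use on the firewall host:  iptables-save | python3 this_script.py -
    dump = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DUMP
    for key, val in summarize(dump).items():
        print("%-22s %s" % (key + ":", val))
```

On the sample, FORWARD has a DROP policy with ACCEPT and MASQUERADE rules only for 172.16.0.0/24, and OUTPUT is an unrestricted ACCEPT with no rules: the proxy on the firewall host can always reach the internet, and whether the other LAN hosts can is decided entirely by the FORWARD and POSTROUTING entries, not by anything in OUTPUT.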