33.4 SuSEfirewall2
SuSEfirewall2 is a script that reads the variables set in
/etc/sysconfig/SuSEfirewall2 to generate a set of
iptables rules. It defines three security zones, although only the first
and the second one are considered in the following sample configuration:
- External Zone
  Given that there is no way to control what is happening on the
  external network, the host needs to be protected from it. In most
  cases, the external network is the Internet, but it could be another
  insecure network, such as a WLAN.
- Internal Zone
  This refers to the private network, in most cases the LAN. If the
  hosts on this network use IP addresses from the private range (see
  Section 20.1.2, Netmasks and Routing), enable network
  address translation (NAT), so hosts on the internal network can access
  the external one.
- Demilitarized Zone (DMZ)
  While hosts located in this zone can be reached both from the external
  and the internal network, they cannot access the internal network
  themselves. This setup can be used to put an additional line of
  defense in front of the internal network, because the DMZ systems are
  isolated from the internal network.
Any kind of network traffic not explicitly allowed by the filtering rule
set is suppressed by iptables. Therefore, each of the interfaces with
incoming traffic must be placed into one of the three zones. For each of
the zones, define the services or protocols allowed. The rule set is only
applied to packets originating from remote hosts. Locally generated
packets are not captured by the firewall.
The configuration can be performed with YaST (see
Section 33.4.1, Configuring the Firewall with YaST). It can also be made manually in
the file /etc/sysconfig/SuSEfirewall2, which is well
commented. Additionally, a number of example scenarios are available in
/usr/share/doc/packages/SuSEfirewall2/EXAMPLES.
33.4.1 Configuring the Firewall with YaST
IMPORTANT: Automatic Firewall Configuration
After the installation, YaST automatically starts a firewall on all
configured interfaces. If a server is configured and activated on the
system, YaST can modify the automatically-generated firewall
configuration with the options or in the server configuration modules. Some server
module dialogs include a button for
activating additional services and ports. The YaST firewall
configuration module can be used to activate, deactivate, or
reconfigure the firewall.
The YaST dialogs for the graphical configuration can be accessed from
the YaST Control Center. Select . The
configuration is divided into seven sections that can be accessed
directly from the tree structure on the left side.
- Start-Up
  Set the start-up behavior in this dialog. In a default installation,
  SuSEfirewall2 is started automatically. You can also start and stop
  the firewall here. To implement your new settings in a running
  firewall, use .
- Interfaces
  All known network interfaces are listed here. To remove an interface
  from a zone, select the interface, press ,
  and choose . To add an interface
  to a zone, select the interface, press and
  choose any of the available zones. You may also create a special
  interface with your own settings by using .
- Allowed Services
  You need this option to offer services from your system to a zone
  from which it is protected. By default, the system is only protected
  from external zones. Explicitly allow the services that should be
  available to external hosts. After selecting the desired zone in
  , activate the
  services from the list.
- Masquerading
  Masquerading hides your internal network from external networks, such
  as the Internet, while enabling hosts in the internal network to
  access the external network transparently. Requests from the external
  network to the internal one are blocked, and requests from the
  internal network appear to be issued by the masquerading server when
  seen externally. If special services of an internal machine need to
  be available to the external network, add special redirect rules for
  the service.
- Broadcast
  In this dialog, configure the UDP ports that allow broadcasts. Add
  the required port numbers or services to the appropriate zone,
  separated by spaces. See also the file
  /etc/services.
  The logging of broadcasts that are not accepted can be enabled here.
  This may be problematic, because Windows hosts use broadcasts to discover
  each other and so generate many packets that are not accepted.
- IPsec Support
  Configure whether the IPsec service should be available to the
  external network in this dialog. Configure which packets are trusted
  under .
- Logging Level
  There are two rules for the logging: accepted and not accepted
  packets. Packets that are not accepted are DROPPED or REJECTED.
  Select from , , or for both of
  them.
- Custom Rules
  Here, set special firewall rules that allow connections matching
  specified criteria such as source network, protocol, destination port,
  and source port. Configure such rules for the external, internal, and
  demilitarized zones.
When completed with the firewall configuration, exit this dialog with
. A zone-oriented summary of your firewall
configuration then opens. In it, check all settings. All services,
ports, and protocols that have been allowed, and all custom rules are
listed in this summary. To modify the configuration, use
. Press to save your
configuration.
33.4.2 Configuring Manually
The following paragraphs provide step-by-step instructions for a
successful configuration. Each configuration item is marked as to
whether it is relevant to firewalling or masquerading. Use port ranges
(for example, 500:510) whenever appropriate. Aspects
related to the DMZ (demilitarized zone) as mentioned in the
configuration file are not covered here. They are applicable only to
the more complex network infrastructure found in larger organizations
(corporate networks), which requires extensive configuration and in-depth
knowledge of the subject.
First, use the YaST module System Services (Runlevel) to enable SuSEfirewall2 in
your runlevel (3 or 5 most likely). It sets the symlinks for the
SuSEfirewall2_* scripts in the /etc/init.d/rc?.d/
directories.
- FW_DEV_EXT (firewall, masquerading)
  The device linked to the Internet. For a modem connection, enter
  ppp0. For an ISDN link, use
  ippp0. DSL connections use
  dsl0. Specify auto to use the
  interface that corresponds to the default route.
- FW_DEV_INT (firewall, masquerading)
  The device linked to the internal, private network (such as
  eth0). Leave this blank if there is no internal
  network and the firewall protects only the host on which it runs.
- FW_ROUTE (firewall, masquerading)
  If you need the masquerading function, set this to
  yes. Your internal hosts will not be visible to
  the outside, because their private network addresses (e.g.,
  192.168.x.x) are ignored by Internet routers.
  For a firewall without masquerading, only set this to
  yes if you want to allow access to the internal
  network. Your internal hosts need to use officially registered IP
  addresses in this case. Normally, however, you should
  not allow access to your internal network from
  the outside.
- FW_MASQUERADE (masquerading)
  Set this to yes if you need the masquerading
  function. This provides a virtually direct connection to the Internet
  for the internal hosts. It is more secure to have a proxy server
  between the hosts of the internal network and the Internet.
  Masquerading is not needed for services a proxy server provides.
- FW_MASQ_NETS (masquerading)
  Specify the hosts or networks to masquerade, leaving a space between
  the individual entries. For example:
  FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"
- FW_PROTECT_FROM_INT (firewall)
  Set this to yes to protect your firewall host from
  attacks originating in your internal network. Services are only
  available to the internal network if explicitly enabled. Also see
  FW_SERVICES_INT_TCP and
  FW_SERVICES_INT_UDP.
- FW_SERVICES_EXT_TCP (firewall)
  Enter the TCP ports that should be made available. Leave this blank
  for a normal workstation at home that should not offer any services.
- FW_SERVICES_EXT_UDP (firewall)
  Leave this blank unless you run a UDP service and want to make it
  available to the outside. Services that use UDP include
  DNS servers, IPsec, TFTP, DHCP and others. In that case, enter the
  UDP ports to use.
- FW_SERVICES_ACCEPT_EXT (firewall)
  List services to allow from the Internet. This is a more generic form
  of the FW_SERVICES_EXT_TCP and
  FW_SERVICES_EXT_UDP settings, and more
  specific than FW_TRUSTED_NETS. The notation
  is a space-separated list of
  net,protocol[,dport][,sport],
  for example 0/0,tcp,22.
- FW_SERVICES_INT_TCP (firewall)
  With this variable, define the services available for the internal
  network. The notation is the same as for
  FW_SERVICES_EXT_TCP, but the settings are
  applied to the internal network. The variable
  only needs to be set if FW_PROTECT_FROM_INT
  is set to yes.
- FW_SERVICES_INT_UDP (firewall)
  See FW_SERVICES_INT_TCP.
- FW_SERVICES_ACCEPT_INT (firewall)
  List services to allow from internal hosts. See
  FW_SERVICES_ACCEPT_EXT.
- FW_SERVICES_ACCEPT_RELATED_* (firewall)
  SuSEfirewall2 now
  implements a subtle change regarding packets that are considered
  RELATED by netfilter.
  For example, to allow finer grained filtering of Samba broadcast
  packets, RELATED packets are no longer accepted
  unconditionally. The new variables starting with
  FW_SERVICES_ACCEPT_RELATED_ have been
  introduced to allow restricting RELATED packet
  handling to certain networks, protocols and ports.
  This means that adding connection tracking modules (conntrack
  modules) to FW_LOAD_MODULES no longer
  automatically results in accepting the packets tagged by those
  modules. In addition, you must set variables starting with
  FW_SERVICES_ACCEPT_RELATED_ to a suitable
  value.
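The following POSIX shell script is an added example; it is not part of SuSEfirewall2 or of this manual. Because /etc/sysconfig/SuSEfirewall2 consists of plain shell variable assignments, a constructed fragment in the same syntax can be sourced with the dot command and then checked against the dependencies described above: masquerading requires FW_ROUTE=yes, an internal device and a list of networks to hide; every FW_SERVICES_ACCEPT_* entry must follow the net,protocol[,dport][,sport] notation; and the plain port lists must contain port numbers or ranges such as 500:510. The sample values and the helper names (is_port_spec, is_ipv4_net, check_accept_entry, check_config, sfw2_check_sample) are assumptions of this example, as is accepting icmp as a protocol, since the text only shows tcp and udp. The checks go beyond the single 0/0,tcp,22 example in the text by validating every entry generically.

```shell
#!/bin/sh
# Added example (not part of SuSEfirewall2): sanity checks for a few
# /etc/sysconfig/SuSEfirewall2 variables. Helper names and sample values
# are assumptions of this example.

# Constructed sample configuration, in the shell-variable syntax the real
# file uses: a masquerading firewall with dsl0 outside and eth0 inside.
SAMPLE_CONFIG='
FW_DEV_EXT="dsl0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP="22"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22 192.168.10.0/24,udp,53,1024:65535"
FW_SERVICES_INT_TCP="22 80"
'

# A single port (22) or a port range (500:510) within 1..65535.
is_port_spec() {
    lo=${1%%:*}; hi=${1#*:}
    case "$lo" in ''|*[!0-9]*) return 1;; esac
    case "$hi" in ''|*[!0-9]*) return 1;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# An IPv4 host (192.168.10.1), a network (192.168.0.0/24) or 0/0 for "anywhere".
is_ipv4_net() {
    case "$1" in 0/0) return 0;; esac
    addr=${1%%/*}; mask=${1#*/}
    [ "$addr" != "$1" ] || mask=32          # no prefix length: a single host
    case "$mask" in ''|*[!0-9]*) return 1;; esac
    [ "$mask" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# One FW_SERVICES_ACCEPT_* entry: net,protocol[,dport][,sport]
# (accepting icmp besides tcp and udp is an assumption of this example).
check_accept_entry() {
    oldifs=$IFS; IFS=,; set -- $1; IFS=$oldifs
    [ $# -ge 2 ] && [ $# -le 4 ] || return 1
    is_ipv4_net "$1" || return 1
    case "$2" in tcp|udp|icmp) ;; *) return 1;; esac
    [ $# -lt 3 ] || is_port_spec "$3" || return 1
    [ $# -lt 4 ] || is_port_spec "$4" || return 1
}

# Source a configuration file, print each problem found and return their count.
check_config() {
    unset FW_DEV_EXT FW_DEV_INT FW_ROUTE FW_MASQUERADE FW_MASQ_NETS \
          FW_SERVICES_EXT_TCP FW_SERVICES_EXT_UDP FW_SERVICES_INT_TCP \
          FW_SERVICES_INT_UDP FW_SERVICES_ACCEPT_EXT FW_SERVICES_ACCEPT_INT
    . "$1"
    problems=0
    if [ "$FW_MASQUERADE" = "yes" ]; then
        # Masquerading needs routing, an internal device and networks to hide.
        [ "$FW_ROUTE" = "yes" ] || { echo "FW_MASQUERADE=yes requires FW_ROUTE=yes"; problems=$((problems + 1)); }
        [ -n "$FW_DEV_INT" ]   || { echo "FW_MASQUERADE=yes but FW_DEV_INT is empty"; problems=$((problems + 1)); }
        [ -n "$FW_MASQ_NETS" ] || { echo "FW_MASQUERADE=yes but FW_MASQ_NETS is empty"; problems=$((problems + 1)); }
        for n in $FW_MASQ_NETS; do
            is_ipv4_net "$n" || { echo "bad FW_MASQ_NETS entry: $n"; problems=$((problems + 1)); }
        done
    fi
    for e in $FW_SERVICES_ACCEPT_EXT $FW_SERVICES_ACCEPT_INT; do
        check_accept_entry "$e" || { echo "bad accept entry: $e"; problems=$((problems + 1)); }
    done
    # Plain port lists are read as port numbers or ranges, as the text describes them.
    for p in $FW_SERVICES_EXT_TCP $FW_SERVICES_EXT_UDP $FW_SERVICES_INT_TCP $FW_SERVICES_INT_UDP; do
        is_port_spec "$p" || { echo "bad port entry: $p"; problems=$((problems + 1)); }
    done
    return $problems
}

# Stand-alone run: write the constructed sample to a temporary file and check it.
sfw2_check_sample() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_CONFIG" > "$tmp"
    check_config "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return $rc
}
sfw2_check_sample && echo "sample configuration: no problems found"
```

To check a real file instead of the sample, call check_config with its path; each problem is printed on its own line and the return value is the number of problems, so the script can gate a SuSEfirewall2 start in an automated deployment.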
After configuring the firewall, test your setup. The firewall rule sets
are created by entering SuSEfirewall2 start as
root. Then use
telnet, for example, from an external host to see
whether the connection is actually denied. After that, review
/var/log/messages, where you should see something
like this:
Mar 15 13:21:38 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0
OUT= MAC=00:80:c8:94:c3:e7:00:a0:c9:4d:27:56:08:00 SRC=192.168.10.0
DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=15330 DF PROTO=TCP
SPT=48091 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
OPT (020405B40402080A061AFEBC0000000001030300)
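Reading such entries by hand does not scale once the firewall is in production, so the following added example (not part of SuSEfirewall2 or of this manual) summarises SFW2 kernel log lines with awk: it takes the action from the third dash-separated part of the log prefix (DROP in SFW2-INext-DROP-DEFLT), collects the IN, SRC, PROTO and DPT fields, and counts identical combinations, plus a second function that lists sources whose dropped-packet count reaches a threshold. The sample log is constructed: its first line is the entry shown above, joined into the single line it occupies in /var/log/messages; the other lines, including the SFW2-INext-ACC-TCP prefix used for an accepted packet, are made up for illustration. The function names sfw2_summary and sfw2_noisy_sources are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of SuSEfirewall2): summarise SFW2 kernel log
# entries such as the one shown in the text. Function names are
# assumptions of this example.

# Constructed sample of /var/log/messages lines. The first is the entry
# from the text; the others are made up to show counting and an accepted
# packet (the exact prefix of accept entries is an assumption here).
SAMPLE_LOG='Mar 15 13:21:38 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:80:c8:94:c3:e7:00:a0:c9:4d:27:56:08:00 SRC=192.168.10.0 DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=15330 DF PROTO=TCP SPT=48091 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A061AFEBC0000000001030300)
Mar 15 13:21:41 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.10.0 DST=192.168.10.1 LEN=60 PROTO=TCP SPT=48092 DPT=23 SYN
Mar 15 13:22:05 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=192.168.10.7 DST=192.168.10.1 LEN=78 PROTO=UDP SPT=137 DPT=137
Mar 15 13:22:09 linux kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=192.168.10.7 DST=192.168.10.1 LEN=60 PROTO=TCP SPT=3456 DPT=22 SYN'

# Read log lines on stdin; print "action interface source proto dport count",
# one line per distinct combination, sorted.
sfw2_summary() {
    awk '
    /kernel: SFW2-/ {
        # The log prefix follows "kernel: "; its third dash-separated part
        # is the action (DROP, ACC, ...).
        for (i = 1; i <= NF; i++) if ($i == "kernel:") { prefix = $(i + 1); break }
        n = split(prefix, p, "-"); action = (n >= 3) ? p[3] : "?"
        # Reset per line so a field missing here (e.g. DPT on ICMP) is not
        # taken over from the previous entry.
        f["IN"] = "-"; f["SRC"] = "-"; f["PROTO"] = "-"; f["DPT"] = "-"
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Z]+=/) { eq = index($i, "="); f[substr($i, 1, eq - 1)] = substr($i, eq + 1) }
        key = action " " f["IN"] " " f["SRC"] " " f["PROTO"] " " f["DPT"]
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Read log lines on stdin; print sources whose dropped packets reach $1,
# a quick way to spot a host probing many ports.
sfw2_noisy_sources() {
    awk -v min="$1" '
    /kernel: SFW2-/ && /-DROP-/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) drops[substr($i, 5)]++
    }
    END { for (s in drops) if (drops[s] >= min) print s, drops[s] }' | LC_ALL=C sort
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | sfw2_summary
printf '%s\n' "$SAMPLE_LOG" | sfw2_noisy_sources 2
```

On a real system, pipe the log into the functions instead, for example with grep SFW2 /var/log/messages | sfw2_summary; the per-line reset of the collected fields matters because not every protocol logs a DPT field.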
Other packages for testing your firewall setup are nmap and nessus. The
documentation of nmap is found in
/usr/share/doc/packages/nmap and the documentation
of nessus resides in the directory
/usr/share/doc/packages/nessus-core after
installing the respective package.