Published at 5.3.2001
Author: Marcel Alburg
Translator: Tobias Bayer
Languages: de nl

Firewall

Setting Up a Firewall with SuSE Linux


1. What is a firewall?

In computer terminology, "firewall" is a term for a computer that is an interface between two computer networks and protects particular areas of a network against attacks and/or unwanted access.

2. Why is a firewall necessary?

Because companies, private households, schools and other public institutions increasingly connect their networks to the global Internet, these "local and small" networks (so-called LANs, Local Area Networks) have to be protected against attacks and viruses coming over the Internet.

But remember: "The aggressor does not always attack over the Internet!"

A firewall can only protect against attacks that pass through it; it does not stop attacks coming from the same network. You must therefore make sure that the firewall is the only path between the adjacent networks.

3. Prerequisites

In order to set up a SuSE firewall, you need some knowledge about networks, such as what ports, IP addresses and services are used.
You should know how to add network cards with YAST and assign IP addresses.

Of course, you also should have a running Linux system.

*** IMPORTANT ***

You should know what services you want to use and what ports are used by them.

If you do not know that, you can look up in /etc/services which port is used by a particular service.

4. Installation
4.1 Setting up two network cards

We assume that you have already installed and configured one network card.

Now we are going to install a second one.

4.1.1 PCI cards

If you own two PCI network cards, the installation should cause no problems because the IRQ and the I/O port are recognized and configured automatically.

4.1.2 ISA cards

If you own two ISA cards, the installation will present a small problem. Linux does not automatically look for a second ISA card and so will not find it. We can solve this problem as follows:

Start YAST

    --> System administration
      --> Kernel- and boot-configuration
        --> configure LILO.

Add the following entry to the append line:

    ether=[IRQ],[IO],[DEVICE]

Substitute the expressions in brackets according to your system (e.g. "ether=10,0x300,eth1").

If you have more than two ISA network cards in your computer, add one entry per card to the append line, separated by spaces:

    ether=[IRQ],[IO],eth1 ether=[IRQ],[IO],eth2

and so on.

Our append line looks like this:

    ether=10,0x300,eth1 ether=5,0x320,eth2

Press "Next" and YAST will alter the config files.
Reboot your system so that LILO can apply the changes.

(This is the only reboot necessary under Linux.)

4.2 Configuring the network cards

Start YAST

    --> Integrate Hardware
      --> Configure network cards.

One network card should already be configured.

Now press F3 and select eth1. The "card type" field must still be empty; enter the type of your second network card there.

Press "Next" and YAST will update the config files for you.
Leave YAST and restart your network by typing

    /etc/rc.d/network restart

If everything went right, you should see the following lines:

    Shutting down network device eth1    done
    Shutting down network device eth0    done
    Setting up network device eth0       done
    Setting up network device eth1       done

If there are lines with "failed", repeat the configuration of the network cards as described in step 4.2, but enter the values of your network card in the line "Module options", e.g.:

    irq=[IRQ] io=[IO port]

Enter the correct IRQ and I/O values for your cards.

When both cards are working, we can continue with step 5.

5. Configuration of the SuSE firewall
5.1. Necessary packages

To be able to configure the firewall, you first need the following packages installed:

    ipchains
    firewalls

both from the security section.

If you have already installed these packages, continue at step 5.2.

Package installation:
Start YAST

    --> Start installation
      --> Change/create configuration

Go to the menu "Security software".

Install the package "firewalls" there.

5.2 Configuration of the firewall with YAST

Start YAST

    --> System administration
      --> Change configuration file

Look for variables that begin with "FW_". These are the variables that configure the SuSE firewall.

In the following, we will explain every variable for you.

1. START_FW
Set this variable to "yes" if you want to start the SuSE firewall.

2. FW_DEV_WORLD
Insert all network interfaces here that are connected to the "insecure" part of the net,
e.g. ippp0, eth0, eth1 and so on.

3. FW_DEV_INT
Insert all network interfaces here that are connected to the "secure" part of the net,
e.g. ippp0, eth0, eth1 and so on.

4. FW_DEV_DMZ
Insert all network interfaces here that are connected to the DMZ (demilitarised zone),
e.g. ippp0, eth0, eth1 and so on.

The DMZ is a network attached to the firewall whose computers provide services to the outside (e.g. mail, FTP, news). These computers require official IP addresses that are routed through the firewall.

If you fill in this variable, you also have to set the variable FW_ROUTE to yes and allow the forwarding of the services (FW_FORWARD_*).

5. FW_ROUTE
If your firewall has a direct connection to the internet or the DMZ (without proxy services), set this variable to yes.

Also, the variables FW_MASQUERADE or FW_FORWARD_* must be updated for the services that shall be forwarded.

6. FW_MASQUERADE, FW_MASQ_NETS and FW_MASQ_DEV
If your firewall is connected directly to the Internet and you want your clients to reach the Internet without using a proxy, set the variable FW_MASQUERADE to yes.

Masquerading translates your internal IP addresses into official ones, so that requests to the Internet look as if they were generated by the firewall itself.

To use masquerading, you must set FW_ROUTE to yes.

Enter all computers and/or networks that should be able to use masquerading into FW_MASQ_NETS.

e.g.: 192.168.10.0/24 192.168.1.1

This line means that the computer 192.168.1.1 and the class C network 192.168.10.0/255.255.255.0 have masqueraded access to the Internet.

In FW_MASQ_DEV you have to enter all outgoing interfaces on which masquerading is to be done,
e.g.: ippp0, eth1

7. FW_PROTECT_FROM_INTERNAL
If you set this variable to yes, computers from the internal net can only access those services on the firewall that are explicitly allowed in FW_SERVICES_INTERNAL_*.

If you set this option to no, all services that are running on your firewall are accessible to the internal net.

8. FW_AUTOPROTECT_GLOBAL_SERVICES
This option protects services (TCP and UDP) that listen on all network addresses of the firewall, not only on the explicitly defined ones. It can be overridden for single services with FW_SERVICES_*.

9. FW_SERVICES_*
Here you should enter all services that are used by the corresponding networks.

Example:
If you want to make only ports 80 and 25 accessible from the outside (Internet), but ports 80, 25, 137-139 and 10000 from the inside, you have to do the following:

    FW_SERVICES_EXTERNAL_TCP="80 25"
    FW_SERVICES_INTERNAL_TCP="80 25 137:139 10000"

You can also specify services by names that can be resolved via the file /etc/services,
e.g.:

    FW_SERVICES_EXTERNAL_TCP="www smtp"
    FW_SERVICES_INTERNAL_TCP="www smtp 137:139 10000"

Port ranges are written with a colon, e.g. the ports 1 to 1024 are given as 1:1024.
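To see how a FW_SERVICES_* value turns into concrete port numbers, here is a small POSIX shell script that resolves the three token forms described above (plain port, low:high range, service name or alias from /etc/services). This is an added example and not part of the article or of the SuSE firewall scripts; it embeds a constructed excerpt of /etc/services so it runs offline, and the SERVICES_DB variable, the function names and the sample data are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not the SuSE firewall's own code: resolve a FW_SERVICES_*
# value into numeric ports. Set SERVICES_DB=/etc/services on a real system;
# by default a constructed excerpt below is used so the script runs offline.

SERVICES_DB="${SERVICES_DB:-}"

# Constructed sample in /etc/services format: name port/proto [aliases...]
sample_services() {
cat <<'EOF'
# constructed excerpt, not a real /etc/services
ftp-data    20/tcp
ftp         21/tcp
smtp        25/tcp   mail
domain      53/tcp
domain      53/udp
www         80/tcp   http
netbios-ns  137/udp
EOF
}

# lookup_service NAME PROTO -> prints the port number, nothing if unknown.
# Matches the service name or any of its aliases for the given protocol.
lookup_service() {
    if [ -n "$SERVICES_DB" ]; then src="cat $SERVICES_DB"; else src=sample_services; fi
    $src | awk -v n="$1" -v p="$2" '
        /^#/ || NF < 2 { next }
        {
            split($2, a, "/")
            if (a[2] != p) next
            if ($1 == n) { print a[1]; exit }
            for (i = 3; i <= NF; i++) if ($i == n) { print a[1]; exit }
        }'
}

# resolve_ports PROTO "TOKEN TOKEN ..." -> prints the resolved list on one
# line, keeping low:high ranges as they are; returns 1 if a token is unknown.
resolve_ports() {
    proto=$1; rc=0; out=""
    for tok in $2; do
        case $tok in
            [0-9]*) port=$tok ;;                          # number or low:high
            *)      port=$(lookup_service "$tok" "$proto") ;;  # name from services db
        esac
        if [ -z "$port" ]; then
            echo "unknown $proto service: $tok" >&2
            rc=1
            continue
        fi
        out="$out${out:+ }$port"
    done
    printf '%s\n' "$out"
    return $rc
}

# The article's internal list, resolved: prints "80 25 137:139 10000"
resolve_ports tcp "www smtp 137:139 10000"
```

A name that is not in the services database (or exists only for the other protocol, like netbios-ns for TCP in the sample) is reported on stderr and left out, which is the check you want before the rules are loaded: a typo in a service name should not silently open or close the wrong port.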

10. FW_TRUSTED_NETS and FW_SERVICES_TRUSTED
Here you enter the computers/networks on the Internet that shall have access to certain services.

e.g.: FW_TRUSTED_NETS="10.128.71.55 10.128.7.0/16"

This means that the computer 10.128.71.55 and the network 10.128.7.0 with netmask 255.255.0.0 have access to the permitted services.

The services that shall be accessible are entered in FW_SERVICES_TRUSTED_*; the ports are specified as in item 9.

11. FW_ALLOW_INCOMING_HIGHPORTS_*
This variable defines the behaviour for accesses to unprivileged ports (above 1023).

Possible values:
yes = everybody; no = nobody;

or service names that can be resolved via /etc/services.

You should set FW_ALLOW_INCOMING_HIGHPORTS_UDP to dns so that replies from nameservers can be received.
You should set FW_ALLOW_INCOMING_HIGHPORTS_TCP to ftp-data to use ftp in passive mode.

12. FW_SERVICE_*
Set the corresponding services to yes if you want to provide those services on the firewall.

If you set a service to yes, remember also to add the corresponding port to FW_SERVICES_*,
e.g. for DNS, port 53 must be added to FW_SERVICES_*.

13. FW_FORWARD_*
Here you define whether the internal net may be accessed from the Internet or the DMZ.

e.g.: FW_FORWARD_TCP="10.128.7.4,192.168.10.1,25"

This means that all requests to port 25 from 10.128.7.4 are forwarded to port 25 of 192.168.10.1 (TCP here, since port 25 is SMTP).

You can also forward requests from whole networks on a port to an internal computer,
e.g.: FW_FORWARD_TCP="10.128.7.0/24,192.168.10.1,25"

14. FW_FORWARD_MASQ_*
Here you can define what computers/networks from the outside may access masqueraded computers in the internal network.

15. FW_STOP_KEEP_ROUTING_STATE
If you have a temporary (dial-up) Internet connection, set this variable to yes.

Routing is then not disabled when the rules are unloaded, so that a new automatic dial-in can be performed.

The variables FW_LOG, FW_KERNEL_SECURITY, FW_ALLOW_PING, FW_ALLOW_FW_TRACEROUTE, FW_MASQ_MODULES, FW_CUSTOMRULES should only be changed if you know what you are doing.

5.3 A configuration example

/etc/rc.config.d/firewall.rc.config

    START_FW="yes"
    FW_DEV_WORLD="eth0"
    FW_DEV_INT="eth1"
    FW_DEV_DMZ=""
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_NETS="192.168.10.0/24"
    FW_MASQ_DEV="eth0"
    FW_PROTECT_FROM_INTERNAL="yes"
    FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
    FW_SERVICES_EXTERNAL_TCP="www smtp 137:139 3128"
    FW_SERVICES_EXTERNAL_UDP="domain"
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_INTERNAL_TCP="www smtp 137:139 3128 10000 3000"
    FW_SERVICES_INTERNAL_UDP="domain"
    FW_TRUSTED_NETS=""
    FW_SERVICES_TRUSTED_TCP=""
    FW_SERVICES_TRUSTED_UDP=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
    FW_SERVICE_DNS="yes"
    FW_SERVICE_DHCP_CLIENT="no"
    FW_SERVICE_SAMBA="no"
    FW_FORWARD_TCP=""
    FW_FORWARD_UDP=""
    FW_FORWARD_MASQ_TCP=""
    FW_FORWARD_MASQ_UDP=""
    FW_REDIRECT_TCP=""
    FW_REDIRECT_UDP=""
    FW_LOG_DENY_CRIT="yes"
    FW_LOG_DENY_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
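Section 5.2 states several dependencies between these variables (a DMZ interface or masquerading needs FW_ROUTE=yes, masquerading needs FW_MASQ_NETS and FW_MASQ_DEV, FW_SERVICE_DNS=yes needs port 53 in FW_SERVICES_*). The following POSIX shell script checks a firewall.rc.config against exactly those rules before the firewall is started. It is an added example, not code from the article or the SuSE firewall package; the sample configuration it writes is a constructed variant of the example above with two mistakes introduced on purpose (FW_ROUTE="no" while a DMZ interface and masquerading are configured, and FW_SERVICE_DNS="yes" without "domain"/53 in any FW_SERVICES_*_UDP list), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the SuSE firewall's own code: check the variable
# dependencies described in section 5.2 of the article. On a real system
# run: check_firewall_config /etc/rc.config.d/firewall.rc.config

# write_sample_config FILE: a constructed config with two deliberate errors
write_sample_config() {
cat >"$1" <<'EOF'
START_FW="yes"
FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="no"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
FW_MASQ_DEV="eth0"
FW_SERVICES_EXTERNAL_TCP="www smtp"
FW_SERVICES_EXTERNAL_UDP=""
FW_SERVICES_INTERNAL_TCP="www smtp 137:139 10000"
FW_SERVICES_INTERNAL_UDP=""
FW_SERVICE_DNS="yes"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
EOF
}

# has_token "LIST" TOKEN: true if TOKEN is one of the space-separated words
has_token() {
    for w in $1; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# check_firewall_config FILE: prints one line per problem found and returns
# the number of problems (0 means all dependencies from 5.2 hold). The file
# is sourced in a subshell so its variables do not leak into the caller.
check_firewall_config() {
    (
        . "$1" || exit 99
        n=0
        fail() { echo "$1"; n=$((n + 1)); }

        [ "$START_FW" = "yes" ] || fail "START_FW is not yes: the firewall will not be started (5.2, item 1)"

        # item 4: a DMZ interface requires routing
        if [ -n "$FW_DEV_DMZ" ] && [ "$FW_ROUTE" != "yes" ]; then
            fail "FW_DEV_DMZ is set but FW_ROUTE is not yes (5.2, item 4)"
        fi

        # item 6: masquerading requires routing, a net list and an outgoing device
        if [ "$FW_MASQUERADE" = "yes" ]; then
            [ "$FW_ROUTE" = "yes" ] || fail "FW_MASQUERADE=yes requires FW_ROUTE=yes (5.2, item 6)"
            [ -n "$FW_MASQ_NETS" ]  || fail "FW_MASQUERADE=yes but FW_MASQ_NETS is empty (5.2, item 6)"
            [ -n "$FW_MASQ_DEV" ]   || fail "FW_MASQUERADE=yes but FW_MASQ_DEV is empty (5.2, item 6)"
        fi

        # item 5: forwarding rules only work with routing enabled
        if [ -n "$FW_FORWARD_TCP$FW_FORWARD_UDP" ] && [ "$FW_ROUTE" != "yes" ]; then
            fail "FW_FORWARD_* is set but FW_ROUTE is not yes (5.2, item 5)"
        fi

        # item 12: a DNS service on the firewall needs port 53 opened somewhere
        if [ "$FW_SERVICE_DNS" = "yes" ]; then
            all_udp="$FW_SERVICES_EXTERNAL_UDP $FW_SERVICES_INTERNAL_UDP $FW_SERVICES_DMZ_UDP"
            has_token "$all_udp" domain || has_token "$all_udp" 53 ||
                fail "FW_SERVICE_DNS=yes but no FW_SERVICES_*_UDP list contains domain/53 (5.2, item 12)"
        fi

        exit $n
    )
}

# Run on the constructed sample: prints three findings and "problems found: 3"
cfg=$(mktemp) && write_sample_config "$cfg"
check_firewall_config "$cfg"; echo "problems found: $?"
rm -f "$cfg"
```

Because the rc.config file is plain shell, sourcing it is the same thing the SuSE scripts do; the subshell keeps the sourced values away from the rest of the script, and the exit status makes the check usable from a boot script or a pre-commit hook on the configuration.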




