Firewall
Setting Up a Firewall with SuSE Linux
1. What is a firewall?
In computer terminology, a "firewall" is a computer that sits between two networks and protects one of them against attacks and unwanted access from the other.
2. Why is a firewall necessary?
As companies, private households, schools and other public institutions connect their networks to the global Internet, these small local networks (LANs, Local Area Networks) have to be protected against attacks and viruses coming in from the Internet.
But remember: "The aggressor does not always attack over the Internet!"
A firewall can only filter traffic that actually passes through it; it does nothing against an attacker who is already on the internal network, and it protects nothing if traffic can take another path around it (a second modem, a second uplink). You must therefore make sure that the firewall is the only connection between the networks it separates.
3. Prerequisites
In order to set up a SuSE firewall, you need some knowledge about networks: what ports, IP addresses and services are, and which of them you use.
You should know how to add network cards with YAST and assign IP addresses.
Of course, you also need a running Linux system.
*** IMPORTANT ***
You must know which services you want to offer and which ports they use.
If you do not, look them up in /etc/services, which maps service names to port numbers and protocols (e.g. "grep -w smtp /etc/services" shows that smtp is 25/tcp). Every port you open is attack surface, so open only those you actually need.
4. Installation
4.1 Setting up two network cards
We assume that you have already installed and configured one network card.
Now we are going to install a second one.
4.1.1 PCI cards
If you own two PCI network cards, installation should be no problem: the IRQ and the I/O port are recognized and configured automatically.
4.1.2 ISA cards
If you own two ISA cards, the installation presents a small problem: Linux probes for only one ISA card by default and so will not find the second one. We can solve this as follows:
Start YAST
--> System administration
--> Kernel- and boot-configuration
--> Configure LILO.
Add the following entry to the append line:
"ether=[IRQ],[IO],[DEVICE]"
Substitute the expressions in brackets according to your system (e.g. "ether=10,0x300,eth1").
If you have more than two ISA network cards in your computer, list each further card in the append line as well, separated by spaces:
"ether=[IRQ],[IO],eth1 ether=[IRQ],[IO],eth2" and so on.
Our append line looks like:
"ether=10,0x300,eth1 ether=5,0x320,eth2"
Press "Next" and YAST will alter the config files.
Reboot your system so that the new LILO configuration takes effect.
(This is the only reboot needed in the whole procedure.)
4.2 Configuring the network cards
Start YAST
--> Integrate Hardware
--> Configure network cards.
One network card should already be configured.
Now press F3 and select eth1. Its "card type" field should still be empty; enter the type of your second network card there.
Press "Next" and YAST will
update the config files for you.
Leave YAST and restart your network by typing
>> /etc/rc.d/network restart
If everything went right, you should see the following lines:
Shutting down network device eth1    done
Shutting down network device eth0    done
Setting up network device eth0       done
Setting up network device eth1       done
If any line says "failed", repeat the configuration of the network cards as described in step 4.2, but this time enter the values of your network card in the line "Module options",
e.g.: irq=[IRQ] io=[IO]
with the correct IRQ and I/O values for your card (e.g. irq=10 io=0x300).
When both cards are working (check with "ifconfig eth0" and "ifconfig eth1": each must show its IP address and the UP flag), continue with step 5.
5. Configuration of the SuSE firewall
5.1. Necessary packages
To be able to configure the firewall, you first need the following packages installed:
ipchains
firewalls
both from the "Security software" group.
If you have already installed these packages, continue at step 5.2.
Package installation:
Start YAST
--> Start installation
--> Change/create configuration
Go to the menu
"Security software".
Install the package "firewalls" there.
5.2 Configuration of the firewall with YAST
Start YAST
--> System administration
--> Change configuration file
Look for the variables that begin with "FW_"; these configure the SuSE firewall.
Each of them is explained below.
1. START_FW
Set this variable to "yes"
if you want to start the SuSE firewall.
2. FW_DEV_WORLD
Insert all network interfaces here that are connected to the
"insecure" part of the net.
e.g.: ippp0, eth0, eth1 and so on.
3. FW_DEV_INT
Insert all network interfaces here, that are connected to the
"secure" part of the net.
e.g.: ippp0, eth0, eth1 and so on.
4. FW_DEV_DMZ
Insert all network interfaces here that are connected to the DMZ (demilitarised zone),
e.g.: ippp0, eth0, eth1 and so on.
The DMZ is a separate network attached to the firewall. The computers in it provide services to the outside (e.g. mail, FTP, news) and therefore need official IP addresses that are routed through the firewall. Because they are reachable from the Internet, keep them off the internal net: a compromised DMZ host should not get any further than the DMZ.
If you fill in this variable, you also have to set FW_ROUTE to yes and allow the forwarding of the services (FW_FORWARD_*).
5. FW_ROUTE
If your firewall passes packets directly between the Internet and your networks or the DMZ (i.e. it routes, instead of handling everything through proxy services running on the firewall), set this variable to yes.
Then also configure FW_MASQUERADE or the FW_FORWARD_* variables for the services that shall be forwarded; routing alone forwards nothing, the masquerading and forwarding rules decide what passes.
6. FW_MASQUERADE, FW_MASQ_NETS and FW_MASQ_DEV
If your firewall is connected directly to the Internet and your clients shall reach the Internet without a proxy, set FW_MASQUERADE to yes.
Masquerading (network address translation) rewrites the private source addresses of your internal computers to the firewall's official address, so that from the Internet all connections appear to come from the firewall itself. Replies are translated back by the firewall; hosts on the Internet cannot open connections to the internal computers this way.
To use masquerading, FW_ROUTE must also be set to yes.
Enter all computers and/or networks that shall be masqueraded into FW_MASQ_NETS,
e.g.: FW_MASQ_NETS="192.168.10.0/24 192.168.1.1"
This means that the computer 192.168.1.1 and the class C net 192.168.10.0 (netmask 255.255.255.0) get masqueraded access to the Internet.
In FW_MASQ_DEV enter all outgoing interfaces on which masquerading shall take place,
e.g.: FW_MASQ_DEV="ippp0 eth1"
7. FW_PROTECT_FROM_INTERNAL
If you set this variable to yes, computers from the internal net can only reach those services on the firewall that are explicitly allowed in FW_SERVICES_INTERNAL_*.
If you set it to no, every service running on the firewall is reachable from the internal net.
Set it to yes: a single compromised workstation should not get a free run at the firewall.
8. FW_AUTOPROTECT_GLOBAL_SERVICES
If set to yes, all services (TCP and UDP) that listen on all addresses of the firewall (i.e. bound to 0.0.0.0 rather than to one specific interface address) are protected automatically: they are only reachable where FW_SERVICES_* explicitly allows them. Individual services can be opened again with FW_SERVICES_*.
Leave this at yes; a daemon that binds to all addresses would otherwise answer on the Internet side as well.
9. FW_SERVICES_*
Here you enter, per network (EXTERNAL, INTERNAL, DMZ) and per protocol (TCP, UDP), the services on the firewall that the corresponding network may use.
Example:
If you want to make only ports 80 and 25 accessible from the outside (Internet) but 80, 25, 137-139 and 10000 from the inside, you have to write:
FW_SERVICES_EXTERNAL_TCP="80 25"
FW_SERVICES_INTERNAL_TCP="80 25 137:139 10000"
You can also use service names that can be resolved via /etc/services,
e.g.:
FW_SERVICES_EXTERNAL_TCP="www smtp"
FW_SERVICES_INTERNAL_TCP="www smtp 137:139 10000"
Port ranges are written with a colon, e.g. the ports 1 to 1024 are written 1:1024.
Everything not listed here is blocked, so start with an empty EXTERNAL list and add only what you really offer.
10. FW_TRUSTED_NETS and FW_SERVICES_TRUSTED_*
Here you enter the computers/networks on the Internet that shall have access to certain additional services,
e.g.: FW_TRUSTED_NETS="10.128.71.55 10.128.0.0/16"
This means that the computer 10.128.71.55 and the network 10.128.0.0 with netmask 255.255.0.0 have access to the trusted services. (Write the network address with the host bits cleared: 10.128.7.0/16 would name the same /16, but some tools reject or silently widen such an entry.)
The services that shall be accessible to them are entered in FW_SERVICES_TRUSTED_TCP and FW_SERVICES_TRUSTED_UDP, in the same notation as in 9.
Remember that this trust is based on the source IP address alone, which can be spoofed; it is no substitute for authentication.
11. FW_ALLOW_INCOMING_HIGHPORTS_*
This variable defines whether incoming connections to unprivileged ports (above 1023) are accepted.
Possible values:
yes = from everybody; no = from nobody;
or a list of service names that can be resolved via /etc/services, in which case only packets whose source port is that service are let in.
Set FW_ALLOW_INCOMING_HIGHPORTS_UDP to dns so that the replies of name servers (source port 53) to your own queries can come back in.
Set FW_ALLOW_INCOMING_HIGHPORTS_TCP to ftp-data if you need FTP in active mode, where the server opens the data connection from its port 20 to a high port on your side. (Passive mode does not need this, because there the client opens both connections.)
Be aware that this is a stateless filter: anyone can send packets with source port 20 or 53, so these settings let an attacker reach every unprivileged port on which something is listening. Prefer passive FTP, keep the list as short as possible, and never set these variables to yes on a firewall facing the Internet.
12. FW_SERVICE_*
Set the corresponding variable (e.g. FW_SERVICE_DNS, FW_SERVICE_SAMBA, FW_SERVICE_DHCP_CLIENT) to yes if you want to provide that service on the firewall itself.
If you set a service to yes, remember to also open its port in FW_SERVICES_*,
e.g.: for DNS, port 53 (service name "domain") must be added to FW_SERVICES_*_UDP, and to FW_SERVICES_*_TCP as well if zone transfers or large answers are needed.
13. FW_FORWARD_*
Here you define which connections from the Internet or the DMZ may be forwarded into the internal net. An entry has the form source,destination,port,
e.g.: FW_FORWARD_TCP="10.128.7.4,192.168.10.1,25"
This means that requests from 10.128.7.4 to port 25 are forwarded to port 25 of 192.168.10.1.
You can also forward requests from a whole net on a port to an internal computer,
e.g.: FW_FORWARD_TCP="10.128.7.0/24,192.168.10.1,25"
Every such entry punches a hole from the outside into the internal net; a machine that must be reachable from the Internet belongs in the DMZ, not behind this rule.
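What the masquerading variables of item 6 and the FW_FORWARD_* entries of item 13 amount to at the ipchains level, as an added example that is not part of this page and not the SuSEfirewall script itself. The anti-spoofing rule on the world interface is an addition a practitioner would want, whether or not the script generates it; interface names and addresses are the ones used in this tutorial. The functions return the commands as strings instead of running them, so they can be inspected on any machine.

```python
import ipaddress

# Values taken from the tutorial's examples (items 6 and 13); constructed for illustration.
FW_DEV_WORLD = "eth0"
FW_MASQ_DEV = "eth0"
FW_MASQ_NETS = "192.168.10.0/24 192.168.1.1"
FW_FORWARD_TCP = "10.128.7.0/24,192.168.10.1,25"


def masq_rules(masq_nets, masq_dev, dev_world):
    """ipchains commands for FW_MASQUERADE=yes with the given FW_MASQ_NETS and FW_MASQ_DEV."""
    # strict=False turns a bare host address such as 192.168.1.1 into 192.168.1.1/32
    nets = [ipaddress.ip_network(n, strict=False) for n in masq_nets.split()]
    rules = [
        # FW_ROUTE=yes: the kernel must forward packets at all
        "echo 1 > /proc/sys/net/ipv4/ip_forward",
        # forward nothing that is not explicitly listed below
        "ipchains -P forward DENY",
    ]
    for dev in masq_dev.split():
        for net in nets:
            # packets from a masqueraded net leaving through the outside interface get the
            # firewall's own address as source; replies are de-masqueraded by the kernel
            rules.append(f"ipchains -A forward -i {dev} -s {net.with_prefixlen} -j MASQ")
    # Editor's addition (anti-spoofing): a packet arriving on the world interface with an
    # internal source address is forged and must never be accepted; -l logs the attempt.
    for net in nets:
        rules.append(f"ipchains -A input -i {dev_world} -s {net.with_prefixlen} -j DENY -l")
    return rules


def forward_rules(fw_forward, proto="tcp"):
    """ipchains commands for FW_FORWARD_* entries of the form "source,destination,port".

    A routed packet traverses the input chain on arrival, then the forward chain (and the
    output chain, assumed here to have policy ACCEPT), so it must be accepted in both.
    """
    rules = []
    for entry in fw_forward.split():
        src, dst, port = entry.split(",")
        ipaddress.ip_network(src, strict=False)  # raises ValueError on a typo
        ipaddress.ip_address(dst)
        rules.append(f"ipchains -A input -p {proto} -s {src} -d {dst} {port} -j ACCEPT")
        rules.append(f"ipchains -A forward -p {proto} -s {src} -d {dst} {port} -j ACCEPT")
    return rules


if __name__ == "__main__":
    for rule in masq_rules(FW_MASQ_NETS, FW_MASQ_DEV, FW_DEV_WORLD) + forward_rules(FW_FORWARD_TCP):
        print(rule)
```

Note that the MASQ rule only rewrites packets that leave through FW_MASQ_DEV; it does not open anything inbound, which is why the FW_FORWARD_* and FW_FORWARD_MASQ_* entries are needed for every service that must be reachable from outside.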
14. FW_FORWARD_MASQ_*
Here you define which computers/networks from the outside may access masqueraded computers in the internal net (port forwarding through the masquerading firewall).
The same warning as for 13 applies: each entry makes an internal machine reachable from the Internet, so keep this list empty unless you really have to.
15. FW_STOP_KEEP_ROUTING_STATE
If you have a dial-up (temporary) Internet connection, set this variable to yes.
Routing then stays enabled when the rules are unloaded, so that the next automatic dial-in still works.
The variables FW_LOG, FW_KERNEL_SECURITY, FW_ALLOW_PING, FW_ALLOW_FW_TRACEROUTE, FW_MASQ_MODULES, FW_CUSTOMRULES should only be changed if you know what you are doing.
5.3 A configuration example
| /etc/rc.config.d/firewall.rc.config |
START_FW="yes"
FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
FW_MASQ_DEV="eth0"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
FW_SERVICES_EXTERNAL_TCP="www smtp 137:139 3128"
FW_SERVICES_EXTERNAL_UDP="domain"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_INTERNAL_TCP="www smtp 137:139 3128 10000 3000"
FW_SERVICES_INTERNAL_UDP="domain"
FW_TRUSTED_NETS=""
FW_SERVICES_TRUSTED_TCP=""
FW_SERVICES_TRUSTED_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCP_CLIENT="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
FW_FORWARD_MASQ_TCP=""
FW_FORWARD_MASQ_UDP=""
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
|
The file is read by the shell, so values containing spaces must be quoted as shown. Two settings in this example deserve a second look before you copy it: FW_SERVICES_EXTERNAL_TCP opens the NetBIOS ports 137-139 and port 3128 (typically a web proxy such as squid) to the whole Internet, and FW_ALLOW_INCOMING_HIGHPORTS_TCP/UDP="yes" lets anyone connect to every unprivileged port. On a real installation restrict the external list to the services you actually offer to the world (here www and smtp) and set the HIGHPORTS variables to the service names recommended in 11.
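A small lint for a firewall.rc.config fragment, as an added example that is not part of this page and not a SuSE tool: it checks the dependencies described in items 4, 5, 6 and 12 (FW_ROUTE, port 53 for FW_SERVICE_DNS), expands the service notation of item 9 against /etc/services, rejects network entries with host bits set (item 10) and flags the two weak settings discussed above. The /etc/services subset and the configuration fragment are constructed and embedded so the script runs offline; the fragment deliberately contains the mistakes the lint is meant to catch, and the list of ports that must never face the Internet is the editor's choice.

```python
import ipaddress
import re

# Constructed subset of /etc/services, embedded so the example runs without the real file.
ETC_SERVICES = """\
smtp        25/tcp    mail
domain      53/tcp
domain      53/udp
www         80/tcp    http
netbios-ssn 139/tcp
"""
# Constructed fragment modelled on the example in 5.3, with mistakes planted on purpose:
# masquerading without FW_ROUTE, a trusted net with host bits set, no port 53 although
# the firewall runs a name server, and high ports open to everybody.
FIREWALL_RC = """\
START_FW="yes"
FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="no"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
FW_SERVICES_EXTERNAL_TCP="www smtp 137:139 3128"
FW_SERVICES_INTERNAL_TCP="www smtp 137:139 3128 10000"
FW_SERVICES_INTERNAL_UDP=""
FW_TRUSTED_NETS="10.128.71.55 10.128.7.0/16"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_SERVICE_DNS="yes"
"""
# Ports that must not be reachable from FW_DEV_WORLD (editor's choice): NetBIOS/SMB, web proxy.
NEVER_EXTERNAL = {137, 138, 139, 3128}

def parse_services(text):
    """Map (name, proto) -> port for every name and alias in /etc/services syntax."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port, proto = fields[1].split("/")
        for name in [fields[0]] + fields[2:]:
            table[(name, proto)] = int(port)
    return table

def parse_rc(text):
    """Read NAME="value" (or NAME=value) assignments as written in rc.config files."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*([A-Z][A-Z0-9_]*)=(?:"([^"]*)"|([^\s#]*))', line)
        if m:
            cfg[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return cfg

def expand_ports(value, proto, services):
    """Turn 'www smtp 137:139 10000' into the set of port numbers it stands for."""
    ports = set()
    for tok in value.split():
        if re.fullmatch(r"\d+", tok):
            ports.add(int(tok))
        elif re.fullmatch(r"\d+:\d+", tok):
            lo, hi = (int(x) for x in tok.split(":"))
            ports.update(range(lo, hi + 1))
        elif (tok, proto) in services:
            ports.add(services[(tok, proto)])
        else:
            raise ValueError(f"{tok!r} is neither a port, a range nor a {proto} service")
    return ports

def lint(cfg, services):
    """Return a list of findings for a parsed firewall.rc.config (empty list = clean)."""
    findings = []
    yes = lambda key: cfg.get(key, "no") == "yes"
    if (yes("FW_MASQUERADE") or cfg.get("FW_DEV_DMZ")) and not yes("FW_ROUTE"):
        findings.append("FW_ROUTE must be yes when FW_MASQUERADE=yes or FW_DEV_DMZ is set")
    for key in ("FW_MASQ_NETS", "FW_TRUSTED_NETS"):
        for tok in cfg.get(key, "").split():
            try:
                ipaddress.ip_network(tok)  # strict by default: host bits must be zero
            except ValueError:
                net = ipaddress.ip_network(tok, strict=False)
                findings.append(f"{key}: {tok} has host bits set; the rule would cover {net}")
    opened = {}
    for zone in ("EXTERNAL", "INTERNAL", "DMZ", "TRUSTED"):
        for proto in ("tcp", "udp"):
            value = cfg.get(f"FW_SERVICES_{zone}_{proto.upper()}", "")
            opened[(zone, proto)] = expand_ports(value, proto, services)
    bad = opened[("EXTERNAL", "tcp")] & NEVER_EXTERNAL
    if bad:
        findings.append(f"FW_SERVICES_EXTERNAL_TCP exposes {sorted(bad)} to the Internet")
    if yes("FW_SERVICE_DNS") and not any(53 in p for (z, pr), p in opened.items() if pr == "udp"):
        findings.append("FW_SERVICE_DNS=yes but port 53 (domain) is in no FW_SERVICES_*_UDP")
    for proto in ("TCP", "UDP"):
        if yes(f"FW_ALLOW_INCOMING_HIGHPORTS_{proto}"):
            findings.append(f"FW_ALLOW_INCOMING_HIGHPORTS_{proto}=yes opens every port above 1023")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_rc(FIREWALL_RC), parse_services(ETC_SERVICES)):
        print("WARNING:", finding)
```

To check a real file, replace the two embedded strings with the contents of /etc/services and /etc/rc.config.d/firewall.rc.config; an unknown service name raises a ValueError on purpose, since a typo there silently drops the port from the allowed list.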