Setting Up a Firewall with SuSE Linux
1. What is a firewall?
In computer terminology, "firewall" is a term for a computer that is an interface between two computer networks and protects particular areas of a network against attacks and/or unwanted access.
2. Why is a firewall necessary?
Because of the expanding network connections of companies, private households, schools and other public institutions and their connection to the global Internet, these "local and small" networks (so called LANs, Local Area Networks) have to be protected against attacks and viruses coming over the Internet.
But remember: "The aggressor does not always attack over the Internet!"
A firewall can only protect against attacks that pass through it; it won't stop attacks that originate in the same network. Because of that, you must make sure that the firewall is the only connection between the adjacent networks.
In order to set up a SuSE firewall, you need some knowledge about networks, such as what ports, IP addresses and services are used.
You should know how to add network cards with YAST and assign IP addresses.
Of course, you also should have a running Linux system.
*** IMPORTANT ***
You should know what services you want to use and what ports are used by them.
If you do not know that, you can read in /etc/services which port is used by a particular service.
4.1 Setting up two network cards
We assume that you have already installed and configured one network card.
Now we are going to install a second one.
4.1.1 PCI cards
If you own two PCI network cards, the installation should be no problem because the IRQ and the I/O port are automagically recognized and configured.
4.1.2 ISA cards
If you own two ISA cards, the installation will present a small problem. Linux does not automatically look for a second ISA card and so will not find it. We can solve this problem as follows:
Start YAST and go to: System administration --> Kernel- and boot-configuration --> configure LILO.
Add an append line of the form "ether=[IRQ],[IO],eth1" and substitute the expressions in brackets according to your system (e.g. "ether=10,0x300,eth1").
If you have more than two ISA network cards in your computer, you have to extend the append line as follows:
"ether=[IRQ],[IO],eth1 ether=[IRQ],[IO],eth2" and so on (the entries are separated by spaces, one ether= entry per card).
Our append line looks like:
Push "Next" and YAST will alter the config files.
Re-boot your system in order to allow LILO to make the changes.
(This is the only re-boot necessary in Linux.)
4.2 Configuring the network cards
In YAST go to: Integrate Hardware --> Configure network cards.
Now press F3 and select eth1. There should not yet be an entry in "card type"; enter your second network card there.
Press "Next" and YAST will update the config files for you.
Leave YAST and restart your network by typing
>> /etc/rc.d/network restart
If everything went right, you should be able to read the following lines:
Shutting down network device eth1 done
Shutting down network device eth0 done
Setting up network device eth0 done
Setting up network device eth1 done
If there are lines with "failed", repeat the configuration of the network cards as described in step 4.2, but this time enter the values of your network card in the line "Module options",
e.g.: irq=[IRQ] io=[IO]
where you substitute the correct IRQ and I/O port values for your card.
When both cards are working, we can continue with step 5.
5. Configuration of the SuSE firewall
5.1. Necessary packages
To be able to configure the firewall, you first need the following packages installed:
both from security.
If you have already installed these packages continue on at step 5.2.
In YAST go to: Start installation --> Change/create configuration
Install the package "firewalls" there.
5.2 Configuration of the firewall with YAST
In YAST go to: System administration --> Change configuration file
Look for the variables that begin with "FW_". These are the variables that configure the SuSE firewall.
In the following, we will explain every variable for you.
FW_START
Set this variable to "yes" if you want the SuSE firewall to be started.
FW_DEV_WORLD
Insert all network interfaces here that are connected to the "insecure" part of the net,
e.g.: ippp0, eth0, eth1 and so on.
FW_DEV_INT
Insert all network interfaces here that are connected to the "secure" part of the net,
e.g.: ippp0, eth0, eth1 and so on.
FW_DEV_DMZ
Insert all network interfaces here that are connected to the DMZ (demilitarised zone),
e.g.: ippp0, eth0, eth1 and so on.
The DMZ is a separate network attached to the firewall. The computers residing in this network provide services to the outside (e.g. mail, FTP, news). These computers require an official IP address that is routed through the firewall.
If you configure a DMZ interface here, you also have to set the variable FW_ROUTE to yes and allow the forwarding of the services (FW_FORWARD_*).
FW_ROUTE
If your firewall has a direct connection to the Internet or the DMZ (without proxy services), set this variable to yes.
Also, the variables FW_MASQUERADE or FW_FORWARD_* must be updated for the services that shall be forwarded.
FW_MASQUERADE, FW_MASQ_NETS and FW_MASQ_DEV
If your firewall is connected directly to the internet and you want to get into the internet with your clients without using a proxy, you should set the variable FW_MASQUERADE to yes.
These options translate your internal IP addresses into official ones, so that to the outside the connections appear to originate from the firewall itself.
To use masquerading, you must set FW_ROUTE to yes.
Enter all computers and/or networks that should be able to use masquerading into FW_MASQ_NETS,
e.g.: 192.168.10.0/24 192.168.1.1
This line means that the computer 192.168.1.1 and the class C net 192.168.10.x /255.255.255.0 have masqueraded access to the internet.
In FW_MASQ_DEV you have to enter all outgoing interfaces that shall be masqueraded,
e.g.: ippp0, eth1
FW_PROTECT_FROM_INTERNAL
If you set this variable to yes, computers from the internal net can only access the services that are explicitly allowed in FW_SERVICES_INTERNAL_*.
If you set this option to no, all services that are running on your firewall are accessible from the internal net.
FW_AUTOPROTECT_GLOBAL_SERVICES
This option protects services (TCP and UDP) that listen on all network addresses of the firewall (not only on the explicitly configured ones). It can be overridden for single services with FW_SERVICES_*.
FW_SERVICES_EXTERNAL_*, FW_SERVICES_INTERNAL_* and FW_SERVICES_DMZ_*
Here you enter all services on the firewall that may be used from the corresponding networks.
If you want to make only ports 80 and 25 accessible to the outside (Internet), but 80, 25, 137-139 and 10000 to the inside, you have to do the following:
FW_SERVICES_EXTERNAL_TCP= 80 25
FW_SERVICES_INTERNAL_TCP= 80 25 137:139 10000
You can also use service names that can be resolved via the file /etc/services:
FW_SERVICES_EXTERNAL_TCP= www smtp
FW_SERVICES_INTERNAL_TCP= www smtp 137:139 10000
Port ranges are written with a colon, e.g. the ports 1 to 1024 are defined as: 1:1024
FW_TRUSTED_NETS and FW_SERVICES_TRUSTED
Here you enter the computers/networks from the Internet that shall have access to certain services.
e.g.: FW_TRUSTED_NETS = 10.128.71.55 10.128.7.0/16
This means that the computer 10.128.71.55 and the network 10.128.7.0 in the subnet 255.255.0.0 have access to the accessible services.
The services that shall be accessible are added to FW_SERVICES_TRUSTED. The ports are entered in the same way as for FW_SERVICES_*.
FW_ALLOW_INCOMING_HIGHPORTS_TCP and FW_ALLOW_INCOMING_HIGHPORTS_UDP
These variables define whether incoming connections to unprivileged ports (above 1023) on the firewall are accepted.
Everybody = yes; nobody = no,
or enter service names that can be resolved via /etc/services.
You should set FW_ALLOW_INCOMING_HIGHPORTS_UDP to dns so that the answers from nameservers to your DNS requests are accepted.
You should set FW_ALLOW_INCOMING_HIGHPORTS_TCP to ftp-data to use ftp in passive mode.
FW_SERVICE_DNS, FW_SERVICE_DHCP_CLIENT and FW_SERVICE_SAMBA
Set the corresponding service to yes if you want to provide that service on the firewall itself.
If you set a service to yes, remember to add the corresponding port in FW_SERVICES_*,
e.g.: for DNS, port 53 must be added to FW_SERVICES_*.
FW_FORWARD_TCP and FW_FORWARD_UDP
Here you define whether the internal net may be accessed from the Internet or the DMZ.
e.g.: FW_FORWARD_TCP = 10.128.7.4,192.168.10.1,25
This means that all requests to port 25 from 10.128.7.4 are forwarded to port 25 of 192.168.10.1.
You can also forward requests from whole nets on a port to an internal computer,
e.g.: FW_FORWARD_TCP = 10.128.7.0/24,192.168.10.1,25
FW_FORWARD_MASQ_TCP and FW_FORWARD_MASQ_UDP
Here you can define which computers/networks from the outside may access masqueraded computers in the internal network.
FW_STOP_KEEP_ROUTING_STATE
If you have a temporary Internet connection (dial-up), set this variable to yes.
That way routing is not disabled when the rules are unloaded, so that a new automatic dial-in can be performed.
The variables FW_LOG, FW_KERNEL_SECURITY, FW_ALLOW_PING, FW_ALLOW_FW_TRACEROUTE, FW_MASQ_MODULES, FW_CUSTOMRULES should only be changed if you know what you are doing.
5.3 A configuration example
FW_START=yes
FW_DEV_WORLD=eth0
FW_DEV_INT=eth1
FW_DEV_DMZ=
FW_ROUTE=yes
FW_MASQUERADE=yes
FW_MASQ_NETS=192.168.10.0/24
FW_MASQ_DEV=eth0
FW_PROTECT_FROM_INTERNAL=yes
FW_AUTOPROTECT_GLOBAL_SERVICES=yes
FW_SERVICES_EXTERNAL_TCP=www smtp 137:139 3128
FW_SERVICES_EXTERNAL_UDP=domain
FW_SERVICES_DMZ_TCP=
FW_SERVICES_DMZ_UDP=
FW_SERVICES_INTERNAL_TCP=www smtp 137:139 3128 10000 3000
FW_SERVICES_INTERNAL_UDP=domain
FW_TRUSTED_NETS=
FW_SERVICES_TRUSTED_TCP=
FW_SERVICES_TRUSTED_UDP=
FW_ALLOW_INCOMING_HIGHPORTS_TCP=yes
FW_ALLOW_INCOMING_HIGHPORTS_UDP=yes
FW_SERVICE_DNS=yes
FW_SERVICE_DHCP_CLIENT=no
FW_SERVICE_SAMBA=no
FW_FORWARD_TCP=
FW_FORWARD_UDP=
FW_FORWARD_MASQ_TCP=
FW_FORWARD_MASQ_UDP=
FW_REDIRECT_TCP=
FW_REDIRECT_UDP=
FW_LOG_DENY_CRIT=yes
FW_LOG_DENY_ALL=no
FW_LOG_ACCEPT_CRIT=yes
FW_LOG_ACCEPT_ALL=no
FW_KERNEL_SECURITY=yes
FW_STOP_KEEP_ROUTING_STATE=no
FW_ALLOW_PING_FW=yes
FW_ALLOW_PING_DMZ=no
Note that this example opens the NetBIOS ports 137:139 and the proxy port 3128 on the external interface (FW_SERVICES_EXTERNAL_TCP), whereas the example in 5.2 keeps 137-139 reachable from the inside only. Remove them from FW_SERVICES_EXTERNAL_TCP unless you really need to offer these services to the Internet.
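The dependencies between the FW_* variables described in 5.2 (FW_MASQUERADE and a DMZ need FW_ROUTE, FW_SERVICE_DNS needs port 53 opened, port ranges are written low:high) can be checked before the rules are loaded. The script below is an added example written for this page, not part of the SuSE firewall package; it assumes the config file is valid shell syntax with values containing spaces quoted (as in /etc/rc.config), and that getent can consult /etc/services for service names.

```shell
#!/bin/sh
# Added consistency checker for SuSEfirewall FW_* variables (example for this
# page, not SuSE's own code). It sources a config file and reports the
# dependencies the guide states; tokens are validated as port, range or name.

# A single TCP/UDP port number in 1..65535.
fw_valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# One token of FW_SERVICES_*: "80", "137:139" or "www" (looked up with getent).
fw_valid_service_token() {
    case "$1" in
        '') return 1 ;;
        *:*) low=${1%%:*}; high=${1#*:}
             fw_valid_port "$low" && fw_valid_port "$high" && [ "$low" -le "$high" ] ;;
        *[!0-9]*) getent services "$1" >/dev/null 2>&1 ;;
        *) fw_valid_port "$1" ;;
    esac
}

# Source the config file $1, print one line per problem and return the count.
fw_check_config() {
    FW_ROUTE=no FW_MASQUERADE=no FW_DEV_DMZ="" FW_SERVICE_DNS=no
    FW_SERVICES_EXTERNAL_TCP="" FW_SERVICES_INTERNAL_TCP="" FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_EXTERNAL_UDP="" FW_SERVICES_INTERNAL_UDP="" FW_SERVICES_DMZ_UDP=""
    . "$1"
    problems=0
    if [ "$FW_MASQUERADE" = yes ] && [ "$FW_ROUTE" != yes ]; then
        echo "FW_MASQUERADE=yes requires FW_ROUTE=yes"; problems=$((problems + 1))
    fi
    if [ -n "$FW_DEV_DMZ" ] && [ "$FW_ROUTE" != yes ]; then
        echo "FW_DEV_DMZ is set but FW_ROUTE is not yes"; problems=$((problems + 1))
    fi
    if [ "$FW_SERVICE_DNS" = yes ]; then
        case " $FW_SERVICES_EXTERNAL_UDP $FW_SERVICES_INTERNAL_UDP $FW_SERVICES_DMZ_UDP " in
            *" 53 "*|*" domain "*) ;;
            *) echo "FW_SERVICE_DNS=yes but 53/domain is not in any FW_SERVICES_*_UDP"
               problems=$((problems + 1)) ;;
        esac
    fi
    for tok in $FW_SERVICES_EXTERNAL_TCP $FW_SERVICES_INTERNAL_TCP $FW_SERVICES_DMZ_TCP \
               $FW_SERVICES_EXTERNAL_UDP $FW_SERVICES_INTERNAL_UDP $FW_SERVICES_DMZ_UDP; do
        fw_valid_service_token "$tok" || { echo "bad service token: $tok"; problems=$((problems + 1)); }
    done
    return $problems
}
# Usage: fw_check_config /etc/rc.config
```

The exit status is the number of problems found, so the script can be used as a guard in front of the firewall start.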