From: Kurt Minder (kurtminder_at_bluewin.ch)
Date: Tue Nov 12 2002 - 07:43:03 CST
> -----Original Message-----
> From: Chris FitzGerald [mailto:merscopandora.be]
> Sent: Tuesday, 12 November 2002 12:17
> To: Suse-Security (E-Mail)
> Subject: Re: [suse-security] SuSEfirewall2 configuration
> In answer to 1:
> When you use FW_SERVICES_DMZ it opens up the ports you wish to allow, not
> looking if it came from internal or external.
> You do have to open up the ports on the external and internal services to
> allow the traffic to come in in the first place.
Ok. I understand. What you let in from any (EXT, INT) interface should be
able to access the DMZ.
In my case it doesn't, nor can the DMZ access the services opened in the
So I'm back on the solution to use FW_FORWARD. Is this normal? Or is it a
conflict in the configuration?
Obviously the DMZ rules are never applied because the packets are dropped.
> Togan wrote:
> I would say wide open; by defining TCP/UDP/IGMP you are limiting the
> protocols that are allowed, and when you add the port number then only the
> protocol along with the matching port is allowed.
I agree with you. For the MASQ_NETS (restrict access from INT to EXT)
section it works like this, but when I use this in the TRUSTED_NETS section
it won't. I configured the whole INT and DMZ as trusted net
(FW_TRUSTED_NETS="192.168.0.0/16"), I know, bad idea. But everything is
dropped or denied.
Hopefully someone knows something about the reasons.
> Tricky question for me too...
> ----- Original Message -----
> From: "Kurt Minder" <kurtminderbluewin.ch>
> To: "Suse-Security (E-Mail)" <suse-securitysuse.com>
> Sent: Tuesday, November 12, 2002 12:02 PM
> Subject: [suse-security] SuSEfirewall2 configuration
> > Hi folks
> > I followed the threads about configuring the firewall, but it was not
> > enlightening me (sorry).
> > So some questions:
> > 1.)
> > Does the FW_SERVICE_DMZ open only a connection from DEV_EXT to DEV_DMZ?
> > Because when I want to access the DMZ from internal I have to use the
> > FW_FORWARD statement.
> > 2.)
> > A question to the notation
> > # A forwarding rule consists of 1) source IP/net and 2) destination IP
> > # separated by a comma. e.g. "22.214.171.124,126.96.36.199 188.8.131.52/16,184.108.40.206/24"
> > # Optional is a protocol, separated by a comma, e.g.
> > # Optional is a port after the protocol with a comma, e.g.
> > When I leave away protocol and port, what is (or should be) open then?
> > I'm using 7.3
> > Cheers Kurt
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-helpsuse.com
> > Security-related bug reports go to securitysuse.de, not here
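The FW_FORWARD notation quoted in Kurt's original question ("src,dst" with an optional protocol and, after the protocol, an optional port) is easiest to check by expanding each entry into the FORWARD rule it describes. The script below is an added illustration, not code from the list or from SuSEfirewall2 itself: it parses entries of that shape and prints (never applies) the equivalent iptables rule, so a reader can see what an entry without protocol or port would admit. It assumes the SuSEfirewall2 semantics that an omitted protocol means all protocols and an omitted port means all ports of that protocol; the FW_FORWARD value is a constructed sample using private addresses, not the values from the posting.

```shell
#!/bin/sh
# Added illustration (not SuSEfirewall2's own code): expand FW_FORWARD entries
# of the form "src,dst[,proto[,port]]" into the iptables FORWARD rules they
# imply. Assumption: an omitted protocol means all protocols, an omitted port
# means all ports. Rules are only printed so the result can be reviewed.

# Constructed sample value, not taken from the mailing-list posting.
FW_FORWARD="192.168.0.0/16,10.1.1.10 192.168.0.0/16,10.1.1.20,tcp,80 192.168.0.0/16,10.1.1.30,icmp"

# fw_forward_rule ENTRY
# Echoes the iptables rule for one entry; returns 1 for a malformed entry
# (missing source or destination, or a port given for a port-less protocol).
fw_forward_rule() {
    entry=$1
    oldifs=$IFS
    IFS=','
    set -- $entry
    IFS=$oldifs
    src=$1; dst=$2; proto=$3; port=$4
    [ -n "$src" ] && [ -n "$dst" ] || return 1
    rule="iptables -A FORWARD -s $src -d $dst"
    if [ -n "$proto" ]; then
        # protocol given: only that protocol is forwarded
        rule="$rule -p $proto"
        if [ -n "$port" ]; then
            # a destination port is only meaningful for tcp/udp
            case $proto in
                tcp|udp) rule="$rule --dport $port" ;;
                *) return 1 ;;
            esac
        fi
    fi
    # no protocol and no port: every protocol between src and dst is forwarded
    echo "$rule -j ACCEPT"
}

# expand_fw_forward "ENTRY ENTRY ..."
# Expands a whole FW_FORWARD value, flagging entries that do not parse.
expand_fw_forward() {
    for e in $1; do
        fw_forward_rule "$e" || echo "# skipped malformed entry: $e"
    done
}

expand_fw_forward "$FW_FORWARD"
```

Running it shows the difference the thread is asking about: the first entry yields a rule with no `-p` at all, so any protocol from the source net reaches that host, while the tcp,80 entry narrows the rule to a single port.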