Installing and Configuring SuSEfirewall and SuSEfirewall2


In order to increase security we have installed SuSEfirewall and SuSEfirewall2 on our Linux machines. The following text describes what we changed compared to the SuSE Linux defaults. Please note that machines you are in 'close' contact with (e.g. machines whose directories you NFS-mount, or from which you want to display X Window applications) must be listed in the 'FW_TRUSTED_NETS' entry, because the default rules block that traffic.
Important: Read the comments contained in /etc/rc.config.d/firewall.rc.config (SuSE 7.3) and /etc/sysconfig/SuSEfirewall (SuSE 8.0), and in /usr/share/doc/packages/SuSEfirewall/EXAMPLES (SuSE 7.3) and /usr/share/doc/packages/SuSEfirewall2/EXAMPLES (SuSE 8.0)!

Note: Under SuSE Linux 7.3 you will get an 'error message' during boot, if you do not have a permanent connection to the internet, saying that ipchains is not supported. Ignore this message: as soon as the connection to the internet is established (e.g. via modem), the ipchains module is loaded into your kernel and the firewall will work properly.

I like both SuSEfirewall and SuSEfirewall2, but currently I prefer SuSEfirewall2, although its configuration is somewhat different from that of SuSEfirewall.

The following is a short description of what we did to get things running properly:

SuSE firewall
-------------
 
- SuSEfirewall (and SuSEfirewall2) is already installed under versions 7.2, 7.3, and 8.0

* SuSE 7.x:

- Edit /etc/rc.config
  set:  START_FW="yes"

- cd /etc/rc.config.d

- Edit firewall.rc.config and change the following lines:
  FW_DEV_WORLD="eth0"                # for modem connections we use "ppp0"
  If you have really trusted machines, then set the following three lines
  (note that "1:65535" opens *every* TCP and UDP port to the listed hosts,
  so list only machines you administer yourself, and use real addresses,
  not the placeholders shown here):
     FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz"  # add your machines here...
     FW_SERVICES_TRUSTED_TCP="1:65535"
     FW_SERVICES_TRUSTED_UDP="1:65535"

  FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"  # was: yes
  FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns"       # was: yes
  FW_ALLOW_PING_FW="no"   # was: yes

  (Note: the settings above are used by us on machines with one LAN interface
   and not on servers with several interfaces)

- If you have SuSE Linux 7.3, do the following:
   The following two steps are only necessary if you have *updated* to
   7.3. If you have newly *installed* 7.3, just *update* SuSEfirewall
   (e.g. with Online-Update) after the installation of 7.3; then nothing has
   to be done in /etc/init.d/boot.local!

   - cd /etc/init.d

   - Edit the file boot.local and add at the bottom of this file (in order
     to load the ipchains module into the kernel):
     /sbin/modprobe ipchains

   - It is also recommended to uninstall SuSEfirewall2 (should it be installed),
     because its start is attempted at boot even though START_FW2="no" is set
     in /etc/rc.config:
     rpm -e SuSEfirewall2
     

- /sbin/SuSEconfig

- Restart your system (then ipchains will be properly loaded)
  and SuSEfirewall will be activated.
 
- Later: after changes to the file /etc/rc.config.d/firewall.rc.config,
  do the following:

  /sbin/SuSEfirewall stop
  /sbin/SuSEfirewall start

  --> Sometimes, SuSEfirewall cannot be started and you will receive the
      following error message:
         Warning: interface eth0 is not active.
         No interfaces active! exiting ...
         SuSEfirewall: clearing rules now ... done
      I have not yet found out, why this happens, even when the machine is
      on the net. In such cases I reboot the machine and SuSEfirewall is then
      up again.

- From now on, you may view the activity from the outside against your machine
  with either
    grep DENY /var/log/firewall
  or
    tail -f /var/log/firewall
  (both as root only)
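The firewall.rc.config edits above are plain KEY="VALUE" assignments, so they can be applied and re-checked by a script instead of by hand. The following is an added example, not part of the original page or of the SuSEfirewall package: it sets the values listed above in a copy of the file (never the live /etc/rc.config.d/firewall.rc.config unless you point it there), appends any key that is missing, and refuses FW_TRUSTED_NETS entries that are not real dotted-quad addresses or CIDR prefixes, which catches placeholders such as "123.123.xxx.yyy" left in by mistake. The sample file contents are constructed to mimic the "was:" defaults quoted above; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example: idempotent editing of an rc.config-style file
# (one KEY="VALUE" per line), as used by SuSEfirewall on SuSE 7.x.
# Assumes values contain no '|', '&' or '"' (none of the ones above do).

# set_fw_var FILE KEY VALUE: replace the active KEY=... line with
# KEY="VALUE", or append it when absent. Commented-out lines are left
# alone so the file's documentation comments stay intact.
set_fw_var() {
    file=$1; key=$2; value=$3
    if grep -q "^[[:space:]]*$key=" "$file"; then
        # sed -i is GNU-specific; go through a temp file to stay portable
        sed "s|^[[:space:]]*$key=.*|$key=\"$value\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$key" "$value" >> "$file"
    fi
}

# get_fw_var FILE KEY: print the (last) active value of KEY without quotes
get_fw_var() {
    sed -n "s|^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*|\1|p" "$1" | tail -n 1
}

# valid_net NET: dotted quad with optional /prefix, nothing else
valid_net() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# check_trusted_nets FILE: fail (return 1) if FW_TRUSTED_NETS still holds
# a placeholder or otherwise malformed entry. Since the trusted services
# are opened as 1:65535, a wrong entry here means every port for that host.
check_trusted_nets() {
    rc=0
    for net in $(get_fw_var "$1" FW_TRUSTED_NETS); do
        valid_net "$net" || { echo "bad FW_TRUSTED_NETS entry: $net" >&2; rc=1; }
    done
    return $rc
}

# apply_settings FILE TRUSTED_NETS: the single-LAN-interface settings
# described above (adjust FW_DEV_WORLD to ppp0 for modem connections)
apply_settings() {
    file=$1; trusted=$2
    set_fw_var "$file" FW_DEV_WORLD eth0
    set_fw_var "$file" FW_TRUSTED_NETS "$trusted"
    set_fw_var "$file" FW_SERVICES_TRUSTED_TCP "1:65535"
    set_fw_var "$file" FW_SERVICES_TRUSTED_UDP "1:65535"
    set_fw_var "$file" FW_ALLOW_INCOMING_HIGHPORTS_TCP ftp-data
    set_fw_var "$file" FW_ALLOW_INCOMING_HIGHPORTS_UDP dns
    set_fw_var "$file" FW_ALLOW_PING_FW no
}

# make_sample_config FILE: constructed stand-in for the shipped defaults;
# NOT the real SuSE file, only the keys this example touches.
make_sample_config() {
    cat > "$1" <<'EOF'
## Path: Network/Firewall (constructed sample)
# FW_DEV_WORLD="eth0"   <- documentation comment, must not be edited
FW_DEV_WORLD=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_ALLOW_PING_FW="yes"
EOF
}

# Demo: ./fwconf.sh --demo "192.0.2.10 198.51.100.0/24"
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp)
    make_sample_config "$demo"
    apply_settings "$demo" "${2:-192.0.2.10}"
    check_trusted_nets "$demo" && cat "$demo"
    rm -f "$demo"
fi
```

Run check_trusted_nets before "SuSEfirewall start": a placeholder that slips through does not produce an error from the firewall script itself, it simply never matches any packet, while a typo that happens to be a valid address silently trusts the wrong host.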


* SuSE 8.0:

Comments will follow here.....

SuSEfirewall writes its log output to the file /var/log/firewall. The program sfirescan lets you easily understand and visualize who accessed your machine.
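Raw "grep DENY" output gets long quickly, because ipchains logs one line per dropped packet. The following is an added example (not part of the original page and not sfirescan) that summarizes such lines from stdin: one counter per source and destination port, plus a simple scan heuristic that lists sources which probed several distinct ports. The parser relies on the ipchains kernel log layout ("Packet log: CHAIN VERDICT IFACE PROTO=N SRC:SPORT DST:DPORT ..."); the log lines in sample_log are constructed for the example and the addresses are documentation ranges, not real traffic.

```shell
#!/bin/sh
# Added example: triage of ipchains DENY lines as logged by SuSEfirewall.
# Usage: grep DENY /var/log/firewall | deny_summary
#        grep DENY /var/log/firewall | port_scanners 5

# deny_summary: print "COUNT SRC -> DST:PORT/PROTO", most frequent first.
# The source port is dropped because clients pick it at random.
deny_summary() {
    awk '
        /Packet log: .* DENY / {
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
            proto = substr($i, 7); src = $(i + 1); dst = $(i + 2)
            sub(/:[^:]*$/, "", src)
            # for ICMP (PROTO=1) the "ports" are type:code, which is still
            # informative, so they are kept as-is
            name = (proto == 6) ? "tcp" : (proto == 17) ? "udp" : \
                   (proto == 1) ? "icmp" : proto
            n[src " -> " dst "/" name]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# port_scanners THRESHOLD: sources that hit at least THRESHOLD distinct
# destination ports; prints "SRC NPORTS" sorted by address.
port_scanners() {
    awk -v t="${1:-5}" '
        /Packet log: .* DENY / {
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
            src = $(i + 1); dst = $(i + 2)
            sub(/:[^:]*$/, "", src)
            port = dst; sub(/^.*:/, "", port)
            if (!((src, port) in seen)) { seen[src, port] = 1; ports[src]++ }
        }
        END { for (s in ports) if (ports[s] >= t) print s, ports[s] }
    ' | sort
}

# sample_log: constructed /var/log/firewall excerpt (not real traffic):
# a six-port TCP sweep, two NetBIOS probes, one ICMP echo, one accepted packet.
sample_log() {
    cat <<'EOF'
Sep 29 10:12:01 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4321 192.0.2.10:21 L=60 S=0x00 I=4711 F=0x4000 T=51 SYN (#14)
Sep 29 10:12:01 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4322 192.0.2.10:22 L=60 S=0x00 I=4712 F=0x4000 T=51 SYN (#14)
Sep 29 10:12:01 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4323 192.0.2.10:23 L=60 S=0x00 I=4713 F=0x4000 T=51 SYN (#14)
Sep 29 10:12:02 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4324 192.0.2.10:25 L=60 S=0x00 I=4714 F=0x4000 T=51 SYN (#14)
Sep 29 10:12:02 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4325 192.0.2.10:80 L=60 S=0x00 I=4715 F=0x4000 T=51 SYN (#14)
Sep 29 10:12:02 host kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4326 192.0.2.10:110 L=60 S=0x00 I=4716 F=0x4000 T=51 SYN (#14)
Sep 29 10:13:40 host kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:137 192.0.2.10:137 L=78 S=0x00 I=9001 F=0x0000 T=128 (#16)
Sep 29 10:13:41 host kernel: Packet log: input DENY eth0 PROTO=17 198.51.100.7:137 192.0.2.10:137 L=78 S=0x00 I=9002 F=0x0000 T=128 (#16)
Sep 29 10:15:03 host kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.99:8 192.0.2.10:0 L=84 S=0x00 I=1234 F=0x0000 T=64 (#20)
Sep 29 10:15:10 host kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.50:35001 192.0.2.10:22 L=60 S=0x00 I=2222 F=0x4000 T=64 SYN (#3)
EOF
}

# Demo on the constructed sample: ./fwlog.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "== dropped packets by source/destination =="; sample_log | deny_summary
    echo "== sources probing 5+ ports =="; sample_log | port_scanners 5
fi
```

Only DENY lines are counted; ACCEPT lines (logged when FW_LOG_ACCEPT_* is enabled) are skipped, so the summary reflects what the firewall actually blocked. The scan threshold is a heuristic: a single host trying six service ports within a second is almost certainly a scanner, while one or two hits on port 137 are usual Windows NetBIOS background noise.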


Last Update: 29Sep2002 uk --- Created: 11Jul2001 uk