In order to increase security we have installed SuSEfirewall and
SuSEfirewall2 on our Linux machines. In the following text you will find
what we have changed compared to the default values of SuSE Linux. Please
note that you should include machines with which you are in 'close' contact
in the 'FW_TRUSTED_NETS' entry (e.g. if you want to NFS-mount directories of
such machines or if you want to obtain X windows from such machines).
Important: Read the comments contained in /etc/rc.config.d/firewall.rc.config
(SuSE 7.3) and /etc/sysconfig/SuSEfirewall (SuSE 8.0), and in
/usr/share/doc/packages/SuSEfirewall/EXAMPLES (SuSE 7.3) and
/usr/share/doc/packages/SuSEfirewall2/EXAMPLES (SuSE 8.0)!
Note: Under SuSE Linux 7.3 you will get an 'error message' during boot time if you do not have a permanent connection to the internet, saying that ipchains is not supported. Ignore this message: as soon as the connection to the internet is established (e.g. via modem), ipchains will be activated in your kernel and the firewall will work properly!
I like both SuSEfirewall and SuSEfirewall2, but currently I prefer SuSEfirewall2, although its configuration is somewhat different from that of SuSEfirewall.
The following is a short description of what we did to get things running properly:
SuSE firewall
-------------

- SuSEfirewall(2) is already installed under versions 7.2, 7.3, and 8.0

* SuSE 7.x:

  - Edit /etc/rc.config and set:

        START_FW="yes"

  - cd /etc/rc.config.d
  - Edit firewall.rc.config and change the following lines:

        FW_DEV_WORLD="eth0"                         # for modem connections we use "ppp0"

    If you have really trusted machines, then set the following three lines:

        FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz"   # add your machines here...
        FW_SERVICES_TRUSTED_TCP="1:65535"
        FW_SERVICES_TRUSTED_UDP="1:65535"

        FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"   # was: yes
        FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns"        # was: yes
        FW_ALLOW_PING_FW="no"                        # was: yes

    (Note: the settings above are used by us on machines with one LAN interface
    and not on servers with several interfaces.)

  - If you have SuSE Linux 7.3, do the following:
    The following two things only have to be done if you have *updated* to 7.3.
    If you have newly *installed* 7.3, just *update* SuSEfirewall (e.g. with
    Online-Update) after the installation of 7.3; then nothing has to be done
    in /etc/init.d/boot.local!

    - cd /etc/init.d
    - Edit the file boot.local and add at the bottom of this file (in order to
      load the ipchains module into the kernel):

          /sbin/modprobe ipchains

    - It is also recommended to uninstall SuSEfirewall2 (should it be
      installed), because its start is attempted at boot even though
      START_FW2='no' is set in /etc/rc.config:

          rpm -e SuSEfirewall2

  - /sbin/SuSEconfig
  - Restart your system (then ipchains will be properly loaded) and
    SuSEfirewall will be activated.
  - Later: after changes in the file /etc/rc.config.d/firewall.rc.config, do
    the following:

        /sbin/SuSEfirewall stop
        /sbin/SuSEfirewall start

    --> Sometimes SuSEfirewall cannot be started and you will receive the
    following error message:

        Warning: interface eth0 is not active.
        No interfaces active! exiting ...
        SuSEfirewall: clearing rules now ... done

    I have not yet found out why this happens, even when the machine is on
    the net. In such cases I reboot the machine and SuSEfirewall is then up
    again.

  - From now on, you may view the activities from the outside to your machine
    with either

        grep DENY /var/log/firewall

    or

        tail -f /var/log/firewall

    (both as root only)

* SuSE 8.0:
  Comments will follow here.....
The output of SuSEfirewall is written to the file /var/log/firewall. The program sfirescan lets you easily see and visualize who accessed your machine.
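For a quick overview of who is being denied without sfirescan, the following script is an added example (not part of the original notes or of the SuSEfirewall package) that summarizes the DENY lines of the ipchains log by source address and destination port. The sample log lines are constructed and assume the ipchains "Packet log:" format used on SuSE 7.x; field positions after the DENY keyword are an assumption based on that format.

```shell
#!/bin/sh
# Summarize ipchains DENY entries (SuSEfirewall on SuSE 7.x) per
# "source address -> destination port". Run on the real log as root:
#     deny_summary /var/log/firewall

# Constructed sample log standing in for /var/log/firewall (ipchains format,
# an assumption: chain target iface PROTO=n src:sport dst:dport ...)
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:15:01 host kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4321 198.51.100.5:23 L=60 S=0x00 I=1234 F=0x4000 T=52 SYN (#3)
Mar  3 10:15:02 host kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4322 198.51.100.5:23 L=60 S=0x00 I=1235 F=0x4000 T=52 SYN (#3)
Mar  3 10:15:05 host kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.9:53 198.51.100.5:1025 L=78 S=0x00 I=0 F=0x0000 T=60 (#5)
Mar  3 10:15:09 host kernel: Packet log: input ACCEPT ppp0 PROTO=6 198.51.100.20:2049 198.51.100.5:1023 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#1)
Mar  3 10:16:00 host kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.7:4323 198.51.100.5:111 L=60 S=0x00 I=1236 F=0x4000 T=52 SYN (#3)
EOF

# Print "count src -> port dport" for every denied packet, most frequent first.
# ACCEPT lines are ignored; only the DENY target is of interest here.
deny_summary() {
    grep ' DENY ' "$1" | awk '{
        # after the DENY token: iface, PROTO=, src:sport, dst:dport
        for (i = 1; i <= NF; i++) if ($i == "DENY") { src = $(i+3); dst = $(i+4) }
        sub(/:[0-9]+$/, "", src)      # drop the (ephemeral) source port
        split(dst, d, ":")            # keep only the destination port
        print src " -> port " d[2]
    }' | sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'
}

# Number of distinct source addresses that were denied at least once.
deny_sources() {
    grep ' DENY ' "$1" | awk '{
        for (i = 1; i <= NF; i++) if ($i == "DENY") src = $(i+3)
        sub(/:[0-9]+$/, "", src)
        print src
    }' | sort -u | wc -l | tr -d ' '
}

deny_summary "$SAMPLE_LOG"
echo "distinct denied sources: $(deny_sources "$SAMPLE_LOG")"
```

A source address that shows up repeatedly against several ports (as 203.0.113.7 does in the sample) is the pattern worth looking at first; a single denied DNS reply on a high port is usually just the effect of FW_ALLOW_INCOMING_HIGHPORTS_UDP being restricted.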