In order to increase security we have installed SuSEfirewall and
SuSEfirewall2 on our
Linux machines. In the following text you may find what we have changed
compared to the default values of SuSE Linux. Please note that you should
include machines with which you are in 'close' contact in the
'FW_TRUSTED_NETS' entry (e.g. if you want to NFS-mount directories of such
machines or if you want to obtain X windows from such machines).
Important: Read the comments contained in /etc/rc.config.d/firewall.rc.config
(SuSE 7.3) and /etc/sysconfig/SuSEfirewall (SuSE 8.0),
and in /usr/share/doc/packages/SuSEfirewall/EXAMPLES (SuSE 7.3) and
/usr/share/doc/packages/SuSEfirewall2/EXAMPLES (SuSE 8.0)!
Note: Under SuSE Linux 7.3 you will get an 'error message' during boot time, if you do not have a permanent connection to the internet, saying that ipchains is not supported. Ignore this message: as soon as the connection to the internet is established (e.g. via modem), ipchains will be activated in your kernel and the firewall will work properly!
I like both SuSEfirewall and SuSEfirewall2, but currently I prefer SuSEfirewall2, although its configuration is somewhat different from SuSEfirewall.
The following is a short description of what we did to get things running properly:
SuSE firewall
-------------
- SuSEfirewall(2) is already installed under versions 7.2, 7.3, and 8.0
* SuSE 7.x:
- Edit /etc/rc.config
set: START_FW="yes"
- cd /etc/rc.config.d
- Edit firewall.rc.config and change the following lines:
FW_DEV_WORLD="eth0" # for modem connections we use "ppp0"
If you have really trusted machines, then set the following three lines:
FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz" # add your machines here...
FW_SERVICES_TRUSTED_TCP="1:65535"
FW_SERVICES_TRUSTED_UDP="1:65535"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data" # was: yes
FW_ALLOW_INCOMING_HIGHPORTS_UDP="dns" # was: yes
FW_ALLOW_PING_FW="no" # was: yes
(Note: the settings above are used by us on machines with one LAN interface
and not on servers with several interfaces)
- If you have SuSE Linux 7.3, do the following:
The following two things only have to be done if you have *updated* to
7.3. If you have newly *installed* 7.3, just *update* SuSEfirewall
(e.g. with Online Update) after the installation of 7.3; then nothing has
to be done in /etc/init.d/boot.local!
- cd /etc/init.d
- Edit the file boot.local and add at the bottom of this file (in order
to load the ipchains module into the kernel):
/sbin/modprobe ipchains
- It is also recommended to uninstall SuSEfirewall2 (should it be installed),
because its start is attempted at boot even though START_FW2="no" is set in
/etc/rc.config:
rpm -e SuSEfirewall2
- /sbin/SuSEconfig
- Restart your system (then ipchains will be properly loaded)
and SuSEfirewall will be activated.
- Later: after changes in the file /etc/rc.config.d/firewall.rc.config,
do the following:
/sbin/SuSEfirewall stop
/sbin/SuSEfirewall start
--> Sometimes SuSEfirewall cannot be started and you will receive the
following error message:
Warning: interface eth0 is not active.
No interfaces active! exiting ...
SuSEfirewall: clearing rules now ... done
I have not yet found out why this happens, even when the machine is
on the net. In such cases I reboot the machine and SuSEfirewall is then
up again.
- From now on you may view the activity from the outside directed at your
machine with either
grep DENY /var/log/firewall
or
tail -f /var/log/firewall
(both as root only)
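As an added example (not part of the original notes), the following script condenses the DENY lines of /var/log/firewall into a per-source, per-destination-port count, so that a single scanning host shows up as one line instead of hundreds. It assumes the ipchains kernel log format ("Packet log: <chain> DENY <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...") that SuSEfirewall on SuSE 7.x logs via syslog; the sample log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Summarise the DENY entries of an ipchains firewall log (SuSE 7.x, /var/log/firewall):
# prints one line per (source address, destination port), most frequent first.
summarize_denies() {
    awk '
        /Packet log:/ && / DENY / {
            # ipchains format (assumed): ... PROTO=<n> <src>:<sport> <dst>:<dport> ...
            for (i = 1; i <= NF; i++) if ($i ~ /^PROTO=/) break
            src = $(i + 1); dst = $(i + 2)
            sub(/:[0-9]+$/, "", src)      # drop the (ephemeral) source port
            n = split(dst, d, ":")        # last part is the port; for ICMP it is the code
            count[src " " d[n]]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Write a constructed sample log (hypothetical hosts, not real traffic) and print its path.
make_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Mar  3 10:12:44 myhost kernel: Packet log: input DENY eth0 PROTO=6 195.195.1.2:4321 123.123.5.6:23 L=60 S=0x00 I=4711 F=0x4000 T=49 SYN (#3)
Mar  3 10:12:47 myhost kernel: Packet log: input DENY eth0 PROTO=6 195.195.1.2:4322 123.123.5.6:23 L=60 S=0x00 I=4712 F=0x4000 T=49 SYN (#3)
Mar  3 10:12:50 myhost kernel: Packet log: input DENY eth0 PROTO=6 195.195.1.2:4323 123.123.5.6:23 L=60 S=0x00 I=4713 F=0x4000 T=49 SYN (#3)
Mar  3 10:13:01 myhost kernel: Packet log: input DENY eth0 PROTO=17 10.9.8.7:1030 123.123.5.6:111 L=40 S=0x00 I=22 F=0x0000 T=64 (#7)
Mar  3 10:13:02 myhost kernel: Packet log: input DENY eth0 PROTO=17 10.9.8.7:1031 123.123.5.6:111 L=40 S=0x00 I=23 F=0x0000 T=64 (#7)
Mar  3 10:13:09 myhost kernel: Packet log: input DENY eth0 PROTO=1 10.9.8.7:8 123.123.5.6:0 L=84 S=0x00 I=99 F=0x0000 T=64 (#9)
Mar  3 10:13:15 myhost kernel: Packet log: input ACCEPT eth0 PROTO=6 123.123.1.1:5555 123.123.5.6:22 L=60 S=0x00 I=100 F=0x4000 T=64 SYN (#1)
EOF
    echo "$f"
}

SAMPLE_LOG=$(make_sample_log)
summarize_denies "$SAMPLE_LOG"   # e.g. "3 195.195.1.2 23" first: three telnet attempts from one host
```

Run it against the real log with `summarize_denies /var/log/firewall` (as root); ACCEPT lines and non-firewall syslog noise are ignored.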
* SuSE 8.0:
Comments will follow here.....
The output of SuSEfirewall is written to the file /var/log/firewall. The program sfirescan lets you easily understand and visualize who accessed your machine.