Specifications
online help. To leave the file editor, select ‘Finish’ from the menu. Save your
modifications to configuration files by pressing ‘Finish’.
Testing the Configuration
The configuration created with the administration program still needs to be
tested before it is used. To do this, start the firewall without any
connection to the Internet or intranet. Connect the firewall directly to the
Adminhost with a crossover cable.
Tests for the packet filter can be carried out simply by using a port scanner.
For this purpose, the program nmap is installed on the Adminhost. If you run
the port scan from the Adminhost, make sure the packet filter of the Adminhost
is switched off. Log in as the user root and enter SuSEfirewall stop on a
console. This ensures that all returning IP packets can be accepted by the
Adminhost. Do not forget to activate the packet filter again with
SuSEfirewall start after the tests have been completed.
After the port scan, the result of the scan and the log file on the firewall
should be documented and saved. Check the function of the following services:
Test the name server, for example, with nslookup followed by the name of the firewall. Observe the log file, for example, with grep named /var/log/messages. No messages containing error may occur.
Test the mail relays by sending an e-mail and observing the log files /var/log/mail and /var/log/messages. Search the log files for postfix (grep postfix /var/log/mail).
Test the FTP proxies, for example, by using telnet to connect to your firewall.
Test the HTTP proxy by trying to reach the Internet from a client.
Test ssh by logging in from a client to the firewall.
Always check all procedures by using the log files.
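
The log checks listed above, collected into one shell function as an added example that is not part of the original manual. The names check_service_log and make_sample_logs, the constructed sample log lines, the case-insensitive match on error and the rule that a service with no log entries counts as a failed test are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original manual.
# check_service_log FILE TAG
#   Examines the lines of FILE that mention TAG (named, postfix, ...).
#   Returns 0 only if such lines exist and none contains "error"
#   (case-insensitive match and the "no entries" rule are assumptions).
check_service_log() {
    file=$1
    tag=$2
    if [ ! -r "$file" ]; then
        echo "$tag: cannot read $file"
        return 2
    fi
    # grep -c exits 1 when the count is 0; "|| true" keeps set -e callers alive
    entries=$(grep -c -- "$tag" "$file" || true)
    errors=$(grep -- "$tag" "$file" | grep -ci -- 'error' || true)
    if [ "$entries" -eq 0 ]; then
        echo "$tag: no entries, test did not reach the service"
        return 1
    fi
    if [ "$errors" -gt 0 ]; then
        echo "$tag: $errors of $entries entries contain error"
        return 1
    fi
    echo "$tag: ok ($entries entries)"
}

# Constructed sample log lines (host name "fw" and addresses are made up).
make_sample_logs() {
    cat > "$1/messages" <<'EOF'
Jan 10 10:00:01 fw named[412]: starting BIND
Jan 10 10:00:02 fw named[412]: listening on IPv4 interface eth0, 192.168.0.1#53
Jan 10 10:00:09 fw sshd[601]: Accepted password for root from 192.168.0.2 port 1022
EOF
    cat > "$1/mail" <<'EOF'
Jan 10 10:01:00 fw postfix/smtpd[733]: connect from adminhost[192.168.0.2]
Jan 10 10:01:01 fw postfix/smtp[735]: error: connect to relay[10.0.0.5]: Connection refused
EOF
}

demo_dir=$(mktemp -d)
make_sample_logs "$demo_dir"
check_service_log "$demo_dir/messages" named || true
check_service_log "$demo_dir/mail" postfix || true
rm -rf "$demo_dir"
```

On the firewall itself, the same function would be pointed at /var/log/messages and /var/log/mail after each service test, and its output saved together with the port scan result.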