Specifications
C
Network Security
For example: "172.20.0.0/16 172.30.4.2" means that all hosts
which have an IP address beginning with 172.20.x.x, along with the
host with the IP address 172.30.4.2, are allowed to pass through the
firewall.
FW_SERVICES_TRUSTED_TCP (firewall): Here, specify the port addresses which may be used by the “trusted hosts”. For example, to grant them access to all services, enter 1:65535. Usually, it is sufficient to enter ssh as the only service.
FW_SERVICES_TRUSTED_UDP (firewall): Just like above, but for UDP
ports.
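The trusted-hosts list ("172.20.0.0/16 172.30.4.2") and the trusted-port list ("ssh" or "1:65535") above are plain space-separated strings, so it is easy to get a /16 or a port range subtly wrong. The following is an added example, not code from the SuSE manual or from SuSEfirewall itself: it parses both list formats as described in the text and answers, for a given source address and destination port, whether the "trusted hosts" rule would apply. The sample values are constructed, and the small service-name table is an assumption so that the example runs without consulting /etc/services.

```python
import ipaddress
import socket

# Constructed sample values in the format of the SuSEfirewall variables
# described above (not taken from a real system).
TRUSTED_NETS = "172.20.0.0/16 172.30.4.2"
TRUSTED_TCP = "ssh"  # the other setting mentioned in the text is "1:65535"

# Small service-name table (an assumption of this example) so that the
# code runs without /etc/services; unknown names fall back to the system.
SERVICE_PORTS = {"ssh": 22, "ftp": 21, "ftp-data": 20, "domain": 53, "dns": 53}


def parse_trusted_nets(spec):
    """Turn a space-separated list of networks and hosts into ip_network objects.

    A bare host such as 172.30.4.2 becomes a /32 network.
    """
    return [ipaddress.ip_network(token, strict=False) for token in spec.split()]


def parse_port_spec(spec):
    """Parse a port list such as "ssh", "22 53" or "1:65535" into (lo, hi) ranges."""
    ranges = []
    for token in spec.split():
        if ":" in token:
            lo, hi = token.split(":", 1)
            ranges.append((int(lo), int(hi)))
        elif token.isdigit():
            ranges.append((int(token), int(token)))
        else:
            port = SERVICE_PORTS.get(token)
            if port is None:
                port = socket.getservbyname(token)  # assumes /etc/services exists
            ranges.append((port, port))
    for lo, hi in ranges:
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("bad port range %d:%d" % (lo, hi))
    return ranges


def is_trusted_access(src_ip, dst_port, nets_spec=TRUSTED_NETS, ports_spec=TRUSTED_TCP):
    """True only if src_ip is in a trusted net AND dst_port is a trusted service."""
    addr = ipaddress.ip_address(src_ip)
    in_trusted_net = any(addr in net for net in parse_trusted_nets(nets_spec))
    port_allowed = any(lo <= dst_port <= hi for lo, hi in parse_port_spec(ports_spec))
    return in_trusted_net and port_allowed


if __name__ == "__main__":
    checks = [("172.20.5.9", 22), ("172.30.4.2", 22), ("172.30.4.3", 22), ("172.20.5.9", 80)]
    for ip, port in checks:
        verdict = "trusted" if is_trusted_access(ip, port) else "not trusted"
        print("%-12s port %-5d %s" % (ip, port, verdict))
```

Running it shows that 172.30.4.3 (one address past the listed host) and port 80 (not in the "ssh" list) are both refused, which is the behaviour the manual describes; changing ports_spec to "1:65535" opens every port for the trusted hosts, as the text warns.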
FW_ALLOW_INCOMING_HIGHPORTS_TCP (firewall): Set this to
ftp-data if you intend to use normal (active) FTP services.
FW_ALLOW_INCOMING_HIGHPORTS_UDP (firewall): Set this to dns
to use the name servers registered in /etc/resolv.conf. If you enter
yes here, all high ports will be enabled.
FW_SERVICE_DNS (firewall): Enter yes if you run a name server that
is supposed to be available to external hosts. At the same time, enable
port 53 under FW_TCP_SERVICES_*.
FW_SERVICE_DHCLIENT (firewall): Enter yes here if you use
dhclient to get your IP address assigned.
FW_LOG_* (firewall): Specify the firewall’s logging activity. For normal
operation, it is sufficient to set FW_LOG_DENY_CRIT to yes.
FW_STOP_KEEP_ROUTING_STATE (firewall): Insert yes if you have
configured your dial-up procedure to work automatically via diald or
ISDN (dial on demand).
Now that you have configured SuSEfirewall, do not forget to test your setup (for example, with telnet from an external host). Have a look at /var/log/messages, where you should see something like:
Feb 7 01:54:14 www kernel: Packet log: input DENY eth0 PROTO=6 129.27.43.9:1427 195.58.178.210:23 L=60 S=0x00 I=36981 F=0x4000 T=59 SYN (#119)
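The kernel line above packs chain, verdict, interface, protocol number, source and destination socket pairs, IP header fields, TCP flags and the matching rule number into one "Packet log:" record. When checking a fresh firewall, it helps to pull those fields apart and count what is being denied per source and port rather than reading raw lines. The following is an added example, not code from the manual or from SuSEfirewall: a parser for that line format, built from the single line shown above (the field order and names are assumed to hold for every such line), plus a summary of DENY entries. The sample log is constructed; only its first line is the one quoted in the text.

```python
import re
from collections import Counter

# Field layout taken from the "Packet log:" line shown above; the optional
# trailing TCP flag word (e.g. SYN) and the "(#rule)" suffix are handled.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<tcpflags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample of /var/log/messages; the first line is the one quoted
# in the text, the rest are made up in the same format.
SAMPLE_LOG = """\
Feb 7 01:54:14 www kernel: Packet log: input DENY eth0 PROTO=6 129.27.43.9:1427 195.58.178.210:23 L=60 S=0x00 I=36981 F=0x4000 T=59 SYN (#119)
Feb 7 01:54:17 www kernel: Packet log: input DENY eth0 PROTO=6 129.27.43.9:1428 195.58.178.210:23 L=60 S=0x00 I=36982 F=0x4000 T=59 SYN (#119)
Feb 7 01:54:20 www kernel: Packet log: input ACCEPT eth0 PROTO=6 172.30.4.2:40012 195.58.178.210:22 L=60 S=0x00 I=1201 F=0x4000 T=63 SYN (#87)
Feb 7 01:54:31 www kernel: Packet log: input DENY eth0 PROTO=17 129.27.43.9:1029 195.58.178.210:53 L=48 S=0x00 I=36990 F=0x0000 T=59 (#121)
Feb 7 01:55:02 www sshd[812]: Accepted publickey for admin from 172.30.4.2 port 40012
"""


def parse_packet_log(line):
    """Return the fields of one 'Packet log:' line as a dict, or None for other lines."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["tcpflags"] = rec["tcpflags"].split()  # [] when no flag word is present
    return rec


def summarize_denies(log_text):
    """Count DENY records per (source, destination, protocol, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_packet_log(line)
        if rec is None or rec["action"] != "DENY":
            continue
        counts[(rec["src"], rec["dst"], rec["proto_name"], rec["dport"])] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, proto, port), n in sorted(summarize_denies(SAMPLE_LOG).items()):
        print("%-15s -> %s %s/%d denied %d time(s)" % (src, dst, proto, port, n))
```

On the constructed sample this reports two denied telnet attempts and one denied DNS query from 129.27.43.9, while the accepted ssh connection from the trusted host 172.30.4.2 and the unrelated sshd line are skipped. The same summary run over a real /var/log/messages is a quick way to confirm that the services you intended to block are the ones producing DENY entries.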
189 SuSE Linux – Firewall on CD2