“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 648 — #674
26.3.4 SuSEfirewall2
SuSEfirewall2 is a script that reads the variables set in /etc/sysconfig/SuSEfirewall2 to generate a set of iptables rules. It defines three security zones, although only the first and the second one are considered in the following sample configuration:
External Network: Given that there is no way to control what is happening on the external network, the host needs to be protected from it. In most cases, the external network is the Internet, but it could be another insecure network, such as a WLAN.
Internal Network: This refers to the private network, in most cases the LAN. If the hosts on this network use IP addresses from the private range (see Section 21.1.2 on page 419), enable network address translation (NAT), so hosts on the internal network can access the external one.
Demilitarized Zone (DMZ): While hosts located in this zone can be reached both from the external and the internal network, they cannot access the internal network themselves. This setup can be used to put an additional line of defense in front of the internal network, because the DMZ systems are isolated from the internal network.
Any kind of network traffic not explicitly allowed by the filtering rule set is dropped by iptables. Therefore, each of the interfaces with incoming traffic must be placed into exactly one of the three zones. For each of the zones, define the services or protocols allowed. The rule set is only applied to packets originating from external hosts. Locally generated packets are not captured by the firewall.
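To make the zone model concrete, here is an added example (not the SuSEfirewall2 script itself and not taken from the manual) that reads a handful of sysconfig-style variables and prints the iptables commands a two-zone firewall with masquerading needs. The variable names (FW_DEV_EXT, FW_DEV_INT, FW_MASQUERADE, FW_MASQ_NETS, FW_SERVICES_EXT_TCP) follow those in /etc/sysconfig/SuSEfirewall2; the interface names, networks and ports are constructed values, and the log prefix is an arbitrary choice for this example. The script only prints the commands, so they can be reviewed before anything is applied, and it refuses to generate rules when one interface appears in two zones.

```shell
#!/bin/sh
# Illustrative rule generator (not SuSEfirewall2's own code).
# Constructed sample of the sysconfig variables; values are made up.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.1.0/24"
FW_SERVICES_EXT_TCP="22 80"

# Every interface must sit in exactly one zone. Return 1 if any name in
# the external list ($1) also appears in the internal list ($2).
check_zones() {
    for dev in $1; do
        for other in $2; do
            [ "$dev" = "$other" ] && return 1
        done
    done
    return 0
}

# Print one iptables command per line.
# $1 external interface, $2 internal interface, $3 masquerade yes/no,
# $4 networks to masquerade, $5 TCP ports offered to the external zone.
gen_rules() {
    ext="$1"; int="$2"; masq="$3"; nets="$4"; tcp="$5"
    # Anything not explicitly allowed is dropped. Locally generated
    # traffic (OUTPUT chain) is not filtered, as the text above states.
    printf '%s\n' "iptables -P INPUT DROP"
    printf '%s\n' "iptables -P FORWARD DROP"
    printf '%s\n' "iptables -P OUTPUT ACCEPT"
    # Loopback, and replies to connections this host opened itself.
    printf '%s\n' "iptables -A INPUT -i lo -j ACCEPT"
    printf '%s\n' "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # The internal zone is trusted in this two-zone setup.
    printf '%s\n' "iptables -A INPUT -i $int -j ACCEPT"
    # Only the listed services are reachable from the external zone.
    for p in $tcp; do
        printf '%s\n' "iptables -A INPUT -i $ext -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    # Everything else arriving on the external zone is logged (arbitrary
    # prefix) and then dropped by the chain policy.
    printf '%s\n' "iptables -A INPUT -i $ext -j LOG --log-prefix \"EXT-DROP \""
    # Masquerading: internal hosts may reach the external zone; only
    # replies to those connections are forwarded back in.
    if [ "$masq" = yes ]; then
        for n in $nets; do
            printf '%s\n' "iptables -A FORWARD -i $int -o $ext -s $n -j ACCEPT"
            printf '%s\n' "iptables -t nat -A POSTROUTING -o $ext -s $n -j MASQUERADE"
        done
        printf '%s\n' "iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT"
    fi
}

if check_zones "$FW_DEV_EXT" "$FW_DEV_INT"; then
    gen_rules "$FW_DEV_EXT" "$FW_DEV_INT" "$FW_MASQUERADE" "$FW_MASQ_NETS" "$FW_SERVICES_EXT_TCP"
else
    echo "error: an interface is assigned to more than one zone" >&2
fi
```

The FORWARD chain carries the same default-drop idea as INPUT: hosts on the external network never get a path into the internal one, while the MASQUERADE rule in the nat table rewrites the source address of outbound traffic so private-range hosts can use the external interface's address.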
The configuration can be performed with YaST (see Section 26.3.4 on page 650). It can also be made manually in the file /etc/sysconfig/SuSEfirewall2, which is well commented.
Manual Configuration
The following paragraphs provide step-by-step instructions for a successful configuration. Each configuration item is marked as to whether it is relevant to firewalling or masquerading. Aspects related to the DMZ (demilitarized zone) as mentioned in the configuration file are not covered here. They are applicable only to a more complex network infrastructure found in larger organizations (corporate networks), which require extensive configuration and in-depth knowledge about the subject.
648 26.3. Masquerading and Firewalls