SuSEFirewall2 / Personal-Firewall

xenic
Posts: 9
Joined: 20. Dec 2001 19:34

SuSEFirewall2 / Personal-Firewall

#1 Post by xenic »

I have a DSL connection that is shared by 2 computers over a LAN using a Linux router. It does work, but not flawlessly...

My DSL modem is attached to eth1, my network is connected to eth0. When I dial in, a device ppp0 is created. I set up the DSL connection with YaST2.

Right at the start I have a basic question: is masquerading possible without a firewall?

When I run the router with the SuSE personal-firewall, everything works fine. However, despite the firewall the router still accepts connections from outside (Telnet / SSH). I have a bad feeling about that and would like to avoid it... Have I perhaps configured the firewall wrong? I have already tried several options.

1) Reject_all_incoming_connections = "eth1 masq"
Here everything works.
2) Reject_all_incoming_connections = "modem masq"
Here nothing works any more.
3) Reject_all_incoming_connections = "modem eth1 masq"
Here nothing works any more either...

When I do the whole thing with SuSEFirewall2 (the SuSEFirewall successor for iptables and kernel 2.4), I can only dial in once (dial on demand); on the second dial-in, name resolution no longer works (!???). I could do without the Bind8 name server, but then I would always have to enter T-Online's DNS servers on the workstations. With Bind I only have to enter the router's IP, which is much more practical.

What I would really like to know is whether I am making an absolute beginner's mistake (which is what I am). If so, I'll simply drop the Bind idea...

Linux used: SuSE Linux 7.2
Last edited by xenic on 03. Jan 2002 19:50, edited 1 time in total.

Descartes

Re: SuSEFirewall2 / Personal-Firewall

#2 Post by Descartes »

> Right at the start I have a basic question: is masquerading possible without a firewall?
See the beginning of the file /etc/rc.config.d/firewall2.rc.config:

# If you just want to do masquerading without filtering, ignore this script
# and run these lines (exchange "ippp0" for "ppp0" if you use a modem, not ISDN):
# iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0
# echo 1 > /proc/sys/net/ipv4/ip_forward
# and additionally the following lines to get at least a minimum of security:
# iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0
# iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0
# ------------------------------------------------------------------------

Below is an excerpt (the header has been shortened somewhat; otherwise it is complete) from my /etc/rc.config.d/firewall2.rc.config (SuSE 7.3 with SuSEfirewall2).

The LAN is 192.168.0.0/24 (i.e. 192.168.0.x with subnet mask 255.255.255.0);
the Linux machine is attached to the LAN via eth0, and the DSL modem is attached via eth1.
The Linux machine provides various services to the LAN (among others DHCP, DNS, FTP), which are explicitly enabled only for the LAN. Accesses from outside (which come in e.g. via ppp0) are blocked and logged.

The homepage of the SuSEfirewall2 scripts is http://www.suse.de/~marc/SuSE.html; there you will also find a few example configuration files of varying complexity.

<blockquote><pre><font size="1" face="">code:</font><hr><font face="Courier New" size="2">
...

#
# 2.)
# Which is the interface that points to the internet/untrusted networks?
#
# Enter all the network devices here which are untrusted.
#
# Choice: any number of devices, separated by a space
# e.g. "eth0", "ippp0 ippp1 eth0:1"
#
FW_DEV_EXT="ppp0"

#
# 3.)
# Which is the interface that points to the internal network?
#
# Enter all the network devices here which are trusted.
# If you are not connected to a trusted network (e.g. you have just a
# dialup) leave this empty.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_INT="eth0"

#
# 4.)
# Which is the interface that points to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, seperated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services,
# e.g. WWW, Mail, etc. and hence are at risk from attacks.
# See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
#
# Special note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_DMZ=""

#
# 5.)
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
#
# You need only set this to yes, if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but this is not
# a good idea). This option supersedes IP_FORWARD from /etc/rc.config!
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD to define
# what is allowed to be forwarded!
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ROUTE="yes"

#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE
#
# "Masquerading" means that all your internal machines which use services on
# the internet seem to come from your firewall.
# Please note that it is more secure to communicate via proxies to the
# internet than masquerading. This option is required for FW_MASQ_NETS and
# FW_FORWARD_MASQ.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_MASQUERADE="yes"
#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"
#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxys on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A target network, protocol and service is appended by a comma to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.
#
# FW_MASQ_NETS="192.168.0.0/24"
#
# 20:21 => ftp-data & ftp
# 25 => smtp (sending email)
# 53 => domain (DNS)
# 80 => http
# 110 => pop3 (fetching email)
# 119 => nntp (NEWS) not needed at the moment
# 193 => irc (IRC chat) not needed at the moment
# 443 => https (Secure HTTP)
# 554 => rtsp (Real Time Streaming Protocol) (for RealMedia streaming videos)
# 1214 => -?- (MORPHEUS)
#
# the LAN (192.168.0.0/24) may go out to the internet on the following ports:
#
FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,20:21 \
192.168.0.0/24,0/0,tcp,25 \
192.168.0.0/24,0/0,tcp,53 \
192.168.0.0/24,0/0,tcp,80 \
192.168.0.0/24,0/0,tcp,110 \
192.168.0.0/24,0/0,tcp,443 \
192.168.0.0/24,0/0,tcp,554 \
192.168.0.0/24,0/0,tcp,1214 \
"

#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will be also affected from the
# FW_AUTOPROTECT_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", defaults to "yes"
#
# "yes" is a good choice
FW_PROTECT_FROM_INTERNAL="yes"

#
# 8.)
# Do you want to autoprotect all running network services on the firewall?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="yes"

#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall) XXX
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Common: smtp domain
FW_SERVICES_EXT_TCP=""
# Common: domain
FW_SERVICES_EXT_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""
#
# Common: smtp domain
FW_SERVICES_DMZ_TCP=""
# Common: domain
FW_SERVICES_DMZ_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Common: ssh smtp domain
# FW_SERVICES_INT_TCP="ftp 20:21 ssh 22 telnet 23 smtp 25 domain 53 www 80 pop3 110 1000:65000"
# 20:21 => ftp-data & ftp
# 22 => ssh
# 23 => telnet
# 25 => smtp (sending email) not needed at the moment
# 53 => domain (DNS)
# 80 => http
# 110 => pop3 (fetching email) not needed at the moment
# 443 => https (Secure HTTP)
# 6000:6063 => x11 (X Window System)
FW_SERVICES_INT_TCP="20:21 22 23 53 80 443 6000:6063"
# Common: domain syslog
# 53 => domain (DNS)
#
# my machine is the DNS server for the LAN
FW_SERVICES_INT_UDP="53"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""

#
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesn't matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

#
# 11.)
# How is access allowed to high (unprivileged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that if you want to use normal (active) ftp, you have to set the TCP
# option to ftp-data. If you use passive ftp, you don't need that.
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXT_UDP ...).
#
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
# if not set
#
# Common: "ftp-data", better is "yes" to be sure that everything else works
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won't work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
#
FW_SERVICE_AUTODETECT="yes"
#
# If you are running bind/named set to yes. Remember that you have to open
# port 53 (or "domain") as udp/tcp to allow incoming queries.
# Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DNS="yes"
#
# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"
#
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="yes"
#
# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="no"
#
# set to "yes" if this server is running a samba server. You still have to open
# the tcp port 139 to allow remote access to SAMBA.
FW_SERVICE_SAMBA="no"

#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were assigned to
# you by your ISP. This opens a direct link to your network, so only use
# this option for access to your dmz!!!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forwarding rules, each separated by a space.
# A forwarding rule consists of 1) source IP/net and 2) destination IP
# separated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
# Optionally a protocol, separated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
# Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
#
FW_FORWARD=""

#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP addresses!
# Hint: if FW_DEV_MASQ is set to the external interface you have to set
# FW_FORWARD from internal to DMZ for the service as well to allow access
# from internal!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, each separated by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination IP
# (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
# separated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
# Optional is a port after the destination port, to redirect the request to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"
#
FW_FORWARD_MASQ=""

#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, separated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) protocol (tcp or udp), 4) original destination port and 5) local port to
# redirect the traffic to, separated by a comma. e.g.:
# "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
FW_REDIRECT=""

#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also set the log level: only the critical stuff, or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DROP_CRIT="yes"
#
FW_LOG_DROP_ALL="no"
#
FW_LOG_ACCEPT_CRIT="yes"
#
FW_LOG_ACCEPT_ALL="no"
#
# only change/activate this if you know what you are doing!
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexceed_rate,
# ip_local_port_range, log_martians, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!)
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_KERNEL_SECURITY="yes"

#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might leave your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall2 stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choices "yes" or "no", defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_INTERNET
#
# Choice: "yes" or "no", defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"
#
FW_ALLOW_PING_DMZ="no"
#
FW_ALLOW_PING_EXT="no"

##
# END of rc.firewall
##

# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #

#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="yes"

#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"

#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need of setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
</font><hr></pre></blockquote>
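The masquerading lines quoted from the firewall2.rc.config header, and the FW_MASQ_NETS entries in the posted config, can be spelled out as plain iptables rules. The following shell script is an added example and is not part of the post or of SuSEfirewall2: it turns settings in the shape of FW_DEV_EXT, FW_DEV_INT and FW_MASQ_NETS into the rules they imply, as I read the comments in the file (SuSEfirewall2's own rule generation is not reproduced here). The device names, the sample network and the SuSE-FW-FORWARD-DROP log prefix are assumptions made for the demonstration; with IPTABLES=echo it only prints what it would load.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2's own code: builds the iptables rules that
# settings in the form of FW_DEV_EXT / FW_DEV_INT / FW_MASQ_NETS imply,
# starting from the "masquerading without filtering" lines quoted from the
# firewall2.rc.config header and adding what they lack: only the networks
# and services listed in FW_MASQ_NETS may open new connections outwards, and
# everything else that would be forwarded is logged and dropped.
#
#   IPTABLES=echo sh masq.sh apply    prints the rules instead of loading them

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"

# masq_rule EXTDEV INTDEV ENTRY
# ENTRY follows the FW_MASQ_NETS syntax documented in the config:
#   "net" | "net,target" | "net,target,proto,port" | "net,proto,port"
# and becomes one FORWARD rule admitting new connections from that net.
masq_rule() {
    extdev=$1; intdev=$2; entry=$3
    oldifs=$IFS; IFS=,
    set -- $entry            # split ENTRY on commas
    IFS=$oldifs
    src=$1; shift
    dst=0/0
    case ${1:-} in
        tcp|udp|icmp|'') ;;  # second field is already the protocol (or absent)
        *) dst=$1; shift ;;  # second field is the target network
    esac
    proto=${1:-}; port=${2:-}
    rule="-A FORWARD -i $intdev -o $extdev -s $src -d $dst"
    [ -n "$proto" ] && rule="$rule -p $proto"
    [ -n "$port" ] && rule="$rule --dport $port"
    echo "$rule -m state --state NEW -j ACCEPT"
}

# gen_rules EXTDEV INTDEV "NETS": emit the complete rule list, one iptables
# argument vector per line, in the order it has to be loaded.
gen_rules() {
    extdev=$1; intdev=$2; nets=$3
    # the two lines from the config header: masquerade, and drop unsolicited
    # traffic arriving on the external device
    echo "-t nat -A POSTROUTING -o $extdev -j MASQUERADE"
    echo "-A INPUT -i $extdev -m state --state NEW,INVALID -j DROP"
    # replies to masqueraded connections are always allowed back in
    echo "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # new connections only from the networks/services listed in FW_MASQ_NETS
    for e in $nets; do
        masq_rule "$extdev" "$intdev" "$e"
    done
    # anything else that would be forwarded is logged, then dropped
    echo "-A FORWARD -j LOG --log-prefix SuSE-FW-FORWARD-DROP:"
    echo "-A FORWARD -j DROP"
}

# apply_rules EXTDEV INTDEV "NETS": load the rules and enable forwarding.
# With IPTABLES=echo nothing is loaded and ip_forward is left alone.
apply_rules() {
    gen_rules "$@" | while read -r line; do
        # shellcheck disable=SC2086 -- the line is meant to split into arguments
        $IPTABLES $line
    done
    if [ "$IPTABLES" != echo ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
}

case "${1:-}" in
    apply)
        # assumed sample values, matching the LAN in the posted config
        apply_rules "${FW_DEV_EXT:-ppp0}" "${FW_DEV_INT:-eth0}" \
            "${FW_MASQ_NETS:-192.168.0.0/24,0/0,tcp,80 192.168.0.0/24,0/0,tcp,443}"
        ;;
esac
```

Run it as root with IPTABLES=echo first and read the output; only then drop the variable. The script appends to the existing chains, so flush them (or start from an empty table) before loading, and it is, as the header says, the bare minimum: nothing here restricts what the LAN may reach on the router itself, which is what the FW_SERVICES_INT_* settings in the full config are for.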

Descartes

Re: SuSEFirewall2 / Personal-Firewall

#3 Post by Descartes »

> I could do without the Bind8 name server, but then I would always have to enter T-Online's DNS servers on the workstations. With Bind I only have to enter the router's IP, which is much more practical.
If you set up a DHCP server on the Linux machine, you can save yourself even that. On request, DHCP then assigns the clients not only their TCP/IP address but also the TCP/IP address of the name server (either your own or your provider's).

Excerpt from /etc/dhcpd.conf (SuSE 7.3):

<blockquote><pre><font size="1" face="">code:</font><hr><font face="Courier New" size="2"># /etc/dhcpd.conf
#
# Sample configuration file for ISC dhcpd
#

# option definitions common to all supported networks...

# CHANGED: see "man 5 dhcpd.conf" for why this is needed
#-- begin DNS SERVER SYNC/UPDATE --
# create with: dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER
#
key DHCP_UPDATER {
algorithm HMAC-MD5.SIG-ALG.REG.INT;
secret hYYmKOoO98aJ1X2xoCdw2g==;
};

# ad-hoc interim none
ddns-update-style ad-hoc;

#-- end DNS SERVER SYNC/UPDATE --

option domain-name "linux.home";

#default-lease-time 600;
default-lease-time 7200;
max-lease-time 7200;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.150 192.168.0.199;
option domain-name-servers 192.168.0.250; # <-- or your provider's DNS
option netbios-name-servers 192.168.0.250;
option domain-name "linux.home";
option routers 192.168.0.250;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
}

# Hosts which require special configuration options can be listed in
# host statements. If no address is specified, the address will be
# allocated dynamically (if possible), but the host-specific information
# will still come from the host declaration.

#host passacaglia {
# hardware ethernet 0:0:c0:5d:bd:95;
# filename "vmunix.passacaglia";
# server-name "toccata.fugue.com";
#}

# a few hosts get fixed TCP/IP addresses:

host balrog {
hardware ethernet 00:00:cb:59:13:37;
fixed-address 192.168.0.101;
}

host bilbo {
hardware ethernet 00:00:cb:59:0e:70;
fixed-address 192.168.0.102;
}

host aragorn {
hardware ethernet 00:20:E0:65:ED:2F;
fixed-address 192.168.0.103;
}
</font><hr></pre></blockquote>
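The key block at the top of the posted dhcpd.conf is a TSIG key shared with named for dynamic DNS updates, and the secret printed there has been public since the post went up, so it should be regenerated. The following shell script is an added example, not from the post or from ISC: it produces a fresh secret of the same form as the dnssec-keygen command in the comment, writes matching key stanzas for dhcpd.conf and named.conf, and checks that both files carry the same secret. The key name DHCP_UPDATER comes from the post; the file names dhcpd.key and named.key, the default directory and the script name are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from ISC: creates a fresh TSIG key for
# the dhcpd <-> named dynamic-update channel and writes the matching "key"
# stanza for each side. Both daemons must see the identical name and secret,
# and the files holding it must not be world-readable, so each stanza goes
# into its own include file created under umask 077.
#
#   sh tsigkey.sh generate /etc    writes /etc/dhcpd.key and /etc/named.key

KEYNAME="${KEYNAME:-DHCP_UPDATER}"   # key name taken from the posted dhcpd.conf

# 128 random bits, base64-encoded: the same shape as
# "dnssec-keygen -a HMAC-MD5 -b 128 -n USER DHCP_UPDATER" produces.
tsig_secret() {
    head -c 16 /dev/urandom | base64 | tr -d '\n'
}

# dhcpd_key_stanza NAME SECRET: key block in ISC dhcpd syntax (as in the post)
dhcpd_key_stanza() {
    printf 'key %s {\n\talgorithm HMAC-MD5.SIG-ALG.REG.INT;\n\tsecret %s;\n};\n' "$1" "$2"
}

# named_key_stanza NAME SECRET: the same key in BIND named.conf syntax.
# BIND quotes name and secret and spells the algorithm "hmac-md5".
named_key_stanza() {
    printf 'key "%s" {\n\talgorithm hmac-md5;\n\tsecret "%s";\n};\n' "$1" "$2"
}

# write_key_files DIR NAME SECRET: one include file per daemon, mode 0600
write_key_files() {
    (
        umask 077
        dhcpd_key_stanza "$2" "$3" > "$1/dhcpd.key"
        named_key_stanza "$2" "$3" > "$1/named.key"
    )
}

# secret_of FILE: extract the secret from either stanza form (quoted or not)
secret_of() {
    sed -n 's|^[[:space:]]*secret "\{0,1\}\([A-Za-z0-9+/=]*\)"\{0,1\};.*|\1|p' "$1" | head -n 1
}

# secrets_match FILE1 FILE2: succeeds only when both carry the same non-empty
# secret. A mismatch is the usual cause of updates being refused with BADSIG.
secrets_match() {
    a=$(secret_of "$1"); b=$(secret_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

case "${1:-}" in
    generate)
        dir=${2:-.}
        write_key_files "$dir" "$KEYNAME" "$(tsig_secret)"
        echo "wrote $dir/dhcpd.key and $dir/named.key"
        ;;
esac
```

The two files are meant to be pulled in with `include "/etc/dhcpd.key";` in dhcpd.conf and `include "/etc/named.key";` in named.conf (paths assumed), and the zone in named.conf still needs `allow-update { key DHCP_UPDATER; };` before it accepts signed updates; without the matching key on the BIND side every update from dhcpd is refused.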

xenic
Posts: 9
Joined: 20. Dec 2001 19:34

Re: SuSEFirewall2 / Personal-Firewall

#4 Post by xenic »

Thanks first of all for the answers. I hadn't thought of DHCP at all, I'll read up a bit... Although with 2 PCs the effort is probably completely over the top...

I have already experimented with SuSEfirewall2 and the personal-firewall. I also think I understand pretty much all the options, but as I said, on the second dial-in name resolution no longer works...
That can probably be worked around with DHCP, but maybe someone knows what is going wrong here.

Descartes

Re: SuSEFirewall2 / Personal-Firewall

#5 Post by Descartes »

> Thanks first of all for the answers. I hadn't thought of DHCP at all, I'll read up a bit... Although with 2 PCs the effort is probably completely over the top...
But it is easily extended if you get another PC (the wife/girlfriend? the kids?) or when a few friends drop by with their laptops: plug into the network and it works.

> I have already experimented with SuSEfirewall2 and the personal-firewall. I also think I understand pretty much all the options, but as I said, on the second dial-in name resolution no longer works...
> That can probably be worked around with DHCP, but maybe someone knows what is going wrong here.
Hmmm, I also have T-Online here, but so far I haven't been able to confirm the problem you describe, that after a disconnect/reconnect address resolution no longer works. The PPP daemon is configured with "usepeerdns" (/etc/ppp/options), isn't it, so that when the connection comes up the (at most two) DNS server addresses supplied by the provider are used automatically?!

Instead of configuring masquerading in the firewall, you can also install the SQUID proxy and then configure your web browser / FTP client / Napster / ... on the LAN to use the proxy (your Linux machine on port 3128). Of course /etc/rc.config.d/firewall2.rc.config has to be adapted for this:

<blockquote><pre><font size="1" face="">code:</font><hr><font face="Courier New" size="2">
...
# If your LAN only uses the SQUID proxy,
# you can disable masquerading completely
#
# FW_MASQ_NETS=""
...
# for the LAN you then only have to open SSH (for remote administration)
# and the proxy port (3128)
#
# Common: ssh smtp domain
# 22 => ssh
# 3128 => squid proxy
FW_SERVICES_INT_TCP="22 3128"
...
# for SQUID you also have to enable the following item
#
# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="yes"
...
</font><hr></pre></blockquote>

The nice thing about SQUID http://www.squid-cache.org/ is that you can additionally install squidGuard http://www.squidguard.org/, with which you can conveniently filter out unwanted web content (e.g. advertising, hate, porn, ...).
Corresponding "blacklists" of URLs are available e.g. from the squidGuard site: ftp://ftp.teledanmark.no/pub/www/proxy/ ... 105.tar.gz

xenic
Posts: 9
Joined: 20. Dec 2001 19:34

Re: SuSEFirewall2 / Personal-Firewall

#6 Post by xenic »

A proxy is not for me, since I don't only want to use standard services but, for example, also want to play games.

"usepeerdns" ? Ich hab da nichts verändert an /etc/ppp/options. Wo muss ich das einstellen, ist das nicht Standard?

gewitter
Posts: 1354
Joined: 09. Apr 2001 9:03

Re: SuSEFirewall2 / Personal-Firewall

#7 Post by gewitter »

@xenic:

the device is called ppp0 and not modem!

xenic
Posts: 9
Joined: 20. Dec 2001 19:34

Re: SuSEFirewall2 / Personal-Firewall

#8 Post by xenic »

According to the SuSE Linux network manual, for all devices whose names begin with "ppp", i.e. modems, you should enter "modem". I have also tried "ppp0"...
