can I deny the access to my server for a specific OS? I have one PC which I want to give it acces from winxp, but if it's boot into ubuntu I want to deny all access to my server, same IP, same ethernet card
View 8 RepliesI greet you at the same time ask me to help with a problem I have and I could not solve. Within the requirements I have is to connect a network that is connected by VPN to my LAN.The detail is I could have connection to the network by adding a network card (eth3) on the firewall and connect to the VPN router (DLINK) cable network, but I can not reach the other estin that are in the VPN.
It should be noted if I add a station within the network: 10.30.1.X/24 has no problems connecting with the other destinations.Physically this router is inside my 10.30.1.X DATA CENTER another wan.
I suspect this is an initial configuration bug. All firewall logs seem to be going to all
three files. That causes a lot of clutter in the log files, and makes it difficult to see whether there are any serious problems being logged.
Even though I've set up HTTPS to be trusted, it still blocks my school's https site: "mnsu.edu/eservices" same with SAMBA and SSH.
If enter the GUI and authenticate as root, change anything and apply, then exit: it works fine and so does SAMBA. However, after restarting, everything stops working again.
yet secure firewall configuration that doesn't require any login or headaches.
I have a set of iptables rules generated by Firestarter, and i'm in the process of trying to familiarise myself with iptables itself, but there's one particular rule which is confusing me, perhaps somebody could explain it to me
My INPUT chain reads as follows:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- cdns01.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
ACCEPT udp -- cdns01.plus.net anywhere
ACCEPT tcp -- cdns02.plus.net anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
[Code]...
Given that the firewall is actually blocking packets, it can't be this simple, so what am I missing?
I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but I have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.
Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
every now and then Firewall Builder fails to open rules (*.fwb)and I have to use some old backup. it does load 'object libraries' but the main 'currently editing policy' panel is empty.(in gnome, debian testing amd64)
View 1 Replies View RelatedI set up a squid transparent proxy and I have a problem with an iptable rules. I have a rule to redirect all request to port 80 to go on port 3128. To do so, I'm using this iptables command :
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
This command is working like a charm. The only problem is, for some unknown reasons, this rule will be dropped at some point. I did not manage to identify what is causing this to happen. It occurs during night, but I have nothing about that in my log files. messages / firewall / ...) The only way I managed to reproduce this 'dropping' is this one: I type the command like as root. The command is effective and working fine. I open yast, I go to the firewall module, the I do a simple "save changes and restart firewall" (without changing anything). As soon as this process is finished, the iptables rule is gone.
-How can I make this rule permanent ?
-Is there a place where I can launch a script executing this rule, after the yast firewall module is 'touched' or something ?
Consolidate several lines of a CSV file with firewall rules, in order to parse them easier?
I have a .csv file, which I created using an HTML export from a Check Point firewall. The objective is to have all the firewall configuration lines where a given host is present. I have to do this for a few hundred, manually is not a reasonable option. I'm going to write a simple Python script for this.
The problem is that the output from the Check Point firewall is complicated to work with. If a firewall rule works with several source or destination hosts, services or other configurations, instead of having them separated with a symbol other than a comma, I get a new line.
This prevents me from exporting the line where the host is present, since I would be missing info.
Let me show you an example, hostnames are modified, of course:
NO.;NAME;SOURCE;DESTINATION;VPN**;SERVICE;ACTION;TRACK;INSTALL ON;TIME;COMMENT
1;;fwxcluster;mcast_vrrp;;vrrp;accept;Log;fwxcluster;Any;"VRRP;;*Comment suppressed*
;;;;;igmp;;;;;
2;;fwxcluster;fwxcluster;;FireWall;accept;Log;fwxcluster;Any;"Management FWg;*Comment suppressed*
;;fwmgmpe;fwmgmpe;;ssh;;;;;
;;fwmgm;fwmgm;;;;;;;
3;NTP;G_NTP_Clients;cmm_ntpserver_pe01;;ntp;accept;None;fwxcluster;Any;*Comment suppressed*
;;;cmm_ntpserver_pe02;;;;;;;
I want some advice for making my system more secure. I want deactivate any network connection that is unnecessary. Only my browser and the update ability of zypper should have access to the internet. On windows there are personal firewalls.
How can I block internetaccess for all other programmes on openSUSE?
Is it possible to apply a rule to a specific local IP? For example lets say I have a two IP's assigned to my server, 1.1.1.1 and 2.2.2.2.;.I want to deny all connections going to 1.1.1.1 only asides from a couple of trusted IP's I will define.
View 1 Replies View RelatedSamba is working correctly if Susefirewall2 is off. I have added Samba client and Samba Services for extern access but samba is not working when firewall is now on. Which services should I also add ?
View 1 Replies View RelatedI have a CSV file, which I created using an HTML export from a Check Point firewall policy. Each rule is represented as several lines, in some cases. That occurs when a rule has several address sources, destinations or services.
I need the output to have each rule described in only one line. It's easy to distinguish when each rule begins. In the first column, there's the rule ID, which is a number.
Here's an example. In green are marked the strings that should be moved:
See example. The strings that should be moved are in bold:
NO.;NAME;SOURCE;DESTINATION;SERVICE;ACTION;
1;;fwgcluster;mcast_vrrp;vrrp;accept;
;;;;igmp;;
2;Testing;fwgcluster;fwgcluster;FireWall;accept;
;;fwmgmpe;fwmgmpe;ssh;;
;;fwmgm;fwmgm;;;
What I need ,explained in pseudo code, is this:
Read the first column of the next line. If there's a number:
Evaluate the first column of the next line. If there's no number there, concatenate (separating with a comma) the strings in the columns of this line with the last one and eliminate the text in the current one
The output should be something like this. The strings in bold are the ones that were moved:
NO.;NAME;SOURCE;DESTINATION;SERVICE;ACTION;
1;;fwgcluster;mcast_vrrp;vrrp-igmp;accept;
;;;;;;
2;Testing;fwgcluster-fwmgmpe-fwmgm;fwgcluster-fwmgmpe-fwmgm;FireWall-ssh;accept;
;;;;;;
The empty lines are there only to be more clear, I don't actually need them.
Please what will it take me to write a perl full functioning program to filter emails for specific rules? Will that be possible? The actual thing am trying to get is to write a perl program and attach to a mail server so that, when the mails come in, the perl script get call and then the perl program will let another external program that is not on the server run and check or filter the mails.
View 8 Replies View RelatedI have my own internal bind9 server, for my local domain, and I forward internal requests for public domains to OpenDNS servers. This server is not in a DMZ, but is instead behind an dynamic NAT. I do not accept queries from the public network, only responses. I understand that DNS is primarilly a UDP protocol, so it can't pass through a stateful/nat. without a firewall allow.
I've done a little reading and learned that bind9 does not run 53 <-> 53 anymore (is now >1024 <-> 53), and modified my config so it works like bind4 did, but I am concerned that this makes me less secure. additionally, I'd really rather not have a completely open 53 rule, but it seems that if I constrain 53 traffic to my known forwarders, it interfers with some of my network services like transmission. so, what firewall rules would you guys recommend for recieving forwarded DNS query responses to my server?
I am trying to add a custom allow rule in the firewall for a range of IPs from 74.201.102.0 - 74.201.103.255, what exactly am I supposed to enter in the source box? I believe I have to add two separate rules for 102 and 103, and I put /24 at the end of both, is this correct to get the whole range of IPs?
View 3 Replies View Related1. Under openSUSE 11.2, I allowed printer sharing through CUPS by setting the Firewall to Allow Services of CUPS in the External Zone section. I don't see the CUPS option in the Allow Services of the Firewall under 11.4, any zone. Is my system missing something?2. If I turn off the Firewall, the client computer can see the printers, even get the broadcasted names. If I put port 631 in TCP of the Advanced setting of the External Zone, the client computer can see the printer too, but I know I read somewhere that putting 631 in the External Zone is basically allowing printer requests from the entire internet.
View 2 Replies View Relatedswitched recently to 11.2 and it works fine for me as workstation I want to set up a router separating a part of the network and also acting as a firewall/proxy... Configured 2 Ethernet Interfaces, checked Ip forwarding in Yast but it does not forward the packets from the "internal" to the "external" network. Hovewer after I set up my router as default for machines on internal network I can ping the external interface but no adress on external network (particularly the one of the default router) !!! From the router I can reach both networks and the net via default gateway on external. Tried to:
a) switch firewall completely off
b) iptables -P FORWARD ACCEPT
c) masquarading internal adresses to the external network
my interfaces configuration looks like:
eth0 Link encap:Ethernet HWaddr 00:13:D4:E3:A2:7B
inet addr:192.168.1.34 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::213:d4ff:fee3:a27b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
[Code].....
We have reason to ask this of you following some strange firewall behaviour - But don't panic If you use openSUSE 11.2 and you think: Your Firewall should be running You are not sure but think it should be check and report back here.
This is how to check:
Go to Yast > Security and Users > Firewall
I did a shields up test and it told me that 1056 ports were stealth but that my pc responded to ping and was visible on the net. How do i fix this?
View 4 Replies View RelatedI can't get my openvpn work if the firewall is on , and I also don't see any option to allow openvpn service in firewall allow service.
View 1 Replies View RelatedI'm trying to get OpenMPI (a parallel programming library) working on my home system. I have just two machines on it now, t61 and quad, connected through a router. (Which is also connected to cable modem for internet.) I can ssh between the machnes, mount directories with NFS, etc. However, I just can't get the OpenMPI to run. The OpenMPI message board suggested that the most probable cause is that the firewall is blocking TCP. I don't know how to tell if that's the problem, and can't find any manual for the SuSE firewall, while the various Wikis &c that pop up in a search don't provide any information that addresses my problem.
View 9 Replies View RelatedOk here's my setup :
SuSE 10.0 X86 32 acting as my internet gateway and firewall.
eth0 is my internal interface network 192.168.0.0/24 IP 192.168.0.254 dsl0 is my internet connection and is a single ip PtP connection to my ISP.
My internal network is masquaraded onto the external network.
I run an smtp server on my gateway box that I need to be accessable to both the internal and external networks.
However I want to prevent machines on the internal network from establishing connections to external smtp servers, but still alow them to connect to the smtp server on the gateway to send email.
NOTE I do not want to force attempts to connect to [URL] 25 to be re-directed to my internal server I just want to drop or reject the connection.
The firewall up until now has just been configured through YaST, but am not afraid to edit script files if needed
The reason for doing this it to prevent spambots from being able to send through my isp, I keep my own machines clean but sometimes get asked to disinfect machines for other people (family members etc), where I need to connect to the outside world to get updates/virus defs etc, but don't want them spamming from my network.
I've setup vnc over ssh tunnelling however the Suse firewall seems to be blocking it. On the local host I have this in ~/.ssh/config:LocalForward localhost:5900 remotehost.com:5900 The problem is that this only works when I either disable the firewall or add an exception for VNC. Both of these actions defeat the whole purpose of ssh tunnelling since they leave my VNC port open to the outside world (very insecure).
View 2 Replies View RelatedI'm in the situation where I'm trying to create 2 private networks using ESX server, all behind a NAT router (static ips are used). I used an openSuse11 vm as a router and was able to configure it so that a machine on one private network was able to access the public network. The problem I have now it that I need to be able to access a machine on the private network from the public network using a different set of IP's.
So if a machine in the private network has an IP of 10.1.0.222 I should be able to ping it using 10.99.0.222 or some other IP. I have never done this before and after reading up on iptables and linux routing I feel more confused than before. Is it possible to add IPs to eth0 (public) and have them mapped to machines on a private network eth1 or eth
I'm looking forward to the release of openSUSE 11.4, which I'm looking to install as an Internet facing gateway on a mini-ITX machine with 2 Ethernet cards. As such I've been reading up on the YaST Firewall trying to find out to configure it, and there's one thing I'd like to be able to do: 'stealth' all the firewall ports.
In other words, if someone were to hypothetically do a port scan of my external IP address, I would rather they not know whether any of the ports on my gateway are open or closed, so instead of replying with the status of those ports the packets get dropped. I've been able to do this with a product called Astaro Security Gateway, which I currently have installed on a second hand Dell Optiplex machine, but I am now looking into the possibility of installing this as a virtual machine inside an openSUSE 11.4 host (extra level of security) and would like the same functionality for the host OS.
How I can refuse an outgoing connection on opensuse firewall by default outbound policy is permissive, and the p2p I explicitly deny an outgoing, according to protocol, remote port and local port.
But I can add rules as how to run opensuse firewall rules are permissive only for inbound traffic and so I can not specifically deny an outgoing connection.
Before using fwbuilder is very powerful and configurable but now I'm with suse for convenience but want to know if you can do what I want, if not I will have to use fwbuilder.
I have done a new install of 11.4 and as with previous versions, I have to go to YAST2 and disable the firewall before I have internet and local network access. Finally I must find out how to do this correctly.
How to I change the default firewall to allow me internet and local network access without disabling it completely? Also I am unclear about the function of Novel Network Armor? What does this do?
I tryed to setup a second IP address with yast on a openSUSE 11.2 on eth0 as eth0:2nd but with a different firewall zone. But SUSE firewall just see eth0.
I want to define with services are available on with IP address. Also with custom rules I can't specify a destination IP.
So now can I do this with yast? Or have I todo this manually without SUSE firewall?
I have a couple of openSUSE 11.2 machines and each is directly connected to the Internet (they are not behind a router, firewall, etc). I want them to be able to communicate without any firewall restrictions, but keep the firewall rules for all other IP addresses. Is this possible? the software package I'm trying to use randomly chooses a port to use in the range of 32768-61000 and I don't feel comfortable having a port range that wide open on both machines.
View 5 Replies View Related