
Firewall problems with internal routing

Question (Linux, Linux Network)

Member: 48895

48895 (Level 1)

30.05.2007, updated 06.05.2008, 4750 views, 3 comments

Hello everyone!

I am facing the following problem:

I have a server running SuSE Linux 10.1 with SuSEfirewall2 on it. This machine provides the Internet connection via an external DSL modem. Behind it is a domain network with a Windows 2003 Small Business Server on which the Exchange Server runs. My problem is that I can reach the web interface from outside, but internally it unfortunately does not work.

Now for some details:



Code from /etc/sysconfig/SuSEfirewall2
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany.  All rights reserved.
# Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany.  All rights reserved.
# Copyright (c) 2005 SUSE LINUX Products GmbH Nuernberg, Germany.  All rights reserved.

# Author: Marc Heuse, 2002
#         Ludwig Nussel, 2004

# /etc/sysconfig/SuSEfirewall2

# for use with /sbin/SuSEfirewall2 version 3.3

# ------------------------------------------------------------------------
# PLEASE NOTE THE FOLLOWING:

# Just by configuring these settings and using the SuSEfirewall2 you
# are not secure per se! There is *not* such a thing you install and
# hence you are safed from all (security) hazards.

# To ensure your security, you need also:

#   * Secure all services you are offering to untrusted networks
#     (internet) You can do this by using software which has been
#     designed with security in mind (like postfix, vsftpd, ssh),
#     setting these up without misconfiguration and praying, that
#     they have got really no holes. SuSEcompartment can help in
#     most circumstances to reduce the risk.
#   * Do not run untrusted software. (philosophical question, can
#     you trust SuSE or any other software distributor?)
#   * Check the security of your server(s) regulary
#   * If you are using this server as a firewall/bastion host to the
#     internet for an internal network, try to run proxy services
#     for everything and disable routing on this machine.
#   * If you run DNS on the firewall: disable untrusted zone
#     transfers and either don't allow access to it from the
#     internet or run it split-brained.

# Good luck!

# Yours,
#	SuSE Security Team

# ------------------------------------------------------------------------

# Configuration HELP:

# If you have got any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST


# If you are a end-user who is NOT connected to two networks (read: you have
# got a single user system and are using a dialup to the internet) you just
# have to configure (all other settings are OK): 2) and maybe 9).

# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to setup your proxys and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)

# If this server is a firewall, and should do routing/masquerading between
# the untrusted and the trusted network, you have to reconfigure (all other
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
# 14)

# If you want to run a DMZ in either of the above three standard setups, you
# just have to configure *additionally* 4), 9), 12), 13), 18)

# Please note that if you use service names, they have to exist in
# /etc/services. There is for example no service "dns", it's called
# "domain"; email is called "smtp" etc.

# ------------------------------------------------------------------------
## Path:	Network/Firewall/SuSEfirewall2
## Description:	SuSEfirewall2 configuration
## Type:	string
## Default:	any

# 2.)
# Which are the interfaces that point to the internet/untrusted
# networks?

# Enter all untrusted network devices here

# Format: space separated list of interface or configuration names

# The special keyword "auto" means to use the device of the default
# route. "auto" cannot be mixed with other interface names.

# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external. Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external interfaces
# individually. "any" can be mixed with other interface names.

# Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "auto", "any dsl0"

# Note: alias interfaces (like eth0:1) are ignored

FW_DEV_EXT="any eth-id-00:04:76:d8:34:69"

## Type:	string

# 3.)
# Which are the interfaces that point to the internal network?

# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.

# Format: space separated list of interface or configuration names

# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"

FW_DEV_INT="eth-id-00:04:75:98:f9:ab"

## Type:	string

# 4.)
# Which are the interfaces that point to the dmz or dialup network?

# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, seperated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.

# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.

# Format: space separated list of interface or configuration names

# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"

FW_DEV_DMZ=""

## Type:	yesno
## Default:	no

# 5.)
# Should routing between the internet, dmz and internal network be
# activated?

# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from
# /etc/sysconfig/network/options

# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.

# defaults to "no" if not set

FW_ROUTE="yes"

## Type:	yesno
## Default:	no

# 6.)
# Do you want to masquerade internal networks to the outside?

# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV

# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.

# defaults to "no" if not set

FW_MASQUERADE="yes"

## Type:	string
## Default:     $FW_DEV_EXT

# 6a.)
# You must also define on which interfaces to masquerade on. Those
# are usually the same as the external interfaces. Most users can
# leave the default.

# Examples: "ippp0", "$FW_DEV_EXT"

FW_MASQ_DEV="$FW_DEV_EXT"

## Type:	string
## Default:	0/0

# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?

# Format: space separated list of
#  <source network>[,<destination network>,<protocol>[,port[:port]]
#
#  If the protocol is icmp then port is interpreted as icmp type

# Examples: - "0/0" unrestricted access to the internet
#           - "10.0.0.0/8" allows the whole 10.0.0.0 network with
#             unrestricted access.
#           - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
#             the 10.0.1.0 network to use www/ftp to the internet. -
#           - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
#             10.0.1.0/24 network is allowed to access unprivileged
#             ports whereas 10.0.2.0/24 is granted unrestricted
#             access.
#
FW_MASQ_NETS="0/0"

## Type:	yesno
## Default:	no

# 7.)
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT

# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.

# defaults to "yes" if not set
#
FW_PROTECT_FROM_INT="no"

## Type:	string

# 9.)
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?

# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)

# Format: space separated list of ports, port ranges or well known
#         service names (see /etc/services)

# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"

FW_SERVICES_EXT_TCP="1002 2703 3551 443 4559 5000 5900 6277 67 68 749 80 8081 88 995 domain pop3 smtp"

## Type:	string

# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?

# see comments for FW_SERVICES_EXT_TCP

# Example: "53"

FW_SERVICES_EXT_UDP="1002 22 2703 4559 5900 6277 67 749 88 995 bootpc domain ipsec-nat-t isakmp"

## Type:	string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?

# Usually for VPN/Routing which END at the firewall

# Example: "esp"

FW_SERVICES_EXT_IP="esp"

## Type:        string

# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?

# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.

# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports

# Example: "mountd nfs"
FW_SERVICES_EXT_RPC=""

## Type:	string

# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP="80 995 https"

## Type:	string

# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""

## Type:	string

# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""

## Type:        string

# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""

## Type:	string

# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP="80 443"

## Type:	string

# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=""

## Type:	string

# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP=""

## Type:        string

# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""

## Type: string

# Packets to silently drop without log message

# Format: space separated list of net,protocol[,port][,sport]
# Example: "0/0,tcp,445 0/0,udp,4662"

# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.

FW_SERVICES_DROP_EXT=""

## Type: string
## Default: 0/0,tcp,113

# Packets to silently reject without log message. Common usage is
# TCP port 113 which if dropped would cause long timeouts when
# sending mail or connecting to IRC servers.

# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,113"

# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.

FW_SERVICES_REJECT_EXT="0/0,tcp,113"

## Type: string
## Default: 0/0,tcp,113

# Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS

# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,22"

# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.

FW_SERVICES_ACCEPT_EXT=""

## Type:	string

# 10.)
# Which services should be accessible from 'trusted' hosts or nets?

# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.

# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type

# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"

FW_TRUSTED_NETS=""

## Type:	string
## Default:

# 11.)
# Specify which ports are allowed to access unprivileged ports (>1023)

# Format: yes, no or space separated list of ports

# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname). Note that this is easy to circumvent! The best choice is to
# keep this option unset or set to 'no'

# defaults to "no" if not set (good choice)

# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2

FW_ALLOW_INCOMING_HIGHPORTS_TCP=""

## Type:	string
## Default:

# See FW_ALLOW_INCOMING_HIGHPORTS_TCP

# defaults to "no" if not set (good choice)

# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2

FW_ALLOW_INCOMING_HIGHPORTS_UDP=""

## Type:	string

# 13.)
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE

# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice befor using this option!

# Format: space separated list of
#    <source network>,<destination network>[,protocol[,port[,flags]]]

#  If the protocol is icmp then port is interpreted as icmp type

#  The only flag currently supported is 'ipsec' which means to only
#  match packets that originate from an IPsec tunnel

# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
#             service on the host 2.2.2.2
#           - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
#             to access any service in the network 4.4.4.4/24
#           - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
#              from 5.5.5.5 to 6.6.6.6
#           - "0/0,0/0,udp,514" always permit udp port 514 to pass
#             the firewall
#           - "192.168.1.0/24,10.10.0.0/16,,,ipsec
#              10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
#              from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
#              provided that both networks are connected via an
#              IPsec tunnel.
FW_FORWARD="0/0,192.168.1.6 0/0,192.168.1.6"

## Type:	string

# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE

# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!

# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!

# Format: space separated list of
#    <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]

# Protocol must be either tcp or udp

# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10
#           - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
#             port 80 coming from the 4.0.0.0/8 network to the
#             internal server 10.10.0.10 on port 81
#           - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
#             the network 200.200.200.0/24 trying to access the
#             address 202.202.202.202 on port 80 will be forwarded
#             to the internal server 10.0.0.10 on port 81

# Note: du to inconsitent iptables behaviour only port numbers are possible but
# no service names (https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273)

FW_FORWARD_MASQ="0/0,192.168.1.6,tcp,443,443,0/0 0/0,192.168.1.6,tcp,995,995,0/0 0/0,192.168.1.6,tcp,80,80,0/0 192.168.1.0/254,192.168.1.6,tcp,443,443,0/0 0/0,192.168.1.6,tcp,6246,995,0/0"
FW_REDIRECT="192.168.1.6,0/0,tcp,443,443 192.168.1.6,0/0,udp,443,443"

## Type:	yesno
## Default:	yes

# 16.)
# Which kind of packets should be logged?

# When set to "yes", packages that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.

# defaults to "yes" if not set

FW_LOG_DROP_CRIT="yes"

## Type:	yesno
## Default:	no

# whether all dropped packets should be logged

# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'

# defaults to "no" if not set

FW_LOG_DROP_ALL="no"

## Type:	yesno
## Default:	yes

# When set to "yes", packages that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests, access to high
# udp/tcp port and forwarded pakets.

# defaults to "yes" if not set

FW_LOG_ACCEPT_CRIT="yes"

## Type:	yesno
## Default:	no

# whether all accepted packets should be logged

# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT

# defaults to "no" if not set

FW_LOG_ACCEPT_ALL="no"

## Type:	string

# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.

# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type:	string

# iptables logging option. Must end with --log-prefix and some prefix
# characters

# only change this if you know what you are doing!
FW_LOG=""

## Type:	yesno
## Default:	yes

# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
#  icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
#  ip_local_port_range, log_martians, rp_filter, routing flush,
#  bootp_relay, proxy_arp, secure_redirects, accept_source_route
#  icmp_echo_ignore_broadcasts, ipfrag_time)

# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)

# Choice: "yes" or "no", if not set defaults to "yes"

FW_KERNEL_SECURITY="yes"

## Type:	yesno
## Default:	no

# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE

# Choices "yes" or "no", if not set defaults to "no"

FW_STOP_KEEP_ROUTING_STATE="yes"

## Type:	yesno
## Default:	yes

# 19.)
# Allow the firewall to reply to icmp echo requests

# defaults to "no" if not set

FW_ALLOW_PING_FW="yes"

## Type:	yesno
## Default:	no

# 19a.)
# Allow hosts in the dmz to be pinged by internal and external hosts
# REQUIRES: FW_ROUTE

# defaults to "no" if not set

FW_ALLOW_PING_DMZ="yes"

## Type:	yesno
## Default:	no

# 19b.)
# Allow external hosts to be pinged from internal or dmz hosts
# REQUIRES: FW_ROUTE

# defaults to "no" if not set

FW_ALLOW_PING_EXT="yes"

##
# END of /etc/sysconfig/SuSEfirewall2
##

#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#                                                                         #

## Type:	yesno
## Default:	yes

# 21.)
# Allow ICMP sourcequench from your ISP?

# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.

# Defaults to "yes" if not set

FW_ALLOW_FW_SOURCEQUENCH=""

## Type:	string(yes,no)

# 22.)
# Allow IP Broadcasts?

# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.

# If you want to drop broadcasts however ignore the annoying log entries, set
# FW_IGNORE_FW_BROADCAST_* to yes.

# Note that if you allow specifc ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.

# Format: either
#           - "yes" or "no"
#           - list of udp destination ports

# Examples: - "631 137" allow broadcast packets on port 631 and 137
#              to enter the machine but drop any other broadcasts
#           - "yes" do not install any extra drop rules for
#              broadcast packets. They'll be treated just as unicast
#              packets in this case.
#           - "no" drop all broadcast packets before other filtering
#              rules

# defaults to "no" if not set

FW_ALLOW_FW_BROADCAST_EXT="no"

## Type:	string

# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="no"

## Type:	string

# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ="no"

## Type:	string(yes,no)

# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.

# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*

# Format: either
#           - "yes" or "no"
#           - list of udp destination ports

# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
#           - "yes" do not log dropped broadcast packets
#           - "no" log all dropped broadcast packets


# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"

## Type:	string

# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"

## Type:	string

# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"

## Type:	yesno
## Default:	no

# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE

# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# be default (so without the need setting up FW_FORWARD definitions)?

# Choice: "yes" or "no", if not set defaults to "no"

# Defaults to "no" if not set

FW_ALLOW_CLASS_ROUTING="yes"

## Type:	string

# 25.)
# Do you want to load customary rules from a file?

# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom

#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type:	yesno
## Default:	no

# 26.)
# Do you want to REJECT packets instead of DROPing?

# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.

# Choice: "yes" or "no", if not set defaults to "no"

# Defaults to "no" if not set

FW_REJECT=""

## Type:	string

# 27.)
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org

# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.

# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream

# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# it's own buffers because queing is done by us now.
# So for a 256kbit upstream
#   FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everthing else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start

FW_HTB_TUNE_DEV=""

## Type:	list(no,drop,reject)
## Default:	drop

# 28.)
# What to do with IPv6 Packets?

# On older kernels ip6tables was not stateful so it's not possible to implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
#   traffic unless you setup your own rules.

# - drop: drop all IPv6 packets.

# - reject: reject all IPv6 packets. This is the default if stateful matching is
#   not available.

# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this.

# Leave empty to automatically detect whether your kernel supports stateful matching.

FW_IPv6=""

## Type:	yesno
## Default:	yes

# 28a.)
# Reject outgoing IPv6 Packets?

# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no

# Defaults to "yes" if not set

FW_IPv6_REJECT_OUTGOING=""

## Type:	list(yes,no,int,ext,dmz)
## Default:	no

# 29.)
# Trust level of IPsec packets.

# You do not need to change this if you do not intend to run
# services that should only be available trough an IPsec tunnel.

# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
11.
# are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec 
12.
# packets belong to the same zone as the interface they arrive on. 
13.
14.
# Note: you still need to explicitely allow IPsec traffic. 
15.
# Example: 
16.
#   FW_IPSEC_TRUST="int" 
17.
#   FW_SERVICES_EXT_IP="esp" 
18.
#   FW_SERVICES_EXT_UDP="isakmp" 
19.
#   FW_PROTECT_FROM_INT="no" 
20.
21.
# Defaults to "no" if not set 
22.
23.
FW_IPSEC_TRUST="no" 
24.
 
25.
## Type:	string 
26.
## Default:	 
27.
28.
# 30.) 
29.
# Define additional firewall zones 
30.
31.
# The built-in zones INT, EXT and DMZ must not be listed here. Names 
32.
# of additional zones must only contain lowercase ascii characters. 
33.
# To define rules for the additional zone, take the approriate 
34.
# variable for a built-in zone and substitute INT/EXT/DMZ with the 
35.
# name of the additional zone. 
36.
37.
# Example: 
38.
#   FW_ZONES="wlan" 
39.
#   FW_DEV_wlan="wlan0" 
40.
#   FW_SERVICES_wlan_TCP="80" 
41.
#   FW_ALLOW_FW_BROADCAST_wlan="yes" 
42.
43.
FW_ZONES="" 
44.
 
45.
## Type:	list(yes,no,auto,) 
46.
## Default:	 
47.
48.
# 31.) 
49.
# Whether to use iptables-batch 
50.
51.
# iptables-batch commits all rules in an almost atomic way similar 
52.
# to iptables-restore. This avoids excessive iptables calls and race 
53.
# conditions. 
54.
55.
# Choice: 
56.
#     - yes: use iptables-batch if available and warn if it isn't 
57.
#     - no: don't use iptables-batch 
58.
#     - auto: use iptables-batch if available, silently fall back to 
59.
#       iptables if it isn't 
60.
61.
# Defaults to "auto" if not set 
62.
63.
FW_USE_IPTABLES_BATCH=""
01.
## Type:	string 
02.
## Default:	 
03.
04.
# 32.) 
05.
# Which additional kernel modules to load at startup 
06.
07.
# Example: 
08.
#   FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp" 
09.
10.
FW_LOAD_MODULES="" 
11.
 
12.
## Type:	string 
13.
## Default:	 
14.
15.
# 33.) 
16.
# Bridge interfaces without IP address 
17.
18.
# Traffic on bridge interfaces like the one used by xen appears to 
19.
# enter and leave on the same interface. Add such interfaces here in 
20.
# order to install special permitting rules for them. 
21.
22.
# Format: list of interface names separated by space 
23.
24.
# Example: 
25.
#   FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0" 
26.
27.
FW_FORWARD_ALWAYS_INOUT_DEV=""
It would be really great if someone could help me out.
If you need any further information, just let me know!

Regards,
Daniel
Member: tbw-01
30.05.2007 at 17:36
Short and sweet:

Your Linux firewall doesn't come into play at all for internal network traffic (clients<=>server).
The FW only kicks in when traffic leaves the 192.168.1.0 network (e.g. to the Internet).
And since the server and the clients are in the same subnet, the FW is not involved in their communication.

Maybe the network settings (GW, DNS etc.) on the clients are wrong.
Or a firewall or something else is running on the SBS.

Cu,
TBW
Member: 48895
31.05.2007 at 13:25
I probably expressed myself badly:

When I address the server directly from inside, i.e. http://192.168.1.6/exchange, I of course reach the web interface without any problems. But when I enter the external address from inside, it doesn't work, e.g. http://webmail.meinefirma.de/exchange

That did work, though, when Linux wasn't acting as the router yet. Back then we had the Vigor2200E from DrayTek, but unfortunately it burnt out, which is why we switched to Linux at short notice.

Besides, as soon as I change the value of FW_MASQ_DEV= under point 6a.) from "$FW_DEV_EXT" to "$FW_DEV_INT", it does work, but then you can't get to the Internet anymore.

Regards,
Daniel
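The symptom Daniel describes (the external name works from outside, direct LAN access to 192.168.1.6 works, but LAN clients using the external address through the Linux router fail unless everything on the internal device is masqueraded) is the classic hairpin NAT, or NAT reflection, case. The script below is an added example, not taken from this thread or from SuSEfirewall2, showing the narrowly scoped iptables rules that handle it: a DNAT for connections arriving on the internal interface for the public address, plus an SNAT restricted to exactly those reflected connections, so that ordinary Internet access is left untouched. The public address 203.0.113.10, the interface names dsl0/eth0 and the router's LAN address 192.168.1.1 are constructed placeholders; 192.168.1.6 and 192.168.1.0/24 come from the thread. On a SuSEfirewall2 host such rules belong in the custom rules file referenced by FW_CUSTOMRULES rather than being typed in by hand.

```shell
#!/bin/sh
# Hairpin NAT (NAT reflection) rules for the situation in the thread:
# LAN clients in 192.168.1.0/24 open http://webmail.meinefirma.de/exchange,
# the name resolves to the router's public address, and the Exchange/OWA
# server is 192.168.1.6 on the same LAN.
# Added example, not part of the thread or of SuSEfirewall2. EXT_IP, the
# interface names and ROUTER_LAN_IP are constructed placeholders.

EXT_IP="203.0.113.10"         # placeholder public address (TEST-NET-3 range)
EXT_DEV="dsl0"                # external (PPPoE) device, named as in the config comments
INT_DEV="eth0"                # assumed internal device
ROUTER_LAN_IP="192.168.1.1"   # assumed LAN address of the Linux router
LAN="192.168.1.0/24"          # internal network from the thread
SERVER="192.168.1.6"          # Exchange server from the thread
PORT="80"                     # OWA over plain HTTP, as in the thread's URLs

# Safety valve: rules are only applied when APPLY=1; otherwise every iptables
# call is printed so the rule set can be reviewed (or diffed) before use.
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

hairpin_rules() {
    # 1. Ordinary port forward: connections from the Internet to the public
    #    address are handed to the server.
    run -t nat -A PREROUTING -i "$EXT_DEV" -d "$EXT_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"

    # 2. Hairpin: the same DNAT for LAN clients that address the public IP.
    run -t nat -A PREROUTING -i "$INT_DEV" -s "$LAN" -d "$EXT_IP" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$SERVER:$PORT"

    # 3. Rewrite the source of exactly those reflected connections to the
    #    router's LAN address. The server then answers via the router; without
    #    this it would reply straight to the client, which would discard a
    #    reply from 192.168.1.6 to a connection it opened towards $EXT_IP.
    #    Scoping the SNAT this tightly is what avoids masquerading all LAN
    #    traffic (the FW_MASQ_DEV="$FW_DEV_INT" workaround from the thread).
    #    POSTROUTING sees the already-DNATed destination, hence -d "$SERVER".
    run -t nat -A POSTROUTING -o "$INT_DEV" -s "$LAN" -d "$SERVER" -p tcp --dport "$PORT" \
        -j SNAT --to-source "$ROUTER_LAN_IP"

    # 4. Let the forwarded connection through the FORWARD chain, statefully.
    run -A FORWARD -d "$SERVER" -p tcp --dport "$PORT" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -s "$SERVER" -p tcp --sport "$PORT" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

hairpin_rules
```

Run it without arguments to see the five rules it would install; `APPLY=1 ./hairpin.sh` (as root) installs them. The alternative D3S3RT proposes further down, split DNS, sidesteps the reflection entirely by making webmail.meinefirma.de resolve to 192.168.1.6 for internal clients; it is simpler, but it only helps if the clients actually use an internal resolver, and it cannot be used to check the external path from inside.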
Member: D3S3RT
06.05.2008 at 08:39
And you don't want to give the Linux router a static hosts entry, so that from inside it doesn't resolve the company address out to the Internet but sends it straight back into the LAN?

I have it set up so that when I'm @home, www.xyz.de points to 192.168.1.100, and when I'm @work, to www.xyz.de.

Or do you also want to use that call to test whether external access works? It might help to use an external proxy in the clients' browsers for testing purposes. That fixed it for me. Otherwise my Linux router also refused this out-and-back routing.