This is the second article and covers the configuration of the openSUSE 11.0 firewall.
Rule #1: Pay attention to IP address conflicts. If the address is already used by another device, the configuration may look fine but it still won't work. Of course everybody knows that; I just wanted to throw this one in ... for 'almost' no reason :-)
Security fixes are applied, but I did not move to 11.1 yet. Version 11.1 is still in beta and the ethernet driver (e1000e) problem is not completely fixed as of this writing. My plan is to free up one server by consolidating two systems. The freed server will be my new production firewall, and the one I'm setting up now will be my backup and test system.
Hardware configuration is as follows:
One network device built onto the motherboard plus two 10/100 adapters. That's three adapters: one for the public Internet, one for my internal network, and the third for my servers that need to be reachable from both the Internet and the internal network. One PC has 512MB+ memory, a 6GB disk and a Pentium 4 1.6GHz processor; the other has 512MB memory, a 6GB disk and a Pentium 4 2.8GHz processor. The older 1.6GHz machine uses 50 watts of power, the newer one less than 30 watts. Because they are on a UPS, the power consumption really matters - not only for environmental reasons.
IPv6 Support?
In YaST2, go to Network Devices > Network Settings, then to Global Options, where I unchecked the Enable IPv6 option. I don't use it yet, and the Administration Document mentions that there is less overhead when it is disabled.
DHCP or not?
I don't use DHCP at all. If I do need the function, I'll power up my $20 Netgear router; it does a fine job.
Firewall Zone in the Device Configuration
I also changed the Firewall Zone from Automatically Assign Zone to the correct zone. In YaST2, go to Network Devices > Network Settings, then to Overview. Edit each controller and, on the General tab, select the correct zone if it is not already set.
Minor Problem (bug?) with adapter configuration:
When adding a new IP address to the external zone, I was not able to remove the address again. I could change it, but not remove it. I had to edit the configuration file manually:
1. Stop the network with rcnetwork stop.
2. Edit /etc/sysconfig/network/ifcfg-eth2 and comment out the line pairs with IPADDR_xx and LABEL_xx. Also comment out the matching PREFIXLEN_xx lines.
3. Save the file and restart the network with rcnetwork start.
Now the configuration shows correctly in YaST and the firewall.
The final setup is as follows:
External Zone: about 10 IP Addresses all in the 207.176.something range
Internal Zone: the 192.168.1.1 network with all my desktops
Demilitarized Zone: the 10.10.10.1 network with my webserver(s).
In the firewall configuration, this is the basic setup.
Open YaST2 and go to Security and Users > Firewall.
Start-Up: not much to change.
Interfaces: shows my 3 network devices plus the any interface.
Allowed Services: has the generic ports by zone that are needed to keep the PC working. More details below.
Masquerading: has the bulk of the configuration. All the IP address, port and protocol forwarding rules are here.
Broadcast: no change.
IPsec Support: no change.
Logging Level: no change.
Custom Rules: no change.
Allowed Services configuration
When I checked the Protect Firewall from Internal Zone, I was not able to get the desktop PCs on the Internal Zone to work correctly. Eventually I just left it unchecked ... for now.
I added some services to the allow list for the Demilitarized Zone, such as DNS, SMTP and Notes.
I added no ports to the allow list for the External Zone.
No need to add anything on the Internal Zone, since I didn't check Protect Firewall from Internal Zone.
Masquerading
To handle multiple IP addresses on the external zone, I added several Masquerading entries.
I'm adding one entry per redirect and port/protocol. The source network is always 0/0 for my purpose; the requested IP is 207.176.156.3, which I redirect to 10.10.10.3.
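What the Allowed Services and Masquerading screens above write into /etc/sysconfig/SuSEfirewall2, as an added example constructed for this post (not the author's actual file). The device-to-zone mapping is an assumption (eth2 is external per the post; which of eth0/eth1 is the DMZ is a guess), and port 1352 for Notes is assumed. The small function at the end turns the terse FW_FORWARD_MASQ entries into readable lines and flags entries that are not tcp/udp, which the firewall would not accept.

```shell
#!/bin/sh
# Constructed SuSEfirewall2 settings for the three-zone setup described in the post.
FW_DEV_EXT="eth2"                # external interface (assumed from ifcfg-eth2 in the post)
FW_DEV_INT="eth1"                # internal 192.168.1.x desktops (assumed)
FW_DEV_DMZ="eth0"                # DMZ 10.10.10.x webservers (assumed)
FW_ROUTE="yes"                   # firewall routes between zones
FW_MASQUERADE="yes"              # required for the forwards below
FW_PROTECT_FROM_INT="no"         # "Protect Firewall from Internal Zone" left unchecked
FW_SERVICES_DMZ_TCP="domain smtp 1352"   # DNS, SMTP, Notes (1352 assumed)
FW_SERVICES_DMZ_UDP="domain"
# One entry per redirect and port/protocol:
#   <source net>,<forward-to ip>,<protocol>,<port>[,<local port>[,<external ip>]]
FW_FORWARD_MASQ="0/0,10.10.10.3,tcp,80,80,207.176.156.3 0/0,10.10.10.3,tcp,443,443,207.176.156.3"

# Print one readable line per FW_FORWARD_MASQ entry.
# Returns 1 if any entry has fewer than four fields or a protocol other than tcp/udp.
explain_forward_masq() {
    status=0
    for entry in $1; do
        oldifs=$IFS; IFS=,
        set -- $entry                  # split the entry on commas into $1..$6
        IFS=$oldifs
        src=$1; target=$2; proto=$3; port=$4
        lport="${5:-$4}"               # local port defaults to the requested port
        ext="${6:-any external address}"  # external IP only needed with several addresses
        if [ $# -lt 4 ] || { [ "$proto" != tcp ] && [ "$proto" != udp ]; }; then
            printf 'invalid entry: %s\n' "$entry" >&2
            status=1
            continue
        fi
        printf '%s/%s to %s from %s -> %s:%s\n' "$proto" "$port" "$ext" "$src" "$target" "$lport"
    done
    return $status
}

explain_forward_masq "$FW_FORWARD_MASQ"
```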
These are the major configuration changes and all works fine up to this point.
Update / Revision: January 3 2009
No problems with the firewall. I made major configuration changes to simplify my DNS entries, which consequently simplified my Masquerading configuration.
Back in mid December, I configured a brand new system based on my instructions here. It worked without a problem. Once the setup was done and the firewall was working with different IP addresses and only a minimal firewall configuration, it was time to switch the hardware.
One night, I copied the configuration files to the new system:
/etc/sysconfig/SuSEfirewall2 << this is the firewall configuration
/etc/sysconfig/network/ifcfg-eth2 << this is the IP address configuration for the external network
The ifcfg-eth0 and ifcfg-eth1 config files each have one entry, the 10.10.10.1 and the 192.168.1.1, so there was no need to copy them as well.
First published on October 03, 2008