[afnog] mail server
Hyeroba Peter
phyeroba at cfi.co.ug
Tue Dec 16 13:06:50 UTC 2008
Here is SuSEfirewall2
====================================================================
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany. All rights
reserved.
# Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany. All rights
reserved.
# Copyright (c) 2005 SUSE LINUX Products GmbH Nuernberg, Germany. All
rights reserved.
#
# Author: Marc Heuse, 2002
# Ludwig Nussel, 2004
#
# /etc/sysconfig/SuSEfirewall2
#
# for use with /sbin/SuSEfirewall2 version 3.3
#
# ------------------------------------------------------------------------
#
# PLEASE NOTE THE FOLLOWING:
#
# Just by configuring these settings and using the SuSEfirewall2 you
# are not secure per se! There is *not* such a thing you install and
# hence you are safed from all (security) hazards.
#
# To ensure your security, you need also:
#
# * Secure all services you are offering to untrusted networks
# (internet) You can do this by using software which has been
# designed with security in mind (like postfix, vsftpd, ssh),
# setting these up without misconfiguration and praying, that
# they have got really no holes. SuSEcompartment can help in
# most circumstances to reduce the risk.
# * Do not run untrusted software. (philosophical question, can
# you trust SuSE or any other software distributor?)
# * Check the security of your server(s) regulary
# * If you are using this server as a firewall/bastion host to the
# internet for an internal network, try to run proxy services
# for everything and disable routing on this machine.
# * If you run DNS on the firewall: disable untrusted zone
# transfers and either don't allow access to it from the
# internet or run it split-brained.
#
# Good luck!
#
# Yours,
# SuSE Security Team
#
# ------------------------------------------------------------------------
#
# Configuration HELP:
#
# If you have got any problems configuring this file, take a look at
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
#
#
# If you are a end-user who is NOT connected to two networks (read: you have
# got a single user system and are using a dialup to the internet) you just
# have to configure (all other settings are OK): 2) and maybe 9).
#
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to setup your proxys and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
#
# If this server is a firewall, and should do routing/masquerading between
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to setup your proxys and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
#
# If this server is a firewall, and should do routing/masquerading between
# the untrusted and the trusted network, you have to reconfigure (all other
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
# 14)
#
# If you want to run a DMZ in either of the above three standard setups, you
# just have to configure *additionally* 4), 9), 12), 13), 18)
#
# Please note that if you use service names, they have to exist in
# /etc/services. There is for example no service "dns", it's called
# "domain"; email is called "smtp" etc.
#
# ------------------------------------------------------------------------
## Path: Network/Firewall/SuSEfirewall2
## Description: SuSEfirewall2 configuration
## Type: string
## Default: any
#
# 2.)
# Which are the interfaces that point to the internet/untrusted
# networks?
#
# Enter all untrusted network devices here
#
# Format: space separated list of interface or configuration names
#
# The special keyword "auto" means to use the device of the default
# route. "auto" cannot be mixed with other interface names.
#
# The special keyword "any" means that packets arriving on interfaces not
# explicitly configured as int, ext or dmz will be considered external.
Note:
# this setting only works for packets destined for the local machine. If you
# want forwarding or masquerading you still have to add the external
interfaces
# individually. "any" can be mixed with other interface names.
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "auto", "any dsl0"
#
# Note: alias interfaces (like eth0:1) are ignored
#
FW_DEV_EXT="eth-id-00:1a:4b:e5:e3:2c"
## Type: string
#
# 3.)
# Which are the interfaces that point to the internal network?
#
# Enter all trusted network interfaces here. If you are not
# connected to a trusted network (e.g. you have just a dialup) leave
# this empty.
#
# Format: space separated list of interface or configuration names
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
#
FW_DEV_INT="eth-id-00:1a:4b:e5:e3:2a"
## Type: string
#
# 4.)
# Which are the interfaces that point to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, seperated network, which is only connected
# to the firewall, and should be reachable from the internet to
# provide services, e.g. WWW, Mail, etc. and hence is at risk from
# attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
# example.
#
# Note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Format: space separated list of interface or configuration names
#
# Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
#
FW_DEV_DMZ=""
## Type: yesno
## Default: no
#
# 5.)
# Should routing between the internet, dmz and internal network be
# activated?
#
# Set this to "yes" if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but
# this is not a good idea).
#
# This option overrides IP_FORWARD from
# /etc/sysconfig/network/options
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade
# your internal network to the internet, or configure FW_FORWARD to
# define what is allowed to be forwarded. You also need to define
# internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
#
# defaults to "no" if not set
#
FW_ROUTE="yes"
## Type: yesno
## Default: no
#
# 6.)
# Do you want to masquerade internal networks to the outside?
#
# Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
#
# "Masquerading" means that all your internal machines which use
#
# "Masquerading" means that all your internal machines which use
# services on the internet seem to come from your firewall. Please
# note that it is more secure to communicate via proxies to the
# internet than to use masquerading.
#
# This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
#
# defaults to "no" if not set
#
FW_MASQUERADE="yes"
## Type: string
## Default: $FW_DEV_EXT
#
# 6a.)
# You must also define on which interfaces to masquerade on. Those
# are usually the same as the external interfaces. Most users can
# leave the default.
#
# Examples: "ippp0", "$FW_DEV_EXT"
#
FW_MASQ_DEV="$FW_DEV_EXT"
## Type: string
## Default: 0/0
#
# Which internal computers/networks are allowed to access the
# internet via masquerading (not via proxys on the firewall)?
#
# Format: space separated list of
# <source network>[,<destination network>,<protocol>[,port[:port]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# Examples: - "0/0" unrestricted access to the internet
# - "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access.
# - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet. -
# - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
# 10.0.1.0/24 network is allowed to access unprivileged
# ports whereas 10.0.2.0/24 is granted unrestricted
# access.
#
FW_MASQ_NETS="0/0"
## Type: yesno
## Default: no
#
# 7.)
# Do you want to protect the firewall from the internal network?
# Requires: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.
#
# the firewall.
#
# defaults to "yes" if not set
#
FW_PROTECT_FROM_INT="no"
## Type: string
#
# 9.)
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the
internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Format: space separated list of ports, port ranges or well known
# service names (see /etc/services)
#
# Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
#
FW_SERVICES_EXT_TCP="http pop3 smtp ssh"
## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# see comments for FW_SERVICES_EXT_TCP
#
# Example: "53"
#
FW_SERVICES_EXT_UDP=""
## Type: string
#
# Which UDP services _on the firewall_ should be accessible from
# untrusted networks?
#
# Usually for VPN/Routing which END at the firewall
#
# Example: "esp"
#
FW_SERVICES_EXT_IP=""
## Type: string
#
# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore may be able
# to have SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
FW_SERVICES_EXT_RPC=""
## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""
## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""
## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""
## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""
## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP="http pop3 ssh"
## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=""
## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP="http"
## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""
## Type: string
#
# Packets to silently drop without log message
#
# Format: space separated list of net,protocol[,port][,sport]
# Example: "0/0,tcp,445 0/0,udp,4662"
#
# The special value _rpc_ is recognized as protocol and means that dport is
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_DROP_EXT=""
## Type: string
## Default: 0/0,tcp,113
#
# Packets to silently reject without log message. Common usage is
# TCP port 113 which if dropped would cause long timeouts when
# sending mail or connecting to IRC servers.
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,113"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_REJECT_EXT=""
## Type: string
## Default: 0/0,tcp,113
#
# Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol[,dport][,sport]
# Example: "0/0,tcp,22"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
FW_SERVICES_ACCEPT_EXT="192.168.200.0/24,tcp,80 192.168.200.0/24,tcp,22"
## Type: string
#
# 10.)
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal
or
# external) and the services (tcp,udp,icmp) they are allowed to use. This
can
# be used instead of FW_SERVICES_* for further access restriction. Please
note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS="192.168.200.0/24"
## Type: string
## Type: string
## Default:
#
# 11.)
# Specify which ports are allowed to access unprivileged ports (>1023)
#
# Format: yes, no or space separated list of ports
#
# You may either allow everyone from anyport access to your highports
("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber
or
# known portname). Note that this is easy to circumvent! The best choice is
to
# keep this option unset or set to 'no'
#
# defaults to "no" if not set (good choice)
#
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
## Type: string
## Default:
#
# See FW_ALLOW_INCOMING_HIGHPORTS_TCP
#
# defaults to "no" if not set (good choice)
#
# Note: Use of this variable is deprecated and it will likely be
# removed in the future. If you think it should be kept please
# report your use case at
# http://forge.novell.com/modules/xfmod/project/?susefirewall2
#
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
## Type: string
#
# 13.)
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice befor using this option!
#
# Format: space separated list of
# <source network>,<destination network>[,protocol[,port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# The only flag currently supported is 'ipsec' which means to only
# match packets that originate from an IPsec tunnel
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
# service on the host 2.2.2.2
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
# service on the host 2.2.2.2
# - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
# to access any service in the network 4.4.4.4/24
# - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
# from 5.5.5.5 to 6.6.6.6
# - "0/0,0/0,udp,514" always permit udp port 514 to pass
# the firewall
# - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
# 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
# from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
# provided that both networks are connected via an
# IPsec tunnel.
FW_FORWARD="192.168.200.0/24,192.168.0.0/24"
## Type: string
#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
# <source network>,<ip to forward to>,<protocol>,<port>[,redirect
port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10
# - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 10.10.0.10 on port 81
# - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
# the network 200.200.200.0/24 trying to access the
# address 202.202.202.202 on port 80 will be forwarded
# to the internal server 10.0.0.10 on port 81
#
# Note: du to inconsitent iptables behaviour only port numbers are possible
but
# no service names
(https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273)
#
FW_FORWARD_MASQ=""
## Type: string
#
# 15.)
# Which accesses to services should be redirected to a local port on
# the firewall machine?
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of <source network>[,<destination
network>,<protocol>[,dport[:lport]]
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Note: contrary to previous SuSEfirewall2 versions it is no longer
necessary
# to additionally open the local port
FW_REDIRECT=""
## Type: yesno
## Default: yes
#
# 16.)
# Which kind of packets should be logged?
#
# When set to "yes", packages that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"
## Type: yesno
## Default: no
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_FW_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="no"
## Type: yesno
## Default: yes
#
# When set to "yes", packages that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests, access to high
# udp/tcp port and forwarded pakets.
#
# defaults to "yes" if not set
#
FW_LOG_ACCEPT_CRIT="yes"
## Type: yesno
## Default: no
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="no"
## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""
## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# only change this if you know what you are doing!
FW_LOG=""
## Type: yesno
## Default: yes
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, rp_filter, routing flush,
# bootp_relay, proxy_arp, secure_redirects, accept_source_route
# icmp_echo_ignore_broadcasts, ipfrag_time)
#
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY="yes"
## Type: yesno
## Default: no
#
#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# Choices "yes" or "no", if not set defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"
## Type: yesno
## Default: yes
#
# 19.)
# Allow the firewall to reply to icmp echo requests
#
# defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"
## Type: yesno
## Default: no
#
# 19a.)
# Allow hosts in the dmz to be pinged by internal and external hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ="no"
## Type: yesno
## Default: no
#
# 19b.)
# Allow external hosts to be pinged from internal or dmz hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT="no"
##
# END of /etc/sysconfig/SuSEfirewall2
##
# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #
## Type: yesno
## Default: yes
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking,
however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH=""
## Type: string(yes,no)
#
# 22.)
# Allow IP Broadcasts?
#
# Whether the firewall allows broadcasts packets.
# Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
#
# If you want to drop broadcasts however ignore the annoying log entries,
set
# FW_IGNORE_FW_BROADCAST_* to yes.
#
# Note that if you allow specifc ports here it just means that broadcast
# packets for that port are not dropped. You still need to set
# FW_SERVICES_*_UDP to actually allow regular unicast packets to
# reach the applications.
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" allow broadcast packets on port 631 and 137
# to enter the machine but drop any other broadcasts
# - "yes" do not install any extra drop rules for
# broadcast packets. They'll be treated just as unicast
# packets in this case.
# - "no" drop all broadcast packets before other filtering
# rules
#
# defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST_EXT="no"
## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_INT="no"
## Type: string
#
# see comments for FW_ALLOW_FW_BROADCAST_EXT
FW_ALLOW_FW_BROADCAST_DMZ="no"
## Type: string(yes,no)
#
# Suppress logging of dropped broadcast packets. Useful if you don't allow
# broadcasts on a LAN interface.
#
# This setting only affects packets that are not allowed according
# to FW_ALLOW_FW_BROADCAST_*
#
# Format: either
# - "yes" or "no"
# - list of udp destination ports
#
# Examples: - "631 137" silently drop broadcast packets on port 631 and 137
# - "yes" do not log dropped broadcast packets
# - "no" log all dropped broadcast packets
#
#
# defaults to "no" if not set
FW_IGNORE_FW_BROADCAST_EXT="yes"
## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_INT="no"
## Type: string
#
# see comments for FW_IGNORE_FW_BROADCAST_EXT
FW_IGNORE_FW_BROADCAST_DMZ="no"
## Type: yesno
## Default: no
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# be default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_ALLOW_CLASS_ROUTING=""
## Type: string
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT
/etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""
## Type: yesno
## Default: no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_REJECT=""
## Type: string
#
# 27.)
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="dsl0,125"
# where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing
traffic in
# it's own buffers because queing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="dsl0,250"
# might be a better value than "dsl0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic
you
# have on your line but 5% under your maximum upstream might be a good
start.
# Everthing else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""
## Type: list(no,drop,reject)
## Default: drop
#
# 28.)
# What to do with IPv6 Packets?
#
# On older kernels ip6tables was not stateful so it's not possible to
implement
# the same features as for IPv4 on such machines. For these there are three
# choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
# traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets.
#
# - reject: reject all IPv6 packets. This is the default if stateful
matching is
# not available.
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
# Leave empty to automatically detect whether your kernel supports stateful
matching.
#
FW_IPv6=""
## Type: yesno
## Default: yes
#
# 28a.)
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
# Defaults to "yes" if not set
#
FW_IPv6_REJECT_OUTGOING=""
## Type: list(yes,no,int,ext,dmz)
## Default: no
#
# 29.)
# Trust level of IPsec packets.
#
# You do not need to change this if you do not intend to run
# services that should only be available trough an IPsec tunnel.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or
'dmz'
# are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitely allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_EXT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INT="no"
#
# Defaults to "no" if not set
#
FW_IPSEC_TRUST="no"
## Type: string
## Default:
#
# 30.)
# Define additional firewall zones
# The built-in zones INT, EXT and DMZ must not be listed here. Names
# of additional zones must only contain lowercase ascii characters.
# To define rules for the additional zone, take the approriate
# variable for a built-in zone and substitute INT/EXT/DMZ with the
# name of the additional zone.
#
# Example:
# FW_ZONES="wlan"
# FW_DEV_wlan="wlan0"
# FW_SERVICES_wlan_TCP="80"
# FW_ALLOW_FW_BROADCAST_wlan="yes"
#
FW_ZONES=""
## Type: list(yes,no,auto,)
## Default:
#
# 31.)
# Whether to use iptables-batch
#
# iptables-batch commits all rules in an almost atomic way similar
# to iptables-restore. This avoids excessive iptables calls and race
# conditions.
#
# Choice:
# - yes: use iptables-batch if available and warn if it isn't
# - no: don't use iptables-batch
# - auto: use iptables-batch if available, silently fall back to
# iptables if it isn't
#
# Defaults to "auto" if not set
#
FW_USE_IPTABLES_BATCH=""
## Type: string
## Default:
#
# 32.)
# Which additional kernel modules to load at startup
#
# Example:
# FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp"
#
FW_LOAD_MODULES=""
## Type: string
## Default:
#
# 33.)
# Bridge interfaces without IP address
#
# Traffic on bridge interfaces like the one used by xen appears to
# enter and leave on the same interface. Add such interfaces here in
# order to install special permitting rules for them.
#
# Format: list of interface names separated by space
#
# Example:
# FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
#
FW_FORWARD_ALWAYS_INOUT_DEV=""
========================================================================
Hyeroba W. Peter
Computer Frontiers International limited;
Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
Cell-phone: +256 78 247 9192;
Website: www.cfi.co.ug
-----Original Message-----
From: Noah Sematimba [mailto:ksemat at psg.com]
Sent: Tuesday, December 16, 2008 3:52 PM
To: Hyeroba Peter
Cc: 'Stephane Bortzmeyer'; afnog at afnog.org
Subject: Re: [afnog] mail server
and /etc/sysconfig/SuSEfirewall2 ?
Noah.
On Dec 16, 2008, at 3:28 PM, Hyeroba Peter wrote:
> Hi guys again my apologies for the scarcity of info. Below is my
>
> iptables -L -n output.
>
> =
> =
> ======================================================================
> mail:~ # iptables -L -n
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> input_int all -- 0.0.0.0/0 0.0.0.0/0
> input_ext all -- 0.0.0.0/0 0.0.0.0/0
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> flags:0x06/0x02 TCPMSS clamp to PMTU
> forward_int all -- 0.0.0.0/0 0.0.0.0/0
> forward_ext all -- 0.0.0.0/0 0.0.0.0/0
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> NEW,RELATED,ESTABLISHED
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '
>
> Chain forward_ext (1 references)
> target prot opt source destination
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 3
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 11
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 12
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 14
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 18
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 5
> LOG all -- 192.168.200.0/24 192.168.0.0/24 limit:
> avg
> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-
> FORW '
> ACCEPT all -- 192.168.200.0/24 192.168.0.0/24 state
> NEW,RELATED,ESTABLISHED
> ACCEPT all -- 192.168.0.0/24 192.168.200.0/24 state
> RELATED,ESTABLISHED
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> NEW,RELATED,ESTABLISHED
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix
> `SFW2-FWDext-DROP-DEFLT '
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
> multicast
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
> `SFW2-FWDext-DROP-DEFLT '
> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 state INVALID LOG flags 6 level 4 prefix
> `SFW2-FWDext-DROP-DEFLT-INV '
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain forward_int (1 references)
> target prot opt source destination
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 3
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 11
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 12
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 14
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 18
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 5
> LOG all -- 192.168.200.0/24 192.168.0.0/24 limit:
> avg
> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-
> FORW '
> ACCEPT all -- 192.168.200.0/24 192.168.0.0/24 state
> NEW,RELATED,ESTABLISHED
> ACCEPT all -- 192.168.0.0/24 192.168.200.0/24 state
> RELATED,ESTABLISHED
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> NEW,RELATED,ESTABLISHED
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix
> `SFW2-FWDint-DROP-DEFLT '
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
> multicast
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
> `SFW2-FWDint-DROP-DEFLT '
> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 state INVALID LOG flags 6 level 4 prefix
> `SFW2-FWDint-DROP-DEFLT-INV '
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain input_ext (1 references)
> target prot opt source destination
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
> broadcast
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> type 4
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp
> type 8
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 3
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 11
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 12
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 14
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 18
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 3 code 2
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
> RELATED,ESTABLISHED icmp type 5
> LOG all -- 192.168.200.0/24 0.0.0.0/0 limit:
> avg
> 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-
> TRUST '
> ACCEPT all -- 192.168.200.0/24 0.0.0.0/0 state
> NEW,RELATED,ESTABLISHED
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix
> `SFW2-INext-ACC-TCP '
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:
> 80
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 tcp dpt:110 flags:0x17/0x02 LOG flags 6 level 4 prefix
> `SFW2-INext-ACC-TCP '
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:
> 110
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix
> `SFW2-INext-ACC-TCP '
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:
> 25
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix
> `SFW2-INext-ACC-TCP '
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:
> 22
> LOG tcp -- 192.168.200.0/24 0.0.0.0/0 tcp dpt:
> 80
> state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix
> `SFW2-INext-ACC '
> ACCEPT tcp -- 192.168.200.0/24 0.0.0.0/0 tcp dpt:
> 80
> LOG tcp -- 192.168.200.0/24 0.0.0.0/0 tcp dpt:
> 22
> state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix
> `SFW2-INext-ACC '
> ACCEPT tcp -- 192.168.200.0/24 0.0.0.0/0 tcp dpt:
> 22
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix
> `SFW2-INext-DROP-DEFLT '
> DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
> multicast
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
> `SFW2-INext-DROP-DEFLT '
> LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
> LOG all -- 0.0.0.0/0 0.0.0.0/0 limit:
> avg
> 3/min burst 5 state INVALID LOG flags 6 level 4 prefix
> `SFW2-INext-DROP-DEFLT-INV '
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain input_int (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain reject_func (0 references)
> target prot opt source destination
> REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-
> with
> tcp-reset
> REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-
> with
> icmp-port-unreachable
> REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-
> with
> icmp-proto-unreachable
>
> =
> ======================================================================
>
>
> Hyeroba W. Peter
> Computer Frontiers International limited;
> Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
> Cell-phone: +256 78 247 9192;
> Website: www.cfi.co.ug
>
>
> -----Original Message-----
> From: Noah Sematimba [mailto:ksemat at psg.com]
> Sent: Tuesday, December 16, 2008 12:42 PM
> To: Hyeroba Peter
> Cc: 'Stephane Bortzmeyer'; afnog at afnog.org
> Subject: Re: [afnog] mail server
>
>
> Despite the scarcity of information from your side I would suspect
> that the problem is that you're automatically redirecting all your web
> requests to squid including those meant to connect to the local server
> itself. You need to put an exception to the redirect rule for the
> local server.
>
> Please post the output of
> iptables -L -n
>
> and the contents of /etc/sysconfig/SuSEfirewall2
>
> cheers,
>
> Noah.
> On Dec 16, 2008, at 11:45 AM, Hyeroba Peter wrote:
>
>> Sorry about the very vague initial post,
>>
>> If I run telnet 192.168.200.1 80 it actually connects
>> If I access my webmail from the 192.168.0.1 interface, I can do so
>> properly.
>>
>> The 192.168.200.1 and 192.168.0.1 are the internal and external
>> interfaces
>> respectively in relation to my firewall.
>>
>> So if I tell someone outside my network to access my webmail, they
>> do so
>> perfectly well. But if I try to do so on my LAN, I cannot.
>>
>>
>> Hyeroba W. Peter
>> Computer Frontiers International limited;
>> Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
>> Cell-phone: +256 78 247 9192;
>> Website: www.cfi.co.ug
>>
>>
>> -----Original Message-----
>> From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
>> Sent: Tuesday, December 16, 2008 11:12 AM
>> To: Hyeroba Peter
>> Cc: afnog at afnog.org
>> Subject: Re: mail server
>>
>> On Tue, Dec 16, 2008 at 10:01:36AM +0300,
>> Hyeroba Peter <phyeroba at cfi.co.ug> wrote
>> a message of 21 lines which said:
>>
>>> I have a mail server on that also doubles as a firewall, its an suse
>>> enterprise server, the problem is I can access the openwebmail off
>>> the internet but cannot access it over the local network.
>>
>> As always, "cannot" is not a proper error message.
>>
>> 1) What command did you type?
>> 2) What result did you get?
>>
>> Example: "I type telnet mywebmail.example 80 and I get "Connection
>> foobared at 192.0.2.1"
>>
>> Remember that graphical behemoths like Firefox (and, worse, IE) are
>> very poor debugging tools.
>>
>> Typical tools to debug system and network administration problems:
>>
>> - telnet (you can give a port number after the host name to test
>> various services)
>>
>> - ping (to check IP routing)
>>
>> - the log of the server (if the connection was refused by the server,
>> if the firewall is Linux Netfilter, dmesg - if the target is LOG -
>> or 'iptables -v -L CHAINNAME' may help)
>>
>> ...
>>
>>
>> _______________________________________________
>> afnog mailing list
>> http://afnog.org/mailman/listinfo/afnog
>>
>
>
>
More information about the afnog
mailing list