[afnog] mail server

Noah Sematimba ksemat at psg.com
Tue Dec 16 13:58:26 UTC 2008


The following lines are redundant because you already set that the
firewall should not be protected from the internal network:


FW_SERVICES_INT_TCP="http pop3 ssh"
FW_SERVICES_INT_IP="http"
FW_TRUSTED_NETS="192.168.200.0/24"



The following does not make sense and should be removed, as you already
allow that particular access using FW_SERVICES_EXT_TCP:

FW_SERVICES_ACCEPT_EXT="192.168.200.0/24,tcp,80 192.168.200.0/24,tcp,22"

Also please unset:

FW_FORWARD="192.168.200.0/24,192.168.0.0/24"

as it does not make sense if you take time to read the explanation  
that comes before that setting.

I am not sure how all these contradictions end up affecting your
firewall rules since I simply did not have time to read the actual
/sbin/SuSEfirewall2 script that sources this configuration file. Please
change those and restart your firewall to see if that solves your
problem.

Noah.

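An added example of my own (not code from this thread and not part of the SuSEfirewall2 package): a small POSIX shell check that sources a sysconfig file the way /sbin/SuSEfirewall2 does and prints the three kinds of contradiction discussed above. The sample file is constructed to reproduce the posted settings; svc_port is a hand-written stand-in for an /etc/services lookup, and treating an RFC 1918 address as "internal LAN" is a heuristic. Both are assumptions of mine.

```shell
#!/bin/sh
# Consistency check for a SuSEfirewall2 sysconfig file (added example, not
# the real /sbin/SuSEfirewall2 script). It sources the file exactly as the
# real script does, then looks for settings that cancel each other out.

# Constructed sample (not the poster's full file): the settings the reply
# objects to, plus the ones they collide with.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="http pop3 smtp ssh"
FW_SERVICES_INT_TCP="http pop3 ssh"
FW_SERVICES_INT_IP="http"
FW_SERVICES_ACCEPT_EXT="192.168.200.0/24,tcp,80 192.168.200.0/24,tcp,22"
FW_TRUSTED_NETS="192.168.200.0/24"
FW_FORWARD="192.168.200.0/24,192.168.0.0/24"
EOF

# Hand-written stand-in for an /etc/services lookup (assumption: only these
# names are needed). It lets "http" in FW_SERVICES_EXT_TCP match "80" in
# FW_SERVICES_ACCEPT_EXT.
svc_port() {
    case "$1" in
        http|www) echo 80 ;;
        ssh)      echo 22 ;;
        smtp)     echo 25 ;;
        pop3)     echo 110 ;;
        *)        echo "$1" ;;   # already numeric, or unknown: compare as-is
    esac
}

# RFC 1918 test; the checks below assume a private network is an internal LAN.
is_private_net() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# lint_susefirewall2 FILE: print one finding per line.
lint_susefirewall2() {
    . "$1"   # sysconfig files are plain shell variable assignments

    # 1. With FW_PROTECT_FROM_INT=no every service on the firewall is already
    #    reachable from FW_DEV_INT, so the INT allow-lists change nothing.
    if [ "$FW_PROTECT_FROM_INT" = "no" ]; then
        for v in FW_SERVICES_INT_TCP FW_SERVICES_INT_UDP FW_SERVICES_INT_IP FW_SERVICES_INT_RPC; do
            eval "val=\$$v"
            if [ -n "$val" ]; then
                echo "redundant: $v=\"$val\" has no effect while FW_PROTECT_FROM_INT=no"
            fi
        done
        for net in $FW_TRUSTED_NETS; do
            if is_private_net "${net%%,*}"; then
                echo "redundant: FW_TRUSTED_NETS entry $net is an internal net, already unrestricted by FW_PROTECT_FROM_INT=no"
            fi
        done
    fi

    # 2. FW_SERVICES_ACCEPT_EXT narrows access to one source net, but a port
    #    listed in FW_SERVICES_EXT_TCP is already open to every external host.
    for entry in $FW_SERVICES_ACCEPT_EXT; do
        proto=$(printf '%s' "$entry" | cut -d, -f2)
        dport=$(printf '%s' "$entry" | cut -d, -f3)
        [ "$proto" = "tcp" ] || continue
        for svc in $FW_SERVICES_EXT_TCP; do
            if [ "$(svc_port "$svc")" = "$dport" ]; then
                echo "redundant: FW_SERVICES_ACCEPT_EXT entry $entry: tcp/$dport is already open to everyone via FW_SERVICES_EXT_TCP"
            fi
        done
    done

    # 3. FW_FORWARD is for routing to publicly addressed machines (its own
    #    comment says so). Two private nets and no DMZ interface means this
    #    is LAN traffic that FW_MASQUERADE/FW_MASQ_NETS already handle.
    for entry in $FW_FORWARD; do
        src=${entry%%,*}
        rest=${entry#*,}
        dst=${rest%%,*}
        if [ -z "$FW_DEV_DMZ" ] && is_private_net "$src" && is_private_net "$dst"; then
            echo "suspect: FW_FORWARD entry $entry forwards between two private nets with no DMZ; unset it and rely on FW_MASQ_NETS"
        fi
    done
}

lint_susefirewall2 "$SAMPLE_CFG"
```

Point lint_susefirewall2 at the real /etc/sysconfig/SuSEfirewall2 to check a live box. One thing the reply does not mention: FW_SERVICES_INT_IP takes protocol names or numbers from /etc/protocols (esp, gre, ...), so "http" is the wrong kind of value there regardless of FW_PROTECT_FROM_INT.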
On Dec 16, 2008, at 4:06 PM, Hyeroba Peter wrote:

> Here is SuSEfirewall2
>
> ====================================================================
> # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany.  All rights reserved.
> # Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany.  All rights reserved.
> # Copyright (c) 2005 SUSE LINUX Products GmbH Nuernberg, Germany.  All rights reserved.
> #
> # Author: Marc Heuse, 2002
> #         Ludwig Nussel, 2004
> #
> # /etc/sysconfig/SuSEfirewall2
> #
> # for use with /sbin/SuSEfirewall2 version 3.3
> #
> # ------------------------------------------------------------------------
> #
> # PLEASE NOTE THE FOLLOWING:
> #
> # Just by configuring these settings and using the SuSEfirewall2 you
> # are not secure per se! There is *not* such a thing you install and
> # hence you are saved from all (security) hazards.
> #
> # To ensure your security, you need also:
> #
> #   * Secure all services you are offering to untrusted networks
> #     (internet) You can do this by using software which has been
> #     designed with security in mind (like postfix, vsftpd, ssh),
> #     setting these up without misconfiguration and praying, that
> #     they have got really no holes. SuSEcompartment can help in
> #     most circumstances to reduce the risk.
> #   * Do not run untrusted software. (philosophical question, can
> #     you trust SuSE or any other software distributor?)
> #   * Check the security of your server(s) regularly
> #   * If you are using this server as a firewall/bastion host to the
> #     internet for an internal network, try to run proxy services
> #     for everything and disable routing on this machine.
> #   * If you run DNS on the firewall: disable untrusted zone
> #     transfers and either don't allow access to it from the
> #     internet or run it split-brained.
> #
> # Good luck!
> #
> # Yours,
> #       SuSE Security Team
> #
> # ------------------------------------------------------------------------
> #
> # Configuration HELP:
> #
> # If you have got any problems configuring this file, take a look at
> # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST
> #
> #
> # If you are an end-user who is NOT connected to two networks (read: you have
> # got a single user system and are using a dialup to the internet) you just
> # have to configure (all other settings are OK): 2) and maybe 9).
> #
> # If this server is a firewall, which should act like a proxy (no direct
> # routing between both networks), or you are an end-user connected to the
> # internet and to an internal network, you have to setup your proxies and
> # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
> #
> # If this server is a firewall, and should do routing/masquerading between
> # the untrusted and the trusted network, you have to reconfigure (all other
> # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
> # 14)
> #
> # If you want to run a DMZ in either of the above three standard setups, you
> # just have to configure *additionally* 4), 9), 12), 13), 18)
> #
> # Please note that if you use service names, they have to exist in
> # /etc/services. There is for example no service "dns", it's called
> # "domain"; email is called "smtp" etc.
> #
> # ------------------------------------------------------------------------
>
> ## Path:        Network/Firewall/SuSEfirewall2
> ## Description: SuSEfirewall2 configuration
> ## Type:        string
> ## Default:     any
> #
> # 2.)
> # Which are the interfaces that point to the internet/untrusted
> # networks?
> #
> # Enter all untrusted network devices here
> #
> # Format: space separated list of interface or configuration names
> #
> # The special keyword "auto" means to use the device of the default
> # route. "auto" cannot be mixed with other interface names.
> #
> # The special keyword "any" means that packets arriving on interfaces not
> # explicitly configured as int, ext or dmz will be considered external. Note:
> # this setting only works for packets destined for the local machine. If you
> # want forwarding or masquerading you still have to add the external interfaces
> # individually. "any" can be mixed with other interface names.
> #
> # Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "auto", "any dsl0"
> #
> # Note: alias interfaces (like eth0:1) are ignored
> #
> FW_DEV_EXT="eth-id-00:1a:4b:e5:e3:2c"
>
> ## Type:        string
> #
> # 3.)
> # Which are the interfaces that point to the internal network?
> #
> # Enter all trusted network interfaces here. If you are not
> # connected to a trusted network (e.g. you have just a dialup) leave
> # this empty.
> #
> # Format: space separated list of interface or configuration names
> #
> # Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
> #
> FW_DEV_INT="eth-id-00:1a:4b:e5:e3:2a"
>
> ## Type:        string
> #
> # 4.)
> # Which are the interfaces that point to the dmz or dialup network?
> #
> # Enter all the network devices here which point to the dmz/dialups.
> # A "dmz" is a special, separated network, which is only connected
> # to the firewall, and should be reachable from the internet to
> # provide services, e.g. WWW, Mail, etc. and hence is at risk from
> # attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
> # example.
> #
> # Note: You have to configure FW_FORWARD to define the services
> # which should be available to the internet and set FW_ROUTE to yes.
> #
> # Format: space separated list of interface or configuration names
> #
> # Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
> #
> FW_DEV_DMZ=""
>
> ## Type:        yesno
> ## Default:     no
> #
> # 5.)
> # Should routing between the internet, dmz and internal network be
> # activated?
> #
> # Set this to "yes" if you either want to masquerade internal
> # machines or allow access to the dmz (or internal machines, but
> # this is not a good idea).
> #
> # This option overrides IP_FORWARD from
> # /etc/sysconfig/network/options
> #
> # Setting this option one alone doesn't do anything. Either activate
> # masquerading with FW_MASQUERADE below if you want to masquerade
> # your internal network to the internet, or configure FW_FORWARD to
> # define what is allowed to be forwarded. You also need to define
> # internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
> #
> # defaults to "no" if not set
> #
> FW_ROUTE="yes"
>
> ## Type:        yesno
> ## Default:     no
> #
> # 6.)
> # Do you want to masquerade internal networks to the outside?
> #
> # Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
> #
> # "Masquerading" means that all your internal machines which use
> # services on the internet seem to come from your firewall. Please
> # note that it is more secure to communicate via proxies to the
> # internet than to use masquerading.
> #
> # This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
> #
> # defaults to "no" if not set
> #
> FW_MASQUERADE="yes"
>
> ## Type:        string
> ## Default:     $FW_DEV_EXT
> #
> # 6a.)
> # You must also define on which interfaces to masquerade on. Those
> # are usually the same as the external interfaces. Most users can
> # leave the default.
> #
> # Examples: "ippp0", "$FW_DEV_EXT"
> #
> FW_MASQ_DEV="$FW_DEV_EXT"
>
> ## Type:        string
> ## Default:     0/0
> #
> # Which internal computers/networks are allowed to access the
> # internet via masquerading (not via proxys on the firewall)?
> #
> # Format: space separated list of
> #  <source network>[,<destination network>,<protocol>[,port[:port]]
> #
> #  If the protocol is icmp then port is interpreted as icmp type
> #
> # Examples: - "0/0" unrestricted access to the internet
> #           - "10.0.0.0/8" allows the whole 10.0.0.0 network with
> #             unrestricted access.
> #           - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
> #             the 10.0.1.0 network to use www/ftp to the internet. -
> #           - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
> #             10.0.1.0/24 network is allowed to access unprivileged
> #             ports whereas 10.0.2.0/24 is granted unrestricted
> #             access.
> #
> FW_MASQ_NETS="0/0"
>
> ## Type:        yesno
> ## Default:     no
> #
> # 7.)
> # Do you want to protect the firewall from the internal network?
> # Requires: FW_DEV_INT
> #
> # If you set this to "yes", internal machines may only access
> # services on the firewall you explicitly allow. If you set this to
> # "no", any internal user can connect (and attack) any service on
> # the firewall.
> #
> # defaults to "yes" if not set
> #
> FW_PROTECT_FROM_INT="no"
>
> ## Type:        string
> #
> # 9.)
> # Which TCP services _on the firewall_ should be accessible from
> # untrusted networks?
> #
> # Enter all ports or known portnames below, separated by a space.
> # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
> # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
> # e.g. if a webserver on the firewall should be accessible from the internet:
> # FW_SERVICES_EXT_TCP="www"
> # e.g. if the firewall should receive syslog messages from the dmz:
> # FW_SERVICES_DMZ_UDP="syslog"
> # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
> # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
> #
> # Format: space separated list of ports, port ranges or well known
> #         service names (see /etc/services)
> #
> # Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
> #
> FW_SERVICES_EXT_TCP="http pop3 smtp ssh"
>
> ## Type:        string
> #
> # Which UDP services _on the firewall_ should be accessible from
> # untrusted networks?
> #
> # see comments for FW_SERVICES_EXT_TCP
> #
> # Example: "53"
> #
> FW_SERVICES_EXT_UDP=""
>
> ## Type:        string
> #
> # Which UDP services _on the firewall_ should be accessible from
> # untrusted networks?
> #
> # Usually for VPN/Routing which END at the firewall
> #
> # Example: "esp"
> #
> FW_SERVICES_EXT_IP=""
>
> ## Type:        string
> #
> # Which RPC services _on the firewall_ should be accessible from
> # untrusted networks?
> #
> # Port numbers of RPC services are dynamically assigned by the
> # portmapper. Therefore "rpcinfo -p localhost" has to be used to
> # automatically determine the currently assigned port for the
> # services specified here.
> #
> # USE WITH CAUTION!
> # regular users can register rpc services and therefore may be able
> # to have SuSEfirewall2 open arbitrary ports
> #
> # Example: "mountd nfs"
> FW_SERVICES_EXT_RPC=""
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_TCP
> FW_SERVICES_DMZ_TCP=""
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_UDP
> FW_SERVICES_DMZ_UDP=""
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_IP
> FW_SERVICES_DMZ_IP=""
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_RPC
> FW_SERVICES_DMZ_RPC=""
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_TCP
> FW_SERVICES_INT_TCP="http pop3 ssh"
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_UDP
> FW_SERVICES_INT_UDP=""
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_IP
> FW_SERVICES_INT_IP="http"
>
> ## Type:        string
> #
> # see comments for FW_SERVICES_EXT_RPC
> FW_SERVICES_INT_RPC=""
>
> ## Type: string
> #
> # Packets to silently drop without log message
> #
> # Format: space separated list of net,protocol[,port][,sport]
> # Example: "0/0,tcp,445 0/0,udp,4662"
> #
> # The special value _rpc_ is recognized as protocol and means that dport is
> # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
> # details.
> #
> FW_SERVICES_DROP_EXT=""
>
> ## Type: string
> ## Default: 0/0,tcp,113
> #
> # Packets to silently reject without log message. Common usage is
> # TCP port 113 which if dropped would cause long timeouts when
> # sending mail or connecting to IRC servers.
> #
> # Format: space separated list of net,protocol[,dport][,sport]
> # Example: "0/0,tcp,113"
> #
> # The special value _rpc_ is recognized as protocol and means that dport is
> # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
> # details.
> #
> FW_SERVICES_REJECT_EXT=""
>
> ## Type: string
> ## Default: 0/0,tcp,113
> #
> # Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
> # and more specific than FW_TRUSTED_NETS
> #
> # Format: space separated list of net,protocol[,dport][,sport]
> # Example: "0/0,tcp,22"
> #
> # The special value _rpc_ is recognized as protocol and means that dport is
> # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
> # details.
> #
> FW_SERVICES_ACCEPT_EXT="192.168.200.0/24,tcp,80 192.168.200.0/24,tcp,22"
>
>
> ## Type:        string
> #
> # 10.)
> # Which services should be accessible from 'trusted' hosts or nets?
> #
> # Define trusted hosts or networks (doesn't matter whether they are internal or
> # external) and the services (tcp,udp,icmp) they are allowed to use. This can
> # be used instead of FW_SERVICES_* for further access restriction. Please note
> # that this is no replacement for authentication since IP addresses can be
> # spoofed. Also note that trusted hosts/nets are not allowed to ping the
> # firewall until you also permit icmp.
> #
> # Format: space separated list of network[,protocol[,port]]
> # in case of icmp, port means the icmp type
> #
> # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
> #
> FW_TRUSTED_NETS="192.168.200.0/24"
>
> ## Type:        string
> ## Default:
> #
> # 11.)
> # Specify which ports are allowed to access unprivileged ports (>1023)
> #
> # Format: yes, no or space separated list of ports
> #
> # You may either allow everyone from anyport access to your highports ("yes"),
> # disallow anyone ("no"), anyone who comes from a defined port (portnumber or
> # known portname). Note that this is easy to circumvent! The best choice is to
> # keep this option unset or set to 'no'
> #
> # defaults to "no" if not set (good choice)
> #
> # Note: Use of this variable is deprecated and it will likely be
> # removed in the future. If you think it should be kept please
> # report your use case at
> # http://forge.novell.com/modules/xfmod/project/?susefirewall2
> #
> FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
>
> ## Type:        string
> ## Default:
> #
> # See FW_ALLOW_INCOMING_HIGHPORTS_TCP
> #
> # defaults to "no" if not set (good choice)
> #
> # Note: Use of this variable is deprecated and it will likely be
> # removed in the future. If you think it should be kept please
> # report your use case at
> # http://forge.novell.com/modules/xfmod/project/?susefirewall2
> #
> FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
>
> ## Type:        string
> #
> # 13.)
> # Which services or networks are allowed to be routed through the
> # firewall, no matter which zone they are in?
> # Requires: FW_ROUTE
> #
> # With this option you may allow access to e.g. your mailserver. The
> # machines must have valid, non-private, IP addresses which were
> # assigned to you by your ISP. This opens a direct link to the
> # specified network, so please think twice before using this option!
> #
> # Format: space separated list of
> #    <source network>,<destination network>[,protocol[,port[,flags]]]
> #
> #  If the protocol is icmp then port is interpreted as icmp type
> #
> #  The only flag currently supported is 'ipsec' which means to only
> #  match packets that originate from an IPsec tunnel
> #
> # Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
> #             service on the host 2.2.2.2
> #           - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
> #             to access any service in the network 4.4.4.4/24
> #           - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
> #              from 5.5.5.5 to 6.6.6.6
> #           - "0/0,0/0,udp,514" always permit udp port 514 to pass
> #             the firewall
> #           - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
> #              10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
> #              from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
> #              provided that both networks are connected via an
> #              IPsec tunnel.
> FW_FORWARD="192.168.200.0/24,192.168.0.0/24"
>
> ## Type:        string
> #
> # 14.)
> # Which services accessed from the internet should be allowed to masqueraded
> # servers (on the internal network or dmz)?
> # Requires: FW_ROUTE
> #
> # With this option you may allow access to e.g. your mailserver. The
> # machines must be in a masqueraded segment and may not have public
> # IP addresses! Hint: if FW_DEV_MASQ is set to the external interface
> # you have to set FW_FORWARD from internal to DMZ for the service as
> # well to allow access from internal!
> #
> # Please note that this should *not* be used for security reasons!
> # You are opening a hole to your precious internal network. If e.g.
> # the webserver there is compromised - your full internal network is
> # compromised!
> #
> # Format: space separated list of
> #    <source network>,<ip to forward to>,<protocol>,<port>[,redirect
> port,[destination ip]]
> #
> # Protocol must be either tcp or udp
> #
> # Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
> #             port 80 coming from the 4.0.0.0/8 network to the
> #             internal server 10.10.0.10
> #           - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
> #             port 80 coming from the 4.0.0.0/8 network to the
> #             internal server 10.10.0.10 on port 81
> #           - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
> #             the network 200.200.200.0/24 trying to access the
> #             address 202.202.202.202 on port 80 will be forwarded
> #             to the internal server 10.0.0.10 on port 81
> #
> # Note: due to inconsistent iptables behaviour only port numbers are possible but
> # no service names (https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273)
> #
> FW_FORWARD_MASQ=""
>
> ## Type:        string
> #
> # 15.)
> # Which accesses to services should be redirected to a local port on
> # the firewall machine?
> #
> # This option can be used to force all internal users to surf via
> # your squid proxy, or transparently redirect incoming webtraffic to
> # a secure webserver.
> #
> # Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
> # Where protocol is either tcp or udp. dport is the original
> # destination port and lport the port on the local machine to
> # redirect the traffic to
> #
> # An exclamation mark in front of source or destination network
> # means everything EXCEPT the specified network
> #
> # Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
> #
> # Note: contrary to previous SuSEfirewall2 versions it is no longer necessary
> # to additionally open the local port
> FW_REDIRECT=""
>
> ## Type:        yesno
> ## Default:     yes
> #
> # 16.)
> # Which kind of packets should be logged?
> #
> # When set to "yes", packets that got dropped and are considered
> # 'critical' will be logged. Such packets include for example
> # spoofed packets, tcp connection requests and certain icmp types.
> #
> # defaults to "yes" if not set
> #
> FW_LOG_DROP_CRIT="yes"
>
> ## Type:        yesno
> ## Default:     no
> #
> # whether all dropped packets should be logged
> #
> # Note: for broadcasts to be logged you also need to set
> # FW_IGNORE_FW_BROADCAST_* to 'no'
> #
> # defaults to "no" if not set
> #
> FW_LOG_DROP_ALL="no"
>
> ## Type:        yesno
> ## Default:     yes
> #
> # When set to "yes", packets that got accepted and are considered
> # 'critical' will be logged. Such packets include for example tcp
> # connection requests, rpc connection requests, access to high
> # udp/tcp port and forwarded packets.
> #
> # defaults to "yes" if not set
> #
> FW_LOG_ACCEPT_CRIT="yes"
>
>
> ## Type:        yesno
> ## Default:     no
> #
> # whether all accepted packets should be logged
> #
> # Note: setting this to 'yes' causes _LOTS_ of log entries and may
> # fill your disk quickly. It also disables FW_LOG_LIMIT
> #
> # defaults to "no" if not set
> #
> FW_LOG_ACCEPT_ALL="no"
>
> ## Type:        string
> #
> # How many packets per time unit get logged for each logging rule.
> # When empty a default of 3/minute is used to prevent port scans
> # flooding your log files. For desktop usage it's a good idea to
> # have the limit, if you are using logfile analysis tools however
> # you might want to disable it.
> #
> # Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
> # to 'yes' disables this option as well.
> #
> # Format: a digit and suffix /second, /minute, /hour or /day
> FW_LOG_LIMIT=""
>
> ## Type:        string
> #
> # iptables logging option. Must end with --log-prefix and some prefix
> # characters
> #
> # only change this if you know what you are doing!
> FW_LOG=""
>
> ## Type:        yesno
> ## Default:     yes
> #
> # 17.)
> # Do you want to enable additional kernel TCP/IP security features?
> # If set to yes, some obscure kernel options are set.
> # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
> #  icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
> #  ip_local_port_range, log_martians, rp_filter, routing flush,
> #  bootp_relay, proxy_arp, secure_redirects, accept_source_route
> #  icmp_echo_ignore_broadcasts, ipfrag_time)
> #
> # Tip: Set this to "no" until you have verified that you have got a
> # configuration which works for you. Then set this to "yes" and keep it
> # if everything still works. (It should!) ;-)
> #
> # Choice: "yes" or "no", if not set defaults to "yes"
> #
> FW_KERNEL_SECURITY="yes"
>
> ## Type:        yesno
> ## Default:     no
> #
> # 18.)
> # Keep the routing set on, if the firewall rules are unloaded?
> # REQUIRES: FW_ROUTE
> #
> # Choices "yes" or "no", if not set defaults to "no"
> #
> FW_STOP_KEEP_ROUTING_STATE="no"
>
> ## Type:        yesno
> ## Default:     yes
> #
> # 19.)
> # Allow the firewall to reply to icmp echo requests
> #
> # defaults to "no" if not set
> #
> FW_ALLOW_PING_FW="yes"
>
> ## Type:        yesno
> ## Default:     no
> #
> # 19a.)
> # Allow hosts in the dmz to be pinged by internal and external hosts
> # REQUIRES: FW_ROUTE
> #
> # defaults to "no" if not set
> #
> FW_ALLOW_PING_DMZ="no"
>
> ## Type:        yesno
> ## Default:     no
> #
> # 19b.)
> # Allow external hosts to be pinged from internal or dmz hosts
> # REQUIRES: FW_ROUTE
> #
> # defaults to "no" if not set
> #
> FW_ALLOW_PING_EXT="no"
>
> ##
> # END of /etc/sysconfig/SuSEfirewall2
> ##
>
> #                                                                         #
> #-------------------------------------------------------------------------#
> #                                                                         #
> # EXPERT OPTIONS - all others please don't change these!                  #
> #                                                                         #
> #-------------------------------------------------------------------------#
> #                                                                         #
>
> ## Type:        yesno
> ## Default:     yes
> #
> # 21.)
> # Allow ICMP sourcequench from your ISP?
> #
> # If set to yes, the firewall will notice when connection is choking, however
> # this opens yourself to a denial of service attack. Choose your poison.
> #
> # Defaults to "yes" if not set
> #
> FW_ALLOW_FW_SOURCEQUENCH=""
>
> ## Type:        string(yes,no)
> #
> # 22.)
> # Allow IP Broadcasts?
> #
> # Whether the firewall allows broadcasts packets.
> # Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games.
> #
> # If you want to drop broadcasts however ignore the annoying log entries, set
> # FW_IGNORE_FW_BROADCAST_* to yes.
> #
> # Note that if you allow specific ports here it just means that broadcast
> # packets for that port are not dropped. You still need to set
> # FW_SERVICES_*_UDP to actually allow regular unicast packets to
> # reach the applications.
> #
> # Format: either
> #           - "yes" or "no"
> #           - list of udp destination ports
> #
> # Examples: - "631 137" allow broadcast packets on port 631 and 137
> #              to enter the machine but drop any other broadcasts
> #           - "yes" do not install any extra drop rules for
> #              broadcast packets. They'll be treated just as unicast
> #              packets in this case.
> #           - "no" drop all broadcast packets before other filtering
> #              rules
> #
> # defaults to "no" if not set
> #
> FW_ALLOW_FW_BROADCAST_EXT="no"
>
> ## Type:        string
> #
> # see comments for FW_ALLOW_FW_BROADCAST_EXT
> FW_ALLOW_FW_BROADCAST_INT="no"
>
> ## Type:        string
> #
> # see comments for FW_ALLOW_FW_BROADCAST_EXT
> FW_ALLOW_FW_BROADCAST_DMZ="no"
>
> ## Type:        string(yes,no)
> #
> # Suppress logging of dropped broadcast packets. Useful if you don't allow
> # broadcasts on a LAN interface.
> #
> # This setting only affects packets that are not allowed according
> # to FW_ALLOW_FW_BROADCAST_*
> #
> # Format: either
> #           - "yes" or "no"
> #           - list of udp destination ports
> #
> # Examples: - "631 137" silently drop broadcast packets on port 631 and 137
> #           - "yes" do not log dropped broadcast packets
> #           - "no" log all dropped broadcast packets
> #
> #
> # defaults to "no" if not set
> FW_IGNORE_FW_BROADCAST_EXT="yes"
>
> ## Type:        string
> #
> # see comments for FW_IGNORE_FW_BROADCAST_EXT
> FW_IGNORE_FW_BROADCAST_INT="no"
>
> ## Type:        string
> #
> # see comments for FW_IGNORE_FW_BROADCAST_EXT
> FW_IGNORE_FW_BROADCAST_DMZ="no"
>
> ## Type:        yesno
> ## Default:     no
> #
> # 23.)
> # Allow same class routing per default?
> # REQUIRES: FW_ROUTE
> #
> # Do you want to allow routing between interfaces of the same class
> # (e.g. between all internet interfaces, or all internal network interfaces)
> # be default (so without the need setting up FW_FORWARD definitions)?
> #
> # Choice: "yes" or "no", if not set defaults to "no"
> #
> # Defaults to "no" if not set
> #
> FW_ALLOW_CLASS_ROUTING=""
>
> ## Type:        string
> #
> # 25.)
> # Do you want to load customary rules from a file?
> #
> # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
> # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
> #
> #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
> FW_CUSTOMRULES=""
>
> ## Type:        yesno
> ## Default:     no
> #
> # 26.)
> # Do you want to REJECT packets instead of DROPing?
> #
> # DROPing (which is the default) will make portscans and attacks much
> # slower, as no replies to the packets will be sent. REJECTing means, that
> # for every illegal packet, a connection reject packet is sent to the
> # sender.
> #
> # Choice: "yes" or "no", if not set defaults to "no"
> #
> # Defaults to "no" if not set
> #
> FW_REJECT=""
>
> ## Type:        string
> #
> # 27.)
> # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
> # for more information about HTB see http://www.lartc.org
> #
> # If your download collapses while you have a parallel upload,
> # this parameter might be an option for you. It manages your
> # upload stream and reserves bandwidth for special packets like
> # TCP ACK packets or interactive SSH.
> # It's a list of devices and maximum bandwidth in kbit.
> # For example, the german TDSL account, provides 128kbit/s upstream
> # and 768kbit/s downstream. We can only tune the upstream.
> #
> # Example:
> # If you want to tune a 128kbit/s upstream DSL device like german TDSL set
> # the following values:
> # FW_HTB_TUNE_DEV="dsl0,125"
> # where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream
> #
> # you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
> # get a better performance if you keep the value a few percent under your
> # real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
> # its own buffers because queuing is done by us now.
> # So for a 256kbit upstream
> #   FW_HTB_TUNE_DEV="dsl0,250"
> # might be a better value than "dsl0,256". There is no perfect value for a
> # special kind of modem. The perfect value depends on what kind of traffic you
> # have on your line but 5% under your maximum upstream might be a good start.
> # Everything else is special fine tuning.
> # If you want to know more about the technical background,
> # http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
> # is a good start
> #
> FW_HTB_TUNE_DEV=""
>
> ## Type:        list(no,drop,reject)
> ## Default:     drop
> #
> # 28.)
> # What to do with IPv6 Packets?
> #
> # On older kernels ip6tables was not stateful so it's not possible to implement
> # the same features as for IPv4 on such machines. For these there are three
> # choices:
> #
> # - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
> #   traffic unless you setup your own rules.
> #
> # - drop: drop all IPv6 packets.
> #
> # - reject: reject all IPv6 packets. This is the default if stateful matching is
> #   not available.
> #
> # Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
> # Addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
> #
> # Leave empty to automatically detect whether your kernel supports stateful
> # matching.
> #
> FW_IPv6=""
>
> ## Type:        yesno
> ## Default:     yes
> #
> # 28a.)
> # Reject outgoing IPv6 Packets?
> #
> # Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
> # does only make sense with FW_IPv6 != no
> #
> # Defaults to "yes" if not set
> #
> FW_IPv6_REJECT_OUTGOING=""
>
> ## Type:        list(yes,no,int,ext,dmz)
> ## Default:     no
> #
> # 29.)
> # Trust level of IPsec packets.
> #
> # You do not need to change this if you do not intend to run
> # services that should only be available through an IPsec tunnel.
> #
> # The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
> # are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
> # packets belong to the same zone as the interface they arrive on.
> #
> # Note: you still need to explicitly allow IPsec traffic.
> # Example:
> #   FW_IPSEC_TRUST="int"
> #   FW_SERVICES_EXT_IP="esp"
> #   FW_SERVICES_EXT_UDP="isakmp"
> #   FW_PROTECT_FROM_INT="no"
> #
> # Defaults to "no" if not set
> #
> FW_IPSEC_TRUST="no"
>
> ## Type:        string
> ## Default:
> #
> # 30.)
> # Define additional firewall zones
> # The built-in zones INT, EXT and DMZ must not be listed here. Names
> # of additional zones must only contain lowercase ascii characters.
> # To define rules for the additional zone, take the appropriate
> # variable for a built-in zone and substitute INT/EXT/DMZ with the
> # name of the additional zone.
> #
> # Example:
> #   FW_ZONES="wlan"
> #   FW_DEV_wlan="wlan0"
> #   FW_SERVICES_wlan_TCP="80"
> #   FW_ALLOW_FW_BROADCAST_wlan="yes"
> #
> FW_ZONES=""
>
> ## Type:        list(yes,no,auto,)
> ## Default:
> #
> # 31.)
> # Whether to use iptables-batch
> #
> # iptables-batch commits all rules in an almost atomic way similar
> # to iptables-restore. This avoids excessive iptables calls and race
> # conditions.
> #
> # Choice:
> #     - yes: use iptables-batch if available and warn if it isn't
> #     - no: don't use iptables-batch
> #     - auto: use iptables-batch if available, silently fall back to
> #       iptables if it isn't
> #
> # Defaults to "auto" if not set
> #
> FW_USE_IPTABLES_BATCH=""
>
> ## Type:        string
> ## Default:
> #
> # 32.)
> # Which additional kernel modules to load at startup
> #
> # Example:
> #   FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp"
> #
> FW_LOAD_MODULES=""
>
> ## Type:        string
> ## Default:
> #
> # 33.)
> # Bridge interfaces without IP address
> #
> # Traffic on bridge interfaces like the one used by xen appears to
> # enter and leave on the same interface. Add such interfaces here in
> # order to install special permitting rules for them.
> #
> # Format: list of interface names separated by space
> #
> # Example:
> #   FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
> #
> FW_FORWARD_ALWAYS_INOUT_DEV=""
>
>
> ======================================================================
>
>
> Hyeroba W. Peter
> Computer Frontiers International limited;
> Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
> Cell-phone: +256 78 247 9192;
> Website: www.cfi.co.ug
>
>
> -----Original Message-----
> From: Noah Sematimba [mailto:ksemat at psg.com]
> Sent: Tuesday, December 16, 2008 3:52 PM
> To: Hyeroba Peter
> Cc: 'Stephane Bortzmeyer'; afnog at afnog.org
> Subject: Re: [afnog] mail server
>
>
> and /etc/sysconfig/SuSEfirewall2 ?
>
> Noah.
> On Dec 16, 2008, at 3:28 PM, Hyeroba Peter wrote:
>
>> Hi guys again my apologies for the scarcity of info. Below is my
>>
>> iptables -L -n output.
>>
>> ======================================================================
>> mail:~ # iptables -L -n
>> Chain INPUT (policy DROP)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> input_int  all  --  0.0.0.0/0            0.0.0.0/0
>> input_ext  all  --  0.0.0.0/0            0.0.0.0/0
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain FORWARD (policy DROP)
>> target     prot opt source               destination
>> TCPMSS     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU
>> forward_int  all  --  0.0.0.0/0            0.0.0.0/0
>> forward_ext  all  --  0.0.0.0/0            0.0.0.0/0
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '
>>
>> Chain forward_ext (1 references)
>> target     prot opt source               destination
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
>> LOG        all  --  192.168.200.0/24     192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDext-ACC-FORW '
>> ACCEPT     all  --  192.168.200.0/24     192.168.0.0/24      state NEW,RELATED,ESTABLISHED
>> ACCEPT     all  --  192.168.0.0/24       192.168.200.0/24    state RELATED,ESTABLISHED
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
>> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
>> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain forward_int (1 references)
>> target     prot opt source               destination
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
>> LOG        all  --  192.168.200.0/24     192.168.0.0/24      limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-FWDint-ACC-FORW '
>> ACCEPT     all  --  192.168.200.0/24     192.168.0.0/24      state NEW,RELATED,ESTABLISHED
>> ACCEPT     all  --  192.168.0.0/24       192.168.200.0/24    state RELATED,ESTABLISHED
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
>> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
>> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain input_ext (1 references)
>> target     prot opt source               destination
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 11
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 12
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 14
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 18
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 3 code 2
>> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 5
>> LOG        all  --  192.168.200.0/24     0.0.0.0/0           limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-ACC-TRUST '
>> ACCEPT     all  --  192.168.200.0/24     0.0.0.0/0           state NEW,RELATED,ESTABLISHED
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:110 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:22 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
>> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
>> LOG        tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:80 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
>> ACCEPT     tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:80
>> LOG        tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC '
>> ACCEPT     tcp  --  192.168.200.0/24     0.0.0.0/0           tcp dpt:22
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 PKTTYPE = multicast LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast
>> LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
>> LOG        icmp --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
>> LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
>> LOG        all  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
>> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain input_int (1 references)
>> target     prot opt source               destination
>> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>>
>> Chain reject_func (0 references)
>> target     prot opt source               destination
>> REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           reject-with tcp-reset
>> REJECT     udp  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable
>> REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-proto-unreachable
>>
>> ======================================================================
>>
>>
>> Hyeroba W. Peter
>> Computer Frontiers International limited;
>> Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
>> Cell-phone: +256 78 247 9192;
>> Website: www.cfi.co.ug
>>
>>
>> -----Original Message-----
>> From: Noah Sematimba [mailto:ksemat at psg.com]
>> Sent: Tuesday, December 16, 2008 12:42 PM
>> To: Hyeroba Peter
>> Cc: 'Stephane Bortzmeyer'; afnog at afnog.org
>> Subject: Re: [afnog] mail server
>>
>>
>> Despite the scarcity of information from your side I would suspect
>> that the problem is that you're automatically redirecting all your web
>> requests to squid including those meant to connect to the local server
>> itself. You need to put an exception to the redirect rule for the
>> local server.
>>
>> Please post the output of
>> iptables -L -n
>>
>> and the contents of /etc/sysconfig/SuSEfirewall2
>>
>> cheers,
>>
>> Noah.
>> On Dec 16, 2008, at 11:45 AM, Hyeroba Peter wrote:
>>
>>> Sorry about the very vague initial post,
>>>
>>> If I run telnet 192.168.200.1 80 it actually connects
>>> If I access my webmail from the 192.168.0.1 interface, I can do so
>>> properly.
>>>
>>> The 192.168.200.1 and 192.168.0.1 are the internal and external interfaces
>>> respectively in relation to my firewall.
>>>
>>> So if I tell someone outside my network to access my webmail, they do so
>>> perfectly well. But if I try to do so on my LAN, I cannot.
>>>
>>>
>>> Hyeroba W. Peter
>>> Computer Frontiers International limited;
>>> Tel: +256 31 230 1800 or +254 41 456 4200; Fax: +256 41 434 0456;
>>> Cell-phone: +256 78 247 9192;
>>> Website: www.cfi.co.ug
>>>
>>>
>>> -----Original Message-----
>>> From: Stephane Bortzmeyer [mailto:bortzmeyer at nic.fr]
>>> Sent: Tuesday, December 16, 2008 11:12 AM
>>> To: Hyeroba Peter
>>> Cc: afnog at afnog.org
>>> Subject: Re: mail server
>>>
>>> On Tue, Dec 16, 2008 at 10:01:36AM +0300,
>>> Hyeroba Peter <phyeroba at cfi.co.ug> wrote
>>> a message of 21 lines which said:
>>>
>>>> I have a mail server that also doubles as a firewall, it's a SUSE
>>>> enterprise server, the problem is I can access the openwebmail off
>>>> the internet but cannot access it over the local network.
>>>
>>> As always, "cannot" is not a proper error message.
>>>
>>> 1) What command did you type?
>>> 2) What result did you get?
>>>
>>> Example: "I type telnet mywebmail.example 80 and I get "Connection
>>> foobared at 192.0.2.1"
>>>
>>> Remember that graphical behemoths like Firefox (and, worse, IE) are
>>> very poor debugging tools.
>>>
>>> Typical tools to debug system and network administration problems:
>>>
>>> - telnet (you can give a port number after the host name to test
>>> various services)
>>>
>>> - ping (to check IP routing)
>>>
>>> - the log of the server (if the connection was refused by the server,
>>> if the firewall is Linux Netfilter, dmesg - if the target is LOG -
>>> or 'iptables -v -L CHAINNAME' may help)
>>>
>>> ...
>>>
>>>
>>> _______________________________________________
>>> afnog mailing list
>>> http://afnog.org/mailman/listinfo/afnog
>>>
>>
>>
>>
>
>
>
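One way to work through a pasted `iptables -L -n` dump like the one quoted above (an added example, not code from the thread or from SuSEfirewall2): parse the chains, then walk a packet through them first-match style, recording LOG hits and the terminating verdict. It assumes the mail client's line wrapping has been undone, and that each SuSEfirewall2 zone chain is entered only from its own interface, an `-i` match that `-L` without `-v` does not display (the reason `iptables -v -L` is the more useful thing to post); the device names in CHAIN_IFACE and the packet addresses are hypothetical.

```python
import ipaddress
import re

# Constructed excerpt shaped like the thread's `iptables -L -n` dump (mail-client line
# wrapping undone).  `-L` without `-v` hides each rule's `-i` match, so the interface
# each SuSEfirewall2 zone chain is entered from is given in CHAIN_IFACE (hypothetical).
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
input_int  all  --  0.0.0.0/0            0.0.0.0/0
input_ext  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain input_ext (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.200.0/24     0.0.0.0/0           state NEW,RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
DROP       all  --  0.0.0.0/0            0.0.0.0/0
Chain input_int (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
"""
CHAIN_IFACE = {"input_int": "eth1", "input_ext": "eth0"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse(dump):
    """Return {chain: [(target, proto, src, dst, extra), ...]} from `iptables -L -n` text."""
    chains, cur = {}, None
    for line in dump.splitlines():
        if line.startswith("Chain "):
            cur = line.split()[1]
            chains[cur] = []
        elif cur and line and not line.startswith("target"):
            t, p, _, s, d, *x = line.split(None, 5)
            chains[cur].append((t, p, s, d, x[0] if x else ""))
    return chains

def matches(rule, pkt):
    """Check the selectors `-L -n` does show: proto, src, dst, state and dpt."""
    _, proto, src, dst, extra = rule
    state = re.search(r"\bstate (\S+)", extra)
    dpt = re.search(r"\bdpt:(\d+)", extra)
    return (proto in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and (not state or pkt["state"] in state.group(1).split(","))
            and (not dpt or int(dpt.group(1)) == pkt.get("dport")))

def trace(chains, pkt, chain="INPUT", path=None):
    """Return the (chain, target) hops, LOG hits included, up to the first verdict."""
    path = [] if path is None else path
    for rule in chains[chain]:
        target = rule[0]
        if CHAIN_IFACE.get(target, pkt["iface"]) != pkt["iface"] or not matches(rule, pkt):
            continue  # hidden `-i` match: a zone chain is only entered from its own interface
        path.append((chain, target))  # non-terminating hits such as LOG are recorded too
        if target in TERMINAL or (target in chains and trace(chains, pkt, target, path)[-1][1] in TERMINAL):
            return path
    return path
```

Run it over the real dump with a LAN packet on the internal interface to see that it never reaches input_ext: input_int accepts it first, which is why the iptables side is not where the LAN failure comes from.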



