Linux - Newbie: How to set up personal firewall in SuSE SLED 10? (https://www.linuxquestions.org/questions/linux-newbie-8/how-to-set-up-personal-firewall-in-suse-sled-10-a-509910/)

narayanaras 12-12-2006 10:59 PM

How to set up personal firewall in SuSE SLED 10?
 
Hi all,

I am a Linux newbie (but Windows veteran). I am trying out the SuSE SLED 10 (Eval) in dual-boot mode with Windows XP (SP-2). I am connected to the Internet through an external ADSL modem, which is connected to my PC through an Ethernet cable.

While setting up the firewall (through YaST), I cannot decide which mode to set.

I referred to some commercial books on SuSE. The book describes a firewall that needs to run on a separate machine, to protect PCs/servers on a LAN.

For example, it says that the firewall has three interfaces:
1. "Internet" (connected to the Internet)
2. "Internal network" (all PCs on the LAN)
3. "De-Militarized Zone" (DMZ): for servers (FTP, web server, etc.)

I checked the forum about this, and the thread http://www.linuxquestions.org/questi...d.php?t=411432 says that this is meant for a computer with 3 network cards.

But this makes sense only if I have another machine to run the firewall. But that's not the case here: I only want the firewall protection for my home PC.

Secondly, although the book describes three separate connections that exist simultaneously, my GUI provides all of them from a single pull-down menu, which implies that I can select only ONE of the options. This is confusing!

Thirdly, the pull-down menu of the Firewall GUI does not have a "personal firewall" option, where there is only one outgoing connection (to the ADSL modem).

What should I do?

Thanks in advance!

jschiwal 12-13-2006 12:27 AM

I'm assuming that the YaST2 firewall configuration is similar to OpenSUSE 10.1.
In the firewall2 YaST2 configuration, select "interfaces". Select the NIC interface that connects to your modem. Then select "external" in the drop-down list.

If you have another NIC interface that connects to a LAN, then do the same, but select "inside". The DMZ zone would connect to another computer or network that you were using as an internet server, such as a web server or FTP server. This is the setting you would use if you were offering a server on the internet and this computer functioned as your firewall.

Now on the same list where you selected the interface, select "services" instead.
Select "external" in the first drop-down box on the page. Then select the service to allow through the firewall in the second drop-down box and click the Add button.
For an interface that connects to the internet, only select a service that you are offering to the modem or outside world. It could be that all you need to select is "DHCP Client" if your modem offers a DHCP service and you get your IP address that way.

narayanaras 12-13-2006 03:24 AM

Thanks a lot for the reply. I will try it tonight and revert.

My home PC is a stand-alone (there is no LAN), and it has only one network card.

I actually used the "DMZ" option, because the "Internal Network" option in the pull-down says "(No protection)", which seemed alarming! I thought that this option assumes that I am in the secure LAN zone, which is protected by another firewall (running on another PC/server)!

But I am not running any servers on my home PC. Neither do I expect anyone from outside to make an inbound connection (such as P2P or FTP; if these are the correct examples). So, in that case, should I select the "External" option (not "DMZ")?

narayanaras 12-14-2006 03:07 AM

I checked this out: Changing to the "external" option is easy (I just have to select that from the pull-down menu).

But that's not the basic issue. The moot point is: is that the right choice in my case?

jschiwal 12-14-2006 03:34 AM

Use "external". Its purpose is to protect you from the internet. Internal is for interfaces behind a firewall. If in the future you add another computer, you could add another interface and select internal for it. If you have only one IP address assigned, you could use NAT to allow the second computer to access the internet through your first computer. The second interface of the first computer and the interface of the second computer should both have an IP address from a private range (such as 192.168.1.xxx). You would select "internal" for those interfaces.

The button on the bottom of the firewall setup will engage the firewall for internal interfaces as well. The DMZ option is for a device outside of a network firewall that is offering services over the internet. The setup allows you to define different rules for different roles. You could even define your own type and use that instead or as well as another.

In your case, with only one computer, I think you only want to select "DHCP Client" in the port drop-down list and click Add to add that service. I'm not 100% certain on the port because I've never used DSL, so I don't have to deal with dialing and PPPoE. If you were assigned a static internet IP address, then you don't use DHCP.
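
As an added illustration (not part of this thread, and not the rule set SuSEfirewall2 itself generates), the following script spells out what the "external" zone with only "DHCP Client" allowed amounts to in iptables terms for a single-NIC workstation: inbound connections are dropped by default, replies to the host's own outbound traffic are accepted, and the only unsolicited inbound traffic accepted is a DHCP server's reply (UDP port 67 to 68). The interface name eth0 is an assumption; the script only prints the rules unless apply_rules is called as root.

```shell
#!/bin/sh
# Assumption: the single NIC that connects to the ADSL modem is eth0
# and it gets its address from the modem/ISP via DHCP.
EXT_IF="${EXT_IF:-eth0}"

# Print (do not apply) the iptables commands that implement an
# "external" zone for a host offering no services to the internet.
external_zone_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXT_IF -p udp --sport 67 --dport 68 -j ACCEPT
iptables -A INPUT -i $EXT_IF -j LOG --log-prefix "FW-DROP: " --log-level 4
EOF
}

# Number of rules that open an inbound port; with no services offered
# this should be exactly one, the DHCP client reply rule.
count_open_port_rules() {
  external_zone_rules | grep -c -- '--dport'
}

# Apply the rules, but only when explicitly run as root.
apply_rules() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "apply_rules: must be run as root" >&2
    return 1
  fi
  external_zone_rules | sh -e
}

# Default action when run directly: show the rules for review.
[ "${1:-show}" = "apply" ] && apply_rules || external_zone_rules
```

Running the script without arguments prints the rules for review; `sh script.sh apply` as root installs them.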

narayanaras 12-15-2006 09:25 PM

Thank you for the tips!

@DHCP:
I contacted the service provider (BSNL), which provided guidance for Linux. (The steps are the same as in the case of Windows.) So connecting to the Internet was fairly easy.

In fact, even when I had set the zone to "DMZ", I could access the Internet (thank god my modem didn't turn out to be a Winmodem!). But now I am happy that my protection is correctly set.

Thanks once again!
