Maybe it works?:

Cyberclops Cyberclops at hawaii.rr.com
Wed Apr 11 14:29:37 PDT 2001


These are the lines I changed to get it to act as a firewall yet pass
the date information.  I am using SuSE's "Scenario I" plus a little bit more. 
Basically it is the simplest configuration.  I will send the modified
lines in the next email.

############
#Scenario 1:
#
#A User with his nice SuSE Linux PC wants to be protected when connected to
#the internet via the ISDN dialup of his ISP.
#He wants to offer NO services to the internet.
#He is NOT connected to any other network, nor are any other network cards
#active.
#
#FW_DEV_WORLD="ippp0"	# this is the isdn interface, modem would be ppp0
#FW_STOP_KEEP_ROUTING_STATE="yes"        # isdn probably needs this
#
#
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to setup your proxies and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 10), 11)
# 12), 14) and 18).
#
# If this server is a firewall, and should do routing/masquerading between
# the untrusted and the trusted network, you have to reconfigure (all other
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 15), 18).
#
# If you want to run a DMZ in either of the above three standard setups, you
# just have to config 4), 9), 13) and maybe 19).
#
# If you know what you are doing, you may also change 8), 16), 17), 18)
# and the expert options 20), 21), 22) at the far end, but you should NOT.
#
# If you use diald or ISDN autodialing, you might want to set 18).
#
# To get programs like traceroutes to your firewall to work is a bit tricky,
# you have to set the following options to "yes" : 11 (UDP only), 19 and 20.
#
# If you want to load the full firewall rules for an interface even if it's not
# available, configure a static IP and netmask (see 2, 3 and 4 for an example).
#
# Please note that if you use service names, that they exist in /etc/services.
# There is no service "dns", it's called "domain"; email is called "smtp" etc.
#
# *Any* routing between interfaces except masquerading requires to set FW_ROUTE
# to "yes" and use FW_FORWARD_TCP and/or FW_FORWARD_UDP.
#
# If you just want to do masquerading without filtering, ignore this script
# and run this line (exchange "ippp0" with your masquerade/external interface):
# ipchains -A forward -j MASQ -i ippp0
#


Warren Togami wrote:
> 
> I am glad to hear you got it working, but please understand this.
> 
> That script has rules for INPUT, FORWARD, OUTPUT and possibly other chains.
> Your computer is NOT a firewall, and that script sets rules mainly on the
> FORWARD chain.  The FORWARD chain does nothing to your ruleset because you
> are not routing packets.  You made it work by fixing an INPUT chain,
> possibly by removing some restricting rule.
> 
> So... yeah it works now, but only because your current rules are no
> different than without the script on the INPUT and OUTPUT chains.
> Everything in the FORWARD chain is doing nothing but using RAM.
> 
> Also please understand that SuSE is no different than any other Linux
> distribution using the 2.4 kernel.  There is nothing "state of the art"
> about it beyond being the first to release a 2.4 kernel distribution, though
> the installation and configuration looks much cleaner in SuSE.  That SuSE
> firewall script will run the same way in any other Linux distribution (using
> a 2.4 kernel with Netfilter included).
> 
> I am curious, could you type "iptables -L" and e-mail the chains that
> output?
> 
> ----- Original Message -----
> From: "Cyberclops" <Cyberclops at hawaii.rr.com>
> To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
> Sent: Wednesday, April 11, 2001 10:27 AM
> Subject: [luau] Re:Maybe it works?:
> 
> > Just as you posted this, I believe I have it working.  At least I
> > believe this log message shows it is working.  I'm now going back over
> > the SuSE firewall to eliminate as much stuff as possible to see exactly
> > what made it work, and what didn't have any effect.  Then I will post
> > the line that made it work for comment.  While I'm sure securing a system
> > in a traditional manner is a good idea, I still remain a believer in the
> > SuSE firewall, as my understanding is that "it is state of the art" as
> > compared to previous Linux kernels.  Plus SuSE has their own way of
> > doing things which is different from other Linux distributions I have
> > tried.  Moreover, I like SuSE 7.1 better than any other Linux
> > distribution I have tried.  To be blunt, it is the only one that has
> > worked with any relative ease and actually worked.  A lot of people tout
> > Mandrake as being great.  I did try Mandrake 7.0, 7.1, and 7.2.  My
> > personal experience was that Mandrake 7.2 was a disappointment for many
> > different reasons.  In contrast my experience with SuSE 7.1 is that
> > while not being totally easy to use, it is acceptable, and best of all,
> > it appears to be absolutely solid.  That's why I would like to get it
> > working up to its full potential.  One thing that's great about Linux,
> > is that if you don't like one distribution, there's always another one
> > to choose.  This competition among distributions is very healthy.  I just
> > wish some of the self-appointed experts who advocate Mandrake as being
> > the best solution would give SuSE 7.1 an honest evaluation.  I have
> > noticed there have been several people who state Mandrake 7.2 or (8.0
> > beta) is the best, yet they seemingly have no experience with SuSE 7.1.
> > Anyway please excuse me for being stubborn about SuSE 7.1.  It's just
> > that I have tried many distributions at this point and have found SuSE
> > 7.1 to be the best so far for my tastes.  I know their firewall works,
> > so it seems the simplest and easiest solution is to learn how
> > to properly configure it.
> >
> >
> >
> > Apr 11 09:53:22 a24b161n139client142 ntpdate[487]: step time server
> > 128.2.191.71 offset -0.002408 sec
> > Apr 11 09:53:22 a24b161n139client142 xntpd[492]: ntpd 4.0.99f Mon Apr  9
> > 19:30:07 GMT 2001 (1)
> > Apr 11 09:53:22 a24b161n139client142 xntpd[492]: signal_no_reset: signal
> > 13 had flags 4000000
> > Apr 11 09:53:22 a24b161n139client142 xntpd[492]: precision = 9 usec
> > Apr 11 09:53:22 a24b161n139client142 xntpd[492]: kern_enable is 1
> > Apr 11 09:53:22 a24b161n139client142 xntpd[492]: using kernel phase-lock
> > loop 0040
> > Apr 11 09:53:23 a24b161n139client142 xntpd[492]: frequency initialized
> > 0.000 from /etc/ntp.drift
> > Apr 11 09:53:23 a24b161n139client142 xntpd[492]: using kernel phase-lock
> > loop 0041
> > Warren Togami wrote:
> > >
> > > On Saturday after I realized you had a single NIC, I realized what you were
> > > trying to do.  I tried to explain to you that a "firewall" is NOT what you
> > > want, especially that firewall script in particular.  Most firewall scripts
> > > like the one you are trying to make work are designed to use two network
> > > interfaces, filtering traffic from the outside internet to a local area
> > > network.  You do not have two network interfaces.  You are confusing the
> > > need for a "firewall" with those personal firewall products for Windows like
> > > Zonealarm, Zonefree or BlackIce Defender.  These products are arguably not
> > > firewalls in a traditional sense.  They simply track and disallow certain
> > > types of packets from entering or leaving your computer, and perhaps log
> > > data.
> > >
> > > Most users of Linux do not go to this extreme because it is simply not
> > > needed.  This is a very advanced topic, the likes of which very few of us on
> > > this list have even begun to master.  I would suggest securing your system
> > > in the normal way first, learning a bit more about the services, TCP
> > > wrappers, kernel configuration, Netfilter and iptables.  At that point you
> > > will understand that a "personal firewall" is NOT needed, though you can
> > > easily implement rules to make one if you want.
> > >
> > > This is the third time I will say this: Please do not persist in trying to
> > > make this script work on your system.  This script was NOT designed to do
> > > what you want.  Please start from scratch with simple INPUT and OUTPUT
> > > chains and work from there.  But first, secure your services and the kernel
> > > the normal way.
> > >
> > > As for the services to disable, please refer to this discussion about some
> > > services and their descriptions.
> > > http://forum.mplug.org/viewthread.php3?FID=4&TID=3
> > >
> > > If you have any further questions please post again.
> >
> > ---
> > You are currently subscribed to luau as: warren at togami.com
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
> 

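Warren's advice above to start from scratch with simple INPUT and OUTPUT chains, worked through as an added example that is not from this thread or from the SuSE script: a host-only iptables ruleset for a single-NIC machine on a 2.4 kernel that still lets ntpdate and xntpd reach a time server. It assumes eth0 is the single interface (override with IFACE=...) and that the ip_conntrack, state, limit and LOG modules are available.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal host-only iptables ruleset
# for a single-NIC machine on a 2.4 kernel, working only with the INPUT and
# OUTPUT chains. FORWARD gets a DROP policy and no rules, since a host that
# does not route never consults it.
# Assumption: the one interface is eth0 (override with IFACE=...).
IFACE="${IFACE:-eth0}"

# Print the ruleset as text so it can be reviewed before it is applied.
# The explicit NTP rule is what lets ntpdate/xntpd (udp/123 on both ends)
# talk to a time server; ESTABLISHED,RELATED covers other replies via
# ip_conntrack. Anything else arriving on $IFACE is logged (rate-limited)
# and then dropped by the INPUT policy.
single_nic_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F INPUT
iptables -F OUTPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $IFACE -p udp --sport 123 --dport 123 -j ACCEPT
iptables -A INPUT -i $IFACE -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -i $IFACE -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: "
EOF
}

# Succeeds only when the kernel would actually route packets (and so
# consult the FORWARD chain); on a single-NIC host this should fail.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# Apply the printed rules one by one; requires root.
apply_rules() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
    single_nic_rules | while IFS= read -r rule; do eval "$rule" || return 1; done
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
else
    single_nic_rules
    if forwarding_enabled; then
        echo "# note: ip_forward=1, so the FORWARD chain is live on this host" >&2
    fi
fi
```

Run it without arguments to review the rules, then with --apply as root; afterwards "iptables -L -v" shows which INPUT rule the NTP packets are hitting.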

