SuSEfirewall2

About

SuSEfirewall2 is a dynamic network packet filter, also known as a firewall. It is a script that generates iptables rules from the configuration stored in the /etc/sysconfig/SuSEfirewall2 file. SuSEfirewall2 protects you from network attacks by rejecting or dropping unwanted packets that reach your network interface. For more advanced configurations, the firewall offers three different zones to which you can assign your network interfaces. This also lets SuSEfirewall2 act as a network router between the three different networks, or as a LAN server that provides masquerading to the Internet (or another network).

 +----------------------+
 |  Each firewall zone  |
 +----------+-----------+
            |
            +--> [ Has assigned network interfaces ]
            |
            +--> [ Has defined allowed services ]

Configuration

To configure SuSEfirewall2, you can either

  • edit the /etc/sysconfig/SuSEfirewall2 file manually and call
 /sbin/SuSEfirewall2

or

Please note that the current YaST_Firewall does not show, and does not let you configure, all of the firewall's settings. It may at least reject the configuration.

Features

Although SuSEfirewall2 has many features, YaST obviously cannot configure all of them. The configuration file itself provides all the documentation needed for every single feature.

If a particular variable accepts more than one entry, the entries are separated by spaces.

 Example:
 FW_VARIABLE="value1 value2 value3,with,more,parameters"

Firewall Zones

SuSEfirewall2 has three different zones by default:

  • EXT - External Zone (ie untrusted, Internet)
  • INT - Internal Zone (fully trusted, no filtering, LAN)
  • DMZ - Demilitarized Zone (for servers that should be reachable from the Internet)

A network interface can be assigned to a zone by adding the interface name to one of the FW_DEV_zone variables, where zone is one of the configured zones.

 Examples:
 FW_DEV_EXT="dsl0"
 FW_DEV_EXT="any wlan0"
 FW_DEV_INT="eth0 wlan1"

The special string any can be used to tell SuSEfirewall to assign all interfaces that are not listed anywhere to the specified zone. By default all unassigned interfaces are automatically assigned to the external zone.

The variable FW_ZONES can be used to define additional zones. For example, if you don't want the restrictive filtering of the external zone in your WLAN, but also don't fully trust the WLAN so you can't use the internal zone, you could define a new zone:

 FW_ZONES="wlan"
 FW_DEV_wlan="ra0"
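
How the zone rules above play out for a set of interfaces, as an added example that is not SuSEfirewall2's own code: it resolves each interface to its zone and flags interfaces that reach the unfiltered INT zone only through any. The sample configuration and interface names are constructed, and the first-zone-wins handling of an interface listed twice is an assumption.

```python
import re

# Constructed sample of /etc/sysconfig/SuSEfirewall2 lines, not taken from a real host.
SAMPLE = '''
FW_ZONES="wlan"
FW_DEV_EXT="dsl0"
FW_DEV_INT="eth0 any"
FW_DEV_DMZ=""
FW_DEV_wlan="ra0"
'''

BUILTIN_ZONES = ("EXT", "INT", "DMZ")

def parse_vars(text):
    """Collect VAR="value" assignments into a dict."""
    return dict(re.findall(r'^(FW_\w+)="([^"]*)"', text, re.M))

def resolve(cfg, present):
    """Map each interface name in `present` to (zone, explicitly_listed)."""
    zones = list(BUILTIN_ZONES) + cfg.get("FW_ZONES", "").split()
    explicit, catch_all = {}, "EXT"      # unassigned interfaces default to EXT
    for zone in zones:
        for dev in cfg.get(f"FW_DEV_{zone}", "").split():
            if dev == "any":
                catch_all = zone         # 'any' moves the catch-all to this zone
            else:
                # Assumption: if an interface is listed twice, the first zone wins.
                explicit.setdefault(dev, zone)
    return {dev: (explicit.get(dev, catch_all), dev in explicit) for dev in present}

def trust_findings(cfg, present):
    """Flag interfaces that reach the unfiltered INT zone only through 'any'."""
    return [f"{dev}: not listed in any FW_DEV_* variable, lands in INT via 'any'"
            for dev, (zone, listed) in resolve(cfg, present).items()
            if zone == "INT" and not listed]

if __name__ == "__main__":
    cfg = parse_vars(SAMPLE)
    print(resolve(cfg, ["dsl0", "eth0", "ra0", "tun0"]))
    print(trust_findings(cfg, ["dsl0", "eth0", "ra0", "tun0"]))
```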

Allowing Access to Services

Every firewall zone can allow four types of services:

  • TCP - FW_SERVICES_EXT_TCP, FW_SERVICES_INT_TCP, FW_SERVICES_DMZ_TCP
  • UDP - FW_SERVICES_EXT_UDP, FW_SERVICES_INT_UDP, FW_SERVICES_DMZ_UDP
  • RPC - FW_SERVICES_EXT_RPC, FW_SERVICES_INT_RPC, FW_SERVICES_DMZ_RPC
  • IP - FW_SERVICES_EXT_IP, FW_SERVICES_INT_IP, FW_SERVICES_DMZ_IP

TCP and UDP services can be entered as a port number, a port name (the current assignments can be found in the /etc/services file on your system) or a port range written as two port numbers with a colon in between.

 Examples:
 FW_SERVICES_EXT_TCP="ssh"
 FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514"
 FW_SERVICES_EXT_UDP="631 400:405"

Alternatively, packages may provide a configuration file that describes which ports need to be opened to run a specific service; see SuSEfirewall2/Service_Definitions_Added_via_Packages. This method is especially convenient if a service needs multiple ports.

More Restricted Access to Services

The way of allowing access to services described above is not very restrictive: it either allows or does not allow. There are parameters that can be set to allow more restricted access to a service. However, the definitions of allowed services above take precedence over the definitions mentioned below when the same port is used. The parameters are:

  • FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT, FW_SERVICES_ACCEPT_DMZ

For each service, these parameters take 4 positional parameters and additional keyword parameters, also called flags.

So the format is a space-separated list of net,protocol[,dport[,sport[,flags]]]

 Example:
 FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
 # This 0.0.0.0/0 restricts access via IPv4 only

Supported flags are:

  • hitcount=NUMBER : ipt_recent --hitcount parameter
  • blockseconds=NUMBER : ipt_recent --seconds parameter
  • recentname=NAME : ipt_recent --name parameter

 Example:
 # Allow max three ssh connects per minute from the same IP address somewhere in the Internet:
 FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
 # This 0/0 allows access via both IPv4 and IPv6
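
Because the plain FW_SERVICES_zone_TCP/UDP lists take precedence on the same port, a rate-limited FW_SERVICES_ACCEPT_EXT entry is overridden when that port is also opened unconditionally. The following check for that overlap is an added example, not part of SuSEfirewall2 or the original page; the sample configuration and the PORT_NAMES table (a stand-in for /etc/services) are constructed for illustration.

```python
import re

# Constructed sample of /etc/sysconfig/SuSEfirewall2 lines, not taken from a real host.
SAMPLE = '''
FW_SERVICES_EXT_TCP="ssh 512:514"
FW_SERVICES_EXT_UDP="631"
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh 10.1.1.0/24,tcp,8080 0/0,udp,53"
'''

# Assumption: tiny stand-in for /etc/services so the example runs offline.
# Port names missing from this table raise ValueError in port_range().
PORT_NAMES = {"ftp": 21, "ssh": 22, "telnet": 23}

def parse_vars(text):
    """Collect VAR="value" assignments into a dict."""
    return dict(re.findall(r'^(FW_\w+)="([^"]*)"', text, re.M))

def port_range(token):
    """Turn '22', 'ssh' or '512:514' into an inclusive (low, high) pair."""
    low, _, high = token.partition(":")
    low = int(PORT_NAMES.get(low, low))
    high = int(PORT_NAMES.get(high, high)) if high else low
    return low, high

def parse_accept(entry):
    """Split one net,protocol[,dport[,sport[,flags]]] entry into named fields."""
    fields = entry.split(",")
    if len(fields) < 2:
        raise ValueError(f"need at least net,protocol: {entry!r}")
    fields += [""] * (4 - len(fields))          # pad the optional dport and sport
    flags = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
    return {"net": fields[0], "proto": fields[1].lower(),
            "dport": fields[2], "sport": fields[3], "flags": flags}

def shadowed(cfg, zone="EXT"):
    """Return (accept_entry, open_port) pairs where the plain list already opens the port."""
    hits = []
    for entry in cfg.get(f"FW_SERVICES_ACCEPT_{zone}", "").split():
        rule = parse_accept(entry)
        if not rule["dport"]:
            continue
        low, high = port_range(rule["dport"])
        key = f"FW_SERVICES_{zone}_{rule['proto'].upper()}"
        for token in cfg.get(key, "").split():
            o_low, o_high = port_range(token)
            if low <= o_high and o_low <= high:  # the two ranges overlap
                hits.append((entry, token))
    return hits
```

Calling shadowed(parse_vars(SAMPLE)) reports the ssh rate-limit entry, because FW_SERVICES_EXT_TCP already opens ssh without conditions.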

Masquerading

... Example:

  • Allow the network on the internal interface full access to the net.
  • Allow the DMZ network full access to the net.
 FW_MASQ_NETS="10.1.1.0/24 192.168.1.0/24"

Forwarding to Masqueraded Hosts

...

Transparent Redirection

...

Logging

...

HTB - Tuning Maximum Upload Speed

...

IPv6

Internet Protocol version 6 (IPv6) configuration has the following items:

  • IPv6 support - FW_IPv6 (yes/no)
  • IPv6 outgoing configuration - FW_IPv6_REJECT_OUTGOING ([yes]/no/drop)

 Examples:
 FW_IPv6=""
 FW_IPv6_REJECT_OUTGOING="no"

  • When the option is empty, FW_IPv6 defaults to the IPv6 support provided by the kernel.
  • The default for FW_IPv6_REJECT_OUTGOING is yes (rejecting).

Non-working items

  • SuSEfirewall2 does not support all its features on IPv6.
  • List of non-working keywords:
    • FW_TRUSTED_NETS
    • FW_SERVICES_ACCEPT_EXT
    • ... (Feel free to add more)