
Printing over the network under SUSE 9.2

c4fan

Newbie
I want to print from my Linux PC (Suse 9.2) via the LPR port to a print server. The problem is that as soon as I enable the firewall, printing stops working altogether. If I switch it off, everything works fine.

Is there some way to open the range for the LPR port or something like that, so I don't have to keep switching the firewall on and off?
 

gaw

Hacker
The protocol the lpr spooler communicates over is associated with port 515; cups works with ipp and uses port 631. For the machine to work as a print server with the firewall enabled, the corresponding port has to be opened.

In the file /etc/sysconfig/SuSEFirewall2 the values 515 and 631 can be entered into the variables FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP.
Code:
FW_SERVICES_INT_TCP="631 515 "
...
FW_SERVICES_INT_UDP="631 515 "

Regards,
gaw
 

c4fan

Newbie
Unfortunately it still doesn't work. Only when the firewall is switched off completely.
 
Have a look in the logs to see which ports are being blocked there. If necessary, also with ethereal on the sending PC.

Regards
 

c4fan

Newbie
I'm not sure you really understood my problem. I want to print from my Linux PC to a print server (small box in front of the printer) on the network. And I just need to know how to open those outgoing ports. What you suggested unfortunately doesn't work.
 

gaw

Hacker
We apparently misunderstood that. Then you should enter 515 and 631 into the variables
FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP. If that doesn't work either, you should actually do the following. With the firewall enabled, open an xterm (console), log in there as root with su, and keep the file open continuously with tail -f:
Code:
user@linux:~>su
password:
linux:/home/user# tail -f /var/log/messages

The cursor stays at the end of the file and waits for new entries. Now you can try to access your print server. Rejected packets will now show up in the log file. You should post those entries in the forum.

Regards,
gaw
 

c4fan

Newbie
:roll:

Well, somehow this doesn't really work. Another problem I have is that I can't access the network via the Linux network neighbourhood. It always says that no workgroup is available. Via IP address it works. If I switch the firewall off, everything works fine.

Here is the log file first:
Code:
linux:/home/c4fan # tail-f/var/log/messages
bash: tail-f/var/log/messages: Datei oder Verzeichnis nicht gefunden
linux:/home/c4fan # tail -f /var/log/messages
Dec 24 17:15:39 linux gconfd (c4fan-6929): Die Adresse »xml:readwrite:/home/c4fan/.gconf« wurde an der Position 1 zu einer schreibbaren Konfigurationsquelle aufgelöst
Dec 24 17:15:39 linux gconfd (c4fan-6929): Die Adresse »xml:readonly:/etc/opt/gnome/gconf/gconf.xml.defaults« wurde an der Position 2 zu einer nur lesbaren Konfigurationsquelle aufgelöst
Dec 24 17:15:43 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=19 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 24 17:15:46 linux kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=10.0.0.19 DST=130.57.4.27 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=34737 DF PROTO=TCP SPT=32785 DPT=80 WINDOW=10920 RES=0x00 ACK PSH FIN URGP=0
Dec 24 17:16:04 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=20 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 24 17:16:09 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=10.0.0.19 DST=10.0.0.255 LEN=249 TOS=0x00 PREC=0x00 TTL=64 ID=13 DF PROTO=UDP SPT=138DPT=138 LEN=229
Dec 24 17:16:09 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=10.0.0.19 DST=10.0.0.255 LEN=234 TOS=0x00 PREC=0x00 TTL=64 ID=14 DF PROTO=UDP SPT=138DPT=138 LEN=214
Dec 24 17:16:22 linux su: (to root) c4fan on /dev/pts/1
Dec 24 17:16:22 linux su: pam_unix2: session started for user root, service su
Dec 24 17:16:31 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=23 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 24 17:16:49 linux su: (to nobody) root on none
Dec 24 17:16:49 linux su: pam_unix2: session started for user nobody, service su
linux:/home/c4fan # tail -f /var/log/messages
Dec 24 17:17:59 linux su: (to root) c4fan on /dev/pts/3
Dec 24 17:17:59 linux su: pam_unix2: session started for user root, service su
Dec 24 17:17:59 linux su: pam_unix2: session finished for user root, service su
Dec 24 17:17:59 linux su: (to root) c4fan on /dev/pts/3
Dec 24 17:17:59 linux su: pam_unix2: session started for user root, service su
Dec 24 17:18:16 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=44 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 24 17:18:30 linux kernel: parport0: PC-style at 0x378 [PCSPP,TRISTATE]
Dec 24 17:18:31 linux kernel: lp0: using parport0 (polling).
Dec 24 17:18:31 linux kernel: parport0: PC-style at 0x378 [PCSPP,TRISTATE]
Dec 24 17:18:37 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=45 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 24 17:18:53 linux kernel: lp0: using parport0 (polling).
Dec 24 17:18:58 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=46 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 24 17:19:14 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=51 PROTO=TCP SPT=515 DPT=1090 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
 

gaw

Hacker
There we have the error already: the returning ports above 1024 are being blocked. You then have to open those for incoming packets from outside.
Code:
Dec 24 17:16:31 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=23 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)

Linux doesn't really have a network neighbourhood. SuSE tries to provide something similar for newbies from the Windows world via netbios and samba, but that's all it is. Of course the corresponding ports then have to be open. And your log shows that your firewall is blocking that. Such calls are typically NetBIOS and Windows-like and put load on the network, since they are broadcast calls. So you should really ask yourself whether you need that nonsense. For two or three machines you are better off implementing the corresponding mount commands in a script.
Code:
 Dec 24 17:16:09 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=10.0.0.19 DST=10.0.0.255 LEN=249 TOS=0x00 PREC=0x00 TTL=64 ID=13 DF PROTO=UDP SPT=138DPT=138 LEN=229

In any case, for smooth NetBIOS transport, which "network neighbourhoods" are based on, the UDP ports 135, 137:139 and 445 as well as the TCP ports 137:139 have to be opened.

Regards,
gaw
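As an added example (not from the thread), a small Python parser for SuSEfirewall2 kernel log lines in the format quoted above: it groups the dropped packets by rule and flow and singles out SYN/ACK replies that landed in a rule with the -INV suffix, i.e. packets that connection tracking classified as INVALID rather than as traffic to a closed port. The sample lines are constructed after the ones in the post.

```python
import re
from collections import Counter

# Constructed sample in the SuSEfirewall2 log format quoted in the thread: two drops of the
# print server's reply (10.0.0.50:515 -> 10.0.0.19:1044), one dropped NetBIOS broadcast
# (with the run-together "SPT=138DPT=138" exactly as it appeared in the post), one su line.
SAMPLE_LOG = """\
Dec 24 17:16:31 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=23 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 24 17:16:09 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=10.0.0.19 DST=10.0.0.255 LEN=249 TOS=0x00 PREC=0x00 TTL=64 ID=13 DF PROTO=UDP SPT=138DPT=138 LEN=229
Dec 24 17:16:22 linux su: (to root) c4fan on /dev/pts/1
Dec 24 17:18:16 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=44 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
HEAD_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) kernel: (SFW2-\S+) (.*)$")
# KEY=VALUE pairs; the lookahead ends a value where the next KEY= begins, so that the
# run-together "SPT=138DPT=138" still yields SPT=138 and DPT=138.
KV_RE = re.compile(r"([A-Z]+)=([^\s=]*?)(?=\s|$|[A-Z]{2,}=)")


def parse_sfw2_line(line):
    """Return a dict for one SuSEfirewall2 kernel log line, or None for any other line."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return None
    ts, host, rule, rest = m.groups()
    rec = {"ts": ts, "host": host, "rule": rule}
    rec.update((k, v) for k, v in KV_RE.findall(rest))
    # TCP flags are logged as bare words (ACK PSH SYN ...) between the KEY=VALUE pairs
    rec["flags"] = frozenset(t for t in rest.split() if t in TCP_FLAGS)
    return rec


def summarize(log_text):
    """Count drops per (rule, proto, src, spt, dpt) and collect suspicious TCP flag sets."""
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if rec is None:
            continue
        flow = (rec["rule"], rec.get("PROTO"), rec.get("SRC"), rec.get("SPT"), rec.get("DPT"))
        counts[flow] += 1
        flags = rec["flags"]
        if rec["rule"].endswith("-INV") and {"SYN", "ACK"} <= flags:
            # A SYN/ACK that conntrack classified INVALID was dropped because it did not
            # match a tracked connection, not because of its destination port, so adding
            # DPT to FW_SERVICES_* cannot fix it. PSH on a SYN/ACK is itself abnormal.
            findings.append(f"{rec['SRC']}:{rec['SPT']} -> {rec['DST']}:{rec['DPT']} "
                            f"invalid-state SYN/ACK with {' '.join(sorted(flags))}")
    return counts, findings


if __name__ == "__main__":
    counts, findings = summarize(SAMPLE_LOG)
    for flow, n in counts.most_common():
        print(n, *flow)
    for f in findings:
        print("CHECK:", f)
```

Run it against the real file with `summarize(open("/var/log/messages").read())`; ordinary blocked ports show up as plain DROP-DEFLT flows, the print server's replies as the invalid-state findings.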
 

c4fan

Newbie
Well, I have now opened several ports, but printing still doesn't work. The network access works now.

Code:
linux:~ # tail -f /var/log/messages
Dec 28 14:04:55 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=243 PROTO=TCP SPT=515 DPT=1138 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:05:17 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=246 PROTO=TCP SPT=515 DPT=1138 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:05:38 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=249 PROTO=TCP SPT=515 DPT=1138 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:05:39 linux SuSEfirewall2: Firewall rules unloaded.
Dec 28 14:05:42 linux SuSEfirewall2: Firewall rules successfully set from /etc/sysconfig/SuSEfirewall2
Dec 28 14:05:45 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=250 PROTO=TCP SPT=515 DPT=1145 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:05:48 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=251 PROTO=TCP SPT=515 DPT=1145 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:05:51 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=252 PROTO=TCP SPT=515 DPT=1145 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:05:51 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=253 PROTO=TCP SPT=515 DPT=1183 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:05:54 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=254 PROTO=TCP SPT=515 DPT=1145 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:06:27 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=271 PROTO=TCP SPT=515 DPT=1145 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:06:48 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=279 PROTO=TCP SPT=515 DPT=1145 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
Dec 28 14:07:11 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=283 PROTO=TCP SPT=515 DPT=1244 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)

I now have the following ports open:

Code:
FW_SERVICES_EXT_TCP=" 1145 1024 1044 1183 1122 137:139 515 631"
FW_SERVICES_EXT_UDP=" 1145 1024 1044 1183 1122 135 137:139 445 ipp 515 631"
FW_SERVICES_INT_TCP=" 1024 1145 1044 1183 1122 631 515 ipp microsoft-ds"
FW_SERVICES_INT_UDP=" 1024 1145 1183 1044 1183 1122 515 631 ipp"
 

gaw

Hacker
With your configuration you don't have to select the ports > 1023 individually; those ports are chosen freely by your machine and lie between 1024:65535. It may be that your machine has to open the corresponding ports for this protocol.

Try the following setting once: FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
in /etc/sysconfig/SuSEfirewall2

It may be that the printing daemon needs that.

You can remove the ports > 1023 from the variables again.

Regards,
gaw
 

gaw

Hacker
That's probably the problem with standard firewalls and fixed rules. You could also try FW_SERVICES_INT_TCP="1024:65535".

If that doesn't work either, you should post your complete firewall configuration file. Maybe an error will turn up then.

Regards,
gaw
 

c4fan

Newbie
:cry: Unfortunately that didn't work either

Code:
# Usually for VPN/Routing which END at the firewall
#
# Example: "esp"
#
FW_SERVICES_EXT_IP=""

## Type: string
#
# Which RPC services _on the firewall_ should be accessible from
# untrusted networks?
#
# Port numbers of RPC services are dynamically assigned by the
# portmapper. Therefore "rpcinfo -p localhost" has to be used to
# automatically determine the currently assigned port for the
# services specified here.
#
# USE WITH CAUTION!
# regular users can register rpc services and therefore could have
# SuSEfirewall2 open arbitrary ports
#
# Example: "mountd nfs"
FW_SERVICES_EXT_RPC=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_DMZ_TCP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_DMZ_UDP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_DMZ_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_DMZ_RPC=""

## Type: string
#
# see comments for FW_SERVICES_EXT_TCP
FW_SERVICES_INT_TCP=" 1024:65535 631 515 ipp microsoft-ds netbios-dgm netbios-ns netbios-ssn"

## Type: string
#
# see comments for FW_SERVICES_EXT_UDP
FW_SERVICES_INT_UDP=" 515 631 ipp"

## Type: string
#
# see comments for FW_SERVICES_EXT_IP
FW_SERVICES_INT_IP=""

## Type: string
#
# see comments for FW_SERVICES_EXT_RPC
FW_SERVICES_INT_RPC=""

## Type: string
#
# Packets to silently drop without log message
#
# Format: space separated list of net,protocol[,port]
# Example: "0/0,tcp,445 0/0,udp,4662"
#
FW_SERVICES_DROP_EXT=""

## Type: string
## Default: 0/0,tcp,113
#
# Packets to silently reject without log message. Common usage is
# TCP port 113 which if dropped would cause long timeouts when
# sending mail or connecting to IRC servers.
#
# Format: space separated list of net,protocol[,port]
# Example: "0/0,tcp,113"
#
FW_SERVICES_REJECT_EXT="0/0,tcp,113"

## Type: string
#
# WARNING: Quickmode is DEPRECATED and will be removed in the future!
#
# 9a.)
# External services in QUICKMODE.
# This is only used for QUICKMODE (see 1.)!
# (The settings here are similar to section 9.)
# Which services ON THE FIREWALL should be accessible from either the
# internet (or other untrusted networks), i.e. the external interface(s)
# $FW_DEV_EXT
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_QUICK_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_QUICK_UDP.
# e.g. if a secure shell daemon on the firewall should be accessible from
# the internet:
# FW_SERVICES_QUICK_TCP="ssh"
# e.g. if the firewall should receive isakmp (IPsec) internet:
# FW_SERVICES_QUICK_UDP="isakmp"
# For IP protocols (like IPsec) you need to set
# FW_SERVICES_QUICK_IP="50"
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges seperated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# QUICKMODE: TCP services open to external networks (InterNet)
# (Common: ssh smtp)
FW_SERVICES_QUICK_TCP=""

## Type: string
# QUICKMODE: UDP services open to external networks (InterNet)
# (Common: isakmp)
FW_SERVICES_QUICK_UDP=""

## Type: string
# QUICKMODE: IP protocols unconditionally open to external networks (InterNet)
# (For VPN firewall that is VPN gateway: 50)
FW_SERVICES_QUICK_IP=""

## Type: string
#
# 10.)
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

## Type: string
## Default:
#
# 11.)
# Specify which ports are allowed to access unprivileged ports (>1023)
#
# Format: yes, no or space separated list of ports
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname). Note that this is easy to circumvent! The best choice is to
# keep this option unset or set to 'no'
#
# defaults to "no" if not set (good choice)
#
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

## Type: string
## Default:
#
# See FW_ALLOW_INCOMING_HIGHPORTS_TCP
#
# defaults to "no" if not set (good choice)
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""

## Type: string
#
# 13.)
# Which services or networks are allowed to be routed through the
# firewall, no matter which zone they are in?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were
# assigned to you by your ISP. This opens a direct link to the
# specified network, so please think twice befor using this option!
#
# Format: space separated list of
# <source network>,<destination network>[,protocol[,port[,flags]]]
#
# If the protocol is icmp then port is interpreted as icmp type
#
# The only flag currently supported is 'ipsec' which means to only
# match packets that originate from an IPsec tunnel
#
# Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
# service on the host 2.2.2.2
# - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
# to access any service in the network 4.4.4.4/24
# - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
# from 5.5.5.5 to 6.6.6.6
# - "0/0,0/0,udp,514" always permit udp port 514 to pass
# the firewall
# - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
# 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
# from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
# provided that both networks are connected via an
# IPsec tunnel.
FW_FORWARD=""

## Type: string
#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# Requires: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public
# IP addesses! Hint: if FW_DEV_MASQ is set to the external interface
# you have to set FW_FORWARD from internal to DMZ for the service as
# well to allow access from internal!
#
# Please note that this should *not* be used for security reasons!
# You are opening a hole to your precious internal network. If e.g.
# the webserver there is compromised - your full internal network is
# compromised!
#
# Format: space separated list of
# <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
#
# Protocol must be either tcp or udp
#
# Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 1.1.1.1
# - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
# port 80 coming from the 4.0.0.0/8 network to the
# internal server 1.1.1.1 on port 81
# - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
# the network 200.200.200.0/24 trying to access the
# address 202.202.202.202 on port 80 will be forwarded
# to the internal server 10.0.0.10 on port 81
#
FW_FORWARD_MASQ=""

## Type: string
#
# 15.)
# Which accesses to services should be redirected to a local port on
# the firewall machine?
#
# This option can be used to force all internal users to surf via
# your squid proxy, or transparently redirect incoming webtraffic to
# a secure webserver.
#
# Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
# Where protocol is either tcp or udp. dport is the original
# destination port and lport the port on the local machine to
# redirect the traffic to
#
# An exclamation mark in front of source or destination network
# means everything EXCEPT the specified network
#
# Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
# Please note that you still have to open the local port in
# FW_SERVICES_* or FW_TRUSTED_NETS to actually permit access
FW_REDIRECT=""

## Type: yesno
## Default: yes
#
# 16.)
# Which kind of packets should be logged?
#
# When set to "yes", packages that got dropped and are considered
# 'critical' will be logged. Such packets include for example
# spoofed packets, tcp connection requests and certain icmp types.
#
# defaults to "yes" if not set
#
FW_LOG_DROP_CRIT="yes"

## Type: yesno
## Default: no
#
# whether all dropped packets should be logged
#
# Note: for broadcasts to be logged you also need to set
# FW_IGNORE_BROADCAST_* to 'no'
#
# defaults to "no" if not set
#
FW_LOG_DROP_ALL="no"

## Type: yesno
## Default: yes
#
# When set to "yes", packages that got accepted and are considered
# 'critical' will be logged. Such packets include for example tcp
# connection requests, rpc connection requests, access to high
# udp/tcp port and forwarded pakets.
#
# defaults to "yes" if not set
#
FW_LOG_ACCEPT_CRIT="yes"

## Type: yesno
## Default: no
#
# whether all accepted packets should be logged
#
# Note: setting this to 'yes' causes _LOTS_ of log entries and may
# fill your disk quickly. It also disables FW_LOG_LIMIT
#
# defaults to "no" if not set
#
FW_LOG_ACCEPT_ALL="no"

## Type: string
#
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
#
# Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
# to 'yes' disables this option as well.
#
# Format: a digit and suffix /second, /minute, /hour or /day
FW_LOG_LIMIT=""

## Type: string
#
# iptables logging option. Must end with --log-prefix and some prefix
# characters
#
# only change this if you know what you are doing!
FW_LOG=""

## Type: yesno
## Default: yes
#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Warning: do not set FW_KERNEL_SECURITY and FW_ANTISPOOF to "no" at the same
# time, otherwise you won't have any spoof protection!
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY="yes"

## Type: yesno
## Default: no
#
# 17a.)
#
# Setup anti-spoofing rules?
# Anti-Spoofing rules shouldn't be necessary with rp_filter set. They only
# cause headaches with dynamic interfaces.
#
# Warning: do not set FW_KERNEL_SECURITY and FW_ANTISPOOF to "no" at the same
# time, otherwise you won't have any spoof protection!
#
FW_ANTISPOOF="no"

## Type: yesno
## Default: no
#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall2 stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choices "yes" or "no", if not set defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

## Type: yesno
## Default: yes
#
# 19.)
# Allow the firewall to reply to icmp echo requests
#
# defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"

## Type: yesno
## Default: no
#
# 19a.)
# Allow hosts in the dmz to be pinged by internal and external hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_DMZ="no"

## Type: yesno
## Default: no
#
# 19b.)
# Allow external hosts to be pinged from internal or dmz hosts
# REQUIRES: FW_ROUTE
#
# defaults to "no" if not set
#
FW_ALLOW_PING_EXT="no"

##
# END of /etc/sysconfig/SuSEfirewall2
##

# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #

## Type: yesno
## Default: yes
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall.
# This is used for traceroutes (or traceroute like tools) through your
# firewall.
#
# Please note that setting this option is not sufficient if your firewall is
# the destination of the traceroute. The Un*x traceroute only works if you also
# open about 100 UDP ports starting from 33434. Windows(TM) traceroutes needs
# FW_ALLOW_PING_FW set to "yes"
#
# defaults to "no" if not set
#
FW_ALLOW_FW_TRACEROUTE="yes"

## Type: yesno
## Default: yes
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# defaults to "yes" if not set
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

## Type: string(yes,no,int,ext,dmz)
## Default: int
#
# 22.)
# Allow IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Format: "yes" or "no", any combination of "int", "ext" and "dmz" and/or list
# of udp ports
#
# Example: "int 631"
#
# set defaults to "no" if not set
#
FW_ALLOW_FW_BROADCAST="int ipp"

## Type: string(yes,no,int,ext,dmz)
## Default: ext
#
# set to yes to suppress log messages for dropped broadcast packets
#
FW_IGNORE_FW_BROADCAST="no"

## Type: yesno
## Default: no
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# be default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"

## Type: string
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

## Type: yesno
## Default: no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_REJECT="no"

## Type: string
#
# 27.)
# Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
# for more information about HTB see http://www.lartc.org
#
# If your download collapses while you have a parallel upload,
# this parameter might be an option for you. It manages your
# upload stream and reserves bandwidth for special packets like
# TCP ACK packets or interactive SSH.
# It's a list of devices and maximum bandwidth in kbit.
# For example, the german TDSL account, provides 128kbit/s upstream
# and 768kbit/s downstream. We can only tune the upstream.
#
# Example:
# If you want to tune a 128kbit/s upstream DSL device like german TDSL set
# the following values:
# FW_HTB_TUNE_DEV="ppp0,125"
# where ppp0 is your pppoe device and 125 stands for 125kbit/s upstream
#
# you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
# get a better performance if you keep the value a few percent under your
# real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in
# it's own buffers because queing is done by us now.
# So for a 256kbit upstream
# FW_HTB_TUNE_DEV="ppp0,250"
# might be a better value than "ppp0,256". There is no perfect value for a
# special kind of modem. The perfect value depends on what kind of traffic you
# have on your line but 5% under your maximum upstream might be a good start.
# Everthing else is special fine tuning.
# If you want to know more about the technical background,
# http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
# is a good start
#
FW_HTB_TUNE_DEV=""

## Type: list(no,drop,reject)
## Default: drop
#
# 28.)
# What to do with IPv6 Packets?
#
# ip6tables is currently not stateful so it's not possible to implement the
# same features as for IPv4. We currently offer three choices:
#
# - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
# traffic unless you setup your own rules.
#
# - drop: drop all IPv6 packets. This is the default.
#
# - reject: reject all IPv6 packets
#
# Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
# Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
#
FW_IPv6=""

## Type: yesno
## Default: yes
#
# 28a.)
# Reject outgoing IPv6 Packets?
#
# Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option
# does only make sense with FW_IPv6 != no
#
FW_IPv6_REJECT_OUTGOING="yes"

## Type: list(yes,no,int,ext,dmz)
## Default: no
#
# 29.)
# Trust level of IPsec packets.
#
# The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
# are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec
# packets belong to the same zone as the interface they arrive on.
#
# Note: you still need to explicitely allow IPsec traffic.
# Example:
# FW_IPSEC_TRUST="int"
# FW_SERVICES_INT_IP="esp"
# FW_SERVICES_EXT_UDP="isakmp"
# FW_PROTECT_FROM_INTERNAL="no"
#
FW_IPSEC_TRUST="no"
 

gaw

Hacker
Where did the FW_SERVICES_EXT entries go? I only see FW_SERVICES_INT entries...

Regards,
gaw
 

gaw

Hacker
What, you don't know? You were supposed to enter them, i.e.

FW_SERVICES_EXT_TCP="137:139 445 515"

and

FW_SERVICES_EXT_UDP="135 137:139 445"

I don't understand this; you wrote that you had entered them? Did you not save the file in the editor?

Regards,
gaw
 

c4fan

Newbie
Somehow it was in there after all. I've shortened the whole thing a bit.
Code:
FW_QUICKMODE="no"
FW_DEV_EXT="eth-id-00:0a:e6:2d:62:a6"
FW_DEV_INT="eth-id-00:0a:e6:2d:62:a6"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=" 1024:65535 137:139 445 515 631"
FW_SERVICES_EXT_UDP=" 135 137:139 445 515 631 ipp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=" 1024:65535 631 515 ipp microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP=" 515 631 ipp"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int ipp"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
 

gaw

Hacker
Some entries are duplicated; ipp and 631, for example, are the same thing. I would choose either only port numbers or only short names. The short names, i.e. ftp, ipp, net-bios etc., can be found in /etc/services. The entries 1024:65535 in FW_SERVICES_EXT_* are not only superfluous, they allow you to access all destination ports of other servers from the firewall. But your firewall blocks the packets that access your machine on destination ports > 1024.

Why is masquerading enabled?
You only enable that if you are connected to the Internet with an official IP.

Code:
## Type:        string
#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"

As I understood you, your Linux PC is not a router and is not directly connected to the Internet either, but sits in the LAN. You can then set FW_Masquerading to no and set FW_DEV_EXT to an empty string. Then, after saving, restart once more and watch what gets blocked.


Regards,
gaw
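To check a posted SuSEfirewall2 file for the points raised in this thread (name and number entries that duplicate each other such as ipp and 631, 1024:65535 ranges in FW_SERVICES_*, routing and masquerading on a LAN client, FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes", which the file's own comment advises against, and the same interface listed as both FW_DEV_EXT and FW_DEV_INT), here is an added audit script; it is not from the thread or from SuSEfirewall2, and the /etc/services subset and the config excerpt are constructed for the example.

```python
import re

# Constructed subset of /etc/services covering the names used in the thread.
SERVICES = {"ipp": 631, "printer": 515, "microsoft-ds": 445,
            "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139}

# Constructed excerpt reproducing the settings c4fan posted (not the complete file).
SAMPLE_CONFIG = """\
## Type: yesno
FW_DEV_EXT="eth-id-00:0a:e6:2d:62:a6"
FW_DEV_INT="eth-id-00:0a:e6:2d:62:a6"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_SERVICES_EXT_TCP=" 1024:65535 137:139 445 515 631"
FW_SERVICES_EXT_UDP=" 135 137:139 445 515 631 ipp"
FW_SERVICES_INT_TCP=" 1024:65535 631 515 ipp microsoft-ds netbios-dgm netbios-ns netbios-ssn"
FW_SERVICES_INT_UDP=" 515 631 ipp"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
"""

ASSIGN_RE = re.compile(r'^\s*(FW_[A-Za-z0-9_]+)="([^"]*)"')


def load_config(text):
    """Collect the VAR="value" assignments of a sysconfig file; comment lines are skipped."""
    cfg = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def expand(spec):
    """Resolve each FW_SERVICES_* token to (lo, hi, token); names come from SERVICES."""
    out = []
    for tok in spec.split():
        if ":" in tok:
            lo, hi = (int(x) for x in tok.split(":", 1))
        elif tok.isdigit():
            lo = hi = int(tok)
        else:
            lo = hi = SERVICES[tok]  # KeyError for a name not in the table
        out.append((lo, hi, tok))
    return out


def audit(cfg, is_router=False):
    """Return a list of findings for the dict produced by load_config()."""
    findings = []
    if cfg.get("FW_DEV_EXT") and cfg.get("FW_DEV_EXT") == cfg.get("FW_DEV_INT"):
        findings.append("FW_DEV_EXT and FW_DEV_INT name the same interface; "
                        "a LAN-only host should leave FW_DEV_EXT empty")
    if not is_router and "yes" in (cfg.get("FW_ROUTE"), cfg.get("FW_MASQUERADE")):
        findings.append("FW_ROUTE/FW_MASQUERADE=yes on a host that does not route "
                        "for other machines")
    if cfg.get("FW_ALLOW_INCOMING_HIGHPORTS_TCP") == "yes":
        findings.append("FW_ALLOW_INCOMING_HIGHPORTS_TCP=yes lets any source reach every "
                        "port >1023 (the file's own comment recommends 'no')")
    for var, spec in cfg.items():
        if not (var.startswith("FW_SERVICES_") and var.endswith(("_TCP", "_UDP"))):
            continue
        seen = {}  # (lo, hi) -> first token that named that range
        for lo, hi, tok in expand(spec):
            if (lo, hi) in seen:
                findings.append(f"{var}: {tok!r} duplicates {seen[(lo, hi)]!r}")
            seen.setdefault((lo, hi), tok)
            if hi - lo + 1 > 1000:
                findings.append(f"{var}: {tok} opens {hi - lo + 1} ports "
                                "for incoming connections")
    return findings


if __name__ == "__main__":
    for finding in audit(load_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Point it at the live file with `audit(load_config(open("/etc/sysconfig/SuSEfirewall2").read()))`; a name missing from the small SERVICES table raises KeyError, so extend the table from /etc/services as needed.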
 

c4fan

Newbie
Well, I did what you said, but unfortunately it still doesn't work

Code:
Dec 29 20:37:28 linux kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:0a:e6:2d:62:a6:00:c0:02:a2:11:21:08:00 SRC=10.0.0.50 DST=10.0.0.19 LEN=44 TOS=0x00 PREC=0x00 TTL=30 ID=355 PROTO=TCP SPT=515 DPT=1044 WINDOW=1024 RES=0x00 ACK PSH SYN URGP=0 OPT (02040400)
 

gaw

Hacker
At the moment I can't reproduce it from here, but then again I'm not sitting in front of your machine.

Perhaps you should set up an iptables script for your configuration; that seems simpler.

Regards,
gaw
 