SuSEfirewall2 and dhcpd.conf configuration for wan, lan, dmz setup
From Docupedia
Date: 09/29/2005
Shout Out To: Ben Klang
Overview
The goal of this tutorial is to give you a working example of what the SuSEfirewall2 shipped with SuSE 9.3 can do out of the box. It takes you through the firewall and DHCP configuration files needed for a working three-interface setup.
Specifics about the setup
This was done as a proof-of-concept experiment: a single firewall with three NICs, listening on one external network and serving two distinct, securely segregated internal networks.
Expectations
This tutorial walks through the configuration of both SuSEfirewall2 and dhcpd. If you follow it carefully you should be left with a working setup in which a single firewall hands out separate DHCP address ranges to two distinct internal networks.
Pre-Installation
Checklist
- The box I'll be working with began life, as most of my servers do, with a minimal install of SuSE 9.3. After firstboot I ran online_update, configured a SuSE software mirror, and installed the DHCP server packages through YaST.
- The donor machine needs three network cards:
- WAN (eth0), LAN (eth1), DMZ (eth2)
- Note: as of SuSE 9.3 I've been noticing that the box will often change the names it gives the NICs across reboots: eth0 becomes eth1, eth2 becomes eth0, eth0 becomes eth2. A rule bound to "eth0" can therefore end up protecting the wrong network after a reboot. This really started to drive me nuts, so I've opted for the slightly longer notation of referring to the cards by MAC address (the eth-id-<mac> form that SuSEfirewall2 accepts and the id-<mac> form that the dhcp sysconfig accepts, both shown below).
Config File Examples
jsmith@repo:~> /sbin/ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:49:10:4C:42:48
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6473038 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34284661 errors:0 dropped:0 overruns:20 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3422602102 (3264.0 Mb)  TX bytes:1893200046 (1805.4 Mb)
          Interrupt:10 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 00:25:CA:D0:05:62
          inet addr:192.168.2.254  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:82074052 errors:0 dropped:0 overruns:0 frame:0
          TX packets:91316832 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1711439167 (1632.1 Mb)  TX bytes:151929406 (144.8 Mb)
          Interrupt:11

eth2      Link encap:Ethernet  HWaddr 00:49:10:4C:42:48
          inet addr:24.55.55.55  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10621498 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10300846 errors:0 dropped:0 overruns:0 carrier:0
          collisions:30628 txqueuelen:1000
          RX bytes:162206613 (154.6 Mb)  TX bytes:2048655543 (1953.7 Mb)
          Interrupt:11 Base address:0xd000

Read this listing against the checklist above: the public address (24.55.55.55) is on eth2 here, not eth0, which is exactly the renaming problem described in the note and the reason the configs below bind to MAC addresses rather than to ethN names. Note also that eth0 and eth2 are shown with the same HWaddr, and that the MACs referenced in /etc/sysconfig/dhcp and /etc/sysconfig/SuSEfirewall2 below do not all appear in this output. Treat every address on this page as a placeholder: substitute the values from your own ifconfig -a, written in lowercase as in the examples (eth-id-<mac> for SuSEfirewall2, id-<mac> for the dhcp sysconfig), and make sure each MAC you use appears on exactly one card.
jsmith@repo:~> cat /etc/sysconfig/dhcp
DHCPD_INTERFACE="id-00:38:52:d1:48:62 id-00:25:ca:d0:05:ab"
DHCPD_RUN_CHROOTED="yes"
DHCPD_CONF_INCLUDE_FILES=""
DHCPD_RUN_AS="dhcpd"
DHCPD_OTHER_ARGS=""
DHCPD_BINARY=""

DHCPD_INTERFACE names only the LAN and DMZ cards, so dhcpd never listens on the WAN side; DHCPD_RUN_CHROOTED and DHCPD_RUN_AS keep the daemon in a chroot as the unprivileged dhcpd user, which is the default worth leaving alone.
jsmith@repo:~> cat /etc/sysconfig/SuSEfirewall2
FW_QUICKMODE="no"
#Modified from my own machine
FW_DEV_EXT="eth-id-00:49:10:4c:42:48"
FW_DEV_INT="eth-id-00:38:52:d1:48:62"
FW_DEV_DMZ="eth-id-00:25:ca:d0:05:ab"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24 192.168.2.0/24"
FW_PROTECT_FROM_INT="no"
FW_AUTOPROTECT_SERVICES="no"
#These ports are for ssh, dns, and ftp
FW_SERVICES_EXT_TCP="22 53 50000:50010"
FW_SERVICES_EXT_UDP="53 ntp"
FW_SERVICES_EXT_IP="ah gre"
FW_SERVICES_DMZ_TCP=""
#These ports are for dhcp on the dmz
FW_SERVICES_DMZ_UDP="67 68"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD="0/0,0/0"
#WinXP Pro Remote Desktop Connection
FW_FORWARD_MASQ="0/0,192.168.1.10,tcp,55555,3389"
#Ports of Azureus bit-torrent client
FW_FORWARD_MASQ="$FW_FORWARD_MASQ 0/0,192.168.1.10,tcp,6881,6881"
FW_FORWARD_MASQ="$FW_FORWARD_MASQ 0/0,192.168.1.10,udp,6881,6881"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SFW:"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="yes"
FW_ALLOW_FW_BROADCAST_DMZ="yes"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
#
# AFTER THIS NOTHING ELSE WAS MODIFIED FROM DEFAULT
#
#
#-------------------------------------------------------------------------#
#
# EXPERT OPTIONS - all others please don't change these!
#
#-------------------------------------------------------------------------#
#

A few things to check before copying this file. FW_FORWARD="0/0,0/0" tells SuSEfirewall2 to forward traffic from any source to any destination, which includes DMZ to LAN; for the securely segregated networks this setup is meant to give you, leave FW_FORWARD empty (the FW_MASQ_NETS entries already let both internal networks reach the outside through FW_MASQ_DEV) or list only the specific source,destination pairs you need. FW_ALLOW_INCOMING_HIGHPORTS_TCP/UDP="yes" accept connections from the outside to every port above 1023 on the firewall itself; the 50000:50010 range that the comment attributes to ftp is already opened explicitly in FW_SERVICES_EXT_TCP, so set both back to "no" unless you have a reason for them. Port 21 is not in FW_SERVICES_EXT_TCP, so the "ftp" in that comment covers only the 50000:50010 range. The three FW_FORWARD_MASQ rules publish the 192.168.1.10 host's remote desktop (reached on 55555, translated to 3389) and bittorrent ports to any source (0/0); narrowing the first field of the remote desktop rule to the network you administer from is cheap. Finally, FW_LOG_DROP_ALL="yes" logs every dropped packet, which on an always-on WAN link fills /var/log/messages quickly; FW_LOG_DROP_CRIT alone is usually enough once the setup is debugged.
jsmith@repo:~> cat /etc/dhcpd.conf
#Notes: Lucid Interactive DHCP Config
authoritative;
ddns-update-style none;
ddns-updates off;
default-lease-time 600;
max-lease-time 7200;
log-facility local7;
option domain-name-servers 199.185.139.89, 154.5.79.29;
option domain-name "lucid.scan";
subnet 192.168.1.0 netmask 255.255.255.0 {
    range 192.168.1.10 192.168.1.50;
    option routers 192.168.1.254;
}
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.10 192.168.2.50;
    option routers 192.168.2.254;
}

dhcpd selects the subnet declaration by the address of the interface a request arrives on, so each of the two cards listed in DHCPD_INTERFACE only ever hands out its own range, and the routers option in each block points clients at that network's firewall address. authoritative makes the server NAK clients that turn up with a lease from some other server, which is what you want on a network you fully control.
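The following script is an added example, not code from the original page or from SuSEfirewall2. It reads the two sysconfig files above by sourcing them in a subshell (the way SuSEfirewall2 itself does, so the FW_FORWARD_MASQ appends resolve correctly), checks that every MAC address they refer to is present on exactly one interface of a saved ifconfig/ip listing, and flags the settings discussed above: FW_FORWARD="0/0,0/0", FW_ALLOW_INCOMING_HIGHPORTS_*="yes", and FW_FORWARD_MASQ rules open to 0/0. The function names, the temporary sample files and the 192.0.2.0/24 admin network in the hardened variant are assumptions made for this example; the sample data reproduces the addresses from this page, including its mismatches, so the MAC checks deliberately fail on it.

```shell
#!/bin/sh
# sfw2_sanity.sh - added example, not part of SuSEfirewall2 or of the original
# page: cross-checks the SuSEfirewall2 and dhcp sysconfig files against the
# interfaces really present and flags the settings above that weaken zone
# separation. Function names and sample files are assumptions of this example.

# Source a sysconfig file in a subshell (SuSEfirewall2 sources it too, so an
# append like FW_FORWARD_MASQ="$FW_FORWARD_MASQ ..." resolves the same way)
# and print the value of one variable.
sysconfig_get() {
    ( . "$1" >/dev/null 2>&1; eval "printf '%s' \"\$$2\"" )
}

# Every MAC in a saved "ifconfig -a" or "ip -o link" listing, lowercase, one
# per line, minus the broadcast and the all-zero loopback address.
all_macs() {
    grep -oiE '([0-9a-f]{2}:){5}[0-9a-f]{2}' "$1" | tr 'A-Z' 'a-z' \
        | grep -vx -e 'ff:ff:ff:ff:ff:ff' -e '00:00:00:00:00:00'
}
present_macs()   { all_macs "$1" | sort -u; }
duplicate_macs() { all_macs "$1" | sort | uniq -d; }   # one MAC on two NICs

# MACs the firewall (eth-id-<mac>) and dhcpd (id-<mac>) sysconfig refer to.
referenced_macs() {
    cat "$@" | grep -oiE 'id-([0-9a-f]{2}:){5}[0-9a-f]{2}' | sed 's/^id-//' \
        | tr 'A-Z' 'a-z' | sort -u
}

# Referenced MACs found on none of the interfaces; empty output is the goal.
missing_macs() {
    listing=$1; shift
    for mac in $(referenced_macs "$@"); do
        present_macs "$listing" | grep -qx "$mac" || echo "$mac"
    done
}

# One line per risky setting; empty output means nothing was flagged.
check_settings() {
    # 0/0,0/0 forwards any source to any destination in every zone, so the
    # DMZ can reach the LAN: the opposite of what this setup is meant to do.
    for fwd in $(sysconfig_get "$1" FW_FORWARD); do
        case $fwd in 0/0,0/0*) echo "FW_FORWARD '$fwd': any-to-any, DMZ can reach LAN" ;; esac
    done
    # "yes" accepts outside connections to every port above 1023 on the
    # firewall itself; the 50000:50010 range is already opened explicitly.
    for v in FW_ALLOW_INCOMING_HIGHPORTS_TCP FW_ALLOW_INCOMING_HIGHPORTS_UDP; do
        if [ "$(sysconfig_get "$1" "$v")" = yes ]; then
            echo "$v=yes: ports above 1023 on the firewall open to the Internet"
        fi
    done
    # A forward whose source field is 0/0 publishes an internal host to the
    # whole Internet; worth a second look even when intended.
    for rule in $(sysconfig_get "$1" FW_FORWARD_MASQ); do
        case $rule in 0/0,*) echo "FW_FORWARD_MASQ '$rule': reachable from any source" ;; esac
    done
    return 0
}
count_findings() { check_settings "$1" | grep -c .; }

# Constructed samples reproducing the addresses on this page, mismatches
# included. On a real box use /etc/sysconfig/{SuSEfirewall2,dhcp} and the
# saved output of "ip -o link" instead.
TMPD=$(mktemp -d); trap 'rm -rf "$TMPD"' EXIT
cat >"$TMPD/ifconfig.txt" <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:49:10:4C:42:48
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:25:CA:D0:05:62
eth2      Link encap:Ethernet  HWaddr 00:49:10:4C:42:48
          inet addr:24.55.55.55  Bcast:255.255.255.255  Mask:255.255.252.0
EOF
cat >"$TMPD/dhcp" <<'EOF'
DHCPD_INTERFACE="id-00:38:52:d1:48:62 id-00:25:ca:d0:05:ab"
EOF
cat >"$TMPD/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth-id-00:49:10:4c:42:48"
FW_DEV_INT="eth-id-00:38:52:d1:48:62"
FW_DEV_DMZ="eth-id-00:25:ca:d0:05:ab"
FW_MASQ_NETS="192.168.1.0/24 192.168.2.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_FORWARD="0/0,0/0"
FW_FORWARD_MASQ="0/0,192.168.1.10,tcp,55555,3389"
FW_FORWARD_MASQ="$FW_FORWARD_MASQ 0/0,192.168.1.10,tcp,6881,6881"
FW_FORWARD_MASQ="$FW_FORWARD_MASQ 0/0,192.168.1.10,udp,6881,6881"
EOF
# Hardened variant: no blanket FW_FORWARD (FW_MASQ_NETS still lets both nets
# out), high ports closed, remote desktop reachable only from an assumed admin
# network (192.0.2.0/24), bittorrent forwards dropped (they are open by nature).
cat >"$TMPD/SuSEfirewall2.hardened" <<'EOF'
FW_MASQ_NETS="192.168.1.0/24 192.168.2.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_FORWARD=""
FW_FORWARD_MASQ="192.0.2.0/24,192.168.1.10,tcp,55555,3389"
EOF
echo "== MACs reported on more than one NIC"; duplicate_macs "$TMPD/ifconfig.txt"
echo "== referenced MACs not on this box";     missing_macs "$TMPD/ifconfig.txt" "$TMPD/SuSEfirewall2" "$TMPD/dhcp"
echo "== findings, config as on the page";     check_settings "$TMPD/SuSEfirewall2"
echo "== findings, hardened variant";          check_settings "$TMPD/SuSEfirewall2.hardened"
```

On the page's own data the script reports 00:49:10:4c:42:48 as duplicated, 00:25:ca:d0:05:ab and 00:38:52:d1:48:62 as referenced but absent, and six findings against the firewall config; the hardened variant produces none. On a real box, point the functions at /etc/sysconfig/SuSEfirewall2, /etc/sysconfig/dhcp and a file holding the output of ip -o link (or ifconfig -a), and aim for empty output from all of them before restarting the firewall.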
