Susefirewall2 - Novell LINUX ENTERPRISE SERVER 10 - INSTALLATION AND ADMINISTRATION 11-05-2007 Installation Manual


A more effective but more complex mechanism is the combination of several types of
systems, such as a packet filter interacting with an application gateway or proxy. In
this case, the packet filter rejects any packets destined for disabled ports. Only packets
directed to the application gateway are accepted. This gateway or proxy pretends to be
the actual client of the server. In a sense, such a proxy could be considered a masquerading
host on the protocol level used by the application. One example of such a proxy
is Squid, an HTTP proxy server. To use Squid, the browser must be configured to
communicate via the proxy. Any HTTP pages requested are served from the proxy
cache, and pages not found in the cache are fetched from the Internet by the proxy. As
another example, the SUSE proxy suite (proxy-suite) provides a proxy for the FTP
protocol.
The following section focuses on the packet filter that comes with SUSE Linux Enter-
prise. For further information about packet filtering and firewalling, read the Firewall
HOWTO included in the howto package. If this package is installed, read the HOWTO
with less /usr/share/doc/howto/en/txt/Firewall-HOWTO.gz.

43.4 SuSEfirewall2

SuSEfirewall2 is a script that reads the variables set in /etc/sysconfig/
SuSEfirewall2 to generate a set of iptables rules. It defines three security zones,
although only the first and the second one are considered in the following sample con-
figuration:
External Zone
Given that there is no way to control what is happening on the external network,
the host needs to be protected from it. In most cases, the external network is the
Internet, but it could be another insecure network, such as a WLAN.
Internal Zone
This refers to the private network, in most cases the LAN. If the hosts on this network
use IP addresses from the private range (see Section 30.1.2, "Netmasks and Routing"
(page 547)), enable network address translation (NAT), so hosts on the internal
network can access the external one.
Demilitarized Zone (DMZ)
While hosts located in this zone can be reached both from the external and the internal
network, they cannot access the internal network themselves. This setup can
Masquerading and Firewalls
821
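The zone model above maps onto a handful of variables in /etc/sysconfig/SuSEfirewall2. The following is an added example, not text or code from the SUSE manual and not the SuSEfirewall2 script itself: a constructed sysconfig fragment for the two-zone case the manual discusses (external uplink, trusted LAN, LAN masqueraded behind the uplink, SSH the only externally reachable service), followed by a deliberately simplified stand-in for SuSEfirewall2's rule generation so the mapping from each variable to an iptables rule is visible. The variable names are the real SuSEfirewall2 ones; the interface names, the LAN prefix, the port list and the log prefix are constructed, and the printed rules are an approximation of the real script's output, not a copy of it.

```shell
#!/bin/sh
# Constructed /etc/sysconfig/SuSEfirewall2 fragment (values are assumptions).
FW_DEV_EXT="eth0"                   # external zone: untrusted, e.g. the Internet uplink
FW_DEV_INT="eth1"                   # internal zone: the LAN
FW_DEV_DMZ=""                       # DMZ left unused, as in the manual's sample setup
FW_ROUTE="yes"                      # allow forwarding between zones at all
FW_MASQUERADE="yes"                 # NAT the internal zone behind FW_DEV_EXT
FW_MASQ_NETS="192.168.1.0/24"       # source networks that get masqueraded
FW_PROTECT_FROM_INT="no"            # "no": the internal zone is trusted
FW_SERVICES_EXT_TCP="22"            # TCP ports reachable from the external zone
FW_SERVICES_EXT_UDP=""              # no UDP services offered externally

# Print (do not execute) the iptables commands the configuration above implies.
# This is a simplified illustration of what SuSEfirewall2 does, not its code.
gen_rules() {
    # Default-deny on INPUT and FORWARD; connection tracking admits replies.
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    # Internal zone: fully trusted unless FW_PROTECT_FROM_INT="yes".
    if [ "$FW_PROTECT_FROM_INT" != "yes" ]; then
        for dev in $FW_DEV_INT; do
            echo "iptables -A INPUT -i $dev -j ACCEPT"
        done
    fi

    # External zone: only the explicitly listed services are accepted.
    for dev in $FW_DEV_EXT; do
        for port in $FW_SERVICES_EXT_TCP; do
            echo "iptables -A INPUT -i $dev -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
        for port in $FW_SERVICES_EXT_UDP; do
            echo "iptables -A INPUT -i $dev -p udp --dport $port -m state --state NEW -j ACCEPT"
        done
    done

    # Masquerading only makes sense when the host routes; with FW_ROUTE="no"
    # nothing is forwarded, so the NAT rules are not emitted at all.
    if [ "$FW_ROUTE" = "yes" ]; then
        echo "sysctl -w net.ipv4.ip_forward=1"
        echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
        if [ "$FW_MASQUERADE" = "yes" ]; then
            for net in $FW_MASQ_NETS; do
                for dev in $FW_DEV_EXT; do
                    echo "iptables -A FORWARD -s $net -o $dev -j ACCEPT"
                    echo "iptables -t nat -A POSTROUTING -s $net -o $dev -j MASQUERADE"
                done
            done
        fi
    elif [ "$FW_MASQUERADE" = "yes" ]; then
        echo "# FW_MASQUERADE=yes but FW_ROUTE=no: masquerading not enabled" >&2
    fi

    # Everything else that reached the end of INPUT is logged and dropped
    # (the log prefix is a constructed one).
    echo "iptables -A INPUT -j LOG --log-prefix 'FW-DROP '"
    echo "iptables -A INPUT -j DROP"
}

gen_rules
```

The point to take from the generated rules: the external interface admits nothing that is not listed in FW_SERVICES_EXT_TCP/UDP, the internal interface is wide open unless FW_PROTECT_FROM_INT is set, and NAT appears only when both FW_ROUTE and FW_MASQUERADE are enabled. On a real SLES 10 host the same variables are read by the init script (rcSuSEfirewall2 start) and the resulting rule set can be inspected with iptables -L -n -v; compare it against what you expect from the variables before exposing the machine to the external zone.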
