SuSE Linux Firewall on CDbeta.redes-linux.com/manuales_english/SuSE/SuSE_firewall...(e-mail,chat, etc.) and information gathering offered by it seem to grow every day, and the number

MichaelCalmer, RebeccaEllis, Uwe Gansert,DennisGeider, VivianeGlanz,RolandHaidl, EdithParzefall, PeterReinhart,Ulrich Schairer,ThomasSchraitle,MariusTomaschewski, SteveTomlin

SuSELinux Fir ewall on CD

SuSEInc.5802ndStreet,#210Oakland,CA 94607USAToll freephonenumberwithin theUSandCanada: 1-888-UR-LINUX(1-888-875-4689)Phone: +1-510-628-3380Fax: +1-510-628-3381e-mail: [email protected]

[email protected]@suse.com

WWW: http://www.suse.com

Europe:

SuSELinux Ltd.TheKinetic CentreTheobaldStreetBorehamwood,WD6 4PJUKPhone: +44-20-8387-4088Fax: +44-20-8387-4010WWW: http://www.suse.co.uk

SuSEGmbHSchanzäckerstr. 10D-90443NürnbergGermanyTel.: +49-911-740-5331Fax: +49-911-741-7755e-mail: [email protected]: http://www.suse.de

Michael Calmer, RebeccaEllis, Uwe Gansert,DennisGeider, VivianeGlanz,Roland Haidl, Edith Parzefall, Peter Reinhart, Ulrich Schairer, ThomasSchraitle,Marius Tomaschewski,Steve Tomlin

SuSELinux Firewall on CD1stedition2001(c) SuSEGmbH

CopyrightThiswork is copyrightedby SuSEGmbH.You maycopy it in wholeor in partaslongasthecopiesretainthis copyright statement.

Registeredtrademarks:Linuxof LinusTorvalds, XFree86™ ofTheXFree86Project,Inc., MS-DOS, Windows, Windows95,Windows98andWindowsNT of theMicrosoftCorporation, UNIXof X/OpenCompanyLimited, T-Onlineof DeutscheTelekom,SuSEandYaST of SuSEGmbH. All tradenamesareusedwithout theguaranteefor their freeuseandmayberegisteredtrademarks.ThecorporationSuSEGmbHessentiallyfollows tothenotationsof themanufacturers.Otherproductsmentionedheremaybetrademarksof therespectivemanufacturer.

Contents

Contents

1 Preface 9

2 Intr oduction and General Overview 11

2.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

2.2 An Overview of TypicalFirewall Setups. . . . . . . . . . . . . 14

3 Adminhost 17

3.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.2 Update. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

3.2.1 Updatewith YaST2. . . . . . . . . . . . . . . . . . . . 18

3.2.2 Updatewith YaST1. . . . . . . . . . . . . . . . . . . . 18

3.2.3 ClosingUpdate . . . . . . . . . . . . . . . . . . . . . . 19

3.3 New installationof theSuSELinux Firewall Adminhost . . . . 20

3.3.1 LanguageSelection. . . . . . . . . . . . . . . . . . . . 20

3.3.2 SelectingtheMouse . . . . . . . . . . . . . . . . . . . 21

3.3.3 KeyboardandTimeZone. . . . . . . . . . . . . . . . . 21

3.3.4 PreparingtheHardDisk . . . . . . . . . . . . . . . . . 22

3.3.5 Boot ManagerConfiguration. . . . . . . . . . . . . . . 23

3.3.6 Settingthe‘root’ Password . . . . . . . . . . . . . . 23

3.3.7 ConfirmingSettings– StartingtheInstallation. . . . . . 24

3.3.8 PreparingtheGraphicalInterface . . . . . . . . . . . . 25

3.3.9 ConfiguringtheNetwork with YaST2 . . . . . . . . . . 25

3.3.10 ManualNetwork Configuration . . . . . . . . . . . . . 25

3.3.11 Theuser‘fwadmin’ for theFAS . . . . . . . . . . . . 33

3.4 Firewall AdministrationSystem(FAS) . . . . . . . . . . . . . . 34

3.4.1 Loggingin asfwadmin . . . . . . . . . . . . . . . . . . 34

3.4.2 StartingtheFirewall AdministrationSystem. . . . . . . 34

3.4.3 Creatinga new firewall configuration . . . . . . . . . . 35

3.4.4 Editing anexistingfirewall configuration . . . . . . . . 59

3.4.5 Testingtheconfiguration . . . . . . . . . . . . . . . . . 59

3.4.6 Documentingtheconfiguration,thetestsandtheresults 60

3.5 Monitoring theFirewall . . . . . . . . . . . . . . . . . . . . . . 60

3

Contents

4 SuSE Lin ux Live CD for Firewall 63

4.1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

4.2 Descriptionof theSuSELinux LiveCD for Firewall . . . . . . 64

4.3 Serviceson theFirewall . . . . . . . . . . . . . . . . . . . . . . 64

4.3.1 IPCHAINS . . . . . . . . . . . . . . . . . . . . . . . . 64

4.3.2 DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

4.3.3 MAIL . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

4.3.4 HTTP proxy . . . . . . . . . . . . . . . . . . . . . . . 77

4.3.5 FTPproxy . . . . . . . . . . . . . . . . . . . . . . . . 78

4.3.6 ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

4.3.7 chroot,secumod,compartment,kernelcapabilities . . . 79

4.4 TheConfigurationDisk . . . . . . . . . . . . . . . . . . . . . . 80

4.4.1 Creatingtheconfigurationdisk . . . . . . . . . . . . . . 80

4.4.2 Theconfigurationfiles . . . . . . . . . . . . . . . . . . 80

4.5 BootParameters. . . . . . . . . . . . . . . . . . . . . . . . . . 83

5 Implementing the Firewall 85

5.1 BootingtheFirewall Host . . . . . . . . . . . . . . . . . . . . . 85

5.2 TestingtheFirewall . . . . . . . . . . . . . . . . . . . . . . . . 86

5.3 Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

5.3.1 Internaltesting . . . . . . . . . . . . . . . . . . . . . . 86

5.3.2 Externaltesting . . . . . . . . . . . . . . . . . . . . . . 87

5.3.3 “Really” goingonline . . . . . . . . . . . . . . . . . . 87

6 Help 89

6.1 Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . 89

6.1.1 ProblemsInstallingtheAdminhost. . . . . . . . . . . . 89

6.1.2 ProblemsBootingtheLiveCD . . . . . . . . . . . . . . 89

6.2 SecurityPolicy andCommunicationAnalysis . . . . . . . . . . 90

6.2.1 SecurityPolicy . . . . . . . . . . . . . . . . . . . . . . 90

6.2.2 CommunicationAnalysis. . . . . . . . . . . . . . . . . 91

6.3 ServicesOfferedby SuSELinux SolutionsAG . . . . . . . . . 91

6.4 Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

6.5 Whatto Do If . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

6.5.1 IntrusionDetectionandEventDisplay . . . . . . . . . . 93

6.5.2 ExternalAttacks . . . . . . . . . . . . . . . . . . . . . 95

6.5.3 Advantageof the Live Filesystemof the “SuSELinuxFirewall on CD” . . . . . . . . . . . . . . . . . . . . . 96

6.6 ProfessionalHelpandSupport . . . . . . . . . . . . . . . . . . 97

4

Contents

6.6.1 SupportRegulations . . . . . . . . . . . . . . . . . . . 97

6.6.2 ProfessionalServices. . . . . . . . . . . . . . . . . . . 98

6.6.3 Training . . . . . . . . . . . . . . . . . . . . . . . . . . 99

6.6.4 Feedback. . . . . . . . . . . . . . . . . . . . . . . . . 99

6.6.5 FurtherServices . . . . . . . . . . . . . . . . . . . . . 99

6.7 Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

A DNS – Domain Name System 103

A.1 StartingtheNameServerBIND . . . . . . . . . . . . . . . . . 103

A.2 TheConfigurationFile /etc/named.conf . . . . . . . . . . . . . 104

A.2.1 Importantconfigurationoptionsin “options” . . . . . . 105

A.2.2 TheConfigurationSection“Logging” . . . . . . . . . . 106

A.2.3 TheStructureof ZoneEntry . . . . . . . . . . . . . . . 106

A.2.4 Structureof ZoneFiles . . . . . . . . . . . . . . . . . . 107

A.3 DNSSampleConfiguration. . . . . . . . . . . . . . . . . . . . 110

A.4 FurtherInformation . . . . . . . . . . . . . . . . . . . . . . . . 111

B DHCP 115

B.1 TheDHCPProtocol. . . . . . . . . . . . . . . . . . . . . . . . 115

B.2 DHCPSoftwarePackages . . . . . . . . . . . . . . . . . . . . 116

B.3 TheDHCPServerdhcpd . . . . . . . . . . . . . . . . . . . . . 116

B.4 AssigningFixedIP Addressesto Hosts. . . . . . . . . . . . . . 118

B.5 TheFinerPoints. . . . . . . . . . . . . . . . . . . . . . . . . . 119

C Proxy Server: Squid 121

C.1 Whatis a ProxyCache?. . . . . . . . . . . . . . . . . . . . . . 121

C.2 SomeFactsAbout CacheProxying . . . . . . . . . . . . . . . . 122

C.2.1 SquidandSecurity . . . . . . . . . . . . . . . . . . . . 122

C.2.2 Multiple Caches . . . . . . . . . . . . . . . . . . . . . 122

C.2.3 CachingInternetObjects . . . . . . . . . . . . . . . . . 123

C.3 SystemRequirements. . . . . . . . . . . . . . . . . . . . . . . 123

C.3.1 HardDisk . . . . . . . . . . . . . . . . . . . . . . . . . 123

C.3.2 RAM . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

C.3.3 CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

C.4 StartingSquid . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

C.5 TheConfigurationFile /etc/squid.conf. . . . . . . . . . . . . . 126

C.6 TransparentProxyConfiguration . . . . . . . . . . . . . . . . . 130

C.6.1 KernelConfiguration. . . . . . . . . . . . . . . . . . . 131

C.6.2 ConfigurationOptionsin /etc/squid.conf. . . . . . . . . 131

5

Contents

C.6.3 Firewall Configurationwith SuSEfirewall . . . . . . . . 131

C.7 SquidandOtherPrograms . . . . . . . . . . . . . . . . . . . . 133

C.7.1 cachemgr.cgi . . . . . . . . . . . . . . . . . . . . . . . 133

C.7.2 SquidGuard. . . . . . . . . . . . . . . . . . . . . . . . 135

C.7.3 CacheReportGenerationwith Calamaris . . . . . . . . 136

C.8 More InformationonSquid . . . . . . . . . . . . . . . . . . . . 137

D Network Security 139

D.1 MasqueradingandFirewalls . . . . . . . . . . . . . . . . . . . 139

D.1.1 MasqueradingBasics. . . . . . . . . . . . . . . . . . . 140

D.1.2 Firewalling Basics . . . . . . . . . . . . . . . . . . . . 141

D.1.3 Personal-firewall . . . . . . . . . . . . . . . . . . . . . 142

D.1.4 SuSEfirewall . . . . . . . . . . . . . . . . . . . . . . . 144

D.2 SSH– SecureShell,theSafeAlternative . . . . . . . . . . . . . 147

D.2.1 TheOpenSSHPackage. . . . . . . . . . . . . . . . . . 148

D.2.2 ThesshProgram . . . . . . . . . . . . . . . . . . . . . 148

D.2.3 scp– SecureCopy . . . . . . . . . . . . . . . . . . . . 148

D.2.4 sftp - SecureFile Transfer . . . . . . . . . . . . . . . . 149

D.2.5 TheSSHDaemon(sshd)– Server-Side . . . . . . . . . 149

D.2.6 SSHAuthenticationMechanisms . . . . . . . . . . . . 150

D.2.7 X, AuthenticationandotherForwardingMechanisms. . 151

D.3 Securityasa Matterof Confidence. . . . . . . . . . . . . . . . 152

D.3.1 BasicConsiderations. . . . . . . . . . . . . . . . . . . 152

D.3.2 LocalSecurityandNetwork Security . . . . . . . . . . 153

D.3.3 SomeGeneralSecurityTips andTricks . . . . . . . . . 161

D.3.4 UsingtheCentralSecurityReportingAddress. . . . . . 164

E YaST and SuSE Lin ux License Terms 165

6

Contents

7

1 Preface

1 Preface

Many thanksto: JürgenScheiderer, CarstenHöger, RemoBehn,ThomasBiege,RomanDrahtmüller, MarcHeuseandStephanMartin.

The SuSE Lin ux Firewall on CD

TheSuSELinux Firewall onCD is a tool packageallowing yousetupafirewallsolutionfor your network, andhelpsyou with the relatedconfiguration,moni-toringandadministrationchores.Thecompletefunctionalityof theSuSELinuxFirewall on CD is basedon OpenSourceprogramswhich have beenspeciallyselectedandenhancedfor thispurpose.

TheSuSELinux Firewall onCD protectsyour localnetwork from illegalaccess,managesauthorizedusageof your resourcesandprovidesa controlledchannelthroughwhichusersonyour localnetwork areenabledto communicatewith theInternet.

To reducethe likelihood of the firewall being misconfigured,we recommendusingtheFirewall AdministrationSystem(FAS), which correctsmostusermis-takesby performinga numberof sanitychecks.FAS ensuresa consistentcon-figurationwithout limiting theavailableoptions.

Pleaserememberthattotal securitycannotbeachievedby any firewall, andthuscan’t be achieved by the “SuSE Linux Firewall on CD” either. This packageis not intendedto serve asa substitutefor a propersecuritypolicy, anddoesn’teliminatetheneedto administer, maintainandmonitorthefirewall – althoughitprovidesyouwith anumberof toolsto makethesetasksmucheasierto perform.

Note:

Usethe“SuSELinux Firewall on CD” productsat your own risk. In particular,no claimscanbe madefor damagescausedby improperlyconfiguredserviceson thefirewall or any othersuchdamages.

9

1 Preface

10

2 Intr oduction and General Overview


2.1 Intr oduction

Theimportanceof theInternetandthepossibilitiesof communicationit provides(e-mail, chat,etc.) andinformationgatheringofferedby it seemto grow everyday, andthenumberof companiesandprivatepersonswhich have accessto theworldwidenetwork is on a steadyincrease.

But connectingto the Internetoften introducessomesecurityconcernswhichshouldnotbeunderestimated.Mostcompaniesrely ontheirown networksto ex-changeandprocessmission-criticalinformationfor in-housepurposes(Intranet,databases,email etc.). Without the properprotectionmechanismsin place,allthisdatawouldbewidely availableto theoutsideworld assoonasthelocalnet-work is hookedontheInternet– somethingwhichcouldobviouslycausea lot ofdamageespeciallyfor companies.

It’seasyto run asecurecomputersystem.You just have to disconnectall dial-up connectionsandpermit only direct-wiredterminals,put themachineand its terminalsin a shieldedroom, and posta guardat thedoor.

F.T. GramppandR.H.Morris

We all know that in the real world it’s impossibleto run a computersysteminthisway. If youareanadministrator, you’ll know all toowell abouttheproblemsarisingfrom the increasingnumberof networked machines.After all, you arethepersonwho hasto dealwith thesituationon a daily basis.Up to now, yournetwork may have beenquite manageable.You knew the userson it, you’vealwaysbeenpayinga lot of attentionto securityaspects,thoughthe network’sfunctionalityasprovidedto your userswasmainly basedon trust relationships.And in fact, it hadto be like that just to keepthe administrative overheadat areasonablelevel. But now afterconnectingto theInternet,thingshave changeddramatically, andsohave thedutiesof theadministrator. All at once,thereareuserswhoarecompletelyunknownwhocanuseresourcesonyournetwork (e.g.thewebserver).

Soyouareawarethattheseusersneedto behandledin atotally differentmannerthanyourcompany’s internalemployeesthatyou’vebeenworkingwith (thoughontheotherhandit hasbeenproventhat80%of all attacksoncorporatenetworksarenot carriedout from theInternet).And thereareotherreasonsto protectthecorporatenetwork andto restrictaccessto it: Hackers,or intruders,arealwayson thelookout for memoryto storehackedsoftware,or – worseeven– contentswhichareprohibitedby law. Not takingany measuresagainstthiscouldnotonly

11


meanthat thecompany couldopenitself up to legal prosecution,but couldalsoput yourcompany’sgoodreputationatstake.

Todaytherearea numberof differentmechanismsavailableto preventunautho-rizedaccessto corporatenetworksandresources(i. e.diskspace,CPUcapacity,etc.), from IP packet filters on routersto multiple-level firewall solutionscom-pletewith ademilitarizedzone(DMZ).

In a generalsense,of course,theword “firewall” is usedfor somekind of con-trivanceto prevent the spreadingof fires. Firewalls madeof bricks are foundin buildingswherethey areusedto isolatewholesectionsfrom eachother, andin carsa specialmetalplateshieldsthe cockpit from the enginecompartment.Similarly, thepurposeof Internetfirewalls is to fendoff attacksdirectedat yourIntranet,aswell asto regulateandprotectclientson your LAN by imposinganaccesspolicy.

Thefirst ever firewall wasa non-routingUNIX hostconnectedto two differentnetworks: Onenetwork interfacewasconnectedto the Internet,andthe otherone to a privateLAN. To reachthe Internetfrom within the privatenetwork,usershad to log on to the UNIX firewall server first beforethey could accessany outsidehost. To do so, they would start,for example,anX Window basedbrowseron thefirewall hostandthenexport thewindow to the displayof theirworkstation. With the browserbeing hostedon the firewall, usershadaccessto both systemsat the sametime. However, you shouldnot considerthis kindof setup(called“dual homedsystem”)for your own network unlessyou reallytrustall theuserson it. To understandwhy this is so,rememberthat99%of allbreak-inson computersystemsstartwith anattemptto obtaina useraccountonthetargetedsystem.

The scopeof your firewall solutionwill dependon the requireddegreeof pro-tection,which mayneedto be in line with legal regulationsin somecases,andwhich shouldbe determinedthrougha communicationanalysis. SuSELinuxSolutionsoffersa rangeof serviceswhich canhelp your company to carryoutsucha communicationanalysis.

Anotherfactoraffectingtheoperationof a firewall is thestateof its documenta-tion, meaningthat thereshouldbea way to determine“who haschangedwhat,whenandhow”, in order to be ableto tracebackwhetherchangesweremadeby anauthorizedparty(or not). This will alsobequitehelpful whenit comestodealingwith thingslikecertificationsandaudits.

The “SuSELinux Firewall CD” is a productcoveringthewhole rangeof theseissuesin all itsdetails,from packetfiltering to settingupamultiple-levelfirewall.And giventhat thepackageis basedon OpenSourceprogramsthroughout,it isalsopossibleto auditthesourcecodewithout too muchdifficulty.

12

2.1 Intr oduction

SuSE Lin ux Firewall on CD

The“SuSELinux Firewall on CD” consistsof thesetwo basicproductcompo-nents:

1. theSuSELinux Firewall Live-CDand

2. theSuSELinux Firewall Admin-CD.

For thesake of simplicity, in this manualwe will mostlyrefer to theseas“Li veCD” and“Admin CD”. TheLive-CDcontainsthefirewall packageproper, whichin ourcaseis basedontheconceptof anapplicationlevelgatewaycombinedwithIP packetfiltering. Thefirewall’s routingandgatewaycapabilitiesareturnedoffby default, but canbeenabledasrequired.All requestsacceptedandprocessedby the firewall arehandledat the applicationlevel. The packagesupportsthemostimportantInternetprotocols:SMTP, FTP, HTTP, HTTPSandDNS.

With theAdmin CD, you areableto install theSuSELinux Adminhost,whichtakes careof the configuration,monitoring and administrationof the “SuSELinux Firewall”. To properly managethesetasks,the CD is includedwith aspecialselectionof softwarepackagesandthenecessaryinstallationroutines.

Connectinganinternalcompany network to theInternetwill certainlyrequireagooddealof planning,includinga securityconceptbasedon a communicationanalysisandademandanalysis.Furthermore,thereshouldbeaconceptdescrib-ing how to dealwith emergencies(break-in,dataloss etc.). You’ll also needto make surethat the firewall machineis protectedfrom unauthorizedphysicalaccess.Thebestway to achieve that is to lock themachineaway in a separateserver room.

SuSELinux SolutionsAG providesanumberof supportandconsultingservicesto help you with theseplanningtasks. In cooperationwith your staff, SuSE’expertscan:

• createasecurityconcept,

• performtheinstallationon yourpremises,

• training,

• providedocumentationand

• maintenace.

SuSELinux AG can also provide you andyour staff with training in its owntrainingcenter, which offersseveraltrainingcoursesspecificallyon thetopic ofnetworksandnetwork security.

13


2.2 An Overview of Typical Firewall Setups

In this section,we will give a brief overview of the most typical firewall se-tups.All theconfigurationspresentedbelow canbeimplementedwith the“SuSELinux Firewall on CD”.

FirewallSystem

Workstation(s)(HUB)(LAN)

(DMZ)(HUB)

Internet

Figure2.1: Verybasicsetup

Figure 2.1 shows a firewall with threenetwork interfaces: an external one toconnectwith the Internet,andtwo internalonesconnectingwith the corporatenetwork via LAN/HUB andwith the DMZ (demilitarizedzone)usinganotherHUB.

With this setup,thefirewall hasto performall the functionsof thedefault gate-way(router),thepacketfilter etc.Theinternalnetwork wouldbeleft completelyopenif thefirewall wereinfiltrated.

FirewallSystem

Workstation(s)(HUB) (HUB)(DMZ) (LAN)

(Outside)(Server)

Internet Screening−Router

Figure2.2: Simplesetup

Thesetupshown in figure2.2 is still a relatively simpleone. TheDMZ is onlyprotectedby apacketfilter on therouter(screeningrouter).

14

2.2 An Overview of Typical FirewallSetups

ScreeningRouter

IP−FilterInternet Firewall

System SystemFirewall

(HUB)

(DMZ) (Loghost/Adminhost)

(HUB) (LAN)

IP−Filter,Proxies

IP−Filter,

ProxiesIP−Filter,

Figure2.3: Effectivebut manageablesetup

Thesetupshown in figure2.3 is still not overly complicatedbut providesmuchbetterprotectionthanthepreviousones.

A “screeningrouter”stopsany illegal requestsat thepacketlevel. Packetswhichareallowedthrougharepassedon to thefirst firewall host,whichoperatesat theapplicationlevel andusespacketfiltering rulesto controlaccessto theDMZ andto thesecondfirewall host(andthusto theinternalnetwork beyond).Thissecondfirewall is a packet filtering proxy machineprotectingthe internalnetwork; inadditionto that it controlsaccessfrom the internalnetwork to the InternetandtheDMZ.

15


16

3 Adminhost

3 Adminhost

It is no easytaskto administer, maintainandmonitora firewall; aboveall, mon-itoring thefirewall shouldnot beunderestimated.This is why the“SuSELinuxFirewall on CD” includesthe“SuSELinux Firewall Adminhost”,which shouldhelp you in configuring,administratingandmaintainingthe SuSELinux Fire-wall.

3.1 Intr oduction

After installingtheSuSELinux Firewall Adminhost,theFirewall AdministrationSystem (FAS), a tool with a graphicaladministrationinterface,will be avail-ableto you, allowing you to carryout a menu-drivenconfigurationof theSuSEFirewall onCD.

Configurabletoolsareavailablefor monitoringthefirewall, which canperformtestsof the firewall, evaluationof the log files andmonitoringof network traf-fic. In the caseof an attack, thereis the possibility of informing systemad-ministrationby e-mail, pager, etc., so that suitablecountermeasuresmay betakenasquickly aspossible(e.g. cuttingoff thenetwork connectionto theInter-net/Intranet,etc.).

It canalreadybeseenherethatafirewall withoutany monitoringrunningcannotprovide any realprotection.Apart from this, all changesthatweremadeto thefirewall configurationshouldalwaysbe thoroughlydocumented.By meansofthis documentation,errorscanbe foundmoreeasily, or modificationsmadebyunauthorizedpartiescanbechangedbackagain.

After installing the “SuSE Linux Adminhostfor Firewall”, you will have thechoicebetweena new installationof the host reserved for this purposeor anupdateprovided that SuSELinux 7.2 is alreadyinstalledon this host. In thefollowing section,we will describeupdating,followed by instructionsfor thenew installationof the“SuSELinux Adminhostfor Firewall”.

3.2 Update

If you have alreadyinstalledSuSELinux 7.2 on thecomputerwhich is to serveastheadminhostfor thefirewall, youwill notneedto carryoutanew installation,but rather, only install the requiredpackagesat a laterpoint. While doing this,you canchoosebetweenthe graphicalinstallationprogramYaST2 or the text-basedYaST. Proceedin this asfollows:

17

3 Adminhost

3.2.1 Update with YaST2

1. Log in to thegraphicalconsoleasuser‘root’.

2. StarttheYaST2controlcenterandselectthemenu‘Software’ underYaST2Modules.

3. InserttheCD with thelabelSuSELinuxAdminhostfor Firewall.

4. Under‘Change Source Media’, select‘Install from CD’ for thesourcemedium.

5. Saveandclosethedialog.

6. Selectthe menuitem ‘Software’, activatethe checkbox‘Show packageseries’.

7. Selecttheserieszfw andthenthepackages:

• fas

• fas-flc-base

• fas-flc-dns

• fas-flc-ftp

• fas-flc-http

• fas-flc-ipchains

• fas-flc-mail

• fasd

• yast2-config-fwcdadmin

• yast2-trans-fwcdadmin

Thepackagedependencieswill beautomaticallyresolved.

8. If you want to utilize this host as a loghostas well, you must install thesyslog-ng from theseriesn.

3.2.2 Update with YaST1

1. Log in to a consoleasuser‘root’.

2. InserttheCD with thelabeledSuSELinuxAdminhostfor Firewall.

3. StartYaST.

4. In theYaSTmenu,selecttheitem ‘Package management’.

5. Select‘Change/create configuration’.

6. Switchto serieszfw1

18

3.2 Update

7. Here,selectinstallationof all packagesexceptfor packagefas-devel:

• fas

• fas-flc-base

• fas-flc-dns

• fas-flc-ftp

• fas-flc-http

• fas-flc-ipchains

• fas-flc-mail

• fasd

• yast2-config-fwcdadmin

• yast2-trans-fwcdadmin

8. The packagedependencieswill be shown. Resolve themby pressing��F10

insidethe‘Unresolved dependencies’ dialog.

3.2.3 Closing Update

Regardlessof whetheryou have installedthe packageswith YaST1or YaST2,youwill still needto starttheYaST2modulefor theSuSELinux AdminhostforFirewall by usingthefollowing command:

root@adminhost: # /sbin/yast2 fwcdadmin

Alternatively, youcanstarttheYaST2ControlCenterin KDE2 andunder‘Net-work/Base’, startthe“SuSEFirewall Adminhost”module(seeFigure3.1).

Figure3.1: YaST2 ControlCenter

19

3 Adminhost

Pleasenotethat theharden_suse scriptwill beautomaticallystartedon thead-minhostandthatthepacketfilter will besetup. Thefile permissionswill alsobesetto /etc/permissions.secure. Thatmeansthatyour systemwill behavecompletelydifferentlythanyouareaccustomedto following theupdate.

3.3 New installation of the SuSE Lin ux FirewallAdminhost

To install the“SuSELinux Firewall Adminhost” for thefirst time, pleaseinsertthe CD with the respective label into the CD drive of the computerand thenrebootthemachine.If thecomputerdoesnotbootfrom theCD,youmustchangethebootsequencein theBIOS accordingly.The linuxrc welcomescreenwill appear- simply press

��andthe automatic

hardwaredetectionwill start.YaST2 will now leadyou throughtherestof the installation. All thenecessaryprogramsfor administration,configurationandmaintenancewill beinstalled.

3.3.1 Langua ge Selection

Now youwill haveto makeyourfirst decisionsin theinstallationprocessbegin-ning with thelanguageselection.You caneitherusethemouseor thekeyboard.All entry fields, selectionlists and“buttons” or “switches” canbe selectedbyclicking with the mouse. If you want to usethe keyboard,the following rulesapply:

•��Tab movesthefocusto a field, anentry/selectionfield or a button;��

Shift +��Tab allowsyouto chooseotherselectiongroups.With

�� and��

you can– dependingon which areais activated– make a selectionor cyclethrougha list.

• With��

the selectedcommandis carriedout: asa rule this is the actionwhich is shown on theactivebuttonin question.

• With�� Space entriescanbemarked.

• In addition,mostactionscanbestartedwith thekey combinationof��Alt +

theunderlinedletter.

� �

� �

TipHere and in the following dialogs, YaST2 is just collecting information. LaterYaST2 will display the information it has collected; in Section 3.3.7 onpage 24 you still have the chance, by means of the ‘Back’ button, to re-turn to the previous dialogs, to correct details.

YaST2 would now like to know whatlanguageyou prefer. Whenyou havecho-sena language,select‘Apply’ to switchall texts to theselectedlanguage.

20

3.3 New installation of the SuSE Lin uxFirewall Adminhost

3.3.2 Selecting the Mouse

Thisdialogwill only appearif YaST2 wasnotableto detectthemouseautomat-ically. A dialogwindow with a long list of mousetypesappears,andyouwill beaskedto selecttheappropriatemousetype.

Onceyouhavefoundtheright mousetype,movewith�� Tab to the‘Test’ button

andpress��

. Now move the mouse. If the mousecursormovesnormally,everythingis working properlyandyou canclick with themouseon ‘Next’. Incasethe mousedoesn’t work, you canjust returnto the selectionlist usingthe��Tab key andchangethesettings.

If no mousetypefunctions,or if you don’t want to usea mouse,pleaseactivatetheentry ‘No mouse’. Therestof theinstallationwill becarriedout usingonlythekeyboard.

3.3.3 Keyboar d and Time Zone

Now selectthekeyboardlayoutandtimezone.

Figure3.2: YaST2: Keyboardlayoutandtimezone

• Now testyour keyboard.By clicking with themouseor using��Tab you can

activatethe entry line andtype in lettersthere. You shouldespeciallytest‘y’/‘z’ andspecialcharacters.

• Theseconditemisalist of countriesin atreestructure(continent/country/region).Selectyour countryor region from these;YaST2 will find the appropriatetimezone.

The‘Next’ buttontakesyou to thenext dialogwindow.

21

3 Adminhost

3.3.4 Preparing the Hard Disk

In thefollowing steps,youwill selecttheharddiskor disksandpreparethemforthe SuSELinux installation. – Dependingon your computer’s hardware,theremaybeslightdifferencesfrom thedialogswhich appearhere.

Step 1

Figure3.3: YaST2: Preparingtheharddisk (I)

If more than onehard disk exists, you must first decidewhich one you wantto usefor the installation. The disks which are found will be listed in turn;seeFigure3.3. Or you canselectthe last option (‘Custom Partitioning’)to “partition” themby hand. In this dialog it is alsopossibleto continueusingexistingpartitions,by specifyingformattingandallocatingmountpointsdirectly.

Normally you will chooseoneharddiskandthenclick on ‘Next’.

Step 2

Oneof thefollowing situationscouldoccur:

• If the hard disk is not empty, YaST2 will show all existing partitionsonthe hard disk, as well as the item ‘Use whole hard disk’. Free, non-partitionedstoragespaceat the“end” of theharddisk is alsodisplayedandis automaticallypre-selected.YaST2 canusefurtherspacefor SuSELinux,but only if it is contiguous,i.e. partitionscanonly bereleasedfor furtheruse“from behind”. For example,if threepartitionsexist, partitions1 and2 willremainandyou mustcheckpartition3 to bemadeavailable. If you wanttomake the entireharddisk availablefor SuSELinux, select‘Entire HardDisk’.

22


• For anemptyharddisk, theentireharddiskwill beusedfor SuSELinux.

If you have other requirements,press‘Back’ to return to the previous dialog,as mentionedon on the facingpage,for manualpartitioning with the help of‘Extended Settings’.

� �

� �NoteSince the partitions you have made available for SuSE Linux will be format-ted, all existing data there will be irretrievably lost!

Oncethe installationstartsandall requirementshave beenfulfilled, YaST2 willpartition andformat the necessaryharddisk spaceon its own. Theentireharddisk, or theavailablepartitions,will thenbesplit up for SuSELinux into the3standardpartitions(that is, a smallpartitionfor /boot (about16 MB), ascloseaspossibleto thebeginningof theharddisk,a partitionfor swap(128MB) andall therestfor / (rootpartition)).

3.3.5 Boot Manager Configuration

In orderfor Linux to bebootableafter the installation,a bootmechanismmustbe installed. You will needto specifyhow the systemthe boot managerLILO“LInux LOader”is to beinstalled,or if anotherbootprocedureshouldbeused.

3.3.6 Setting the ‘root’ Password

Theuser‘root’ hasspecialprivilegesin Linux. He can,for instance,startandstopsystemprocesses,createandremove users,manipulateimportantsystemfiles,etc.,in otherwords,performthedutiesof thesystemadministrator.

Figure3.4: YaST2: Enteringthe‘root’ password

23

3 Adminhost

To do this, you arerequestedto provide a password for the user‘root’; thesamerulesapplyasfor thenormaluserpassword.

� �

� �

NoteYou must remember the ‘root’ password very carefully, as you cannot callit up later to have a look at it. You will always need this password wheneveryou have to perform administrative tasks on the system.

If you press‘Next’, theinstallationwill start.

3.3.7 Confirming Settings – Star ting the Installation

In order to give you a chanceto checkyour configuration,you canreview allthe settingsmadeuntil now. In caseyou want to make changes,you cancyclethroughthewindowswith the‘Back’ button,all thewaybackto thefirstwindow.

If you press‘Next’, you areaskedagainfor confirmation(in green)to starttheinstallationwith thesettingsasshown:

• After confirming,with ‘Yes - install’, YaST2 will begin settingup thesystem.

• With ‘No’, you have theoptionof checkingdataagain,andchangingitemswherenecessary, by pressing‘Back’ to reachtherelevantwindow.

Younow still havetheoptionof abortingtheinstallationcompletely. All settingsmadeanddetailssuppliedwill be lost. If you select‘Abort installation’,yourcomputer, afteraskingfor confirmation,will shutdown,andyoucanswitchoff the computeror re-bootwithout any problem. Up to this point no changeshavebeenmadeto yourcomputer.

With theoption‘Save Settings to Floppy Disk’ you cansave all detailsto floppy disk andusethemagainfor other installations.This canonly be se-lectedif it is supportedby yourhardware,however.

As a rule,you will decideon ‘Yes - install’. Partitionswill now becreatedandformatted.Dependingon your system’s capacityandsizeof harddisk, thiscouldtakesometime. Youshouldavoid abortinghere,asthiswouldput theharddisk into anundefinedcondition.

Afterwardsthe packagesfrom the CD are readin, and the SuSELinux basesystemis installed; after you have confirmedthis with ‘OK’, the text-orientedbasesystemis started. YaST2 continuesthe installationof software and – ifnecessary– requestsadditionalCDs;if you‘Abort’ theinstallationat thisstage,thesystemwill bein anunusablecondition!

SuSELinux is now successfullyinstalledon yourcomputer!

All that is missingis the configurationof the graphicalinterface;thenyou cantry out SuSELinux for thefirst time.

24


3.3.8 Preparing the Graphical Interface

In orderto beableto provide you, evenat thefirst Login, with a graphicaluserinterface,YaST2 will now try to find out all the information it needsfor themonitorandgraphicscard.

If this is successful,a sensiblescreenresolution,color resolutionandrepetitionratefrequency will beselectedfor themonitor, anda testscreenis displayed.

� �

� �NotePlease check the settings before you give your “Ok”. If you are not sure,consult the documents for your graphics card and monitor.

If the monitor is not detected,pleaseselectyour modelfrom the list provided.If you have anunknown model,you mustenterthesettingsby handor have thedatareadfrom a ‘driver disk’, which might have beenprovidedwith yourmonitor; in this caseyoushouldconsultthedocumentationfor yourmonitor.

Setup the requiredscreenresolutionanda color depthof 16 bpp. Checkthesettingsby choosing‘Test’ andmakefineadjustmentsif necessary.

� �

� �TipIn rare cases it may be necessary for you to have to configure the X server“by hand”; to do this you should call up the program SaX at a later time.

3.3.9 Configuring the Network with YaST2

Have the following dataon handwhen configuringthe network: IP address,network mask,defaultgateway.

If you are managinga DHCP server, you can also configurethe SuSELinuxFirewall AdminhostasaDHCPclient. Here,it is to beurgentlystressedthatyouassigna staticIP addressto the SuSELinux Firewall Adminhost. You will beprovidedwith a selectionof thenetwork cardsdetectedby thehardwarerecog-nition. Activatethe network cardandenterthe IP addressandnetwork mask.Enterall the requiredinformationif a nameserver alreadyexists, asshown inFigure3.7on page31.

3.3.10 Manual Network Configuration

Manualconfigurationof thenetwork softwareshouldalwaysbe the last resort.We recommendthat you useYaST, althoughit cannotcover all aspectsof net-work configurationso that a bit of manualfine-tuning,in somecases,may benecessary.

25

3 Adminhost

Figure3.5: YaST2: Network configuration

Configuration Files

Thissectionprovidesanoverview of thenetwork configurationfilesandexplainstheir purposeaswell astheformatused.

/etc/rc.configThemajority of thenetwork configurationtakesplacein this centralconfig-urationfile. Whenmakingchangesvia YaST or whencallingupSuSEconfigafterthefile hasbeenmodifiedmanually, mostof thefollowing files will beautomaticallygeneratedfrom theseentries.Eventhebootscriptsareconfig-uredvia thesefile entries.

� �

� �

TipIf you modify this file by hand, you will always have to call up SuSEconfigseparately afterwards so that the modified configurations are automati-cally written into the correct files.

/etc/hostsIn this file (seefile contents3.3.1on the facingpage),IP addressesareas-signedto hostnames.If no nameserver is beingused,thenall hostswhichareto receive an IP connectionwill have to be listed here. A line consist-ing of the IP address,the fully qualifiedhostnameandthehostname(e.g.earth) is enteredinto thefile for eachhost.TheIP addresshasto beat thebeginningof theline, andentriesareseparatedby blanksor tabs.Commentsarealwayspreceededby the‘#’ sign.

/etc/networksHere, network namesareconvertedto network addresses.The format is

26


Figure3.6: YaST2: Configuringthenetwork address

## hosts This file describes a number of host name-to-address# mappings for the TCP/IP subsystem. It is mostly# used at boot time, when no name servers are running.# On small systems, this file can be used instead of a# "named" name server. Just add the names, addresses# and any aliases to this file...#127.0.0.1 localhost192.168.0.1 helios.cosmos.com helios192.168.0.20 earth.cosmos.com earth# End of hosts

File contents3.3.1:/etc/hosts

similar to thatof thehosts file, exceptfor the network namespreceedtheaddresses(seethefile contentsof 3.3.2on page30).

/etc/host.confNameresolution– i. e. thetranslationof hostandnetwork namesvia there-solver library – is controlledby this file. It is only usedfor programslinkedto the libc4 or the libc5; for currentglibc programs,refer to the settingsin/etc/nsswitch.conf! A parametermustalwaysstandalonein its ownline andany commentsarepreceededby a ‘#’ sign. Table3.1 on the fol-lowing pageshows theparametersavailable.

orderhosts, bind Specifiesin which order the servicesareto beaccessedfor thenameresolution.Availablear-gumentsare(separatedby blankspacesor com-mas):

Table3.1: continuedoverleaf...

27

3 Adminhost

hosts: Searchesthe/etc/hosts filebind: Accessesa nameservernis: Via NIS

multi on/off Definesif a host enteredin /etc/hosts canhavemultiple IP addresses.

nospoofonalerton/off

These parametersinfluence the name serverspoofingbut apartfrom that, do not exert anyinfluenceon thenetwork configuration.

trim � domainname� The specifieddomainnameis separatedfromthe host namefollowing the host namereso-lution (as long as the host nameincludesthedomainnamed). This option is useful if onlynamesfrom the local domainarein the/etc/hosts file but arestill to berecognizedwith theattacheddomainnames.

Table3.1: Parametersfor /etc/host.conf

An examplefor /etc/host.conf is shown in thefile 3.3.3onpage30.

/etc/nsswitch.confWith theadventof theGNUCLibrary2.0,the“NameServiceSwitch” (NSS)hassteppedto the forefront (seemanpagemanpagefor nsswitch.conf(man 5 nsswitch.conf), andfor moredetailedinformation,seeTheGNUC Library ReferenceManual, Chap."SystemDatabasesandNameServiceSwitch", referto packagelibcinfo, seriesdoc).

The /etc/nsswitch.conf file definesthe orderof datain which it is tobe queried. An exampleof nsswitch.conf is shown in the file 3.3.4onpage30. Commentsarepreceededby ‘#’ signs.Here,e.g.,theentryunder“database”hosts meansthata requestis sentto /etc/hosts (files) viaDNS (seeSectionA onpage103).

The“databases”availableoverNSSarelistedin Table3.2onthefacingpage.In addition,automount, bootparams, netmasks andpublickey areto beexpectedin thenearfuture.

aliases Mail aliasesimplementedby sendmail(8); see alsomanpagefor aliases (man 5 aliases).

ethers Ethernetaddresses.group For usergroups,usedbygetgrent(3); seealsomanpage

for group (man 5 group).hosts For host names and IP addresses, used by

gethostbyname(3) andsimilar functions.

Table3.2: continuedoverleaf...

28


netgroup Valid hostanduserlists in the network for the purposeof controlling accesspermissions;seealsomanpagefornetgroup (man 5 netgroup).

networks Network namesandaddresses,usedby getnetent(3).passwd Userpasswords,usedbygetpwent(3); seealsomanpage

for passwd (man 5 passwd).protocols Network protocols,usedby getprotoent(3); seealso

manpagefor protocols (man 5 protocols).rpc “RemoteProcedureCall” namesandaddresses,usedby

getrpcbyname(3) andsimilar functions.services Network services,usedby getservent(3).shadow “Shadow” user passwords, usedby getspnam(3); see

alsomanpagefor shadow (man 5 shadow).

Table3.2: Available“databases”via /etc/nsswitch.conf

Theconfigurationoptionsfor NSS“databases”arelistedin Table3.3.

files directlyaccessfiles, for example,to /etc/aliases.db accessvia adatabase.nis NIS;nisplusdns Only usableby hosts andnetworks asanextension.compat Only usableby passwd, shadow andgroup asan ex-

tension.also it is possibleto trigger various reactionswith certain

lookupresults;detailscanbe found in the manpagefornsswitch.conf (man 5 nsswitch.conf).

Table3.3: Configurationoptionsfor NSS“Databases”

/etc/nscd.confThenscd (NameServiceCacheDaemon)is configuredin this file(seemanpagefor nscd (man 8 nscd) andmanpagefor nscd.conf (man 5 nscd.conf)). Thisaffectsthedataresult-ing from passwd, groups andhosts. Thedaemonwill haveto berestartedoncethe nameresolution(DNS) hasbeenalteredby a modificationin the/etc/resolv.conf file. Thefollowing commandservesthis function:

earth: # rcnscd restart

29

3 Adminhost

## networks This file describes a number of netname-to-address# mappings for the TCP/IP subsystem. It is mostly# used at boot time, when no name servers are running.#loopback 127.0.0.0localnet 192.168.0.0# End of networks.

File contents3.3.2:/etc/networks

## /etc/host.conf## We have named runningorder hosts bind# Allow multiple addressesmulti on# End of host.conf

File contents3.3.3:/etc/host.conf

## /etc/nsswitch.conf#passwd: compatgroup: compat

hosts: files dnsnetworks: files dns

services: db filesprotocols: db files

netgroup: files

File contents3.3.4:/etc/nsswitch.conf

30


Figure3.7: YaST2: Configuringthenameserver

� �

� �

CautionIf, for example, the caching for passwd is activated, it will usually takeabout 15 seconds until a newly added user is recognized by the system.By restarting nscd, you can reduce this waiting period.

/etc/resolv.confAs is alreadythecasewith the/etc/host.conf file, thisfile likewiseplaysa role in hostnameresolution,by wayof theresolverlibrary.

The domain to which the host belongsis specifiedin this file (keywordsearch) andthestatusof thenameserveraddress(keywordname server)which is to beaccessed.Multiple domainnamescanbespecified.Whenre-solvinganamethatis not fully qualified,anattemptis madeto generateoneby attachingthe individual search entries. Multiple nameserverscanbemadeknown by enteringseveral lines,eachbeginningwith name server.Onceagain,commentsarepreceededby ‘#’ signs.

An exampleof /etc/resolv.conf is shown in the file contents3.3.5onthefollowing page.

YaST entersthegivennameserverhere!

/etc/HOSTNAMEHereis the hostnamewithout the domainnameattached.This file is readby several scriptswhile the machineis booting. It may only containoneline wherethehostnameis mentioned!This file will alsobeautomaticallygeneratedfrom thesettingsmadein /etc/rc.config.

31

3 Adminhost

# /etc/resolv.conf## Our domainsearch cosmos.com## We use helios (192.168.0.1) as name servername server 192.168.0.1# End of resolv.conf

File contents3.3.5:/etc/resolv.conf

Star t-Up Scripts

Apart from theconfigurationfilesdescribedabove,therearealsovariousscriptswhich loadthenetwork programswhile themachineis beingbooted.Thesearestartedassoonasthesystemis switchedto oneof themulti-userrunlevels(seealsoTable3.4).

/etc/init.d/network This script takes over the configurationforthenetwork hardwareandsoftwareduringthesystem’s start-upphase.During this process,theIP andnetwork address,netmaskandgate-way specificationsenteredby YaST in the/etc/rc.config file areevaluated.

/etc/init.d/route Servesthepurposeof settingstaticroutesoverthenetwork.

/etc/init.d/inetd Startsinetd, aslongasit is specifiedin /etc/rc.config. This is only necessaryif youwant to log in to this machinefrom the net-work.

/etc/init.d/portmap Starts the portmapperneededfor the RPCserversuchas,for example,anNFSserver.

/etc/init.d/nfsserver

StartstheNFSserver.

/etc/init.d/sendmail Controlsthe sendmail processdependingonthesettingsin /etc/rc.config.

/etc/init.d/ypserv StartstheNIS serverdependingonthesettingsin /etc/rc.config.

/etc/init.d/ypbind StartstheNIS clientdependingonthesettingsin /etc/rc.config.

Table3.4: Someof thestart-upscriptsfor thenetwork programs

Pleasenote that the hostnamewill only be written to the systemfollowing areboot.Someapplicationswill only functionwith a definitivehostname.

32


3.3.11 The user ‘fwadmin’ for the Firewall AdministrationSystem (FAS)

Figure3.8: Theuserfor theFirewall AdministrationSystem(FAS)

In the ‘fwcdadmin’ configurationmask(seeFigure3.8), you cansetup a userto with which you can carry out the configurationof the SuSEFirewall CD.Entera username– the default nameis ‘fwadmin’. You canalsospecifyahomedirectoryfor theuser. Thedefault for this is /var/lib/fwadmin. In thisconfigurationmask,you shouldassigna password for the firewall adminuser.This password mustbeat leastfive characterslong. In additionyou mustdefinea “passphrase”andrepeatthis in thenext field to confirmit.

Selectinga good,securepassword will finally concludethebasicinstallationoftheSuSEFirewall Adminhost.

33

3 Adminhost

3.4 Firewall Administration System (FAS)

Following installation,thesystemwill bootto thegraphicallogin. Log in hereasuser‘fwadmin’ with your password. In all cases,FAS will only functiononcethesystemhasbeenrebooted.

3.4.1 Log ging in as fwadmin

You will arrive at theuserdesktopfor ‘fwadmin’ whereyou will find an iconwhich startsthe administrationsdesktopfor direct configurationof the firewallCD just by clicking on it (seeFigure3.9).

Figure3.9: Desktopwith FAS icon

3.4.2 Star ting the Firewall Administration System

FAS is thegraphicaladministrationinterfacefor creatingtheconfigurationdiskfor the“SuSEFirewall CD”. FAS supportsmultiple usersandis ableto manageseveralconfigurations.

FAS is a client/server systemmadeup of theGUI andthe fasd server daemon.Thefasd(fasdaemon)managesthedifferentconfigurations,makeschanges,andcheckstheentriesfor accuracy. Thefront-endreceivestheuserdataandforwardsit to theserver. In thisversion,communicationbetweenthefront- andback-endstakesplaceoverUnix domainsockets.

Thereareseveralwaysto starttheFirewall AdministrationSystem:

1. Iconon desktop(seeFigure3.9)

2. Menuselection(seeFigure3.10on thenext page)

3. EnterthecommandFAS at thecommandline (e.g.xterm).

34

3.4 Firewall Administration System(FAS)

Figure3.10:K menuwith menuitemFAS

3.4.3 Creating a new fire wall configuration

Onceyou have startedthe configurationprogramFAS, you will have to createa new useraccountin FAS. To do this, selectthe item ‘Create Login’ in the‘File’ menu. A dialog will emergewhereyou canentera new usernameandpassword. The usernamemustbe at leastfive characterslong. The passwordmustbebetweenfiveandeightcharacterslong. This passwordprotectsthecon-figurationof the“SuSEFirewall on CD”, sothepassword will beauthenticatedby theprogramcracklib.

A rule of thumb:goodpasswordsshouldnot beableto beguessedby others,sopleasedonotuseyourown birth date,streetaddressor thenameof your favoritecelebrityetc. They shouldnot be too shortbut still shouldbe ableto be typedquickly sothatnoonecanseewhatyouaretyping. Useamixtureof numbersaswell asupper- andlower-caseletters.Of course,in any case,it is importantthatyou canalsorememberyour password andnot have to write it down. Tested-and-truemethodsof comingup with a password arethereforeabbreviationsofsentencesor expressionswhich areeasyto memorize.Herearesomeexamples:

• NE14TenS(anyonefor tennis?)

• AuaEGC(all UNIX-adminseatgreencheese)

• Me1st(Me first)

• IwIhagp(I wish I hadagoodpassword)

Theconfigurationof the“SuSEFirewall on CD” is savedto a.tar.gz archive.To be able to edit a configurationalreadycreated,you will have to give thispassword again.

After loggingin, select‘New Config’ underthemenuitem‘Configuration’.A new window will appearwhereyoucandefineanamefor theconfiguration.In

35

3 Adminhost

addition,you will have to entera descriptionof theconfiguration.This descrip-tion canalsobeusedto explainthepurposeof theconfigurationandto documentwho whenandwhathaschangedor hasbeenchangedin theconfiguration.Thedescriptionof the configurationcanbe addedto later or changedat any time.Usethis option,sincegooddocumentationis essential.

Confirmwith ‘OK’.

You will now seethenameof your new configurationin theleft window panel.If you click on the nameonce,the configurationdescriptionwill appearto theright. Now youcanedit yourdescription.To save changesto yourconfigurationdescription,click on ‘Save the changes’. Double-clickon theconfigurationnameor on thebutton‘Open Configuration’ to begin creatingyourconfigu-ration.

In the left window panel,a list will appearwith theconfigurationmodules,i.e.with the serviceswhich you canalsouseto configureyour firewall alongwiththe statusof eachmodule. The first thing you needto do is configurethe basemodule(‘Base module’ and‘Syslog Module’). As longasthesemodulesarein “not configured”status(symbolizedby across),youcannotchooseany of theothermodules.

Configuration of the base module

Thebaseconfigurationtakesplacein threesteps:

1. ‘root’ password for thefirewall:

Figure3.11:Definerootpassword

In this dialog(seeFigure3.11),the‘root’ password is setfor thefirewall.If you do not give a ‘root’ password (deactivatecheckbox),nobodywillbeableto directly log in to thefirewall hostas‘root’ during futureoper-ation. Accessis only possiblevia ssh andRSA key providedthatyou haveconfiguredssh.

36


The checkbox‘enable serial console’ activatesthe connectionof aserialconsolewhichcanbeusedto controlthefirewall.

2. Setupof the(optional)harddisk (seeFigure3.12):

Figure3.12:Harddisk setup

If youactivate‘Use hard disk’, you canmakethefollowing settings:

Disk Device: Statesthe harddisk to be integrated:e.g.: /dev/hda (firstharddiskon thefirst IDE controller)

Disk Swap Space: Sizeof theSwappartition: e.g. 128MB or 64 MB

Checkbo x use /var on Disk: Shouldthedirectory/var be locatedon theharddiskdevice?

Enable IDE DMA: activatesDMA for IDE

If you usethe e-mail proxy and/orenablethe cachingfor the HTTP proxyand/oryouwantto save log messagesto theharddisk, theharddiskmustbeconfiguredand/varactivated.

3. Network interfaces(seeFigure3.13on thefollowing page):

In thisdialog,youwill find alist with network interfacesalreadycreated.Upto ten interfacescanbe given, wherebyyou mustentera minimum of oneinternalandoneexternal.

‘New’ addsa new network interface. A window will appearwith the ‘In-terface Dialog’. Thefollowing datais required:

Network Type: ethernetis the “default” (this versiononly supportsether-net).

Device Name: to begivenin consecutiveorder

IP Address: IP addressesto beassignedto theinterface

Netmask: thenetmaskof theIP address

37

3 Adminhost

Figure3.13:Network interfaces

Figure3.14:Addinga new network interface

Purpose: internal/external;is theinterfaceconnectedto theIntranet,to theDMZ or to theInternet?

‘OK’ confirmsthesettings,‘Cancel’ abortsthedialog.Thenewly configuredinterfacewill now appearin the list. ‘Edit’ reconfiguresan alreadyexist-ing interface. Selectan interfacefrom the list andchoose‘Edit’ to makechanges.‘Delete’ deletestheselectedinterface.

4. Routing(seeFigure3.15on thenext page)

Here,you cansetspecificroutes.‘New’ createsa new route,‘Edit’ editsanalreadyexistingone.

In the dialog box ‘Configure Routing’ (seeFigure 3.16 on the facingpage),thefollowing settingscanbemade:

Destination: Which network or which hostshouldbe the routing destina-tion? Enterthenetwork address(e.g.192.168.0.0).

Gateway: If agateway is necessary, which IP addressdoesit have?

38


Figure3.15:Routingconfiguration

Figure3.16:Routing

Genmask: Thecorrespondingnetwork mask.

Interface: Overwhich interfaceshouldtherouterun?

Savethesettingswith ‘OK’ asyoudid beforeandaborttheconfigurationwith‘Cancel’. With ‘Delete’, youcandeleteanexisting route.

5. Hostanddomainconfiguration(seeFigure3.17on thenext page):

Firewall Hostname: Specify the nameof the firewall host. Avoid namessuchasgatewayor firewall.

Firewall Domain: Specifythenameof thedomainwherethefirewall is.

Nameser ver: For properconfigurationof the resolver, specify the nameserverandthesearchlists,e.g.your-company-inc.com.

39

3 Adminhost

Figure3.17:Hostanddomainconfiguration

DNS configuration

In this menu,thenameserver bind8 will beconfigured.DetaileddescriptionsofDNS andbind8 canbefoundin theappendixof this manual.

Figure3.18:DNSconfiguration

Forwar der IP Addresses: Here,specifywhetheryouwantto forwardDNSre-queststo oneor moredifferentnameservers.To dothis,enablethecheckbox‘DNS Forwarder IP Addresses’. This will activatethe ListBox. Nowyou canspecifya list of nameserversto which DNS requestsshouldbefor-warded. If you activate the checkbox‘forward only’, the nameserverrequestswill only be forwardedto the nameserver you state. If it is dis-

40


abled,theotherso-called“root” nameserverswill becontacted(commonlyrecognizednameserversin theInternet)(seeFigure3.18onthefacingpage).

Listen to selected IP Address(es): Normally, the bind8 nameserver acceptsrequestsfrom all availablenetwork interfaces,that is, from the internalaswell asfrom theexternalnetwork interfaces,andthe loopbackinterface.IntheListBox, selecttheinterfacesonwhich DNS requestscanbeaccepted.

IP filter configuration with ipc hains

In theFAS-ipchainsmodule(seeFigure3.19),specifyafile to whichyousavedapacketfilter configurationusingipchains-save (seealsoman ipchains(8)).This file will bereadandsubsequentlywritten to theconfigurationdisk.This configurationcanbeadoptedin this mannerby thefirewall.

Figure3.19: IP packetfilter configurationwith ipchains

Configuration of the SuSE fire wall module

This moduleallowsyou to configuretheSuSEFirewall Scriptstepby step.

1. First, specify which of the network interfacesyou configuredin the basemoduleis to be designatedfor the DMZ (DemilitarizedZone)or for yourinternalnetwork. Theinterfacesyou specifiedasinternalin thebaseconfig-urationwill appearhere.Selectfrom thelist by clicking with themouse(seeFigure3.20on the following page). The interfacesyou specifiedasexter-nal in thebasemodulewill automaticallyshow up in thetext field “InternetDevice”.

2. Routingfilter: here,you canenabledirect routingfrom IP packetsby spec-ifying a sourceanddestinationaddressa well asa destinationport (seeFig-ure3.21on thenext page).Youwill needthis for yourserviceswhichdonothaveproxies.

41

3 Adminhost

Figure3.20:Selectingdevices

Figure3.21:Routingfilter

42


3. Rerouting: To enabletransparent“proxying”, you will needto reroutethepackets. For example,if you want to carry out transparentconfigurationsof the internalHTTP proxy. The IP packetshave an internal IP addressassourceaddressand as destinationaddress,an Internet IP address. TheseIP packetshave port 80 (www) asthe destinationport. Your HTTP proxy,however, waitson port 3128for thepacketson your firewall. This reroutingprocedure,from adestinationaddresswith destinationport80to therequiredlocalhostport 3128canbeconfiguredin this screen(seeFigure3.22).

Figure3.22:Packet rerouting

4. If youwantto implementmasquerading,activatethecheckbox‘Masquerad-ing’, otherwise,simplyclick onnext (seeFigure3.23).

Figure3.23:Masquerading

In this window, you canspecifywhich internalnetworksareto bemasked,

43

3 Adminhost

e.g. 192.168.10.0/24

5. Releaseof portsfor internalaccessto the firewall. Which firewall servicesdo you wantto make availablefor theinternalnetwork? Selectfrom thelistprovided(seeFigure3.24).

Figure3.24:Releasinginternalportsto thefirewall

6. Releaseof externalportsto thefirewall: Selectfrom thelist of portsyouwantto releasefor this purpose,i.e. which canbeaccessedfrom theInternet(seeFigure3.25).

Figure3.25:Releasingexternalportsto thefirewall

7. Releasetheportswhichareto accessthefirewall from theDMZ by selecting,onceagain,from the list provided(seeFigure3.26on the facingpage). Ifyoudid notchooseany DMZ interface(if in 1.), thisscreenwill bedisabled.

44


Figure3.26:Releasingportsfrom theDMZ to thefirewall

8. Protocolandkernelmodules.

Figure3.27:Selectionof protocolandkernelmodules

• Selectthe“log level” for thepacket filters from theseriesof checkboxes.In doingso,pleasebeawarethatthelog filescangrow veryquickly if youareloggingall thepacketstogether.

• In theselectionfield pertainingto thekernelmodules,choosethemodulesyouwill needif youareusingcertainapplicationswhichoperateindepen-dentlyof thefirewall (seeFigure3.27).

45

3 Adminhost

Configuring the mail relay (Postfix)

Figure3.28:Configurationof themail relays– Dialog 1

Internal mail server: SpecifytheIP addressor thenameof your internalmailserver (seeFigure3.28).

Checkbo x ISP relay: Activatethischeckboxif youforwardall outgoinge-mailto theSMTPserverof yourInternetServiceProvider(ISP).Specifythename(FQHN)or theIP addressof theSMTPserverof yourprovider.

Relay the follo wing domains: Can be usedto specify the domainnamestoreceiveany relayedmail andto forwardmail to yourmail server.

46


Local networks: List of yournetworks.Postfixdecidesby meansof this list ifanetwork cansende-mailsover thefirewall. Enteryournetworkshere(e.g.192.168.0.0/24) (seeFigure3.29).

Listen to IP: Here, enter the IP addresseswhere the mail relay receives re-quests.

Figure3.29:Configurationof themail relays– Dialog 2

47

3 Adminhost

SSH configuration:

Figure3.30:AddinganddeletingSSHkeys

SSH keys: Here,you have the option of saving your “ssh public key” for ac-cessingthe firewall as‘root’ so that you can, if necessary, log on to thefirewall host.You havetwo optionshere(seeFigure3.30):

• Youcanimportakey. An “sshkey” normallyis locatedin theuser’shomedirectoryin the.ssh/ directoryasidentity.pub. Selectthis file. Thekey will thenappearin thelist (seeFigure3.31).

Figure3.31: Importingthekey

• You canalsoentera key by way of “copy&paste”. If you click on ‘addkey’, a dialogwill openup (seeFigure3.32on the facingpage). In thetext field, you canspecifyyour “ssh public key” andconfirm with ‘OK’.This key will now appearin thelist below.

Delete key: Selectthekey to bedeleted.Click on‘delete key’. Theselectedkey will bedeleted.

48


Figure3.32:Adding thekey

Checkbo x pass word authentication: If thischeckbox(seeFigure3.33)is ac-tivated,youwould beableto log on to thefirewall usingyour password. Donot do this! We adviseyou to only allow accessvia RSAkeys.

Listen to selected IP address: Onwhichnetwork interfaceshouldssh acceptrequests?EntertheIP addressesin thelist field.

Figure3.33:SSHconfiguration

49

3 Adminhost

Syslog configuration:

In this dialog (seeFigure3.34), you canconfigurethe behavior of the syslogdaemon.

You have the option of directing the outputof the syslogd(8)to the harddiskand/orto a log host.Specifya list of IP hostaddresseswhereyou wantthelogsto bewritten. Thesehostsmustalsobeconfiguredto beableto receive thelogs.TheSuSE Linux Firewall Adminhost is alreadygearedtowardthesetasks.

Figure3.34:Syslogconfiguration

Theconfigurationof thesyslog-ngon theSuSEFirewall Adminhostwill beex-plainedmorethoroughlybelow.

50


FTP access – external to internal:

If you areadministratingyour own FTP server, you will have to make the fol-lowing settingshere(seeFigure3.35):

Figure3.35:Configurationof theFTPserver

FTP Server IP: TheIP addressof your Intranetor DMZ FTPserver

Por t: Theport whereyour FTPserver is listening,normallyport 21. With this,your firewall is seenexternallyasan FTP server. Requestan aliasentry intheDNS for yourfirewall from yourprovider, e.g.: ftp.mycompany.com.

Maximal Clients: Maximum numberof FTP clientswhich canbe simultane-ouslyconnectedto theFTPserver

Listen to IP: IP addressof the interfacewheretheFTPserver acceptsconnec-tions

51

3 Adminhost

Configuration of the FTP proxy: internal to external:

Figure3.36:Configurationof theFTPproxy

FTP Proxy Por t: 10021Portto which theFTPproxy responds.

MagicUser: This parameterallows you to specify the destinationFTP serveryou selectedin the username:user[@host[:port]].This may appearasfol-lows:> ftp [email protected]:21

Magic Char: The MagicCharcharacteris normally set to “%”. If the option‘Magic User’ is enabled,any charactercanbeusedfor this.

Maximal Clients: Maximumnumberof openconnectionson theFTPproxy.

Listen to selected IP address: IP addressoverwhichtheFTPproxyresponds.

52


Configuration of the HTTP proxy for internal to external connections

In this module,you canmake settingsfor the HTTP proxy. This modulepro-cessesHTTP requestsby internalnetwork users(seeFigure3.37).

Figure3.37:Configurationof theHTTPproxy – Startscreen

HTTP proxyThefollowing entriesarerequiredfor theconfigurationof theHTTPproxy:

Figure3.38:Configurationof theHTTPproxy – Dialog 1

HTTP Proxy Por t Statetheport wheretheproxy shouldacceptinternalHTTPrequests.Default settingis port3128 (seeFigure3.38).

Listen to selected IP addresses Here, define the IP addressof the firewallfrom which HTTP requestscanbe received. In the selectionlist, you will

53

3 Adminhost

find the interfacesspecifiedin the baseconfigurationas internal. 0.0.0.0standsfor all firewall interfaces.

Transparent Proxy Basically, this only monitorsthe proxy on port 3128. Ifan HTTP requestis submitted,this will run over port 80 and will not beprocessed.Theoption‘Transparent Proxy’ mustbeactivatedin ordertoprocessthis request.In conjunctionwith this, a “redirect” rule (rerouting)mustexist, which will reroutetherequestinsidethefirewall to port 3128. Ifthis optionis not enabled,all clients,or theinternalproxy, will have to havethefirewall enteredasproxy.

Caching For repeatedHTTPrequests,youcanalsoactivatetheoption‘Caching?’to preventvalid pagesfrom beingreprocessed.Thesizeof thecachecanbedefinedin theentryfield providedandshouldnot belessthan100MB.

� �

� �

CautionThe firewall should not be used as a buffering HTTP proxy, since thisis not the actual purpose of the firewall. A better solution is utilizinganother independent host.

If youhavemadeall thechangesyouwant,confirmthesettingswith ‘Next’.

Defining ACLs


ACL (Access Contr ol List) Definewhocanusetheproxyandwhattheseusersareableto accessin theInternet(seeFigure3.39).

Name for ACL Here,youcannamethelist to beadded.

54


Next, selecta ‘Type’ for yourACL. You havethechoicebetween:

dest (destination) Specificationof destinationaddresses.

proto (protocol) Here,youcandefinetherespectiveprotocols.

src (sour ce) Definitionof thesourceaddresses.

url_reg ex Specificationof URL addresses.

Add Add thenew ACL from to thelist of alreadyexistingACLs.

Delete You canalsodeleteACLsusingthisbutton.

Edit ACL In this window, you canenteror changevalueswhich areto be at-tributedto anACL youselected.Youcaninsertnew valuesor editanddeletealreadyexistingonesin theentryfield.


Arrange ACLs


Youwill find variousoptionsfor settinguptherules(ACL) onthismodulepage.The selectedsettingsfor ‘ACL’ and ‘Negate ACL’ are linked by the logical“AND” (seeFigure3.40).

• In the‘Action’ selectionfield, choosebetween‘allow’ to permitor ‘deny’to prohibit Internetaccesswhich youwill definebelow.

• Specifyvia ‘ACL’ analreadyexisting list to which thesettingswill apply.

• Specifyan ACL which shouldbe negatedvia ‘Negate ACL’. In this man-ner, you can, for instance,allow retrieval of Internet sites (selectionun-der ‘ACL’), which will, however, not run over SSL ports (selectionunder‘Negate ACL’).

• A new rule canbeintegratedvia ‘Add’.

55

3 Adminhost

• Click ontherespectiverulein thelist field to edit it. At thispoint,thesettingsin theaboveportionwill beapplied.Youcannow modify themandsave thechangeswith ‘Edit’.

• Click on ‘Delete’ to removerulesandselecttherespective item.

• In thelowerpartof thewindow, youwill find a list field with entriespertain-ing to all actionsandtheirACL settings.

� �

� �

CautionThe order of rules in the list field is very important, since the list you setup will be processed from top to bottom. According to the first match,access to the requested URL will either be accepted or denied.

• To movearuleupor downonenotch,click ontheruleandactivatethebuttonin the right window margin andmove up or down with the correspondingarrows.

• If youhavemadeall thechangesyouwant,confirmthesettingswith ‘Next’.

Content filter


To filter or searchfor certainHTML pagecontentsand,if needed,to blockcon-tents,activatethecheckboxnext to ‘Content Filter’ (seeFigure3.41).

� �

� �

NoteYou should be able to program HTML in order to configure this filter. The“tags” and “attributes” discussed in the following are HTML components, theprogramming language in which web sites are written.

56


All theaddedfilter settingscanbefoundin thelowerwindow panel.There,youwill seenamesattributed to types,actionsdefinedandsubstitutionsspecified.Pleasenotethatall undefinedHTML tagsor attributeswill bedenied.

Proceedasfollows:

• To adda filter rule, selectthe respective type from the selectionfield withthesamename.You canchoosebetween‘tag’ and‘attr’ for anattribute.In the‘Name’ entryfield, specifythetext of the“tag” or “attribute” andthenselectanaction.Multiple labelsfor actionsarealsopossible.Youcanchoosefrom:

allo w permitstheselectedtag/attribute.

log setsanentryinto theso-called“log file” andcanbeusedlaterfor settingup filter strategies.

replcont replacesthetag/attributeandcontinuesevaluatingtheattribute.

replabor t replacesthetag/attributeandstopsevaluatingtheattribute.

• Bothof thefollowing actionsserve to removeentirecodedsectionsfrom therequesteddocuments:

replskip shows thebeginningof anomission,which will not beforwardedto theuser.

replendskip shows theendof theomission.

• In theentryfield next to ‘Replace by’, enterthestringwhich will beusedinsteadof thefirst one.No blanksspacesarepermitted.Instead,use to inserta blankspace.Here,of course,it only makessenseto insertsome-thing if you have selected‘replcont’, ‘replabort’, ‘replskip’ or ‘re-plendskip’ asanaction.

• To edit a filter rule, selectit from the list field. You will thenseethevaluesin theentryandselectionfields locatedin theupperportionof thewindow.Modify thevaluesandconfirmby clicking on ‘Edit’.

• To removefilter rules,selectthemfrom thelist field andclick on ‘Delete’.

Parent proxy configuration

If your provider suppliesspecificproxy for HTTP requests,the IP addressofthe proxy can be enteredin the field next to ‘IP address of the parentproxy’. Theprovider’sHTTPportis thenenteredunder‘Parent Proxy Port’(seeFigure3.42on thenext page).

If the ‘Content Filter’ is disabled,you canspecifyunder‘Parent ProxyICP Port’ (ICP = internetcachingprotocol) the provider’s ICP port if theirproxy supportsICP.


57

3 Adminhost


Configuration of the HTTP proxy for external to internal connections

If you arenot managingyour own web server, you will not have to configureanything here. Otherwise,pleasemake the following settings(seeFigure3.43on thefacingpage):

Web Server IP: TheIP addressof yourwebserver locatedon your Intranet.

Web Server Por t: Normallyport 80.

Proxy Por t: Theport listenson theproxy, normallyport 80. In this way, yourfirewall becomesthewebserver asviewedfrom theoutside.Therefore,re-questanaliasfor yourfirewall from yourprovider, e.g.: www.my-company.com

Listen to IP: IP addressof theinterfacewheretheproxyacceptsconnections.

Saving the configuration

A configurationcan be saved by clicking on ‘Save configuration’ in the‘Configuration’ menu.Onceyou haveexited theconfigurationandmodifiedthesettings,youwill beaskedif youwantto savethechanges.Theconfigurationis archived with tar andcompressedwith gzip andsaved to the harddisk inthefile

/var/lib/fas/<username>/configs/<configurationname>.tar.gz.

No normaluseron theadminhostcanreadthis configuration.Only ‘root’ hasthenecessarypermissionsfor this.

In orderto createa floppy disk, insertit into the drive, selectthe configurationyou wantto have savedto disk andthenclick in themenus,first on ‘Configu-ration’ andthenon ‘write to floppy’. Now, thedisk will bewritten. The

58


Figure3.43:Configurationof theexternalHTTPproxy

configurationmusthavepreviouslybeenrecognizedas“properlyconfigured”,inwhich case,a greencheckmarkwill appearin theleft portionof thedialog.

3.4.4 Editing an existing fire wall configuration

To edit anexisting firewall configuration,starttheFirewall AdministrationSys-temFAS. Log on astheuseryou usedto createtheconfigurationvia themenu‘FAS’ � ‘Login’, andthenenteryour password. Now you will obtaina list oftheconfigurationspreviouslycreatedby thisuser.

Selecttheconfigurationfrom thelist whichyouwantto edit. Double-clickingontheconfigurationnamein the list locatedin the left window panelletsyou editoneof theservicesin its respectivemodule.

3.4.5 Testing the configuration

The configurationcreatedusing the administrationapplicationstill has to betestedbeforeit canbeput to productiveuse.

To do this, thefirewall is startedoffline (connectedneitherto theInternetnor toyour Intranet).To carryout the testing,thefirewall is connecteddirectly to theadminhost(crossovercable).

Testingfor thepacket filter caneasilybedonewith a port scanner. To this end,the programnmap is installedon the adminhost. If you carry out a portscanfrom the adminhost,pleasebe awarethat you mustdisablethe packet filter ofthe adminhost.Log in asuser‘root’ andenterthe following commandin aconsole:

root@adminhost: # SuSEfirewall stop

59

3 Adminhost

In this way, you canensurethatall returningIP packetsareableto bereceivedby theadminhost.Do not forget to reactivatethe packet filter aftercompletingthetest:root@adminhost: # SuSEfirewall start

Following the port scan,the scanningresultsand the log file shouldbe docu-mentedon thefirewall andretained.

Makesurethatthefollowing servicesarerunningproperly:

• Nameserver test:e.g. with nslookup plusnameof thefirewall. Checkthelog file, e.g. via grep named /var/log/messages. Thereshouldnot beany messagescontaining“error”.

• Mail relay test: by sendingan e-mail and checkingthe log files /var/log/mail and /var/log/messages. Searchthe log files for “postfix”(grep postfix /var/log/mail

• FTPproxy test:e.g.via telnet to yourfirewall.

• TesttheHTTPproxy by attemptingto accesstheInternetfrom aclient.

• Testssh by loggingon to thefirewall from a client.

Alwaysverify all processesby referringto thelog files.

3.4.6 Documenting the configuration, the tests and theresults

It is essentialthat you documentthe configuration,any testsperformed,andtheir results. Record,in other words, what is permittedor prohibitedby theconfiguration,andhow this is guaranteed.

By meansof suchdocumentation,youmaybeableto detectconfigurationerrorsandremedythem.Thisdocumentationis alsonecessaryfor auditingthefirewall.

3.5 Monitoring the Firewall

As alreadymentionedseveraltimes,afirewall’sfunctionalityis quitelimited if isnotaccompaniedby constantmonitoring.Sometoolsfor monitoringthefirewallarelocatedontheadminhost.Themostimportantsourcesof informationarethelog files, which arewritten eitherto the loghostor theharddisk, dependingontheconfiguration.

Thefollowing programsareavailableastoolsfor analyzinglog files.

• xlogmaster

• logsurfer

• sylog-ng

Thefollowing network or packetsnifferscanbeusedto monitoryourfirewall:

60

3.5 Monitoring the Firewall

• ntop

• tcpdump

• ethereal

With thefollowing portscanners,youcanexaminethefirewall onopenportsandmonitorthepacketfilter configuration:

• nmap

• nessus

In addition,you can,of course,useshell or perl scriptsthat you have writtenyourself.

Configuration of syslog-ng

In order to configurethe login daemonsyslog-ng(8) on the loghost,log into a consoleasuser‘root’ or enterthecommandsu - root in anxterm. Ifthe SuSELinux Adminhostfor Firewall is not your loghost,copy the program/opt/fas/sbin/fas_syslogng_config.pl to your loghost.

Starttheprogramas‘root’ with thefollowing command:root@loghost: # /opt/fas/sbin/fas_syslogng_config.pl

Specifythehostnameof yourfirewall. Definewhethersyslog-ng is to bestartedwhenthesystemis booted.Thedefaultsettingis "yes".

Thehostnameof thefirewall mustbeableto beresolvedto anIP address.Youcandetermineif this is thecaseby referringto anentry in the/etc/hosts fileon your loghost.For this, referto theexample3.5

# Firewall logging entry# IP address of firewall hostname.mydomain.com hostname# e.g.192.168.0.1 stargate.mydomain.com stargate

File contents3.5.1:Sampleentryin the/etc/hostsfile

61

3 Adminhost

62

4 SuSE Lin ux Live CD for Firewall


4.1 Intr oduction

The “Li ve CD” for SuSE Linux Firewall on CD is the “executive branch” ofthe firewall. The Live CD is a minimal SuSELinux equippedto meetsecurityneeds.This appliesto the availableapplicationsaswell asto the kernelitself.The “SuSEFirewall on CD” is, in addition,an “Application Level Gateway”,thatmeans,dueto securityreasons,IP packet routingshouldnot setbeup. For-wardingrequeststo servicesis managedby applications(= proxies).

Proxiesandnon-forwardingIP packetsare not enoughto prevent (undesired)InternetIP packetsfrom reachingthe Intranetor viseversa.This firewall func-tionality is adoptedby thekernelpacketfilter whichis configuredby ipchains(8).This is wheretheideaof theLiveCD comesinto play. Thatis, theoperatingsys-tem andall the applicationsarelocatedon a CD, on a read-onlyfilesystem.ARAM disk,wheretheLiveCD is mounted,is generatedwhenbooting.The“sta-tus quo ante” cansimply be restoredby rebootingthe machine. Updatingthe“SuSELinux Firewall onCD” is likewiseverysimplebecauseof this: JustswaptheLiveCD for thecurrentupdateCD andrestartyourfirewall host.

Configuringthesystemandtheservicesis doneby disk,whereall thenecessaryconfigurationfiles aresaved. This disk is mounted“read only” whenbooting.Justto beon thesafeside,thedisk shouldalsobewrite-protected.Thedataontheconfigurationdiskwill becopiedto theRAM diskandthediskitself removedfrom thefilesystem.

Hardwarerequirements:

• The “SuSELinux Live CD for Firewall” is executableon any ix86, wherex=5. At leastaPentium II is recommended.

• At least128 MB RAM is required,

• a3,5-inchfloppy diskdrive

• abootableCD-ROM driveand

• at leasttwo network interfaces

This chapterdoesnot provide any instructionson how to configurefirewall ser-vices,but rather, technicaldocumentationfor thewell-versedadministratorwill-ing to grapplewith the internal aspectsof the system. We will also describedetailsrelatingto theconfigurationfilesof theservicesprovidedontheLiveCD.For configurationpurposes,the Firewall AdministrationSystem(FAS) on theSuSEFirewall AdministrationHostshouldbeused.

63


4.2 Description of the SuSE Lin ux Live CD forFirewall

The“SuSELinux LiveCD for Firewall” is aLiveFile SystemCD from whichalltheapplicationswill rundirectly. Theoretically, thefirewall hostcouldbedrivenwithoutaharddisk. However, youshouldnotethataharddisk for thecacheandspooldirectoriesis requiredby proxy servicessuchasSquid or postfix. A harddisk is likewise requiredif you want to save the syslogdlog messageslocally.In orderto setup the firewall system,insert the CD andthe configurationdiskcreatedby theSuSEFirewall Adminhostandbootthehost.

4.3 Services on the Firewall

“Application level gateways”, or proxies,arelocatedon the “SuSELinux LiveCD for Firewall” for themostcommonandessentialInternetprotocols:

DNS (engl. Domain Name System): IP addressescanbeconvertedinto “FullyQualifiedDomainNames”andviceversawith bind8

SMTP postfix managesthetransportationof e-mailmessages,

HTTP/HTTPS – the WWW Protocol: Squid, httpf, transproxy, tinyproxy

FTP ftp-proxy-suite is usedfor transmittingfiles from onehostto another.

SSH “Remotelogins” with encryptedtransferstake placevia openssh, theau-thenticationprogramfor RSAkey pairs.

All theseapplicationsinvolve opensourcesoftware.All theseprocessesrun onthe“SuSELinux LiveCD for Firewall” in chrootenvironments.

In orderto raisethesecuritylevel of thesystemevenhigher, thefollowing pro-gramsandkernelmodulesareusedfor theLinux Kernel(2.2.19)implementedby theLiveCD: secumod, compartment, OpenWall-Patches.

4.3.1 IPCHAINS

Thepacketfilter of theLinux kernel2.2.xxisconfiguredusingtheipchains appli-cation. ipchains allows for extremelyflexible configurationof thekernelpacketfilter. To do this, referto themanpagefor ipchains(8).

Normally, ipchains(8) recognizesthreepacketfilters-“Chains”: input-chain,forward-chainandoutput-chain.

Thesethreefiltersdeterminethefateof anIP packetarriving ataninterface.It isadvisableto determineapolicy for these“chains”whichdeniesall packets.Thiswill thenbethedefaultbehavior of thechain:Everythingwhich is not expresslypermittedwill bedenied.

IP packetscycle throughthechainsandwill betreatedin respectto theiraddressof origination,destinationandport, i.e. forwarded,discardedor rejected.There

64


arebasicallytwo optionsprovidedby the “SuSELinux Live CD for Firewall”for configuringipchains filter rules. Thefirst andratherconvenientoption is toutilize theSuSEFirewall Script.TheSuSEFirewall Scriptis configureddepend-ing on the configuredandactivatedservices.With its Firewall AdministrationSystem(FAS), theSuSEFirewall Adminhostprovideseasyaccessto theSuSEFirewall Script.Thesecondavailableoptionis configuringyourownpacketfilterwith ipchains. First, we will give you anoverview of theSuSEFirewall Scriptandsubsequently, instructionsfor settingup yourown packetfilter.

The SuSE Firewall Script and configuration

Below is a technicaldescriptionof how filter rulesaregeneratedaswell assomebackgroundon the new SuSEFirewall Script design. However, this documen-tation doesnot offer instructionson how to configurethe firewall – the con-figurationfile /etc/rc.config.d/firewall.rc.config containssufficientcommentswhich simplify the process.Furthermore,you will find somesam-ple configurationsin theEXAMPLES file in the/usr/share/doc/packages/SuSEfirewall directory. Recently, anFAQ list hasbeenaddedto thesamedi-rectory. Pleasebeawarethat “firewall” is referredto throughoutthis documen-tation,eventhoughthis script is technicallynot a firewall itself. This packageisa so-called“packet filter” which acceptsor deniesdataon theTCP/IPlevel. Inotherwords:if youareoperatingaWWW serverandyouwantto opencommu-nicationbetweenit andtheInternet,this scriptwill not provideany protectionifthewebserver assuchwereto exhibit a securityproblem.However, it will en-ableyouto protectserviceswhichshouldnotbeaccessed,keeppotentialhackersin thedarkaboutyourconfiguration,aswell asrecognizeintrusionsby detectingfilter violations.

Thedesignof theSuSEFirewall Scriptsatisfiesthefollowing demands:

• Aboveall, security

Thoseinstalling andconfiguringthis packageexpectthat the script will doeverythingpossibleto securethe system. A usermust,however, take intoaccountthatsomethingsaremoredifficult or perhaps(in rarecases)not atall configurablein thispackage.Also,settingupsuchasfirewall is associatedwith sometime investment.

• No compromisesto the systemin caseof errors

An errorin thescriptor in theconfigurationfile shouldnot leadto openfilterrules.However, this goalis, in certainareas,difficult to realize.In any case,SuSEhasmadea strongeffort to achievethis goal.

• SimpleconfigurationSimplequestionsareasked– but also,only somany areaskedasabsolutelynecessary. This is, of course,thegreatestchallenge– but you will still needto have prior TCP/IP knowledge,administratorskills, a knack for systemsecurityandpatience.. .

65


• Automatedconfiguration

Tosimplify theconfigurationandalso,for bettersupportof dynamicsystems,theSuSETeamhastried to determineasmuchinformationaspossibleat theverymomentthefirewall scriptstarts.

• Support of dynamic IP addresses+ networks

Not only a dynamicIP address,but alsoseveral network cards(an infiniteamount)for theInternetaswell asfor theinternalnetwork aresupported.

The following sectioncontainsfrequentreferencesto filter rulesandnetworks.Filter rules,which apply to internalinterfacesor networks, is only processedifthey areconfiguredandavailableimmediatelywhenthefirewall scriptstarts.(Ifthey wereonly accessibleafter startingthe script, for instance,if the interfacewere"down", network communicationwould no longerbepossible!)

TheSuSEFirewall Scriptprocedurewhich is locatedin /sbin, canbeoutlinedasfollows:

a) First, theconfigurationfile, /etc/rc.config.d/firewall.rc.config,is read. Beforeanything can happen,the userwill first have to configure/etc/rc.firewall. Thesefiles will be createdautomaticallyif you areusingFAS.

b) A searchis thenconductedfor auxiliary programssuchassed, awk, grep,ifconfig, netstat and,of course,ipchains. If any oneof theseprogramscannotbedetected,anerrormessagewill abortthescript.Next, thekernelversionisverifiedto determinewhetheripchains is supported.Thescriptwill likewisebe terminatedif a 2.0 kernelis identified,or a warningissuedif the kernelversioncannotbeidentifiedat all.

c) Now, theinterpretationof theconfigurationfile follows,alongwith theevalu-ationof theimportantdataathand.In thisway, datafor all thenetwork cardsconfiguredin thescript,suchasIP addressandnetmask,will bescanned.Ifaninterfaceis not"up" (e.g.anISDN or aPPPinterface),filter ruleswill stillbegeneratedlater in thescriptprocedure,but only a few rudimentarysecu-rity mechanismswill be in place.After settingup a connectionwith ISDN,for example,theSuSEFirewall Scriptshouldbestartedagain.

d) Now you canbegin! First, the rulesareresetandthe default for incomingpacketsaswell asfor packetsfor routingthefirewall setto "discard".If, forsomereason,a packet in thescriptdoesnot have any rules,this packet willalwaysbe discarded.Packetswantingto exit the firewall will be setto thetargetvalue"allow".

e) If thefirewall is setto "route", this will activaterouting.

f) The/proc systemallowsyouto easilyconfigurethekernelwhile thesystemis running.Thescriptmakesuseof thisfor thepurposeof activatingsomese-curityoptions.Formany of theseoptions,theoptionFW_KERNEL_SECURITYin the configurationfile mustfirst be set to "yes", sinceit could otherwisehaverathercomplex consequences.

66


g) Then– mostimportantly– all traffic via theinterface"localhost"is released.

h) Now, thescriptwill handletherulespertainingto "IP spoofing"and"bypassprevention". Theserulesensurethatexternal/internalattackswhich pretendto be from anothernetwork segementare recognizedand refused. At thesametime,attemptsto directlybreakinto thenetwork will beimpeded.

i) Theredirectingruleswhich follow canbeusedto rerouteattackson the in-ternalnetwork or localportsto aspecialfirewall port.

j) A userconnectedto an internalandtrustworthy network canspecifyin theconfigurationfile whetherthe firewall shouldbe protectedagainstinternalattacksor not. If not, from this point on, any kind of traffic on the internalnetwork will bereleasedto thefirewall.Theoptionfor this is FW_PROTECT_FROM_INTERNAL.

Then,rulesfor ICMP, TCPandUDP aregenerated.

k) ICMP rulesaregeneratedin two phases.First, specialICMP packagesareallowedor deniedaccordingto theconfiguration:Packagessuchas"ping" tothe firewall, "sourcequench"messagesof the next front-endrouteraswellasresponsepackagesfor similar programssuchas traceroute. The secondphaseis comprisedof generalconfigurationsprohibiting dangerousICMPpackagesandallowing theessentialones.The internalnetwork canalwaysaccessthefirewall with "ping".

l) For TCPrules,theconfiguredservicesarefirst releasedto theoutside,thentotrustworthy networks,andfinally, to thoseservicesdesignatedfor the inter-nalnetwork. Subsequently, port113will beconfiguredto senda connectionresetin orderto preventunnecessarywait times(e.g. whensendinge-mails).Now, a noteworthyautomaticprocesscomesinto play:If FW_AUTOPROTECT_GLOBAL_SERVICES hasbeensetto "yes", theseser-viceswill be protectedby filter ruleswhich do not listen to any specialin-terfaces(to 0.0.0.0 or INADDR_ANY). In this way, all high ports for in-comingconnectionscanbereleased,if necessary, but with theassurancethatyour databasesetc.which mayberunning(on port 4545, for instance)willstill be protected.In conclusion,ruleswill be generatedasto whetherandhow unprivilegedports (between1024 and65535) can be accessed:Notat all; only nameserversasdefinedin /etc/resolv.conf; only connec-tions originatingfrom a given port (not recommendedsincethis safeguardis easyto circumvent);all connections.Internalsystemscanalwaysaccessunprivilegedports– with the exceptionof services,which areall protectedby AUTOPROTECT.

m) Thesameis donefor UDP, exceptthata connectionresetfor port113 is notrequired.

n) Next, thescripthandlestheroutingrulesfor definingon which outsidesys-temsaccesscanbemadeto aninternalnetwork. Theseroutingrulesshould,of course,not beusedfor obviousreasons!

o) Now themasqueradingrulesareconfigured.

67


p) The configurationof additionallog mechanismsfor specialpacketsis veryimportant,e.g. forbiddenTCPpacketsattemptingto establisha connection,etc. If LOG_*_ALL is set,everypacket reallywill belogged,whichwill gen-eratequitea few log entries,andshouldthusonly beusedfor troubleshoot-ing.

q) Lastbut not least,a few optimizationrulesfor SSH,FTP, WWW, SyslogandSNMP, for makingthesefasterandmoresecure(in termsof transferoverthenetwork).

Thiscompletesthescript. If thereis anerror, thereturnvalueis 1, otherwise,thereturnvalueis 0.

Now it isnecessaryto initialize thefirewall duringthebootingprocess.Thenameof theactualrc script is /sbin/init.d/firewall. It is calledup in runlevel2 with S04firewall_init and S99firewall_setup. S04 only generatesrudimentaryrulesanddoesnot returnany errors. This is only donewhen theS99 scriptis run,onceall servicesandinterfaceshavebeenproperlyconfigured.K51firewall removesall filter rulesat ("shutdown") andallowsany packet,whiledisablingtherouting.

Thefirewall shouldalwaysbestarteddynamicallyas

/sbin/init.d/rc2.d/S99firewall_setup start

usingdialupscripts,sothatfilter ruleswill only begeneratedif it is configuredto doso.

TRACEROUTE

To activatetraceroute andothersimilarapplications,thefollowing mustbecon-figuredfor themto functionproperly.FW_ALLOW_FW_TRACEROUTE=yes (at the very end of the expert-config)FW_ALLOW_FW_PING=yesFW_ALLOW_INCOMING_HIGHPORTS_UDP=yes

If youonly makethesesettingsandareusingtheSuSEFirewall, yoursystemis,however, in still notsecureasit is!

To furtherincreasethesecuritylevel of afirewall server, you should:

• Minimize any servicesto insecurenetworks(suchasthe Internet),only useapplicationswhich areconsideredsafe(e.g. postfix, ssh etc.) andconfigurethesecarefully. In addition,youwill needto ascertainthattheseapplicationsarenot, in fact,exhibiting any securitygaps.If at all possible,do NOT runany servicesas‘root’ anddo not run any servicesin a "chroot" environ-ment.

• Do not rely onany softwarewhichyou havenot testedyourselffirst.

• Checkyourserver’s integrity on a regularbasis.

• If you wantto usethefirewall/bastionserverasa masqueradingor a routingserver, which is not recommended,youshouldcheckto seeif proxyservicescanbeimplementedinstead,suchasSquid for theWWW, smtpd for e-mail

68


etc. Also, bewareof "chroot" hereaswell. Do not let any processesrun as‘root’. Disablethismachine’s routing.

Below, you will find explanationson theSuSEFirewall Scriptconfigurationfile/etc/rc.config.d/firewall.rc.config.

As alreadymentioned,you will not have to set up this file by hand. Use theFirewall AdministrationSystemon theSuSEFirewall Adminhost. However, ifyou want to edit this file for your own purposes,by all meansreadtheFirewallScript documentationandreview your script thoroughlybeforerunningit. Noguaranteeor supportcanbeofferedfor self-madeconfigurations.

� �

� �

NotePlease observe the following note:Configuring these settings and using the SuSE Firewall Script will not, on itsown, make your system secure on its own. There is NOTHING which cansimply be installed all at once and guarantee full protection against securityleaks.

For a “secure”system,you shouldalsokeepin mind thefollowing:

Backupany servicesprovidedfor unreliablenetworks(suchastheInternet)withsoftwarewhichhasbeendevelopedto accommodatesecurityrequirements(e.g.postfix and ssh). Do not implementany softwareoriginating from unreliablesources.Moreover, youshouldregularlycheckthesecurityof yourserver.

In orderto beableto startthefirewall script,thevariableSTART_FW in the/etc/rc.config file mustbesetto "yes". If theSuSEFirewall Adminhostis beingimplemented,this will takeplaceautomatically.

If this server is a firewall functioningasa proxy (no routingbetweennetworks),or if you arean end-userconnectedsimultaneouslyto the Internetandthe In-tranet,you will needto configurethe items2), 3), 9) andpossibly7), 10), 11),12),14) and18) aswell.

If the machineis functioningasa firewall and is to provide routing andmas-queradingfunctionality, you will thenneedto changetheitems2), 3), 5), 6), 9),andpossibly7), 10),11),12),15),18).

If you know exactly whatyou wantto do,you canreconfiguretheitems8), 16),17), 18) andthe expert options20) 21) and22) in the outermostmargin of thefile. However, SuSErecommendsthatyou refrainfrom doingthis.

If you wish to implement“diald” or “ISDN dial-on-demand”,you will want toedit theitem18).

To useapplicationssuchastraceroute togetherwith your firewall, you willhave to setthefollowing options:11) (only UDP),19)and20) to “yes”.

If you want to startall thepacket filter rulesyourself,configurea staticIP andnetmaskfor theseif they do not alreadyexist. Notetheexamples2), 3) and4).

Pleasebe aware that if you useservicenames,they will be locatedin /etc/services. Notethat thereis no service“DNS”, thecorrectnameis “domain”;for e-mail,“smtp” etc.

69


Every time routing takesplacebetweeninterfaces,with the exceptionof mas-querading,FW_ROUTE will have to be setto yes. Otherwise,usethe variablesFW_FORWARD_TCP and/orFW_FORWARD_UDP.

1. Shouldthefirewall scriptbestartedat thesystemboot?

For this, thevariableSTART_FW in /etc/rc.config mustbesetto "yes".

2. Which network interfacesareconnectedto theInternetor to unreliablenet-works?

Specifyall unreliablenetworkshere.You canenteranunlimitednumberofinterfaces,eachseparatedby a blankspace,e.g. "eth0"or "ippp0 ippp1".

FW_DEV_WORLD=""

You canspecifya staticIP addressanda network maskaddressandtherebyforcea packet filter rule to beloadedfor aninterfacewhich is not yet avail-able.

FW_DEV_WORLD_[device]="IP_ADDRESS NETMASK"

Youwill still haveto defineFW_DEV_WORLD first! Theentrywill thenappearasfollows:

FW_DEV_WORLD_ippp0="10.0.0.1 255.255.255.0"

3. Which network interfacesareassociatedwith theinternalnetwork? Specifyall trustworthynetwork deviceshere.If youarenot connectedto a trustwor-thy network (e.g. if you only have a dialup connection)then leave the listblank. You canenteran unlimited numberof network devices,eachsepa-ratedby a blankspace,e.g. "eth0"or "eth0eth1ippp0".

FW_DEV_INT=""

You canspecifya staticIP addressanda network maskaddressandtherebyforcea packetfilter rule to startfor aninterfacewhich is notyet available:

FW_DEV_INT_[device]="IP_ADDRESS NETMASK"

You will still have to defineFW_DEV_INT first! Seethe following examplefor theinternalinterface"eth0":

FW_DEV_INT_eth0="192.168.1.1 255.255.255.0"

4. Which interfaceis linkedto theDMZ?

Specifyall network deviceslinkedto theDMZ. Caution:Configurethevari-ablesFW_FORWARD_TCP andFW_FORWARD_UDP which specifythe servicesto beprovidedfor theInternet,andsetthevariableFW_ROUTE to "yes". Youhavethechoiceof: "tr0", "eth0eth1"or "".

FW_DEV_DMZ=""

You canspecifya staticIP addressanda network maskaddressandtherebyforcea packetfilter rule to startfor aninterfacewhich is notyet available:

FW_DEV_DMZ_[device]="IP_ADDRESS NETMASK"

You will still have to defineFW_DEV_DMZ first! Seethe following examplefor theDMZ interface"eth1":

FW_DEV_DMZ_eth1="192.168.1.1 255.255.255.0"

70


5. Should“routing” beactivatedbetweentheInternet,theDMZ andtheinternalnetwork?For this,youwill needFW_DEV_INT or FW_DEV_DMZ.

You will only needto set the variableto "yes" if you eitherwant to maskinternalmachinesor allow accessto the DMZ. This option overwritesthevariableIP_FORWARD in /etc/rc.config.

If you set this option, nothing will happenyet. Either activate the mas-queradingwith the variableFW_MASQUERADE further below, or configureFW_FORWARD_TCP and/orFW_FORWARD_UDP to definewhat is to berouted.Youcanonly specify"yes"or "no" here,thedefault being"no".

FW_ROUTE="no"

6. Doyouwanttomaskoutgoinginternalnetworks?Todothis,useFW_DEV_INTandFW_ROUTE.

“Masquerading”meansthat all your internal machineswhich useInternetservices,will appearas if they were originating from the firewall. Pleasenote that it is more secureto communicateover proxieswith the Internetthanto implementmasquerading.

Options:"yes" or "no", default: "no"

FW_MASQUERADE="no"

Whichinternalhosts/networksshouldhaveaccessto theInternet?Only thesenetworkscango on theInternetandwill bemasked. Leave the list blankorspecifyany numberof networks/hosts,eachseparatedby a blank space,aprotocoltypeandservicecanbeaddedto eachnetwork/host,separatedby acomma.

FW_MASQ_NETS=""

In addition, specify the interfacewherethe maskingis to take place,e.g."ippp0" or "$FW_DEV_WORLD"FW_MASQ_DEV="$FW_DEV_WORLD"

7. Do you want to protectthe firewall from internal networks? This can beaccomplishedwith thevariableFW_DEV_INT. If this variableis setto "yes",internalcomputerscanonly usetheservicesyouprovided.

Options:"yes" or "no", basicsetting:"yes"

FW_PROTECT_FROM_INTERNAL="yes"

8. Do youwantto protectall globally runningservices?

If you specify"yes" here,all network accessattemptsto TCPandUDP, notassociatedwith a particularIP addressor not otherwiseexplicitly permitted,will beprohibitedonthismachine.SeeFW_*SERVICES_*. "0.0.0.0:23"willbeprotected,for example,but "10.0.0.1:53"will not. Options:"yes"or "no",default is "yes".

FW_AUTOPROTECT_GLOBAL_SERVICES="yes"

9. Which serviceson theFir ewall host areto beopenedto theInternetor anyotherunreliablenetwork, to theDMZ, or to theinternalnetwork?(SeeNr.13& 14, if you want to routeyour network traffic over the firewall.) Specifyall portnumbersor portnames,eachseparatedby ablankspace.TCP-based

71


services(e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP– andUDP services(syslog)in FW_SERVICES_*_UDP. For IP protocols(suchasGREfor PPTPor OSPFfor routing),FW_SERVICES_*_IP mustbespecifiedby theprotocol’snameor number(seealso/etc/protocols).

Options:blanklist or portnumber, portname(see/etc/services) or portzones(e.g. 1024:2000),eachseparatedby a blankspace,or services(TCP)whichwill bevisible from theoutside,normally“smtpdomain”.

FW_SERVICES_EXTERNAL_TCP=""

Services(UDP)whichareto bevisiblefrom theoutside,normally“domain”:

FW_SERVICES_EXTERNAL_UDP=""

Services(all other)which areto bevisible for theDMZ, e.g. VPN/routing,terminatingat thefirewall:

FW_SERVICES_EXTERNAL_IP=""

Services(TCP) which are to be visible for the DMZ, normally “smtp do-main”:

FW_SERVICES_DMZ_TCP=""

Services(UDP)whichareto bevisible for theDMZ, normally“domainsys-log”:

FW_SERVICES_DMZ_UDP=""


FW_SERVICES_DMZ_IP=""

Services(TCP) which are to be visible for the internalnetwork, normally“sshsmtpdomain”:

FW_SERVICES_INTERNAL_TCP=""

Services(UDP) which are to be visible for the internalnetwork, normally“domainsyslog”:

FW_SERVICES_INTERNAL_UDP=""


FW_SERVICES_INTERNAL_IP=""

10. Which servicesshouldbereachablefrom trustworthy networksin theInter-net?

Specifythetrustworthy networks in the InternetandtheTCP/UDPservicesthey canuse.

Options:blank lists or any IP addressand/ornetworks,eachseparatedby ablankspace.

FW_TRUSTED_NETS=""

Specifyablanklist next to FW_SERVICES_TRUSTED_*, or theportnumbersandthe known port names(see/etc/services), or the port zones,eachseparatedby ablankspace,e.g. "25", "ssh","1:65535","1 3:5"

72


Services(TCP)whicharetobemadeavailableto trustworthynetworks/hosts,normally“ssh”:

FW_SERVICES_TRUSTED_TCP=""

Services(UDP)whicharetobemadeavailableto trustworthynetworks/hosts,normally“syslogtimentp”:

FW_SERVICES_TRUSTED_UDP=""

Services(all other)whicharetobevisibleto trustworthyhosts,e.g.VPN/routing,terminatingat thefirewall:

FW_SERVICES_TRUSTED_IP=""

Sometimes,sometrustworthy hostsare to have accessto certainservices,andothertrustworthyhoststo otherservices.Here,youwill havethechanceto setup this optionaccordingto thepattern:"trusted_net,protocol,port",sofor example,"10.0.1.0/24,tcp,8010.0.1.6,tcp,21":

FW_SERVICES_TRUSTED_ACL=""

11. Is accessto high,unprivileged(>1023)portsallowed?

You canallow ("yes") or deny ("no") all accessto the high ports; or allowany accessoriginating from a given port (specificationof port numberorservicename,which can,however, be easilycircumvented)or allow onlynameservers(DNS)– which youauthorize– to haveaccess.

If you want to enableactive FTP, you will have to set the TCP variableto"ftp-data".For passiveFTP, this is not necessary. Still keepin mind thatyoucannotuseany rpc requests.If you want to allow this, you will have to settheport zone"600:1023"in FW_SERVICES_EXTERNAL_UDP.

Options:"yes","no", "DNS", portnumberor portname,Default is "no".

Incomingconnectionsto port numbers>= 1024,TCP, normally: "ftp-data"(unfortunately!):

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

Incomingconnectionsto port numbers>= 1024,UDP, normally: "DNS" or"domainntp":

FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

12. Do youhaveoneor moreof thefollowing servicesrunning?Theserequireabit of caution,otherwisethey will not function.For serviceswhichyouwantto provide,setthevariableto "yes"andtheothersto "no". Defaultvaluesare"no".

FW_SERVICE_DNS="no"If "yes",port (or domain)53musthaveFW_SERVICES_*_TCP. ThevariableFW_ALLOW_INCOMING_HIGHPORTS_UDP mustbesetto "yes".

FW_SERVICE_DHCLIENT="no"If youareusingdhclientto obtainanIP address,FW_SERVICE_DHCPD mustbesetto "yes".

FW_SERVICE_DHCPD="no"If thishostis aDHCPserver, setFW_SERVICE_DHCPD to "yes".

73


FW_SERVICE_SAMBA="no"If youwantto implementSambaasa clientor serveron this host,setFW_SERVICE_SAMBA to "yes".

For aSambaserver,FW_SERVICES_{WORLD,DMZ,INT}_TCP="139" will still have to be set.Overall, it is a badideato useSambaon afirewall host.

13. Which servicesto be accessiblefrom the Internetmay accessthe DMZ orinternalnetwork?

With this option, you can allow accessfor your mail server, for instance.This hostmustpossessa valid IP address.If an openconnectionis to beestablishedto your network, thenjust usethis option to accessyour DMZ.Thefollowingvaluesarepossible:Leavethevariableempty(thebestchoice)or usethe following syntaxfor the forwarding rules. The rules are to beseparatedby blankspaces.

A forwardingrule consistsof:

a) SourceIP/network,

b) DestinationIP (dmz/internal),

c) Destinationport (or IP protocol),separatedby a comma

# Forward TCP connections# Beware of using this!FW_FORWARD_TCP=""# Forward UDP connections# Beware of using this!FW_FORWARD_UDP=""# Forward other IP protocol connections (for VPN setups)# Beware of using this!FW_FORWARD_IP=""

14. Which servicescanbeusedon maskedhosts(in your DMZ or internalnet-work)?

REQUIRES: FW_ROUTE, FW_MASQUERADE

With thesevariables,you canallow accessto your mail server, for instance.Thehostmustbe locatedin a maskednetwork segmentandcannothave anofficial IP address.

If FW_DEV_MASQ is setto your externalinterface,you will likewisehave tosetthevariablesFW_FORWARD_* from your internalnetwork to theDMZ fortheseservices.

� �

� �

CautionDue to security reasons, you should not use this feature, as it opensa security gap in your internal network. If your web server were to becompromised, so too would your entire network become vulnerable toattack.

74


Options:Leave theentryblank(bestchoice)or usethefollowing syntaxfortheforwardmasqueraderules.Therulesareto beseparatedby blankspaces.


b) DestinationIP (dmz/internal)

c) Destinationport,separatedby commas,e.g.: "4.4.4.4/12,20.20.20.20,2212.12.12.12/12,20.20.20.20,22"

# Forward TCP connections to masqueraded host# Beware of using this!FW_FORWARD_MASQ_TCP=""# Forward UDP connections to masqueraded host# Beware of using this!FW_FORWARD_MASQ_UDP=""# it is not possible to masquerade other IP protocols,# hence no _IP variable

15. Whichservicesshouldbereroutedto a localporton thefirewall host?

This canbe usedto relay all your internalusersover your HTTP proxy orto forward all incoming requeststransparentlyto port 80 on a securewebserver.

Option:Leavethelist blankor usethefollowing syntaxfor redirectingrules:


b) DestinationIP/network,

c) original specificationport,

d) localport to which thenetwork traffic is to bererouted,e.g.: "10.0.0.0/8,0/0,80,31280/0,172.20.1.1,80,8080"

Redirect TCP connectionsFW_REDIRECT_TCP=""Redirect UDP connectionsFW_REDIRECT_UDP=""

16. Which log level shouldbeforced?

You can decideif acceptedor deniedpackets are to be logged. You canalsospecifythe log level, "critical", or all. Note that*_ALL shouldonly beactivatedfor debuggingpurposes.

Optionsfor thevariable:"yes"or "no", FW_LOG_*_CRIT default is "yes".

17. Do youwantadditionalkernelTCP/IPsecurityfeatures?If yousetthisvari-ableto "yes", thefollowing kerneloptionswill beset:

75


# Log critical denied network packetsFW_LOG_DENY_CRIT="yes"# Log all denied packetsFW_LOG_DENY_ALL="no"# Log critical accepted packetsFW_LOG_ACCEPT_CRIT="yes"# Log all accepted packetsFW_LOG_ACCEPT_ALL="no"

icmp_ignore_bogus_error_responses,icmp_echoreply_rate,icmp_destunreach_rate,icmp_paramprob_rate,icmp_timeexeed_rate,ip_local_port_range,log_martians,mc_forwarding,rp_filter,routing flush

Options:"yes"or "no", default is "yes":FW_KERNEL_SECURITY="yes"

18. Shouldtheroutingremainactive if thepacket filter rulesarereset?For this,youwill needFW_ROUTE.

If you use“diald” or “dial-on-demand”via ISDN andIP packetsareto besentover the Internet,you will have to activate this function. Then,mas-queradingand routing will not be deactivatedwhen the script terminates.Youmightneedthis functionalityif youhaveDMZ. Note,however, thatthisis not secure!If you unloadthe IP filter rulesbut still have theconnection,yournetwork couldbevulnerableto attacks.

Options:"yes"or "no", defaultsetting:"no"

FW_STOP_KEEP_ROUTING_STATE="no"

19. ShouldICMP echopingsto thefirewall hostor to theDMZ beallowed?TheFW_ROUTE is requiredfor FW_ALLOW_PING_DMZ

Option: "yes"or "no", default is "no"

# Allow ping to firewallFW_ALLOW_PING_FW="yes"# Allow ping to DMZ host.FW_ALLOW_PING_DMZ="yes"

Creating your own packet filter with ipc hains

If youdonotwantto usetheSuSEFirewall Script,youwill alsohavetheoptionof configuringyour own packet filter with ipchains. You canadjustthe filterruless to meetyour particularneedon a Linux hostsuchastheSuSEFirewallAdminhostandsave this packetfilter setupwith ipchains-save to a file.

76


root@adminhost # ipchains-save > myfiltersetup 2>/dev/null

UsingFAS,youcanthenloadthisfile alongwith yourpacketfilter configurationto the“SuSELinux Live CD for Firewall” configuration.Thesefilter ruleswillbesavedto the/etc/ipchainsrc file on theconfigurationdisk andloadedbythe/sbin/init.d/ipchains scriptwhenbootingthefirewall host.

4.3.2 DNS

The nameserver BIND Version8 is usedto enablenameresolutionover thefirewall. If you wish to learnmoreaboutDNS, pleasereadthe chapterin theappendixof thismanual.BIND is configuredasforwarding/caching-onlyserver.Thatmeans,all requestswill bepassedon to theforwarders.

4.3.3 MAIL

postfix

A moresecure,quickerandmoreflexible modularmail transportagentwhich isutilized on theLiveCD asmail relay. Notethatabuilt-in harddisk is absolutelyessentialfor usingthemail relay function,becausepostfix first hasto routetheincominge-mailsto a buffer.

4.3.4 HTTP proxy

The“SuSELinux LiveCD for Firewall” utilizesamultitudeof proxiesto enablethemostrefinedaccesscontrolto HTTP/HTTPSservicesaspossible.Two sepa-rateproxybranchesareusedto governinternalaccessto theoutsideandexternalaccessto insidenetworks,respectively.

squid

Squid is the “http-proxy” per seandoffers extensive configurationoptionsaswell asaccesscontrolsfor clientsto the WWW by way of ACLs (engl.accesscontrol lists).

TheinternalHTTPproxySquid canbeconfiguredto bebothtransparentaswellasnon-transparent.In non-transparent mode,the following protocolsaresup-ported:

• http

• https

• FTP

Theprerequisitefor this is that theclients(webbrowser)likewiseentersthis asa proxy in its settings.

77


� �

� �

NoteSquid can, however, only process HTTP transparently! Transparent HTTPSor FTP do not function with Squid.There is currently no solution available for transparent HTTPS apart frombeing guided straight through the firewall.The proxy suite can be used for transparent FTP (internal FTP in the FAS).

More exactinformationon Squid canbefoundin theappendix.

httpf , tinypr oxy

The applicationhttpf is responsiblefor "contentfiltering". It is not actuallyaproxy, asproxy functionalityis furnishedby theprogramtinyproxy.

It is morespecificallya filtering proxy which canpreventdownloadingandex-ecutingprogramcode. This occursin that only known and benignlanguageelementsareforwardedto thewebbrowser. EventheHTTP headerentriescanbefilteredsothat,for instance,noinformationcanbepostedto theservervia theclient host’soperatingsystem.

TheconfigurationcanbegeneratedusingFAS on theadminhost.

transpr oxy

transproxy governsexternalaccessto aninternalwebserver.

Altogether, theseapplicationsoffer the option of multi-facetedfiltering: ACLsfor clients,servers,banlists,contentfiltering, webcaching.

4.3.5 FTP proxy

suse-ftp-proxy

FTP serviceis split up into two channels. First: settingup the internal con-nectionto the outsideandsecondly:settingup the externalconnectionto theinside/DMZ.

Internal to external:

magic user

Enablesthe username,the host, and the destinationFTP server’s port to beprovided(e.g. [email protected]:2345). So,automaticexecutionof theUSERcommand.

default-ftp-server

78


External to internal:

default-ftp-server

4.3.6 ssh

openssh enablesusageof a shell on a remotehostwheretheconnectionis en-crypted.

4.3.7 chroot, secumod, compar tment, kernel capabilities

To raisethe security level on the firewall, run the serviceson the SuSELiveCD for Firewall in a chroot environment. The “secumod”kernelmoduleand“compartment”will alsobe implemented.Settingcapabilitybits in the kernelincreasesthesecurityof thesystemapplications.

chroot With chroot,anapplicationcanchangeits view to thefilesystemirrevo-cablyby defininganew "root" for thefilesystem.As soonastheapplicationhasapplieditself to this segmentof the filesystem,this segmentwill adopttheroleof theentirefilesystemfor thisapplication.Therestof thefilesystemno longerexistsasfar asthis applicationis concerned.Evenif theprogramhassomehow crashed,thehackerwould remainin this chroot()environmentandthusnot beableto damagetheactualsystem.

secumod Specialkernelmodulewhich raisedthe systemsecuritylevel. Thisinvolvesdefining

• thetrustedpath,

• addinga banon hardlinks to filesnot belongingto theuser,

• protectingtheprocfilesystem,

• not tracing symlinks if they do not correspondto the processcurrentlyrunning(exception:theprocessis runningunder‘root’ permissions).

• protectingfifos,

• syscalltablechecking,

• logging,

• settingcapabilities.

compar tment Enablesexecutionof applications/servicesin chroot jails, withunprivilegedusers/groups.It supportsscriptswhich are called up beforetheprogramactuallystarts(e.g. in orderto setup a chroot()environment.)Supportstheusageof kernelcapabilities.

kernel caps KernelcapabilitybitsIncreasingsecurityby limiting thecapabilitiesof executableprograms.Thecapabilitiesaredocumentedin/usr/include/linux/capability.h

Using the applicationcompartmentis anotherrelatively simply option forspecifyingthecapabilitiesfor anapplication.

79


4.4 The Configuration Disk

Theconfigurationdisk containsthecompletesystemandapplicationlevel gate-way configurations.Theconfigurationdisk mustbeaccommodatedwith anext2 filesystemandob-tain thelabel"SuSE-FWFloppy" via thefollowing command:Inserta disk formattedwith anext2 filesystem.

/sbin/e2label/dev/fd0SuSE-FWFloppy

Theconfigurationdiskwill notberecognizedwithout this label.TheFAS (Fire-wall AdministrationSystem)on theSuSELinux Firewall Adminhostwill auto-maticallygeneratethefilesystemandthelabel.

Theconfigurationdiskwill bereadastheLiveCD is beingbooted.

4.4.1 Creating the configuration disk

Theconfigurationdiskcanbegeneratedon theSuSELinux Firewall Adminhostusing the administrationdesktopFAS. The FAS on the SuSELinux FirewallAdminhostwill generatea tar archive which will thenbe decompressedon thedisk. This is therecommendedprocedure.Changingtheconfigurationfileswithaneditorshouldonly beleft to expertswhoreallyknow whatthey aredoing.Nosupportis offeredfor manualconfiguration.

4.4.2 The configuration files

Thefollowing overview of theconfigurationfiles locatedonthedisk is for infor-mationpurposesonly; thefileswill alreadybegeneratedby theadmindesktop:

/etc/hosts(seemanhosts)/etc/hosts.allow (seeman5 hosts_access)/etc/hosts.deny (seeman5 hosts_access)/etc/inittab(maninittab)/etc/isdn//etc/cipe//etc/live-setup.conf/etc/passwd/etc/ppp//etc/localtime/etc/modules.boot

In the/etc/modules.boot file, youcanspecifyloadablekernelmodulesto bestartedalongwith thesystem.They will be listedwith their relative pathnamesin the/lib/modules/<kernelversion>/ directory. If necessary, additionaloptionscanbepostedto themodulesuchasirq or theIO addressesof thehard-wareused. Lines which begin with "#" will be ignored. If a "-" precedesthemodulename,anattemptwill bemadeto unloadthemodule(this maybenec-essaryif the automatichardware recognitiontries to load the wrong networkmodule,for instance).

80

4.4 The Configuration Disk

Example:

# In this file you can provide a list of modules# and options, that have to be loaded on system boot.# Module name can be used relative, i.e. net/ppp.o.## Module name [options]## z. B.:#misc/cipcb.o#net/slhc.o#net/ppp.o#net/ppp_deflate.o#net/ppp_mppe.o-net/de4x5.o # This module will be removednet/tulip.o # This module will be loaded

/etc/named/ containsthezonefiles of thenameserver.

/etc/named/master/ containsthemasterzonefiles.

/etc/named/sla ve/ containstheslave zonefiles.

/etc/named/r oot.hint containstheaddressesof theroot nameserver.

/etc/named.conf responsiblefor theconfigurationof named.

/etc/pam.d/ this directorycontainsthe PAM (PluggableAuthenticationMod-ule) configurationfiles

/etc/permissions.local setstheaccesspermissionof andto applications,filesetc.

/etc/postfix configurationdirectoryfor postfix; themajorconfigurationfile are:

• /etc/postfix/master.cf,

• /etc/postfix/main.cf,

• /etc/postfix/virtual,

• /etc/postfix/transport,

• /etc/postfix/access.

/etc/pr oxy-suite/ configurationdirectoryfor FTPproxies,

/etc/rc.config SuSELinux centralconfigurationfile;

/etc/rc.config.d/ containsfurtherconfigurationfiles which arereadby SuSEc-onfig;

/etc/rc.config.d/fire wall.r c.config configurationfile for theSuSEFirewallScript. It is generatedby theFAS ontheSuSELinux Adminhostfor Firewall.

/etc/resolv .conf configurationfor the resolver library, list of nameserver aswell assearchlist.

81


/etc/route .conf file containingthe informationrelatedto generatingthe statickernelroutingtable.

/etc/runle vel.fire wall Thisfile is responsiblefor consigningscripts/applicationsto firewall runlevels.If ascriptis to bestartedin acertainrunlevel, it is to beenteredin thecorrespondingcolumnin this file.

/etc/securetty list of thettys wheretheuser‘root’ canlog on

/etc/shado w Containsthe encryptedpasswords. Normally, thesearelisted intheform of a “*” for eachuser, that is, no login is possible.Thedecipheredpasswordsareonly availablefor user‘root’ to see. In FAS, you do notevenneedto giveapassword for ‘root’ in whichcaseaccessto thefirewallwouldonly bepossiblevia sshandRSA key.

/etc/squid.conf configurationfile for theHTTP proxySquid

/etc/ssh/ Containstheconfigurationfilesfor openssh: ssh_config andsshd_config.

/etc/su1.priv Configurationfile for thesu1 commandthatpermitsselectedusersto run programswith underuid=0(i.e. as‘root’).

/etc/syslog.conf Configurationof the syslogdaemon. To this end, readthefollowing manpages:man 5 syslog.conf, man 8 syslogd andman 3 syslog.Theloghostandthemessagesto beloggedareenteredin this file. Theentryfor theloghostshouldappearasfollows:*.* @hostname.domain.tl (or the IP address)

/etc/syslog.soc ks The log daemonsyslogn hasto createa writable socketfor all servicesstartedin thechroot environment;thisprocessis associatedwith thefollowing files:/var/named/dev/log,/var/squid/dev/log,/var/chroot/rinetd/dev/log,/var/chroot/ftp-intern/dev/log,/var/chroot/ftp-extern/dev/log

/sbin/, /sbin/init.d/ This directorycontainsself-written init scriptssuchas IPpacketfilter scripts.

/root/, /root/.ssh/, /root/.ssh/authoriz ed_keys This file containsthe rsapub-lic key of thefwadminuseron theSuSELinux Firewall Adminhost.This enablestheuser‘fwadmin’ to log in on thefirewall as‘root’. RSAkeys, which areprotectedby yet an additionalpassphrase,handleuserau-thentication.This passphraseis generatedduring the installationof thead-minhostby wayof theYaST2module“Firewall Admin Host”.YoucanalsogeneratetheRSAkeysat thecommandline usingthecommandssh-keygen(1). You canreadmoreaboutit in themanpage(man ssh-keygen).

It is highly recommendedto usethe administrationdesktopFAS on the SuSEFirewall Adminhost for creatingconfigurationfiles.

82

4.5 Boot Parameter s

4.5 Boot� Parameter s

You cangive bootparametersat thelinuxrc bootpromptasusual(seereferencemanual,kernelbootparameters).

Thefollowing restrictionsapply:

Due to securityreasons,init=/bin/bash or the like cannotbeenteredat thebootpromptfor obtainingprivilegedpermissionsin a shell.

Bootparametersbeginningwith "init=" will beignored.

83


84

5 Implementing the Firewall


Requirements for successful implementation:

You havemanuallycreateda configurationfor theSuSE Linux Live CD for Fire-wall by way of theSuSE Firewall Adminhost, or a configurationfloppy. Or youhave enlistedtheservicesof theSuSELinux SolutionsAG for settingup a fire-wall and you now want to begin operatingthe firewall host. Startingup thefirewall shouldproceedin several steps.First, checkto seeif your hostbootsusingtheconfigurationyou have setup, andalsoto seeif theselectedservicesstartandareavailablefor use.Next, checkto seeif theIP filter of thekernelisworking thewayyou haveconfiguredit.

5.1 Booting the Firewall Host

1. StartthehostandthenopentheBIOS setupprogram.Checkthesettingsforthetimeanddate.

2. Configurethe boot sequenceso that the host bootsfrom the CD first – ifpossible,only from theCD.

3. You mustassigna BIOS password in orderto prevent,for instance,changesto thebootsequence,or to preventthefirewall from beingbootedfrom disk.

4. Save theBIOS configuration.

5. InserttheSuSELinux LiveCD for Firewall.

6. Inserttheconfigurationfloppy.

7. Rebootthehost.

8. Note any errorswhich may appearwhenbootingandrevise the respectiveconfigurationfiles if needbe. If servicesdo not start (message:"<Servicexyz> failed/skipped"),the correspondingconfigurationfile for the service<xyz> containsan error. If this is the case,recreatethe configurationdiskusingtheFAS tool on theadminhostor revisetheconfigurationsavedthereandrewrite this to theconfigurationdisk.

You have, of course,alreadydefinedthe configurationof the hard disk usingFAS, but if thepartitions1 (swap)and2 (var) of thefirewall hostdo not corre-spondto thesettingsin the/etc/live-setup.conf file, a dialogscreenwillappear. If you wantto reconfiguretheharddisk,answer‘yes’.

85


5.2 Testing the Firewall

Beforeemploying thefirewall for daily use,testingshouldbedoneto ensurethat,first of all, thepacketfilter is configuredcorrectlyandthatsecondof all, the(con-figured)proxiesall startandrequestsareprocessedproperly. AdminhosttoolsareavailableontheSuSEFirewall for thesepurposes(see3 onpage17),suchasnmap,nessus,xlogmaster, logsurfer, httpclientsetc.Detaileddocumentationfortheseprogramsis availablein the/usr/share/doc/packages/ directoryontheSuSEFirewall Adminhost.Manpagesarealsoavailablefor eachprogram.

Only wheneverysingletesthasbeensuccessfullycompletedwill youbeabletostartup thefirewall. Pleasedocumentall testsyou carryout.

5.3 Operation

To operateyour SuSELinux firewall, first connectthe internal network onlyto the firewall andfurnish yourselfa laptopto be usedasan externalnetwork.Then,closetheconnectionto theinternalnetwork andestablisha connectiontotheInternet.If possible,testyourfirewall externally.

Checkyoursetup.TestEVERYTHING!

5.3.1 Internal testing

Testsyou shouldcarryout:

• Are all servicesavailable?

• Testif thepermittedservicesareworking from theinternalclients.Canyouaccesshttp/s,sende-mails,transferdatavia FTP?

• Are your restrictionseffective?

• Testyour packet filter. You cando this with a port scannersuchasnmap.Follow the log messagesof your firewall on the loghostor on your firewallitself. Let a packet sniffer run simultaneouslyto detectrestrictedpacketsorto seeif responsepacketsarenot beingsent.

• Are thelog filesbeingwritten to theloghost?

Fixing errors:

Determinethesourceof theproblem.Searchfor thelogfilesaccordingto processname,e.g. postfixor named:# grep postfix /var/log/messages

or# grep named /var/log/messages

Many programscanbeswitchedto “verbosemode”. In thisway, youcanobtaindetailedinformation(whichcan,however, bequiteextensive . . . ).

86

5.3 Operation

5.3.2 External testing

Testexternally to seeif the availableservicesareworking. For instance,youcansende-mailsto the internalnetwork. You shouldbe ableto seethe postfixmessagesin /var/log/mail onthefirewall host,astowhetherthee-mailswereacceptedandwereableto bedeliveredto theinternalmail server. Checkto seeif thepacketfilter is working. Thiscanbeverifiedby aportscanner. At thesametime,youwill find thekernelpacketfilter messagesin /var/log/messages aswell asin thelog directoriesof theloghost.Thesemessageswill bereflectedinthe "DENY" and"ACCEPT"messages.Try to setup connectionsto explicitlyrestrictedportsandattemptto find thecorrespondinglog entriesandmatchthemto theircorrespondingevents.

If youareusinga loghost,checkto seeif thelog messagesarebeingtransmittedin theirentirety.

5.3.3 “Reall y” going online

Only after you have completedall thesetests,connectthe firewall host to theInternetandto your Intranetandbegin productiveoperation.

� �

� �

NoteConstantly monitor your log files. This is the only way you can ensure atimely response to attacks or failures. If unusual events occur, react imme-diately. Raise the log level (if possible) and refine your log analysis.

87


88

6 Help

6 Help

In this chapter, you will find informationasto how you cancreatea setupcon-ceptfor a firewall solutionin your network usingthe “SuSELinux Firewall onCD”. You alsohave theoptionof makinguseof theservicesof theSuSELinuxSolutionsAG to havea plandrawn up which is tailoredto yourspecificneeds.

6.1 Troub leshooting

You will find helphereif theadminhostis not ableto beinstalledor if theSuSELinux LiveCD for Firewall is not booting.

6.1.1 Problems Installing the Adminhost

If you have troubleinstallingtheSuSELinux Firewall Adminhost,SuSELinuxInstallationSupportis available to you free of charge. First, it is worth yourwhile to take a glanceat the supportdatabase.Here,you will find a realmofinformationon a variety of installationproblems– a keyword searchwill helpyouhere:

http://sdb.suse.de

6.1.2 Problems Booting the Live CD

To simplify your troubleshooting,youshouldobserveandnotethefollowing:

• Whathappenswhenyouboot?

• Are servicesnot beingstartedwhich havealreadybeenconfigured(skipped/failedmessages)?

• Do errormessagesappearon theconsole?

• Are there kernel error messageson tty9/tty12? To seethesemessages,changeto this consoleusing �� Alt + �� F9 or �� Alt + �� F12 .

Problems integrating the network:

Observe andnotethenatureof theproblems.For example,on thefirewall, testwhetherthenetwork interfacesareconfiguredcorrectly(log in to thefirewall asuser‘root’):

89

6 Help

root@firewall: # ifconfig

This commandwill show you which interfacesareconfiguredandwhich IP ad-dresses,network masks,etc. are set up. If necessary, correct the configura-tion usingFAS andcreatea new configurationfloppy. Thehostwill have to berestartedto committhenew configuration.

• Whichservicesfunctionfrom theclientside(Intranet)?Shouldthey befunc-tioning?Thelog filescanhelpyoudeterminewhetherit is aprobleminvolv-ing unauthorizedaccess.Try reproducingtheerrors.

• Is externalaccessto availableresourcesnot functioning?Whichservicesareaffected?Shouldtheresourcesreally beaccessible?

Testusingps(1)whethertheprocessis available;thatis, whethertheprocessis accessible.If servicesarenot accessible,checkyour logfiles. Hereyouwill find messagesaboutwhy a particularservicewasnot startedor whetheranunauthorizedreally hasbeenattemptingto makeuseof theservice.

Testfrom severalclientswhetherthefirewall hostis accessibleandwhethertheproxiesareresponding.

6.2 Security Polic y and Comm unication Anal ysis

To ensurethat the internalnetwork’s connectionto theInternet(or to any other“unprotected”network) is secure,afew thingswill needto beclarifiedfirst. Thisincludesoutliningasecuritypolicy for yourown network aswell asundertakinga communicationanalysis.

6.2.1 Security Polic y

Thesecuritypolicy providesthebasisfor working with all programs,hostsanddata.In addition,it outlineshow to guaranteethemonitoringof securityguide-linesandhow (internalor external)breachesof this policy areto behandled.Inorderto draft a securitypolicy, it is bestto producea communicationanalysis.To thisend,thefollowing topicsareof utmostimportance:

• An analysisof your securityrequirementsis necessary. What needsto beprotected?

• Are thereareasof the Intranetwhich containespeciallysensitive data(e.g.personelldepartment,datacritical of thecompany etc.). Whereis this datalocated?

• Whocanaccessthedata?Are therevariouslevelsof authorization?

• Shoulddatabeavailableover thenetwork?

• Which servicesshouldbe accessibleinternally? Which servicesshouldbeaccessiblefrom internalto external(e-mail,surfing,datatransfer)andwhichservices,externalto internal(e-mail,webservices,datatransfer)?

90

6.3 Services Offered by SuSE Lin uxSolutions AG

Thelist of questionsto beclarifiedfor a securitypolicy mustbedrawn up indi-vidually andanswered.

6.2.2 Communication Anal ysis

Themostimportantaid for carryingout a communicationanalysisis a commu-nicationmatrix.

The servicesavailablefor client hostsandusersarerepresentedherein a tableformat.Thismatrix is thenmappedto theproxies/IPfilter rules.

Setting up a comm unication matrix:

Make a list of all clients/serverson your network. Thendefinewhich protocolsmaybeusedby which clients.Also, statein which directioneachpacketcanbesentor received.

An examplefor HTTP protocol: The client host1needsto accessa webserverin the internalnetwork, but shouldnot be ableto establisha connectionto anexternalwebserver. Theentryin thecommunicationmatrix will thenappearasdepictedin theexampleshown below.

Exampleof a communicationmatrix:

Protocol icmp ftp ssh smtp http https . . .Client internal external i. e. i. e. i. e. i. e. i. e.

host1 x – x – – – x – x – –host2 x – – – x – x – – – – –host3. . .hostn

With thehelpof suchacommunicationmatrix,youwill alwaysobtainanoverviewof thecommunicationconstellationswithin thenetwork. Thiswill notonly sim-plify theconfigurationof yournetwork, but alsoerroranalysis.

6.3 Services Offered by SuSE Lin ux Solutions AG

SuSELinux SolutionsAG offersits servicesto you in theareasof:

• Consulting:

Clarificationof securityneeds,communicationanalysis

• Planning:

– Hardwarerequirements

– Network planning/integration

91

6 Help

• Installation:

– On-siteinstallationof thefirewall solution

– Conductingtestson-site/remote

– Documentation

• Maintenance:

– Businesssupport(availableatcost)

– Online maintenancevia modem/call-back(by consulting/businesssup-port)

6.4 Updates

One of the most importantaspectsof operatinga firewall is constantmainte-nanceof theimplementedsoftware.As soonasa securitygapis discoveredandremedied,therespectivesoftwaremustbeupdated.

If sucha securityupdateaffectsthe"SuSELinux Live CD for Firewall", a newLiveCD will besentto you. ThisupdateCD cansimplybeinsertedinto theCDdriveof thefirewall hostandthefirewall thenrestarted.

Security-relatedupdatesfor the SuSELinux Adminhost for Firewall will bemadeavailable on the SuSEFTP server. This packagecan be loadedto theadminhostandinstalledby giving a commandasexemplifiedbelow:root@adminhost:# rpm -Uhv newpackage.rpm

Also, pleasefollow the instructionspostedon thesecuritymailing lists andtheSuSEwebserver:

http://lists2.suse.com/archive/suse-security

http://www.suse.de/de/support/security/index.html

————————————————–

92

6.5 What to Do If . . .

6.5 What� to Do If . . .

6.5.1 Intrusion Detection and Event Displa y

A “properly” configuredLinux/UNIX systemcan,in andof itself, beconsideredquite secure. System-immanenthazardswhich areassociatedwith a complexsystemsuchasLinux or UNIX aremoreeasilyrecognizedthanon otheroper-ating systemsbecauseUNIX hasbeenusedandfurther developedfor over 30years.UNIX alsoformsthebasisof theInternet.Nevertheless,configurationer-rorscanoccurandsecurityholescanturn up time andagain.Therewill alwaysbesecurityflaws. Securityexpertsandhackersarein perpetual“competition” tobe onestepaheadof the other. What qualifiestodayassecuremay alreadybevulnerabletomorrow.

Signs of intrusion into your system

Any abnormalbehavior on your firewall systemcanbeconsidereda signthatayousystemis beingcompromised,e.g.:

• increasedprocessorload,

• unusuallyheavy network traffic,

• unusualprocessesor

• processesarebeingstartedby non-existentusers.

Indications in the system logfiles, in the system configuration – How canan intrusion be recogniz ed?

First, you shouldbe clearas to which actionsare to be definedas intrusions.Unfortunately, it is normalthesedaysthata hostconnectedto the Internetwillbescannedfor openandvulnerableports.It is justascommonthatportshavingbeenrecognized,somewherealongtheway, asbeingvulnerable(pop3/qpopper,rpc-mountd,smtp/sendmail)areattacked. Most of theseattacksarecarriedoutby “script kids”. Pre-fabricated“exploits” which arepublishedon relevantwebsites(e.g. http://www.rootshell.com) areused.Thesewebpagesalsoex-ist asvaluableinformationsourcesfor network andsystemadministrators.Theycanusuallybeidentifiedby thefactthatthehackis only carriedout onceandisnot repeatedif theactionfails in thefirst attempt.Thefirst measureyou shouldtake in caseof suchanevent is to checkthata break-inreally did happen.Fur-thermore,youshouldraisethelog levelandrefinetheevaluation(e.g.aselectivesearchaimedat anintrudingIP addressin thelogfilesor any unusualport num-bers).

Whatyou considerto bea dangerousattackon your systemremainsup to yourdiscretion.But at leastyou shoulddeterminehow you aregoingto reactto suchanevent.

Whatto doif yoususpectanintrusion?Thefollowing literatureis recommendedfor suchcases:

93

6 Help

“Stepsfor Recovering from a Unix Root Compromise”(http://www.cert.org/tech_tips/root_compromise.html)

RFC2196

SiteSecurityHandbook

Bothpublicationsdescribeprocedureswhichshouldfollow any successfulbreak-in. Thedocumentsprovidea formal startingpoint asto how a company, agencyor educationalinstitutionmayreact.Theprocedurediscussedtherenecessitatesa certainamountof memoryto be able to take “snapshots”of the system,aswell asrequirescolleaguesto carryout theanalysisandto examinethesecurityproblem.Situationsaredescribedwhich maynecessitatethatpunitiveactionbetaken.

Whatto do if you suspecta successfulattack:

• It is importantto staycalm.Hastyactionscandestroy importantinformation(e.g. processesinitiatedby thehacker).

• The courseof action as well as who to inform shouldbe outlined in thesecuritypolicy. Thecommunicationshouldnot take placeby e-mail,but bytelephoneor by fax.

• Physicallycut thenetwork connectionto thefirewall. It is not agoodideatoshutdown thecomputer. Importantinformationcouldbelost,e.g. programswhichweremanuallystartedby thehacker.

• List all running processeswith ps and searchfor processeswhich do nottypically occurin normalfirewall operation.

• Draw upaprocesstablewhensettingup thefirewall whichcanlaterserveasabasisfor comparison.

• Checktherunningprocessesfor tiesto unusualTCPor UDP ports.

• Werethepacketfilter ruleschanged?

• Compareall configurationfiles with theoriginal configuration.This is veryeasywith the “SuSELinux Firewall on CD”, sincethe configurationis al-readysaved on the adminhost. In doing so, however, it is essentialnot torestartthefirewall host,sinceotherwise,any changesto thefilter rulescouldbelost!

• Also backup all logfiles. Thelogfilescouldbelegally admissibleevidence.Documentall stepsyou have taken. If you save the logfiles locally to theharddisk, you shouldmake a 1:1 copy of the harddisk for documentationpurposes.

• Saveyourdatato CD or to anothermedium(tapedrive,ZIP drive).

• Analyzethe logfiles: Who tried whenandfrom where(IP address,domainname,possiblyeven username)to accesswhich services/ports?Wasan at-temptmadeto uncover passwords (multiple failed login attemptswith thesameusername)?

94

6.5 What to Do If . . .

• Makesurethatyouareusingauniformandexacttimesource.It is importantthatthehardwareclock of thefirewall hostandthelog hostareascloselyinsyncaspossible.Usea commontime sourcefor all your serverswheneverpossible.Only in this waycaneventsbekepttrackof accurately.

• Whichpartsof thesecuritypolicy wereviolated?Thisis especiallyimportantin regardto internalintrusions.

• You may want to deactivatethe useraccountin your network, the accountwhich carriedout the attack. The relevant procedurepertainingto internalviolationsshouldalsoberegulated(securityor company policy).

6.5.2 External Attac ks

Inform thesystemadministratorresponsiblefor theaddressblock (via postmas-teror thedomain’sabuseaddress).

Thequestionis raisedasto what informationneedsto bepassedon. Thereportof an incident or attackshouldcontainenoughinformation to ensurethat theother party can investigatethe problem. However, considerthat your contactpersoncouldbetheonewho hascarriedout theattack.Hereis a list of possibleinformationyou canprovide. You candecidewhich of the following piecesofinformationyouwantto give:

• Youre-mailaddress,

• Telephonenumber

• Your IP address,hostname,domainname,

• theIP addresses,hostnames,domainnamesaffectedby thehackingincident

• thedateandtime of theintrusion,preferably, with thetime zonesin relationto theGMT,

• adescriptionof theattack,

• how theattackwasrecognized,

• excerptsof thelogfilesrelatingto theattack,

• adescriptionof thelogfile format,

• statementof advisoriesandsecurityinformationwhich describesthenatureandseverity of theattack,

• whatyou want the contactpersonto do: Closean account,confirm the oc-curenceof anattack,issueareportfor informationpurposesonly, requestforfurtherobservation.

Onceyouhavegonethroughall thedatasecurityanddocumentationprocedures,setupyourfirewall again.Raisethelog level of eachapplicationif possible.Youcanbequitesurethatthehackerwill try to infiltrateyoursystemagain.Thiswillbetheopportunityto catchtheintruderred-handed.

95

6 Help

Examples:

Log in to theconsole.

Examinethelogfiles.

For example:

# grep DENY /var/log/messages | less

With this commandyou will seeall the lines containedin a DENY, that is, thelineswhich werelistedby thekernel’s packet filter. For instance,you cannowsearchfor certainunusualIP addresses(frequentlyoccurringDENY messageswhich correspondto IP addresseson oneor moreport numbers).Find out ex-actlywhathappened.Usingthetoolspreviouslymentioned,examinethelogfilesaccordingto definablecriteria. Problem:Sometimesit is unclearwhat to lookfor until you find it . . . It is alsopossiblethat a systemadministratorfrom an-other network is reportinga complaint,via postmasteror abusemail address,thatattackshave beenoccurringfrom your network to remotehosts.Take suchcomplaintsseriously. Requestthatlogsof all intrusionsaresentsothatyoumayhaveaclueasto thedateandtimeaswell asthemethodof attackontheexternalsystem.Attemptto verify thecircumstancessurroundingtheincident.A hacker,intruderor attacker may have alreadyoversteppedthe securityboundariesandmisusedyournetwork for his intentions.In respectto this,thereputationof yourbusinesslikewisehangsin thebalance.

Onceyou have backed everythingup anddocumentedit, review your firewallconfiguration.After remedyingpossibleerrorsor after shuttingdown servicesyou deemat risk, restartyour firewall. This shows the clearadvantageof the“SuSELinux Firewall onCD”: Theoriginalstatusof thefirewall will berestoredsimply by rebootingthefirewall host,makingacomplicatedreinstallationof theoperatingsystemandbringingin thebackupswholly unnecessary.

6.5.3 Advantage of the Live Filesystem of the “SuSE Lin uxFirewall on CD”

Oneof thegreatestadvantagesof theSuSEFirewall is thatits initial statecanberestoredsimply by bootingit. In any case,you should,of course,keepin mindthatany possibleconfigurationerrorsmayreappear.

If thefirewall hasbeenbreached,themethodof intrusionshouldbeinvestigatedin order to be able to correctconfigurationerrors. If securityholesare foundin applications,SuSELinux AG providesupdatesfor theaffectedapplications–meaningin thecaseof the“SuSELinux LiveCD for Firewall”, a new CD.

You canfind moreinformationhere:

http://www.cert.org and

http://www.first.org

96

6.6 Professional Help and Suppor t

6.6 Pr ofessional Help and Suppor t

If you suspectan attack,but areuncertainas to whetherthe attackhasled todamageto your network, despitehaving carriedout the review proceduresasdescribedabove,you shoulddefinitely introduceinitial securitymeasures.Thatmeans,first andforemost,physicallydisconnectingthenetwork .

Direct your inquiriesto the vendorwhereyou purchasedthe SuSEFirewall onCD or consultSuSEdirectly. In suchcases,you canalsocall the professionalsupportat SuSELinux GmbH or enlist the servicesof SuSELinux SolutionsAG.

6.6.1 Suppor t Regulations

Installation suppor t coverage

Theinstallationsupportis thereto assistyou in installingyourSuSELinux Sys-tem, readyfor operation. This also appliesto the centralsystemcomponentswhich allow for fundamentaloperation.It includes:

• Supportrangingfrom the installationof the SuSELinux basesystemon ahostfrom the“Admin CD for Firewall” to thesuccessfulstartupof the“Fire-wall AdministrationSystems”(FAS).

• Theconfigurationof thebasishardwareof thishostwith thegraphicalinstal-lation tool YaST2,i.e. thecentralcomponentsof thePC,excludingperiph-eraldevicesbut includingtheconfigurationof anethernetcard.

All thetopicsnot mentionedherearenot coveredby installationsupport.

Time period of installation suppor t

The installationsupportfor theAdmin CD for Firewall lastsfor a periodof 30daysfollowing theregistrationdate.

How do I reach the SuSE Suppor t Team?

You canreachour supportteamby e-mail,faxor postalmail:

• E-mail:

Address: [email protected]

Processing: weekdays

• Fax:

Faxnumber: (09 11) 74 05 34 77


97

6 Help

• Postal mail:Address: SuSEGmbH

– Support–Schanzäckerstr. 10D-90443Nürnberg


6.6.2 Professional Services

Evenif anoperatingsystemcomeswith all thenecessaryfacilities: it will onlybea viablealternative for usein thecorporateenvironmentin combinationwithprofessionalandqualifiedsupportservices.SuSEguaranteesthiskind of servicefor Linux. All informationon this canbefoundat thecentralsupportportal forSuSELinux:

http://www.suse.de/en/support/

Individual Projects and Consulting

You’d like to useSuSELinux at your placeof business.We offer competentconsultationandsolutionsenablingyouto optimizetheperformanceof Linux inyourfield of computing.We have a large amountof experiencein the deploymentof Linux serversbe-causewe’ve beendealingwith Linux sincethe early days. This is wheretheexperienceof ourconsultantscomesinto play;youcanusetheknow-how of ourexpertsto successfullyrealizeyour projects. Our strengthlies in our versatil-ity; Databases,securityissues,Internetconnectionor company-wide networks,Linux is, with theright software,a powerful platformfor yourapplications.Our servicesrangefrom the conception,implementationandconfigurationofserversystemsto acompleteinfrastructureconsultation.You may want, for instance,to implementyour Internetpresenceon a SuSELinux basisandarethereforelooking for web server, e-mail andsecureserversolutions? Our consultantscan help you to conceptualizeand implementtheright solution.Are you managinga complex heterogenousnetwork in which you’d like to in-tegrateLinux? We offer consultationandsupportfor the designandrollout ofcomplex serversolutions.Do you have specialrequirementsor needsthataren’t fulfilled by standardsoft-ware?We canassistyou furtherin individualizedsystemdevelopment.On-sitesupportis providedby thecompany SuSELinux SolutionsAG:

SuSELinux SolutionsAGMergenthalerallee45-47D-65760EschbornTel: + 49/ 6196/ 509510Fax: + 49/ 6196/ 409607E-Mail: [email protected]

98

6.6 Professional Help and Suppor t

RepresentedbyourRegionalServiceCentersin Hamburg,Berlin,Bonn,Stuttgart,Frankfurt, Munich and Nuremberg, as well as our Supportand DevelopmentCenterin Nuremberg.

• Rollout andImplementationServices

• InfrastructureConsultation

• IntranetServerSolutions

• InternetServerSolutions

• Developmentof Client-specificRequirements

• CompleteSolutions

• E-Commerce

6.6.3 Training

Our specialiststrain systemadministratorsandprogrammersin sucha way thatthey areableto make useof thewide rangeof possibilitiesin Linux asquicklyas possible– and thus be able to work productively. For more informationon a training courses,have a look at http://www.suse.de/en/support/training/.

6.6.4 Feedbac k

We alwaysappreciateyour tips, hints andproblemdescriptions.We will helpyou if your problemis a straightforwardone,or if we alreadyhave thesolutionat hand.Your feedbackmayprovideuswith usefulinformationto helpusavoidthis problemin our next release,thushelpingotherSuSELinux customersviaour WWW serveror theSupportDataBase.

We makeeveryeffort to constructaSuSELinux systemwhichmeetsthewishesof our customersascloselyaspossible.We thereforemuchappreciateany crit-icism of our CD or of this book. We think that this the bestway to correctsignificanterrorsandto maintainourhighstandardof quality.

Sendfeedbackany time to [email protected] electronicmail, or you cansendusa letteror fax.

6.6.5 Fur ther Services

We would also like to draw your attentionto our servicesthat are availablearoundtheclock, freeof charge:

• SuSEWWW Serverhttp://www.suse.com

Up-to-dateinformation, catalogs,orderingservice,supportform, supportdatabase

99

6 Help

• SuSEMailing Lists (informationanddiscussionsvia electronicmail):

– [email protected]– announcementsconcerningSuSEGmbH(German)

– [email protected]– announcementsconcerningSuSEGmbH(English)

– [email protected]– Discussionsconcerningthe SuSELinux Distri-bution (German)

– [email protected]– Discussionsall aboutSuSELinux (English)

– [email protected]– DiscussionconcerningtheSuSEproxysuite(En-glish)

– [email protected]– InformationanddiscussionconcerningAdabas-D in SuSELinux (German)

– [email protected]– Discussionsconcerningthe Applixwar e pack-ageof SuSEGmbH(German)

– [email protected]– SuSELinux on alphaprocessors(English)

– [email protected]– InformationanddiscussionconcerningSuSELinux andLotusDomino(German)

– [email protected]– SuSELinux andamateurradio(German)

– [email protected]– SuSELinux andamateurradio(English)

– [email protected]– SuSELinux andIBM DB2 (English)

– [email protected]– ISDN with SuSELinux (German)

– [email protected]– Information and discussionconcerningIn-formix in SuSELinux (English)

– [email protected]– SuSELinux on laptops(German)

– [email protected]– SuSELinux on Motif (English)

– [email protected]– Information anddiscussionconcerningOraclein SuSELinux (English)

– [email protected]– SuSELinux on PowerPCprocessors(English)

– [email protected]– Discussionof securityissuesin SuSELinux(English)

– [email protected]– Announcementof security-relatederrorsandupdates(English)

– [email protected]– SuSELinux on Sparcprocessors(English)

To subscribeto a list, sendanelectronicmail messageto:! LISTNAME " [email protected] automaticresponsewill besentbackwhich youwill needto confirm.

For ! LISTNAME " , substitutethe nameof the mailing list you want tosubscribeto; [email protected],to receiveregularan-nouncements.

Theprocedureis similar for unsubscribingfrom a list:

100

6.7 Bib liograph y

! LISTNAME " [email protected] sendtheunsubscribemail with theproperelectronicmailaddress.

• SuSEFTP Serverftp://ftp.suse.com

currentinformation,updatesandbug fixes

Log in to thesystemasuser‘ftp’.

6.7 Bib liograph y

• D. BrentChapman& ElizabethD. Zwicky: EinrichtenvonInternet-Firewalls,O’Reilly 2000.

• WolfgangBarth: SuSEFirewall Book, SuSEPress2001.

• MaximumLinuxSecurity, SAMS 1999.

• RobertL. Ziegler: LinuxFirewalls, New Riders1999.

101

6 Help

102

A DNS – Domain Name System


DNS (DomainNameSystem)is neededto resolve the domainandhostnamesinto IP addresses.In this way, theIP address192.168.0.20 is assignedto thehostnameearth, for example.

A.1 Star ting the Name Server BIND

The nameserver BIND8, as well as the new versionBIND9, is alreadypre-configuredin SuSELinux, so that you can easilystart it right after you haveinstalledtheLinux distribution.

If you alreadyhave a functionalInternetconnectionandhave entered127.0.0.1asnameserver for the localhostin /etc/resolv.conf, you shouldnormallyalreadyhavea workingnameresolutionwithouthaving to know theDNSof theprovider. BIND thuscarriesout the nameresolutionvia the root nameserver,a notablyslower process.Normally, theDNS of theprovider shouldbeenteredwith its IP addressin theconfigurationfile /etc/named.confunderforwardersin order to ensureeffective and securenameresolution. If this works so far,thenameserver will run asa pure“caching-only”nameserver. Only whenyouconfigureits own zoneswill it becomea properDNS.A simpleexampleof thiscanbefoundin thedocdirectoryunder/usr/share/doc/packages/bind8/sample-config. However, youshouldnotsetupany official domainsuntil youhaveactuallybeenassignedonefrom theinstitutionresponsiblefor ’.de’ it is theDENIC eG,for instance.Evenif you have your own domainandit is managedby the provider, you arebetteroff not to useit, asBIND would otherwisenotforward any morerequestsfor this domainandthus the provider’s webserver,for example,would not beaccessiblefor thisdomain.

In orderto startthe nameserver, the following is enteredat the commandline(asroot):rcnamed start

If “done” appearsto the right in green,this meansnamed, as the nameserverprocessis called,hasbeenstartedsuccessfully. You can immediatelytest thefunctionalityof thenameserveronthelocalsystemwith thenslookup program.Thelocalhostshouldshow upasthedefaultserverwith theaddress127.0.0.1.Ifthis is not thecase,thewrongnameserver hasprobablybeenenteredin /etc/resolv.conf or this file doesnot exist. For the first test, you shouldenternslookup “localhost”or “127.0.0.1”at theprompt,whichshouldalwayswork.If you receiveanerrormessageinstead,suchas“No responsefrom server”, youshouldcheckto seeif named is actuallyrunningusingthefollowing commandrcnamed status

103


If thenameserverdoesnotstartor is exhibiting faultybehavior, youcanfind thepossiblecausesof this loggedin “/var/log/messages”.

If you have a dial-upconnection,you will have to be surethatBIND8, onceitstartsup,will checktheroot nameserver. If it doesnot managethis,becauseanInternetconnectionhasnot beenmade,this cancausethe DNS requestsnot toberesolvedotherthanfor locally definedzones.BIND9 behavesdifferently, butrequiresquiteconsiderablymoreresourcesthanBIND8.

In orderto implementthe nameserver of the provider, or onethat you alreadyhave runningon your network as“forwarder”, you mustenteroneor moreofthesein theoptions sectionunderforwarders:

options {directory "/var/named";forwarders { 10.11.12.13; 10.11.12.14; };listen-on { 127.0.0.1; 192.168.0.99; };allow-query { 127/8; 192.168.0/24; };notify no;

};

The IP addressesusedin the examplearearbitraryandtherefore,mustbe ad-justedto yourpersonalenvironment.

After options follow thezones.Thereshouldat leastbetheentriesfor “local-host”, “0.0.127.in-addr.arpa”, and“.”. Theentriesfor “type hint” do not needtobemodified,asthey functionin their presentstate.

Also, pleasebesurethata“;” followseachentryandthatthebracesareproperlyset.

If youhavemadechangesto theconfigurationfile /etc/named.conf or to thezonefiles,youwill haveto adjustBIND to rereadthesefiles. Youcando thisbyenteringrcnamed reload.

Otherwise,you cancompletelyrestartthe nameserver by giving the commandrcnamed restart. If youneedto stopthenameserver, enter:rcnamed stop.

If named shouldbealreadystartedwhenbooting,youwill only haveto resettheentryin /etc/rc.config, START_NAMED=no, to START_NAMED=yes.

A.2 The Configuration File /etc/named.conf

All the nameserver settingsBIND8 andBIND9 areto be madein the /etc/named.conf file. Thezonedataitself, however, is thehostnames,IP addresses,etc. For the domainsto be administered,separatefiles are to be storedin the/var/named directory, but moreon this in thenext chapter.

The/etc/named.conf is roughlydividedupinto two areas:oneis theoptionssectionfor generalsettingsandthe otherconsistsof zone entriesfor the indi-vidual domains.Additional sectionsfor logging andacl type entriescanbeadded.Commentlinesbegin with a‘#’ signor a‘//’.

A minimalistic/etc/named.conf lookslikeexampleA.2.1on thenext page.

104

A.2 The Configuration File/etc/named.conf

options {directory "/var/named";forwarders { 10.0.0.1; };notify no;

};

zone "localhost" in {type master;file "localhost.zone";

};

zone "0.0.127.in-addr.arpa" in {type master;file "127.0.0.zone";

};

zone "." in {type hint;file "root.hint";

};

File contentsA.2.1: Exampleof anamed.conf

This exampleworks for both BIND8 andBIND9, sinceno specialoptionsareusedwhich areonly understoodby oneversionor theother. BIND9.1.1acceptsall BIND8 configurationsandmakesnoteof optionsnot implementedatstart-up.SpecialBIND9 optionsare,however, not supportedby BIND8.

A.2.1 Impor tant configuration options in “options”

director y "/var/named"; specifiesthedirectorywhereBIND canfind thefilescontainingthezonedata.

forwar ders 10.0.0.1; ; is usedto specify the nameserver(s) (mostly of theprovider) to which DNS requests,which cannotbe respondedto directly,areforwarded.

forwar d fir st; causesDNS requeststo be forwardedfirst beforean attemptismadeto resolve themvia therootnameserver. Insteadof forward first,forward only canbe written to have all requestsforwardedandthe rootnameserverswill no longerrespond.This makessensefor firewall configu-rations.

listen-on por t 53 127.0.0.1; 192.168.0.1; ; tells BIND which network inter-faceand which port it is listening to. The port 53 specificationcan beleft out, since53 is still thedefault port. If this entry is completelyomitted,usuallyall interfaceswill beimplemented

quer y-sour ce address * por t 53; Thisentryis necessaryif afirewall is block-ing externalDNS requests.This tells BIND to postrequestsexternallyfrom

105


port53 andnot from any of theportsgreaterthan1024.

allo w-quer y 127.0.0.1; 192.168.1/24; ; definesthenetworksfromwhichclientscanpostDNS requests./24 at theendis anabbreviatedexpressionfor thenetmask,in this case255.255.255.0.

allo w-transf er ! *; ; controlswhich hostscanrequestzonetransfers,this ex-amplecutsthemoff completelydueto the ! *. Without this entry, zonetransferscanberequestedanywherewithout restrictions.

allo w-update ! *; ; this option controlsthe external write-accessto the zonedata. This makesit possiblefor clientsto register themselvesin the DNS,which is not recommendedfor securityreasons.Without this entry, zoneupdatesaregenerallyprohibited,this examplewould not changeanything,since! * likewiseprohibitsany action.

statistics-inter val 0; In the absenceof this entry, BIND8 generatesseverallinesof statisticalinformationin /var/log/messages. Specifying0 sup-pressesthesecompletely, otherwisethetime in minutescanbegivenhere.

cleaning-inter val 720; ThisoptiondefinesatwhichtimeintervalsBIND8 clearsits cache.Thisactivity triggersanentryin /var/log/messageseachtime it oc-curs.Thetime specificationis in minutes.Thedefault is 60minutes.

interface-inter val 0; BIND8 regularly searchesthenetwork interfacesfor newor no longer existing interfaces. If this value is set to 0, this will not becarriedout andBIND8 will only listenat the interfacesdetectedat start-up.Otherwise,theinterval canbedefinedin minutes.Thedefault is 60minutes.

notify no; no preventsothernameserversfrom beinginformedwhenchangesaremadeto thezonedataor whenthenameserver is restarted.

A.2.2 The Configuration Section “Log ging”

What, how and wherearchiving takes placecan be extensively configuredinBIND8. Normally, thedefaultsettingsshouldbesufficient. Thefollowingexam-ple is thesimplestform of suchanentryandwill completelysuppress“logging”:

logging {

category default { null; };

};

A.2.3 The Structure of Zone Entr y

After zone, the nameof the domainto be administeredis specified,arbitrarilymy-domain.de followedbyin andablockof relevantoptionsenclosedin curlybrackets. If you want to definea “slave zone”, thetype is simply switchedto

106


zone "my-domain.de" in {type master;file "my-domain.zone";notify no;

};

zone "other-domain.de" in {type slave;file "slave/other-domain.zone";masters { 10.0.0.1; };

};

slave anda nameserver hasto be specified,which administersthis zoneasmaster (but whichcanalsobea “slave”).

Theoptions:

type master; master indicatesthat this zone is administeredon this nameserver. This assumesthatyourzonefile hasbeenproperlycreated.

type slave; This zoneis transferredfrom anothernameserver. Must be usedtogetherwith masters.

type hint; Thezone. of thetypehint is usedfor specificationof therootnameservers.Thiszonedefinitioncanbeleft alone.

file “m y-domain.zone” or file “sla ve/other -domain.zone”; Thisentryspeci-fiesthefile wherezonedatafor thedomainis located.Thisfile is notrequiredby slaves, sinceits contentsarereadby anothernameserver. In ordertodifferentiatebetweenmasterandslave files, thedirectoryslave is specifiedfor theslave files.

master s { 10.0.0.1; }; This entry is only neededfor slave zones. It specifiesfrom whichnameserver thezonefile is to betransferred.

A.2.4 Structure of Zone Files

Two typesof zonefiles areneeded:oneserves to assignIP addressesto hostnamesand the otherdoesthe reverse: suppliesa given IP addresswith an IPaddress.

’.’ hasan importantmeaningin the zonefiles here. If host namesare givenwithout endingwith a ’.’, the zonewill alwaysbe appended.Thus, completehostnamesspecifiedwith a completedomainmustendwith a ’.’ so that thedomainis not addedto it again. A missingpoint or onein the wrong placeisprobablythemostfrequentcauseof nameserverconfigurationerrors.

Thefirst caseto consideris thezonefile "world.zone"which is responsibleforthedomain’world.cosmos’.

Line 1: $TTL definesthestandardTTL which appliesfor all theentriesin thisfile, here2 days.TTL standsfor “time to live”.

107


1. $TTL 2D2. world.cosmos. IN SOA gateway root.world.cosmos. (3. 2001040901 ; serial4. 1D ; refresh5. 2H ; retry6. 1W ; expiry7. 2D ) ; minimum8.9. IN NS gateway10. IN MX 10 sun11.12. gateway IN A 192.168.0.113. IN A 192.168.1.114. sun IN A 192.168.0.215. moon IN A 192.168.0.316. earth IN A 192.168.1.217. mars IN A 192.168.1.3

Line 2: TheSOA control record beginshere:

• Thenameof thedomainto beadministeredis world.cosmos in thefirstposition. This endswith a ’.’, sinceotherwise,the zonewould have tobe appendeda secondtime. Alternatively, a ‘@’ can be enteredhere.Then,thezonewouldbeextractedfrom thecorrespondingentryin /etc/named.conf.

• After IN SOA is thenameof thenameserver in chargeasmasterfor thiszone.In thiscase,thenameis extendedfrom gateway togateway.world.cosmos, sinceit doesnot endwith a‘.’.

• Afterwards,ane-mailaddressof thepersonin chargeof this nameserverwill follow. Sincethe ‘@’ sign alreadyhasa specialsignificance,‘.’is to be enteredhere instead,for [email protected], consequentlyroot.world.cosmos.. The ‘.’ sign at the endcannotbe neglected,otherwise,thezonewill still beaddedhere.

• A ‘(’ followsat theendhere,includingthefollowing linesup until ‘)’into theSOA record.

Line 3: The serial number is an arbitrarynumberwhich is increasedeachtime this file is changed.It is neededto inform thesecondarynameservers(slave servers)of changes.For this, a ten-digit numberof the dateandrunnumber, writtenasYYYYMMDDNN, hasbecomethecustomaryformat.

Line 4: Therefresh rate specifiesthetime interval at which thesecondarynameserversverify thezoneserial number. In this case,1 day(1D = 1day).

Line 5: Theretry rate specifiesthetimeinterval,atwhichasecondarynameserver, in caseof error, attemptsto contacttheprimaryserver again.Here2hours(2H = 2 hours).

Line 6: The expiration time specifiesthe time frame after which a sec-ondarynameserver discardsthe cacheddataif it hasnot regainedcontact

108


to theprimaryserver. Here,it is a week(1W = 1 week).

Line 7: Theminimum time to live stateshow long theresultsof theDNSrequestsfrom otherserverscanbe cachedbeforethey becomeinvalid andhaveto berequestedagain.

Line 9: TheIN NS specifiesthenameserver responsiblefor this domain.Thesameis true here,that gateway is extendedto gateway.world.cosmosbecauseit doesnot end with a ‘.’. Therecan be several lines like this,onefor the primaryandonefor eachsecondarynameserver. If notify isnot setto no in /etc/named.conf, all thenameserverslistedherewill beinformedof thechangesmadeto thezonedata.

Line 10: TheMX recordspecifiesthemail serverwhichaccepts,processesandforwardse-mailsfor the domainworld.cosmos. In this example,this isthehostsun.world.cosmos. Thenumberin front of thehostnameis thepreferencevalue. If therearemultiple MX entries,the mailserver with thesmallestvalueis takenfirst and,if mail deliveryto thisserverfails,anattemptwill bemadewith thenext highestvalue.

Line 12-17: Theseare now the actualaddressrecordswhereone or more IPaddressesareassignedto thehostnames.Thenamesarelistedherewithouta., sincethey areenteredwithout a domainaddedandcanall beappendedwith world.cosmos. Two IP addressesareassignedto thehostgateway,sinceit hastwo network cards.

The pseudo-domainin-addr.arpa is usedto assistthe reverselookup of IPaddressesinto hostnames.This will be appended,for this purpose,to the net-work componentsdescribedherein reverseorder. 1.168.192.in-addr.arpathusresultsfrom 192.168.1.

1. $TTL 2D2. 1.168.192.in-addr.arpa. IN SOA gateway.world.cosmos.

root.world.cosmos. (3. 2001040901 ; serial4. 1D ; refresh5. 2H ; retry6. 1W ; expiry7. 2D ) ; minimum8.9. IN NS gateway.world.cosmos.10.11. 1 IN PTR gateway.world.cosmos.12. 2 IN PTR earth.world.cosmos.13. 3 IN PTR mars.world.cosmos.

Line 1: $TTL definesthestandardTTL whichappliesto all entrieshere.

Line 2: ’Reverselookup’ shouldbeactivatedwith thisfile for thenetwork192.168.1.0. Sincethe zone is called ’1.168.192.in-addr.arpa’ here, it is,of course,undesirableto addthis to the hostname;therefore,theseareall

109


enteredcompletewith domainandendingwith ’.’. The restcorrespondstothepreviousexampledescribedfor world.cosmos.

Line 3-7: Seethepreviousexamplefor world.cosmos.

Line 9: This line alsospecifiesthe nameserver herewhich is responsibleforthiszone.This time,however, thenameis entered,includingthedomainandendingwith ’.’.

Line 11-13: Thesearethe pointerrecordswhich point to an IP addressat therelevanthostname.Only thelastpartof theIP addressis enteredhereat thebeginningof theline,andthelast’.’ omitted.Now, if thezoneis appendedtothisandthe’.in-addr.arpa’is ignored,theentireIPaddresswill bebackwards.

In thisform, thezonefilesareusablefor bothBIND8 andBIND9. Zonetransfersbetweendifferentversionsshouldalsonot normallybeanissue.

A.3 DNS Sample Configuration

In thesampleconfigurationof a nameserver illustratedhere,we will make thefollowing assumptions:Your domainnameis world.cosmos,you have a gate-way hostwhich establishesthe Internetconnectionand two company internalnetworksconnectedto oneanother. This hostwill beour nameserver andwillreceive thename“gateway”. Yournetwork appearsasfollows:

Network 1 includesthehosts:

• gateway IP 192.168.1.1

• earthIP 192.168.1.2

• marsIP 192.168.1.3

Network 2 includesthehosts:

• gateway IP 192.168.0.1

• sunIP 192.168.0.2

• moonIP 192.168.0.3

The hostsearthandmarsareonly connectedvia gateway with sunandmoon,just asall hostscanonly accesstheInternetvia gateway.

Thefollowing filesarenecessaryfor configuringthenameserver:

named.conf thecentralconfigurationfile,

world.zone containsthehosttable,

192.168.1.zone for thesubnetwith thehostsearthandmars,

192.168.0.zone for thesubnetwith thehostssunandmoon,

110

A.4 Fur ther Information

localhost.zone containstheIP addressof thelocalhost,

127.0.0.zone loopback,

root.hint containstheInternetrootservers.

Thelocalhost.zone, 127.0.0.zone androot.hint filesareautomaticallycreatedduringinstallationof BIND 8.

Thefile /etc/named.conf will haveto beadjusted,asshown in thefile A.3 onthefollowing page.

acl is theaccesscontrol list which definesfrom which IP addressesaccesscanbemadeto thedDNS server.

Thedirectory entryspecifieswheretheotherconfigurationfiles arelocated./var/named/ is thedefault.

TheprocessID of named is storedin thepid-file.

listen-on Port definesthe port from which the nameserver receives re-quests.

zone entriesspecifiesthe configurationfiles to which IP addressesand hostnamesareassignedto oneanother. This files will have to besetup in thenextstepin the/var/named/ directory.

The completehost table is enteredin the world.zone file (seefile A.3 onpage113). In our example,this lookslike thefollowing:

The option ‘$TTL’ specifiesthe “time to live”. ‘SOA’ standsfor “start of au-thority” andintroducesthepre-setrecord:hostname,e-mailaddress,wherethe“@” sign is substitutedby a “.”, serial number(dateanddouble-digitversionnumber)andTTL. ‘NS’ marksthenameserver. ‘A’ signalsthattheIP addressesof the hostswill follow in the domain. Thenameserver “gateway” hastwo IPaddresses,sinceit belongsto two subnets.

In thenext two zonefiles, thereverselookuptakesplacefor bothsubnets.

Now, beforeyou cantestyour nameserver, the entry in the/etc/rc.configfile will have to be set to START_NAMED=yes. Subsequently, the other hostscanbe informedof the IP addressof the nameserver aswell, for example,viaYaST1 (‘System administration’ -> ‘Configure network’ -> ‘Config-uration name server’).

Now, if you enternslookup earth in a console,you shouldseean outputofthe nameserver with IP addressaswell asthe IP addressof the hostearth. Ifthe nameserver is not functioning,you will find the causein the /var/log/messages file.


• Documentationonbind8: file:/usr/share/doc/packages/bind8/html/index.html.

• A sampleconfigurationcanbefoundat:/usr/share/doc/packages/bind8/sample-config

111


acl internal { 127.0.0.1; 192.168.1/24; 192.168.0/24; };

options {directory "/var/named";allow-query { internal; };forwarders { 10.0.0.1; };listen-on port 53 {127.0.0.1; 192.168.0.1; 192.168.1.1;};query-source address * port 53;cleaning-interval 120;statistics-interval 0;notify no;

};zone "world.cosmos" in {

type master;file "world.zone";

};


};


};

zone "localhost" in {type master;file "localhost.zone";

};


};

zone "." in {type hint;file "root.hint";

};

File contentsA.3.1: File named.conf

112


$TTL 2D

world.cosmos. IN SOA gateway root.world.cosmos (2001040501 ; serial1D ; refresh2H ; retry1W ; expiry2D ) ; minimum

IN NS gatewayIN MX 10 sun

gateway IN A 192.168.0.1IN A 192.168.1.1

sun IN A 192.168.0.2moon IN A 192.168.0.3earth IN A 192.168.1.2mars IN A 192.168.1.3

File contentsA.3.2: File world.zone

$TTL 2D

0.168.192.in-addr.arpa. IN SOA gateway.world.cosmos.root.world.cosmos. (

2001040501 ; serial1D ; refresh2H ; retry1W ; expiry2D ) ; minimum

IN NS gateway.world.cosmos.

1 IN PTR gateway.world.cosmos.2 IN PTR sun.world.cosmos.3 IN PTR moon.world.cosmos.

File contentsA.3.3: Thefile 192.168.0.zone

113


$TTL 2D1.168.192.in-addr.arpa. IN SOA gateway.world.cosmos.

root.world.cosmos. (2001040501 ; serial1D ; refresh2H ; retry1W ; expiry2D ) ; minimum

IN NS gateway.world.cosmos.

1 IN PTR gateway.world.cosmos.2 IN PTR earth.world.cosmos.3 IN PTR mars.world.cosmos.

File contentsA.3.4: Thefile 192.168.1.zone

• manpagefor named (man 8 named), in which therelevantRFCsarenamedalongwith themanpagefor named.conf (man 5 named.conf) in particu-lar.

114

B DHCP

B DHCP

B.1 The DHCP Protocol

Thepurposeof the“DynamicHostConfigurationProtocol”is to assignnetworksettingscentrallyfrom aserverratherthanto configurethemlocally oneachandevery workstation.A client configuredto useDHCPdoesn’t have control overits own staticaddressbut is enabledto fully auto-configureitself in line withwhattheserversideis telling him.

Oneway to useDHCP is to identify eachclient usingthe hardwareaddressofits network card(which is fixed in mostcases),andthen to supply that clientwith identicalsettingseachtime it connectsto the server. But DHCP canalsobe configuredsuchthat the server assignsaddressesto each“interested”host“dynamically” from an addresspool which is set up for that purpose. In thelattercase,theDHCPserverwill try to assignthesameaddressto theclienteachtime it receivesa requestfrom it (andevenover longerperiods).This of coursewon’t work if therearemoreclient hostsin thenetwork thannetwork addressesavailable.

With thesepossibilities,DHCPcanmake life easierfor systemadministratorsintwo ways.Any changes(evenlargerones)relatedto addressesandthenetworkconfigurationin generalcan be implementedcentrally by editing the server’sconfigurationfile, which is much more convenientthan reconfiguringlots ofclient machines.Also it’s mucheasierto integratemachines– andin particularnew machines– into the network, asthey canbe givenan IP addressfrom thepool. Thepossibilityof retrieving theappropriatenetwork settingsfrom aDHCPserver canbeespeciallyusefulin thecaseof laptopsregularly usedin differentnetworks.

A DHCP server not only suppliesthe IP addressandthe netmask,but alsothehostnameand the domainname,aswell as the gateway and the nameserveraddressesto beusedby theclient.

In additionto that,DHCPallows for a numberof otherparametersto beconfig-uredin a centralizedway, suchasa time server from which clientsmaypoll thecurrenttime,or evena print server.

In the following section,we will give you an overview of DHCP, without de-scribingtheservicein everydetail. In particular, wewantto show you,usingtheDHCPserver dhcpd,how simpleit canbe,even in your own network, to carryout theentiresetupby DHCP, from onecentralpoint.

115

B DHCP

B.2 DHCP Software Packages

SuSELinux 7.2 comeswith threepackagesrelatedto DHCP, all includedinseriesn.

Thefirst of theseis theDHCPserverdhcpd distributedby theInternetSoftwareConsortium,or ISC. This is theprogramwhich assignsandmanagesthecorre-spondinginformationfor thenetwork. Normally with SuSELinux thereis onlythis oneprogramavailableasfarastheserver is concerned,but youmaychoosefrom two differentDHCPclient programs.SuSELinux includesboththedhcp-client – which is alsofrom the ISC – andthe “DHCP client daemon”which isprovidedin thepackagedhcpcd.

SuSELinux 7.2 installsdhcpcd by default. Theprogramis veryeasyto handleandis launchedautomaticallyon eachsystemstartupto look out for a DHCPserver. It doesnot needa configurationfile to do its job andshouldwork out ofthebox in moststandardsetups.

If you administera morecomplex network, you might needthe ISC’s dhclientwhich canbe controlledvia the configurationfile /etc/dhclient.conf. Nomatterwhetheryou want to includean additionaldomainin the searchlist, orevento emulatethebehavior of aMicrosoftDHCPclient– if youareknowledge-ableaboutnetworksyou’ll find thatthedhclientgivesyounumerouspossibilitiesto customizeit to yourneeds,down to thelastdetail.

B.3 The DHCP Server dhcpd

Thecoreof any DHCPsystemis thedynamichostconfiguration protocoldae-mon. What this server doesis to “lease” addressesandto watchhow they areused,in line with thesettingsasdefinedin theconfigurationfile /etc/dhcpd.conf. By changingtheparametersandvaluesin thisfile, asystemadministratorcaninfluencetheprogram’sbehavior in numerousways.

Let’shavea look ata basicsample/etc/dhcpd.conf file:

This simple configurationfile shouldbe sufficient to get the DHCP server toassignIP addressesto thehostsof yournetwork. Onethingto remember, though,is to includeasemicolon(;) at theendof eachline. Withoutthatcharacter, you’llfind thatdhcpdwon’t evenstart!

As you might have noticed,theabove samplefile canbedivided into threedif-ferentsections.

In the first one,we’ve definedhow many secondsan IP addressis “leased”toa requestinghost by default (default-lease-time) before it shouldapplyfor renewal. Thesectionalsoincludesa statementon the maximumperiodforwhich a machinemaykeepanIP addressassignedby theDHCPserverwithoutapplyingfor renewal (max-lease-time).

In thesecondpart,somebasicnetwork parametersaredefinedon agloballevel:

• Thelineoption domain-name definesthedefaultdomainof yournetwork.

116

B.3 The DHCP Server dhcpd

default-lease-time# 600; # 10 minutesmax-lease-time 7200; # 2 hours

option domain-name "kosmos.all";option domain-name-servers 192.168.1.1 192.168.1.2;option broadcast-address 192.168.1.255;option routers 192.168.1.254;option subnet-mask 255.255.255.0;

subnet 192.168.1.0 netmask 255.255.255.0{range 192.168.1.10 192.168.1.20;range 192.168.1.100 192.168.1.200;}

File contentsB.3.1: Theconfigurationfile /etc/dhcpd.conf

• With the entry option domain-name-servers, you can specify up tothreevaluesfor theDNS serversusedto resolve IP addressesto hostnames(andvice versa).Ideally, you shouldhave configureda nameserver on yourmachineor somewhereelsein your network beforesettingup DHCP. Thisnameserver shouldalsodefinea hostnamefor eachdynamicaddress,andvice versa. If you want to learnhow to configureyour own nameserver,pleasereadchapterA on page103.

• Theline option broadcast-address definesthebroadcastaddressto beusedby therequestinghost.

• With option routers you cantell the server whereto senddatapacketswhich cannotbe deliveredto a hoston the local network (accordingto thesourceandtargethostaddressandthesubnetmaskprovided).In mostcases,andespeciallyin smallernetworks,this routerwill be identicalwith theIn-ternetgateway.

• With option subnet-mask, youspecifythenetmaskassignedto clients.

Beneaththesegeneralsettings,a network, includinga subnetmask,is defined.To finishoff, wespecifytheaddressrangethattheDHCPdaemonshouldusetoassignIP addressesto interestedclients. In our example,clientsmay be givenany addressbetween192.168.1.10 and192.168.1.20, aswell as192.168.1.100 and192.168.1.200.

If yourserverhasmorethanonenetwork card,youshouldeditthefile /etc/rc.config.d/dhcpd.rc.config andspecifytheinterfacesthatdhcpdis intendedto use,underDHCPD_INTERFACE.

After editingthesefew lines,youshouldbeableto activatetheDHCPdaemonbyissuingthecommandrcdhcpd start. Theserver is readyfor useimmediatelyafter that. You couldalsodo a basiccheckto seewhethertheconfigurationfileis syntacticallycorrect,by enteringthecommandrcdhcpd syntax-check. Ifyou encounterany unexpectedproblemswith your configuration,i. e. theserverabortswith an error or doesn’t return“done” uponstartup,you shouldbe able

117

B DHCP

to find out what hasgonewrong by looking for informationeitherin the mainsystemlog,/var/log/messages, or on console10 (��

Strg + �� Alt + �� F10 ).

If youwantdhcpdto beenabledautomaticallyonsystemstartup,youshouldeditthefile /etc/rc.config, to setthevariableSTART_DHCPD to yes. Naturally,you canalsousetherc.configeditorof YaST2to do this.

Congratulations,you’vejust setup yourown DHCPserver!

B.4 Assigning Fixed IP Addresses to Hosts

Now thatwe’redonesettingup theserver to assigndynamicaddresses,it’s timeto have a closer look at static addressesand the way to configurethem. Asmentionedabove, with DHCP it’s also possibleto assigna predefined,fixedaddressto onehosteachtime thelattersendsa requestto theserver.

As might beexpected,addressesthathave beenassignedexplicitly will alwaystake priority over addressesfrom the pool of dynamicaddresses.Furthermore,a staticaddresswill never expire in the way a dynamicaddresswould (i. e. incasetherearen’t enoughaddressesavailableanymoresothattheserverneedstoredistributethemamonghosts).

To identify a hostconfiguredto geta staticaddress,theDHCPdaemonfetchesthe hardwareaddressof that host. This is a numericalcodeconsistingof sixoctet pairs, which is unique to eachnetwork device sold in the world, e.g.00:00:45:12:EE:F4.

If the appropriatelines, like the onesin B.4, are addedto the configurationfile B.3.1 on the precedingpage,the DHCP daemonwill assignthe samesetof datato thecorrespondinghostunderall circumstances.

host earthhardware ethernet 00:00:45:12:EE:F4;fixed-address 192.168.1.21;

File contentsB.4.1: Entryaddedto theconfigurationfile

Thestructureof this entryshouldbealmostself-explanatory:

The first line setsthe DNS nameof the newly definedhost (hosthostname),and the secondone its MAC address. On any network-enabledLinux host,this addresscanbedeterminedvery easilywith the commandifconfig (lookfor HWaddr in the output). Windows machines,too, have commandsto elicitthis kind information from the system: on Windows 95/98/ME, you’d enterwinipcfg andon WindowsNT/2000ipconfig /all.

In the above example, a host with a network card having the MAC address00:00:45:12:EE:F4 is automaticallyassignedthe IP address192.168.1.21andthehostnameearth.

The type of hardware to be enteredshouldbe ethernet in nearly all cases,thoughtoken-ring (which is oftenfoundon IBM systems)is alsosupported.

118

B.5 The Finer Points

B.5 The Finer Points

As we’ve saidat thebeginningof this chapter, thesepagesareonly intendedtoprovide a brief survey of what you cando with DHCP. If you areinterestedinfurtherinformation,thepageof theInternetSoftwareConsortiumon thesubject(http://www.isc.org/products/DHCP/) will prove a goodsourceto readaboutthedetailsof DHCP, includingaboutversion3 of theprotocolwhichis cur-rently in betatesting.Apart from that,youcanalwaysrely on themanpagesforfurther help,expeciallyman dhcpd, man dhcpd.conf, man dhcpd.leasesandman dhcp-options. Also, if you look aroundyou’ll beableto find oneofthe several bookson the DynamicHost Configuration Protocol that have beenpublishedover theyears,andwhich takeanin-depthlook at thetopic.

Incidentally, dhcpd canevensupplyrequestinghostswith a file which containsa bootableoperatingsystemkernel,andwhich is definedin the configurationfile by theparameterfilename. This allowsyou to build clienthostswhich don’tneedaharddisk,i. e.they’reenabledto loadboththeiroperatingsystemandtheirnetwork dataover thenetwork (disklessclients). Which couldbeaninterestingoptionfor bothcostandsecurityreasons.Now addthepackagealiceto all this,andyou’ll beableto dosomereally amazingthings.But that’sanotherstory.. .

119

B DHCP

120

C Proxy Server: Squid


Thefollowingchapterdescribeshow cachingwebsitesassistedbyaproxyserverworks,andwhattheadvantagesareof usingSquid.

The most popularproxy cachefor Linux/UNIX platformsis Squid. We willdiscussits configuration,the specificationsrequiredto get it running, how toconfigurethe systemto do transparentproxying, how to gatherstatisticsaboutthecache’susewith thehelpof programslikeCalamaris andcachemgr andhowto filter webcontentswith squidgrd.

C.1 What is a Proxy Cache?

Squid actsasa proxy cache. It behaveslike an agentwhich receivesrequestsfrom clients(in this casewebbrowsers)andpassesthemto thespecifiedserverprovider. Whentherequestedobjectsarriveat theagent,it storesacopy in adiskcache.

Benefitsarisewhen different clients requestthe sameobjects: thesewill beserved directly from the disk cache,which is muchfasterthanobtainingthemfrom the Internetand,at the sametime, saving overall bandwithfrom the sys-tem.

$ %

& '

TipSquid covers a wide range of features, such as defining hierarchies of proxyservers to distribute the load, defining strict access control lists to all clientswilling to access the proxy and, with the help of other applications, allowingor denying access to specific web pages. It can also obtain statistics aboutthe most visited web sites, user usage of the Internet, and much more.

Squid is not a genericproxy. It normallycommunicatesbetweenHTTPconnec-tions. It alsosupportstheprotocolsFTP, Gopher, SSLandWAIS, but it doesnotsupportother InternetprotocolssuchasRealAudio, news or videoconferenc-ing. BecauseSquid only supportstheUDP protocolto provide communicationbetweendifferentcaches,many othermultimediaprogramsarenotsupported.

121


C.2 Some Facts About Cache Proxying

C.2.1 Squid and Security

It is alsopossibleto useSquid togetherwith a firewall, to secureinternalnet-works from the outside,usinga proxy cache. The firewall deniesall externalservicesexceptfor Squid, forcing all World Wide Webconnectionsto beestab-lishedby theproxy.

If thefirewall configurationincludesa DMZ, settheproxy there.In this case,itis importantthatall computersin theDMZ sendtheir log files to hostsinsidethesecurednetwork.

Oneway to implementthis featureis with the aid of a so-called“transparent”proxy. This is coveredin SectionC.6on page130.

C.2.2 Multiple Caches

“Multiple Caches”meansconfiguringdifferentcachessothatobjectscanbeex-changedbetweenthem,reducingthetotal systemloadaswell asincreasingthechancesof finding anobjectalreadyin thelocal network. It enablestheconfig-urationof cachehierarchiessothata cacheis ableto forwardobjectrequeststosibling cachesor to a parentcache.It cangetobjectsfrom anothercachein thelocalnetwork or directly from thesource.

Choosingtheappropiatetopologyfor thecachehierarchyis very important,be-causewedonotwantto increasetheoverall traffic on thenetwork. For example,in a very largenetwork it is possibleto configurea proxy server for every sub-network andconnectit to aparentproxy, connectedin its turnto theproxycachefrom theISP.

All this communicationis handledby ICP (InternetCacheProtocol) runningon top of the UDP protocol. Data transfersbetweencachesarehandledusingHTTP(HyperText TransmissionProtocol),which is basedonTCP, but for thesekindsof connectionsit is preferableto usefasterandsimplerprotocolscapableof reactingto incomingrequestswithin a maximumof oneor two seconds.

In orderto find thebestserver from which to get thedesiredobjects,onecachesendsan ICP requestto all sibling proxies. Thesewill answerthe requestsviaICPresponseswith aHIT codeif theobjectwasdetectedor aMISSif it wasnot.If multipleHIT responseswerefound,theproxyserverwill decidewhichserverto from, downloaddependingon factorssuchas which cachesentthe fastestansweror which oneis closer. If no satisfactoryresponseshave beensent,therequestwill besentto theparentcache.

$ %

& '

TipTo avoid duplication of objects in different caches in our network, other ICPprotocols are used such as CARP (Cache Array Routing Protocol) or HTCP(Hyper-Text Cache Protocol). The more objects maintained in the network,the greater the possibility of finding the one we are looking for.

122

C.3 System Requirements

C.2.3 Caching Internet Objects

Not all objectsavailablein ournetwork arestatic.Therearea lot of dynamicallygeneratedCGI pages,visitor counters,or encryptedSSL contentdocuments.This is thereasonsuchobjectsarenotstoredin thecache:everytimeyouaccessoneof theseobjects,it will alreadyhavechangedagain.

But thequestionremainsasto how long all theotherobjectsstoredin thecacheshouldstaythere.To determinethis, all objectsin thecacheareassignedthreedifferentstates:

1. FRESH: Whenthisobjectis requested,it is sentwithoutcomparingit to thetheoriginalobjecton thewebto seeif it haschanged.

2. NORMAL: Theoriginal server is queriedto seeif theobjecthaschanged.If it changed,thecachecopy is updated.

3. STALE: Theobjectis no longerconsideredvalid, andwill be downloadedagainfrom theserver.

Webandproxyserversfind out thestatusof anobjectby addingheadersto theseobjectssuchas“Last modified” or “Expires” andthecorrespondingdate.Otherheadersspecifyingthatobjectsmustnotbecachedareusedaswell.

Objectsin thecachearenormallyreplaceddueto a lackof freeharddisk space,using algorithmssuchas LRU (Last RecentlyUsed),which serve to replacecacheobjects.Theessentialprincipleis to replacelessrequestedobjects.

C.3 System Requirements

Themostimportantthing is to determinethemaximumloadthatoursystemwillhave to bear. It is thereforeimportantto pay moreattentionto the load peaksbecausethesemight bemorethanfour timestheday’s average.Whenin doubt,it would be better to overestimatethe system’s requirements,becausehavingSquid working closeto thelimit of its capabilitiescouldleadto a severelossinthequality of service.

In the following sections,several systemfactorswill be presentedin orderofimportance.

C.3.1 Hard Disk

Speedplays an importantrole in the cachingprocessso shouldbe of utmostconcern. In hard disks, this parameteris describedas “random-seektime” inmilliseconds;asa rule of thumb:thelower this value,thebetter.

Accordingto theSquid User’sGuide(http://www.squid-cache.org), for asystemusingonly onedisk, the formula for calculatingthe numberof requestspersecondfrom theseektimeof thedisksis quiteeasy:

requestspersecond= 1000/ seektime

123


Squid enablesmultiple disksto be usedsimultaneously, increasingthe numberof requestspersecond.For instance,if you have threediskswith thesameseektime of 12milliseconds,usingthefollowing formulawill resultin:

requestspersecond= 1000/ (seektime / numberof disks)= = 1000/ (12/3)=250requestspersecond

In comparisonto usingIDE or SCSIdisks,SCSIis preferable;newer IDE disks,however, have similar seektimesto SCSIand,togetherwith DMA- compatibleIDE controllers,increasethespeedof datatransferwithoutconsiderablyincreas-ing thesystemload.

Size of the Disk Cache

In a small cache,theprobability of a HIT (finding the requestedobjectalreadylocatedthere)will be small becausethe cacheis quickly filled up and, in thiscase,the lessrequestedobjectswill be replacedby newer ones. On the otherhand,if 1 GB is availablefor thecacheandtheusersonly need10 MB a daytosurf, it will takemorethan100daysto fill thecache.Probablythe easiestway to determinethe cachesizeneededis to considerthemaximumtransferrateof our connection.With a1 MB/s connection,themax-imum transferratewill be125 KB/s. If all this traffic endsup in thecache,inonehourit will addup to 450 MB, and,assumingthatall this traffic is generatedin only 8 working hours,it will reach3.6 GB in oneday. Sincetheconnectionwasnot usedup to its maximumcapacity(otherwisewe would have procureda fasterone),we couldassumethat the total amountof datagoing throughthecacheis about2 GB. In theexample,to keepall thebrowseddataof onedayinthecache,we will require2 GB of diskspacefor Squid.Summingup, Squid tendsto readandwrite smallerblocksfrom or to thedisk,so that how quickly it detectstheseobjectson the disk is moreimportantthanhaving a fastdisk.

C.3.2 RAM

The amountof memoryrequiredby Squid directly correlatesto the amountofobjectsallocatedin the cache. Squid also storescacheobject referencesandfrequentlyrequestedobjectsin memoryto speedup retrieval of this data. Thememoryis onemillion timesfasterthana harddisk! (Comparethesearchtimeof a harddisk, about10 milliseconds,with the 10 nanosecondsaccesstime ofthenewerRAM memories)Every objectin RAM memoryhasa sizeof 72 bytes (for “small” pointerar-chitectureslike Intel, Sparc, MIPS, etc. For Alpha it is 104 bytes. If theaveragesizeof anobjecton the Internetis about8 KB andwe have 1 GB diskfor the cache,we will be storing about130,000objects,resultingin closeto10 MB RAM for meta-dataalone.Squid alsostoresotherdatain memory, suchasatablewith all usedIP adresses,a fully qualifieddomainnamescache,hot objects(themostrequested),buffers,accesscontrollists,etc.

124

C.4 Star ting Squid

It is very importantto have morethanenoughmemoryfor the Squid process,becauseif it hasto be swapped,the systemperformancewill be dramaticallyreduced.In orderto assistusin cachememorymanagement,wecanusethetoolcachemgr.cgi, asdiscussedlateron in SectionC.7.1on page133.

C.3.3 CPU

Squid isnotaprogramthatrequiresintensiveCPUusage.Theloadof theproces-soris only increasedwhile thecontentsof thecachearebeingloadedor checked.Usingamulti-processormachinedoesn’t increasetheperformanceof thesystem.To increaseefficiency it is betterto buy fasterdisksor addmorememory.

Someexamplesof configuredsystemsrunningSquid areavailableat http://wwwcache.ja.net/servers/squids.html.

C.4 Star ting Squid

Squid is alreadypreconfiguredin SuSELinux sothatyou caneasilystartit im-mediatelyafterinstallation.A prerequisitefor asmoothstartis analreadyconfig-urednetwork, at leastonenameserverand,of course,Internetaccess.Problemscanariseif a dial-up connectionis usedwith dynamicDNS configuration. Incasessuchasthis,at leastthenameservershouldbeclearlyentered,sinceSquidwill only startif it doesnotdetecta DNS in the/etc/resolv.conf.

To startSquid, enterat thecommandline, as‘root’:rcsquid start

For the initial start-up,the directory structurewill first have to be definedin/var/squid/cache. Thisisdoneautomaticallyby thestartscript/etc/init.d/squid andcantake a few secondsor even minutes. If done appearsto theright in green,Squid hasbeensuccessfullyloaded.You cantestSquid’s func-tionalityonthelocalsystembyenteringlocalhost andPort 3128 asproxyinthebrowser. In orderto allow all usersto accessSquid andthustheInternet,youwill only needto changetheentry in theconfigurationfile /etc/squid.conffrom http_access deny all to http_access allow all. However, indoingsoyou shouldbeawarethatSquid is madecompletelyaccessibleto any-oneby thisaction.Therefore,youshould,whateverthecase,defineACL’swhichcontrolaccessto theproxy. But moreon this in thenext chapter.

If youhavemadechangesin theconfigurationfile /etc/squid.conf, youwillhave to instructSquid to loadthechangedfile. You cando thisby entering:rcsquid reload

Or you canrestartSquid:rcsquid restart

Also, thefollowing commandis important:rcsquid status

With this,youcandeterminewhethertheproxy is runningandwithrcsquid stop

125


you canhalt Squid. The latter cantake a while sinceSquid waits up to half aminute(shutdown_lifetime) beforedroppingthe connectionsto the clientsandthenit still asto write its datato the disk. If Squid is haltedwith kill orkillall, thiscanleadto thedestructionof thecachewhichwill thenhaveto befully removedin orderto beableto restartSquid.

If Squid dies after a short period of time, even thoughit hasseeminglybeenstartedsuccessfully, this could be the resultof a faulty nameserver entry or amssing/etc/resolv.conf file. The causeof the startfailure would thenbeloggedby Squid in the/var/squid/logs/cache.log file.

If Squid shouldbe loadedautomaticallywhenthe systemboots,you will onlyneedto resettheentrySTART_SQUID=no to START_SQUID=yes in the/etc/rc.config file.

An uninstallof Squid will neitherremovethecachenor thelog files. Youwouldhave to manuallydeletethe/var/squid directory.

Local DNS Server

Settingup a local DNS serversuchasBIND-8 or BIND-9 makesabsolutesenseeven if theserver doesnot manageits own domain. It will thensimply actasa“caching-onlyDNS” andwill alsobeableto resolve DNS requestsvia therootnameserverwithout requiringany specialconfigurations.If youenterthis in the/etc/resolv.conf with the IP address127.0.0.1 for localhost, Squidwill detecta vaild nameserver whenit startsup. Configuringa nameserver is,however, a chapterin itself andwill thereforenot bedescribedhereat length.Itis sufficient,however, to install thepackageandto startBIND. Thenameserverof the provider shouldbe enteredin the configurationfile /etc/named.confunderforwarders, alongwith its IP address.If you have a firewall running,even if it is just thepersonalfirewall, you will have to make surethat theDNSrequestswill beallowedthrough.

C.5 The Configuration File /etc/squid.conf

All HTTP proxy server settingsareto bemadein the/etc/squid.conf file.To beableto startSquid for thefirst time, no changesarenecessaryin this file,but externalclientswill initially bedeniedaccess.Theproxy needsto bemadeavailablefor thelocalhost and,usually, with 3128 asport. Theoptionsareex-tensive andampledocumentationandexamplesareprovidedin thepreinstalled/etc/squid.conf file. Nearly all entriesbegin with a # sign (the lines arecommentedout) andtherelevantspecificationsareto befoundat theendof thefile. Thevaluesgivenalmostalwayscorrelatewith thedefaultvalues,sothatre-moving thecommentsignswithout changingany of theparametersactuallyhaslittle effect in mostcases.It is betterto leave thesampleasit is andto reinsertthe optionsalongwith the modifiedparametersin the line below. In this way,you caneasilyinterpretthedefault valuesandthechanges.

If youhaveupdatedanearlierSquid version,it is recommendedthatyouedit thenew /etc/squid.conf andonly apply thechangesyou madein theprevious

126

C.5 The Configuration File/etc/squid.conf

file. If you try to implementtheold squid.conf again,you arerunninga riskthat the configurationwill no longer function, sinceoptionsare always beingmodifiedandnew changesadded.

General Configuration Options

http_por t 3128 This is the port whereSquid listensfor client requests.Thedefault port is 3128, but 8080 is alsocommon.You have theoptionhereofspecifyingseveralportnumbers,separatedby blankspaces.

cache_peer <hostname> <type> <proxy-por t> <icp-por t> Here,youcanen-ter a parentproxy as“parent”, for example,if you wantto, or usethatof theprovider. As <hostname>, thenameandIP addressof theproxy to beusedareentered,andas<type>, parent. For <proxy-port>, theport numberis to beenteredwhich is alsospecifiedby theoperatorof theparentfor usein thebrowser, usually8080. You cansetthe<icp-port> to 7 or 0 if theICP port of theparentis not known andits useis irrelevant to theprovider.In addition,default andno-query shouldbespecifiedaftertheportnum-bersin orderto strictly prohibit theuseof theICP protocol.Squid will thenbehave likea normalbrowser, asfarastheprovider’sproxy is concerned.

cache_mem 8 MB Thisentrydefinesthemaximimamountof diskspaceSquidcanusefor thecaches.Thedefault is 8 MB.

cache_dir ufs /var/squid/cac he 100 16 256 Theentrycache_dir definesthedirectorywhereall theobjectsareto bestoredon disk. Thenumbersat theendindicatethe maximumdisk spacein MB to be usedaswell asthe num-berof directoriesin thefirst andsecondlevel. Theufs parametershouldbeleft alone.Thedefault is 100 MB occupieddisk spacein the/var/squid/cache directory, andto create16sub-directoriesinsideit whicheachcontain256 moresub-directories.Whenspecifyingthe disk spaceto be used,youshouldalwaysleave sufficient reserve disk space.Valuesfrom a minimumof 50 to a maximumof 80 percentof theavailabledisk spacemake themostsensehere.Thelasttwo numbersfor thedirectoriesshouldonly beincreasedwith caution,sincetoo many directoriescanalsoleadto performanceprob-lems. If you have severaldiskswhich areto sharethecache,you canenterseveralcache_dir lines.

cache_access_log /var/squid/logs/access.log pathfor log message

cache_log /var/squid/logs/cac he.log pathfor log message

cache_store_log /var/squid/logs/store .log pathfor log message

Thesethreeentriesspecifythe pathwhereSquid will log all of its actions.Normally, nothingis changedhere. If Squid is experiencinga heavy usageburden,it might make senseto distribute the cacheand the log files overseveraldisks.

emulate_httpd_log off If the entry is set to on, you will obtainreadablelogfiles. Someevaluationprogramscannotinterpretthis,however.

127


client_netmask 255.255.255.255 With this entryyou canmaskthe loggedIPaddressesin thelog files to hidetheclients’ identity. Thelastdigit of theIPaddresswill besetto zeroif youenter255.255.255.0 here.

ftp_user Squid@ With this,you cansetthepassword which Squid shouldusefor theanonymousFTPlogin. Thelogin ‘anonymous’ andyoure-mailad-dressas password are generallyusedto accesspublic FTP servers,whichsavesyouthetroubleof enteringyourusernameandpasswordeachtimeyoudownloadFTP. Squid@ without the domainis the default, sincethe clientscanoriginatefrom any domain. It canstill make sense,however, to spec-ify a valid e-mail addresshere,sincesomeFTPserverscanchecktheseforvalidity.

cache_mgr webmaster An e-mailaddressto which Squid sendsa messageifit unexpectedlycrashes.Thedefault is webmaster.

logfile_r otate 0 If you call up squid -k rotate, Squid canrotatesecuredlogfiles. Thefilesarenumbered,dependingonthenumbergiven,afterreach-ing thespecifiedvalue,theoldestfile at thatpoint will beoverwritten.Thisvalueherenormallystandsfor 0 becausearchiving anddeletinglog files inSuSELinux is carriedout by a cronjobwhichcanbefoundin theconfigura-tionfile /etc/logfiles. Theperiodof timeafterwhichthefilesaredeletedis definedin the/etc/rc.config file via theMAX_DAYS_FOR_LOG_FILESentry.

append_domain <domain> With append_domain, youcanspecifywhichdo-mainwill automaticallybeappendedwhennoneis given.Usuallyyourowndomainis enteredhere,soenteringwww in thebrowsersufficesto guaranteeaccessto yourown webserver.

forwar ded_for on If yousettheentryto off, Squid will removetheIP addressandthesystemnameof theclient from theHTTP requests.

negative_ttl 5 min utes; negative_dns_ttl 5 min utes Normallyyoudon’t needto changethesevalues. If you have a dial-up connection,however, the In-ternetmay, at times,not beaccessible.Squid will make a noteof thefailedrequestsandwill thenrefuseto issuenew ones,eventhoughtheInternetcon-nectionhasbeenre-established.In a casesuchasthis, you canchangetheminutes to seconds andthen,afterclicking onReload in thebrowser, thedial-upprocessshouldbere-engagedaftera few seconds.

never_direct allo w <acl_name> If you wantto preventSquid from takingre-questsdirectly from the Internet,you canusethe above commandto forceconnectionto anotherproxy. You needto have previously enteredthis incache_peer. If all is specifiedasthe<acl_name>, you will forceall re-queststo beforwardeddirectly to theparent. This might benecessary, forexample,if you areusinga provider which strictly stipulatesthe useof itsproxiesor deniesits firewall directInternetaccess.

128

C.5 The Configuration File/etc/squid.conf

Options for Access Contr ols

Squid providesanintelligentsystemwhich controlsaccessto theproxy. By im-plementingso-called“ACL’s”, it canbeconfiguredeasilyandcomprehensively.This involveslists with ruleswhich areprocessedsequentially. ACL’s mustbedefinedfirst, beforethey canbeused.SomedefaultACL’s suchasall andlo-calhost alreadyexist. DefininganACL onits own will notyetyield any resultsuntil it is put to use,e.g. in conjunctionwith http_access, whenthedefinedrulesareimplemented:

acl <acl_name> <type> <data> An ACL requiresat leastthreespecificationsto defineit. Thename<acl_name> canbearbitrarily chosen.For <type>,you canselectfrom a varietyof differentoptionswhich canbefoundin theACCESS CONTROLS sectionin the /etc/squid.conf file. The specifica-tion for <data> dependson the individual ACL type andcanalsobe readfrom afile, e.g.via hostnames,IP addressesor URLs. Herearesomesimpleexamples:acl mysurfers srcdomain .my-domain.comacl teachers src 192.168.1.0/255.255.255.0acl students src 192.168.7.0-192.168.9.0/255.255.255.0acl lunch time MTWHF 12:00-15:00

http_access allo w <acl_name> http_access defineswho is allowedto usethe proxy andalso who can accesswhat on the Internet. For this, ACL’sarespecified.localhost andall have alreadybeendefinedabove,whichcandeny or allow accessvia deny or allow. A list containingany numberof http_access entriescanbecreated,processedfrom top to bottomand,dependingon which occursfirst, accesswill be allowed or deniedto therespectiveURL. Thelastentryshouldalwaysbehttp_access deny all.In thefollowingexample,thelocalhost hasfreeaccessto everythingwhileall otherhostsaredeniedaccesscompletely.http_access allow localhosthttp_access deny all

Anotherexample,wherethepreviously definedACL’s areused:Thegroup‘teachers’ alwayshasaccessto theinternet,while thegroup‘students’only getsaccessMondayto Fridayduringlunchtime.http_access deny localhosthttp_access allow teachershttp_access allow students lunch timehttp_access deny all

Thelist with thehttp_access entriesshouldonly beentered,for thesakeof readability, at thedesignatedpositionin the/etc/squid.conf file. Thatis, betweenthetext\# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

andtheclosinghttp_access deny all

redirect_pr ogram /usr/bin/squidGuar d With this option,a redirectorsuchasSquidGuard, which is ableto block unwantedURLs, canbe specified.In-ternetaccesscanbeindividually controlledfor varioususergroupswith the

129


help of proxy authenticationand the appropriateACL’s. SquidGuard is apackageof its own, which canbeseparatelyinstalledandconfigured.

authenticate_pr ogram /usr/sbin/pam_auth If usersneedto beauthenticatedon the proxy, a correspondingprogramsuchaspam_auth canbe specifiedhere. Whenaccessingpam_auth for thefirst time, theuserwill seea loginwindow wherethe usernameand password must be entered. In addition,an ACL is still requiredso that only clientswith a valid login cansurf theInternet:

acl password proxy_auth REQUIRED

http_access allow passwordhttp_access deny all

TheREQUIRED afterproxy_auth canbe substitutedby a list of permittedusernames.

ident_lookup_access allo w <acl_name> With this, you will manageto havean ident requestrun throughfor all ACL-definedclientsin orderto find outeachuser’s identity. If you applyall to the<acl_name>, this will bevalidfor all clients. Also, an ident daemonmust be running on all clients, forLinux, you caninstall the pidentd packagefor this purpose,for Windows,thereis freesoftwareavailableto downloadfrom theInternet.To ensurethatonly clientswith a successfulident lookup arepermitted,a correspondingACL will alsohaveto bedefinedhere:

acl identhosts ident REQUIRED

http_access allow identhostshttp_access deny all

Here,too,youcanreplacetheREQUIRED with a list of permittedusernames.Usingident canslow down theaccesstime quitea bit, sinceident lookupswill haveto berepeatedfor eachrequest.

C.6 Transparent Proxy Configuration

Theusualwayof workingwith proxyserversasfollows: thewebbrowsersendsrequeststo a certainport in the proxy server andthe proxy providesthesere-quired objects,whetherthey are in its cacheor not. Whenworking in a realnetwork, severalsituationsmayarise:

• For securityreasons,it is recommendedthat all clientsusea proxy to surftheInternet.

• All clientsmustuseaproxy whetherthey areawareof it or not.

• In largernetworksalreadyusinga proxy, it is possibleto spareyourselfthetrouble of reconfiguringeachmachinewhenever changesare madein thesystem.

130

C.6 Transparent Proxy Configuration

In all thesecasesa transparentproxymaybeused.Theprincipleis verysimple:theproxy interceptsandanswerstherequestsof thewebbrowser, sothatthewebbrowserreceivesthe requestedpageswithout knowing wherethey arecomingfrom. Thisentireprocessis donetransparently, hencethename.

C.6.1 Kernel Configuration

First of all we have to make surethat theproxy server’s kernelhassupportfortransparentproxy. Otherwisewe will have to addthis option to thekernel,andcompile it again. More on this topic is available in the SuSELinux ReferenceGuide.

In theentrycorrespondingto NetworkingOptions,select‘Network Firewalls’,and then the options‘IP: firewalling’ and ‘IP: Transparent proxy-ing’. Now we just have to save thenew configuration,compilethenew kernel,install it, reconfigureLILO if necessary, andrestartthesystem.

C.6.2 Configuration Options in /etc/squid.conf

Let us take a look at the optionsthatwe needto activatein the/etc/squid.conf file to getthetransparentproxy up andrunning.

Theoptionsare:

• httpd_accel_host virtual

• httpd_accel_port 80 # theport numberwheretheactualHTTP server islocated

• httpd_accel_with_proxy on

• httpd_accel_uses_host_header on

C.6.3 Firewall Configuration with SuSEfire wall

Now we have to redirectall incoming requestsvia the firewall with help of aport-forwardingrule to theSquid port.

To do this,we will usea tool providedby SuSE:SuSEfirewall. Its configurationfile canbefoundin /etc/rc.config.d/firewall.rc.config. Theconfig-urationfile, in turn, consistsof well documentedentries.Even if we only wantto seta transparentproxy, wewill haveto configurea coupleof firewall options.In ourexample:

• Devicepointingto theInternet:FW_DEV_WORLD=“eth1”

• Devicepointingto thenetwork: FW_DEV_INT=“eth0”

Portsand services(see/etc/exports) on the firewall being accessedfrom un-trustednetworks as Internet. This exampleonly providesweb servicesto theoutside:

131


FW_SERVICES_EXTERNAL_TCP=“www”

Ports/services(see/etc/exports) on thefirewall beingaccessedfrom these-curenetwork, bothTCPandUDPservices.

FW_SERVICES_INTERNAL_TCP=“domainwww 3128”

FW_SERVICES_INTERNAL_UDP=“domain”

We areaccessingwebservicesandSquid (whosedefault port is 3128).

Theservice“domain” specifiedbeforestandsfor DNS or DomainNameServer.It is normalto usethis service,otherwisewe cansimply take it out of theaboveentriesandsetthefollowing optionto no:

FW_SERVICE_DNS=“yes”

Themostimportantoptionis number15:

## 15.)# Which accesses to services should be redirected to a localport# on the firewall machine?## This can be used to force all internal users to surf via your# squid proxy, or transparently redirect incoming webtraffic to# a secure webserver.## Choice: leave empty or use the following explained syntax of# redirecting rules, separated by a space.# A redirecting rule consists of 1) source IP/net,# 2) destination IP/net, 3) original destination port and# 4) local port to redirect the traffic to, separated by a colon,# e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080"#

Thecommentsaboveshow thesyntaxto befollowed.First of all, theIP addressandthenetmaskof the“internalnetworks” areaccessingtheproxyfirewall. Sec-ondly, theIP addressandthenetmaskto which theseclientsare“sending”theirrequests.In thecaseof webbrowsers,wewill specifythenetworks0/0, awild-cardthatmeans“to everywhere”.After that, the “original” port to which theserequestsaresentand,finally, theport to whichall theserequestsare“redirected”.

As Squid supportsmoreprotocolsthanHTTP, wecanalsoredirectrequestsfromotherportsto ourproxy. For example,wecanalsoredirectservicesfor FTP(port21),HTTPSor SSL(port443),andHTTPor web(port80) to ourSquid port. Intheexamplewe usethedefault port3128.

In casetherearemorenetworksor servicesto add,they only needto beseparatedby a singleblankcharacterin thecorrespondingentry.

Following our example,we will give proxy accessin our network only to webandFTPprotocols.

FW_REDIRECT_TCP="192.168.0.0/16,0/0,80,3128192.168.0.0/16,0/0,21,3128"

FW_REDIRECT_UDP="192.168.0.0/16,0/0,80,3128192.168.0.0/16,0/0,21,3128"

132

C.7 Squid and Other Programs

In orderto startthefirewall andthenew configurationwith it, wehaveto changeanentryin the/etc/rc.config file. TheentrySTART_FW mustbesetto "yes":

START_FW="yes"

$ %

& '

NoteAfter the configuration file /etc/rc.config has been edited, you willhave to execute the SuSEconfig script, all by hand, in order to make thechanges effective in your system. The safest way of doing this is with helpof YaST ‘System administration’ -> ‘Change configuration file’which will run SuSEconfig automatically.

StartSquid asshown in theSectionC.4 on page125. To checkif everythingisworkingproperly, takealook attheSquid logsin /var/squid/logs/access.log

In orderto verify thatall portsarecorrectlyconfigured,we canperforma portscanon the machinefrom any computeroutsideour networks. Only the webservicesport (80)shouldbeopened.Theway to do theportscanis with nmap:nmap -O IP_address


In thefollowing section,wewill seehow otherapplicationsinteractwith Squid.cachemgr.cgi enablesthesystemadministratorto checktheamountof mem-ory neededfor cachingobjects,squidgrd filters web pages,andCalamaris is areportgeneratorfor Squid.

C.7.1 cachemgr .cgi

Thecachemanager(cachemgr.cgi) is aCGI utility for displayingstatisticsaboutthememoryusageof a runningSquid process.It is alsoa moreconvenientwayto managethecacheandview statisticswithout loggingtheserver.

Setup

First of all, we needa runningwebserveron our system.To checkif Apache isalreadyrunning,typeas‘root’: rcapache status.

If a messagelike this appears:

Checking for service httpd: OKServer uptime: 1 day 18 hours 29 minutes 39 seconds

Apacheis runningon our machine.Otherwisetype: rcapache start to startApachewith theSuSELinux default settings.

133


Thelaststepto setit up is to copy thefile cachemgr.cgi to theApachedirec-tory cgi-bin:

cp /usr/share/doc/packages/squid/scripts/cachemgr.cgi /var/www/cgi-bin

Cache Manager ACL’s in /etc/squid.conf

Therearesomedefault settingsin the original file requiredfor the cacheman-ager:

acl manager proto cache_objectacl localhost src 127.0.0.1/255.255.255.255

With thefollowing rules:

http_access allow manager localhosthttp_access deny manager

Thefirst ACL is themostimportant,asthecachemanagertriesto communicatewith Squid over thecache_objectprotocol.

The following rulesassumethat the web server andSquid arerunningon thesamemachine. If the communicationbetweenthe cachemanagerand Squidoriginatesat the web server on anothercomputer, we will have to include anextra ACL asin figureC.7.1.

acl manager proto cache_objectacl localhost src 127.0.0.1/255.255.255.255acl webserver src 192.168.1.7/255.255.255.255 # IP of webserver

File contentsC.7.1:Addingextra ACL

Thenaddtherulesasin figureC.7.2on thenext page.

We canalsoconfigurea password for themanagerif we want to have accesstomoreoptionssuchasclosingthe cacheremotelyor viewing moreinformationaboutthecache.We thenhaveto configuretheentrycachemgr_passwd with apassword for themanagerandthelist of optionsthatwewantto beableto view.This list appearsasa partof theentrycommentsin /etc/squid.conf.

Rememberto restartSquid with the -k reconfigure option every time theconfigurationfile is changed.

Viewing the Statistics

Goto thecorrespondingwebsite:http://webserver.example.org/cgi-bin/cachemgr.cgi

Press‘continue’ andbrowsethroughthe differentstatistics.More detailsoneachentry shown by the cachemanageris in the Squid FAQ http://www.squid-cache.org/Doc/FAQ/FAQ-9.html

134


http_access( allow manager localhosthttp_access allow manager webserverhttp_access deny manager

File contentsC.7.2:AccessRules

C.7.2 SquidGuar d

This chapteris not intendedto go throughanextensive configurationof Squid-Guard, only to introduceit and give someadviceon using it. For more in-depthconfigurationissues,pleaserefer to the SquidGuard web site at: http://www.squidguard.org

SquidGuard is a free(GPL), flexible andultra fastfilter, redirectorand“accesscontrollerplugin” for Squid. It lets you definemultiple accessruleswith dif-ferentrestrictionsfor differentusergroupson a Squid cache.SquidGuard usesSquid’s standardredirectorinterface.

SquidGuard canbeusedfor thefollowing:

• limit thewebaccessfor someusersto a list of acceptedor well-known webserversor URLs.

• block accessto somelisted or blacklistedweb servers or URLs for someusers.

• block accessto URLs matchinga list of regular expressionsor words forsomeusers.

• redirectblockedURLs to an“intelligent” CGI-basedinfo page.

• redirectunregisteredusersto a registrationform.

• redirectbannersto anemptyGIF.

• havedifferentaccessrulesbasedon time of day, dayof theweek,date,etc.

• havedifferentrulesfor differentusergroups.

• andmuchmore..

NeitherSquidGuardor Squid canbeusedto:

• Edit, filter or censortext insidedocuments

• Edit, filter or censorHTML-embeddedscript languagessuchasJavaScriptor VBscript

Using SquidGuar d

Install thesquidgrd from theseriesn. Edit a minimal configurationfile /etc/squidguard.conf. Thereareplenty of configurationexamplesin http://www.squidguard.org/config/. You canexperimentlater with morecom-plicatedconfigurationsettings.

135


Thefollowing stepis to createadummy“accessdenied”page,or amoreor lessintelligent CGI pageto redirectSquid in casethe client requestsa blacklistedwebsite.Again,usingApache is stronglyrecommended.

Now wehave to tell Squid to useSquidGuard.We will usethefollowing entriesin the/etc/squid.conf file:

redirect_program /usr/bin/squidGuard

Thereis anotheroptioncalledredirect_children configuringhow many dif-ferent“redirect” (in thiscaseSquidGuard) processesarerunningonthemachine.SquidGuard is fastenoughto copewith lots of requests(SquidGuard is quitefast: 100,000requestswithin 10 secondson a 500MHzPentiumwith 5900do-mains,7880URLs,13780in sum).Thereforeit is not recommendedto setmorethan4 processesbecausethismayleadto anunnecesaryincreaseof memoryfortheallocationof theseprocesses.

redirect_children 4

And lastof all, sendaHUPsignalto Squid to haveit readthenew configuration:

squid -k reconfigure

Now you cantestyoursettingswith a browser.

C.7.3 Cache Repor t Generation with Calamaris

Calamarisis a Perlscriptusedto generatereportsof cacheactivity in ASCII orHTML format. It workswith nativeSquid accesslog files. TheCalamarisHomepageis locatedathttp://Calamaris.Cord.de/

Theuseof theprogramis quiteeasy. Log in as‘root’, andthen:cat access.log.files | calamaris [options] > reportfile

It is importantwhenpiping morethanonelog file that the log files arechrono-logically ordered,thatis, olderfilesfirst.

Thevariousoptions:

-a normallyusedfor theoutputof availablereports

-w anHTML report

-l amessageor logo in theheaderof thereport

Further information on the variousoptionscan be found in the manualpage:man calamaris

A typical example:cat access.log.2 access.log.1 access.log | calamaris -a -w >/usr/local/httpd/htdocs/Squid/squidreport.html

Thereportis storedin thedirectoryof thewebserver. Again,Apache is requiredto view thereports.

Anotherpowerful cachereportgeneratortool is SARG(Squid AnalysisReportGenerator).

Furtherinformationon this canbefoundin therelevantInternetpagesat:http://web.onda.com.br/orso/

136

C.8 More Information on Squid

C.8 More Information on Squid

Visit the homepageof Squid: http://www.squid-cache.org/. Here,youwill find theSquid UserGuideandaveryextensivecollectionof FAQsonSquid.

TheMini-Howto regardingtransparentProxiesin thepackagehowtoen, under/usr/share/doc/howto/en/mini/TransparentProxy.gz

In addition,mailing lists areavailablefor Squid at:[email protected].

Thearchive for this is locatedat:http://www.squid-cache.org/mail-archive/squid-users/

137


138

D Network Security

D Network Security

D.1 Masquerading and Firewalls

Owing to its outstandingnetwork capabilities,Linux is becomingever morewidespreadasa routeroperatingsystemfor dialup or dedicatedlines. For thepurposesof this chapter, by “router” we refer to a host which hasmore thanonenetwork interfaceandtransmitsany packetsnot destinedfor oneof its ownnetwork interfacesto anotherhostcommunicatingwith it (oftencalledgateway).Thepacketfiltering mechanismprovidedby theLinux kernelallowsfor aprecisecontrolover which packetsof theoverall traffic areallowedthroughandwhichpacketsarestopped.

In general,definingtheexactrulesfor sucha packet filter requiresat leastsomeexperienceon thepartof theadministrator. For thelessexperienceduser, SuSELinux includestwo separatepackageswhichareintendedto makeit easierto setup theserules: the longer-establishedpackageSuSEfirewall andthe the newerpackagePersonal-firewall. Themaindifferencebetweenthemlies in thedegreeto which they areconfigurableand,asa resultof this, therearealsodifferenceswith regardto flexibility andintendedpurpose.

SuSEfirewall is highly configurable,makingit agoodchoicefor amorecomplexpacket filtering setup. In contrast,Personal-firewall canbe configuredby set-ting just onevariable,andis aimedat blockingany attemptto make aninboundconnectionwith the correspondinghost. Both packet filter solutionsallow youto addfiltering rulesto enablemasquerading(alsocalledNAT = Network Ad-dressTranslation),i. e.usingaLinux machineasarouterto link a localnetworkthrougha dialupor dedicatedconnection,whereonly oneIP addressis visibleto theoutsideworld. In otherwords,masqueradingis achievedby implementingrulesfor packetfiltering.

$ %

& '

CautionThis chapter only describes standard procedures which should work wellin most situations. However, there’s no guarantee that this book or othermaterials provided by us are free of mistakes which might have escaped ourattention. Please don’t make the authors of this book responsible if someevil cracker should gain access to your system, despite all your well-craftedsecurity measures. On the other hand, we do appreciate your criticism andcomments. Even though you might not receive a direct answer from us, restassured that suggestions for improvement will be taken seriously.

139

D Network Security

D.1.1 Masquerading Basics

Masqueradingis a specialLinux caseof NAT, or Network AddressTranslation.There’snothingterribly complicatedabouttheunderlyingprincipleof this: Yourrouterhasmorethanonenetwork interface,typically a network cardanda mo-dem(or an ISDN interface). While oneof theseinterfaceswill link you to theoutsideworld, theremainingones(or theonly remainingone,for thatmatter)areusedto connectthis routerwith theotherhostsin your network. Now let’s havea look at an examplewheredialout connectionsarehandledvia ISDN, i. e. thenetwork interfaceisippp0. Severalhostsof your localnetwork areconnectedtothenetwork cardof yourLinux router, which in thiscaseis assumedto beeth0.Thenetwork addressof your internalnetwork is, say, 192.168.0.0, while therouter’s addressis 192.168.0.1, andthehoststo be linkedup have addresseslike 192.168.0.2, 192.168.0.3, etc. Thesehostswill sendany packetsnotdestinedfor the local network to the address192.168.0.1 which is the net-work interfaceof your routerandthusfunctionsasthenetwork’s default routeror default gateway.

$ %

& 'NotePlease make sure that both the broadcast addresses and the networkmasks are the same for all hosts when configuring your network!

With this setup,assoonasoneof thehostssendsa packet destinedfor anInter-net address,this packet endsup at the routermachinebecauseit’s beensetupasthe network’s default router. However, beforeanything canhappenbeyondthat,therouterneedsto beconfiguredto actuallyforwardsuchpackets– whichSuSELinux won’t do by default for securityreasons!Therefore,you needtoset the variableIP_FORWARD, which is definedin the file /etc/rc.config,to IP_FORWARD=yes. Theforwardingmechanismis enabledafterrebootingorissuingthis command:echo 1 > /proc/sys/net/ipv4/ip_forward

This is wherethemasqueradingbegins. Giventhat therouter, asseenfrom theoutside,hasonly one IP address(to stick with our example,after dialing outthis addresswill belongto theISDN interface),thesourceaddressof thepacketmustbereplacedwith therouter’s own addressbeforesendingit out over whatis calledthe externalnetwork interface. If the routerdidn’t replacethe sourceaddress,the receiving endwould have no meansto reply with the packetsthatyour host awaits. This is especiallytrue if you are using the 192.168.x.xaddressrange. Thoughthe latter representsa valid setof IP addresses,they’renot forwardedat all by any of theInternet’s routers.

With theexchangeof sourceaddresses,thetargethostat theotherendof thelinkis told that it is supposedto talk to your router, but it won’t seethehostin yourinternalnetwork. Your internalhost is hiddenbehindthe router, which is whythetechniqueis called“masquerading”.

In mostcasessendingsomepacketsimplieswe expectto getsomethingbackinreply. Againbecauseof theaddresstranslation,thetargetaddressfor thesereply

140


packetswill beour router. Now therouter’s taskis to recognizethepacketsontheir way back, translatingthe target addresssuchthat the host in the internalor local network is madeto “believe” that thepacketshave beendirectly senttoit. The taskof recognizingthepacketsbelongingto a connectionhandledby amasqueradingrouteris managedwith thehelpof a tablewhich is locatedright inthekernelof your routeraslong asthisconnectionexists.By usingtheipchainsandthe iptablescommand,the superuser(‘root’) canevenview thesetables.Pleasereadthe documentationof thesecommandsfor detailedinstructionsonhow to usethem. In any case,it’s worth mentioningthat individual masquer-adedconnectionsarenotonly identifiedby theirsourceandtargetaddresses,butalsoby theport numbersandtheprotocolsinvolved. Theoreticallyat least,thiswould enableyour routerto simultaneously“hide” many thousandconnectionsperinternalhost.

With theroutingof inboundtraffic dependingon themasqueradingtablethere’sno way to opena connectionto someinternalhostfrom theoutside.For suchaconnection,therewould beno entry in thetablebecausetheentry itself is onlycreatedif aninternalhostopensa connectionwith theoutside.In addition,anyestablishedconnectiongetsassigneda statusentry in the table,andthis entrycannotbeusedby anotherconnection,ratherthissecondconnectionwouldhaveto rely on anotherstatusrecord.

As a consequenceof all this, you might experiencesomeproblemswith a num-ber of applications:Programsuseprotocolsto talk to eachotherandsomeofthesetry to openadditionalconnectionsor to sendpackets from the server totheir client which cannotberecognizedasbeingvalid by a simplepacket filter.Examplesof suchprotocolsareFTP(only if in PORT mode;Netscapeaswell asthestandardftp programandmany othersusethePASV mode,andthis passivemodeis much lessproblematicas far aspacket filtering andmasqueradingisconcerned),ICQ, cucme,IRC (DCC, CTCP),Quake andothers.TheFTPpro-tocol, for instance,opensa controlling connectionandin additionanotheronefor eachfile to be transferred(calledthedataconnection).In PORT mode,theserver opensa connectionwith the client but, in PASV (passive) mode,it’s theclientwhichestablishesaconnection.As we’vesaidbefore,oursetupallowsforconnectionsto beopenedexclusively from the internalside,which explainsthetroublethatFTPwill causeif usedin PORT mode.

TheLinux kernelhandlesmasqueradingor NAT with thehelpof packetfilteringrules,sothenext sectionis aboutfirewalls.

D.1.2 Firewalling Basics

“Firewall” is probablythemostwidely usedtermto describeamechanismto linktwo networks(howeversmall they might be)while at thesametime imposingaratherstringentpolicy on thedatatraffic betweenthem.Therearevarioustypesof firewallswhichmostlydifferwith regardto thelogical,abstractlevelonwhichtraffic is analysedandcontrolled.Strictly speaking,themechanismthatwe willdescribein this sectionis calleda “packet filter”. A packetfilter is just onewayto set up a firewall in the broadersense. Like any type of firewall, a packetfilter alonedoesnot guaranteefull protectionfrom all securityrisks. What a

141

D Network Security

packet filter doesis implementa setof rulesrelatedto protocols,portsandIPaddresses,in orderto decidewhetherdatamaypassthroughor not. Onthebasisof this, onecanblock any packetswhich, accordingto their addresseswerenotsupposedto betravelingonthenetwork in thefirst place.For instance,youmightbeinterestedin blockingany packetsrelatedto thetelnetserviceof yourhostsonport23. Ontheotherhand,if youwantpeopleto haveaccessto yourwebserver,you’ll needto enablethecorrespondingport. Notethatapacketfilter won’t scanthecontentsof any packetsaslongasthey havelegitimateaddresses(e.g. they’redirectedto your webserver). Thus,packetscouldbesentwhich containdatatoattackyourCGI server, but thepacketfilter would let themthrough.

A moreeffective (but morecomplex) mechanismcould be setup by combin-ing several typesof systems,e.g. a packet filter interactingwith anapplicationgateway/proxy. In this case,the packet filter rejectsany packetswhich arenotdestinedfor ourdeclaredtarget,i. e.only packetsdirectedto theapplicationgate-way areallowedthrough.This gateway or proxy now pretendsto be theactualclient of theserver thatwe’recontacting.In a sense,sucha proxy couldbecon-sideredasamasqueradingmachinefor theprotocolusedby ourapplication.Oneexamplefor sucha proxy is Squid,an HTTP proxy server. If you wereto useSquid,you’d have to tell your browserto communicatevia theproxy, suchthatany HTTPpagesrequestedwouldbeservedfrom theproxycacheratherthandi-rectly from theInternet.As anotherexample,theSuSEproxysuite(thepackageproxy-suitein seriessec)includesa proxy for theFTPprotocol.

In the following section,we’re going to focus on the two packet filters thatcome with SuSELinux. For more information and links on the topic, readthe Firewall-HOWTO documentincludedin packagehowtoen, seriesdoc. Ifyou have this packageinstalled,you canreadthe HOWTO with the commandless /usr/share/doc/howto/en/Firewall-HOWTO.gz, providedthatyouhave installedthepackagehowtoen.

D.1.3 Personal-fire wall

As mentionedabove, SuSELinux includestwo differentpackagesto setup fil-tering rules: Personal-firewall andSuSEfirewall. The main differencebetweenthetwo is theirconfigurability. Personal-firewall shouldrequirenoconfigurationandlittle maintenance;it is intendedto giveyou thepossibilityof connectingtotheInternetwhile notallowing any incomingconnections,meaningthatthehost(or thenetwork interface)protectedby it will notoffer any servicesto otherhostsout there.Accordingly, thepackagepersonal-firewall shouldbeanadequateso-lution for mosthome-basedworkstations.

$ %

& '

NoteAs we’ve already mentioned in the section about masquerading, the factthat incoming connection requests are rejected may lead to a number ofproblems with protocols trying to open a second connection to the client. Inthat respect, the effect that Personal-firewall can have on your applicationsis similar to the masquerading function.

142


Enablingpersonal-firewall is aseasyassettingthisonevariablein thefile /etc/rc.config.d/security.rc.config:REJECT_ALL_INCOMING_CONNECTIONS

Pleasereadthecommentsin thisfile to insertthenetwork interfaceor interfaces(separatedby spaces)which you want to be protectedfrom incomingconnec-tions.Apart from thenamesof theseinterfacesthemselves,suchaseth0, eth1,or ippp0, youmayalsoinsertthefollowing keywords:

no Use this to disable personal-firewall. You can achievethe same by leaving the value for the variable RE-JECT_ALL_INCOMING_CONNECTIONSblank.

yes Thismakespersonal-firewall actonall interfacesexceptlo. lo istheloopbackinterface,localhost,i. e.connectionsto localhostareallowed.

modem This refersto all themodemsthatareconnected,asa shortformfor interfacenamesbeginningwith ppp, i. e.ppp0, ppp1, . . .

masq Packetsreceivedby thehostwhich arenot destinedfor oneof itsown interfacesareto bemasqueradedaccordinglywhenforward-ing them.

TableD.1: Possiblekeywords

$ %

& '

CautionEnabling the masquerading function makes sense only if IP forwarding(commonly also called routing) has been enabled, too. To achieve this,set the variable IP_FORWARD in /etc/rc.config to IP_FORWARD=yes.IP forwarding will be enabled after the next reboot, or after entering thecommand: echo 1 ) /proc/sys/net/ipv4/ip_forward

Soif youhaveentered:REJECT_ALL_INCOMING_CONNECTIONS="ippp0 modem"

all connectionrequestsarriving at your ISDN interface,or via your modem,aredropped. Assumingthat you have configureda network cardwhich is knownto your systemaseth0, that interfacewill not beaffectedby thefirewall at all.Also, themasqueradingfunctionis disabled.

$ %

& 'NoteADSL and other variants of DSL are considered modems here becausethey get assigned an interface name like ppp0 or ppp1.

143

D Network Security

Here’sanotherexample:REJECT_ALL_INCOMING_CONNECTIONS="modem masq"

This would have the following effects: Interfacesbeginning with ppp cannotacceptconnectionsanymore. Provided that IP forwarding is enabled(seethenoteabove!),packetsgoingthroughnetwork interfacesthatdon’t begin with pppare“hidden” behindtheIP addressof yourexternalinterface.However, notethatthis doesnot necessarilydeterminethe actualaddressusedfor masquerading!Theoretically, you could be online via both an ISDN cardanda modem,andwhile incomingconnectionsdirectedto the modemarerejected,thosedirectedto theISDN interfacewouldbeallowedthrough.With masquerading,thesourceaddressis alwaystheaddressof theinterfacethroughwhichthepacketwill leaveyour router.

And yet anotherexample: You have configureda network cardto have the in-terfacenameeth0; in additionyouhave installedon yoursystemanISDN cardwhich correspondsto ippp0. Now youenterthesekeywords:

REJECT_ALL_INCOMING_CONNECTIONS="ippp0 masq"

Again we assumethatyou’ve alreadyenabledIP forwarding. Now if you haveconfiguredthehostsof yourlocalnetwork suchthatthey usetheIP addressof thenetwork cardastheirdefaultrouter, any outgoingtraffic from your localnetworkwill bemasqueradedby therouter. Inboundconnectionrequestsarriving atyourISDN interfaceareignored.

Our lastexample:REJECT_ALL_INCOMING_CONNECTIONS="masq"

Here,noneof theconnectionrequestsarriving at theinstallednetwork interfacesarediscarded,but connectionsforwardedfrom otherhoststhroughyour routeraremasqueraded.This is on theconditionthat theotherhostsareconfiguredtousean availablenetwork interfaceof your routerastheir default gateway. Butbe warnedthat any hostthat is actuallyableto sendpacketsto you couldhidebehindyour router, i. e. if its packetsarenot destinedfor oneof your router’s IPaddresses.

In the following sectionwe will describethe configurationof SuSEfirewall,which is a rathermorechallengingtaskandrequiresa certaindegreeof expe-rienceandunderstanding.Pleasenotethatneitherthe configurationof firewallpackagesnor thesetupof masqueradingarecoveredby thefreeinstallationsup-port thatSuSEprovides.

D.1.4 SuSEfire wall

Youcanfind documentationonSuSEfirewall in /usr/share/doc/packages/SuSEfirewall. Also, thetheoreticalbackgroundis alsocoveredin thismanual.

Theconfigurationof SuSEfirewall is storedin /etc/rc.config.d/firewall.rc.config andis commentedin English.Thefollowing paragraphsarea step-by-stepdescriptionto successfullycompletethe configuration. For eachcon-figurationitem, you’ll find a notewhetherit is relevant for firewalling or mas-querading.If youstumbleacrossany commentsin theconfigurationfile thatare

144


relatedto what is calledDMZ (or “demilitarizedzone”),pleasenotethat this isnot coveredhere.

If yourrequirementsarestrictly limited tomasquerading,fill outtheitemsmarkedwith masqueradingonly.

• START_FW (firewall, masquerading):Setthis variableto yes in /etc/rc.config, in order to ensurethe script is started. This enablesthe firewalland/ormasquerading.

• FW_DEV_WORLD (firewall, masquerading):For exampleeth0. This is thedevice to link you up with the Internet. In the caseof ISDN, for instance,you’d have to insertippp0 here.

• FW_DEV_INT (firewall, masquerading):Thedevice linking you up with theinternal,“private” network. Leave this blank if there’s no internalnetwork,e.g. if thefirewall is supposedto protectonly this host.

• FW_ROUTE (firewall, masquerading):If youneedthemasqueradingfunction,youhaveto insertyes here.For afirewall withoutmasquerading,thisshouldbe doneonly if accessto the internalnetwork is required– which in turnwould only work if your internalhostsuseofficially registeredIP’s. Nor-mally, though,youshouldnotallow accessto your internalnetwork from theoutside.On theotherhand,if you insertyes becauseof masquerading,yourinternalhostsarestill invisible to the outsidedue to their privatenetworkaddresses(e.g. 192.168.x.x) which areignoredby Internetrouters.

• FW_MASQUERADE (masquerading):Set this to yes if you needthe mas-queradingfunction. Note that it’s saferto have a proxy server betweenthehostsof theinternalnetwork andtheInternet.

• FW_MASQ_NETS (masquerading):Insertthehostsand/ornetworksto bemas-queraded,leaving a spacebetweentheindividualentries.For example:

FW_MASQ_NETS="192.168.0.0/24 192.168.10.1"

• FW_PROTECT_FROM_INTERNAL (firewall): Set this to yes if you want toprotectyour firewall hostfrom attacksoriginatingin your internalnetworkaswell. If you do so,servicesareonly availableto the internalnetwork ifexplicitly enabled.Also seeFW_SERVICES_INTERNAL_TCP andFW_SERVICES_INTERNAL_UDP.

• FW_AUTOPROTECT_GLOBAL_SERVICES (firewall): This shouldnormallybeleft asit is, i. e.setto yes.

• FW_SERVICES_EXTERNAL_TCP (firewall): Enter the servicesto be madeavailable,e.g. "www smtp ftp domain 443". You’d normally leave thisblankfor a workstationat homethatis not supposedto offer any services.

• FW_SERVICES_EXTERNAL_UDP (firewall): Leave this blank if you don’thappento run a nameservicewhich you want to make availableto theout-side.Otherwise,inserttheportsto beused.

145

D Network Security

• FW_SERVICES_INTERNAL_TCP (firewall): This definesthe servicesmadeavailableto theinternalnetwork. Thenotationis thesameasforFW_SERVICES_EXTERNAL_TCP, but refersto the internal network in thiscase.

• FW_SERVICES_INTERNAL_UDP (firewall): Seeabove.

• FW_TRUSTED_NETS (firewall): Herewe specifythehoststhatwe canreallytrust (“trustedhosts”). Note,however, that theseneedto be securedby thefirewall just likeany others.

Here’s anexample:"172.20.0.0/16 172.30.4.2" meansthatall hostswhich have an IP addressbeginning with 172.20.x.x, plus the hostwiththeIP address172.30.4.2, areallowedto passthroughthefirewall.

• FW_SERVICES_TRUSTED_TCP (firewall): Hereyou canspecifytheport ad-dresseswhich maybeusedby “trustedhosts”. For instance,if you weretograntthemaccessto all services,you’d enter1:65535. Usually, though,itwill besufficient to enterssh astheonly service.

• FW_SERVICES_TRUSTED_UDP (firewall): Justlikeabove,but for UDPports.

• FW_ALLOW_INCOMING_HIGHPORTS_TCP (firewall): Setthisto ftp-data ifyou intendto usenormal(active)FTPservices.

• FW_ALLOW_INCOMING_HIGHPORTS_UDP (firewall): Set this to dns to beableto usethenameserversregisteredin /etc/resolv.conf. If youenteryes here,all high portswill beenabled.

• FW_SERVICE_DNS (firewall): Enteryes hereif you’rerunninganameserverthat is supposedto be availableto externalhosts. At the sametime, you’llneedto enableport 53underFW_TCP_SERVICES_*.

• FW_SERVICE_DHCLIENT (firewall): Enteryes hereif you’reusingdhclientto getyour IP address.

• FW_LOG_*: Hereyou canspecifythefirewall’s loggingactivity. For normaloperation,it’ ll besufficient to setFW_LOG_DENY_CRIT to yes.

• FW_STOP_KEEP_ROUTING_STATE (firewall): Insert yes hereif you haveconfiguredyour dialoutprocedureto work automaticallyvia diald or ISDN(dial ondemand).

Now thatyou’redoneconfiguringSuSEfirewall, pleasedon’t forgetto testyoursetup(e.g. with telnet from an external host). Have a look at /var/log/messages, whereyoushouldseesomethinglike this:

Feb 7 01:54:14 www kernel: Packet log: input DENY eth0PROTO=6 129.27.43.9:1427 195.58.178.210:23 L=60 S=0x00I=36981 F=0x4000 T=59 SYN (#119)

146

D.2 SSH – Secure Shell, the SafeAlternative

D.2 SSH* – Secure Shell, the Safe Alternative

In this ageof theomnipresentnetwork, accessinga remotesystemis a matteroffact. If we areusingit to receive mail, mantaina server or to appendanarticleto a websiteof aneditorialsystem– anauthenticationof theuserscarryingoutsuchactionsalwayshasto take place.Thesedays,mostusersarewell awarethattheir usernameandpassword is onlyintendendfor their own use. Obligationto personaldatais usuallyguaranteedbetweentheemployer, computercenteror serviceprovider.However, thecontinuingpracticeof authenticatingandtransferringdatain cleartext form is afrighteningphenomenon.MostdirectlyaffectedarethecommonlyusedservicesPost Office Protocol (POP) for retrieving mail andtelnetfor logging on to remotesystems.Using thesemethods,userinformationanddataconsideredsensitive, suchasthe contentsof a letter or a chatvia the talkcommand,travel openlyandunsecuredover the network. For one thing, thisencroacheson theuser’s privacy and,for another, it leavessuchaccessmethodsopento misuse.Suchaccessis oftenused,especialyto attackothersystemsfromthere,or to obtainadministratoror rootpermissionson this system.The vulnerability of a systembecomesespeciallyapparentif ‘root’ tasksofthisnaturearecarriedoutonaremotenetwork. Wouldyouannouncewhereyouhideyourextraapartmentkey over theradio?Any device involved in datatransferor operatingon the local network suchasfirewall, router, switch,mailserver, workstation,etc.,canalsoaccessthedata.Incontrastto someoneelseopeningandsabotagingyourmail at thepostoffice,forexample,thereis no way a recipientcanbeawareof thecopying or alteringofhis or herdigital data.Therearelaws thatbasicallyprohibit suchbehavior, indeedit is liable to prose-cution,but oneshouldstill not rely on the relatively negligible chancesof suchoperationsbeinguncovered,astherearenumerouswaysdatacanbehacked.In respectto theserisks,droppingthenetwork connectionremainstheonly op-tion, but it is neitherfeasiblenordesirablein mostcases.Justasshuttingoff theirreplacableserviceslikewisevulnerableto eavesdroppingis not a solution.Thessh softwareprovidestheonly preferrablealternative.Completeauthentica-tion, usuallyusernameandpassword aswell asthecommunicationis encryptedhere.Evenhere,snatchingtransferrabledatais possible,but thecontentscanatleastnotbedecipheredby intruderswithout themissingkey. Thisenablessecurecommunicationvia unsecurednetworkssuchastheInternet.SuSELinux includesthe ssh openssh packagesin the sec series. Basically,both packagesprovide the samefunctionality. Whendecidingbetweenoneorthe otherproduct,you shouldconsiderthat, on the onehand,ssh may not beimplementedin thecommercialarenadueto its availability at no costunderthestipulationof an OpenSourcelicense. You canfind moreinformationon thisunder/usr/share/doc/packages/ssh/COPYING after having installedthessh package.On the otherhand,the openssh packageis alsoprovidedwhichhasbeendevelopedfor severalyears.It is undertheauspicesof a lessrestrictivelicense.SuSELinux usesit in all of its packagedefault selections.To this end,thefollowing sectionswill referto OpenSSH.

147

D Network Security

D.2.1 The OpenSSH Package

As soonasyouhaveinstalledtheopenssh package,thefollowing programswillbeavailableto you: ssh, scp andsftp asalternativesto telnet, rlogin, rsh, rcp andftp.

D.2.2 The ssh Program

With thessh program,you canlog on to remotesystemsandwork interactivelythere.It is thusa replacementfor both telnet andrlogin. Dueto its similarity torlogin, thesymbolicnameslogin similarly correspondsto ssh. For example,youcanlog in to thehosthelios by enteringhannah@earth:~> ssh sun

After thecommandhasrun its course,you will beaskedfor a password on thehelios systemwithhannah@sun password:

Following successfulauthentication,youcanwork from thecommandline there,e.g. with ls, or interactively with theSuSEadministrationprogramYaST.

If thelocalusernameis differentfrom theremoteusername,youcanlog in usinga differentlogin nameviahannah@earth:~> ssh -l augustine sun

orhannah@earth:~> ssh augustine@sun

Furthermore,ssh offers the familiar option from rsh of runningcommandsonanothersystem. In the following example,we will run the commanduptimeis run on the hosthelios anda directorywith the nametmp is created.Theprogramoutputis displayedon thelocal terminalof thehostearth.hannah@earth:~> ssh sun ’uptime; mkdir tmp’hannah@sun password:

1:21am up 2:17, 9 users, load average: 0.15, 0.04, 0.02

Apostrophesarenecessaryhereto summarizethecommands.Only thencanthesecondcommandberunon thehostsunin.

D.2.3 scp – Secure Copy

Using scp, copy the files to a remotemachine.scp is the mostsecureanden-cryptedsubstitutefor rcp. For example,hannah@earth:~> scp MyLetter.tex sun:

copiesthefile MyLetter.tex from themachineearth to themachinesun. Iftheusernamesinvolvedonearth andsundiffer, scp will resortto theusername@machine format alreadymentionedin referenceto the ssh com-mand.An -l optiondoesnot exist here.

After it asksfor the password, scp will start the datatransferandwill show aseriesof stars,graduallymarkingtheprogressfrom left to right. In addition,the

148


estimatedtime of arrival will be shown on the right margin. All outputcanbesuppressedby giving theoption-q.

scp provides,alongwith copying individualfiles,arecursivecopying featureforentiredirectories.

hannah@earth:~> scp -r src/ sun:backup/

copiestheentirecontentsof thedirectorysrc/ includingall sub-directoriestothe machinesun. Becausethe directory namebackup is specified(after thehostnamesun:),datais storedin thesub-directorybackup on themachinesun.If this sub-directorydoesnot exist yet, it will automaticallybe createdby thiscommand.

Via the option-p, scp canobtaina time stampof thefiles. -C compressesthedatatransfer. Thisminimizesthedatavolumebeingtransferred,but createsmoredemandon the processor. The latter concernis negligible in light of modernprocessorcapabilities.

D.2.4 sftp - Secure File Transf er

Alternatively, sftp canbe usedfor securefile transfer. During the session,sftpprovidesmany of the samecommandsfamiliar from ftp. This may be an ad-vantageover scp,especiallywhentransferringdatafor which thefilenamesareunknown.

D.2.5 The SSH Daemon (sshd) – Server-Side

To implementssh andscp, the ssh client programs,an ssh daemon,a server,have to berunningin thebackground.This waitsfor its connectionsonTCP/IP port 22.

Thessh daemonis a componentof thessh packageandis automaticallystartedon a SuSELinux systemin runlevel 3 and5 . ThevariableSTART_SSHD issetto yes in /etc/rc.config.

The daemongeneratestwo key pairswhenstartingfor the first time. The keypairsconsistof a privateanda public key. Therefore,this procedureis referredto aspublic key-based.To guaranteethesecurityof thecommunicationvia ssh,only thesystemadministratorcanseetheprivatekey files. Thefile permissionsarerestrictively definedby thedefaultsetting.Theprivatekeysareonly requiredlocally by thessh daemonandcannotbegivento anyoneelse.

On the otherhand,the public key components(possiblya file recognizablebythenameextension.pub) aresentto communicationpartnersandarereadablefor all users.

A connectionis introducedby thessh client. Thewaiting ssh daemonandtherequestingssh client exchangeidentificationdatacomparingthe protocolandsoftwareversionsand to prevent connectionto the wrong port. Sincea childprocessof theoriginal ssh daemonis theonethatanswers,severalssh connec-tionscanbemadesimultaneously.

149

D Network Security

Theserverwill thensendits publichost key andaserver key, regeneratedby thessh daemonevery hour. Both allow thessh client to encrypta currentlyavailablesessionkey andthento sendit to the ssh server. The ssh client alsosuppliestheserverwith thepreferredencryptionmethodor cipher.The privatehostandserver keys absolutelynecessaryfor decodingthe sessionkey cannotbe derived from the public parts. Only the ssh daemoncontactedcandecipherthe sessionkey using its own keys (seealso/usr/share/doc/packages/openssh/RFC.nroff).

This initial connectionphasecanbe followed closelyusingthe ssh client pro-gram’serrorsearchoption-v. It will endwith theconfirmationoutputof thesshdaemon,“Receivedencryptedconfirmation.”.By way of client-sidestorageof all public hostkeys following initial contactin ~/.ssh/known_hosts, such“man-in-the-middle”accessattemptscan beprevented.ssh serverswhich try to fraudulentlyusenamesandIP addressesofotherswill beexposedby a clearindicator. Either they will benoticeddueto ahostkey which differsfrom ~/.ssh/known_hosts, or they will not beabletodecipherthesessionkey in theabsenceof anappropriateprivatecounterpart.It is recommendedthat you securelyarchive the privateandpublic keys storedin /etc/ssh/ externally. In this way, key modificationscanbe detectedandthe old onessavedagainafter re-installingthem. The latteractionsparesusersfrom theunsettlingwarning.If it is verifiedthat,despitethewarning,it is indeedthe correctssh server, the existing entry regardingthis systemwill have to beremovedfrom ~/.ssh/known_hosts.

D.2.6 SSH Authentication Mechanisms

Now, theactualauthenticationwill take placewhich, in its simplestform, con-sistsof enteringapassword asmentionedabove.

The aim of ssh wasto introducea securesoftwarethat is alsoeasyto use. Aswith the rsh andrlogin programs,soonto bereplaced,ssh mustalsobeabletoprovideanauthenticationmethodwhich is simpleto useon a daily basis.

ssh accomplishesthisby wayof anotherkey pairgeneratedby theuser. Thesshpackagealsoprovidesa helpprogram,ssh-keygen, for this. After enteringhannah@sun:~> ssh-keygenGenerating RSA keys:

the key pair will begeneratedaftera minuteor two. You will bepromptedforthebasefilenamewhereyouwantto storethekeys:Enter file in which to save the key (/home/hannah/.ssh/identity):

Confirmthedefaultsettingsothatyouendupwith this requestfor apassphrase:Enter passphrase (empty for no passphrase):

Even if the software suggestsan empty passphrase,a text from ten to thirtycharactersis recommendedfor the proceduredescribedhere. Useasshortandsimplea phraseaspossible.After you have enteredthis successfully, you willbe promptedto confirm this by enteringit again. Subsequently, you will seethe outputof the locationwherethe privateandpublic keys arestored,in ourexample,thefilesidentity andidentity.pub, .

150


Enter same passphrase again:Your identification has been saved in /home/hannes/.ssh/identity.Your public key has been saved in /home/hannes/.ssh/identity.pub.The key fingerprint is:79:c1:79:b2:e1:c8:20:c1:89:0f:99:94:a8:4e:da:e8 hannah@sun

Whentheprivatekey (identity) is generatedandis locatedon a systemyou arenot administeringor whenretrieving your userdirectoryover theNFS,it is es-peciallyimportantto useapassphrase.Usessh-keygen -p to changeyouroldpassphrase.

Copy the public key component(identity.pub)to the remotemachineandsaveit thereat the location~/.ssh/authorized_keys. You will be asked to au-thenticateyourselfwith your passphrasethenext time you attemptto make theconnection.If this doesnot occur, verify thelocationandcontentsof theafore-mentionedfiles.

In the long run, this procedureis moretroublesomethangiving your passwordeachtime. To handlethis, the ssh packageprovidesanotherhelpprogram,thessh-agent, whichretainstheprivatekeysfor thedurationof an“X session”.TheentireX sessionwill thenbestartedasachild processof ssh-agents. Theeasiestway to do this is to setthevariableusessh at thebeginningof the.xsessionfile to yes andto log in via a displaymanagersuchasKDM or XDM. Alterna-tively, youcanenterssh-agent startx.

As soonasyouhavestartedyourX session,releaseyourprivatekey via ssh-add.Unlessssh-add canaccessa terminal,e.g. is startedvia a menuor is re-routedby </dev/null, agraphicalentryscreenwill appear, x11-ssh-askpass.

Now you can use ssh or scp as you normally would. Given that you haveassignedyourself a private key as describedabove, you shouldno longer bepromptedfor yourpassword.

Besureto exit yourX sessionor to lock yourscreenvia apasswordlock programsuchasxlock whenleaving yourmachine.

D.2.7 X, Authentication and other Forwar ding Mechanisms

Beyond the previously describedsecurity-relatedimprovements,ssh alsosim-plifies the usageof remoteX applications.If you call up ssh with the option-X, theDISPLAY variablewill automaticallybeseton theremotemachineandall X outputwill be pipedto the remotemachineover the existing sshconnec-tion. At thesametime,thisconvenientfunctionpreventstheauthorizedintrusiondiscussedabovewhenX applicationsarestartedremotelyandlocally viewed.

By addingtheoption-A, thessh-agent authenticationmechanismwill becarriedover to the next machine.Thisway, you canview theseapplicationsfrom onemachineto theotherwithout having to entera password. However, only if youhave previously assignedthepublic key to thedestinationhostsin questionandhaveproperlysavedthemthere.

To be safe,both mechanismshave beende-activatedin the default settngsbutcanbe permanentlyactivatedat any time in the system-wideconfigurationfile/etc/ssh/sshd_config or theuser’s~/.ssh/config.

151

D Network Security

Similar to X forwarding,ssh canbe alsousedto pipe any TCP/IPconnection.As anexample,SMTPandPOP3portpipes:root@earth:~ # ssh -L 25:sun:25 sun

Here,eachconnectionis piped to “earth port 25”, SMTP to the SMTP porton helios via anencryptedchannel.This is especiallyusefulefor thoseusingSMTPserverswithoutSMTP-AUTH or POP-before-SMTPfeatures.E-mailcanbetransferredfor delievery via the“home” mail server in this mannerfrom anyarbitrarylocationconnectedto anetwork.

In a similar manner, the following commandforwardsall port 110 andPOP3requestsonearth to thePOP3portof heliosroot@earth:~ # ssh -L 110:sun:110 sun

Bothexamplesmustbecarriedoutby user‘root’ sincetheconnectionis madeto privilegedlocal ports. E-mail is sentandretrieved,asis customary, by nor-mal usersin an existing ssh connection. The SMTP andPOP3hostmust beconfiguredon thelocalhostfor this reason.

Additional informationcanbe found in the manualpagesfor eachof the pro-gramsdescribedaboveandalsoin thefilesunder/usr/share/doc/packages/openssh.

D.3 Security as a Matter of Confidence

D.3.1 Basic Considerations

Oneof themaincharacteristicsof a Linux/UNIX systemis its ability to handleseveralusersat a time andto allow theseusersto performseveral tasksat once(multi-user, multi-tasking),all on thesamecomputer. Moreover, we expecttheoperatingsystemto benetwork transparent,i. e.oftenwewouldn’t evenwanttoknow whetherthedataor applicationsthatwe’reusingareprovidedlocally fromour machineor madeavailablefrom somewhereelse.

Thisparticularfeatureof having severaluserswith multiple tasksrunningononesystemleadsto theobviousneedfor a mechanismto keeptheseusersandtheirdataseparatefrom eachother. Now this is undeniablyanareawheremany variedconsiderationshaveto bemadeandsomeof themmayinvolvecertainemotionalaspects.Therefore,it’s really importantto givesomeseriousthoughtto securityandprivacy issues.

The term “data security” isn’t really all that new; in fact, it wasalreadyin usebeforecomputerscould be linked throughnetworks. Justlike today, the mostimportantconcernwastheability to keepdataavailablein spiteof a lost or oth-erwisedamageddatamedium(a harddisk in mostcases),probablymorethanthe possibility that sucha defectcould bring down the wider infrastructureforsometime. This chapterof theSuSEmanualis primarily focusedon confiden-tiality issuesandonwaysto protecttheprivacy of users,but it cannotbestressedenoughthatacomprehensivesecurityconceptshouldalwaysincludeproceduresto have a regularly updated,workableandtestedbackupin place.Without this,youcouldhaveaveryhardtimegettingyourdataback– andnotonly in thecase

152


of somehardwaredefect,but also if the suspicioncreepsin that someonehasgainedunauthorizedaccessandtamperedwith yourfiles.

D.3.2 Local Security and Network Security

If westepbackonemoment,it seemsonly logical thatdatastoredonacomputercanonly beaccessedif it hasactuallybeenmadeavailablesomehow. Assumingthat we don’t want to keepour dataunderlock andkey forever, we cangiveaccessto it in severalways:

• Somepersonis sitting in front of acomputerandis talking to theuserof thedataon thephone

• directly from theconsoleof acomputer(physicalaccess)

• overa serialline

• usinga network link

Obviouslyall thesecasesaresimilar in that,asauser, you’d haveto authenticatebeforebeingable to accessthe resourcesor datain question. In otherwords,thereshouldbesomeaccessrule in placewhichrequiresyouto provideproofofyour identity to gainaccessto thedataor computingresourcesrequested.Nowa webservermight belessrestrictive in this respect,but you still wouldn’t wantit to discloseall your personaldatato any surferout there. On a SuSEsystem,a few tweaksare probablysufficient to make it boot right into your desktopwithout evenaskingfor a password – only in mostcasesthatwouldn’t besucha good idea. Becausein a way, with the login procedure,you “extend” yourpersonalityandits actionsontothecomputerthatyou’recontrollingand,with afew exceptions,youwouldn’t wantany otherpersonto dosoon yourbehalf.

In the list above, the first caseis the onewherethe highestamountof humaninteractionis involved, like whenyou’re contactinga bankemployeeandneedto prove that you’re the personowning that bankaccount. So you’ll be askedto provide a signature,a PIN or a password to prove thatyou’re thepersonyouclaimto be. In somecases(whicharenot really typical for computers,operatingsystemsandnetworks) it might be possibleto elicit someintelligencefrom aninformedpersonjust by mentioningknown bits andpieceshereandtherein acanny way or to worm one’sway into theconfidenceof thatpersonby applyingclever rhethoric.Thevictim couldbeled to graduallyrevealmoreandmorein-formation,maybewithout even becomingawareof it. Somepeopleareratherunmindfulof what they sayor actunconsciouslyin theway they give answers,so that even a questionwhich they believe wasleft unansweredmight provideenoughinformation to proceedwith an even moreprecisequestion. Pieceaf-ter piecegetsaddedto thepuzzleuntil thepictureis nearlycomplete(“No, Mr.Smith is on vacationright now, it’s at leastthreeweeksbeforehe’ll bebackin.He’s not my bossanyway, you know he’s up therein thefourth storywhile I’mherein the third!”). In hacker circles, this is called“social engineering”.Youcanonly guardagainstthis by educatingpeopleandby dealingwith languageand information in a consciousway. Beforebreakinginto computersystems,

153

D Network Security

attackersoftentry to targetreceptionists,servicepeopleworking with thecom-pany or evenfamily membersand,in many cases,suchanattackbasedonsocialengineeringwill only bediscoveredat a muchlatertime.

A personwanting to obtain (unauthorized)accessto your datacould alsousethe conventional,very traditionalway andtry to get at your hardwaredirectly.Therefore,themachineshouldbeprotectedagainstany tamperingsothatnoonecanremove, replaceor cripple its components.This alsoappliesto the systemasa whole (including the backups!)andeven any network cableor the powercord. Likewise, it might be necessaryto securethe boot procedure,as therearesomewell-known key combinationsprovoking specialreactionson bootup.You canprotectyourselfagainstthis by settingpasswordsfor theBIOS andthebootloader.

Serialportsconnectingwith terminalsarestill beingusedin many placesbut arerarely installedwith new systemsanymore. With regardto dataaccess,serialterminalsare a specialcase,i. e. unlike network interfacesthey don’t rely ona network protocol to communicatewith the host. A simplecable(or maybean infrared port) is usedto sendplain charactersback and forth betweenthedevices. The cableitself is the weakestpoint of sucha system: With an oldprinterconnectedto it, it’sreallyeasyto recordanythingthatrunsoverthewires.Whatcanbeachievedwith a printercanalsobedonein otherways,dependingon theeffort thatgoesinto theattack.

Networksmake it easierfor usto accessdataremotely, but they do this with thehelpof network protocolswhichareoftenrathercomplex. Thismightseempara-doxicalatfirst, but is really indispensableif youwantto work from any locationsowish to remotelycontrolacomputeror to retrievedatafrom it. It is necessaryto haveabstract,modulardesignswith layersthataremoreor lessseparatefromeachother. We rely on suchdesignsin many daily computingsituations.Mod-ularity meansthatyour text processor, for instance,doesn’t needto know aboutthekind of harddisk thatyou’reusing,or thatyoure-mailprogramdoesn’t haveto carewhetheryouhavea modemor anethernetcard.Thecomponentsof youroperatingsystem(Linux in our case)careaboutthe detailsof a certainsetoffunctionsandmake theseavailableto thesystemthroughapredefinedinterface.With this modularity, a text processoror a mail useragent(MUA) canfunctionon a variety of hardwareplatforms,while, at leastin principle, you could alsousetheseprogramsfrom any placein theworld.

>Fromthedataperspective andasa consequenceof theway in which files arehandledandaccessed,thereis nodifferencebetweenopeningafile from acom-mandline or telling awebserver(e.g. Apache)to dosofor yousothatthefile issentout over thenetwork anddisplayedby a browser. In bothcases,a userwiththeproperpermissionshasopenedthefile andseenat leastpartsof its contents.Thereareotherpossibilities:to readthefile, youcouldalsolog in via a network(e.g. usinga telnetprogramor with a secureshell client – which is actuallyamuchbetteroptionassshencryptsall network traffic). To doso,however, you’dhave to take severalhurdles:first, you arerequiredto log in at thehostover thenetwork, i. e. to authenticateyourself(provideproofof your identity). Onceyouarein, you facethefile permissionsrestrictingyouractionson thatsystem.

154


Giventhatopeninga file locally on a hostrequiresotheraccessrulesthanopen-ing anetwork connectionwith a serverona differenthost,weneedadistinctionbetweenlocal securityandnetwork security. The line betweenthe two canbedrawn wheredatahaveto beput into packets,in orderto besentsomewhereelsebeforethey canbeused.

Local Security

As we’ve mentionedabove, local securitystartswith the physicalenvironmentin thelocationwherethecomputeris running.Let’sassumethatyourmachineissetup in aplacewheresecurityis in line with yourexpectationsandneeds.Nowif you put yourselfin theplaceof anattacker for a moment,it’s easyto seethataslong aswe’re talking about“local security”,thetaskis to keepusersseparatefrom eachother, sothatnousercanassumethepermissionsof anotherone.Thisis a generalrule to beobserved,but it’s especiallytruefor the‘root’ account,thesupremepoweronany system.Usersthatbecome‘root’ havetheability totake over any otherlocal useraccountwithout knowing thepassword, andthusreadany locally storedfile.

For anattacker who obtainedaccessto local resourcesfrom thecommandline,there’s certainly no shortageof things that could be doneto compromisethesystem:

Passwords

On a Linux system,it is, of course,not thecasethatpasswords(andyou do usepasswordson yourmachine,don’t you?)arestoredasplain text to just comparethetext stringwith whathasbeenenteredat theprompt.If thingswerelike that,all accountson your systemwould be compromisedassoonassomeonegrabsthe correspondingfile. Rather, the systemencryptsyour password; eachtimeit is entered,it getsencryptedagain,and is comparedwith the previously en-cryptedstring. Naturally, this will only work if the encryptedpassword cannotbe reverse-computedinto the original text string. This is actuallyachieved bya specialkind of algorithmwhich is alsocalled“trapdooralgorithm” becauseitonly works in onedirection. An attacker who hasobtainedtheencryptedstringwon’t be ableto get at your password by simply applyingthe samealgorithmonceagain.Instead,it wouldbenecessaryto testall thepossiblecharactercom-binations,until a combinationis found which looks like your password whenencrypted.As you canimagine,with passwordsthatareeightcharacterslong,therearequiteanumberof possiblecombinationsto calculate.

In theseventies,it wasarguedthat this methodwould bemoresecurethanoth-ers due to the relative slownessof the algorithm used,so that it took one ormoremoresecondsto encryptjust onepassword. In the meantime,however,PC’shavebecomepowerful enoughto doseveralhundredthousandor evenmil-lion encryptionspersecond,which is why wehavetwo additionalrequirements.First,encryptedpasswordsshouldnot bevisible to regularusers(therefore,reg-ular usersdon’t have readpermissionfor /etc/shadow). Second,evenif pass-wordsbecamevisible becauseof someerror, they shouldn’t be easyto guess.Accordingly, it’s not really usefulto “translate”a password like “tantalise” into“t@nt@1ls3”. Thingslike thatwhereyou just swapa few lettersarea pieceof

155

D Network Security

cake for password crackingprogramswhich usedictionariesto guesswords. Abetterway would be to make up a word with no commonmeaning,somethingwhich only makessenseto you personally(but not in the way you seta cipheron thecombinationlock of your suitcase!),like the first lettersof thewordsofa sentence.As an example,onecould usea book title, suchas“The Nameofthe Rose”by UmbertoEco. This would give the following well-formedpass-word: “TNotRbUC9”. By contrast,passwordslike “beerbuddy” or “jasmine76”areeasilyguessedevenby someonewhohasonly somecasualknowledgeaboutyou.The boot procedureYoushouldconfigureyoursystemsuchthatit cannotbebootedfrom afloppy orfrom CD, eitherby removing thedrivesentirelyor by settinga BIOS passwordandconfiguringtheBIOS to allow bootingfrom aharddiskonly.

Normally, a Linux systemwill bootstrapwith thehelpof a bootloaderallowingyou to passon additionaloptionsto thebootkernel.Theseoptionsarecrucialtoyoursystem’ssecurity:Not only doesthekernelitself runwith rootpermissions,but it is alsothefirst authorityto grantroot permissionson systemstartup.Youcanpreventothersfrom usingsuchparameterson bootupby usingthe options“restricted”and“password=your_own_password” in /etc/lilo.conf. Don’tforgetto executethecommandlilo aftermakingany changesto /etc/lilo.conf andlook for any unusualoutputthat thecommandmight produce.If youshouldforget this password, you’ll have to know the BIOS password andbootfrom CD to readtheentryin /etc/lilo.conf from a rescuesystem.File PermissionsAs a generalrule, oneshouldalwayswork usingthemostrestrictive privilegespossiblefor a given task. For instance,it’s definitely not necessaryto be rootto reador write one’s e-mail. If the mail program(or MUA = mail useragent)that you’re usinghasa bug, this bug couldbe usedasan attackingmechanismwhich will actwith exactly thepermissionsof theprogramwhenit wasstarted.By following theaboverule,you’ll mimimizetherisk of thathappening.The permissionsof the well over 200,000files includedin a SuSEdistributionarecarefullychosen.A systemadministratorwho installsadditionalsoftwareorotherfilesshouldtakegreatcarewhendoingso,especiallywhensettingtheper-missionbits. Experiencedandsecurity-conscioussystemadministratorsalwaysusethe-l optionwith thecommandls to getanextensivefile list, whichallowsthemto detectany wrongfile permissionsimmediately. It shouldalsobenotedthat an incorrectfile attribute doesnot only meanthat files could be overwrit-tenor deleted.It alsoallows for a situationwherefiles thathave beenchangedcouldbeexecutedwith thepermissionsof ‘root’ or, in thecaseof configura-tion files, that programscould usesuchfiles with the permissionsof ‘root’.This increasesthepossibility thata potentialattacker will besuccessfulquiteabit. Attacksof this kind arecalledcuckoo’seggs,becausetheprogram(theegg)is hatched(executed)by a differentuser(bird), just like a cuckoo would trickotherbirdsinto hatchingits eggs.A SuSEsystemincludesthefilespermissions, permissions.easy,permissions.secure andpermissions.paranoid, which areall in thedi-rectory/etc. Thepurposeof thesefiles is to definespecialpermissions,suchas

156


world-writabledirectoriesor setuserID bits (if the latter is set,thecorrespond-ing programwon’t run with thepermissionsof theuserthathaslaunchedit, butwith thepermissionsof thefile owner, whichwill be‘root’ in mostcases).Anadministratormayusethefile /etc/permissions.local to addhis own set-tings.ThevariablePERMISSION_SECURITY, whichis setin /etc/rc.config,defineswhich of theabovefiles is usedby SuSE’sconfigurationprogramsto setpermissionsaccordingly. As a moreconvenientway to selectthe file, you canusethesubmenu‘Security’ in YaST1 or YaST2. To learnmoreaboutthetopic,pleasereadthecommentsin /etc/permissions, or consultthemanualpageof chmod (man chmod).

File raceconditions

Let’s assumethata programwantsto createa file in a directorywhich is world-writable(suchas/tmp). First theprogramcheckswhetherthefile alreadyexistsand, if that is not the case,it getscreated. However, betweencheckingandfile creation,thereis a very shortmomentwhich canbe usedby an attacker tocreatea symboliclink, i. e. a pointerto anotherfile. Theprogrammay thenbetrickedinto following thesymboliclink, overwriting thetargetfile with its ownpermissions.This is calleda racebecausetheinterval duringwhich theattackercan createa “symlink” is very short indeed. The raceis only possibleif thecheckingandfile creationprocedureis not madeto be indivisible or atomic. Iftheraceis allowedto takeplaceatall, there’sachancethatit maybewonby theattacker, i. e. it’s all a matterof probability.

Buffer overflows,format string bugs,signedand unsignedbugs

Specialcaremust be taken whenever a programis supposedto processdatawhich canor couldbechangedby a userat will, thoughthis is moreof anissuefor theprogrammerof anapplicationthanfor regularusers.Theprogrammerhasto make surethathis applicationwill interpretdatain the correctway, withoutwriting theminto memoryareaswhicharetoosmallto holdthem.Also, thepro-gramshouldhandoverdatain a consistentmanner, usingtheinterfacesdefinedfor thatpurpose.

A buffer overflow canhappenif theactualsizeof a memorybuffer is not takeninto accountwhenwriting to that buffer. Thereare caseswherethis data(asgeneratedby the user)useup somemore spacethan what is available in thebuffer. As aresult,datais writtenbeyondtheendof thatbufferarea,whichundercertaincircumstancesmakes it possiblethat a programwill executeprogramsequencesinfluencedby theuser(andnot by theprogrammer),ratherthanjustprocessinguserdata. A bug of this kind may have seriousconsequences,inparticularif theprogramis beingexecutedwith specialprivileges(seetheabovesectionon this topic). “Formatstringbugs”work in a slightly differentway, butagainit’s theuserinputwhich couldleadtheprogramastray.

In mostcases,theseprogrammingerrorsareexploited with programsthat areexecutedwith specialpermissions,i. e. setuidandsetgidprograms– which alsomeansthatyoucanprotectyourdataandyoursystemfrom suchbugsby remov-ing thecorrespondingexecutionprivilegesfrom programs.Again, thebestwayis to applyapolicy of usingthelowestpossibleprivileges(seethesectiononthetopic of permissions).

157

D Network Security

Given thatbuffer overflows andformatstring bugsarebugsrelatedto thehan-dling of userdata,they arenotonly exploitableif accesshasbeengivento alocalaccount.Many of the bugsthat have beenreportedcanalsobe exploited overa network link. Accordingly, buffer overflowsandformatstringbugsshouldbeclassifiedasbeingrelevantfor bothlocalandnetwork security.

Viruses

Contraryto whatsomepeoplewill tell you, thereare virusesthatrun on Linux.However, thevirusesthatareknown werereleasedby their authorsas“proof ofconcept”,meaningthat they werewritten in order to prove that the techniqueworksasintended.On theotherhand,noneof theseviruseshave beenspotted“in thewild” sofar.

Viruseswouldn’t be able to survive andspreadwithout a host on which theycanlive. In our case,thehostwould bea programor an importantstorageareaof the system,suchas the masterboot record,which needsto be writable forthe programcodeof the virus. Owing to its multiusercapability, Linux canrestrict write accessto certainfiles, which is the caseespeciallywith systemfiles. Therefore,if you did your normalwork with ‘root’ permissions,you’dincreasethechanceof thesystembeinginfectedby a virus. By contrast,if youfollow theprincipleof usingthelowestpossibleprivilegesasmentionedabove,chancesare that you’ll have a hard time getting any virus at all. Apart fromthat, you shouldnever rush into executinga programthat you’ve gottenfromsomeInternetsitewhich you don’t really know. SuSE’s RPM packagescarryacryptographicsignature,asa digital label that the necessarycarewastaken tobuild them. Virusesarea typical symptomthat the administrator(or the user,for thatmatter)lackstherequiredsecurityawareness,thusputtingat risk evenasystemthatshouldbehighly secureby its verydesign.

Virusesshouldnot be confusedwith wormswhich belongto the world of net-worksentirelyanddon’t needa hostfor spreading.

Network Security

As long aswe werefocusedon local security, our maingoalwasto keepusersapartwithin a system,andin particulartheuser‘root’. By contrast,networksecuritymeansthatthesystemaswholeshouldbeprotectedfrom anattackorig-inating in the network. Thoughthe typical login procedurerequiresenteringausernameanda password, this kind of userauthenticationis mostly relatedtolocalsecurity. However, in thespecialcaseof loggingin overanetwork,weneedto considerboththeactionshappeningbeforetheauthenticationproper(networksecurity)andanything thathappensafterwards(localsecurity).

X Window system(X11 authentication)

As we’vementionedat thebeginning,network transparency is oneof thecentralcharacteristicsof aUNIX system.X11, thewindowing systemof UNIX operat-ing systems,canmake useof this featurein an impressive way. With X11, it’sbasicallyno problemto log in at a remotehostandstarta graphicalprogramwhich will thenbesentover thenetwork to bedisplayedon yourcomputer. Theprotocolto communicatebetweentheX applicationandtheX server (which is

158


the local processthat draws the windows with the help of your video card) isrelatively lightweight asfar asbandwidthusageis concerned.This is becausethe protocolwasdesignedin the eightieswhennetwork bandwidthwasstill ascarceresource.

Now if we want an X client to be displayedremotelyusingour X server, thelatter is supposedto protectthe resourcemanagedby it (i. e. the display)fromunauthorizedaccess.In moreconcreteterms,certainpermissionsmustbegivento the client program. With the X Window System,thereare two waysto doso, calledhost-basedaccesscontrol andcookie-basedaccesscontrol. The for-mer relieson theIP addressof thehostwheretheclient is supposedto run; theprogramto control this is xhost. Whatxhost doesis to enterthe IP addressof a legitimateclient into a tiny databasebelongingto theX server. Note,how-ever, that relying on IP addressesfor authenticationis not exactly very secure.For instance,if therewerea seconduserworking on thehostsendingtheclientprogram,thatuserwouldhaveaccessto theX serveraswell – just likesomeonestealingthe IP address.Becauseof theseshortcomings,we won’t describethisauthenticationmethodin moredetail here,but you can learnaboutthe way itfunctionsif you readthemanpageof xhost (which includesasimilarwarning).

In thecaseof cookie-basedaccesscontrol,a characterstringis generatedwhichis only known to theX server andto the legitimateuser, just like anID cardofsomekind. This cookie(theword goesbacknot to ordinarycookiesbut to Chi-nesefortunecookieswhich containanepigram)is storeduponlogin in the file.Xauthority in the user’s homedirectoryandis availableto any X Windowclient wantingto usetheX server to displaya window. Thefile .Xauthoritycan be examinedby the user with the tool xauth. If you were to rename.Xauthority or if you deletedthefile from your homedirectoryby accident,you would not be able to openany new windows or X clients. You can readmoreaboutX Window’s securitymechanismsin the manpageof Xsecurity(man Xsecurity).

Apart from that,ssh (secureshell)canbeusedto completelyencrypta networkconnectionandforwardit to anX server transparently(i. e.without theencryp-tion mechanismbeingperceivedby theuser).Thisis alsocalled“X forwarding”.X Forwardingis achievedby simulatinganX serverontheserversideandsettinga DISPLAY variablefor the shell on the remotehost. Beforebeingdisplayed,the client opensa connectionwith sshd(secureshell daemon,the server sideprogram)which thengetstheconnectionsthroughto the realX server. If yoursetuprequiresthatX clientsaredisplayedremotely, you shouldconsiderusingssh andhave a closerlook at it. Themanpageof ssh will tell you moreaboutthefunctionalityof this program.

$ %

& '

CautionIf you don’t consider the host where you log in to be a secure host, youshouldn’t use X forwarding. With X forwarding enabled, an attacker couldauthenticate via your ssh connection to intrude on your X server and sniffyour keyboard input, for instance.

159

D Network Security

Furtherdetailsaboutssh canbefoundin sectionD.2 on page147of thisbook.

Buffer overflowsand format string bugs

As we’vesaidin thesectionon localsecurity, buffer overflowsandformatstringbugsshouldbe classifiedasissuesconcerningboth local andnetwork security.Justlike with the local variantsof suchbugs,buffer overflows in network pro-grams,whensuccessfullyexploited,aremostlyusedto obtain‘root’ permis-sions.Evenif thatis not thecase,anattackercouldusethebug to gainaccesstoan unprivilegedlocal accountto exploit any other(local) vulnerabilitieswhichmight exist on thesystem.

Buffer overflowsandformatstringbugsexploitableovera network link arecer-tainly the most frequentform of remoteattacksin general. Exploits for these(i. e. programsto exploit thesenewly foundsecurityholes)areoftenpostedonthe securitymailing lists; they canbe usedto target the vulnerability withoutknowing aboutthe detailsof the code. Over the years,experiencehasshownthat the availability of exploit codeshascontributedto moresecureoperatingsystems,which is obviously dueto the fact thatoperatingsystemmakerswereforcedto fix theproblemsin their software. With freesoftware,anyonehasac-cessto thesourcecode(SuSELinux comeswith thesourceof all theprogramsthatmake it available)andanyonewho findsa vulnerabilityandits exploit codecansubmita patchto fix thecorrespondingbug.

DoS- Denial of Service

Thepurposeof this kind of attackis to forcedown a serverprogram(or evenanentiresystem),somethingwhichcouldbeachievedby variousmeans:overload-ing theserver, keepingit busywith garbagepackets,orexploitingaremotebufferoverflow (i. e. a buffer overflow which cannotbe exploited to run programsontheremotesite).

Often a DoS attackis donewith the solepurposeof makingthe servicedisap-pear. However, oncea givenservicehasbecomeunavailable,communicationscouldbecomevulnerableto so-calledman-in-the-middleattacks(sniffing, TCPconnectionhijacking,spoofing)andDNSpoisoning,whichareexplainedbelow.

Man in the middle: sniffing, tcp connectionhijacking, spoofing

In generalany remoteattackperformedby anattackerwhoputshimselfbetweenthe communicatinghostsis calleda “man-in-the-middleattack”. What almostall typesof man-in-the-middleattackshave in commonis that thevictim won’tnormally becomeawarethat there’s somethinggoing on. Therearemany pos-siblevariants:For instance,theattacker couldpick up a connectionrequestandforwardthat to the targetmachinehimself. Now thevictim hasunwittingly es-tablisheda connectionwith the wronghost,becausethe otherendis posingasthe legitimatedestinationmachine.The simplestform of a man-in-the-middleattackis called“sniffer”, i. e.theattacker is “just” listeningto thenetwork trafficpassingby. As amorecomplex attack,the“man in themiddle” couldtry to takeoveranalreadyestablishedconnection(hijacking).To do so,theattackerwouldhaveto analyzethepacketsfor sometimeto beableto predicttheTCPsequencenumbersbelongingto theconnection.Whentheattacker finally seizesthe roleof thetargethost,thevictim will noticebecauseheor shegetsanerrormessagesayingtheconnectionwasterminateddueto a failure.

160


Whatoftenmakesthingseasierfor attackersis the fact that thereareprotocolswhicharenotsecuredagainsthijackingthroughencryptionandwhichdon’t per-form anauthenticationprocedureuponestablishingtheconnection.Finally, wewant to mention“spoofing”, which is an attackwherepacketsaremodifiedtocontaincounterfeitsourcedata,i. e. mostly the IP address.Most active formsof attackrely on sendingout suchfake packets– somethingwhich on a Linuxmachinecanonly bedoneby thesuperuser(‘root’).

Many of the attacksmentionedarecarriedout in combinationwith a DoS. Ifan attacker seesan opportunityto abruptlybring down a certainhost (even ifonly for a shorttime), thatwill make it easierfor him to pushtheactive attack,becausethehostwon’t beableto interferewith theattackfor sometime.

DNS poisoning

DNS poisoningmeansthat the attacker corruptsthe cacheof a DNS server byreplying to it with spoofedDNS reply packets,trying to get the server to sendcertaindatato a victim who is requestinginformationfrom thatserver. To foistsuchfalseinformationonto the server in a credibleway, normally the attackermusthave receivedandanalysedsomepacketsfrom it. Giventhatmany serversareconfiguredto maintaina trust relationshipwith otherhosts(which is basedon IP addressesor hostnames),suchanattackmaybesuccessfulin a relativelyshorttime, but, on the otherhand,it alsorequiresquite an effort. In any case,the attacker will needa goodunderstandingof the actualstructureof the trustrelationshipsbetweenhosts. From the attacker’s viewpoint, targeting a DNSserver with a well-timed DoS attackto spoil its information is often the firstthing to consider.

Again, you canprotectyourselfby usingencryptedconnectionswhich areableto verify theidentity of thehoststo which youwantto connect.

Worms

Wormsareoftenconfusedwith viruses,but there’sacleardifferencebetweenthetwo. Unlike viruses,wormsdon’t needto infect a hostprogramto live. Rather,they arespecializedto spreadasquickly aspossibleon network structures.Thewormsthat appearedin the past,suchasRamen,Lion or Adore, make useofwell-known securityholesin server programslike bind8 or lprNG. Protectingagainstwormsis relatively easy. Giventhatsometime will elapsebetweenthediscovery of a securityholeandthemomenttheworm hits your server, thereisa goodchancethatanupdatedversionof theprogramaffectedwill beavailableon time. Of course,that is only useful if the administratoractuallyinstallsthesecurityupdateson thesystemsin question.

D.3.3 Some General Security Tips and Tric ks

Inf ormation: To handlesecuritycompetently, it’s importantto keepup withnew developmentsand to stay informed aboutthe latestsecurityissues. Onevery goodway to protectyour systemsagainstproblemsof all kinds is to getand install the updatedpackagesrecommendedby securityannouncementsasquickly as possible. SuSEsecurityannouncementsare publishedon a mail-ing list to which you cansubscribeby following the link http://www.suse.

161

D Network Security

de/security. The list, which hasthe [email protected], is a first-handsourceof informationwith regardto updatedpackagesandincludesmembersof SuSE’ssecurityteamamongits activecontributors.

Themailing list [email protected] is a goodplaceto discussany se-curity issuesof interest;you cansubscribeto it underthe URL asgivenabovefor [email protected].

[email protected] is oneof thebest-known securitymailing listsworldwide.We really recommendthatyou readthis list which receivesbetween15 and20 postingsper day. More informationcanbe found at http://www.securityfocus.com.

The following is a list of rules which you may find useful to deal with basicsecurityconcerns:

• Accordingto theruleof usingthemostrestricivesetof permissionspossiblefor every job,avoid doingyourregularjobsas‘root’. Thisreducestheriskof gettingacuckoo’seggor avirusandprotectsyoufrom yourownmistakes.

• If possible,always try to useencryptedconnectionsto work on a remotemachine.Use“ssh” (secureshell)to replacetelnet, ftp, rsh andrlogin.

• Avoid usingauthenticationmethodsbasedon IP addressesalone.

• Try to keepthemostimportantnetwork-relatedpackagesup-to-dateandsub-scribeto the correspondingmailing lists to receive announcementson newversionsof suchprograms(e.g. BIND, sendmail, ssh). The sameshouldapplyto softwarewhich is relevantto local security.

• Changethe/etc/permissions file which bestfits your needsto optimizethe permissionsof files which arecrucial to your system’s security. If youremove the setuidbit from a program,it might well be that it cannotdo itsjob anymorein theway it is supposedto. On theotherhand,considerthatinmostcasestheprogramwill alsohave ceasedto bea potentialsecurityrisk.Youmight takea similarapproachwith world-writabledirectoriesandfiles.

• Disableany networkservicesthatyoudon’t absolutelyrequirefor yourserverto work properly. This will make your systemsafer, plus it preventsyourusersfrom gettingusedto a servicethatyou hadnever intendedto beavail-ablein thefirst place(theso-calledlegacy problem).Openports(thosehav-ing thesocket stateLISTEN) canbe foundwith theprogramnetstat. Asfor theoptions,we suggestthatyou usenetstat -ap or netstat -anp.The -p option allows you to seewhich processis occupying a port underwhichname.

Comparethenetstat resultswith thoseof a thoroughportscandonefromoutsideyourhost.An excellentprogramfor this job is nmap, whichdoesnotonly checkout theportsof your machine,but alsodraws someconclusionsasto which servicesarewaiting behindthem. However, portscanningmaybe interpretedasan aggressive act, so don’t do this on a hostwithout theexplicit approval of theadministrator. Finally, rememberthat it’s importantthatyounot only scanTCPportsbut alsoUDPports(options-sS and-sU).

162


• To monitor the integrity of the files of your systemin a reliableway, youshouldusetheprogramtripwire. Encryptthedatabasecreatedbytripwireto prevent it from being tamperedwith. Furthermore,you shouldkeepabackupof this databaseavailable outsideyour machine,i. e. storedon anexternaldatamediumnotconnectedto it by somenetwork link.

• Pleasetake propercarewheninstallingany third-partysoftware.Therehavebeencaseswherea cracker hadbuilt a trojanhorseinto the tar archive of asecuritysoftwarepackage– which wasfortunatelydiscoveredvery quickly.If youinstallabinarypackage,youshouldhavenodoubtsaboutthesitefromwhichyou havedownloadedit.

NotethatSuSE’s RPM packagesaregpgsigned.Thekey usedby SuSEforsigningreadsasfollows:

ID:9C800ACA 2000-10-19SuSEPackageSigningKey <[email protected]>

Key fingerprint = 79C1 79B2 E1C8 20C1 890F 9994 A84E DAE8 9C800ACA

Thecommandrpm -checksig package.rpm showsyouwhetherthecheck-sumandthesignatureof a(notyetinstalled!)packagearecorrect.Beginningwith version7.1of SuSELinux, you canalsofind thekey on thefirst CD ofthedistributionandon mostkeyserversworldwide.

• Checkyour backupsof userandsystemfiles regularly. Considerthat if youdon’t testwhetherthebackupwill work or not,it mightactuallybeworthless.

• Checkyour log files, if possible,with a smallscript thatyou write to searchfor suspiciousentries. Admittedly, this is not exactly a trivial task. In theend,only you canknow which entriesareunusualandwhich arenot.

• Usetcp_wrappers to restrictaccessto the individual servicesrunningonyour machine,sothatyou haveexplicit controloverwhich IP addressescanconnectto a service. For further informationon tcp\_wrappers, consultthemanualpageof tcpd(8) andhosts\_access (man tcpd,man hosts_access).

• YoucanuseSuSEFirewall to enhancethesecurityprovidedby tcpd(tcp_wrapper).However, if you don’t intendto provide any servicesfromyour machine,you shouldprobablyinstall Personal-firewall instead. Con-figuring Personal-firewall is as simple as providing the nameof the net-work interfaceon which inboundtraffic shouldbe rejected. You can findmoreinformationonthisin thefiles/sbin/SuSEpersonal-firewalland/etc/rc.config.d/security.rc.config, aswell asin sectionD.1 onpage139.

• Designyoursecuritymeasuresto beredundant:amessagethatyouseetwiceis muchbetterthannot gettingany messageat all. You would feel thesamewaywhenit comesto thewayyourco-workerscommunicatewith you.

163

D Network Security

D.3.4 Using the Central Security Repor ting Address

If youfind asecurityrelatedproblem(pleasechecktheavailableupdatepackagesfirst), don’t hesitateto write ane-mail to [email protected]. Pleaseincludea detaileddescriptionof the problemand the versionnumberof the packageconcerned.SuSEwill try to sendareplyassoonaspossible.Youareencouragedto pgpencryptyoure-mailmessages.SuSE’spgpkey is asfollows:

ID:3D25D3D91999-03-06SuSESecurityTeam<[email protected]>

Key fingerprint= 73 5F2E99 DF DB 94 C48F 5A A3 AE AF 22 F2 D5

Thiskey isalsoavailablefor downloadfrom: http://www.suse.de/security

164

E YaST and SuSE Lin ux License Terms


YaSTCopyright (c) 1995- 98 SuSEGmbH,Furth(Germany)

The object of this licenseis the YaST (Yet anotherSetupTool) program,thename“YaST”,SuSELinux theLinux Distribution of SuSEGmbHandall otherprogramsof SuSEGmbHunder this license, all programsderived from YaSTor anotherprogram under this licenseandall works or namesderived in fullor in part thereoftogetherwith theuse,application,archiving, reproductionandpassingonof aprogramunderthis license,all programsderivedfrom a programunder this licenseand all works derived in full or in part thereof. The YaSTprogram,any otherprogramunderthis licenseandall sourcesaretheintellectualpropertyof SuSEGmbH within the meaningof the Copyright Law. ThenameYaSTis a registeredtrademarkof SuSEGmbH. In the following SuSEGmbHis thelicensorandevery useror processorof YaSTor anyotherprogramunderthis license, worksderivedin full or in part thereof,togetherwith every personwhoreproduces,distributesor archivesYaST, SuSELinux or anyotherprogramunderthis license, is thelicenseeof SuSEGmbH.

The following licensetermsare recognisedasa result of the processing,use,application,archiving reproductionanddisseminationof theprogramsunderthislicense.

Only this licensegivesthe Licenseethe right to usereproduce,to distribute orto amendYaST, anyotherprogramunderthis licenseor worksderivedthereof.Theseactionsareforbiddenby thecopyright act,if this licenseis notrecognised.If thislicenseis recognisedandcompliedwith in full, it is alsovalid evenwithoutthewrittenconsentof theLicensee.

1. Usage

YaST, SuSELinux and any other program underthis licensemay be usedfor personalandcommercialpurposesif thecopyright andlicensetermsoftheinstalledpackagesandprogramesareobserved.Theuseof YaSTor anyother program under this license, even if a modifiedversionis used,doesNOT exemptin particulartheLicenseefrom theduty to take duecarewithregard to the licensetermsof the packagesor programsinstalledthroughYaST, anyotherprogramunderthis licenseor worksbasedon it.

2. Processing

All programsderivedfrom YaST, anyotherprogramunderthis licenseandall worksderivedthereof,in full or partsthereofareto befilled on theopen-ing screenwith theclearinformation“Modified Version”. Moreover theop-eratorgive his nameon theopeningscreen,statingthatSuSEGmbHis notproviding any supportfor the“Modified Version”andis excludedfrom any

165


liability whatsoever. Every amendmentto the sourceswhich arenot con-ductedby SuSEGmbH are deemedto be a “Modified Version”. The Li-censeeis entitledto changehis copy from thesourcesof YaSTor anyotherprogramunderthis license, wherebyawork basedononeof theseprogramsis created,providedthatthefollowing conditionsaresatisfied.

a) Every amendmentmusthave a notein thesourcewith dateandoperator.Theamendedsourcesmustbemadeavailablefor theuserin accordancewith section3) togetherwith theunamendedlicense.

b) The Licenseeis obliged to make all work distributed by him which isderivedasa wholeor in part from a programunderthis licenseor partsthereofto third partiesasa wholeunderthetermsof this licensewithoutroyalties.

c) Theamendmentof this licenseby a Licensee,evenin part,is forbidden.

SuSEGmbHreservestheright to acceptpartsor all amendmentsof a modi-fied versionof any programunderthis licenseinto theofficial versionof theconcernedprogramfreeof charge.TheLicenseehasno bearingon this.

3. Dissemination

It is forbiddento reproduceor distributedatacarrierswhichhavebeenrepro-ducedwithoutauthorisationfor paymentwithout theprior writtenconsentofSuSEGmbH or SuSELinux. Distribution of programsunderthis license,their sources,whetheramendedor unamendedin full or in part thereof,andthe works derived thereoffor a charge requirethe prior written consentofSuSEGmbH.

All programsderived from programsunder this license, andall works de-rivedthereofasa wholeor partsthereofmayonly bedisseminatedwith theamendedsourcesand this licensein accordancewith 2b). Making YaST,or any other program underthis licenseor works derived thereofavailablefree of charge togetherwith SuSELinux on FTP Serversandmailboxesispermittedif thelicenseson thesoftwareareobserved.

4. Guarantee

No guaranteewhatsover is given for YaST, any other program under thislicenseor for works derivedthereof and SuSELinux. The SuSEGmbHguaranteeonly coversfault-freedatacarriers.

SuSEGmbHwill provideeveryprogramunderthis licenseandSuSELinuxASIT IS without any guaranteewhatever that it is fit for a specificpurposeor use. In particularSuSEis not liable for lost profit, savings not made,ordamagesfrom theclaimslodgedby third partiesagainsttheLicensee.SuSEGmbHis not liable eitherfor otherdirector indirectconsequentiallosses,inparticularnot for thelossor productionof recordeddata.

Theobservanceof therespectivelicensesandcopyrightsof theinstalledsoft-ware is incumbentsolely uponthe userof the relevant program andSuSELinux.

166


5. Rights

No other rights to YaST, any other program under this licenseor to SuSELinux are grantedother than negotiatedin this license. An infringementagainstthis licenseautomaticallyterminatestherightsof theLicensee.How-ever the right of third partieswho have receivedcopiesor rightsunderthislicensefrom the Licensee,arenot terminatedas long asall partsof his li-censearerecognisedandobserved. If theLicenseeis subjectto conditions,or obligationsasa resultof a court judgement,patentterms,licenseterms,or anotherreason,andtheseconditionsor obligationscontradictthis licenseasa wholeor in part, theLicenseeshallonly beexemptedin full or in partfrom thislicenseandits termswith theexpressprior writtenconsentof SuSE,SuSEis entitledto withhold its consentwithoutgiving reasons.

6. Additional restrictions

If thedistribution or useof YaST, anyotherprogramunderthis licenseandSuSELinux or partsof SuSELinux is restrictedin a stateeitherby patentsor by interfacesprotectedby copyright, SuSEGmbHcanspecifyanexplicitgeographicrestrictionof thedistribution of theconcernedprogramor partsof SuSELinux, in which thesestatesarefully or partiallyexcludedfrom dis-tribution. In sucha casethis licenseincludesthewholeor partialrestrictionasif it waswrittendown in this license.

167


168

Index

Index

symbolsSuSELinux SolutionsAG . . . 98SuSELinux Firewall on CD . 63

AACLs

arranging. . . . . . . . . . . . . . . . 55defining . . . . . . . . . . . . . . . . . 54

addingusersproblems. . . . . . . . . . . . . . . . 29

Apache . . . . . . . . . . . . . . 133,136AUTOPROTECT . . . . . . . . . . . 67awk . . . . . . . . . . . . . . . . . . . . . . . 66

Bbibliography . . . . . . . . . . . . . . 101BIND . . . . . . . . . 28,77,103,162bind8 . . . . . . 40,41,64,111,161bootparameters. . . . . . . . . . . . 83businesssupport. . . . . . . . . . . . 98

Ccachemgr. . . . . . . . . . . . . . . . . 121cachemgr.cgi . . . . . . . . . . . . . 125Calamaris. . . . . . . . . . . . 121,133chroot . . . . . . . . . . . . . . . . . . . . . 79communicationanalysis. . . . . 91communicationmatrix . . . . . . 91compartment. . . . . . . . . . . . . . . 79configuration

bootmanager. . . . . . . . . . . . 23documentation. . . . . . . . . . . 60editing . . . . . . . . . . . . . . . . . . 59saving . . . . . . . . . . . . . . . . . . . 58SuSEFirewall Script . . . . . . 65testing. . . . . . . . . . . . . . . . . . . 59

configurationdisk . . . . . . . . . . 80configurationfiles . . . . . . . 26,80contentfilter . . . . . . . . . . . . 56,78CPU . . . . . . . . . . . . . . . . . . . . . 125cracklib . . . . . . . . . . . . . . . . . . . 35

Ddhclient . . . . . . . . . . . . . . . . . . 146

DHCP . . . . . . . . . . . . . . . . . . . 115dhcpcd . . . . . . . . . . . . . . . . . . 116dhcpd . . . . . . . . . . . . . . . . . . . . 116DHCPD_INTERFACE . . . . . . . 117diald . . . . . . . . . . . . . . . . . . . . . 146DNS . . . . . . . . . . . . . . . . . . . . . . 77

configuration. . . . . . . . . . . . . 40domain . . . . . . . . . . . . . . . . . . . . 31DomainNameSystem. seeNIS

Ffas-devel . . . . . . . . . . . . . . . . 19fasd . . . . . . . . . . . . . . . . . . . . . . . 34firewall . . . . . . . . . . . . . . . . . . . 139

baseconfiguration. . . . . . . . 36monitoring . . . . . . . . . . . . . . . 60new configuration. . . . . . . . 35services. . . . . . . . . . . . . . . . . 64setup. . . . . . . . . . . . . . . . . . . . 85start-up. . . . . . . . . . . . . . . . . . 86testing. . . . . . . . . . . . . . . . . . . 86

FirewallSetups. . . . . . . . . . . . . . . . . . . 14

Firewall AdministrationSystem9, 17,34

startup . . . . . . . . . . . . . . . . . . 34userfwadmin . . . . . . . . . 33,34

ftp . . . . . . . . . . . . . . . 51,148,149ftp proxy . . . . . . . . . . . . . . . 52,78ftp-proxy-suite . . . . . . . . . . . . . 64

Ggateway . . . . . . . . . . . . . . . . . . . 32grep . . . . . . . . . . . . . . . . . . . . . . . 66

Hharden_suse. . . . . . . . . . . . . . . 20host.conf . . . . . . . . . . . . . . . . . . 27

alert . . . . . . . . . . . . . . . . . . . . . 28multi . . . . . . . . . . . . . . . . . . . . 28nospoof . . . . . . . . . . . . . . . . . 28order . . . . . . . . . . . . . . . . . . . . 27trim . . . . . . . . . . . . . . . . . . . . . 28

HOSTNAME . . . . . . . . . . . . . . 31hosts. . . . . . . . . . . . . . . . . . . 26,28howtoen . . . . . . . . . . . . 137,142HTTPproxy . . . . . . . . 53,58,77httpf . . . . . . . . . . . . . . . . . . . 64,78

Iifconfig . . . . . . . . . . . . . . . . . . . . 66inetd . . . . . . . . . . . . . . . . . . . . . . 32intrusiondetection. . . . . . . . . . 93IP address. . . . . . . . . . . . . . . . . 32ipchains. . . . . . . . . 41,64–66,76ipchains(8). . . . . . . . . . . . . 63,64ipchains-save . . . . . . . . . . . . . . 76

KK51firewall . . . . . . . . . . . . . . . . 68KDM . . . . . . . . . . . . . . . . . . . . 151kernelcaps . . . . . . . . . . . . . . . . 79

Llibcinfo . . . . . . . . . . . . . . . . . 28LILO . . . . . . . . . . . . . . . . . . . . . . 23Linux training . . . . . . . . . . . . . . 99linuxrc . . . . . . . . . . . . . . . . . . . . 20Live Filesystem. . . . . . . . . . . . 96

Mmagicuser . . . . . . . . . . . . . . . . . 78mail . . . . . . . . . . . . . . . . . . . . . . . 77mail relay . . . . . . . . . . . . . . . . . . 46masquerading. . . . . . . . . . . . . 139

Nnameresolution

NIS . . . . . . . . . . . . . . . . . . . . . 28nameserver . . . . . . . . . . . . 28,31nameservicecachedaemon. 29nameserviceswitch . . . . . . . . 28netmask. . . . . . . . . . . . . . . . . . . 32netstat. . . . . . . . . . . . . . . . . . . . . 66network . . . . . . . . . . . . . . . . . . . 26

configurationfiles . . . . . . . . 26manualconfiguration. . . . . 25

169

Index

networks . . . . . . . . . . . . . . . . . . 26nmap. . . . . . . . . . . . . . . . . . . . . . 59nscd . . . . . . . . . . . . . . . . . . . 29,31nscd.conf. . . . . . . . . . . . . . . . . . 29nsswitch.conf. . . . . . . . . . . . . . 28

Oopenssh. . . 64,79,82,147,148

Ppackagedhcpcd . . . . . . . . . . . . . . . . 116fas-devel . . . . . . . . . . . . . . 19howtoen . . . . . . . . . . 137,142libcinfo . . . . . . . . . . . . . . . 28

packet filter . . . . . . . . . . . 76,139pam_auth. . . . . . . . . . . . . . . . . 130parentproxyconfiguration . . 57personalfirewall . . . . . . . . . . 142pidentd. . . . . . . . . . . . . . . . . . . 130postfix . . . 46,64,68,69,77,81professionalservices. . . . . . . . 98ps . . . . . . . . . . . . . . . . . . . . . . . . . 94

RRAM . . . . . . . . . . . . . . . . . . . . 124rcp . . . . . . . . . . . . . . . . . . . . . . . 148resolv.conf . . . . . . . . . . . . . . . . . 31rlogin . . . . . . . . . . . . . . . . 148,150rootpassword . . . . . . . . . . . . . . 23rsh . . . . . . . . . . . . . . . . . . 148,150

SSaX . . . . . . . . . . . . . . . . . . . . . . . 25scp . . . . . . . . . . . . . 148,149,151sec. . . . . . . . . . . . . . . . . . . . . . . 147secumod. . . . . . . . . . . . . . . . . . . 79secureshell . . . . . . . . . . . . . . . 147security . . . . . . . . . . . . . . . . . . 152

firewall . . . . . . . . . . . . . . . . . 139securitypolicy . . . . . . . . . . . . . 90sed. . . . . . . . . . . . . . . . . . . . . . . . 66sendmail. . . . . . . . . . . . . . 32,162

seriesdoc . . . . . . . . . . . . . . . . 28,142n . . . . . . . . . . . . . . 18,116,135zfw . . . . . . . . . . . . . . . . . . . . . 18zfw1 . . . . . . . . . . . . . . . . . . . . 18

services. . . . . . . . . . . . . . . . 91,99sftp . . . . . . . . . . . . . . . . . . 148,149slogin . . . . . . . . . . . . . . . . . . . . 148smtpd . . . . . . . . . . . . . . . . . . . . . 68Squid . . . . . . . 64,68,77,78,82,

121–129,131–137squidgrd . . . . . . . . 121,133,135SquidGuard. 129,130,135,136ssh 36,49,68,69,79,147–152,

162configuration. . . . . . . . . . . . . 48keys . . . . . . . . . . . . . . . . . . . . . 48

ssh-add. . . . . . . . . . . . . . . . . . . 151ssh-agent. . . . . . . . . . . . . . . . . 151ssh-agents. . . . . . . . . . . . . . . . 151ssh-keygen . . . . . . . . . . . . . . . 150START_DHCPD . . . . . . . . . . . . 118startupscripts . . . . . . . . . . . . . . 32startx . . . . . . . . . . . . . . . . . . . . 151support. . . . . . . . . . . . . . . . . . . . 97

commercial. . . . . . . . . . . . . . 98professionalservices. . . . . . 98services. . . . . . . . . . . . . . 98,99

SuSEservices. . . . . . . . . . . . . . . . . 99

SuSE. . . . . . . . . . . . . . . . . . . . . . 99SuSEFirewall Adminhost 82,85SuSEfirewall module . . . . . . . 41SuSEFirewall Script . . . . . . . . 65SuSELinux Firewall Adminhost

50new installation . . . . . . . . . . 20

SuSELinux Firewall onCD . . 9,13

SuSELinux LiveCD for Firewall64,85

suse-ftp-proxy. . . . . . . . . . . . . 78

SuSEconfig. . . . . . . . 26,81,133SuSEfirewall . . . . . . . . . . . . . . 131syslog

configuration. . . . . . . . . . . . . 50syslog-ng . . . . . . . . . . . . . . 18,61

Ttelnet . . . . . . . . . . . . . . . . . . . . 148tinyproxy . . . . . . . . . . . . . . 64,78traceroute. . . . . . . . . . . . . . 67,68training . . . . . . . . . . . . . . . . . . . . 99transproxy. . . . . . . . . . . . . . 64,78troubleshooting. . . . . . . . . 89,93

Uupdate. . . . . . . . . . . . . . . . . 17,92

completion . . . . . . . . . . . . . . 19with YaST1. . . . . . . . . . . . . . 18with YaST2. . . . . . . . . . . . . . 18

VVariableDHCPD_INTERFACE . . . . . 117START_DHCPD . . . . . . . . . . 118

XXDM . . . . . . . . . . . . . . . . . . . . 151XFree86. . . . . . . . . . . . . . . . . . . . 2xlock . . . . . . . . . . . . . . . . . . . . 151xterm . . . . . . . . . . . . . . . . . . . . . 61

YYaST. 2, 17,25,26,31,32,148,

165YaST1. . . . . . . . . . . . . . . 111,157YaST2. . . . . . 17,19–27,31,157

harddisk . . . . . . . . . . . . . . . . 22keyboard . . . . . . . . . . . . . . . . 21languageselection. . . . . . . . 20mouse. . . . . . . . . . . . . . . . . . . 21network . . . . . . . . . . . . . . . . . 25startinstallation . . . . . . . . . . 24timezone. . . . . . . . . . . . . . . . 21

170

Documents

SuSE Linux Firewall on CDbeta.redes-linux.com/manuales_english/SuSE/SuSE_firewall...(e-mail,chat, etc.) and information gathering offered by it seem to grow every day, and the number