
SolutionBase: Configure a firewall in Linux using SuSE's YaST

Configuring a firewall in Linux used to mean making many changes to text files on the command line. The chore was tedious and time-consuming. In this article, Jack Wallen shows how to configure a firewall quickly and easily using GUI tools built into SuSE's YaST configuration tool.

In today's network environment, where security is a major concern, a firewall is one of the most important things you should have on your network. If you're new to Linux administration, the thought of creating a firewall using an entire iptables chain could be a bit daunting. Fortunately, there's a GUI way to build a Linux firewall using SuSE's YaST2. With a kit full of fundamental software, YaST2 takes the prize for best prepared.

In this article, we are going to poke around the YaST2 firewall tool and set up a firewall on a desktop machine. Our environment will be a server set up with OpenSuSE 10.2 and two Ethernet cards.

A quick look around YaST

Although it is contrary to what many Linux administrators would advise, I'm going to log into my SuSE 10.2 machine as root for this setup. I don't do this often, but it saves me from having to enter the root password every time I want to perform an administration task. Once you are done setting up these services, log out.

The first thing you'll want to do is to select the Computer menu, as shown in Figure A.

Figure A

The new GNOME 2.16 menu is quite a change from the usual cascading menu.

From the menu, select the Control Center entry, as shown in Figure B.

Figure B

The Control Center is grouped in both Groups and Common Tasks.

Select the Administrator Settings from the Common Tasks section to open the YaST Admin Tool. You'll then see the screen shown in Figure C.

Figure C

It should be obvious that Network Services is your next destination.

Select Network Services to reveal a listing of the various Network Services that can be configured from within YaST, as shown in Figure D.

Figure D

A nice collection of GUI tools to help you configure your Linux server.

Select the Security and Users link from the left side of the YaST control center, as shown in Figure E.

Figure E

There are a number of security options, but the Firewall is the obvious choice.

Double-click the Firewall icon. Once you've opened up the YaST Firewall tool, the first screen you will see is the startup screen, as shown in Figure F. Now you're ready to get into the nitty-gritty of firewall configuration.

Figure F

This view is in Tree mode. If you click the Help button at the bottom left, you will get a bit of help with the system.

Configuring the firewall

The first thing you should do is configure your firewall to start at boot. This is the default setting. Once you've double-checked that the firewall is configured to start at boot-up, you can either press Next or select the Interfaces link in the left pane.

The interfaces window will show you each of the available network interfaces on the machine. As you can see in Figure G, I have an Accton EN-1207D card and a Silicon Integrated SiS900 card available. The Silicon card had already been installed for the installation of the OS, so it was pre-configured to connect directly to a router (which was connected to the external network). The Accton has yet to be configured so, as you can see, there is no zone assigned.

Figure G

If you do not assign a zone to a device, no traffic will be allowed through said device.

Note: Make sure networking is already configured on your network cards. If you need to assign a custom string such as "any" to a card, you have to do that with the Custom button.

Since I already have the Silicon card configured for a zone, we'll use the Accton card as an example and set it up for the internal zone. Highlight the card you want to configure and press Change (near the bottom) to open up the zone configuration window. You'll see the screen shown in Figure H.

Figure H

Your choices are No Zone, Demilitarized Zone, Internal Zone, and External Zone.

Once you have configured your zones, select Allowed Services. If you are in Help mode, you will not see the Allowed Services button. To see the button, press the Tree button.

In the Allowed Services window, you are able to open ports to the Demilitarized Zone, the Internal Zone, and the External Zone. As you can see in Figure I, I already have DHCP, DNS, HTTP, SSH, Samba, and TFTP open to the external zone.

Figure I

This is not a secure setup.

This isn't a very good idea. Most of those services should only be open to the internal zones. In this case, we need to remove DHCP, DNS, Samba, and TFTP from the external zone.

To do so, highlight the service to be removed and press the Remove button. Now the only services allowed through the external zone will be HTTP and SSH. Let's say we need to add POP server access to the external firewall. To do this, open the Service To Allow drop-down, select the type of service (we'll choose POP3 Server), and press Add. POP3 will now be allowed through the external zone (once these changes have been applied).
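The same check can be run against the saved configuration instead of the Allowed Services window. The following is an added example, not part of the original article: it assumes the YaST settings are stored as the SuSEfirewall2 sysconfig variables FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP, and the sample text is constructed to mirror Figure I.

```python
import re
import shlex

# Services the article removes from the external zone, keyed by (protocol, port).
INTERNAL_ONLY = {("udp", 67): "DHCP", ("udp", 68): "DHCP", ("udp", 69): "TFTP",
                 ("tcp", 53): "DNS", ("udp", 53): "DNS", ("udp", 137): "Samba",
                 ("udp", 138): "Samba", ("tcp", 139): "Samba", ("tcp", 445): "Samba"}
# Service names that may appear instead of numbers (subset of /etc/services).
NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "tftp": 69,
         "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139,
         "microsoft-ds": 445, "http": 80, "ssh": 22, "pop3": 110}

def parse_sysconfig(text):
    """Return {KEY: value} for shell-style KEY="value" lines."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z0-9_]+)=(.*)$", line)
        if m:
            words = shlex.split(m.group(2), comments=True)
            cfg[m.group(1)] = words[0] if words else ""
    return cfg

def expand(token):
    """Turn 'ssh', '445' or '137:139' into the port numbers it covers."""
    lo, _, hi = token.partition(":")
    try:
        first = int(NAMES.get(lo, lo))
        last = int(NAMES.get(hi, hi)) if hi else first
    except ValueError:          # unknown service name: nothing to match
        return range(0)
    return range(first, last + 1)

def external_findings(text):
    """List (service, protocol, port) for internal-only services open externally."""
    cfg = parse_sysconfig(text)
    found = []
    for proto in ("tcp", "udp"):
        # Assumed variable names: FW_SERVICES_EXT_TCP / FW_SERVICES_EXT_UDP.
        for token in cfg.get("FW_SERVICES_EXT_" + proto.upper(), "").split():
            found += [(INTERNAL_ONLY[proto, p], proto, p)
                      for p in expand(token) if (proto, p) in INTERNAL_ONLY]
    return found

# Constructed sample mirroring Figure I (not taken from a real system).
BEFORE = '''FW_SERVICES_EXT_TCP="domain http ssh netbios-ssn microsoft-ds"
FW_SERVICES_EXT_UDP="bootps domain 137:138 tftp"  # names, numbers, ranges
'''
AFTER = 'FW_SERVICES_EXT_TCP="http ssh pop3"\nFW_SERVICES_EXT_UDP=""\n'
```

external_findings(BEFORE) reports the DHCP, DNS, Samba and TFTP ports; external_findings(AFTER), with only HTTP, SSH and POP3 left, reports nothing.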

Securing the internal zone

Now we'll take a look at the internal zone. From the Allowed Services For The Selected Zone drop-down, select Internal Zone. Every listing is gray, indicating nothing is configurable; this is illustrated in Figure J.

Figure J

As it is, there is nothing you can do.

If you want to block any services on the internal zone, you will first have to select the Protect Firewall From Internal Zone check box. Once you do that, you may add or remove services in the same manner you did with the external zone. Take notice of the Protect Firewall From Internal Zone check box: If it's unchecked, all services are open. Once you check that box, all services are removed from the list; you will have to add them one at a time to your internal zone.

This same tool also allows you to configure Network Masquerading. To do this, press the Masquerading button on the left navigation bar. By default, masquerading is off. Select the check box for Masquerade Networks to enable this service. Here you can add or remove redirects, as shown in Figure K.

Figure K

Although masquerading is enabled, it will do nothing until you add a redirect.

Press the Add button to open the Add Masqueraded Redirect Rule window, as shown in Figure L.

Figure L

If the configuration is not completely and correctly entered, the redirect will not work.

Let's say you want to use secure shell to access the internal network and go to a specific machine. For this, you'll enter the following information:

  • The Requested IP, as the IP shown to the public (our external address)
  • The protocol will be set to TCP
  • The requested port will be 22
  • The redirected IP will be the IP of the machine secure shell is to be directed to
  • The redirected port will be the port used on the SSH server

Finish that and press Add to add the service. Figure M shows the newly added SSH service redirect.

Figure M

You can remove the new service by highlighting it and pressing Remove.
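Because an incomplete or mistyped rule silently fails, it helps to validate the five fields before relying on the redirect. The following is an added example, not part of the original article: it assumes the rule is stored as a SuSEfirewall2 FW_FORWARD_MASQ entry in the order source network, redirected IP, protocol, requested port, redirected port, requested IP, and all addresses are constructed placeholders.

```python
import ipaddress

def build_redirect(requested_ip, protocol, requested_port,
                   redirected_ip, redirected_port, source="0/0"):
    """Join the dialog's fields in the assumed FW_FORWARD_MASQ order."""
    return ",".join(str(f) for f in (source, redirected_ip, protocol,
                                     requested_port, redirected_port, requested_ip))

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def _is_port(value):
    return value.isdecimal() and 1 <= int(value) <= 65535

def check_redirect(rule, internal_net):
    """Return the problems that would keep a fully specified redirect from working."""
    fields = rule.split(",")
    if len(fields) != 6:
        return ["expected 6 comma-separated fields, got %d" % len(fields)]
    # The source network (0/0 = anywhere) is carried through but not checked here.
    source, target, proto, port, new_port, requested_ip = (f.strip() for f in fields)
    problems = []
    if not _is_ip(requested_ip):
        problems.append("requested IP is missing or invalid")
    if proto not in ("tcp", "udp"):
        problems.append("protocol must be tcp or udp")
    if not _is_port(port):
        problems.append("requested port is missing or invalid")
    if not _is_ip(target):
        problems.append("redirected IP is missing or invalid")
    elif ipaddress.ip_address(target) not in ipaddress.ip_network(internal_net):
        problems.append("redirected IP is outside the internal network")
    if not _is_port(new_port):
        problems.append("redirected port is missing or invalid")
    return problems

# Constructed values: 203.0.113.5 stands in for the external address,
# 192.168.1.0/24 for the internal zone, 192.168.1.10 for the SSH host.
INTERNAL = "192.168.1.0/24"
GOOD = build_redirect("203.0.113.5", "tcp", 22, "192.168.1.10", 22)
BAD = build_redirect("203.0.113.5", "TCP", 22, "10.0.0.300", "")
```

check_redirect(GOOD, INTERNAL) returns an empty list, while BAD is rejected for its protocol spelling, its malformed redirected IP and its missing redirected port.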

With your redirects in place, you can move on to configure broadcast. Select the Broadcast link from the left navigation. Within the Broadcast configuration window, enter a space-separated list of ports you want to broadcast to your network within each zone. As you can see in Figure N, I am allowing CUPS and Samba broadcast packets in the internal zone.

Figure N

If your network is large, you might want to deselect Log Not Accepted Broadcast Packets.

The final two configurations are IPsec Support and Logging. To enable IPsec, press the IPsec button in the left navigation bar. Select the Enabled check box and then press the Details button to determine how to trust IPsec. Figure O shows what this looks like.

Figure O

Your choices are: Same Zone as Original Source Network, Demilitarized Zone, Internal Zone, and External Zone.

Finally, you can configure logging. You can configure how to log Accepted and Not Accepted Packets. Your choices in configuration are: Critical, All, or None as seen in Figure P.

Figure P

Remember, the larger your network, the more logging your server will have to do.

Once you have configured logging, press the Next button to create the summary of your configurations, as shown in Figure Q.

Figure Q

If you press the Back button, you will be returned to the Start Up screen.

Press Accept (if the configurations are ready to go) to save the settings and start the firewall.

Final thoughts

When I started using Linux, setting up a firewall in Linux meant working at the command line using an editor and fiddling around with configuration files. Setting up a Linux firewall is now as simple as any other GUI-driven program. YaST2 has given Linux administrators an outstanding group of tools to use to set up a server and the Firewall tool is a perfect addition to that toolset.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.
