By Jack Wallen
This gallery is also available as a TechRepublic article and download.
In today's network environment, where security is one of the major concerns, one of the most important things you should have on your network is a firewall. If you're new to Linux administration, the thought of creating a firewall by hand-writing an entire set of iptables chains could be a bit daunting. Fortunately there's a GUI way to build a Linux firewall using SuSE's YaST2. With a kit full of fundamental software, YaST2 takes the prize for best prepared.
In this article we are going to poke around the YaST2 firewall tool and set up a firewall on a desktop machine. Our environment is a server set up with OpenSuSE 10.2 and two Ethernet cards.
A Quick look around YaST
Although it is contrary to what many Linux administrators would advise, I am going to log into my SuSE 10.2 machine as root for this setup. I don't do this often, but it saves me from having to enter the root password every time I want to perform an administration task. This is okay for setting up the services we're dealing with, but once you are done setting up said services, log out and log back in with your regular user account.
The first thing you'll want to do is to click on the Computer menu as shown.
The Control Center is grouped in both Groups and Common Tasks.
From the menu click on the Control Center entry as seen.
It should be obvious that Network Services is your next destination.
Click on the Administrator Settings from the Common Tasks section to open the YaST Admin Tool. You'll then see the screen shown.
A nice collection of GUI tools to help you configure your Linux server.
Click on Network Services to reveal a listing of the various Network Services that can be configured from within YaST as shown.
There are a number of security options, but the Firewall is the obvious choice.
Double click the Firewall icon. Once you've opened up the YaST Firewall tool the first screen you will see is the start up screen as seen. Now you're ready to get into the nitty-gritty of firewall configuration.
This view is in Tree mode. If you click the Help button at the bottom left you will get a bit of help with the system.
Configuring the firewall
The first thing you should do is configure your firewall to start at boot. This is the default setting. Once you've double-checked that the firewall is configured to start at boot, you can either click Next or click on the Interfaces link in the left pane.
The Interfaces window will show you each of the available network interfaces on the machine. As you can see, I have an Accton EN-1207D card and a Silicon Integrated SiS900 card available. The Silicon card had already been installed for the installation of the operating system, so it was pre-configured to connect directly to a router (which was connected to the external network). The Accton has yet to be configured, so, as you can see, there is no zone assigned.
If you do not assign a zone to a device, no traffic will be allowed through said device.
NOTE: One of the things you will need to do is make sure networking is already configured on your network cards. If you need to assign a custom string such as "any" to a card, you have to do that with the Custom button.
Since I already have the Silicon card configured for a zone, we'll use the Accton card as an example and set it up for the internal zone. Highlight the card you want to configure and click Change near the bottom to open the zone configuration window. You'll see the screen shown.
Your choices are No Zone, Demilitarized Zone, Internal Zone, and External Zone.
Once you have configured your zones, click on Allowed Services. If you are in Help mode you will not see the Allowed Services button. To see the button, click on the Tree button.
In the Allowed Services window, you are able to open ports to the Demilitarized Zone, the Internal Zone, and the External Zone. As you can see, I already have DHCP, DNS, HTTP, SSH, Samba, and TFTP open to the external zone.
This is not a secure setup.
This isn't a good setup. Most of those services should only be open to the internal zone. In this case, we need to remove DHCP, DNS, Samba, and TFTP from the external zone.
To do so, first highlight the service to be removed and click the Remove button. Now the only services allowed through the external zone will be HTTP and SSH. Let's say we need to add POP server access to the external zone. To do this, click the Service To Allow drop-down, select the type of service (we'll choose POP3 Server), and click Add. Easy enough: POP3 will now be allowed through the external zone once these changes have been applied.
As is, there is nothing you can do.
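As an added check (my own script, not from the article or from SuSE), this POSIX shell snippet audits the external-zone service lists in a SuSEfirewall2 sysconfig file, the file YaST writes behind the Allowed Services screen. It assumes the variable names FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP and the /etc/services tokens used here for DHCP, DNS, Samba and TFTP, and runs against two constructed sample configs that mirror the before and after states described above.

```shell
#!/bin/sh
# Added audit helper: reads a SuSEfirewall2-style sysconfig file and lists
# external-zone services that the article says belong only on the internal zone.
# The two configs below are constructed samples, not the author's actual files.
BEFORE_CFG=$(mktemp)
cat > "$BEFORE_CFG" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_TCP="ssh http domain netbios-ssn microsoft-ds"
FW_SERVICES_EXT_UDP="bootps domain tftp netbios-ns netbios-dgm"
FW_PROTECT_FROM_INT="no"
EOF

AFTER_CFG=$(mktemp)
cat > "$AFTER_CFG" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_TCP="ssh http pop3"
FW_SERVICES_EXT_UDP=""
FW_PROTECT_FROM_INT="yes"
EOF
trap 'rm -f "$BEFORE_CFG" "$AFTER_CFG"' EXIT

# /etc/services names assumed for the YaST entries DHCP, DNS, Samba and TFTP
INTERNAL_ONLY="bootps domain tftp netbios-ns netbios-dgm netbios-ssn microsoft-ds"

# cfg_get FILE VAR: print VAR's value (quotes stripped, last assignment wins)
cfg_get() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# ext_exposed FILE: print PROTO/service for every internal-only service found
# in the external zone, space separated; empty output means the zone is clean
ext_exposed() {
    found=""
    for proto in TCP UDP; do
        for svc in $(cfg_get "$1" "FW_SERVICES_EXT_$proto"); do
            for bad in $INTERNAL_ONLY; do
                [ "$svc" = "$bad" ] && found="$found $proto/$svc"
            done
        done
    done
    echo "${found# }"
}

echo "before: $(ext_exposed "$BEFORE_CFG")"
echo "after:  $(ext_exposed "$AFTER_CFG")"
```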
Securing the internal zone
Now we'll take a look at the internal zone. From the Allowed Services For The Selected Zone drop-down select Internal Zone. The first thing you will notice is that everything is grayed out indicating nothing is configurable.
If you want to block any services on the internal zone, you will first have to click the Protect Firewall From Internal Zone check box. Once you do that, you can add or remove services in the same manner you did with the external zone. Take notice of the Protect Firewall From Internal Zone check box: if it's unchecked, all services are open. Once you check that box, all services are removed from the list, so you will have to add them one at a time to your internal zone.
This same tool also allows you to configure Network Masquerading. To do this, click on the Masquerading button on the left navigation bar. By default masquerading is off. Click the check box for Masquerade Networks to enable this service. Here you can add or remove redirects as shown.
Even though masquerading is enabled, it will do nothing until you add a redirect.
Click the Add button to open the Add Masqueraded Redirect Rule window. You'll see the screen shown.
If the configuration is not completely and correctly entered, the redirect will not work.
Let's say you want to use secure shell to access the internal network and go to a specific machine. For this, you'll enter the following information:
You can remove the new service by highlighting it and clicking Remove.
With your redirects in place you can move on to configure broadcast. Click on the Broadcast link from the left navigation. Within the Broadcast configuration window, enter a space-separated list of ports you want to broadcast to your network within each zone. As you can see I am allowing CUPS and Samba broadcast packets in the internal zone.
If your network is large you might want to deselect Log Not Accepted Broadcast Packets.
The final two configurations are IPsec Support and Logging. To enable IPsec, click on the IPsec button in the left navigation bar. Click on the Enabled check box and then click the Details button to determine how to trust IPsec.
Your choices are: Same Zone as Original Source Network, Demilitarized Zone, Internal Zone, and External Zone.
Finally, you can configure logging. You can configure how to log accepted and not accepted packets. Your choices in configuration are: Critical, All, or None.
Remember, the larger your network the more logging your server will have to do.
Once you have configured logging click the Next button to create the summary of your configurations as shown.
By Jack Wallen
Jack Wallen is an award-winning writer for TechRepublic, The New Stack, and Linux New Media. He's covered a variety of topics for over twenty years and is an avid promoter of open source. For more news about Jack Wallen, visit his website jackwallen....