SuSEfirewall2: HowTo Firewall a Suse/openSUSE Workstation for LAN Network Traffic 1/5 ページ

SuSEfirewall2: HowTo Firewall a Suse/openSUSE Workstation for LAN Network Traffic

Keywords: Linux Firewall, Windows Firewall, Iptables, Samba, TCP/UDP ports, Suse.

Introduction: You have a working simple Samba Windows-Linux network of the home or home-office or small
business variety [say ≤ circa 20 workstations]. You want to secure the hosts against intrusion. The Samba Tutorials
on this site cover some important things you should do.

This tutorial focuses on putting firewalls on Linux & Windows hosts using the software tools included by the
manufacturers.

Name Resolution: Suse's default install of Samba does not allow adequate LAN browsing (name resolution) when
hosts/workstations are individually firewalled. You must install one or more of the three common boosters/tweaks for
the default broadcast name resolution. The three options are to install the lmhosts file, install a wins server or
configure a local master browser. They are discussed in Samba IVA and Samba IVB.

Personal/Individual Firewalls on Hosts: You must of course have a perimeter defence for your LAN in the form of
an overarching firewall, usually integrated with the router connecting the LAN to the internet. You then limit/specify
what traffic can enter or exit individual hosts [workstations] with individual firewalls. Your basic thinking is that
everything outside your physical host [your tin box, your computer] is to be blocked, except what you specifically
allow. This is good thinking in case the firewall on your router goes down or is penetrated. So you put the host's
network interface in the "external" zone and switch on the host's firewall to get an extra layer of protection.
Nothing much can get in, even from the other hosts.

The next step is to let local network traffic through by opening ports for the various local services you need to allow.

Ports for Services: Here are the ports you need to open to allow Samba services through the firewall. I include some
other common apps as examples. If some application that uses a port doesn't work when the firewall is up then you
should investigate a port allocation for the app:

Samba
135/TCP: epmap [DCE endpoint resolution]
137/UDP: netbios-ns [NETBIOS Name Service]
138/UDP: netbios-dgm [NETBIOS Datagram Service]
139/TCP: netbios-ssn [NETBIOS Session Service]
445/TCP: microsoft-ds [Microsoft-DS]
Printing
515/TCP: Line Printer Daemon LPD
515/UDP: Line Printer Daemon LPD
631/TCP: Internet Printing Protocol IPP/CUPS
631/UDP: Internet Printing Protocol IPP/CUPS
SSH
22/TCP: ssh [Remote Login Protocol]
22/UDP: ssh [Remote Login Protocol]
Torrent
6881/TCP: files
4444/UDP: tracking
aMule
4662/TCP: Standard client
4672/UDP: Extended client
4665/UDP: Extended server

Two caveats on the list. SSH runs over TCP only; 22/UDP appears above because IANA registers it, but opening it
admits nothing an SSH client uses. Samba 3 itself does not listen on 135/TCP; that port is the Windows RPC endpoint
mapper, so a Linux host only needs it open if some other service on the host answers MS-RPC.

http://www.swerdna.net.au/linhowtosambasecure.html 2008/12/08

You will have additional ports to add to this list, depending on which apps suddenly stop working. You can find a
comprehensive listing of registered ports on the IANA site (IANA = Internet Assigned Numbers Authority). For SMB
networking to function you must at least allow the ports in the list under Samba [but see my Note4].

Broadcast Packets: You must also allow "Samba server", which in YaST's terms means allowing broadcast packets
through the external zone (FW_ALLOW_FW_BROADCAST_EXT). The NetBIOS name and datagram services on 137/UDP and
138/UDP arrive as subnet broadcasts, and browsing breaks without them.

Note1: You might come across suggestions on the Internet to allow outgoing services like "microsoft-ds netbios-ssn"
for TCP or like "netbios-ns netbios-dgm" for UDP and sometimes for broadcasts of form "netbios-ns netbios-dgm".
Opening the ports in the list entries under Samba and allowing broadcast packets takes care of that for you.

Note2: Some people allow either duplex traffic or incoming traffic on all high ports. Although this takes care of apps
like Torrent & Mule, there's little point in having a firewall if all high ports are opened. High ports should be opened
consciously and individually for apps that require them [e.g. Torrent].

Note3: Port 1024 is sometimes recommended on the Internet as an addition to the list of ports to open [both for UDP
and TCP]. This is essentially a way to allow broadcast name resolution and it works in a flaky fashion for personal
firewalls on LANs but it can let name resolution down for long periods. Therefore it shouldn't be used as a substitute
for adequate name resolution.

Note4: Port 445 was introduced by Microsoft for Windows machines that have NetBIOS over TCP/IP (NBT) turned off:
SMB is then carried directly over TCP on 445 instead of inside a NetBIOS session on 139. NBT is on for the typical
SOHO LAN, so there is no pressing reason to have port 445 open. I choose not to use 445 for two reasons: for
administrative simplicity and because the fewer ports open the better from a security standpoint. I've included
mention of 445 for clarity, rather than simply not mentioning it. The SOHO LAN will work with it or without it. You
decide. If you leave 445 out, as I have in my iptables "make it happen" segment, you should also add the line
"smb ports = 139" to the [global] section of smb.conf. This stops Samba listening on 445 altogether, so the daemon
and the firewall agree rather than leaving a listener sitting behind a blocked port.
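A consistency check for Note4, added here as an example rather than taken from the page: it reads FW_SERVICES_EXT_TCP from a SuSEfirewall2 file and "smb ports" from smb.conf and reports when Samba listens on a port the firewall blocks, or when 445 is open but unused. The function names and the sample config files are constructed for this example; on a real host pass /etc/sysconfig/SuSEfirewall2 and /etc/samba/smb.conf instead.

```shell
#!/bin/sh
# Added example: verify that FW_SERVICES_EXT_TCP and smb.conf agree on
# which SMB ports are in use, as Note4 asks. The sample files below are
# constructed; on a real host pass /etc/sysconfig/SuSEfirewall2 and
# /etc/samba/smb.conf.

# fw_tcp_ports FILE: the FW_SERVICES_EXT_TCP list, quotes stripped.
fw_tcp_ports() {
    sed -n 's/^FW_SERVICES_EXT_TCP=//p' "$1" | tr -d '"'
}

# smb_ports FILE: the "smb ports" value from [global], or Samba's own
# default "445 139" when the line is absent.
smb_ports() {
    v=$(sed -n '/^\[global\]/,/^\[/s/^[[:space:]]*smb ports[[:space:]]*=[[:space:]]*//p' "$1")
    if [ -n "$v" ]; then echo "$v"; else echo "445 139"; fi
}

# has_port LIST PORT: succeed when PORT is one of the words in LIST.
has_port() {
    for hp in $1; do
        [ "$hp" = "$2" ] && return 0
    done
    return 1
}

# check_smb_ports FWCONF SMBCONF: 0 when the two agree; 1 when Samba
# listens on a port the firewall blocks; 2 when the firewall opens 445
# that Samba does not use. A diagnostic is printed for each finding.
check_smb_ports() {
    fw=$(fw_tcp_ports "$1"); smb=$(smb_ports "$2"); rc=0
    for p in $smb; do
        if ! has_port "$fw" "$p"; then
            echo "Samba listens on $p/TCP but FW_SERVICES_EXT_TCP does not allow it: add $p or set 'smb ports = 139'"
            rc=1
        fi
    done
    if has_port "$fw" 445 && ! has_port "$smb" 445; then
        echo "445/TCP is open but Samba does not use it: drop 445 from FW_SERVICES_EXT_TCP"
        rc=2
    fi
    return $rc
}

# Constructed sample configs mirroring the settings used on this page.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat >"$tmp/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="any eth-id-00:13:d4:fe:36:59 modem0"
FW_SERVICES_EXT_TCP="135 139 515 631 6881"
FW_SERVICES_EXT_UDP="137 138 515 631 4444"
FW_ALLOW_FW_BROADCAST_EXT="yes"
FW_TRUSTED_NETS="192.168.2.0/24"
EOF
cat >"$tmp/smb-139.conf" <<'EOF'
[global]
    workgroup = WORKGROUP
    smb ports = 139
[homes]
    browseable = no
EOF
# The same smb.conf without the "smb ports" line: Samba then listens on 445 too.
grep -v 'smb ports' "$tmp/smb-139.conf" >"$tmp/smb-default.conf"

check_smb_ports "$tmp/SuSEfirewall2" "$tmp/smb-139.conf" && echo "139-only setup is consistent"
check_smb_ports "$tmp/SuSEfirewall2" "$tmp/smb-default.conf" || echo "stock smb.conf disagrees with the firewall (exit $?)"
```

When "smb ports" is absent Samba's default is 445 then 139, so a stock smb.conf next to the firewall list on this page trips the first finding; adding smb ports = 139 to [global] clears it.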

Trusted Nets [Allow IP Ranges]: Iptables can allow whole ranges of IP addresses through the firewall. SuSEfirewall2
calls these "trusted nets", and they suit a LAN like the SOHO LAN we're discussing here. Typically the allowed range
looks like 192.168.2.0/24 ("/24" denotes the entire subnet, 192.168.2.0 to 192.168.2.255). Be sure to substitute
your IP range for mine. Bear in mind that a trusted net is accepted on every port, not just the ones listed above, so
it gives up the protection the port list offers against a compromised neighbour on the LAN; the narrower the range
the better. FW_TRUSTED_NETS also accepts a single address (192.168.2.10) and, as the comments in
/etc/sysconfig/SuSEfirewall2 document, a protocol/port restriction of the form 192.168.2.0/24,tcp,139.

Note5: Notice that defining allowed traffic via ports associated with various services on the one hand, and via IP
ranges on the other, provides two quite different but still compatible sorts of pathways. Indeed some administrators
use one or the other, not both. I use both because if I use just one approach then I have to turn the firewalls off
and on briefly when my wins server is being initialised, which is simply not satisfactory. When I use both approaches
the initialisation of the wins server is smooth/untroubled.

Iptables - make it happen: Every distro has its GUI to assist in translating these port adjustments to "rules" in
iptables. The hard part is over: i.e. to have the requirements clearly understood/enumerated as above. I will go
through the process for Suse 10.0, 10.1 here to demonstrate.

You can use the GUI approach in either of two ways with YAST. The GUI for "firewall" at Yast --> Security and
Users --> Firewall --> Allowed Services is there to set open ports and to allow passage of broadcast packets (i.e. to
allow Samba server). But I found it to be unreliable. Entering there can stop my firewall from working. The other
GUI facilities under "firewall" are fine for me. The alternative GUI is at Yast --> System --> /etc/sysconfig Editor,
where everything mentioned above can be set in one go. Of course the easiest way is to forget the GUI approach and
just edit the firewall setup file directly with a text editor. The file is /etc/sysconfig/SuSEfirewall2.

So here's one of those three ways to get the settings locked in: Open Yast --> System --> /etc/sysconfig Editor -->
Network --> Firewall --> SuseFirewall2 --> + (expand) --> then locate the entries in the list below. You'll find them
in the left hand column of the GUI. Change them using the right hand column of the GUI to include the settings in
the list below:

FW_DEV_EXT <--entry--> any eth-id-00:13:d4:fe:36:59 modem0
[notice I've firewalled "any" device not listed, the ethernet card and my modem.]

FW_SERVICES_EXT_TCP <--entry--> 135 139 515 631 6881
[notice I've included a port for KTorrent and allowed for LPD & IPP printing. This is where you add ports/TCP
for your additional services. I've also left port 445 out as explained above.]

FW_SERVICES_EXT_UDP <--entry--> 137 138 515 631 4444
[notice I've included a port for KTorrent and allowed for LPD & IPP printing. This is where you add
ports/UDP for your additional services.]

FW_ALLOW_FW_BROADCAST_EXT <--entry--> yes
[This enables broadcasts from Samba Server.]

FW_TRUSTED_NETS <--entry--> 192.168.2.0/24
[This allows the Lan through. NB: substitute your IP range for mine.]
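The five settings above, rendered as the iptables rules they amount to on the INPUT chain, as an added example. It is not SuSEfirewall2's own script: it prints the rules rather than applying them, so it runs without root. The variables are written as they appear in /etc/sysconfig/SuSEfirewall2; the device name eth0 is assumed, since the real script resolves the eth-id-<MAC> alias to the kernel device name itself.

```shell
#!/bin/sh
# Added example: the settings from the list above, written as they appear
# in /etc/sysconfig/SuSEfirewall2, rendered as the iptables rules they
# produce for the INPUT chain. Rules are printed, not applied.
# eth0 is an assumption: SuSEfirewall2 maps eth-id-<MAC> to the kernel name.
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="135 139 515 631 6881"
FW_SERVICES_EXT_UDP="137 138 515 631 4444"
FW_ALLOW_FW_BROADCAST_EXT="yes"
FW_TRUSTED_NETS="192.168.2.0/24"

# gen_rules DEV TCP_PORTS UDP_PORTS BROADCAST TRUSTED
# Prints one iptables command per line: default-deny first, then the
# allowances in the order the settings list them.
gen_rules() {
    dev=$1; tcp=$2; udp=$3; bcast=$4; trusted=$5
    echo "iptables -P INPUT DROP"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened come back regardless of port.
    echo "iptables -A INPUT -i $dev -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # FW_TRUSTED_NETS: everything from these sources, on every port.
    for net in $trusted; do
        echo "iptables -A INPUT -i $dev -s $net -j ACCEPT"
    done
    # FW_SERVICES_EXT_TCP / FW_SERVICES_EXT_UDP: one rule per listed port.
    for p in $tcp; do
        echo "iptables -A INPUT -i $dev -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    for p in $udp; do
        echo "iptables -A INPUT -i $dev -p udp --dport $p -j ACCEPT"
    done
    # FW_ALLOW_FW_BROADCAST_EXT: NetBIOS name/datagram service (137, 138)
    # arrives as subnet broadcasts, which are handled separately from
    # unicast; this admits them.
    if [ "$bcast" = "yes" ]; then
        echo "iptables -A INPUT -i $dev -m pkttype --pkt-type broadcast -p udp -m multiport --dports 137,138 -j ACCEPT"
    fi
    # Anything else arriving on the external device is logged, then dropped.
    echo "iptables -A INPUT -i $dev -j LOG --log-prefix 'SFW2-IN-DROP '"
    echo "iptables -A INPUT -i $dev -j DROP"
}

# count_port_rules DEV TCP UDP BROADCAST TRUSTED: number of single-port
# allow rules generated, a quick check that only the two lists were opened.
count_port_rules() {
    gen_rules "$@" | grep -c -- '--dport '
}

gen_rules "$FW_DEV_EXT" "$FW_SERVICES_EXT_TCP" "$FW_SERVICES_EXT_UDP" \
    "$FW_ALLOW_FW_BROADCAST_EXT" "$FW_TRUSTED_NETS"
```

Reading the output top to bottom shows why the trusted-net rule matters: it is matched before any port rule, so a LAN host in 192.168.2.0/24 reaches every port, while a host outside it is confined to the ten listed ones and the two NetBIOS broadcast ports.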

Note you can find the card name, like e.g. eth-id-00:13:d4:fe:36:59 or like e.g. wlan-bus-usb in Yast --> Network
devices/network cards.

Note also: There are other ways to set the above features but it is not safe in my experience to set them using
Yast -> Firewall -> Allowed Services.

At this stage you can switch the firewall on using Yast --> Security and Users --> Firewall --> Start/stop/save-and-
start firewall.

Windows firewall - make it happen: In Windows right-click the "Local Area Connection" icon and open "Internet
Protocol (TCP/IP)" --> Properties. Select "Advanced" --> Options --> TCP/IP filtering --> Properties. Enable TCP/IP
Filtering (All adapters). For TCP ports select "Permit Only" and enter the following: 135, 139 and the ports for your
special services. If you choose to include TCP 445, you put it here. Similarly for UDP permit only 137, 138 and the
ports for your special services. Leave IP protocols alone. Restart the computer. Activate the Windows firewall in XP;
in Windows 2000 the filtering is activated by the procedure just described. Bear in mind that TCP/IP filtering
inspects inbound traffic only and has no equivalent of a trusted net: it is a per-port allow list applied to every
adapter, not a stateful firewall, so there is no LAN-wide exception to lean on if a port is missing from the list.

I Hope this Tutorial makes life a bit easier for you.

Swerdna: December 05 2006

Copyright © Asserted [Swerdna•Net]