Deploying Suse Linux Enterprise Server

Purchase "Deploying Suse Linux Enterprise Server"

Configuring the Firewall

To fully secure your server from unnecessary or damaging traffic, you need to implement a firewall. A firewall allows you to route and control network traffic travelling into your network or between two or more different networks. For instance, you will want to implement a firewall wherever you want computers on another network to have limited or no access to your network. The classic example of this is the Internet. You should put a firewall between your local network and the Internet to protect your computers from unnecessary or unwanted traffic coming from the Internet.

Another good use for a firewall is to separate any Wireless Access Points on your network, so all traffic will go through a firewall before entering your network. This actually allows you to offer Internet access to anyone using a wireless connection without compromising the security of your local network. You could also use a firewall to separate a "testing network" from a production network, especially if you need Internet access for your testing network. Doing this allows you to fully configure and test any servers without harming the current network. This is especially useful when working with Windows Domains.

Firewall Yast Module

Basically, the way the Linux Kernel implements its firewall is that it allows you to create "Zones" where you control network traffic. You can implement any number of "Zones" you want, but normally you use only 3 - Internal Zone, External Zone and Demilitarized Zone. You can then use these Zones to implement "Rules" that manage the network traffic coming into the zone. You can even use rules to manipulate the traffic to move from one zone to another.

Maintaining these rules can be a daunting task, but since the inception of Linux IP Tables many tools have been created to make this job much easier. Suse Linux has the "Firewall" Yast Module to help you with this task.

Figures: Controlling the Firewall Startup and Assigning Zones to Network Cards

So, the first step in configuring your firewall is to assign these "Zones" to your network devices. This is done under the "Interfaces" section of the Yast Firewall module. These "zones" will be used to determine what network traffic will be allowed to enter each interface.

External Zone - This zone is primarily used for any Interface that is directly connected to the Internet or other "unsecure" network. With any Interface that you assign "External Zone", you must manually allow certain traffic to communicate with your server.

Internal Zone - This assignment should be placed on the Interface that is connected to your Local Area Network. By default, all network traffic is allowed on any interface that is designated "Internal Zone".

Demilitarized Zone - Similar to "External Zone", you must manually allow certain traffic through on any Interface designated "Demilitarized Zone". This zone is mainly used on larger networks where, for security reasons, Internet Servers (such as web, mail, etc.) are placed on a separate network than the local network.

Figures: Allowing Services and adjusting Broadcasts through the Firewall

Once you set up all of your zones, you may want to "open" some ports on the Interfaces that you set to "External" or "Demilitarized" to allow access to certain services (such as Web Sites or Internet Mail). To do this, go to the "Allowed Services" section and ensure that the correct Zone is selected in the "Allowed Services for Selected Zone" drop-down box. Then, simply select which service(s) to allow from the "Service to Allow" drop-down and hit "Add".

If you really want to, you can block all services from the "Internal Zone" and manually open the required ports for your server to work properly. Do this by checking the "Protect Firewall from Internal Zone" box. I highly recommend that you do not do this unless you know exactly what you are doing.

Note - If the service you wish to allow is not listed in the drop-down, simply click on "Advanced" and manually enter all the ports you wish to open.
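
To review the result of the steps above outside of Yast, the following added example (not from the original page or from Suse) lists which zone an interface is in, what has been opened on the External and Demilitarized zones, and whether the Internal Zone is still unfiltered. It assumes a release where the Firewall module saves its settings in /etc/sysconfig/SuSEfirewall2 using the FW_DEV_*, FW_SERVICES_*, FW_CONFIGURATIONS_* and FW_PROTECT_FROM_INT variables; the function names and the sample file are constructed for illustration.

```shell
# Added example: read-only audit of a SuSEfirewall2-style sysconfig file (assumed format).

# fw_get FILE VAR: print the value of the last VAR="..." line in FILE.
fw_get() {
    sed -n "s/^$2=\"\(.*\)\"[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# zone_of FILE IFACE: print EXT, INT or DMZ for IFACE, or "none".
zone_of() {
    for z in EXT INT DMZ; do
        for i in $(fw_get "$1" "FW_DEV_$z"); do
            if [ "$i" = "$2" ]; then echo "$z"; return 0; fi
        done
    done
    echo none
}

# exposed FILE: one "ZONE KIND VALUE" line per port or named service
# opened on the zones that block traffic unless you allow it.
exposed() {
    for z in EXT DMZ; do
        for k in TCP UDP; do
            for v in $(fw_get "$1" "FW_SERVICES_${z}_$k"); do echo "$z $k $v"; done
        done
        for v in $(fw_get "$1" "FW_CONFIGURATIONS_$z"); do echo "$z SERVICE $v"; done
    done
}

# internal_open FILE: succeed when FW_PROTECT_FROM_INT is not "yes" (internal zone unfiltered).
internal_open() {
    [ "$(fw_get "$1" FW_PROTECT_FROM_INT)" != "yes" ]
}

# Constructed sample configuration (not taken from a real server).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="22 443"
FW_SERVICES_EXT_UDP=""
FW_CONFIGURATIONS_EXT="apache2"
FW_SERVICES_DMZ_TCP="25"
EOF

echo "eth1 is in zone: $(zone_of "$SAMPLE" eth1)"
exposed "$SAMPLE"
internal_open "$SAMPLE" && echo "internal zone: all traffic accepted"
```

On a real server, pass the path of the saved configuration instead of the sample file and compare the output of exposed with the services you intended to allow.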

