Mailinglist Archive: opensuse (4570 mails)
Re: [SLE] Solved, Re: [SLE] Firewall oddity
- From: Simon Roberts <thorpflyer@xxxxxxxxx>
- Date: Sun, 13 Nov 2005 22:29:39 +0000 (UTC)
- Message-id: <20051113222937.21332.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
That makes sense. Thanks for the follow-up.
Cheers,
Simon
--- Darryl Gregorash <raven@xxxxxxxxxxxxx> wrote:
> On 11/12/2005 10:48 AM, Simon Roberts wrote:
> > Thanks Darryl for the pointers; I finally worked out what's going on
> > (with a little more help from ethereal and by setting the "log
> > everything" mode on the firewall).
> >
> > The problem was that for some reason setting dhcp as an allowed service
> > doesn't quite do the job. You have to add bootpc and bootps to the
> > "allowed broadcast" field too.
> >
> > I'm not sure how this ever worked, given that the broadcast field in
> > Yast's firewall wizard isn't something I'd played with before, and I'm
> > also unsure why Yast isn't smart enough to set that field when I told
> > it that I wanted to allow dhcp. Maybe 10.0 is smarter, or maybe I did
> > something unimaginably fiendish to confuse it :)
> >
> > Anyway, now, with bootpc and bootps as allowed broadcasts, it works
> > again.
> Apologies for not getting back to you sooner, but it's good to see you
> were able to resolve this on your own. I doubt my "pointers" had much
> bearing on that; perhaps I got you to focus your attention on the
> firewall a bit more, but nothing more than that. My previous message
> said nothing about initial broadcast messages, which I mistakenly
> thought were actually working -- I thought you were saying that renewal
> requests weren't getting through. Yes, it is strange that your dhcp
> worked before, without that broadcast service being specifically allowed
> (are you certain the internal interface wasn't previously open to *all*
> broadcast messages?). But I've seen stranger things reported in here
> before :)
>
> The following explanation should help future readers with the same
> problem understand what has happened here:
>
> At first, a system usually has no idea where any dhcp server is, so it
> has to use a broadcast message to find one (it will also obtain a first
> IP lease at this time). When the time comes to renew the initial lease,
> it does know of a dhcp server, so a unicast message is possible.
>
> On the dhcp server (which is what Simon is configuring here), the DMZ
> and/or INT interfaces must therefore be opened for INPUT on port bootps
> (67) for both types of messages. The lines in the firewall config for
> FW_SERVICES_INT_TCP, etc. only pertain to unicast messages, with a
> separate set used for broadcast. It makes no sense to combine the two
> sets of variables, because very few services need to use broadcast; you
> would have to write exceptions into the script for those that did. It's
> far simpler to use separate config variables, one set for unicast
> messages and another for broadcast.
>
"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions." Naguib Mahfouz
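The point Darryl makes in the quoted reply is that a DHCP server needs udp/67 (bootps) reachable on two separate paths: unicast, for lease renewals from clients that already know the server, and broadcast, for the initial DHCPDISCOVER from clients that do not. A firewall that opens only the unicast list produces exactly the symptom Simon saw. The script below is an added example, not code from the thread or from SuSEfirewall2: it reads a SuSEfirewall2-style config and reports whether both paths to bootps are open on the internal interface. FW_SERVICES_INT_TCP is the variable named in the message; FW_SERVICES_INT_UDP and FW_ALLOW_FW_BROADCAST_INT (accepting "yes", "no", or a list of udp ports) are assumed from later SuSEfirewall2 versions, so check the names against your own /etc/sysconfig/SuSEfirewall2. The two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or from SuSEfirewall2 itself): check a
# SuSEfirewall2-style config for the DHCP-server gap described above.
# Variable names FW_SERVICES_INT_UDP and FW_ALLOW_FW_BROADCAST_INT are
# assumptions based on later SuSEfirewall2 versions; adjust to your version.

# has_word WORD LIST: returns 0 if WORD appears in the space-separated LIST.
has_word() {
    for item in $2; do
        [ "$item" = "$1" ] && return 0
    done
    return 1
}

# allows_port NAME NUMBER LIST: returns 0 if LIST permits the port, given
# either as a service name (bootps) or a number (67), or if LIST is "yes"
# (SuSEfirewall2's "allow everything" value for the broadcast variables).
allows_port() {
    [ "$3" = "yes" ] && return 0
    has_word "$1" "$3" && return 0
    has_word "$2" "$3" && return 0
    return 1
}

# check_dhcp_server CONFIG_FILE: prints a verdict per path and returns 0 only
# when both the unicast (renewal) and broadcast (discovery) paths to udp/67
# are open on the internal interface. The config is sourced in a subshell so
# its assignments do not leak into this script.
check_dhcp_server() {
    cfg=$1
    unicast=$( . "$cfg" && printf '%s' "$FW_SERVICES_INT_UDP" )
    broadcast=$( . "$cfg" && printf '%s' "$FW_ALLOW_FW_BROADCAST_INT" )
    status=0
    if allows_port bootps 67 "$unicast"; then
        echo "unicast   udp/67 (lease renewals): open"
    else
        echo "unicast   udp/67 (lease renewals): BLOCKED - add bootps to FW_SERVICES_INT_UDP"
        status=1
    fi
    if allows_port bootps 67 "$broadcast"; then
        echo "broadcast udp/67 (DHCPDISCOVER):   open"
    else
        echo "broadcast udp/67 (DHCPDISCOVER):   BLOCKED - add bootps to FW_ALLOW_FW_BROADCAST_INT"
        status=1
    fi
    return $status
}

# write_sample_configs DIR: writes two constructed configs (not from any real
# system): "before" mirrors Simon's original state (unicast only), "after"
# mirrors his fix (bootps and bootpc added to the allowed broadcasts).
write_sample_configs() {
    cat > "$1/fw_before.cfg" <<'EOF'
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP="bootps"
FW_ALLOW_FW_BROADCAST_INT="no"
EOF
    cat > "$1/fw_after.cfg" <<'EOF'
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP="bootps"
FW_ALLOW_FW_BROADCAST_INT="bootps bootpc"
EOF
}

# Stand-alone run: the "before" config fails the check, the "after" config passes.
if [ "${0##*/}" != "sh" ] && [ -z "${FW_CHECK_NO_MAIN:-}" ]; then
    tmpdir=$(mktemp -d)
    write_sample_configs "$tmpdir"
    echo "== before =="; check_dhcp_server "$tmpdir/fw_before.cfg" || true
    echo "== after =="; check_dhcp_server "$tmpdir/fw_after.cfg" || true
    rm -rf "$tmpdir"
fi
```

Run it against your real config with `check_dhcp_server /etc/sysconfig/SuSEfirewall2` (after sourcing the script, or by replacing the sample paths). Tightening the check is easy: the same two-path test applies to the DMZ interface by swapping in the corresponding DMZ variables, and a DHCP client rather than a server would be checked for bootpc (68) instead of bootps.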