Mailinglist Archive: opensuse (4570 mails)

Solved, Re: [SLE] Firewall oddity
  • From: Simon Roberts <thorpflyer@xxxxxxxxx>
  • Date: Sat, 12 Nov 2005 16:48:33 +0000 (UTC)
  • Message-id: <20051112164831.96641.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Thanks Darryl for the pointers, I finally worked out what's going on
(with a little more help from ethereal and by setting the "log
everything" mode on the firewall).

The problem was that for some reason setting dhcp as an allowed service
doesn't quite do the job. You have to add bootpc and bootps to the
"allowed broadcast" field too.

I'm not sure how this ever worked, given that the broadcast field in
Yast's firewall wizard isn't something I'd played with before, and I'm
also unsure why Yast isn't smart enough to set that field when I told
it that I wanted to allow dhcp. Maybe 10.0 is smarter, or maybe I did
something unimaginably fiendish to confuse it :)

Anyway, now, with bootpc and bootps as allowed broadcasts, it works
again.

Thanks for your help,
Cheers,
Simon


--- Darryl Gregorash <raven@xxxxxxxxxxxxx> wrote:

> On 11/11/2005 01:20 PM, Simon Roberts wrote:
> >Root control to Major Tom... OOps, sorry, getting distracted.
> >
> >I have a somewhat odd situation with the SuSE resident firewall (and/or
> >perhaps the Yast tool that configures it).
> >
> >I run a few servers on my system, including DHCP, DNS, Samba. I
> >configured the firewall to allow access to these, and for a while all
> >was well. Recently, however, DHCP "just stopped." I traced the problem
> >to the firewall blocking the DHCP port. I've tried restarting the
> >firewall, and a number of other ways to kick it from Yast, but the only
> >way my DHCP works right now is if I turn the firewall off.
> >
> >Any suggestions? Should I resort to manual (file-based) configuration,
> >and if so, where do I start finding out how to do that?
> You should not need to dispense with DHCP; where do you need the DHCP
> service available, the internal network, or the DMZ? Wherever it is
> needed, ensure you open port 67 for INPUT on that interface; I cannot
> recall if it is TCP or UDP, so make sure to open both protocols. These
> are the variables that may need to be set in the firewall configuration:
>
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> and
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
>
>
> If you are still having problems, please post the outputs of the
> following:
>
> iptables -L
> cat /etc/sysconfig/SuSEfirewall2 | egrep "^[^#]"
> cat /etc/sysconfig/network/dhcp | egrep "^[^#]"


"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions." — Naguib Mahfouz
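
Added example, not part of the original posts: a shell check for the condition this thread arrived at, where the DHCP server port is opened as a service in a zone but bootps is missing from that zone's allowed broadcasts. The per-zone variable name FW_ALLOW_FW_BROADCAST_<ZONE> is an assumption that is not shown in the thread, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example. Assumed variable names: FW_SERVICES_<ZONE>_UDP (from the thread)
# and FW_ALLOW_FW_BROADCAST_<ZONE> (assumption; check your SuSEfirewall2 version).

# Print the value of variable $2 from sysconfig-style file $1 (last assignment wins).
# The file is parsed with sed, not sourced, so nothing in it gets executed.
cfg_get() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# Succeed if the space-separated list $1 contains any of the following words.
has_any() {
    list=" $1 "; shift
    for w in "$@"; do
        case "$list" in *" $w "*) return 0 ;; esac
    done
    return 1
}

# Print every zone that opens the DHCP server port (67/bootps) as a UDP
# service but does not allow broadcasts to that port.
dhcp_broadcast_gaps() {
    for zone in EXT INT DMZ; do
        udp=$(cfg_get "$1" "FW_SERVICES_${zone}_UDP")
        bc=$(cfg_get "$1" "FW_ALLOW_FW_BROADCAST_${zone}")
        has_any "$udp" 67 bootps || continue   # no DHCP server in this zone
        [ "$bc" = "yes" ] && continue          # all broadcasts already allowed
        has_any "$bc" 67 bootps || echo "$zone"
    done
    return 0
}

# Constructed sample: INT has the gap, DMZ has the broadcast entries added.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FW_SERVICES_INT_UDP="53 67"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_SERVICES_DMZ_UDP="bootps"
FW_ALLOW_FW_BROADCAST_DMZ="bootpc bootps"
EOF
dhcp_broadcast_gaps "$sample"
rm -f "$sample"
```

On a real system the function would be pointed at /etc/sysconfig/SuSEfirewall2, the file named in the quoted reply.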




