No luck ! Just to confirm the last message, I should have the following:

FW_DEV_EXT="eth1" (this is a public address - let's say eee.eee.eee.1)
FW_DEV_INT="eth0" (this is a private address - let's say iii.iii.iii.1)
FW_DEV_DMZ="eth2" (this is also a private address - let's say ddd.ddd.ddd.1)
FW_MASQ_NETS="iii.iii.iii.0/24 ddd.ddd.ddd.0/24"
FW_FORWARD="0/0,ddd.ddd.ddd.2" (ddd.ddd.ddd.2 is the mailserver on the far side of the DMZ)
FW_FORWARD_MASQ="0/0,ddd.ddd.ddd.2,tcp,25"

The rest, although not needed, shouldn't matter (FW_SERVICE_*_*) if there or not.

When I did this, I still get an ACCEPT message in the syslog but no connection through to the DMZ postfix server. Does it matter if an application on the firewall using port 25 is running also ? I can telnet from the firewall to the DMZ on port 25. I can telnet from the DMZ to port 25 on the firewall (not really used or useful but it is open).

Connections from the outside, the message in the syslog is SuSE_FW_ACCEPT versus how I had it before. (FW_FORWARD_MASQ to an internal ip gave a SuSE_FW_ACCEPT_REVERSE_MASQ in the syslog)

@$%$U*^&*&^*^(&*( HELP !!!!!!!

----- Original Message -----
From: "Thomas Schweiger"
To:
Sent: Monday, September 15, 2003 5:25 PM
Subject: Re: [suse-security] SuSEfirewall2 and Reverse Masq HELP !

On Mon, 15 Sep 2003, Chris de Orla wrote:
> I want to reverse masquerade on port 25 from the internet to a DMZ address.
> [...]
> If I make the reverse-masq to something on the internal network, it connects no problem, anything on the DMZ does not and no failures in syslog.
> What am I missing here ?
> I am running SuSE 7.3 and iptables 1.2.8
> Below is my firewall2.rc.config :
>
> FW_DEV_EXT="eth1"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ="eth2"

eth2: Is it a private net-address? (e.g. 192.168.0.1 = yyy.yyy.yyy.yyy)

> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="xxx.xx.x.x/24"

I assume xxx.xxx.xxx.xxx is your private LAN net-address? (e.g. 192.168.1.1)
You should include yyy.yyy.yyy.yyy/aa or at least the ports the DMZ should reach in the internet.

> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="123 25"
                          ^^^^
You don't need this, because the service (smtpd) is not running on the firewall.

> FW_SERVICES_EXT_UDP="123"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP="25"
                      ^^^^
Here the same. You don't need this.

> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="22 123 25 10000"
                              ^^^^
And again.

> FW_SERVICES_INT_UDP="123"
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS="xxx.xx.x.x/24"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD=""

Here you have to put in the services which should be routed from LAN to DMZ (in general packets from private network to private network or from official IPs to official IPs which don't need NAT or DNAT).

> FW_FORWARD_MASQ="0/0,y.y.y.y,tcp,25"

This should be ok, if y.y.y.y is a private IP-address in the DMZ.

All the FW_*_*-parameters are just for this case, if the services are running _ON_ the firewall.

> #
> #
> #-------------------------------------------------------------------------#
> #                                                                         #
> #  EXPERT OPTIONS - all others please don't change these!                 #
> #                                                                         #
> #-------------------------------------------------------------------------#
> #                                                                         #
> [...]
Best regards,
Thomas Schweiger

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
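As an added example (not part of the thread and not SuSEfirewall2's own code), the script below takes a FW_FORWARD_MASQ entry in the "src,dst,proto,port" form discussed above, prints the hand-written iptables DNAT and FORWARD rules that such an entry asks for, and runs the two configuration checks the thread turns on: whether the DMZ target is covered by a net in FW_MASQ_NETS (Thomas's advice to include the DMZ net there), and whether the forwarded port is also published as a local service in FW_SERVICES_EXT_TCP (the "123 25" setting he flagged). The 192.168.x.x addresses and interface names are constructed stand-ins for the eee/iii/ddd placeholders; that SuSEfirewall2 emits exactly these two iptables rules is an assumption, and the rules also presume an existing ESTABLISHED,RELATED accept for the return traffic.

```shell
#!/bin/sh
# Added example (not from the thread, not SuSEfirewall2's own code).
# Parses a SuSEfirewall2-style FW_FORWARD_MASQ entry "src,dst,proto,port",
# prints the hand-written iptables rules such a DNAT corresponds to
# (assumed equivalent, not SuSEfirewall2's actual output), and runs two
# sanity checks drawn from the thread:
#   1. the DNAT target should lie inside a net listed in FW_MASQ_NETS;
#   2. the forwarded port should not also be published as a local
#      service in FW_SERVICES_EXT_TCP.
# All addresses below are constructed stand-ins for the eee/iii/ddd placeholders.

FW_DEV_EXT="eth1"
FW_DEV_DMZ="eth2"
FW_MASQ_NETS="192.168.1.0/24 192.168.2.0/24"   # LAN and DMZ nets (constructed)
FW_SERVICES_EXT_TCP="123 25"                    # the setting Thomas flagged
FW_FORWARD_MASQ="0/0,192.168.2.2,tcp,25"        # DMZ mail host (constructed)

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip_to_int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# net_covers NET/PLEN ADDR -> returns 0 when ADDR falls inside NET/PLEN
net_covers() {
    net=${1%/*}
    plen=${1#*/}
    mask=$(( 0xffffffff & ~((1 << (32 - plen)) - 1) ))
    [ $(( $(ip_to_int "$net") & mask )) -eq $(( $(ip_to_int "$2") & mask )) ]
}

# dnat_target ENTRY -> prints the dst field of "src,dst,proto,port"
dnat_target() {
    rest=${1#*,}
    echo "${rest%%,*}"
}

# dnat_target_masqueraded ENTRY -> 0 when the target is inside some FW_MASQ_NETS entry
dnat_target_masqueraded() {
    dst=$(dnat_target "$1")
    for net in $FW_MASQ_NETS; do
        net_covers "$net" "$dst" && return 0
    done
    return 1
}

# port_also_local_service ENTRY -> 0 when the DNATed port is also in FW_SERVICES_EXT_TCP
port_also_local_service() {
    port=${1##*,}
    for p in $FW_SERVICES_EXT_TCP; do
        [ "$p" = "$port" ] && return 0
    done
    return 1
}

# render_forward_masq ENTRY -> prints the PREROUTING DNAT rule and the
# FORWARD accept (matched on the post-DNAT destination) for that entry
render_forward_masq() {
    src=${1%%,*}
    rest=${1#*,}
    dst=${rest%%,*}
    rest=${rest#*,}
    proto=${rest%%,*}
    port=${rest#*,}
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s\n' \
        "$FW_DEV_EXT" "$src" "$proto" "$port" "$dst"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$FW_DEV_EXT" "$FW_DEV_DMZ" "$src" "$dst" "$proto" "$port"
}

render_forward_masq "$FW_FORWARD_MASQ"
dnat_target_masqueraded "$FW_FORWARD_MASQ" \
    || echo "warning: $(dnat_target "$FW_FORWARD_MASQ") is not covered by FW_MASQ_NETS"
port_also_local_service "$FW_FORWARD_MASQ" \
    && echo "warning: port ${FW_FORWARD_MASQ##*,} is also listed in FW_SERVICES_EXT_TCP"
```

Run it with `sh` after substituting the real interface names and nets; a warning from the second check is the situation Chris describes (port 25 open on the firewall itself while also being forwarded), and a warning from the first is the case Thomas's FW_MASQ_NETS remark addresses.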