Hello!
For two weeks I have been trying to understand SuSEFirewall2.... I think I have read enough, but I have found no solution for my problem.
I have a SuSE 9.0 system with an Ethernet card with 4 ports. The server is router and WINS server between two Windows domains.
The ports are managed like this:
eth0 Link encap:Ethernet HWaddr _____________ inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
# Domain 1: Windows 2003 Server - Domain "W2003"
eth1 Link encap:Ethernet HWaddr _____________ inet addr:192.168.200.248 Bcast:192.168.200.255 Mask:255.255.255.0
# Domain 2: Windows NT 4.0 - Domain "Hart"
eth2 Link encap:Ethernet HWaddr _____________ inet addr:192.168.3.10 Bcast:192.168.3.255 Mask:255.255.255.0
# To Router (192.168.3.1)
eth3 Link encap:Ethernet HWaddr _____________ inet addr:192.168.4.10 Bcast:192.168.4.255 Mask:255.255.255.0
# To (Secure) WLAN (192.168.4.1)
# SuSEFirewall2 configuration:
FW_QUICKMODE="no"
FW_DEV_EXT="eth2"
FW_DEV_INT="eth0 eth1 eth3"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth2"
FW_MASQ_NETS="192.168.0.0/16"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh 22 53 80 139 445"
FW_SERVICES_INT_UDP="53 137 138"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/16"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
With this configuration, and even if I change
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
both to "no" (which I dislike doing!),
the following "errors" occur if I try to get data from one PC to another (that is, in "Network Neighborhood" (Netzwerkumgebung) the PCs are not visible and there is no way to reach them, but the Internet works fine on every PC):
Jul 5 15:32:46 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14931 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:32:48 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14933 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:32:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14935 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:27 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16608 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16610 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16613 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16620 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 15:55:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16621 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 15:55:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16622 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 15:55:54 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16624 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16626 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:58 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16628 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:30 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17801 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:32 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17803 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:34 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17805 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28159 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:39 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28161 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:45 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28171 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:57 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17822 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:59 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17826 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:11:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17828 PROTO=UDP SPT=138 DPT=138 LEN=182
Please help me! Tell me why! What am I doing wrong??
With kind regards,
Jochen Haßfurter
--------------------------------
Atelier MO Stefan Mock & Jochen Haßfurter GbR
Office: Industriestraße 3 97332 Volkach Germany
Tel. 0.93.81 7.15.20.92 Fax 0.93.81 7.15.20.93
Creative Center: Am Kapellenberg 2 97332 Volkach Germany
Tel. 0.93.81 7.15.20.91 Fax 0.93.81 8.47.59.99
www.ateliermo.de
Maybe this helps:
FW_FORWARD = "yes" ?
Max
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Set FW_ALLOW_CLASS_ROUTING="yes" to allow routing between ifaces of the same class (int/ext/dmz)
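The reply above names the knob, and the log already shows why it is the right one: every dropped packet has IN=eth0 and OUT=eth1, both of which are listed in FW_DEV_INT, so this is forwarding between two interfaces of the same zone, which FW_ALLOW_CLASS_ROUTING gates. The script below is an added example, not code from this thread or from SuSEFirewall2: it parses SuSE-FW kernel log lines, groups the drops by interface pair, protocol and destination port, and tells INPUT-chain drops (empty OUT=) from same-zone and cross-zone FORWARD drops using the zone map taken from the posted FW_DEV_* values. Four of the sample lines are the poster's own; the fifth (IN=eth2, empty OUT=, DPT=22) is constructed to exercise the INPUT branch. The mapping from each drop path to a configuration variable is my reading of the variable names in the posted configuration, not documentation quoted from the page.

```python
"""Triage of SuSEFirewall2 'SuSE-FW-DROP-*' kernel log lines.

Parses the netfilter LOG fields, decides from IN=/OUT= whether the packet was
dropped on its way *to* the firewall host or while being *forwarded*, and, for
forwarded packets, whether both interfaces belong to the same SuSEFirewall2
zone (the case that FW_ALLOW_CLASS_ROUTING controls).
"""
import re
from collections import Counter

# Zone assignment copied from the FW_DEV_* lines of the posted configuration.
FW_DEV_EXT = "eth2"
FW_DEV_INT = "eth0 eth1 eth3"
FW_DEV_DMZ = ""

# Four lines taken verbatim from the post, plus one CONSTRUCTED line (the last
# one, with an empty OUT=) so the INPUT-chain branch of the classifier runs.
SAMPLE_LOG = """\
Jul 5 15:32:46 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14931 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:32:48 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14933 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16620 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28159 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:12:00 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth2 OUT= SRC=192.168.3.1 DST=192.168.3.10 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

PREFIX_RE = re.compile(r"SuSE-FW-(?P<verdict>[A-Z][A-Z-]*)\s+(?P<rest>.*)")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def iface_zones(ext=FW_DEV_EXT, int_=FW_DEV_INT, dmz=FW_DEV_DMZ):
    """Map each device name to its zone: 'ext', 'int' or 'dmz'."""
    return {dev: zone
            for zone, devs in (("ext", ext), ("int", int_), ("dmz", dmz))
            for dev in devs.split()}


def parse_line(line):
    """Return the LOG target fields of one SuSE-FW line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    kv = {}
    for key, val in KV_RE.findall(m.group("rest")):
        kv.setdefault(key, val)  # LEN appears twice (IP, then UDP): keep the first
    return {
        "verdict": m.group("verdict"),
        "in": kv.get("IN", ""),
        "out": kv.get("OUT", ""),
        "src": kv.get("SRC"),
        "dst": kv.get("DST"),
        "proto": kv.get("PROTO"),
        "dpt": int(kv["DPT"]) if kv.get("DPT") else None,
    }


def classify(rec, zones):
    """Name the firewall path that dropped the packet.

    An empty OUT= means the packet was addressed to the firewall itself (INPUT
    chain).  A non-empty OUT= means it was being routed (FORWARD chain); if
    both interfaces sit in the same zone, the drop is the intra-zone routing
    that FW_ALLOW_CLASS_ROUTING gates, otherwise it is cross-zone forwarding.
    """
    if not rec["out"]:
        return "input"
    if zones.get(rec["in"]) == zones.get(rec["out"]):
        return "forward-same-zone"
    return "forward-cross-zone"


def summarize(log_text, zones=None):
    """Count dropped flows by (IN, OUT, proto, dport, path)."""
    zones = zones if zones is not None else iface_zones()
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["verdict"].startswith("DROP"):
            continue
        counts[(rec["in"], rec["out"], rec["proto"], rec["dpt"],
                classify(rec, zones))] += 1
    return counts


# Which configuration variable governs each drop path (my reading of the
# variable names in the posted config; check the SuSEFirewall2 comments).
KNOB_FOR_PATH = {
    "input": "FW_SERVICES_<ZONE>_TCP / FW_SERVICES_<ZONE>_UDP",
    "forward-same-zone": 'FW_ALLOW_CLASS_ROUTING="yes"',
    "forward-cross-zone": "FW_FORWARD / FW_FORWARD_MASQ",
}


def recommend(counts):
    """Sorted list of the configuration knobs implicated by the dropped flows."""
    return sorted({KNOB_FOR_PATH[key[-1]] for key in counts})


if __name__ == "__main__":
    counts = summarize(SAMPLE_LOG)
    for key, n in sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0]))):
        print(f"{n:3d}  IN={key[0]:<5} OUT={key[1]:<5} {key[2]}/{key[3]}  {key[4]}")
    print("check:", ", ".join(recommend(counts)))
```

Run it as-is for the built-in sample, or pass the contents of /var/log/messages to summarize(). The classifier relies on the netfilter LOG convention that packets dropped in INPUT carry an empty OUT= while forwarded packets name both interfaces; a flow counted as forward-same-zone on a box with FW_ALLOW_CLASS_ROUTING="no" is exactly the situation in this thread.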
How to configure SuSE Firewall and NFS/NIS serving - any pointers? -- Simon Oliver
First check whether your NFS/NIS runs properly. You have to bind a port to the mount daemon, otherwise it changes with every restart of the service. Look at the man page for options, e.g. at: http://www.netadmintools.com/html/8mountd.man.html
You have ports for the mount daemon, nfs, the lock daemon and the rpc port. These should only be open from inside your network, not from outside. Here you get a port list (hope it is correct): http://cert.uni-stuttgart.de/archive/bugtraq/1999/01/msg00176.html
or with "rpcinfo -p localhost", which leads you e.g. to:
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100021 1 udp 32768 nlockmgr
100021 3 udp 32768 nlockmgr
100021 4 udp 32768 nlockmgr
100007 2 udp 997 ypbind
100007 1 udp 997 ypbind
100007 2 tcp 1000 ypbind
100007 1 tcp 1000 ypbind
100024 1 udp 32785 status
100024 1 tcp 39510 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100005 1 udp 32786 mountd
100005 1 tcp 39511 mountd
100005 2 udp 32786 mountd
100005 2 tcp 39511 mountd
100005 3 udp 32786 mountd
100005 3 tcp 39511 mountd
The ports depend on the port the mount daemon is bound to. The rest is almost the same.
Philippe
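Philippe's recipe (enumerate the RPC registrations, open only those ports to the inside, and pin the mount daemon so the list stays valid) can be turned into a small tool. The script below is an added example, not Philippe's code or part of SuSE's tooling: it parses the rpcinfo -p output he posted (reproduced verbatim, with the standard rpcinfo header line added by me), emits FW_SERVICES_<ZONE>_TCP/UDP values for the zone variables seen in the SuSEFirewall2 configuration earlier in this thread, and flags the services whose ports were handed out at start-up. Treating only portmapper (111) and nfs (2049) as fixed ports is my assumption about what is conventionally pinned; everything else is reported as needing a pinned port before the allow-list can be trusted across restarts.

```python
"""Turn 'rpcinfo -p' output into SuSEFirewall2 service lists.

Parses the portmapper registrations, emits the FW_SERVICES_<ZONE>_TCP/UDP
values that open exactly those ports, and flags RPC services whose ports are
assigned when the daemon starts (everything except portmapper on 111 and nfs
on 2049), because a list built from them is stale after the next restart
unless the ports are pinned.
"""
import re

# Registrations as posted (one per line); the first line is the header that
# rpcinfo -p prints, added here so the parser is shown skipping it.
RPCINFO_OUTPUT = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100021    1   udp  32768  nlockmgr
    100021    3   udp  32768  nlockmgr
    100021    4   udp  32768  nlockmgr
    100007    2   udp    997  ypbind
    100007    1   udp    997  ypbind
    100007    2   tcp   1000  ypbind
    100007    1   tcp   1000  ypbind
    100024    1   udp  32785  status
    100024    1   tcp  39510  status
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100005    1   udp  32786  mountd
    100005    1   tcp  39511  mountd
    100005    2   udp  32786  mountd
    100005    2   tcp  39511  mountd
    100005    3   udp  32786  mountd
    100005    3   tcp  39511  mountd
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")

# Assumption: only these RPC programs sit on a conventional fixed port; the
# others get a port from the kernel at start-up unless the daemon is told one.
FIXED_PORTS = {"portmapper": 111, "nfs": 2049}


def parse_rpcinfo(text):
    """Return a list of (program, version, proto, port, name) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:  # header and blank lines do not match and are skipped
            prog, vers, proto, port, name = m.groups()
            entries.append((int(prog), int(vers), proto, int(port), name))
    return entries


def ports_by_proto(entries, only=None):
    """Distinct ports per protocol, optionally restricted to a set of service names."""
    ports = {"tcp": set(), "udp": set()}
    for _prog, _vers, proto, port, name in entries:
        if only is None or name in only:
            ports[proto].add(port)
    return {proto: sorted(ps) for proto, ps in ports.items()}


def fw_services(entries, zone="INT", only=None):
    """SuSEFirewall2 variable values that open these ports for one zone."""
    ports = ports_by_proto(entries, only)
    return {
        f"FW_SERVICES_{zone}_TCP": " ".join(str(p) for p in ports["tcp"]),
        f"FW_SERVICES_{zone}_UDP": " ".join(str(p) for p in ports["udp"]),
    }


def needs_pinning(entries):
    """Service names whose ports were assigned at start-up and may change on restart."""
    return sorted({name for *_rest, port, name in entries
                   if FIXED_PORTS.get(name) != port})


if __name__ == "__main__":
    entries = parse_rpcinfo(RPCINFO_OUTPUT)
    # Open only what NFS serving needs; leave ypbind out of the allow-list.
    nfs_only = {"portmapper", "nfs", "mountd", "nlockmgr", "status"}
    for var, value in fw_services(entries, "INT", only=nfs_only).items():
        print(f'{var}="{value}"')
    print("pin these before trusting the list:", ", ".join(needs_pinning(entries)))
```

Pipe real output in with `rpcinfo -p localhost | python3 thisfile.py` after replacing RPCINFO_OUTPUT with sys.stdin.read(), and regenerate the list whenever a daemon restarts until the ports reported by needs_pinning() have been fixed in the daemon options, which is the step Philippe says to do first.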
Philippe, thanks for your help. I tried searching on Google but got a lot of mixed results. I've used netstat in the past but didn't know about rpcinfo. I did find a useful resource at http://www.lowth.com/LinWiz/nfs_help.html but it is a little out of date (SuSE 7.3). This recommends tying down nfsd (and associated services) to specific ports so that fewer holes need to be opened in the firewall. Tying down the ports seems quite messy according to the guide, and I'm worried that an automatic update could overwrite one of the altered files and cause something to stop working. Also, are there any known problems with tying down rpc services to specific ports rather than using random ports? Regards -- Simon Oliver
participants (5)
- Jochen Haßfurter
- Maximilian Steinbauer
- muralito@montevideo.com.uy
- Philippe Vogel
- Simon Oliver