I seem to have the same problem (three NICs in the machine, neither of the two internal ones get any packets forwarded to or from the external one), and I am not using masquerading. IP forwarding does not work with the external NIC even with the firewall removed entirely. Interestingly, it does work between the two internal Nieces, but not to or from the one with the external gateway. I did think it was because the external NIC used dhcp, but I wonder if it is a bug in SuSe 8.0? Anyone want to try with the firewall completely switched off? Might be difficult without a routeable address on the internal machines, but I would be very grateful if anyone else could try it! -- Roger Hayter In message <00e601c200ee$1f7b83c0$f000a8c0@minniemouse>, Jon writes

THere is a switch for "protect from internal I rememebr off hand". You need to put a route in your table if you are not going to NAT.

Regards,

Jon ----- Original Message ----- From: "Vitaly Shishakov" To: Sent: Tuesday, May 21, 2002 10:33 AM Subject: [suse-security] SuSEfirewall2: cannot connect to ext. IP from int. net

...

I am having a similar problem with SuSEfirewall2 (version 2.1).

for example -- i have a SuSE linux machine set up as gw with iptables firewall, masq, etc, running HTTP, SMTP, IMAPD, FTP, SSH, etc.

probably -- that is not the most secure solution -- but currently i can not move that stuff to other machines (and thus create the DMZ) instead -- i have to use it like that is now.

in a similar fashion, i can not connect to it's services from internal (masquaraded) network to number of services via external address -- that is really not convinient.

how can i fix it?

charly123 wrote:

...

Hallo Michael,

I want to talk on Port 6667 (IRC-Server) of my own Server. You will say, I can probably talk to the internal Adress, but I can't do that with a specially-written program. This program talks to the external Adress, but the Firewall blocks that. Why can I disable this security-option.

...

yes, so it is, but I can't change the options of the client-software, it

is

...

written for external users of the IRC-Server. I need the program for log all traffic on the IRC and to look for someone, who want to talk to me as operator. So I need the variable to deaktivate the option "SuSE-FW-NO_ACCESS_INT->FWEXT ". In which configuration-file or script is it activatet?

Best regards,

Jost Schler

___________________________________________________________________________ _

...

________________ Die IRC-Client-Software soll eigentlich auf eine Adresse im Deinem Netzwerk zugreifen, geht jetzt aba ber Deinen Router/Firewall auf eine externe IP. Dann ist es wohl eher 'ne Einstellungsfrage der Client-Software. Ciao Michael

___________________________________________________________________________ _

...

_____

-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here