SuSEfirewall2: ping from masqueraded net
Hi list!

SuSE Linux 8.1, SuSEfirewall2-3.1-26

I'm trying to ping and traceroute from the internal masqueraded net. But the internal masq. net should only ping/traceroute, nothing else. The problem is that in FW_MASQ_NETS only tcp and udp are accepted, icmp is not. Why?

So setting

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"

and

FW_ALLOW_FW_TRACEROUTE="yes"

isn't enough, the internal net isn't masqueraded as it should be.

I would like to do something like

FW_MASQ_NETS="192.168.1.0/24,0/0,icmp"

but SuSEfirewall2 will throw an error on this; lines 1583 to 1586 from /sbin/SuSEfirewall2:

1583     test "$PROTO" = tcp -o "$PROTO" = udp || {
1584         echo "Error: The protocol with FW_MASQ_NETS must be tcp or udp -> $NETS"
1585         NET2=""
1586     }

Any ideas how to do this? Would it be possible to extend the script to allow also icmp as a valid protocol?

Thanks,
Richard

-- 
Richard Ems ... e-mail: r.ems@gmx.net ... Computer Science, University of Hamburg
Unix IS user friendly. It's just selective about who its friends are.
* Richard Ems;
> Hi list!
> SuSE Linux 8.1, SuSEfirewall2-3.1-26
> I'm trying to ping and traceroute from the internal masqueraded net. But the internal masq. net should only ping/traceroute, nothing else. The problem is that in FW_MASQ_NETS only tcp and udp are accepted, icmp is not. Why?
> So setting
> FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="yes"
> and
> FW_ALLOW_FW_TRACEROUTE="yes"
> isn't enough, the internal net isn't masqueraded as it should be.
> Any ideas how to do this?
How is your FW_ALLOW_HIGHPORTS_UDP set? If "yes", it should work.

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Togan Muftuoglu wrote:
> * Richard Ems;
> on 10 Jan, 2003 wrote:
> > Hi list!
> > SuSE Linux 8.1, SuSEfirewall2-3.1-26
> > I'm trying to ping and traceroute from the internal masqueraded net. But the internal masq. net should only ping/traceroute, nothing else. The problem is that in FW_MASQ_NETS only tcp and udp are accepted, icmp is not. Why?
> > So setting
> > FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="yes"
> > and
> > FW_ALLOW_FW_TRACEROUTE="yes"
> > isn't enough, the internal net isn't masqueraded as it should be.
> > Any ideas how to do this?
> How is your FW_ALLOW_HIGHPORTS_UDP set? If "yes", it should work.
Yes, FW_ALLOW_HIGHPORTS_UDP is set to "yes"!

I think I wasn't clear enough. My internal net has no access to the internet, only http/ftp access through a squid proxy server. But I would like to allow ping and traceroute from the internal net, and ONLY ping and traceroute. How can I achieve this using FW_MASQ_NETS if it doesn't allow me to give icmp as a protocol? Or are icmp packets from the int. net always masqueraded and I don't need any tweaking?

Here my /etc/sysconfig/SuSEfirewall2:

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.10.2/32"

Here I would like to write something like:
---> FW_MASQ_NETS="192.168.10.2/32 192.168.20.0/24,0/0,icmp" !!!
====

FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_INT_UDP="ntp"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.53.103.103,udp,123 192.53.103.104,udp,123"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"

-- 
Richard Ems ... e-mail: r.ems@gmx.net ... Computer Science, University of Hamburg
Unix IS user friendly. It's just selective about who its friends are.
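The rules that an entry like "192.168.20.0/24,0/0,icmp" would have to produce, as an added example that is not part of the thread and not SuSEfirewall2's own code: a small sh function that parses an FW_MASQ_NETS-style entry (assumed layout SRC[,DST[,PROTO[,PORT]]], with the fourth field read as an --icmp-type when the protocol is icmp), accepts icmp next to tcp and udp where the script's test at lines 1583-1586 refuses it, and emits the FORWARD and nat/POSTROUTING rules for it. The device names eth0/eth1 are taken from the posted configuration; the IPT variable, the function name and the default of printing the rules instead of installing them are assumptions made for the example so it runs without root.

```sh
#!/bin/sh
# Added example (not SuSEfirewall2 code): emit the iptables rules for one
# FW_MASQ_NETS-style entry, accepting icmp as a protocol.
# Field layout assumed: SRC[,DST[,PROTO[,PORT]]]; for icmp the fourth field
# is taken as an --icmp-type (e.g. echo-request).
# IPT defaults to "echo iptables" so the script only prints the rules; run it
# as root with IPT=iptables to install them.
IPT=${IPT:-"echo iptables"}
FW_DEV_INT=${FW_DEV_INT:-eth1}     # internal interface from the posted config
FW_MASQ_DEV=${FW_MASQ_DEV:-eth0}   # masquerading (external) interface

# emit_masq_rules ENTRY
# Prints the three rules for ENTRY and returns 0, or prints an error to
# stderr and returns 1 when the protocol is not tcp, udp or icmp.
emit_masq_rules() {
    entry=$1
    # split the comma-separated entry into positional parameters
    old_ifs=$IFS; IFS=,
    set -- $entry
    IFS=$old_ifs
    src=$1 dst=${2:-0/0} proto=${3:-} port=${4:-}

    match="-s $src -d $dst"
    case "$proto" in
        "") ;;                                   # no protocol: match everything
        tcp|udp)
            match="$match -p $proto"
            if [ -n "$port" ]; then match="$match --dport $port"; fi ;;
        icmp)
            match="$match -p icmp"
            if [ -n "$port" ]; then match="$match --icmp-type $port"; fi ;;
        *)
            echo "Error: protocol must be tcp, udp or icmp -> $entry" >&2
            return 1 ;;
    esac

    # outbound packets from the internal net, and their masquerading
    $IPT -A FORWARD -i "$FW_DEV_INT" -o "$FW_MASQ_DEV" $match -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$FW_MASQ_DEV" $match -j MASQUERADE
    # replies: echo-reply is ESTABLISHED for conntrack, and the ICMP
    # time-exceeded / port-unreachable errors traceroute needs come back as
    # RELATED, so nothing else from outside reaches the internal net
    $IPT -A FORWARD -i "$FW_MASQ_DEV" -o "$FW_DEV_INT" -d "$src" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# ping only, and traceroute only (its UDP probes use ports 33434-33523)
emit_masq_rules "192.168.20.0/24,0/0,icmp,echo-request"
emit_masq_rules "192.168.20.0/24,0/0,udp,33434:33523"
```

Run as shown it prints the rules; the icmp-only entry yields a MASQUERADE rule restricted with -p icmp, so nothing but ping (and, with the second entry, traceroute probes) from 192.168.20.0/24 is ever NATed. Rather than patching the package-managed /sbin/SuSEfirewall2, such rules can be added from the file named by FW_CUSTOMRULES; check the hook function names in the SuSEfirewall2-custom template of your version before doing so.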