SuSE Firewall2 and DMZ
Hi! I am in trouble because of my SuSE firewall2 settings. I have a firewall with six network adapters. One of them points to the DMZ, one of them points to the internal network and the others point to untrusted external worlds. There is a web server and a mail server running on the DMZ. Everybody can access the web server and the mail server (from the external world or from the internal network). The DMZ has a private IP address. Everybody uses the proper IP address of the firewall to access the services on the DMZ server. It works fine.

I wanted to use the same method for the internal network. And there is a strange behaviour. I know that the firewall does not route between the DMZ and the internal net by default (both the DMZ and the internal net are masqueraded) so I used the FW_FORWARD option to access mail and web services from internal on DMZ. The IP address of the DMZ server is 192.168.122.2 and the internal net is 192.168.120.0/24 where 192.168.120.1 points to the interface of the firewall. I tried the 192.168.120.1 in my WEB browser (from the internal network) and it did not work. After that I tried the 192.168.122.2 and it worked. But why? I think I must use the IP address of the firewall to access services behind the firewall with FW_FORWARD and FW_FORWARD_MASQ options. Can anybody explain how it works? I already checked the relevant pdf documentations but they did not help. If I try to access the WEB server from the internet and I specify the IP address of the firewall, then it works fine. But it does not work from the internal network in the same way.

And there is a second more serious problem. OK, I use the 192.168.122.2 from internal network to access web and mail. I tried to check my e-mails with IMAP from the internal network. It worked but there was a long delay.
The firewall log showed:

Jun 18 00:28:49 (none) kernel: SuSE-FW-ACCEPT-TRUST IN=eth0 OUT=eth1 SRC=192.168.120.30 DST=192.168.122.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=19187 DF PROTO=TCP SPT=4177 DPT=143 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 18 00:28:49 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57671 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034647B10000000001030300)
Jun 18 00:28:52 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57672 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034648DD0000000001030300)
Jun 18 00:28:58 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57673 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03464B350000000001030300)

I think the SuSE-FW-DROP-DEFAULT causes the delay. Any help would be appreciated.
Best regards,
Sandor Toth

Ps: I use SuSE 8.2 Prof

My routing table is:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.12.2.64      0.0.0.0         255.255.255.248 U     0      0        0 eth2
192.168.102.0   192.168.121.254 255.255.255.0   UG    0      0        0 eth4
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth5
192.168.14.0    192.168.121.254 255.255.255.0   UG    0      0        0 eth4
192.168.120.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.121.0   0.0.0.0         255.255.255.0   U     0      0        0 eth4
192.168.106.0   192.168.121.254 255.255.255.0   UG    0      0        0 eth4
192.168.122.0   0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.12.2.65      0.0.0.0         UG    0      0        0 eth2

My SuSE firewall settings are:

FW_QUICKMODE="no"
FW_DEV_EXT="eth2 eth3 eth4 eth5 ppp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.120.0/24 192.168.122.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="domain"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_DMZ_IP="tcp"
FW_SERVICES_INT_TCP="domain ssh 224"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP="tcp"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="192.168.120.0/24,192.168.122.2,tcp,23 \
192.168.120.0/24,192.168.122.2,tcp,80 \
192.168.120.0/24,192.168.122.2,tcp,139 \
192.168.120.0/24,192.168.122.2,tcp,25 \
192.168.120.0/24,192.168.122.2,tcp,110 \
192.168.120.0/24,192.168.122.2,tcp,143"
FW_FORWARD_MASQ="\
192.168.14.0/24,192.168.120.19,tcp,3389 \
192.168.14.0/24,192.168.120.18,tcp,7781 \
192.168.14.0/24,192.168.120.18,tcp,445 \
192.168.14.0/24,192.168.122.2,tcp,23 \
192.168.14.0/24,192.168.120.18,tcp,1522 \
192.168.14.0/24,192.168.120.13,tcp,80 \
192.168.14.0/24,192.168.120.30,tcp,6000 \
192.168.14.0/24,192.168.120.18,tcp,139 \
0/0,192.168.122.2,tcp,25 \
0/0,192.168.122.2,tcp,110 \
0/0,192.168.122.2,tcp,143 \
0/0,192.168.122.2,tcp,80 \
192.168.102.101,192.168.120.30,tcp,6000 \
192.168.102.102,192.168.120.30,tcp,6000"
# Beware to use this!
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="no"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
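Editor's note, added to this archived thread (this is not code from Sandor's firewall or from SuSEfirewall2 itself): the FW_FORWARD and FW_FORWARD_MASQ values above are whitespace-separated entries of the form source,destination,protocol,port, with backslash line continuations inside the quoted value. The small parser below reads that syntax and checks which entries match a given flow. Run over a constructed copy of the entries from the post, it shows that an internal client reaching 192.168.122.2:80 is covered by FW_FORWARD, while nothing in either list names the firewall's own internal address 192.168.120.1 as a destination, which is consistent with the browser test Sandor describes. The matching here is address and port only; it does not model on which interface SuSEfirewall2 installs each rule, which is the point Lars raises in his reply. The "0/0" handling and the optional trailing fields are assumptions about the file format, not something the thread documents.

```python
import ipaddress
from dataclasses import dataclass

# Constructed copy of the FW_FORWARD value from the post, kept in the same
# shell syntax (backslash-newline continuations inside the quoted string).
FW_FORWARD = """192.168.120.0/24,192.168.122.2,tcp,23 \\
192.168.120.0/24,192.168.122.2,tcp,80 \\
192.168.120.0/24,192.168.122.2,tcp,139 \\
192.168.120.0/24,192.168.122.2,tcp,25 \\
192.168.120.0/24,192.168.122.2,tcp,110 \\
192.168.120.0/24,192.168.122.2,tcp,143"""

# Constructed subset of the FW_FORWARD_MASQ value from the post.
FW_FORWARD_MASQ = """\\
192.168.14.0/24,192.168.120.19,tcp,3389 \\
0/0,192.168.122.2,tcp,25 \\
0/0,192.168.122.2,tcp,80 \\
192.168.102.101,192.168.120.30,tcp,6000"""


@dataclass(frozen=True)
class ForwardRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int


def _net(text: str) -> ipaddress.IPv4Network:
    # Assumption: "0/0" in the config means "any source"; ipaddress wants a
    # full dotted address, so normalise it first.  A bare host address
    # (no prefix length) becomes a /32.
    if text == "0/0":
        text = "0.0.0.0/0"
    return ipaddress.ip_network(text, strict=False)


def parse_forward(value: str) -> list:
    """Split a FW_FORWARD/FW_FORWARD_MASQ value into ForwardRule objects."""
    rules = []
    for token in value.split():
        if token == "\\":          # leftover shell line continuation
            continue
        parts = token.split(",")
        if len(parts) < 4:
            raise ValueError("malformed entry: %r" % token)
        src, dst, proto, port = parts[:4]   # extra fields, if any, are ignored here
        rules.append(ForwardRule(_net(src), _net(dst), proto.lower(), int(port)))
    return rules


def matching_rules(rules: list, src_ip: str, dst_ip: str, proto: str, port: int) -> list:
    """Return the entries whose source net, destination net, protocol and port
    all cover the given flow (address/port match only, no interface logic)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return [r for r in rules
            if src in r.src and dst in r.dst
            and r.proto == proto.lower() and r.port == port]


if __name__ == "__main__":
    fwd = parse_forward(FW_FORWARD)
    masq = parse_forward(FW_FORWARD_MASQ)
    for dst in ("192.168.122.2", "192.168.120.1"):
        hits = matching_rules(fwd, "192.168.120.30", dst, "tcp", 80)
        print("FW_FORWARD  192.168.120.30 -> %s:80  matches %d entr(y/ies)" % (dst, len(hits)))
        hits = matching_rules(masq, "192.168.120.30", dst, "tcp", 80)
        print("FW_FORWARD_MASQ 192.168.120.30 -> %s:80  matches %d entr(y/ies)" % (dst, len(hits)))
```

Note that the 0/0 entries in FW_FORWARD_MASQ do match the internal client's address on paper; whether such a DNAT entry is ever consulted for a packet arriving on the internal interface is a question of where SuSEfirewall2 installs the rule, not of the addresses in the entry.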
On Thu, Jun 19, 2003 at 11:20:53AM +0200, Sandor Toth wrote:
> If I try to access the WEB server from the internet and I specify the IP
> address of the firewall, then it works fine. But it does not work from
> the internal network in the same way.

accessing the OUTside interface of the firewall from the INside just to
redirect it again to the DMZ is a bit difficult. best setup some sort of
"split brain" DNS (one shot solution: add it with the 192.X address into
/etc/hosts), and use the server name.

> And there is a second more serious problem. OK, I use the 192.168.122.2
> from internal network to access web and mail. I tried to check my
> e-mails with IMAP from the internal network. It worked but there was a
> long delay. The firewall log showed:
>
> SuSE-FW-ACCEPT-TRUST SRC=192.168.120.30 DST=192.168.122.2 PROTO=TCP DPT=143

ok that's imap

> SuSE-FW-DROP-DEFAULT SRC=192.168.122.2 DST=192.168.120.30 PROTO=TCP DPT=113

and that's the imap server asking for ident information,
this is dropped by the firewall, and after the full timeout the server
continues...
better reject-with-tcp-reset this particular port (ident,113), then the
imap server (and every other server which still asks for ident information
before service continues) notices immediately that there is no, and will
be no, response...
I thought SuSEFirewall did this by default?

-hth
Lars
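Editor's note, added to this archived thread (not code from either poster): the pattern Lars identifies, an accepted connection to a mail port immediately followed by repeated DROPs of a tcp/113 SYN from the server back to the client, is easy to spot mechanically in the SuSE-FW log format. The script below parses the key=value fields of the kernel log lines, groups dropped ident SYNs by (server, client, source port) so that the retransmits of one probe count as one stall, pairs each stall with the accepted connection that triggered it, and prints the plain iptables REJECT rule that implements the tcp-reset Lars recommends. The sample input is a constructed copy of the four log lines from the post; the hook for placing such a rule into a SuSEfirewall2 8.2 configuration is not covered here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed copy of the four lines Sandor quoted from his firewall log.
SAMPLE_LOG = """\
Jun 18 00:28:49 (none) kernel: SuSE-FW-ACCEPT-TRUST IN=eth0 OUT=eth1 SRC=192.168.120.30 DST=192.168.122.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=19187 DF PROTO=TCP SPT=4177 DPT=143 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405B4)
Jun 18 00:28:49 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57671 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034647B10000000001030300)
Jun 18 00:28:52 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57672 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034648DD0000000001030300)
Jun 18 00:28:58 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57673 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03464B350000000001030300)
"""

IDENT_PORT = "113"

# syslog timestamp, host, "kernel:", the SuSE-FW-<verdict> prefix, then the
# netfilter LOG fields (KEY=VALUE tokens mixed with bare flags such as DF, SYN).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<verdict>SuSE-FW-[A-Z-]+) (?P<rest>.*)$")


def parse_line(line: str):
    """Return a dict of fields for one SuSE-FW log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            flags.add(tok)
    # syslog stamps carry no year; only differences between stamps are used here
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return {"ts": ts, "verdict": m.group("verdict"), "flags": flags, **fields}


def find_ident_stalls(log_text: str) -> list:
    """Group dropped ident SYNs per (server, client, sport) and pair each group
    with the accepted client->server connection that provoked the probe."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    accepts = [e for e in events if e["verdict"].startswith("SuSE-FW-ACCEPT")]
    drops = defaultdict(list)
    for e in events:
        if (e["verdict"].startswith("SuSE-FW-DROP") and e.get("PROTO") == "TCP"
                and e.get("DPT") == IDENT_PORT and "SYN" in e["flags"]):
            drops[(e["SRC"], e["DST"], e["SPT"])].append(e)
    findings = []
    for (server, client, _sport), group in drops.items():
        trigger = next((a for a in accepts if a["SRC"] == client and a["DST"] == server), None)
        findings.append({
            "server": server,
            "client": client,
            "service_port": trigger["DPT"] if trigger else None,
            "retries": len(group),
            # time between first and last logged retransmit; the real stall runs
            # until the server gives up, so this is a lower bound
            "stall_seconds": (group[-1]["ts"] - group[0]["ts"]).total_seconds(),
            "in_iface": group[0].get("IN"),
            "out_iface": group[0].get("OUT"),
        })
    return findings


def reject_rule(finding: dict) -> str:
    """Plain iptables form of the fix Lars describes: answer the ident probe with
    a TCP RST instead of dropping it, on the DMZ->internal forwarding path."""
    return ("iptables -I FORWARD -i %s -o %s -p tcp --dport 113 "
            "-j REJECT --reject-with tcp-reset" % (finding["in_iface"], finding["out_iface"]))


if __name__ == "__main__":
    for f in find_ident_stalls(SAMPLE_LOG):
        print("%s probed ident on %s after tcp/%s accepted: %d dropped SYNs over >= %.0fs"
              % (f["server"], f["client"], f["service_port"], f["retries"], f["stall_seconds"]))
        print("  suggested rule:", reject_rule(f))
```

The three DROP lines share SPT=40188 and increment ID by one each time, which is what a single ident probe being retransmitted looks like; grouping on the source port is what keeps the script from reporting three separate events for one stalled login.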