Re: [suse-security] SuSEfirewall
My network consists of two subnets (with two different network-devices (eth0, eth1)). The computers attached to these subnets should be able to reach the internet (ippp0) (this is already working). But additionally the computers of the two different subnets should be able to reach each other, too.
Turn logging on for denied packets. Try to connect from a computer on one subnet to a computer on the other subnet. Then examine the log file for denied packets correlating to the connection that failed (use ftp or telnet or something simple - but not ping). The last number on the logged line (with the # in front of it) is the rule which denied the packet. Run ipchains -L input -n --line on the destination computer and find the denying rule. Then study the SuSEfirewall script a bit (it's well-commented) and find out where you have to hack it to make things go. The script makes a lot of assumptions to keep things simple, and having 2 different internal nets is not supported so you have to fiddle the rules.

Volker
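As an added example (not from Volker's mail or the SuSEfirewall script), the log check described above as a small Python parser for the ipchains "Packet log:" kernel line format, run over constructed sample syslog lines: it keeps the denied packets between the two internal subnets and tallies which chain and rule number (the "(#N)" at the end of the line) dropped them. The subnets 192.168.3.0/24 and 192.168.11.0/24, the interface names and all sample values are assumed.

```python
import ipaddress
import re
from collections import Counter

# ipchains kernel log line (format as documented in the ipchains HOWTO):
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=.. [SYN] (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*?\(#(?P<rule>\d+)\)"
)

def parse_line(line):
    """Parse one syslog line; None if it is not an ipchains packet log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    return rec

def denied_between(lines, net_a, net_b):
    """Denied packets whose endpoints lie in the two subnets, in either direction."""
    a, b = ipaddress.ip_network(net_a), ipaddress.ip_network(net_b)
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] not in ("DENY", "REJECT"):
            continue
        src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
        if (src in a and dst in b) or (src in b and dst in a):
            hits.append(rec)
    return hits

def blame_rules(hits):
    """Count (chain, rule number) pairs: the rules to look up with 'ipchains -L <chain> -n --line'."""
    return Counter((h["chain"], h["rule"]) for h in hits)

# Constructed sample lines (made-up hosts, ids and timestamps); a telnet attempt in one direction, a ping reply
# in the other, an unrelated denied packet from the internet side and a non-ipchains line.
SAMPLE_LOG = [
    "Sep 11 15:40:01 fw kernel: Packet log: forward DENY eth1 PROTO=6 192.168.3.5:1037 192.168.11.2:23 L=60 S=0x00 I=4711 F=0x4000 T=64 SYN (#5)",
    "Sep 11 15:40:04 fw kernel: Packet log: forward DENY eth1 PROTO=6 192.168.3.5:1037 192.168.11.2:23 L=60 S=0x00 I=4712 F=0x4000 T=64 SYN (#5)",
    "Sep 11 15:40:09 fw kernel: Packet log: input DENY ippp0 PROTO=17 10.0.0.9:137 192.168.3.1:137 L=78 S=0x00 I=2 F=0x0000 T=110 (#12)",
    "Sep 11 15:40:11 fw kernel: Packet log: forward DENY eth0 PROTO=1 192.168.11.7:8 192.168.3.5:0 L=84 S=0x00 I=9 F=0x0000 T=64 (#5)",
    "Sep 11 15:40:12 fw sshd[812]: Accepted password for daniel from 192.168.3.5",
]

if __name__ == "__main__":
    hits = denied_between(SAMPLE_LOG, "192.168.3.0/24", "192.168.11.0/24")
    for (chain, rule), n in blame_rules(hits).items():
        print("%s chain, rule #%d denied %d packet(s)" % (chain, rule, n))
```

Note that the chain is recorded as well: a packet between the two subnets is denied in the forward chain, so that is the chain to list, not input.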
Hi Volker,

Thank you very much for your advice! I had to add the following commands to let it work:

ipchains -A forward -s 192.168.3.0 -s 192.168.11.0 -j ACCEPT
ipchains -A forward -s 192.168.11.0 -s 192.168.3.0 -j ACCEPT

ipchains -L forward now looks like:

Chain forward (policy DENY):
target     prot opt     source                destination           ports
fw_masq    all  ------  192.168.11.0/24       0.0.0.0/0             n/a
fw_masq    all  ------  192.168.3.0/24        0.0.0.0/0             n/a
ACCEPT     all  ------  192.168.11.0/24       192.168.3.0/24        n/a
ACCEPT     all  ------  192.168.3.0/24        192.168.11.0/24       n/a
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a

Is this OK? Now I can ping, telnet, whatever over the two subnets. In addition to this, is there a way to route broadcasts to the other subnet?

Yours
Daniel

-- 
Daniel Jung * Daniel.Jung@dj-web.de
Linux-User: #118180 * http://fly.to/dulcian
> ipchains -A forward -s 192.168.3.0 -s 192.168.11.0 -j ACCEPT
> ipchains -A forward -s 192.168.11.0 -s 192.168.3.0 -j ACCEPT

Correct me if I am wrong, but I don't see a destination here. All I see is -s 192.x.x.x -s 192.x.x.x. Have I missed something??
Hi semat,

On Mon Sep 11 15:54:06 2000 CEST semat wrote:

> > ipchains -A forward -s 192.168.3.0 -s 192.168.11.0 -j ACCEPT
> > ipchains -A forward -s 192.168.11.0 -s 192.168.3.0 -j ACCEPT
>
> Correct me if I am wrong, but I don't see a destination here. All I see is -s 192.x.x.x -s 192.x.x.x. Have I missed something??

Aehm, sorry, I just hacked the lines a little bit too fast. Replace the second "-s" in each line with a "-d"!

Yours
Daniel
On Mon, Sep 11, 2000 at 11:28 +0200, Daniel Jung wrote:

> Now I can ping, telnet, whatever over the two subnets. In addition to this, is there a way to route broadcasts to the other subnet?

You *don't* want to do this. That's what routers are made for -- not to let broadcasts through. Have a look at the Samba doc, especially the "Browsing" chapters. Set up a WINS server. You don't mention what exactly you want to achieve, but I guess you're just misguided and want something else than what you explicitly asked for. :) You should be happy to avoid broadcasts instead of propagating them!

virtually yours
Gerhard Sittig

-- 
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
Hi Gerhard,

On Mon Sep 11 18:40:53 2000 CEST Gerhard Sittig wrote:

> On Mon, Sep 11, 2000 at 11:28 +0200, Daniel Jung wrote:
>
> > Now I can ping, telnet, whatever over the two subnets. In addition to this, is there a way to route broadcasts to the other subnet?
>
> You *don't* want to do this. That's what routers are made for -- not to let broadcasts through. Have a look at the Samba doc, especially the "Browsing" chapters. Set up a WINS server. You don't mention what exactly you want to achieve, but I guess you're just misguided and want something else than what you explicitly asked for. :) You should be happy to avoid broadcasts instead of propagating them!

Hey, come down again! It was just a silly question of a stupid guy having forgotten that a router works on a higher level of the OSI model than a bridge or a repeater.

Daniel