SuSE firewall with 3 interfaces == frustration
Hello all, I am attempting to deploy the following firewall:

eth0 - external interface to Cisco, IP 1.2.3.62, mask 255.255.255.248
eth1 - DMZ interface, IP 10.0.0.1, mask 255.255.255.0
eth2 - internal interface to 192.168.1.0/24, IP 192.168.1.1, mask 255.255.255.0

The DMZ interface has a private IP, but is connected to a switch with my web and mail servers on it, complete with public IPs. I cannot spare two public IPs for the firewall box alone. I have connected a web server to this interface but it is unreachable with ICMP, web requests, etc. I suspect that my routing configuration is incorrect. Despite what I thought was a basic understanding of subnetting and static routing in general, I cannot achieve the proper config!!! Anyone see my errors??

Thanks,
Gabriel Rivera

--------------------------------------

Output of route -n on firewall:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.46        0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.45        0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.44        0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.43        0.0.0.0         255.255.255.255 UH    0      0        0 eth1
1.2.3.41        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
1.2.3.40        0.0.0.0         255.255.255.248 U     0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         1.2.3.41        0.0.0.0         UG    0      0        0 eth0

route.conf from firewall:

default      1.2.3.41
1.2.3.41     0.0.0.0   255.255.255.255  eth0
1.2.3.43     0.0.0.0   255.255.255.255  eth1
1.2.3.44     0.0.0.0   255.255.255.255  eth1
1.2.3.45     0.0.0.0   255.255.255.255  eth1
1.2.3.46     0.0.0.0   255.255.255.255  eth1
192.168.1.0  0.0.0.0   255.255.255.0    eth2

Output of route -n on webserver:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
1.2.3.4.0       0.0.0.0         255.255.255.248 U     0      0        0 eth0

route.conf from webserver:

default    10.0.0.1
10.0.0.1   0.0.0.0   255.255.255.255  eth0
* gabriel rivera wrote on Fri, Jun 15, 2001 at 04:42 -0500:
The dmz interface has a private IP, but is connected to a switch with my web and mail servers on it, complete with public IP's.
You set up an alias address on this interface, I assume?
I suspect that my routing configuration is incorrect. Despite what I thought was a basic understanding of subnetting and static routing in general, I cannot achieve the proper config!!! Anyone see my errors??
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
1.2.3.4.0       0.0.0.0         255.255.255.248 U     0      0        0 eth0
^^^^^^^^^ :-)
route.conf from webserver:
default 10.0.0.1 10.0.0.1 0.0.0.0 255.255.255.255 eth0
If the webserver (apache) is bound to a specific IP (and of course not the internal one :)) it should work. PING from outside too, I assume. But I think you cannot PING the "internet" from your webserver, can you? That's because PING uses 10.0.0.1 (the alias) as source IP, since it's the nearest interface. You can circumvent this by configuring the firewall to do masquerading for 10.0.0.1 to !10.0.0.0/8. I cannot tell you if SuSEfirewall can be configured in such a way. Maybe you need some additional rules via ipchains. Try that first, without filtering, since it's hard to debug a complex ruleset :)

I hope I understood you right and could point you in the right direction...

oki,
Steffen

-- 
This message was produced by machine and therefore bears neither signature nor seal.
hi all,

is the .rpm for ssh on-line someplace?? I only found the 7.1 version and it's compiled with glibc 2.2...

kind regards,
avi

--------------------------------------------------------------------------
Avi Bercovich                                  bercovic@swi.psy.uva.nl
Sinjeur Semeynsstraat 9                        Dept. of Social Science Informatics (SWI)
1183LD Amstelveen                              University of Amsterdam
hi all,
is the .rpm for ssh on-line someplace?? I only found the 7.1 version and it's compiled with glibc 2.2...
Go to ftp.suse.de/pub/suse/i386/update/7.0/sec1/. Crypto packages for the distributions before and including 7.0 can't be found on ftp.suse.com.
kind regards,
avi
Thanks,
Roman.
--
- -
| Roman Drahtmüller
The dmz interface has a private IP, but is connected to a switch with my web and mail servers on it, complete with public IP's.
You set up an alias address on this interface, I assume?
No: I am attempting to use only one IP on this card:

SuseFW DMZ nic                  switched to webservers
IP 10.0.0.1        <=======>    IP 1.2.3.43 to 1.2.3.46
Mask 255.255.255.0              mask 255.255.255.248

I am assuming that the netmask for the webservers does not change, although they are on a separate physical network from 2 other hosts on their subnet. These are CIDR IPs from my ISP.

Also, should the gateway for the servers in the DMZ be the external interface or the DMZ interface of my SuSEfirewall machine?

-gabriel
* gabriel rivera wrote on Fri, Jun 15, 2001 at 18:05 -0500:
SuseFW DMZ nic                  switched to webservers
IP 10.0.0.1        <=======>    IP 1.2.3.43 to 1.2.3.46
Mask 255.255.255.0              mask 255.255.255.248

I am assuming that the netmask for the webservers does not change, although they are on a separate physical network from 2 other hosts on their subnet. These are CIDR IPs from my ISP.
In this configuration the firewall would not be able to do even a PING, since both machines are in different networks. You would need e.g. a 10.0.0.2 alias on the webserver, or maybe some host route to the firewall (I'm not sure if you can configure that; maybe you get a "network unreachable" when trying this).
Also, should the gateway for the servers in the DMZ be the external interface or the DMZ interface of my SuSEfirewall machine?
For DMZ configurations you have either two firewalls (the DMZ is the network between both firewalls) or a firewall with three network adapters (you have one external, one internal and one DMZ network in this case). Configuration of the second possibility is slightly more difficult, but of course it's cheaper.

If you have e.g. eight IPs from the leased line, you could request more IPs of course :) You can split your 8-address netblock into two 4-address netblocks, each of which has only two usable IPs. When dropping broadcast (usually not needed) you could use 3 addresses. The lowest IP of the network is usually the network itself. You can use that IP too, if you use host routes only. Then you could configure .0-.7 as:

- Net1: .0-.3, leased line router .1, your firewall .2
- Net2: .4/32 (host route) to webserver
- Net3: .5/32 (host route) to mailserver(?)
- Net4: .6
- Net5: .7

Behind the firewall you get 4 usable IPs. To make routing work, you could give eth0 and eth1 the same IP (.2) and work via host routes, or use some IPs from 10.x.x.x...

oki,
Steffen

-- 
This message was produced by machine and therefore bears neither signature nor seal.
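The following Python is an added example, not code from the thread. It runs the routing tables Gabriel posted through a longest-prefix-match lookup, which is how the Linux kernel picks the outgoing interface and next hop, and makes two points of Steffen's replies concrete: on the firewall the /32 host routes beat the /29 interface route on eth0, so 1.2.3.43 leaves through the DMZ interface; and on the webserver the default route via 10.0.0.1 is only usable if 10.0.0.1 is reachable through a directly connected route, which is what the 10.0.0.1/32 host route supplies and what is missing in the "network unreachable" case. The outside client 203.0.113.5 is a constructed address from the RFC 5737 documentation range, the webserver's "1.2.3.4.0" typo is read as 1.2.3.40/29, and ARP and packet filtering are not modelled.

```python
"""Longest-prefix-match walk through the routing tables posted in this thread.

Added example, not code from the mailing-list posts. Tables are transcribed from
the `route -n` output above; 203.0.113.5 is a constructed outside address
(RFC 5737 documentation range). ARP and packet filtering are not modelled.
"""
import ipaddress


class RouteTable:
    """Minimal model of a Linux IPv4 routing table: (destination, gateway, iface)."""

    def __init__(self, entries):
        self.entries = [
            (ipaddress.ip_network(dst), ipaddress.ip_address(gw) if gw else None, iface)
            for dst, gw, iface in entries
        ]

    def lookup(self, dst):
        """Return the most specific matching entry, or None (longest prefix wins)."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface in self.entries:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best

    def next_hop(self, dst):
        """Return (iface, gateway-or-None) for dst.

        A gateway is only usable if it is itself reachable through a directly
        connected (gateway-less) route on the same interface; otherwise the
        kernel reports "Network is unreachable", the failure Steffen predicts
        when the DMZ host and the firewall sit in different subnets.
        """
        match = self.lookup(dst)
        if match is None:
            raise LookupError(f"no route to {dst}")
        net, gw, iface = match
        if gw is None:
            return iface, None            # on-link delivery: ARP for dst itself
        gw_match = self.lookup(gw)
        if gw_match is None or gw_match[1] is not None or gw_match[2] != iface:
            raise LookupError(f"gateway {gw} for {dst} is not on-link via {iface}")
        return iface, str(gw)


def reachable(table, dst):
    """True if the table can emit a packet for dst at all (route + usable next hop)."""
    try:
        table.next_hop(dst)
        return True
    except LookupError:
        return False


# Firewall table as posted ("route -n" on the firewall).
FIREWALL = RouteTable([
    ("1.2.3.46/32", None, "eth1"),
    ("1.2.3.45/32", None, "eth1"),
    ("1.2.3.44/32", None, "eth1"),
    ("1.2.3.43/32", None, "eth1"),
    ("1.2.3.41/32", None, "eth0"),
    ("1.2.3.40/29", None, "eth0"),
    ("10.0.0.0/24", None, "eth1"),
    ("192.168.1.0/24", None, "eth2"),
    ("127.0.0.0/8", None, "lo"),
    ("0.0.0.0/0", "1.2.3.41", "eth0"),
])

# Webserver table as posted; "1.2.3.4.0" in the post is read as 1.2.3.40/29.
WEBSERVER = RouteTable([
    ("10.0.0.1/32", None, "eth0"),       # host route that makes the gateway on-link
    ("1.2.3.40/29", None, "eth0"),
    ("0.0.0.0/0", "10.0.0.1", "eth0"),
])

# Same webserver without the host route: the default gateway is not on-link.
WEBSERVER_NO_HOST_ROUTE = RouteTable([
    ("1.2.3.40/29", None, "eth0"),
    ("0.0.0.0/0", "10.0.0.1", "eth0"),
])

OUTSIDE = "203.0.113.5"   # constructed outside client


if __name__ == "__main__":
    print("firewall  -> webserver  :", FIREWALL.next_hop("1.2.3.43"))    # ('eth1', None)
    print("firewall  -> outside    :", FIREWALL.next_hop(OUTSIDE))       # ('eth0', '1.2.3.41')
    print("webserver -> outside    :", WEBSERVER.next_hop(OUTSIDE))      # ('eth0', '10.0.0.1')
    print("webserver -> router .41 :", WEBSERVER.next_hop("1.2.3.41"))   # ('eth0', None)
    print("no host route, reachable:", reachable(WEBSERVER_NO_HOST_ROUTE, OUTSIDE))  # False
```

The last two lines are the practitioner's caveat: because the webserver keeps a 1.2.3.40/29 entry on eth0, any address in that /29 other than its own (the Cisco at .41, the firewall's outside address) is treated as on-link and ARPed for on the DMZ switch, where nothing answers. Reaching those addresses needs host routes via 10.0.0.1 as well, or the webserver's interface configured as a /32 so that everything goes through the default route.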
* gabriel rivera wrote on Fri, Jun 15, 2001 at 18:05 -0500:
SuseFW DMZ nic                  switched to webservers
IP 10.0.0.1        <=======>    IP 1.2.3.43 to 1.2.3.46
Mask 255.255.255.0              mask 255.255.255.248

I am assuming that the netmask for the webservers does not change, although they are on a separate physical network from 2 other hosts on their subnet. These are CIDR IPs from my ISP.
In this configuration the firewall would not be able to do even a PING, since both machines are in different networks. You would need e.g. a 10.0.0.2 alias on the webserver, or maybe some host route to the firewall (I'm not sure if you can configure that; maybe you get a "network unreachable" when trying this).
The host routes work nicely: everything is butter now, and I save a live IP.
You can split your 8-address netblock into two 4-address netblocks, each of which has only two usable IPs. When dropping broadcast (usually not needed) you could use 3 addresses.
Every resource I have found shows that this will not work: when I attempt to configure it this way the network breaks. Anyone have documentation on this?

-gabriel
Please reply via PM and not to the list (in case you want to continue), since this thread became off topic.

* gabriel rivera wrote on Sun, Jun 17, 2001 at 23:19 -0500:
* Steffen Dettmer:
You can split your 8-address netblock into two 4-address netblocks, each of which has only two usable IPs. When dropping broadcast (usually not needed) you could use 3 addresses.
Every resource I have found shows that this will not work: when I attempt to configure it this way the network breaks. Anyone have documentation on this?
Could you describe such resources? For some customers I configured it in this way: two 4-address nets, the first one between firewall and upstream router, the second one between firewall and a machine doing masquerading and/or VPN. Of course the upstream router needs to know about this (since it must have a route to the second net with the firewall as gateway).

oki,
Steffen

-- 
This message was produced by machine and therefore bears neither signature nor seal.
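As an added example (not code from the thread), the following Python does the address accounting for the plan Steffen describes in his two replies above: the first /30 of 1.2.3.40/29 is the link net to the upstream router with conventional network/broadcast rules, the second /30 sits behind the firewall and is handed out entirely as /32 host routes, so all four of its addresses are usable, and the upstream router needs a route for that second /30 pointing at the firewall. The route.conf line format is the one Gabriel posted; the rest of the layout (router .41, firewall .42) follows Steffen's sketch shifted onto the thread's block.

```python
"""Address plan for splitting the /29 into two /30s with host routes.

Added example, not from the posts. Follows Steffen's sketch: the first /30 is
the link net to the upstream router (conventional network/broadcast rules), the
second /30 is handed out behind the firewall as /32 host routes, so all four of
its addresses are usable. 1.2.3.40/29 is the block from the thread; the
route.conf line format is the one Gabriel posted.
"""
import ipaddress


def split_block(block, new_prefix=30):
    """Split e.g. 1.2.3.40/29 into [1.2.3.40/30, 1.2.3.44/30]."""
    return list(ipaddress.ip_network(block).subnets(new_prefix=new_prefix))


def host_route_plan(block):
    """Who gets which address when the second /30 is used via host routes only."""
    link, behind = split_block(block)
    link_hosts = [str(h) for h in link.hosts()]  # /30: network and broadcast excluded
    firewall = link_hosts[1]
    return {
        "upstream_router": link_hosts[0],
        "firewall": firewall,
        # every address of the second /30, including what would normally be its
        # network and broadcast address, becomes a /32 behind the firewall
        "dmz_host_routes": [f"{a}/32" for a in behind],
        # the upstream router must send the second /30 to the firewall
        "upstream_route": f"{behind} via {firewall}",
    }


def route_conf_lines(plan, dmz_iface="eth1"):
    """Firewall host routes in the SuSE route.conf format used in the thread."""
    return [
        f"{ipaddress.ip_network(r).network_address} 0.0.0.0 255.255.255.255 {dmz_iface}"
        for r in plan["dmz_host_routes"]
    ]


def usable_addresses(block):
    """(flat /29 with conventional rules, split /30s with host routes)."""
    plan = host_route_plan(block)
    conventional = len(list(ipaddress.ip_network(block).hosts()))
    with_host_routes = 2 + len(plan["dmz_host_routes"])  # router + firewall + 4 behind
    return conventional, with_host_routes


if __name__ == "__main__":
    plan = host_route_plan("1.2.3.40/29")
    for key, value in plan.items():
        print(f"{key:16} {value}")
    print("\n".join(route_conf_lines(plan)))
    print("usable (flat /29, split + host routes):", usable_addresses("1.2.3.40/29"))
```

The count at the end shows that the split does not buy addresses over a flat /29 (six usable either way). What it buys is routing instead of ARP at the border: with a flat /29 on the upstream router's interface, the router expects to ARP for each server on the outside segment, whereas with the split it carries a route for 1.2.3.44/30 pointing at the firewall, which is the route Steffen says the upstream router has to be told about.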
participants (4)
-
Avi Bercovich
-
gabriel rivera
-
Roman Drahtmueller
-
Steffen Dettmer