Hi list,

I think this will be an easy question for you: I've DSL set up on eth1/ppp0 and my LAN connected on eth0 - SuSEfirewall2 (SuSE Linux 8.1) is running. Routing/NAT is enabled and everything's working fine (I didn't touch the settings in the config file, I used only YaST).

I've configured my linux pc as an isdn-dialin-server and the dialin is working just fine except that as long as the firewall is activated I can't ping the pc which dialed in, and pinging the other way round isn't possible either - nor is any other kind of network communication (SSH, HTTP, etc.). The firewall seems to block the dialed-in computer (ippp0). Which settings do I have to set up so that when another PC dials in it can access at least my linux pc over SSH (Port 22) and HTTP (80)?

Best regards and thanks in advance,
Helge Jung
Hi Helge,
> I've configured my linux pc as an isdn-dialin-server and the dialin is working just fine except that as long as the firewall is activated I can't ping the pc which dialed in, and pinging the other way round isn't possible either - nor is any other kind of network communication (SSH, HTTP, etc.). The firewall seems to block the dialed-in computer (ippp0). Which settings do I have to set up so that when another PC dials in it can access at least my linux pc over SSH (Port 22) and HTTP (80)?
The easiest way would be to treat your dialup connection as an external connection as well. Thus, the only thing you have to do is to edit /etc/sysconfig/SuSEfirewall2 and change FW_DEV_WORLD="ppp0 ippp0" and FW_SERVICES_EXTERNAL_TCP="ssh www". However, this would also open ssh and http connections over the internet. Therefore I would not change FW_SERVICES_EXTERNAL_TCP but add the IP/net of the computer you're dialing in from to FW_TRUSTED_NETS and change FW_SERVICES_TRUSTED_TCP="ssh www" to allow those two protocols only from your dialing-in computer but not from the internet.

Yours,
Jörn

------------------------------------------------------------
Jörn Ott                  Phone: (0 22 24) 94 08 - 73
EDV Service & Beratung    Fax: (0 22 24) 94 08 -74
Lohfelder Str. 33         E-Mail: mailto:white@ott-service.de
53604 Bad Honnef          WWW: http://www.ott-service.de/
> The easiest way would be to treat your dialup connection as an external connection as well. Thus, the only thing you have to do is to edit /etc/sysconfig/SuSEfirewall2 and change FW_DEV_WORLD="ppp0 ippp0" and FW_SERVICES_EXTERNAL_TCP="ssh www". However, this would also open ssh and http connections over the internet.
That's ok, SSH and HTTP should be accessible over the internet as well for the moment.

I did some testing. In both cases the dsl-line was disconnected (cinternet --interface-name dsl0 ; cinternet -stop) and only the logging of critical packets discarded was enabled.

The first test was without any changes to the configuration file (excerpts from tail -f /var/log/messages | grep -i ippp0). After the successful isdn-login this line was repeated without doing anything, neither at the server nor the client side:

Nov 16 12:53:27 server kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=255.255.255.255 LEN=206 TOS=0x00 PREC=0x00 TTL=128 ID=4926 PROTO=UDP SPT=138 DPT=138 LEN=186

I assume I can discard the line because it seems to be some kind of broadcast (255.255.255.255) to me. Ok, the next line is repeated several times when trying to ping the server (192.168.5.1) from the client (192.168.5.200):

Nov 16 12:53:58 server kernel: SuSE-FW-DROP-ANTI-SPOOF IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4929 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=256

I can understand if the firewall blocks this for anti-portscan reasons (but where can I switch it off - I want to ping the server from the internal network). Now I tried to access the webserver running at the server and I got this line several times:

Nov 16 12:54:45 server kernel: SuSE-FW-DROP-ANTI-SPOOF IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=192.168.5.1 LEN=44 TOS=0x08 PREC=0x00 TTL=128 ID=4936 PROTO=TCP SPT=3188 DPT=80 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020405B4)

The second test was performed after I changed FW_TRUSTED_NETS from the empty string to "192.168.5.1 192.168.5.157 192.168.5.158 192.168.5.186 192.168.5.188 192.168.5.192 192.168.5.200" (which is what I understood you wanted me to do), which are all IPs in my LAN (the last one is the one for the isdn-dialin), and restarted the firewall.

The message after the login was the same as in the first test (the WinXP client is maybe doing some kind of broadcast after dialin, ok), but when trying to ping the server from the client I now got the following line:

Nov 16 13:04:42 server kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4982 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=256

Trying to access the webserver resulted in the following line:

Nov 16 13:05:31 server kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=192.168.5.1 LEN=44 TOS=0x08 PREC=0x00 TTL=128 ID=4987 PROTO=TCP SPT=3196 DPT=80 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020405B4)

It seems that specifying the trusted nets blocked the access to the server completely (but why can I surf over the server and access the SSH server as well as the HTTP server on 192.168.5.1 from 192.168.5.186?). I'll post my complete /etc/sysconfig/SuSEfirewall2 without the comments and empty lines for your viewing pleasure ;-)

Thanks in advance,
Helge.
--- START --- /etc/sysconfig/SuSEfirewall2 -----------------------------
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0 ippp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="10000 28070:28079 http https ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.5.1 192.168.5.157 192.168.5.158 192.168.5.186 192.168.5.188 192.168.5.192 192.168.5.200"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
--- END ----- /etc/sysconfig/SuSEfirewall2 -----------------------------
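Added example, not code from the thread and not part of SuSEfirewall2: a small Python script that reads the posted sysconfig excerpt and the quoted kernel log lines, maps each packet's incoming interface to the zone the FW_DEV_* variables assign it, expands FW_SERVICES_EXT_TCP into port numbers, and reports why the zone layout would object to the packet. It serves both Jörn's suggestion about which variables to change and Helge's two tests. The script assumes, because the thread does not say so, that the LAN behind eth0 is 192.168.5.0/24, that 192.168.5.1 is the firewall's own eth0 address, and that a four-entry SERVICE_PORTS table is an acceptable stand-in for /etc/services.

```python
import ipaddress
import re
import shlex

# Excerpt of the /etc/sysconfig/SuSEfirewall2 posted in the thread (shell KEY="value" syntax).
SYSCONFIG = '''
FW_DEV_EXT="ppp0 ippp0"
FW_DEV_INT="eth0"
FW_SERVICES_EXT_TCP="10000 28070:28079 http https ssh"
'''

# Kernel log lines quoted in the thread: the FW_LOG prefix, then the netfilter LOG fields.
LOG_LINES = [
    "Nov 16 12:53:27 server kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=255.255.255.255 LEN=206 TOS=0x00 PREC=0x00 TTL=128 ID=4926 PROTO=UDP SPT=138 DPT=138 LEN=186",
    "Nov 16 12:53:58 server kernel: SuSE-FW-DROP-ANTI-SPOOF IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=192.168.5.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=4929 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=256",
    "Nov 16 12:54:45 server kernel: SuSE-FW-DROP-ANTI-SPOOF IN=ippp0 OUT= MAC= SRC=192.168.5.200 DST=192.168.5.1 LEN=44 TOS=0x08 PREC=0x00 TTL=128 ID=4936 PROTO=TCP SPT=3188 DPT=80 WINDOW=2144 RES=0x00 SYN URGP=0 OPT (020405B4)",
]

# Assumed, not stated in the thread: the LAN behind eth0 is 192.168.5.0/24, 192.168.5.1 is the
# firewall's own eth0 address, and this small table stands in for /etc/services.
INTERNAL_NETS = {"eth0": ipaddress.ip_network("192.168.5.0/24")}
FW_ADDRESSES = {"eth0": ipaddress.ip_address("192.168.5.1")}
SERVICE_PORTS = {"ssh": 22, "http": 80, "www": 80, "https": 443}


def parse_sysconfig(text):
    """Read KEY="value" lines the way the shell does, with the quotes stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            parts = shlex.split(value)
            conf[key.strip()] = parts[0] if parts else ""
    return conf


def device_zones(conf):
    """Interface name -> list of zones (ext/int/dmz) the FW_DEV_* variables put it in."""
    zones = {}
    for key, zone in (("FW_DEV_EXT", "ext"), ("FW_DEV_INT", "int"), ("FW_DEV_DMZ", "dmz")):
        for dev in conf.get(key, "").split():
            zones.setdefault(dev, []).append(zone)
    return zones


def tcp_ports_allowed(conf, key="FW_SERVICES_EXT_TCP"):
    """Expand a list such as "10000 28070:28079 http ssh" into the set of TCP ports it opens."""
    ports = set()
    for item in conf.get(key, "").split():
        if item in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[item])
        elif ":" in item:
            lo, hi = map(int, item.split(":"))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


LOG_RE = re.compile(r"kernel: (?P<prefix>\S+) (?P<fields>.*)$")

def parse_log_line(line):
    """Split a netfilter LOG line into KEY=value fields; bare tokens such as SYN go to 'flags'."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": []}
    for tok in m.group("fields").split():
        if "=" in tok:
            k, _, v = tok.partition("=")
            rec.setdefault(k, v)  # ID= and LEN= appear twice; keep the IP-header value
        else:
            rec["flags"].append(tok)
    return rec


def explain(rec, zones):
    """Reasons the configured zone layout would object to a packet with these fields."""
    dev, src, dst = rec["IN"], ipaddress.ip_address(rec["SRC"]), ipaddress.ip_address(rec["DST"])
    reasons = []
    if dst == ipaddress.ip_address("255.255.255.255") or dst.is_multicast:
        reasons.append("broadcast/multicast destination, safe to ignore")
    if "ext" in zones.get(dev, []):
        for lan_dev, net in INTERNAL_NETS.items():
            if src in net:
                reasons.append(f"anti-spoof: source {src} lies in the {lan_dev} LAN {net} but arrived on external device {dev}")
    for addr_dev, addr in FW_ADDRESSES.items():
        if dst == addr and addr_dev != dev:
            reasons.append(f"destination {dst} is the firewall's {addr_dev} address, reached via {dev}")
    return reasons


def audit(conf_text=SYSCONFIG, lines=LOG_LINES):
    """One summary dict per logged packet, joining the log fields with the config."""
    conf = parse_sysconfig(conf_text)
    zones, allowed = device_zones(conf), tcp_ports_allowed(conf)
    out = []
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            dpt = int(rec["DPT"]) if "DPT" in rec else None
            out.append({"prefix": rec["prefix"], "dev": rec["IN"], "zones": zones.get(rec["IN"], []),
                        "proto": rec["PROTO"], "dpt": dpt, "reasons": explain(rec, zones),
                        "service_allowed": rec["PROTO"] == "TCP" and dpt in allowed})
    return out
```

Run on the three lines from the first test it reports that 192.168.5.200 is an address from the eth0 LAN arriving on ippp0, which the posted file lists under FW_DEV_EXT, and that tcp/80 is already covered by FW_SERVICES_EXT_TCP; the log prefix therefore comes from the anti-spoof check, not from a missing service entry. The same routine can be pointed at the output of `grep SuSE-FW /var/log/messages` on a live box before any FW_* variable is changed, so that the effect of a change is read off the logged zone/interface pairs rather than guessed.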