Re:[suse-security]RE:Can't connect hosts behind firewall
Hi Christoph,
On 2001.08.20 10:31:35 +0100 Christoph Egger wrote:
On Monday, 20. August 2001 10:55, maf@cybereye.co.uk wrote:
Hi Christoph,
From your logfile:
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 10.0.1.1:8 192.168.2.1:0 L=60 S=0x00 I=5606 F=0x0000 T=128 (#11)
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=112 S=0x00 I=45938 F=0x0000 T=64 (#32)
Aug 20 11:39:06 ipseca kernel: Packet log: input DENY ipsec0 PROTO=1 192.168.2.1:0 10.0.1.1:0 L=60 S=0x10 I=62222 F=0x0000 T=254 (#59)
Looks like the interface ipsec0 is being DENYed by default. Try inserting a couple of rules in your firewall :
INPUT : allow everything from interface ipsec0
OUTPUT : allow everything to ipsec0
Maybe you also need to do the routed patches I suggested earlier?
Maybe SuSE firewall config needs something like
FW_DEV_WORLD = eth1, ipsec0 <---- Will this work???
Hopefully someone who knows if you can do this with SuSE firewall 4.9 will answer here...
HTH, Maf.
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
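The reading of the log in the message above, as an added example that is not part of the original post: a small Python parser for the ipchains "Packet log:" lines quoted in this thread, reporting which interface and rule number produced a non-ACCEPT verdict. The protocol and ICMP type name tables are partial and were chosen here for illustration.

```python
import re
from collections import Counter

# Sample input: the three kernel log lines quoted in the message above.
SAMPLE_LOG = """\
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 10.0.1.1:8 192.168.2.1:0 L=60 S=0x00 I=5606 F=0x0000 T=128 (#11)
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=112 S=0x00 I=45938 F=0x0000 T=64 (#32)
Aug 20 11:39:06 ipseca kernel: Packet log: input DENY ipsec0 PROTO=1 192.168.2.1:0 10.0.1.1:0 L=60 S=0x10 I=62222 F=0x0000 T=254 (#59)
"""

# Fields: chain, verdict, interface, protocol number, src:port, dst:port, ..., (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)"
)
# Partial lookup tables (illustrative, not exhaustive).
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request"}

def parse_line(line):
    """Return a dict for one ipchains packet-log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    # For ICMP, ipchains logs the ICMP type in the source-port field
    # and the ICMP code in the destination-port field.
    if rec["proto"] == 1:
        rec["icmp_type"] = ICMP_TYPES.get(rec["sport"], str(rec["sport"]))
    return rec

def denied_by_interface(log_text):
    """Count non-ACCEPT verdicts per (interface, rule number)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"] != "ACCEPT":
            hits[(rec["iface"], rec["rule"])] += 1
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        print(parse_line(line))
    print(denied_by_interface(SAMPLE_LOG))
```

On the sample, the echo request is accepted on eth0, the ESP packet is accepted on eth1, and the decrypted echo reply is the only packet denied, on ipsec0 by rule 59.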
On Monday, 20. August 2001 12:24, maf@cybereye.co.uk wrote:
Hi Christoph,
On 2001.08.20 10:31:35 +0100 Christoph Egger wrote:
On Monday, 20. August 2001 10:55, maf@cybereye.co.uk wrote:
Hi Christoph,
From your logfile:
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 10.0.1.1:8 192.168.2.1:0 L=60 S=0x00 I=5606 F=0x0000 T=128 (#11)
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=112 S=0x00 I=45938 F=0x0000 T=64 (#32)
Aug 20 11:39:06 ipseca kernel: Packet log: input DENY ipsec0 PROTO=1 192.168.2.1:0 10.0.1.1:0 L=60 S=0x10 I=62222 F=0x0000 T=254 (#59)
Looks like the interface ipsec0 is being DENYed by default. Try inserting a couple of rules in your firewall :
INPUT : allow everything from interface ipsec0
OUTPUT : allow everything to ipsec0
Yes, this works!!! A BIG THANK!!!
Maybe you also need to do the routed patches I suggested earlier?
Maybe SuSE firewall config needs something like
FW_DEV_WORLD = eth1, ipsec0 <---- Will this work???
No.
-- CU, Christoph
Hi Christoph
On 2001.08.20 11:35:52 +0100 Christoph Egger wrote:
On Monday, 20. August 2001 12:24, maf@cybereye.co.uk wrote:
Hi Christoph,
Looks like the interface ipsec0 is being DENYed by default. Try inserting a couple of rules in your firewall :
INPUT : allow everything from interface ipsec0
OUTPUT : allow everything to ipsec0
Yes, this works!!! A BIG THANK!!!
Glad I was finally some help to you. ;-)
Now all you need to do is figure out if accepting *everything* on the ipsec0 interface is a good idea or not!
Best Wishes, Maf.
-- CU, Christoph
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't."
- Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hello guys,

I upgraded to 7.2 two weeks ago from version 7.0. Since my upgrade I cannot get my other Windows and Linux computers to access the internet. The Suse firewall in 7.2 will not even start. What can I do to get everything working again? I also tried my firewall file from 7.0 but it doesn't work. Any help would be greatly appreciated. Here is some information about my LAN.

netstat | grep tcp
tcp 0 0 ::ffff:213.17.23.:33094 ::ffff:195.96.96.1:pop3 TIME_WAIT

192.168.33.1 is the internet server
192.168.33.2 - 192.168.33.4 are clients to the net which cannot connect yet.

route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
195.96.100.62   0.0.0.0         255.255.255.255 UH    0      0   0   ppp0
192.168.33.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
0.0.0.0         195.96.100.62   0.0.0.0         UG    0      0   0   ppp0

ipchains -L
Chain input (policy DENY):
target  prot opt    source                    destination      ports
DENY    all  ------ anywhere                  255.255.255.255  n/a
DENY    udp  ------ anywhere                  anywhere         any -> netbios-ns
DENY    tcp  ------ anywhere                  anywhere         any -> netbios-ns
DENY    udp  ------ anywhere                  anywhere         any -> netbios-dgm
DENY    tcp  ------ anywhere                  anywhere         any -> netbios-dgm
DENY    udp  ------ anywhere                  anywhere         any -> bootps
DENY    udp  ------ anywhere                  anywhere         any -> bootpc
DENY    all  ------ BASE-ADDRESS.MCAST.net/8  anywhere         n/a
ACCEPT  all  ------ localnet/8                anywhere         n/a
ACCEPT  all  ------ 192.168.33.0/24           anywhere         n/a
ACCEPT  all  ------ 192.168.33.0/24           255.255.255.255  n/a
ACCEPT  icmp ------ anywhere                  anywhere         any -> any
ACCEPT  tcp  !y---- anywhere                  anywhere         any -> any
ACCEPT  udp  ------ sun4000.casema.net        anywhere         domain -> 1023:65535
ACCEPT  udp  ------ ns1.casema.net            anywhere         domain -> 1023:65535
ACCEPT  tcp  ------ anywhere                  anywhere         any -> ssh
ACCEPT  tcp  ------ anywhere                  anywhere         any -> telnet
ACCEPT  tcp  ------ anywhere                  anywhere         any -> smtp
ACCEPT  tcp  ------ anywhere                  anywhere         any -> ident
ACCEPT  tcp  ------ anywhere                  anywhere         any -> http
ACCEPT  tcp  ------ anywhere                  anywhere         any -> ftp
DENY    all  ----l- anywhere                  anywhere         n/a
Chain forward (policy ACCEPT):
target  prot opt    source                    destination      ports
MASQ    all  ------ 192.168.33.0/24           anywhere         n/a

maf king wrote:
Hi Christoph
On 2001.08.20 11:35:52 +0100 Christoph Egger wrote:
On Monday, 20. August 2001 12:24, maf@cybereye.co.uk wrote:
Hi Christoph,
Looks like the interface ipsec0 is being DENYed by default. Try inserting a couple of rules in your firewall :
INPUT : allow everything from interface ipsec0
OUTPUT : allow everything to ipsec0
Yes, this works!!! A BIG THANK!!!
Glad I was finally some help to you. ;-)
Now all you need to do is figure out if accepting *everything* on the ipsec0 interface is a good idea or not!
Best Wishes, Maf.
-- CU, Christoph
The Suse firewall in 7.2 will not even start.
it seems you are using a 2.4.x kernel from suse 7.2 and susefirewall 1, which only supports ipchains, and not iptables. try to use the 2.2.x kernel, delivered with suse 7.2
What can I do to get everything working again. I also tried my firewall file from 7.0 but it doesn't work.
because of the wrong kernel, I think
Markus
--
_____________________________
/"\  Markus Gaugusch ICQ 11374583
\ /  ASCII Ribbon Campaign markus@gaugusch.dhs.org
 X   Against HTML Mail
/ \
On Monday, 20. August 2001 13:50, markus@gaugusch.dhs.org wrote:
The Suse firewall in 7.2 will not even start.
it seems you are using a 2.4.x kernel from suse 7.2 and susefirewall 1,
That's true.
which only supports ipchains,
Also true.
and not iptables.
Also true. But there is a SuSEfirewall2.
try to use the 2.2.x kernel, delivered with suse 7.2
What can I do to get everything working again. I also tried my firewall file from 7.0 but it doesn't work.
because of the wrong kernel, I think
No. The 2.4.x kernel has an ipchains module, which is a wrapper for iptables. I use ipchains successfully on 2.4.x.
-- CU, Christoph
it seems you are using a 2.4.x kernel from suse 7.2 and susefirewall 1,
That's true. Also true. But there is a SuSEfirewall2.
why are you not using susefirewall2? ok, it seems you didn't know :)
No. The 2.4.x kernel has an ipchains module, which is a wrapper for iptables. I use ipchains successfully on 2.4.x.
this is true, but there is no ip_masq_ftp for 2.4.x anymore, which makes the whole thing quite useless
Markus
--
_____________________________
/"\  Markus Gaugusch ICQ 11374583
\ /  ASCII Ribbon Campaign markus@gaugusch.dhs.org
 X   Against HTML Mail
/ \
On Monday, 20. August 2001 14:01, markus@gaugusch.dhs.org wrote:
it seems you are using a 2.4.x kernel from suse 7.2 and susefirewall 1,
That's true. Also true. But there is a SuSEfirewall2.
why are you not using susefirewall2? ok, it seems you didn't know :)
No. The 2.4.x kernel has an ipchains module, which is a wrapper for iptables. I use ipchains successfully on 2.4.x.
this is true, but there is no ip_masq_ftp for 2.4.x anymore, which makes the whole thing quite useless
At least for everyone who can't live without masquerading... :-)
-- CU, Christoph
On Monday, 20. August 2001 13:40, jayhen@wanadoo.nl wrote:
Hello guys,
I upgraded to 7.2 two weeks ago from version 7.0. Since my upgrade I cannot get my other Windows and Linux computers to access the internet.
The Suse firewall in 7.2 will not even start.
Are you sure that you use the ipchains module that is compiled against the kernel version you use? Otherwise the firewall will never start, even when you say yes to START_FW in /etc/rc.config
-- CU, Christoph
participants (4)
- Christoph Egger
- jayhen
- maf king
- Markus Gaugusch