-----Original Message----- From: M. Neubert [mailto:mario_neubert@gmx.de] Sent: Friday, December 20, 2002 1:41 PM To: 'Togan Muftuoglu'; suse-security@suse.com Subject: RE: [suse-security] VMWare and SuSEfirewall2

Hello Togan, hello List,

...

...

Hello list,

I require a little bit of your help. My Router/Gateway runs with SuSE 8.1 Professional. I installed VMWare from CD. The VMWare Guest-System is W2k-Pro and within this, Overnet/Emule is installed. My Router has two network cards, one for LAN one for DSL. My home network is through the Router and SuSEfirewall masqueraded/protected. Respective a TCP/UDP Port is forwarded to the Guest-System. The NIC's from the Guestsystem are bridged to eth0, the internal nic. Is this a problem with the modules from vmware network system or did I overlook something in SuSEfirewall2? Goes the traffic for vmware through pre/postrouting?

What does the logs say they should be telling you why susefirewall is not letting the traffic

The logs says nothing (nothing was droped,rejected,etc...)

...

Have you defined the guest OS subnet somehere in the firewall configuration ie FW_MASQ_NETS or FW_TRUSTED_NET

Yes and the guest OS is in the same subnet and also on the same interface as the real test-pc. My config follows:

I have forget to say, that the network in the guest OS eq. smb,http and so on is working. Only the DNAT wan't working.

################################################################ ## Snipp ####################################################### ################################################################ FW_DEV_INT="eth0" FW_DEV_DMZ="" FW_DEV_EXT="ppp0"

FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.101.0/24" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="no"

FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP=""

FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP=""

FW_SERVICES_EXT_TCP="ssh" FW_SERVICES_EXT_UDP="123" FW_SERVICES_EXT_IP=""

FW_TRUSTED_NETS="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

FW_SERVICE_AUTODETECT="no" FW_SERVICE_DNS="yes" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="yes" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="yes"

FW_FORWARD=""

FW_FORWARD_MASQ="0.0.0.0/0,192.168.101.129,tcp,60200:60209 \ 0.0.0.0/0,192.168.101.129,udp,60200:60209 \ 0.0.0.0/0,192.168.101.129,tcp,4662 \ 0.0.0.0/0,192.168.101.129,udp,4672"

FW_REDIRECT=""

FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no"

FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

FW_KERNEL_SECURITY="no" FW_STOP_KEEP_ROUTING_STATE="yes"

FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="yes" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_ALLOW_FW_BROADCAST="yes" FW_IGNORE_FW_BROADCAST="no" FW_ALLOW_CLASS_ROUTING="" FW_CUSTOMRULES="" FW_REJECT="yes" ################################################################ ## Snapp ####################################################### ################################################################

...

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Hello again,

Check the route table of the Firewall machine and the VMware ? Can they ping each other ?

Yes, and the network(smb,http,...) is working.Please see my last message.

either start SuSefirewall with test parameter or define the FW_LOG so everything is logged ( the second option is secure if the machine is attached to Internet)

FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="yes"

Why? If the packet is accepted then it's ok. The counter's in PREROUTING/forward_ext increments permanently, so forwarding works but nothing goes realy out of eth0. I think, the INPUT/OUTPUT chain should't affected.

...

...

Have you defined the guest OS subnet somehere in the firewall configuration ie FW_MASQ_NETS or FW_TRUSTED_NET

Yes and the guest OS is in the same subnet and also on the same interface as the real test-pc. My config follows:

################################################################ ## Snipp ####################################################### ################################################################ FW_DEV_INT="eth0"

Not sure (since I have not played with VMware very much) idoes VMware machine have a NIC [wmnet] if so try adding that to FW_DEV_INT

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-----Original Message----- From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net] Sent: Friday, December 20, 2002 3:19 PM To: suse-security@suse.com Subject: Re: [suse-security] VMWare and SuSEfirewall2

* M. Neubert; on 20 Dec, 2002 wrote:

...

...

so everything is logged ( the second option is secure if the machine is attached to Internet)

FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="yes"

Why? If the packet is accepted then it's ok. The counter's in PREROUTING/forward_ext increments permanently, so forwarding works but nothing goes realy out of eth0. I think, the INPUT/OUTPUT chain should't affected.

My initial thought was to see if the packet is passing thru the chains since you mention ping is reachable and http samba works then I do not know.

I may have missed it have you tried to see the traffic via iptraf, tcpdump, ethereal etc. If not you may want to try one them. If you already did and they do not appear weird

I tried it and nothing appeared on eth0.

One thing with FW_SECURITY is if you enable it once AFAIK you can only bring to the initial stage by rebooting. That can be the cause.

Your "AFAIK" is correct but my AFAIK is, that only one kernel param can be a possible problem. This is ip_local_port_range="1024 29999". I don't know exactly which effects he has. The tcp/udp ports are in this range. Does the kernel only for this portrange forwarding/masquerading or will he not use this ports for forwarding/masq because they are reserved for local use? I think more/less that this parameter doesn't play any role. The Thread possibly becomes OT. Does somebody a good preferably SuSE referential place for this topic, or should we stay here, because it's somehow(SuSEfirewall) security related. Yours truly... Mit freundlichen Grüßen M. Neubert -- # Mario Neubert -- IT-Enterprise-Solutions # Obere Mühlenstr. 36, D-04178 Leipzig, Germany # Phone: +49 341 4422391, Fax: +49 341 44219870 # Internet: http://www.mario-neubert.de

-----Original Message----- From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net] Sent: Friday, December 20, 2002 5:37 PM To: suse-security@suse.com Subject: Re: [suse-security] VMWare and SuSEfirewall2

...

...

One thing with FW_SECURITY is if you enable it once AFAIK you can only bring to the initial stage by rebooting. That can be the cause.

Your "AFAIK" is correct but my AFAIK is, that only one kernel param can be a possible problem. This is ip_local_port_range="1024 29999". I don't know exactly which effects he has. The tcp/udp ports are in

...

Does the kernel only for this portrange forwarding/masquerading or will he not use this ports for forwarding/masq because they are reserved for local use? I think more/less that this parameter doesn't

* M. Neubert; on 20 Dec, 2002 wrote: this range. play any role.

http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html could be help

Approximately half hour ago I was here as I wanted to follow your hint :-)

The Thread possibly becomes OT. Does somebody a good preferably SuSE referential place for this topic, or should we stay here, because it's somehow(SuSEfirewall) security related.

My call would be keep it here as it is related to SuSEfirewall2 which

is

a security package

Exactly, that is also my opinion.

Sorry VMware and SuSEfirewall2 I haven't played but looks like I want

to

play :-)

Is that a challenge for you? ;-) Mit freundlichen Grüßen M. Neubert -- # Mario Neubert -- IT-Enterprise-Solutions # Obere Mühlenstr. 36, D-04178 Leipzig, Germany # Phone: +49 341 4422391, Fax: +49 341 44219870 # Internet: http://www.mario-neubert.de