Hello list,

I require a little bit of your help. My router/gateway runs with SuSE 8.1 Professional. I installed VMware from CD. The VMware guest system is W2K Pro, and within this, Overnet/eMule is installed. My router has two network cards, one for LAN, one for DSL. My home network is masqueraded/protected through the router and SuSEfirewall. The respective TCP/UDP port is forwarded to the guest system. The NICs of the guest system are bridged to eth0, the internal NIC.

I think that all should work, but it doesn't! Overnet/eMule says "Firewalled." I tried everything and I am almost desperate. I have tried to dump the network traffic on the ports on the internal NIC, but nothing happened. Lastly, I got the idea that I might be too stupid to install a firewall with masquerading. And so I tested the W2K environment on a real computer. Well, I am not so stupid! All is working fine.

Is this a problem with the modules from the VMware network system, or did I overlook something in SuSEfirewall2? Does the traffic for VMware go through pre/postrouting?

Before I install a VPN/PPTP solution (which is my next idea) between host and guest system and retest everything again, I would like to ask the list for some help or some ideas.

Therefore many thanks and happy Christmas!

Kind regards
M. Neubert
--
# Mario Neubert -- IT-Enterprise-Solutions
# Obere Mühlenstr. 36, D-04178 Leipzig, Germany
# Phone: +49 341 4422391, Fax: +49 341 44219870
# Internet: http://www.mario-neubert.de
* M. Neubert;
What do the logs say? They should be telling you why SuSEfirewall is not letting the traffic through. Have you defined the guest OS subnet somewhere in the firewall configuration, i.e. FW_MASQ_NETS or FW_TRUSTED_NET?
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hello Togan, hello List,
What do the logs say? They should be telling you why SuSEfirewall is not letting the traffic through.
The logs say nothing (nothing was dropped, rejected, etc.).
Have you defined the guest OS subnet somewhere in the firewall configuration, i.e. FW_MASQ_NETS or FW_TRUSTED_NET?
Yes, and the guest OS is in the same subnet and also on the same interface as the real test PC. My config follows:

## Snipp ##
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_DEV_EXT="ppp0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.101.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="123"
FW_SERVICES_EXT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ="0.0.0.0/0,192.168.101.129,tcp,60200:60209 \
                 0.0.0.0/0,192.168.101.129,udp,60200:60209 \
                 0.0.0.0/0,192.168.101.129,tcp,4662 \
                 0.0.0.0/0,192.168.101.129,udp,4672"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT="yes"
## Snapp ##
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
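As an added illustration, not part of the thread, the following Python script parses the FW_FORWARD_MASQ entries from a config excerpt like the one above, renders the equivalent netfilter DNAT/FORWARD rules (a constructed equivalent, not the chains SuSEfirewall2 itself builds), and checks every forwarding target against FW_MASQ_NETS, which is the point Togan asks about. The config text is a constructed excerpt of the posted settings.

```python
import ipaddress
import re

# Constructed excerpt of the SuSEfirewall2 settings posted in the thread.
SAMPLE_CONFIG = r'''
FW_DEV_EXT="ppp0"
FW_MASQ_NETS="192.168.101.0/24"
FW_FORWARD_MASQ="0.0.0.0/0,192.168.101.129,tcp,60200:60209 \
0.0.0.0/0,192.168.101.129,udp,60200:60209 \
0.0.0.0/0,192.168.101.129,tcp,4662 \
0.0.0.0/0,192.168.101.129,udp,4672"
'''

def parse_config(text):
    """Collect FW_*="value" settings; backslash-newline continuations are joined first."""
    joined = text.replace("\\\n", " ")
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r'^(FW_[A-Z_]+)="([^"]*)"', joined, re.M)}

def parse_forward_masq(value):
    """One entry per whitespace-separated item: source_net,target_ip,proto,port[:port][,target_port]."""
    entries = []
    for item in value.split():
        fields = item.split(",")
        if len(fields) < 4:
            raise ValueError("malformed FW_FORWARD_MASQ entry: %r" % item)
        src, dst, proto, ports = fields[:4]
        target_port = fields[4] if len(fields) > 4 else ports
        entries.append({"src": src, "dst": dst, "proto": proto,
                        "ports": ports, "target_port": target_port})
    return entries

def to_iptables(conf):
    """Equivalent netfilter rules (constructed here; SuSEfirewall2 builds its own chains)."""
    ext = conf["FW_DEV_EXT"]
    rules = []
    for e in parse_forward_masq(conf["FW_FORWARD_MASQ"]):
        # DNAT keeps the original port unless a different target port was given.
        to = e["dst"]
        if e["target_port"] != e["ports"]:
            to = "%s:%s" % (e["dst"], e["target_port"].replace(":", "-"))
        rules.append("iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s "
                     "-j DNAT --to-destination %s" % (ext, e["src"], e["proto"], e["ports"], to))
        rules.append("iptables -A FORWARD -i %s -d %s -p %s --dport %s -j ACCEPT"
                     % (ext, e["dst"], e["proto"], e["target_port"]))
    return rules

def check_targets(conf):
    """Return DNAT targets that lie outside FW_MASQ_NETS (they would never be masqueraded)."""
    nets = [ipaddress.ip_network(n.split(",")[0])
            for n in conf.get("FW_MASQ_NETS", "").split()]
    return [e["dst"] for e in parse_forward_masq(conf["FW_FORWARD_MASQ"])
            if not any(ipaddress.ip_address(e["dst"]) in n for n in nets)]

if __name__ == "__main__":
    conf = parse_config(SAMPLE_CONFIG)
    print("\n".join(to_iptables(conf)))
    print("targets outside FW_MASQ_NETS:", check_targets(conf) or "none")
```

Comparing the printed rules with `iptables -t nat -L PREROUTING -v -n` on the gateway shows whether the DNAT counters (the ones mentioned later in the thread) belong to the entries you expect.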
-----Original Message-----
From: M. Neubert [mailto:mario_neubert@gmx.de]
Sent: Friday, December 20, 2002 1:41 PM
To: 'Togan Muftuoglu'; suse-security@suse.com
Subject: RE: [suse-security] VMWare and SuSEfirewall2
Hello Togan, hello List,
I forgot to say that the network in the guest OS, e.g. smb, http and so on, is working. Only the DNAT isn't working.
* M. Neubert;
The logs say nothing (nothing was dropped, rejected, etc.).
Check the route table of the firewall machine and the VMware? Can they ping each other? Either start SuSEfirewall with the test parameter or define FW_LOG so everything is logged (the second option is secure if the machine is attached to the Internet):

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
Have you defined the guest OS subnet somewhere in the firewall configuration, i.e. FW_MASQ_NETS or FW_TRUSTED_NET?
Yes, and the guest OS is in the same subnet and also on the same interface as the real test PC. My config follows:
FW_DEV_INT="eth0"
Not sure (since I have not played with VMware very much): does the VMware machine have a NIC [vmnet]? If so, try adding that to FW_DEV_INT.
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hello again,
Check the route table of the firewall machine and the VMware? Can they ping each other?
Yes, and the network (smb, http, ...) is working. Please see my last message.
Either start SuSEfirewall with the test parameter or define FW_LOG so everything is logged (the second option is secure if the machine is attached to the Internet):
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
Why? If the packet is accepted then it's OK. The counters in PREROUTING/forward_ext increment permanently, so forwarding works, but nothing really goes out of eth0. I think the INPUT/OUTPUT chains shouldn't be affected.
* M. Neubert;
so everything is logged (the second option is secure if the machine is attached to the Internet):
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
Why? If the packet is accepted then it's OK. The counters in PREROUTING/forward_ext increment permanently, so forwarding works, but nothing really goes out of eth0. I think the INPUT/OUTPUT chains shouldn't be affected.
My initial thought was to see if the packet is passing through the chains. Since you mention ping is reachable and http and samba work, then I do not know. I may have missed it: have you tried to see the traffic via iptraf, tcpdump, ethereal etc.? If not, you may want to try one of them. If you already did and they do not appear weird...

One thing with FW_SECURITY is, if you enable it once, AFAIK you can only bring it back to the initial stage by rebooting. That can be the cause.
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
-----Original Message-----
From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]
Sent: Friday, December 20, 2002 3:19 PM
To: suse-security@suse.com
Subject: Re: [suse-security] VMWare and SuSEfirewall2
I may have missed it: have you tried to see the traffic via iptraf, tcpdump, ethereal etc.? If not, you may want to try one of them. If you already did and they do not appear weird...
I tried it and nothing appeared on eth0.
One thing with FW_SECURITY is, if you enable it once, AFAIK you can only bring it back to the initial stage by rebooting. That can be the cause.
Your "AFAIK" is correct, but my AFAIK is that only one kernel param can be a possible problem. This is ip_local_port_range="1024 29999". I don't know exactly which effects it has. The tcp/udp ports are in this range. Does the kernel do forwarding/masquerading only for this port range, or will it not use these ports for forwarding/masq because they are reserved for local use? I think, more or less, that this parameter doesn't play any role.

The thread possibly becomes OT. Does somebody know a good, preferably SuSE, reference place for this topic, or should we stay here, because it's somehow (SuSEfirewall) security related?

Yours truly...

Kind regards
M. Neubert
--
# Mario Neubert -- IT-Enterprise-Solutions
# Obere Mühlenstr. 36, D-04178 Leipzig, Germany
# Phone: +49 341 4422391, Fax: +49 341 44219870
# Internet: http://www.mario-neubert.de
* M. Neubert;
Your "AFAIK" is correct, but my AFAIK is that only one kernel param can be a possible problem. This is ip_local_port_range="1024 29999". I don't know exactly which effects it has. The tcp/udp ports are in this range. Does the kernel do forwarding/masquerading only for this port range, or will it not use these ports for forwarding/masq because they are reserved for local use? I think, more or less, that this parameter doesn't play any role.
http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html could be of help.
The thread possibly becomes OT. Does somebody know a good, preferably SuSE, reference place for this topic, or should we stay here, because it's somehow (SuSEfirewall) security related?
My call would be to keep it here, as it is related to SuSEfirewall2, which is a security package. Sorry, VMware and SuSEfirewall2 I haven't played with, but it looks like I want to play :-)
--
Togan Muftuoglu
-----Original Message-----
From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]
Sent: Friday, December 20, 2002 5:37 PM
To: suse-security@suse.com
Subject: Re: [suse-security] VMWare and SuSEfirewall2
http://ipsysctl-tutorial.frozentux.net/chunkyhtml/index.html could be of help.
Approximately half an hour ago I was here, as I wanted to follow your hint :-)
My call would be to keep it here, as it is related to SuSEfirewall2, which is a security package.
Exactly, that is also my opinion.
Sorry, VMware and SuSEfirewall2 I haven't played with, but it looks like I want to play :-)
Is that a challenge for you? ;-)

Kind regards
M. Neubert
--
# Mario Neubert -- IT-Enterprise-Solutions
# Obere Mühlenstr. 36, D-04178 Leipzig, Germany
# Phone: +49 341 4422391, Fax: +49 341 44219870
# Internet: http://www.mario-neubert.de
* M. Neubert;
Is that a challenge for you? ;-)
Yes, when I have time I want to discover W2K.

PS: Please drop me from the CC, as the mailing list message is arriving.
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx