Hi,

I have a connection problem when running Firewall2. I have the SuSE 7.2 distribution. I updated to kernel 2.4.16. I then downloaded Firewall2 as an RPM from the SuSE site and installed it. After that I deinstalled Firewall1 and Personal Firewall. Since I could not get a connection with the T-DSL line, I unloaded Firewall2 and let Firewall2 run in test mode. With a primitive iptables script (mainly IP forwarding and masquerading) I started the pppoed again and I get the following message in /var/log/firewall:

Mar 27 13:32:39 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=62.41.113.136 DST=217.1.132.119 LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=19021 DF PROTO=TCP SPT=80 DPT=1081 WINDOW=31900 RES=0x00 ACK URGP=0 OPT (0101080A032AB4AF00024C5E

(Actually, the above is all on one line.) I include my firewall2 config file below, where I basically tried to allow everything. Thank you for any help.

Thomas

firewall2 configuration file: 2 network cards on the Linux router. Local net is 192.168.10.xx

FW_DEV_EXT="ppp0 eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.10.0/24,0/0,tcp,1:65535 \
192.168.10.0/24,0/0,udp,1:65535"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="1:65535" # Common: smtp domain
FW_SERVICES_EXT_UDP="1:65535" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="1:65535" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="1:65535" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="0/0,0/0,tcp,1:65535 0/0,0/0,udp,1:65535"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INTERNET="yes"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#
#
# EXPERT OPTIONS - all others please don't change these! #
#
#
#-------------------------------------------------------------------------#
#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
Hi Thomas,
Since I could not get a connection with the T-DSL line
[ T-DSL = ADSL/pppoe ]
I unloaded Firewall2 and let Firewall2 run in test mode. With a primitive IPTables script (mainly ipforwarding and masquerading) i started the pppoed again and I get the following message from the /var/log/firewall.
Umm, I don't quite understand you, are you using _both_ Firewall2 and a "primitive IPTables script", or do you use the term "primitive..." for your config file below?
Mar 27 13:32:39 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=62.41.113.136 DST=217.1.132.119 LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=19021 DF PROTO=TCP SPT=80 DPT=1081 WINDOW=31900 RES=0x00 ACK URGP=0 OPT (0101080A032AB4AF00024C5E
This means someone tries to connect to your computer's web server, FYI.
FW_DEV_EXT="ppp0 eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.10.0/24,0/0,tcp,1:65535 \ 192.168.10.0/24,0/0,udp,1:65535"
FW_MASQ_NETS="192.168.10.0"
This should accomplish the same.
FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="no"
This variable tells the firewall to protect _your_ services from outside computers, e.g. to stop outsiders from accessing your samba shares, web server etc.
FW_SERVICES_EXT_TCP="1:65535" # Common: smtp domain
State only those things you want to give to other people from the internet. For example if you have a web server running and a ssh daemon you want to be accessible from the world, put "ssh, http" here.
FW_SERVICES_EXT_UDP="1:65535" # Common: domain
See FW_SERVICES_EXT_TCP.
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="1:65535" #Common: ssh smtp domain
Comments from above apply, now from your internal network
FW_SERVICES_INT_UDP="1:65535" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="0/0,0/0,tcp,1:65535 0/0,0/0,udp,1:65535"
No. This doesn't make sense, as your network is masqueraded. Note, this option is to allow _other_ people access to computers in _your_ network.
FW_FORWARD_MASQ=""
Same as above, this one for masqueraded computers.
FW_KERNEL_SECURITY="yes"
While testing, you might want to set this to "no" until everything works.

Robert
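The log lines in this thread all share one format: a SuSE-FW-* prefix naming the rule that fired, then key=value fields, then any TCP flags as bare words. Reading them by hand is error-prone (IN=ppp0 OUT= with SPT=80 and ACK is a different situation from IN=ppp0 with SYN), so here is a small POSIX shell parser, added as an example and not part of the original thread, that classifies each line by direction (addressed to the router, sent by the router, or forwarded) and, for TCP, by whether it opens a connection or belongs to an existing one. The sample lines are copied from the messages in this thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: a parser for the SuSE-FW kernel log
# format quoted above. Function names are this example's own.

# fw_field LINE KEY -> value of "KEY=value" in LINE, empty if the key is absent
# or has no value (the log prints "OUT=" and "MAC=" with empty values).
fw_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# fw_rule LINE -> the SuSE-FW-* token naming the rule that logged the packet
fw_rule() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n '/^SuSE-FW-/{p;q;}'
}

# fw_has_flag LINE FLAG -> true if a bare TCP flag token (SYN, ACK, FIN, RST, ...)
# appears in the line. Flags are printed as bare words, not as KEY=value.
fw_has_flag() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# fw_classify LINE -> DIRECTION-KIND, e.g. forward-new or inbound-reply
fw_classify() {
    _line=$1
    _in=$(fw_field "$_line" IN)
    _out=$(fw_field "$_line" OUT)
    _proto=$(fw_field "$_line" PROTO)
    if [ -n "$_in" ] && [ -n "$_out" ]; then
        _dir=forward            # routed between two interfaces
    elif [ -n "$_in" ]; then
        _dir=inbound            # addressed to the router itself
    elif [ -n "$_out" ]; then
        _dir=outbound           # generated by the router itself
    else
        _dir=unknown
    fi
    case $_proto in
    TCP)
        if fw_has_flag "$_line" SYN && ! fw_has_flag "$_line" ACK; then
            _kind=new           # first packet of a connection attempt
        elif fw_has_flag "$_line" ACK; then
            _kind=reply         # belongs to a connection that already exists
        else
            _kind=other
        fi
        ;;
    *)
        _kind=stateless         # UDP and ICMP lines carry no handshake flags
        ;;
    esac
    printf '%s-%s\n' "$_dir" "$_kind"
}

# fw_summary LINE -> one readable line: rule, classification, endpoints
fw_summary() {
    printf '%s %s %s %s:%s -> %s:%s\n' \
        "$(fw_rule "$1")" "$(fw_classify "$1")" "$(fw_field "$1" PROTO)" \
        "$(fw_field "$1" SRC)" "$(fw_field "$1" SPT)" \
        "$(fw_field "$1" DST)" "$(fw_field "$1" DPT)"
}

# Sample lines copied from the thread (trailing OPT fields dropped).
SAMPLE_TARGET='Mar 27 13:32:39 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=62.41.113.136 DST=217.1.132.119 LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=19021 DF PROTO=TCP SPT=80 DPT=1081 WINDOW=31900 RES=0x00 ACK URGP=0'
SAMPLE_FORWARD='Mar 28 15:36:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=ppp0 SRC=192.168.159.11 DST=207.46.28.116 LEN=48 TOS=0x08 PREC=0x00 TTL=127 ID=30798 DF PROTO=TCP SPT=3995 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0'
SAMPLE_DNS='Mar 28 15:35:47 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=80.131.55.127 LEN=533 TOS=0x00 PREC=0x00 TTL=56 ID=8252 PROTO=UDP SPT=53 DPT=1027 LEN=513'
SAMPLE_ROUTING='Mar 28 21:35:12 linux kernel: SuSE-FW-UNALLOWED-ROUTING IN=ppp0 OUT=eth1 SRC=207.46.28.116 DST=192.168.159.11 LEN=40 TOS=0x08 PREC=0x00 TTL=52 ID=10637 DF PROTO=TCP SPT=80 DPT=4022 WINDOW=17400 RES=0x00 ACK URGP=0'
SAMPLE_SYN='Mar 28 21:35:21 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=80.135.123.51 DST=217.89.17.95 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=7443 DF PROTO=TCP SPT=3413 DPT=1214 WINDOW=45680 RES=0x00 SYN URGP=0'

for l in "$SAMPLE_TARGET" "$SAMPLE_FORWARD" "$SAMPLE_DNS" "$SAMPLE_ROUTING" "$SAMPLE_SYN"; do
    fw_summary "$l"
done
```

Run as sh fwlog.sh to print one summary per sample line; for a live log, feed each line of /var/log/firewall to fw_summary. The direction comes from which of IN and OUT are set, the kind from the bare flag tokens, so a SYN-only line is a connection attempt whoever is on port 80, and an ACK-only line with SPT=80 belongs to a connection somebody already opened.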
Dear Robert, Hello All
I am not running 2 firewalls. Firewall2 is disabled,
but can run in a test mode. While running in test mode
no packet filters are applied, but the packets which
would be stopped are logged into /var/log/firewall.
For reference again: I have updated to Kernel 2.4.16
from Suse 7.2 distribution. I have installed the
firewall2 and subsequently uninstalled firewall1 and
personal firewall.
I applied your comments (Robert comments) to my
firewall configuration file.
Unfortunately it did not work. I still get the same
message which I am printing to your reference again.
This message is logged when I try to access the internet (external) via a PC on the LAN (mine, trusted).
Mar 28 15:36:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=ppp0 SRC=192.168.159.11 DST=207.46.28.116 LEN=48 TOS=0x08 PREC=0x00 TTL=127 ID=30798 DF PROTO=TCP SPT=3995 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405AA01010402)
This message is logged when I try to access the
Internet (external) from the router itself.
Mar 28 15:35:47 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=80.131.55.127 LEN=533 TOS=0x00 PREC=0x00 TTL=56 ID=8252 PROTO=UDP SPT=53 DPT=1027 LEN=513
Mar 28 15:35:52 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=194.25.2.129 DST=80.131.55.127 LEN=533 TOS=0x00 PREC=0x00 TTL=250 ID=50647 DF PROTO=UDP SPT=53 DPT=1028 LEN=513
The difference between those lines is just the IP.
I am including my firewall2 configuration file again.
Please apply any changes directly with the changed
command line or just change the command line.
Thank you very much
Greetings Thomas
PS: I am not sure about the external devices. I have one external card, which is eth0. But I tried this setting with just eth0 too and it did not work. That is why I put ppp0 in as well.
I have not updated the pppoed which came with the 7.2 distribution of SuSE (kernel 2.4.4). Maybe there is a compatibility issue between the new kernel 2.4.16 and the iptables for kernel 2.4.4 (just a guess).
The same applies to the pppoed, but that should not interfere with packet filtering, and the line works!
Firewall2 configuration file: Please apply any changes directly or just copy the line and change it to the correct value. Thank you very much....:-))
FW_DEV_EXT="ppp0 eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.159.0"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh http" # Common: smtp domain
FW_SERVICES_EXT_UDP="ssh http" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="ssh http" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INTERNET="yes"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#
#
# EXPERT OPTIONS - all others please don't change these! #
#
#
#-------------------------------------------------------------------------#
#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Hi Peter,

Ps: I am not sure about the external devices. I have one external card which is eth0. But I tried this setting with just eth0 too and it did not work. That is why I did put ppp0 as well.

Your external device is ppp0. You may leave eth0 out.

FW_DEV_EXT="ppp0"
FW_MASQ_NETS="192.168.159.0/24"

as Thorsten Preuss has already noted in another mail. Sorry, I've been asleep here.. He's also right about not needing the IP_FORWARD variable in /etc/rc.config anymore. Sorry for the confusion.. Thanks Thorsten, for setting me right.

NB: Those entries below were _examples_. You have to insert those services you have running _on_ your firewall. Add only those services you want to be accessible from outside *EXT* or from inside *INT* your network. For example, I have some installations using the following entries:

FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50"
FW_SERVICES_INT_TCP="ssh"

This means I want ssh access to the firewall from the outside as well as the inside (entry ssh). Furthermore, this machine is the entry to a VPN (virtual private network): UDP port 500 is used for key exchange and IP protocol 50 is used to transport the encrypted packets.

Leave those fields empty if you don't have any services running on the firewall (I'd recommend at least "ssh" in FW_SERVICES_INT_TCP --- you might want to do some configuring from another computer in your network. Saves the monitor for the firewall :)

Robert

FW_SERVICES_EXT_TCP="ssh http" # Common: smtp domain
FW_SERVICES_EXT_UDP="ssh http" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="ssh http" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
Hello
First, thanks a lot for all the answers.
Unfortunately it does not work yet and sincerely I
have no clue anymore why it should not work.
Anyway again all the data and the new modified
configuration file for the firewall2. I also will
print the messages I get in the logfile
/var/log/firewall when running the firewall2 in test
mode.
Kernel 2.4.16 (updated from 2.4.4, Suse 7.2)
Firewall2 installed, then firewall1 and personal
firewall uninstalled.
One question at this point. Do I need personal
firewall installed?
Or can it be that I have not the correct rights for
some files?
external card on eth0 - 192.168.0.1/255.255.255.255
internal card on eth1 - 192.168.159.0/24
Firewall2 configuration file: If you find something wrong, could you please correct the corresponding line....
After this you will find the messages again which I
get when trying to connect to the internet (just plain
www)
FW_DEV_EXT="ppp0" # <-- is that right? Well, with eth0 it did not work either.....
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.159.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh" # Common: smtp domain
FW_SERVICES_EXT_UDP="" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" #Common: ssh smtp domain
FW_SERVICES_INT_UDP="" #Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INTERNET="yes"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#
#
# EXPERT OPTIONS - all others please don't change these! #
#
#
#-------------------------------------------------------------------------#
#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
Well, now the messages: one for trying to connect from a machine on the LAN (trusted, local) and one for trying to connect from my Linux router to the internet.
Mar 28 21:35:12 linux kernel: SuSE-FW-UNALLOWED-ROUTING IN=ppp0 OUT=eth1 SRC=207.46.28.116 DST=192.168.159.11 LEN=40 TOS=0x08 PREC=0x00 TTL=52 ID=10637 DF PROTO=TCP SPT=80 DPT=4022 WINDOW=17400 RES=0x00 ACK URGP=0
Mar 28 21:35:21 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=80.135.123.51 DST=217.89.17.95 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=7443 DF PROTO=TCP SPT=3413 DPT=1214 WINDOW=45680 RES=0x00 SYN URGP=0 OPT (020405AC0103030301010402)
Thank you for your help
Greeting Thomas
* Monica Peter;
FW_SERVICES_DMZ_UDP="" # Common: domain FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!! # FW_SERVICES_INT_TCP="ssh http" #Common: ssh smtp
Are you running a web server on your firewall machine that you want to connect to? If not, remove http.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi Thomas,
One question at this point. Do I need personal firewall installed?
No.
Or can it be that I have not the correct rights for some files?
Yes.
external card on eth0 - 192.168.0.1/255.255.255.255 internal card on eth1 - 192.168.159.0/24
ppp0 as external device is ok. The "only" thing that's going over your eth0 are the pppoe packets. (That is the data to and from ppp0, encapsulated in ethernet packets.)

I couldn't find anything wrong with the firewall rules now, so.. let me think. One problem could be the "test" mode. Hmm, where do you start the firewall? It should be _after_ the connection has been established. If you haven't already altered the ip-up/-down scripts, do the following:

Open the file /etc/ppp/ip-up.local in an editor. If it does _not_ exist, put the following five lines in there:

#!/bin/sh
START_FW2="yes"
export START_FW2
/sbin/SuSEfirewall2 start
/sbin/ifconfig ppp0 mtu 1452

If it does exist, leave the first of those lines out and append the others at the end!

Now edit the file /etc/ppp/ip-down.local. If it does _not_ exist, put the following four lines there:

#!/bin/sh
START_FW2="yes"
export START_FW2
/sbin/SuSEfirewall2 stop

If the file does exist, leave the first line out and append the others at the end.

Try this and tell what happens..
Well now the messages: One for trying to connect from a machine on the LAN (trusted, local) and one messages for trying to connect from my Linux router to the internet.
Mar 28 21:35:12 linux kernel: SuSE-FW-UNALLOWED-ROUTING IN=ppp0 OUT=eth1 SRC=207.46.28.116 DST=192.168.159.11 LEN=40 TOS=0x08 PREC=0x00 TTL=52 ID=10637 DF PROTO=TCP SPT=80 DPT=4022 WINDOW=17400 RES=0x00 ACK URGP=0
This is strange. Perhaps the test mode doesn't allow routing.
Mar 28 21:35:21 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=80.135.123.51 DST=217.89.17.95 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=7443 DF PROTO=TCP SPT=3413 DPT=1214 WINDOW=45680 RES=0x00 SYN URGP=0 OPT (020405AC0103030301010402)
This is someone trying to connect to a kazaa server on your router. (DPT=1214)

Robert
* Robert Klein wrote on Thu, Mar 28, 2002 at 15:31 +0100:
FW_MASQ_NETS="192.168.10.0/24,0/0,tcp,1:65535 \ 192.168.10.0/24,0/0,udp,1:65535"
FW_MASQ_NETS="192.168.10.0"
This should accomplish the same.

Are you sure that the second rule won't masquerade all IP traffic, even if it isn't TCP nor UDP? In this case, this would masquerade (and by this, allow) IPSec and other IP protocols as well, which may not be desired (especially masquerading IPSec makes no sense, since it won't work at all).

Just BTW.

oki,
Steffen

--
This letter was produced by machine; it therefore bears neither signature nor seal.
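Three points in this thread belong together: Thomas mentions a "primitive iptables script (mainly IP forwarding and masquerading)", Robert recommends starting the firewall from /etc/ppp/ip-up.local once the link exists, and Steffen asks whether masquerading a bare network masquerades every IP protocol. The script below, added here as an example and not the thread's own code, renders a minimal ruleset for the router in this thread in the two shapes Steffen contrasts, so the difference can be counted before anything is applied, and wraps installation in a function meant to be called from ip-up.local. The interface names and the 192.168.159.0/24 LAN come from the thread; IPT, LAN_IF, EXT_IF, LAN_NET and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the thread's own script. Minimal forwarding/masquerading
# ruleset for the router in this thread: LAN 192.168.159.0/24 on eth1, PPPoE
# uplink ppp0. Variables and function names are this example's assumptions.

LAN_IF=${LAN_IF:-eth1}
EXT_IF=${EXT_IF:-ppp0}
LAN_NET=${LAN_NET:-192.168.159.0/24}
IPT=${IPT:-iptables}

# Rulesets are printed as "table chain arguments", one rule per line, so they
# can be reviewed or diffed before anything touches the kernel.

# The shape Steffen is worried about: one MASQUERADE rule with no protocol
# match rewrites every IP protocol, including ESP (50), which cannot be NATed.
masq_rules_all_ip() {
    cat <<EOF
filter FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -j ACCEPT
filter FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
nat POSTROUTING -o $EXT_IF -s $LAN_NET -j MASQUERADE
EOF
}

# The restricted shape: only TCP, UDP and ICMP from the LAN are forwarded and
# masqueraded, which is what the tcp/udp FW_MASQ_NETS entries spelled out.
masq_rules() {
    for proto in tcp udp icmp; do
        echo "filter FORWARD -i $LAN_IF -o $EXT_IF -s $LAN_NET -p $proto -j ACCEPT"
        echo "nat POSTROUTING -o $EXT_IF -s $LAN_NET -p $proto -j MASQUERADE"
    done
    # Replies come back through connection tracking; nothing else from the
    # uplink is forwarded into the LAN.
    echo "filter FORWARD -i $EXT_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# masq_protocol_gap RULESET -> number of MASQUERADE rules without a -p match,
# i.e. rules that NAT every IP protocol. 0 is what you want.
masq_protocol_gap() {
    "$1" | awk '/MASQUERADE/ && !/ -p / { n++ } END { print n + 0 }'
}

# render_commands RULESET -> the iptables invocations as text, with a
# default-deny FORWARD policy first. Nothing is executed.
render_commands() {
    echo "$IPT -P FORWARD DROP"
    echo "$IPT -F FORWARD"
    echo "$IPT -t nat -F POSTROUTING"
    "$1" | while read -r table chain args; do
        echo "$IPT -t $table -A $chain $args"
    done
}

# apply_ruleset RULESET -> enable forwarding (what FW_ROUTE="yes" does) and
# install the rules. Call this from /etc/ppp/ip-up.local, because ppp0 does
# not exist until pppd has brought the link up.
apply_ruleset() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    render_commands "$1" | sh -e
}

# Show what would be installed and how the two shapes differ.
render_commands masq_rules
echo "MASQUERADE rules without a protocol match: all-ip=$(masq_protocol_gap masq_rules_all_ip) restricted=$(masq_protocol_gap masq_rules)"
```

Running the script prints the restricted ruleset and the two counts (1 for the all-protocols shape, 0 for the restricted one). To install it for real, run apply_ruleset masq_rules as root after ppp0 is up, i.e. from ip-up.local, and drop the rules again from ip-down.local; on a 2.4 kernel the state match needs the ipt_state module, which iptables loads on first use.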
Participants (4):
- Monica Peter
- Robert Klein
- Steffen Dettmer
- Togan Muftuoglu