[opensuse] Cannot access two internal nets with SuSeFirewall2
Hi all,

My server with Opensuse 11.0 has 3 network adapters, eth3 as external interface (public IP), eth0 (172.26.0.1) and eth2 (192.168.1.1) as internal. I am trying to link the two internal nets (172.26.x.x and 192.168.1.x) so users from both networks can use the printers in both nets.

My SuSeFirewall2 config is as follows:
- FW_DEV_EXT="any eth3"
- FW_DEV_INT="eth0 eth2"
- FW_ROUTE="yes"
- FW_MASQUERADE="yes"
- FW_MASQ_DEV="zone:ext zone:int"
- FW_MASQ_NETS="172.26.0.0/16,192.168.1.0/24 192.168.1.0/24,172.26.0.0/16 192.168.1.0/24 172.26.0.0/16"
- FW_PROTECT_FROM_INT="no"

From network 172.26.x.x I can ping up to eth2 but no further, and the same with network 192.168.2.x.

My Google searches have not shown any result. What do I miss in my configuration?

Thanks,
-- Louis

-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
wanakom@gmail.com wrote:
Hi all,
My server with Opensuse 11.0 has 3 network adapters, eth3 as external interface (public IP), eth0 (172.26.0.1) and eth2 (192.168.1.1) as internal.
I am trying to link the two internal nets (172.26.x.x and 192.168.1.x) so users from both networks can use the printers in both nets.
My SuSeFirewall2 config is as follows:
- FW_DEV_EXT="any eth3"
- FW_DEV_INT="eth0 eth2"
- FW_ROUTE="yes"
- FW_MASQUERADE="yes"
- FW_MASQ_DEV="zone:ext zone:int"
- FW_MASQ_NETS="172.26.0.0/16,192.168.1.0/24 192.168.1.0/24,172.26.0.0/16 192.168.1.0/24 172.26.0.0/16"
- FW_PROTECT_FROM_INT="no"
From network 172.26.x.x I can ping up to eth2 but no further, and the same with network 192.168.2.x

What about ssh? Can you ssh from one net to another?

My Google searches have not shown any result. What do I miss in my configuration?

Are you sure it's a firewall configuration? It could be the configuration of your print-server system. Many printing servers, by default, only allow printing from the network it is connected to. Just check it to make sure. If you are sure it is a firewall configuration, could you provide the firewall log right after a printing attempt? Also state which machine is printing to which machine.
Thanks,
-- Rui Santos http://www.ruisantos.com/ Veni, vidi, Linux!
Hi Rui

Rui Santos wrote:
same with network 192.168.2.x
What about ssh? Can you ssh from one net to another?

Nope. In fact, when I ping from a wxp machine, the answer is "Destination protocol unreachable".

My Google searches have not shown any result. What do I miss in my configuration?
Are you sure it's a firewall configuration? It could be the configuration of your print-server system. Many printing servers, by default, only allow printing from the network it is connected to. Just check it to make sure.

I cannot even ping machines or another server in the other network. No limitation has been set to the print-servers.

If you are sure it is a firewall configuration, could you provide the firewall log right after a printing attempt? Also state which machine is printing to which machine.
After sending a ping to the printer 172.26.6.10 from machine 192.168.1.14, the firewall log output is as follows:

Sep 3 11:15:32 ml110 kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.1.14 DST=172.26.6.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=32021 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14592

If I understand it, the firewall drops it because it stops the icmp protocol. But I specified FW_PROTECT_FROM_INT="no". Shall I specify what protocols are allowed in spite of no protection for "int"? If so, what variables shall I look for?
-- Louis
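As an added example (not from the thread and not part of SuSEfirewall2 itself), the following POSIX sh script parses the SFW2 log prefix and the netfilter fields of lines like the one quoted above, and flags exactly the case that log shows: a packet that entered on one FW_DEV_INT interface and was dropped by the forward chain on its way out another. The two sample lines are constructed; the first mirrors the thread's line, the second follows the same format but was not on the page.

```shell
#!/bin/sh
# Added example (not from the thread): parse SuSEfirewall2 kernel log lines and flag
# packets that entered on one FW_DEV_INT interface and were dropped on the way out another.

# Interfaces the thread's config declares as internal (FW_DEV_INT="eth0 eth2").
FW_DEV_INT='eth0 eth2'

# Constructed sample lines modelled on the one quoted in the thread; not real captures.
SAMPLE_FWD_DROP='Sep 3 11:15:32 ml110 kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.1.14 DST=172.26.6.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=32021 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14592'
SAMPLE_IN_DROP='Sep 3 11:16:01 ml110 kernel: SFW2-INext-DROP-DEFLT IN=eth3 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=4444 DPT=22'

# Print the value of the KEY=value field $2 in log line $1 (last occurrence), empty if absent.
sfw2_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Split the SFW2-<CHAIN><zone>-<ACTION>-<REASON> prefix into "CHAIN zone ACTION REASON".
sfw2_tag() {
    printf '%s\n' "$1" | sed -n 's/.*SFW2-\([A-Z]*\)\([a-z]*\)-\([A-Z]*\)-\([A-Za-z]*\).*/\1 \2 \3 \4/p'
}

# Return 0 if word $1 occurs in the space-separated list $2.
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# Diagnose one line. Prints "int-to-int-forward-drop IN OUT SRC DST PROTO" when a
# forwarded packet between two internal interfaces was dropped (the symptom in the
# thread), "CHAIN/zone/ACTION IN OUT SRC DST PROTO" for any other SFW2 line, or "not-sfw2".
sfw2_diagnose() {
    line=$1
    tag=$(sfw2_tag "$line")
    if [ -z "$tag" ]; then echo not-sfw2; return 0; fi
    set -- $tag   # $1 chain, $2 zone, $3 action, $4 reason
    in=$(sfw2_field "$line" IN); out=$(sfw2_field "$line" OUT)
    src=$(sfw2_field "$line" SRC); dst=$(sfw2_field "$line" DST)
    proto=$(sfw2_field "$line" PROTO)
    if [ "$1" = FWD ] && [ "$3" = DROP ] && in_list "$in" "$FW_DEV_INT" && in_list "$out" "$FW_DEV_INT"; then
        echo "int-to-int-forward-drop $in ${out:--} $src $dst $proto"
    else
        echo "$1/$2/$3 $in ${out:--} $src $dst $proto"
    fi
}

# Run the diagnosis over the constructed samples (feed /var/log/firewall lines the same way).
for l in "$SAMPLE_FWD_DROP" "$SAMPLE_IN_DROP"; do sfw2_diagnose "$l"; done
```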
wanakom@gmail.com wrote:
Hi Rui
Rui Santos wrote:
same with network 192.168.2.x
What about ssh ? Can you ssh from one net to another ?
Nope. In fact, when I ping from a wxp machine, the answer is "Destination protocol unreachable".
My Google searches have not shown any result. What do I miss in my configuration ?
Are you sure it's a firewall configuration? It could be the configuration of your print-server system. Many printing servers, by default, only allow printing from the network it is connected to. Just check it to make sure.

I cannot even ping machines or another server in the other network. No limitation has been set to the print-servers.

If you are sure it is a firewall configuration, could you provide the firewall log right after a printing attempt? Also state which machine is printing to which machine.
After sending a ping to the printer 172.26.6.10 from machine 192.168.1.14, the firewall log output is as follows:
Sep 3 11:15:32 ml110 kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.1.14 DST=172.26.6.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=32021 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14592

You are right. ping can have additional restrictions. Can you try with an ssh, ftp or telnet connection and provide the log?

If I understand it, the firewall drops it because it stops the icmp protocol. But I specified FW_PROTECT_FROM_INT="no". Shall I specify what protocols are allowed in spite of no protection for "int"? If so, what variables shall I look for?

I believe your FW_MASQ_DEV="zone:ext zone:int" setting is incorrect. You should not need any masquerade on "zone:int". Routing alone should take care of all communications between your internal/dmz nets.

Try the settings:
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
-- Rui Santos http://www.ruisantos.com/ Veni, vidi, Linux!
Rui Santos wrote:
I believe your FW_MASQ_DEV="zone:ext zone:int" setting is incorrect. You should not need any masquerade on "zone:int". Routing alone should take care of all communications between your internal/dmz nets.
Try the settings:
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"

After trying Herbert's solution, I still had to specify "zone:int". I guess routing alone will only work if no firewall was in between, isn't it?
-- Louis
wanakom@gmail.com wrote:
Rui Santos wrote:
I believe your FW_MASQ_DEV="zone:ext zone:int" setting is incorrect. You should not need any masquerade on "zone:int". Routing alone should take care of all communications between your internal/dmz nets.
Try the settings:
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
After trying Herbert's solution, I still had to specify "zone:int". I guess routing alone will only work if no firewall was in between, isn't it?

It appears I was wrong. Thanks for the feedback anyway :) Will remember it in the future... As I will Herbert's solution.
-- Rui Santos http://www.ruisantos.com/ Veni, vidi, Linux!
wanakom@gmail.com wrote:
My server with Opensuse 11.0 has 3 network adapters, eth3 as external interface (public IP), eth0 (172.26.0.1) and eth2 (192.168.1.1) as internal.
I am trying to link the two internal nets (172.26.x.x and 192.168.1.x) so users from both networks can use the printers in both nets.
My SuSeFirewall2 config is as follows:
- FW_DEV_EXT="any eth3"
- FW_DEV_INT="eth0 eth2"
- FW_ROUTE="yes"
- FW_MASQUERADE="yes"
- FW_MASQ_DEV="zone:ext zone:int"
- FW_MASQ_NETS="172.26.0.0/16,192.168.1.0/24 192.168.1.0/24,172.26.0.0/16 192.168.1.0/24 172.26.0.0/16"
- FW_PROTECT_FROM_INT="no"
From network 172.26.x.x I can ping up to eth2 but no further, and the same with network 192.168.2.x

You need the following option to link all subnets belonging to the same class together:
FW_ALLOW_CLASS_ROUTING="yes"

Cheers, Herbert
Herbert Graeber wrote:
wanakom@gmail.com wrote:
My server with Opensuse 11.0 has 3 network adapters, eth3 as external interface (public IP), eth0 (172.26.0.1) and eth2 (192.168.1.1) as internal.
I am trying to link the two internal nets (172.26.x.x and 192.168.1.x) so users from both networks can use the printers in both nets.
My SuSeFirewall2 config is as follows:
- FW_DEV_EXT="any eth3"
- FW_DEV_INT="eth0 eth2"
- FW_ROUTE="yes"
- FW_MASQUERADE="yes"
- FW_MASQ_DEV="zone:ext zone:int"
- FW_MASQ_NETS="172.26.0.0/16,192.168.1.0/24 192.168.1.0/24,172.26.0.0/16 192.168.1.0/24 172.26.0.0/16"
- FW_PROTECT_FROM_INT="no"
From network 172.26.x.x I can ping up to eth2 but no further, and the same with network 192.168.2.x
You need the following option to link all subnets belonging to the same class together:
FW_ALLOW_CLASS_ROUTING="yes"
Cheers, Herbert
Hi Herbert. Super. I have set the value to "int" and now everything is going smoothly. A full reading of the SuSeFirewall2 file is a must ;-) Thanks a lot.
-- Louis
participants (3): Herbert Graeber, Rui Santos, wanakom@gmail.com