Hi All,

I use Apache, SSHD, BIND 8 and SuSEfirewall on SuSE 8.1 Pro, one network card.
When the firewall is down, nslookup translates all DNS queries well (forwarders are set correctly).
When the firewall starts, no query is translated (neither from the local database nor from the forwarded server).
In /var/log/messages there's NO record about dropping packets while running nslookup.
Please, how to set up BIND and SuSEfirewall to cooperate?
Thank you very much.

This is my /etc/sysconfig/SuSEfirewall2:
W_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="domain www https ssh"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="domain"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"

_______________________________________________________________
Marek Libra
Phone: +420 776 039 948
Email: xlibra@fi.muni.cz
Faculty of Informatics, Masaryk University
Brno, Czech Republic
_______________________________________________________________
Ditto, I have the same problem. I can't get ping yahoo.com to translate to a valid IP address. I get a 'network unreachable' error message. SSH can't connect either, and the DMZ'ed server can't be pinged from outside the border network. Using ping on the server I can ping the router and internal routers.

Where is documentation for the firewall located by its installation? Given the manual and information, I can read them for myself.

As a first step I would like to return the firewall 2 settings to the original settings in the 8.1 distribution. Next I would then like to try variations from that starting point. Does anyone know how to easily return to the original setup? Note I have been doing updates to the 8.1 system each month.

A comment about the mailing list. I noted that the reply-to address from the list is set to the senders. Would it not be a better idea to set it to be the list?

Marek Libra wrote:
Hi All,
I use Apache, SSHD, BIND 8 and SuSEfirewall on SuSE 8.1 Pro, one network card.
When the firewall is down, nslookup translates all DNS queries well (forwarders are set correctly).
When the firewall starts, no query is translated (neither from the local database nor from the forwarded server).
In /var/log/messages there's NO record about dropping packets while running nslookup.
Please, how to set up BIND and SuSEfirewall to cooperate?
Thank you very much.
This is my /etc/sysconfig/SuSEfirewall2:
W_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="domain www https ssh"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="domain"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"

_______________________________________________________________
Marek Libra
Phone: +420 776 039 948
Email: xlibra@fi.muni.cz
Faculty of Informatics, Masaryk University
Brno, Czech Republic
_______________________________________________________________
--
------------ Wolter Works - Always Innovating -------------
- Industry and Commerce Internet Invention -
Internet Marketing Product Concepts & Implementation
mailto:johnswolter@wolterworks.com
John Wolter, President
1531 Jones Drive
Ann Arbor, MI 48105-1871 USA
1-734-665-1263
Copyright 2003 John S. Wolter
Neither this information block, the typed name of the sender, nor anything else in this message is intended to constitute an electronic signature unless a specific statement to the contrary is included in this message.
The 03.10.17 at 09:17, John S. Wolter wrote:
Where is documentation for the firewall located by its installation? Given the manual and information, I can read them for myself.
SuSE Linux Administration Guide (paper, html, pdf...)
/usr/share/doc/packages/SuSEfirewall2/*
The comments in the configuration file are good info: /etc/sysconfig/SuSEfirewall2
And Mr Togan is writing a doc: I think it is somewhere in 'http://sourceforge.net/projects/susefaq'
A comment about the mailing list. I noted that the reply-to address from the list is set to the senders. Would it not be a better idea to set it to be the list?
No. This is explained in the faq and the confirmation email you received when you subscribed to the list. Read it :-)

For example, what would happen if somebody goes on vacation and starts bouncing back mail to the list? The bounces themselves would again bounce and generate another bounce... thousands of emails.

--
Cheers,
Carlos Robinson
The 03.10.17 at 13:43, Marek Libra wrote:
I use Apache, SSHD, BIND 8 and SuSEfirewall on SuSE 8.1 Pro, one network card.
Do you serve those services to the outside? If not, you can close them in the firewall.
When the firewall is down, nslookup translates all DNS queries well (forwarders are set correctly).
Do you intend DNS to serve outside queries (from the outside world to your machine)?
When the firewall starts, no query is translated (neither from the local database nor from the forwarded server).
Well, if it is supposed to query 'eth0', it wouldn't - I mean, not local. Start 'iptraf', watch all interfaces, and see traffic flow.
In /var/log/messages there's NO record about dropping packets while running nslookup.
They would show in the '/var/log/warn' if you enable them in the firewall - if they are in fact dropped.
FW_SERVICES_EXT_TCP="domain www https ssh"
FW_SERVICES_EXT_UDP="domain"
Are you serving https to the outside? And ssh?
FW_ALLOW_INCOMING_HIGHPORTS_TCP="domain"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain"
The firewall complains that highports should be open, but it works - unless you serve queries to the outside.
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
Correct.

--
Cheers,
Carlos Robinson
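A check script, added here and not part of any post in the thread, that parses a SuSEfirewall2-style sysconfig file and reports where its DNS-related keys differ from the values Carlos suggests above, and which externally opened TCP services deserve his "do you serve this outside?" question. The sample config is constructed from the keys Marek posted; the suggested values are taken from the thread as-is, and their exact semantics in SuSEfirewall2 are assumed, not verified here.

```shell
#!/bin/sh
# Constructed sample: the DNS-relevant keys from the posted config, written to a temp file.
FW_SAMPLE=$(mktemp)
cat > "$FW_SAMPLE" <<'EOF'
# comment lines are ignored by fw_get
FW_SERVICES_EXT_TCP="domain www https ssh"
FW_SERVICES_EXT_UDP="domain"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="domain"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_LOG_DROP_ALL="yes"
EOF

# fw_get FILE KEY: value of KEY in sysconfig KEY="value" syntax; the last assignment
# wins, and nothing is printed when the key is absent.
fw_get() {
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# fw_expect FILE KEY WANT: report and return 1 when KEY differs from WANT.
fw_expect() {
    have=$(fw_get "$1" "$2")
    [ "$have" = "$3" ] && return 0
    printf '%s: have "%s", thread suggests "%s"\n' "$2" "$have" "$3"
    return 1
}

# fw_dns_review FILE: compare the DNS-related keys with Carlos's suggestions and
# return how many differ (0 means they already match).
fw_dns_review() {
    n=0
    # Explicit DNS service instead of autodetection.
    fw_expect "$1" FW_SERVICE_AUTODETECT no || n=$((n+1))
    fw_expect "$1" FW_SERVICE_DNS yes || n=$((n+1))
    # Replies from remote name servers to BIND's high UDP ports, rather than
    # every high UDP port ("yes"); TCP high ports only for ftp-data (assumed meaning).
    fw_expect "$1" FW_ALLOW_INCOMING_HIGHPORTS_UDP "DNS domain" || n=$((n+1))
    fw_expect "$1" FW_ALLOW_INCOMING_HIGHPORTS_TCP ftp-data || n=$((n+1))
    # Keep drop logging on, or a blocked query leaves no trace in /var/log/warn.
    fw_expect "$1" FW_LOG_DROP_ALL yes || n=$((n+1))
    # Carlos's question for each externally opened TCP service other than DNS.
    for svc in $(fw_get "$1" FW_SERVICES_EXT_TCP); do
        [ "$svc" = domain ] || printf 'review: %s is open on FW_DEV_EXT; close it if not served outside\n' "$svc"
    done
    return $n
}

fw_dns_review "$FW_SAMPLE" || echo "$? setting(s) differ from the thread's advice"
```

On the sample it reports three differing settings (autodetection, and both high-port keys) and three services to review (www, https, ssh).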