Weird Susefirewall2 problem, some http hosts don't work - timeout on server, without firewall everything OK???
Hello, This is my first message here, so excuse my bad English. First of all, we have a little network here, 192.168.x.x static IP addresses. That's not a problem, I configured Susefirewall2 to work with masquerading, and everything works fine except one thing. Some hosts don't answer to http requests. When I shut down the firewall, those hosts work. It's hosts on one provider, on IP addresses 217.26.64.x and 62.108.96.x. I get only (in Konqueror):

An error occured while loading http://xxx.xxx.net
Timeout on server
Timed out while waiting to connect to xxx.xxx.net

I suppose those servers send some ping or some other requests, and don't answer because of that. All other http requests go fine (for example google etc). I'll try to explain our network - it's on a cable connection, we have a real IP (seen in the headers of this e-mail), in the computer with the firewall are 2 network cards, one with the real IP and the other with the IP of the local network. I have this configuration in /etc/sysconfig/SuSEfirewall2 (for debugging I have opened some options), with real values changed to 'xxx':

---------------------------------------
FW_QUICKMODE="no"
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.xxx.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="ssh"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD_MASQ="xxx.xxx.xxx.xxx,192.168.xxx.xxx,tcp,xxx,xxx,xxx.xxx.xxx.xxx xxx.xxx.0.0/16,xxx.xxx.xxx.xxx,tcp,xxx,xxx,xxx.xxx.xxx.xxx"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="yes"
FW_REJECT="no"
All others not commented out have "" as value.
---------------------------------------

I use the DNS server from the provider, no DNS is configured, but it works fine (except for those few hosts). I have no possibility to work with traceroute and ping, because the provider blocks this kind of traffic, but because everything works when I stop the firewall, I suppose the problem is here, not with them. Any solution what to change to have those hosts work? If you have any other questions, please provide them.

P.S. In /var/log/warn I have something like this:

Oct 27 12:40:00 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:50:ba:ed:ee:55:00:30:b8:80:27:7e:08:00 SRC=217.26.64.130 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=29209 DF PROTO=TCP SPT=80 DPT=32891 WINDOW=32120 RES=0x00 ACK FIN URGP=0 OPT (0101080A019F312900116EF5)

And in /var/log/messages:

Oct 27 12:40:00 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:50:ba:ed:ee:55:00:30:b8:80:27:7e:08:00 SRC=217.26.64.130 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=29210 DF PROTO=TCP SPT=80 DPT=32890 WINDOW=32120 RES=0x00 ACK FIN URGP=0 OPT (0101080A019F312900116EF5)

-- Regards, Slavoljub Filipovic
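To read the SuSE-FW lines quoted above without eyeballing them, here is an added parser (not from the original post and not part of SuSEfirewall2) that splits the iptables LOG format into fields and tallies which TCP segments the firewall accepted or dropped, per remote host, port and flag set. It assumes the `SuSE-FW-<ACTION>` log prefix set by FW_LOG in the config above, and the sample input is the two quoted ACCEPT lines plus one constructed DROP line.

```python
import re
from collections import Counter

# Constructed sample log: the two SuSE-FW-ACCEPT lines quoted in the original post
# (DST was already masked there) plus one constructed DROP line (192.0.2.10 is a
# documentation address, not a host from the thread).
SAMPLE_LOG = """\
Oct 27 12:40:00 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:50:ba:ed:ee:55:00:30:b8:80:27:7e:08:00 SRC=217.26.64.130 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=29209 DF PROTO=TCP SPT=80 DPT=32891 WINDOW=32120 RES=0x00 ACK FIN URGP=0 OPT (0101080A019F312900116EF5)
Oct 27 12:40:00 xxx kernel: SuSE-FW-ACCEPT IN=eth1 OUT= MAC=00:50:ba:ed:ee:55:00:30:b8:80:27:7e:08:00 SRC=217.26.64.130 DST=xxx.xxx.xxx.xxx LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=29210 DF PROTO=TCP SPT=80 DPT=32890 WINDOW=32120 RES=0x00 ACK FIN URGP=0 OPT (0101080A019F312900116EF5)
Oct 27 12:41:07 xxx kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:50:ba:ed:ee:55:00:30:b8:80:27:7e:08:00 SRC=192.0.2.10 DST=xxx.xxx.xxx.xxx LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=4321 DF PROTO=TCP SPT=2048 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"SuSE-FW-(?P<action>\S+) (?P<rest>.*)$"
)
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

def parse_fw_line(line):
    """Parse one SuSEfirewall2 (iptables LOG target) line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    rec = {"ts": m.group("ts"), "host": m.group("host"), "action": m.group("action")}
    # KEY=value tokens become lowercase keys (OUT= and MAC= may be empty);
    # bare tokens such as DF, ACK, FIN or OPT carry no '=' and are handled below.
    for tok in rest.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key.lower()] = val
    rec["flags"] = tuple(f for f in TCP_FLAGS if re.search(rf"\b{f}\b", rest))
    rec["df"] = re.search(r"\bDF\b", rest) is not None
    return rec

def summarize(log_text):
    """Count packets per (action, in-iface, src, proto, src port, tcp flags).
    Grouping by the remote port and flag set shows which segments of each TCP
    conversation the firewall logged (here only FIN/ACK replies from port 80)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is not None:
            counts[(rec["action"], rec.get("in"), rec.get("src"),
                    rec.get("proto"), rec.get("spt"), rec["flags"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
```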
Still no suggestions on my question? -- Regards, Slavoljub Filipovic
The 03.10.28 at 10:32, Slavoljub Filipovic wrote:
Still no suggestions on my question?
We can not even try to replicate your problem, as you removed all IP numbers and http addresses of the public web pages you try to access. I'm sorry, but my crystal ball is out for repairs. :-p -- Cheers, Carlos Robinson
We can not even try to replicate your problem, as you removed all IP numbers and http addresses of the public web pages you try to access. I'm sorry, but my crystal ball is out for repairs. :-p
Ok, sorry, I thought it's enough info - my mistake... I know no one has a crystal ball that works :) I'm trying to repair this problem with my cable internet provider, it seems that (after all) the problem is with some of their firewalls on routers. BTW. I forgot also to say - it's on Suse 8.1 Anyway, thanks for help (something like that, I appreciate it!) BTW. I didn't want to make big traffic to that provider, therefore I removed IP addresses (I left only one as you can see in the first message, part of /var/log...) -- Regards, Slavoljub Filipovic
The 03.10.28 at 14:17, Slavoljub Filipovic wrote:
We can not even try to replicate your problem, as you removed all IP numbers and http addresses of the public web pages you try to access. I'm sorry, but my crystal ball is out for repairs. :-p
Ok, sorry, I thought it's enough info - my mistake... I know no one has a crystal ball that works :)
Right, and it is a pity :-)
I'm trying to repair this problem with my cable internet provider, it seems that (after all) the problem is with some of their firewalls on routers.
Ah, that makes sense. Then I'll assume your problem is going to be solved.
BTW. I forgot also to say - it's on Suse 8.1
Anyway, thanks for help (something like that, I appreciate it!)
Welcome.
BTW. I didn't want to make big traffic to that provider, therefore I removed IP addresses (I left only one as you can see in the first message, part of /var/log...)
I understand; but you see, if you say that some web pages work, and some others don't, there is no way we can check if it is a general problem, or it is your problem only. The first thing that occurred to me was that there was something wrong with those servers. Next time, try a traceroute command, and perhaps you get more info about where you are reaching. Unless it is only some port that is being blocked, like 80. -- Cheers, Carlos Robinson