[opensuse] SuSE 11.2 SuSEfirewall2 Problems.... need help.
I have what I think is a pretty simple set up, but for some reason I just cannot get it to work properly.

                         eth1-----{uplink1}
                        ___|___
                       |  F/W  |
{masq intranet}-eth0---|_______|
                           |____eth2-----{uplink2}

Whenever I try to connect to services on eth1 or eth2 from the intranet my connection times out. I checked the var logs and found the following.

# tail -f /var/log/messages
Dec  2 10:45:37 linux-fw kernel: [65074.814640] martian source 68.***.192.234 from 192.168.1.14, on dev eth0
Dec  2 10:45:37 linux-fw kernel: [65074.814663] ll header: 00:c0:9f:19:da:3f:00:b0:d0:24:b5:8d:08:00

I've also copied my SuSEfirewall2 config. Any help would really be appreciated.

FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="apache2 apache2-ssl ejabberd sshd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ="apache2 ejabberd sshd"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="apache2 apache2-ssl ejabberd sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS="192.168.1.0/24,tcp,22"
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD="192.168.1.0/24,68.164.192.234,tcp,ssh"
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING="int"
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT="yes"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=""
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""

--
The general who advances without coveting fame and retreats without fearing disgrace, whose only thought is to protect his country and do good service for his sovereign, is the jewel of the kingdom. - Sun Tzu
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Wednesday, 2009-12-02 at 10:50 -0800, Rowan R. wrote:
I have what I think is a pretty simple set up, but for some reason I just cannot get it to work properly.
                         eth1-----{uplink1}
                        ___|___
                       |  F/W  |
{masq intranet}-eth0---|_______|
                           |____eth2-----{uplink2}
Whenever I try to connect to services on eth1 or eth2 from the intranet my connection times out. I checked the var logs and found the following.

# tail -f /var/log/messages
Dec  2 10:45:37 linux-fw kernel: [65074.814640] martian source 68.***.192.234 from 192.168.1.14, on dev eth0
Dec  2 10:45:37 linux-fw kernel: [65074.814663] ll header: 00:c0:9f:19:da:3f:00:b0:d0:24:b5:8d:08:00

I've also copied my SuSEfirewall2 config. Any help would really be appreciated.
Output of "route" and "ifconfig", please. You can replace your internet public address with a fake one, but then tell us so.

--
Cheers,
Carlos E. R.
Output of "route" and "ifconfig", please. You can replace your internet public address with a fake one, but then tell us so.
--
Cheers,
Carlos E. R.
Here you go.

ip route show
68.***.192.232/29 dev eth1  proto kernel  scope link  src 68.***.192.234
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.5
108.***.55.0/24 dev eth2  proto kernel  scope link  src 108.***.55.60
169.254.0.0/16 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
108.***.0.0/8 dev eth2  scope link  src 108.***.55.60
default via 108.0.55.1 dev eth2

linux-fw:~ # ip route show table T1
108.***.0.0/8 dev eth2  scope link  src 108.***.55.60
default via 108.***.55.1 dev eth2

linux-fw:~ # ip route show table T2
68.***.192.232/29 dev eth1  scope link  src 68.***.192.234
default via 68.***.192.233 dev eth1

linux-fw:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 00:C0:9F:19:DA:3F
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6789 errors:0 dropped:0 overruns:0 frame:0
          TX packets:175 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:586326 (572.5 Kb)  TX bytes:35546 (34.7 Kb)

eth1      Link encap:Ethernet  HWaddr 00:04:75:E6:73:9F
          inet addr:68.***.192.234  Bcast:68.***.192.239  Mask:255.255.255.248
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35835 errors:0 dropped:0 overruns:1 frame:0
          TX packets:4012 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4134721 (3.9 Mb)  TX bytes:614782 (600.3 Kb)
          Interrupt:25 Base address:0x4000

eth2      Link encap:Ethernet  HWaddr 00:10:4B:C6:0C:98
          inet addr:108.***.55.60  Bcast:108.***.55.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:9881 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10412 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1037144 (1012.8 Kb)  TX bytes:1601838 (1.5 Mb)
          Interrupt:28 Base address:0xec80

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9917 (9.6 Kb)  TX bytes:9917 (9.6 Kb)
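The kernel's "martian source A from B, on dev X" line reads as destination A, source B, arriving on X, and it is emitted by the reverse-path filter (rp_filter) when routing the would-be reply (source and destination swapped, through the same ip rules and tables) does not lead back out of X. The script below is an added example, not from the thread, that parses the posted log line and replays that check against tables modelled on the ip route output above. Two assumptions are labelled in the code: the masked octets are filled with 0, and the policy rules (the post shows tables T1/T2 but not ip rule show) are guessed as the usual per-uplink source rules. The point is to show how a multihomed rule set can make a perfectly ordinary LAN source look martian; whether that is what is happening on this box can only be confirmed by looking at ip rule show and the rp_filter sysctls on the firewall itself.

```python
import ipaddress
import re

# Constructed sample: the kernel line from the post, with the masked octet
# filled by an ASSUMED value (the real address is masked as 68.***.192.234).
MARTIAN_LINE = ("Dec  2 10:45:37 linux-fw kernel: [65074.814640] martian source "
                "68.0.192.234 from 192.168.1.14, on dev eth0")

# Kernel format: "martian source <daddr> from <saddr>, on dev <iif>".
MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")


def parse_martian(line):
    """Return {'daddr', 'saddr', 'iif'} for a martian-source log line, else None."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    daddr, saddr, iif = m.groups()
    return {"daddr": ipaddress.ip_address(daddr),
            "saddr": ipaddress.ip_address(saddr),
            "iif": iif}


# Routing tables modelled on the post's `ip route show` output; masked octets
# are ASSUMED to be 0. Each entry is (prefix, outgoing device).
TABLES = {
    "main": [("68.0.192.232/29", "eth1"), ("192.168.1.0/24", "eth0"),
             ("108.0.55.0/24", "eth2"), ("169.254.0.0/16", "eth0"),
             ("108.0.0.0/8", "eth2"), ("0.0.0.0/0", "eth2")],
    "T1": [("108.0.0.0/8", "eth2"), ("0.0.0.0/0", "eth2")],
    "T2": [("68.0.192.232/29", "eth1"), ("0.0.0.0/0", "eth1")],
}


def lookup(table, dst):
    """Longest-prefix match in one table; returns the device or None."""
    best = None
    for prefix, dev in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def route(rules, src, dst):
    """Policy routing: the first rule whose 'from' matches src selects a table;
    if that table has no route for dst, fall through to the next rule."""
    for from_prefix, table in rules:
        if src in ipaddress.ip_network(from_prefix):
            dev = lookup(table, dst)
            if dev is not None:
                return dev, table
    return None, None


def reverse_path_check(rules, event):
    """Strict rp_filter: route the reply (src/dst swapped) and require that it
    would leave via the interface the packet arrived on."""
    dev, table = route(rules, src=event["daddr"], dst=event["saddr"])
    return {"reverse_dev": dev, "table": table, "martian": dev != event["iif"]}


# Both rule sets are ASSUMED; the post does not include `ip rule show`.
RULES_PLAIN = [("0.0.0.0/0", "main")]
RULES_MULTIHOMED = [("108.0.55.60/32", "T1"),   # replies from the eth2 address
                    ("68.0.192.234/32", "T2"),  # replies from the eth1 address
                    ("0.0.0.0/0", "main")]

if __name__ == "__main__":
    ev = parse_martian(MARTIAN_LINE)
    for name, rules in (("main only", RULES_PLAIN), ("per-uplink", RULES_MULTIHOMED)):
        print(name, reverse_path_check(rules, ev))
```

With only the main table the reply to 192.168.1.14 goes out eth0, matching the arrival interface, so nothing is logged; with a rule that sends everything sourced from the eth1 address through T2, the reply routes out eth1 and strict rp_filter on eth0 drops the packet and logs it as martian. On the real box the things to inspect are ip rule show and the values of net.ipv4.conf.all.rp_filter and net.ipv4.conf.eth0.rp_filter (SuSEfirewall2's FW_KERNEL_SECURITY="yes" turns rp_filter on).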
participants (2)
- Carlos E. R.
- Rowan R.