Mailinglist Archive: opensuse-security (547 mails)

Re: [suse-security] SuSEfirewall www-server inside the DMZ
  • From: Nix <suse@xxxxxxxxxxxxxxx>
  • Date: Thu, 23 Nov 2000 04:19:01 +1100
  • Message-id: <5.0.1.4.0.20001123041305.00a64300@xxxxxxxxxxxxxxxxxxxx>
This is possible using IPMASQADM to reverse masquerade the incoming http connections
(sort of like NAT on one port only).
Of course you could use one of the port redirectors like rinetd, but then your Apache logs
would show up as having all connections from your firewall. This is obviously NOT what you want.

Before you use ipmasqadm, make sure you have normal outbound masq working. If you don't, then it will
never work.
The setup of this is quite simple, and I have done almost exactly this on SuSE 6.4 for a client.
It was 6 months ago, and it's 4:15 am and I've just got back to my hotel after going clubbing/drinking
since 10pm, so email me back if this is unclear, or you can't figure this out from the docs...

Note: You will have to download ipmasqadm I think, or maybe it comes with SuSE... not sure...

Cheers

Nix

At 11:06 AM 22/11/2000 +0100, you wrote:
Hi, All :)

I hope somebody can help me with my configuration.


Following scenario:

public Internet
|
|
|
|
| eth0 - only one official Internet Address
| which is directly connected
| to the internet leased line modem.
|
<firewall> -- eth2 -- DMZ 192.168.0.0/24 ---------- <www.server 192.168.0.111>
|
| eth1 -- 192.168.30.0/24, 192.168.31.0/24 ...
|
|
|
<internal private networks>


I use the <firewall> to allow accessing the Internet
from the internal networks.

This part is functioning well :)

Now I would like to configure a www.server with a private IP number
which is reachable from the public Internet (only http should be allowed).

I can ping the www.server successfully from the firewall pc but I'm not
able to get an http: connection with Netscape. Also it's not possible
to get a connection from the public Internet.

My SuSE Firewall settings are:

FW_DEV_WORLD="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"

FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.30.0/24 192.168.31.0/24"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no"
FW_SERVICES_EXTERNAL_TCP="smtp domain nntp http"
FW_SERVICES_EXTERNAL_UDP="domain"
FW_SERVICES_DMZ_TCP="http"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_INTERNAL_TCP="smtp domain ftp http nntp"
FW_SERVICES_INTERNAL_UDP="domain"
FW_TRUSTED_NETS=""
FW_SERVICES_TRUSTED_TCP=""
FW_SERVICES_TRUSTED_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
FW_FORWARD_MASQ_TCP="0/0,192.168.0.111,80"
FW_FORWARD_MASQ_UDP=""
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"



This is the output from

tcpdump -i eth2

when trying to connect with Netscape to the www.server from the
firewall.pc


10:19:21.570488 arp who-has 192.168.0.111 tell firewall.pc
(0:10:5a:49:52:7)
10:19:21.570719 arp reply 192.168.0.111 is-at 0:50:fc:22:44:12
(0:10:5a:49:52:7)
10:19:21.570750 firewall.pc.rkb-oscs > 192.168.0.111.http: S
3675399427:3675399427(0) win 32120 <mss 1460,sackOK,timestamp 804153
0,nop,wscale 0> (DF)
10:19:21.571016 192.168.0.111.http > firewall.pc.rkb-oscs: S
3200249163:3200249163(0) ack 3675399428 win 17520 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
10:19:24.563563 firewall.pc.rkb-oscs > 192.168.0.111.http: S
3675399427:3675399427(0) win 32120 <mss 1460,sackOK,timestamp 804453
0,nop,wscale 0> (DF)
10:19:24.563823 192.168.0.111.http > firewall.pc.rkb-oscs: . 1:1(0) ack 1
win 17520 <nop,nop,timestamp 671854 804453> (DF)
10:19:24.806624 192.168.0.111.http > firewall.pc.rkb-oscs: S
3200249163:3200249163(0) ack 3675399428 win 17520 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)
10:19:30.563561 firewall.pc.rkb-oscs > 192.168.0.111.http: S
3675399427:3675399427(0) win 32120 <mss 1460,sackOK,timestamp 805053
0,nop,wscale 0> (DF)
10:19:30.563822 192.168.0.111.http > firewall.pc.rkb-oscs: . 1:1(0) ack 1
win 17520 <nop,nop,timestamp 671915 805053> (DF)
10:19:31.368814 192.168.0.111.http > firewall.pc.rkb-oscs: S
3200249163:3200249163(0) ack 3675399428 win 17520 <mss 1460,nop,wscale
0,nop,nop,timestamp 0 0,nop,nop,sackOK> (DF)



---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
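Editor's added example, not code from either poster: the ipmasqadm "reverse masquerade" Nix describes, written out as the commands a kernel 2.2 / ipchains firewall would need for the poster's DMZ web server. Assumptions: EXT_IP stands in for the firewall's single public address (the thread never gives it, so a documentation address is used); the DMZ host and port are the poster's 192.168.0.111:80; the ipchains input chain is traversed before the packet is de-masqueraded, so the accept rule must name the public address; and the web server's replies are re-masqueraded by a MASQ rule in the forward chain, which is the "normal outbound masq must work" precondition Nix states. By default the script only prints the commands; run it with the argument apply to execute them.

```shell
#!/bin/sh
# Added example (not from the thread): reverse-masquerade inbound HTTP to a
# DMZ web server with ipchains + ipmasqadm portfw (kernel 2.2 era).
# Assumptions: EXT_IP is the firewall's public address (not given in the
# thread, documentation address used); DMZ host/port are the poster's.
EXT_DEV="${EXT_DEV:-eth0}"
DMZ_DEV="${DMZ_DEV:-eth2}"
EXT_IP="${EXT_IP:-203.0.113.10}"       # assumption: replace with the real address
DMZ_HOST="${DMZ_HOST:-192.168.0.111}"
DMZ_PORT="${DMZ_PORT:-80}"
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands, 0 = execute them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Nix's precondition: normal outbound masquerading must already work.
# Succeeds when IP forwarding is on and the forward chain has a MASQ target.
outbound_masq_ok() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ] || return 1
    ipchains -L forward -n 2>/dev/null | grep -q MASQ
}

# The rules themselves:
#  - load the portfw masq helper (listed as "portfw" in FW_MASQ_MODULES);
#  - flush old port-forward entries, then map EXT_IP:80 -> DMZ_HOST:80;
#  - accept the inbound SYN on the external interface, addressed to the
#    PUBLIC address (the input chain runs before de-masquerading);
#  - masquerade the web server's replies on the way out so they leave with
#    the public address as source (the "outbound masq" Nix insists on).
portfw_rules() {
    run modprobe ip_masq_portfw
    run ipmasqadm portfw -f
    run ipmasqadm portfw -a -P tcp -L "$EXT_IP" "$DMZ_PORT" -R "$DMZ_HOST" "$DMZ_PORT"
    run ipchains -A input -i "$EXT_DEV" -p tcp -s 0/0 -d "$EXT_IP" "$DMZ_PORT" -j ACCEPT
    run ipchains -A forward -i "$EXT_DEV" -p tcp -s "$DMZ_HOST" "$DMZ_PORT" -j MASQ
}

# Number of commands the rule set contains (sanity check before applying).
rule_count() {
    ( DRY_RUN=1; portfw_rules ) | wc -l | tr -d ' '
}

case "${1:-}" in
    apply)
        outbound_masq_ok || { echo "outbound masquerading is not working; fix that first" >&2; exit 1; }
        DRY_RUN=0
        portfw_rules
        ;;
    "")
        portfw_rules
        ;;
esac
```

Set DMZ_PORT or DMZ_HOST in the environment to forward a different service; the rule set deliberately names the DMZ host and port on every line so nothing else in the DMZ becomes reachable from outside.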

