* Nicolas Keller wrote on Sat, Jun 09, 2001 at 12:40 +0200:
> I hope this is the right mailing list (and language?) for this problem
Now, you missed that this is an English list. I'll translate some parts.
> I installed SuSE 7.2 the day before yesterday and had some trouble setting up a masquerading server under kernel 2.4. By now it runs satisfactorily, thanks to the SuSEfirewall2 script. Despite that I still have
| I've installed SuSE 7.2 and had problems setting up
| masquerading. Thanks to SuSEfirewall2 now it runs in a
| satisfying way.
> ******************* dmesg *********************
> eth1: NE2000 found at 0x340, using IRQ 5.
> PPP generic driver version 2.4.1
> SuSE-FW-UNALLOWED-ROUTINGIN=eth0 OUT=ppp0 SRC=194.127.177.80 DST=212.227.126.138 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32210 DF PROTO=TCP SPT=2256 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
I never used SuSEfirewall, but this looks just like a dropped packet because the source address is unexpected on eth0 (guessed).
> IPv6 v0.8 for NET4.0
> IPv6 over IPv4 tunneling driver
> Registered PPPoX v0.5
> Registered PPPoE v0.6.5
> Installing knfsd (copyright (C) 1996 okir@monad.swb.de).
> eth0: no IPv6 routers present
> eth1: no IPv6 routers present
> eth0: no IPv6 routers present
> eth1: no IPv6 routers present
This is quite normal since your ISP won't route IPv6 (please note the difference from IPv4, which is the protocol currently in "use").
> SuSE-FW-UNALLOWED-TARGETIN=ppp0 OUT= MAC= SRC=194.25.2.129 \
>   DST=217.84.122.54 LEN=132 TOS=0x00 PREC=0x00 TTL=60 \
>   ID=6059 PROTO=UDP SPT=53 DPT=1028 LEN=112
> SuSE-FW-UNALLOWED-TARGETIN=ppp0 OUT= MAC= SRC=217.5.115.7 \
>   DST=217.84.122.54 LEN=132 TOS=0x00 PREC=0x00 TTL=56 \
>   ID=1892 PROTO=UDP SPT=53 DPT=1027 LEN=112
> SuSE-FW-ACCEPTIN=ppp0 OUT= MAC= SRC=64.245.54.152 DST=217.84.122.54 \
>   LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=46764 DF PROTO=TCP SPT=3718 \
>   DPT=41178 WINDOW=32120 RES=0x00 SYN URGP=0 \
>   OPT (020405B40402080A06D425BB0000000001030300)
> SuSE-FW-ACCEPTIN=ppp0 OUT= MAC= SRC=64.245.54.123 DST=217.84.122.54 \
>   LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=45093 DF PROTO=TCP SPT=4397 \
>   DPT=41178 WINDOW=32120 RES=0x00 SYN URGP=0 \
>   OPT (020405B40402080A06E98CE30000000001030300)
> ******************* dmesg *********************
> 1. Why do I get SuSE-FW-UNALLOWED-ROUTINGIN, SuSE-FW-UNALLOWED-TARGETIN and SuSE-FW-ACCEPTIN messages? Is something wrong there?
| Why do I get that SuSE-FW-UNALLOWED-ROUTINGIN,
| SuSE-FW-UNALLOWED-TARGETIN and SuSE-FW-ACCEPTIN messages? Is
| there some misconfiguration?
> 2. How do I get rid of messages like "eth0: no IPv6 routers present"? Is it actually "bad" at all?
| Is the message "eth0: no IPv6 routers present" a problem?
No, in your case it's nothing to worry about.
> 3. I can't get a connection to my Apache server. Apparently the server cannot resolve the name.
| I don't get a connection to my web server. It seems that the
| name does not get resolved.
This is not security related. Try connecting by IP address.
> But all name resolutions are correctly entered in the hosts file, and the search variable
| All resolvings (I think "hosts") are correctly in hosts and
| the search variable is set.
AFAIK search from resolv.conf has no effect on hosts but only on DNS queries. This is not security related.
> Scenario: I have a SuSE 7.2 server with two network cards (one Realtek and one NE2000 compatible). eth0 goes to the internal network and eth1 to my TDSL modem.
| I have a server with two network adapters. Eth0 for the
| internal net, and eth1 for the TDSL modem.
> Apart from the firewall2 script I have only used packages that came with SuSE 7.2. Besides that, Apache and Squid are also running on the server
| I run only packages from SuSE 7.2 except firewall2. Apache and
| squid are running.
This is not security related. Please note that AFAIK squid uses only DNS for resolving, but not the /etc/hosts file. This may cause your connection problems. You'd better include error messages next time.
> (although one can of course argue about whether I need Squid at all when I'm doing masquerading).
| (somebody may discuss if I need squid when I have masquerading)
Maybe, and maybe this can be taken as security related, but I don't feel any need for this discussion...
> My rc.firewall2.conf is attached.
| rc.firewall2.conf is attached. (now it's inline :) )
> Thanks in advance to all helpers :) & have a nice weekend!
| Thanks in advance and have a nice weekend.
Same to you.
> Nicolas Keller
> ******************* firewall2.rc.config *******************
> FW_DEV_EXT="ppp0 eth1"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ=""
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="194.127.177.0/24"
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="smtp domain"
> FW_SERVICES_EXT_UDP="domain"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SAMBA="yes"
> FW_FORWARD=""
> FW_FORWARD_MASQ=""
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_KERNEL_SECURITY="yes"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="no"
> FW_ALLOW_FW_TRACEROUTE="yes"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_ALLOW_CLASS_ROUTING="no"
> #FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
oki, Steffen
-- 
This letter was generated by machine and therefore bears neither signature nor seal.
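The SuSE-FW lines in the dmesg excerpt above are the kernel's packet-filter log output with a SuSEfirewall2 prefix in front. As an added example that is not part of this thread and not code from SuSEfirewall2, the Python script below parses such lines exactly as they appear here (prefix glued to the IN= field), then checks each one against the device roles and FW_MASQ_NETS from the posted rc.firewall2.conf: whether the packet was forwarded or addressed to the firewall host, which side each interface belongs to, whether the source lies in a masqueraded net, and whether a high destination port falls under the FW_ALLOW_INCOMING_HIGHPORTS_* settings. The sample log lines and config keys are copied from the thread; the function names and the classification notes are this example's own assumptions, not SuSEfirewall2's rule logic.

```python
"""Triage helper for SuSEfirewall2 kernel log lines (added example, not code
from the thread or from SuSEfirewall2).  Parses "SuSE-FW-<PREFIX>IN=..." lines
as they appear in the dmesg excerpt and annotates each one with what the posted
rc.config says about the interfaces and networks involved."""
import ipaddress
import re

# The log prefix is glued to "IN=" in the excerpt, so match it lazily up to "IN=".
LOG_RE = re.compile(r"^SuSE-FW-(?P<prefix>[A-Z-]+?)IN=(?P<rest>.*)$")
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")

# Constructed from the dmesg excerpt in the thread, one line per message type.
SAMPLE_LOG = """\
SuSE-FW-UNALLOWED-ROUTINGIN=eth0 OUT=ppp0 SRC=194.127.177.80 DST=212.227.126.138 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=32210 DF PROTO=TCP SPT=2256 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-UNALLOWED-TARGETIN=ppp0 OUT= MAC= SRC=194.25.2.129 DST=217.84.122.54 LEN=132 TOS=0x00 PREC=0x00 TTL=60 ID=6059 PROTO=UDP SPT=53 DPT=1028 LEN=112
SuSE-FW-ACCEPTIN=ppp0 OUT= MAC= SRC=64.245.54.152 DST=217.84.122.54 LEN=60 TOS=0x00 PREC=0x00 TTL=40 ID=46764 DF PROTO=TCP SPT=3718 DPT=41178 WINDOW=32120 RES=0x00 SYN URGP=0 OPT (020405B40402080A06D425BB0000000001030300)
"""

# Constructed from the posted rc.firewall2.conf, relevant keys only.
SAMPLE_CONFIG = """\
FW_DEV_EXT="ppp0 eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="194.127.177.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
"""


def parse_config(text):
    """Parse KEY="value" lines; expand $VAR references to keys seen earlier."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        val = val.strip().strip('"')
        for ref in re.findall(r"\$(\w+)", val):
            val = val.replace("$" + ref, cfg.get(ref, ""))
        cfg[key.strip()] = val
    return cfg


def parse_log_line(line):
    """Split one SuSE-FW log line into prefix, KEY=value fields and TCP flags."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    body = "IN=" + m.group("rest")
    fields = {}
    for kv in KV_RE.finditer(body):
        # UDP lines carry LEN= twice (IP length, then UDP length); keep the first.
        fields.setdefault(kv.group("key"), kv.group("val"))
    flags = set(re.findall(r"(?<!\S)(DF|SYN|ACK|FIN|RST|PSH)(?!\S)", body))
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}


def device_role(dev, cfg):
    """Map an interface name to its rc.config role: int, ext, dmz or none."""
    for role, key in (("int", "FW_DEV_INT"), ("ext", "FW_DEV_EXT"), ("dmz", "FW_DEV_DMZ")):
        if dev in cfg.get(key, "").split():
            return role
    return "none"


def triage(entry, cfg):
    """Annotate one parsed log entry with what rc.config says about it."""
    f = entry["fields"]
    src = ipaddress.ip_address(f["SRC"])
    masq_nets = [ipaddress.ip_network(n) for n in cfg.get("FW_MASQ_NETS", "").split()]
    in_dev, out_dev = f.get("IN", ""), f.get("OUT", "")
    result = {
        "prefix": entry["prefix"],
        "chain": "FORWARD" if out_dev else "INPUT",  # OUT= is empty for local delivery
        "in_role": device_role(in_dev, cfg),
        "out_role": device_role(out_dev, cfg) if out_dev else None,
        "proto": f.get("PROTO"),
        "dport": int(f["DPT"]) if "DPT" in f else None,
        "src_in_masq_nets": any(src in net for net in masq_nets),
        "notes": [],
    }
    if result["chain"] == "INPUT":
        if result["proto"] == "UDP" and f.get("SPT") == "53":
            result["notes"].append("UDP from port 53: looks like a DNS reply")
        if result["dport"] is not None and result["dport"] >= 1024:
            key = "FW_ALLOW_INCOMING_HIGHPORTS_" + str(result["proto"])
            result["notes"].append("high destination port; %s=%s" % (key, cfg.get(key, "unset")))
    elif "SYN" in entry["flags"]:
        result["notes"].append("new TCP connection being forwarded")
    return result


def triage_log(text, cfg):
    """Run triage over every SuSE-FW line in a dmesg excerpt; other lines are skipped."""
    entries = (parse_log_line(line) for line in text.splitlines())
    return [triage(e, cfg) for e in entries if e is not None]


if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG, parse_config(SAMPLE_CONFIG)):
        print(r["prefix"], r["chain"], r["in_role"], r["out_role"], r["dport"], r["notes"])
```

Run over the excerpt, it reports the UNALLOWED-ROUTING packet as a forwarded int->ext TCP SYN to port 110 whose source is inside FW_MASQ_NETS, the UNALLOWED-TARGET lines as UDP from port 53 to high ports on the firewall host with FW_ALLOW_INCOMING_HIGHPORTS_UDP=yes, and the ACCEPT lines as TCP SYNs to high port 41178 with FW_ALLOW_INCOMING_HIGHPORTS_TCP=yes. Those are the facts to line up against the rules SuSEfirewall2 actually generated (iptables -L -v -n) before deciding whether anything is misconfigured.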