Mailinglist Archive: opensuse-security (511 mails)
Re: [suse-security] Re: can't connect hosts behind firewall
- From: Christoph Egger <egger@xxxxxxxxxxxxxx>
- Date: Mon, 20 Aug 2001 11:31:35 +0200
- Message-id: <200108200929.f7K9T5f32663@xxxxxxxxxxxxxxxxxxx>
On Monday, 20. August 2001 10:55, maf@xxxxxxxxxxxxxx wrote:
> Hi Christoph,
>
> On 2001.08.20 08:29:39 +0100 Christoph Egger wrote:
> > Further the routed is somehow blocked by the firewall:
> >
> > .... Kernel log: input DENY eth0 PROTO=17 10.0.1.0:520 10.0.1.255:520 L=52 S=0x00 I=0 F=0x4000 T=64 (#4)
> > .... Kernel log: input DENY eth1 PROTO=17 62.180.107.61:520 62.180.107.63:520 S=0x00 I=0 F=0x4000 T=64 (#5)
> >
> > Shutting the firewall down, routed says:
> >
> > re-installing interface eth0
> > re-installing interface eth1
> >
> > and pinging, DNS, SMB, etc. between the two subnets works perfect.
> >
> > > ------------------------------------------------------------------------------
> > >
> > > > > > > What do you think, might be the problem?
>
> Well, at least we know the tunnel works - the problem is something to do
> with the firewall.
Exactly.
> I assume the interfaces 62.180.107.6[1,3] are the public addresses of the
> gateways
62.180.107.61 is the public address of gateway 2, where the firewall is set
up. 62.180.107.63 is the broadcast address.
> Since you are getting routed packets blocked, try:
> 1. Poke a hole in the FW for UDP port 520 - you can always tweak it later
> to make it more secure.
> 2. kill routed and test some static routes.
Has no effect.
> If that still doesn't help, put everything back to 'normal' and grab the FW
> logs from a failed ping through the tunnel. Feel free to post them
> directly to me if you don't want to post them to the list.
FW log is attached.
--
CU,
Christoph

Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 10.0.1.1:8 192.168.2.1:0 L=60 S=0x00 I=5606 F=0x0000 T=128 (#11)
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=112 S=0x00 I=45938 F=0x0000 T=64 (#32)
Aug 20 11:39:06 ipseca kernel: Packet log: input DENY ipsec0 PROTO=1 192.168.2.1:0 10.0.1.1:0 L=60 S=0x10 I=62222 F=0x0000 T=254 (#59)
Aug 20 11:39:07 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 10.0.1.1:8 192.168.2.1:0 L=60 S=0x00 I=5607 F=0x0000 T=128 (#11)
Aug 20 11:39:07 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=112 S=0x00 I=45939 F=0x0000 T=64 (#32)
Aug 20 11:39:07 ipseca kernel: Packet log: input DENY ipsec0 PROTO=1 192.168.2.1:0 10.0.1.1:0 L=60 S=0x10 I=62223 F=0x0000 T=254 (#59)
Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=17 10.0.1.1:1563 10.0.1.10:53 L=77 S=0x00 I=5608 F=0x0000 T=128 (#11)
Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=17 10.0.1.1:1564 10.0.1.10:53 L=66 S=0x00 I=5609 F=0x0000 T=128 (#11)
Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=17 10.0.1.1:1565 10.0.1.10:53 L=65 S=0x00 I=5610 F=0x0000 T=128 (#11)
Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=17 10.0.1.1:1566 10.0.1.10:53 L=62 S=0x00 I=5611 F=0x0000 T=128 (#11)
Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 10.0.1.1:8 192.168.2.1:0 L=60 S=0x00 I=5612 F=0x0000 T=128 (#11)
Aug 20 11:39:08 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=112 S=0x00 I=45940 F=0x0000 T=64 (#32)
Aug 20 11:39:08 ipseca kernel: Packet log: input DENY ipsec0 PROTO=1 192.168.2.1:0 10.0.1.1:0 L=60 S=0x10 I=62225 F=0x0000 T=254 (#59)
Aug 20 11:39:09 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=17 10.0.1.1:1566 192.168.2.1:53 L=62 S=0x00 I=5613 F=0x0000 T=128 (#11)
Aug 20 11:39:09 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=200 S=0x00 I=45941 F=0x0000 T=64 (#32)
Aug 20 11:39:09 ipseca kernel: Packet log: input DENY ipsec0 PROTO=17 192.168.2.1:53 10.0.1.1:1566 L=143 S=0x00 I=62226 F=0x0000 T=63 (#59)
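The attached ipchains "Packet log:" lines are easier to read when parsed and grouped by interface, action and rule number. The following script is an added example, not something posted in this thread: it parses a constructed subset of the lines above, counts which rule fires on which interface, and pulls out the packets that arrive on the decrypting interface (ipsec0) and are denied. In this log the ESP packets (PROTO=50) are accepted on eth1 by rule #32, but the decrypted inner ICMP and DNS replies from 192.168.2.1 are dropped on ipsec0 by rule #59, which is the pattern to look for when a tunnel "works" but nothing gets through it. The tunnel interface name, the function names and the sample lines are this example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "Packet log:" lines attached to the post above.
SAMPLE_LOG = """\
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=1 10.0.1.1:8 192.168.2.1:0 L=60 S=0x00 I=5606 F=0x0000 T=128 (#11)
Aug 20 11:39:06 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=112 S=0x00 I=45938 F=0x0000 T=64 (#32)
Aug 20 11:39:06 ipseca kernel: Packet log: input DENY ipsec0 PROTO=1 192.168.2.1:0 10.0.1.1:0 L=60 S=0x10 I=62222 F=0x0000 T=254 (#59)
Aug 20 11:39:09 ipseca kernel: Packet log: input ACCEPT eth0 PROTO=17 10.0.1.1:1566 192.168.2.1:53 L=62 S=0x00 I=5613 F=0x0000 T=128 (#11)
Aug 20 11:39:09 ipseca kernel: Packet log: input ACCEPT eth1 PROTO=50 62.180.107.60:65535 62.180.107.61:65535 L=200 S=0x00 I=45941 F=0x0000 T=64 (#32)
Aug 20 11:39:09 ipseca kernel: Packet log: input DENY ipsec0 PROTO=17 192.168.2.1:53 10.0.1.1:1566 L=143 S=0x00 I=62226 F=0x0000 T=63 (#59)
"""

# ipchains log layout: chain action iface PROTO=n src:sport dst:dport L=len S=tos I=id F=frag T=ttl (#rule)
# For ICMP (PROTO=1) the "ports" are the ICMP type and code.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 50: "ESP", 51: "AH"}


def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it is not a packet log line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec


def parse_log(text):
    """Parse every packet log line in a block of syslog text, skipping unrelated lines."""
    return [rec for rec in (parse_line(line) for line in text.splitlines()) if rec]


def summarize(records):
    """Count packets per (interface, action, rule) so it is obvious which rule fires where."""
    return Counter((r["iface"], r["action"], r["rule"]) for r in records)


def find_tunnel_drops(records, tunnel_iface="ipsec0"):
    """Return packets denied on the decrypting interface.

    If ESP is accepted on the outer interface but the decrypted inner packet is
    denied on the tunnel interface, the rule set lacks an ACCEPT for traffic
    entering via that interface (assumed interface name: ipsec0)."""
    return [r for r in records if r["iface"] == tunnel_iface and r["action"] == "DENY"]


def diagnose(records, tunnel_iface="ipsec0"):
    """Summarise the symptom: outer ESP accepted vs inner packets dropped."""
    esp_ok = sum(1 for r in records if r["proto"] == 50 and r["action"] == "ACCEPT")
    drops = find_tunnel_drops(records, tunnel_iface)
    return {
        "esp_accepted": esp_ok,
        "inner_denied": len(drops),
        "deny_rules": sorted({r["rule"] for r in drops}),
        "remote_sources": sorted({r["src"] for r in drops}),
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in sorted(summarize(recs).items()):
        print("%-8s %-7s rule #%-3d %d packets" % (key[0], key[1], key[2], n))
    print(diagnose(recs))
```

Run it against a real /var/log/messages instead of SAMPLE_LOG by passing the file contents to parse_log(); any line without "Packet log:" is ignored. The diagnose() output names the rule numbers doing the denying, which is what you need to locate the offending entry in the ipchains rule set for the tunnel interface.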