Mailinglist Archive: opensuse-security (511 mails)

< Previous Next >
Re: can't connect hosts behind firewall
  • From: Christoph Egger <egger@xxxxxxxxxxxxxx>
  • Date: Mon, 20 Aug 2001 09:29:39 +0200
  • Message-id: <200108200727.f7K7R9f30454@xxxxxxxxxxxxxxxxxxx>
On Friday, 17. August 2001 12:52, egger@xxxxxxxxxxxxxx wrote:
> On Friday, 17. August 2001 09:20, egger@xxxxxxxxxxxxxx wrote:
> > On Thursday, 16. August 2001 17:41, maf@xxxxxxxxxxxxxx wrote:
> > > Hi Christoph
> > >
> > > On 2001.08.16 15:35:07 +0100 Christoph Egger wrote:
> > > > On Thursday, 16. August 2001 14:26, egger@xxxxxxxxxxxxxx wrote:
> > > > > Hi!
>
> Problem description:
> ---------------------------------------------------------------------------
>----
>
> > My _test_ - LAN looks like this:
> >
> >
> > 192.168.2.0/24
> >
> > | Host1 with 192.168.2.1
> >
> > Gateway 1 (eth0) with 192.168.2.91
> > Gateway 1 (eth1)
> >
> >
> > Internet
> >
> >
> > Gateway 2 (eth1) with SuSE 7.2 firewall
> > Gateway 2 (eth0) with 10.0.1.10
> >
> > | Host2 with 10.0.1.21
> >
> > 10.0.1.0/24

Within Gateway 1 (eth1) and Gateway 2 (eth1) there is a IPsec tunnel created
by FreeSWAN 1.91.

> > I can do a ping from 192.168.2.1 to 10.0.1.10, but not to 10.0.1.21 and
> > vice versa. It seems that the gateway 2 swellows packets.

Further the routed is somehow blocked by the firewall:

.... Kernel log: input DENY eth0 PROTO=17 10.0.1.0:520 10.0.1.255:520 L=52
S=0x00 I=0 F=0x4000 T=64 (#4)
.... Kernel log: input DENY eth1 PROTO=17 62.180.107.61:520 62.180.107.63:520
S=0x00 I=0 F=0x4000 T=64 (#5)

Shutting the firewall down, routed says:

re-installing interface eth0
re-installing interface eth1

and pinging, DNS, SMB, etc. between the two subnets works perfect.
> ---------------------------------------------------------------------------
>-------
>
> > > > > What do you think, might be the problem?
> > > >
> > > > I forgot to mention, that the SuSE firewall 7.2 definitely causes my
> > > > problem.
> > > >
> > > > FreeSWAN works fine for me as long as the firewall is down. But
> > > > calling "/etc/init.d/SuSEfirewall_init start" and restarting FreeSWAN
> > > > to not loose its firewall rules already causes my problem.
> > >
> > > Sounds like you may be having some sort of masquerading problem. Have
> > > a look in yuor logs and see what packets the firewall drops.
> >
> > Masquerading isn't activated at all.
>
> Here more details: I am using the 2.4.4-4GB Suse standard kernel coming
> with SuSE 7.2 distribution.
>
> The SuSE firewall sets some values in various files in /proc/sys/net/ipv4/
>
> echo 1 > icmp_echo_ignore_broadcasts
> echo 1 > typ_syncookies
> echo 1 > ip_always_defrag
> echo 0 > conf/*/accept_redirects
> echo 0 > conf/*/accept_source_route
> echo 1 > icmp_ignore_bogus_error_responses
> echo 5 > icmp_echoreply_rate
> echo 5 > icmp_destunreach_rate
> echo 5 > icmp_paramprob_rate
> echo 6 > icmp_timeexceed_rate
> echo 20 > ipfrage_time
> echo 1 > igmp_max_memberships
> echo "1024 29999" > ip_local_port_range
> echo 1 > conf/*/log_martians
> echo 0 > conf/*/mc_forwarding
> echo 1 > conf/*/rp_filter (manually disabled by me to keep it "0")
> echo 0 > conf/*/bootp_relay
> echo 0 > conf/*/proxy_arp
> echo 0 > conf/*/secure_redirects
> echo 1 > route/flush
>
> Is there something, which might cause my above described problem?

Hm... no answer to my problem yet. Seems that doesn't help.
So here my SuSE 7.2 firewall (version 4.9) configuration in
/etc/rc.config.d/firewall.rc.config

FW_DEV_WORLD=eth1
FW_DEV_INT=eth0
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
FW_SERVICES_EXTERNAL_TCP=""
FW_SERVICES_EXTERNAL_UDP="500"
FW_SERVICES_EXTERNAL_IP="udp 50"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INTERNAL_TCP=""
FW_SERVICES_INTERNAL_UDP="500"
FW_SERVICES_INTERNAL_IP="udp 50"
FW_TRUSTED_NETS=""
FW_SERVICES_TRUSTED_TCP=""
FW_SERVICES_TRUSTED_UDP=""
FW_SERVICES_TRUSTED_IP=""
FW_SERVICES_TRUSTED_ACL=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
FW_FORWARD_IP=""
FW_FORWARD_MASQ_TCP=""
FW_FORWARD_MASQ_UDP=""
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW=yes
FW_ALLOW_FW_TRACEROUTE=yes

All other variables are set to the default values.
I hope, that this is enough, that someone can help me.

BTW: Setting FW_AUTOPROTECT_GLOBAL_SERVICES to "no" doesn't solve my
problem.


--
CU,
Christoph

< Previous Next >
Follow Ups
References