Mailinglist Archive: opensuse-security (511 mails)
Re: [suse-security] can't connect hosts behind firewall
- From: Christoph Egger <egger@xxxxxxxxxxxxxx>
- Date: Fri, 17 Aug 2001 12:10:41 +0200
- Message-id: <200108171008.f7HA8Kf03933@xxxxxxxxxxxxxxxxxxx>
On Friday, 17. August 2001 09:20, egger@xxxxxxxxxxxxxx wrote:
> On Thursday, 16. August 2001 17:41, maf@xxxxxxxxxxxxxx wrote:
> > Hi Christoph
> >
> > On 2001.08.16 15:35:07 +0100 Christoph Egger wrote:
> > > On Thursday, 16. August 2001 14:26, egger@xxxxxxxxxxxxxx wrote:
> > > > Hi!
Problem description:
-------------------------------------------------------------------------------
> My _test_ - LAN looks like this:
>
>
> 192.168.2.0/24
>
> | Host1 with 192.168.2.1
>
> Gateway 1 (eth0) with 192.168.2.91
> Gateway 1 (eth1)
>
>
> Internet
>
>
> Gateway 2 (eth1) with SuSE 7.2 firewall
> Gateway 2 (eth0) with 10.0.1.10
>
> | Host2 with 10.0.1.21
>
> 10.0.1.0/24
>
> I can do a ping from 192.168.2.1 to 10.0.1.10, but not to 10.0.1.21 and
> vice versa. It seems that the gateway 2 swallows packets.
----------------------------------------------------------------------------------
> > > > What do you think, might be the problem?
> > >
> > > I forgot to mention, that the SuSE firewall 7.2 definitely causes my
> > > problem.
> > >
> > > FreeSWAN works fine for me as long as the firewall is down. But calling
> > > "/etc/init.d/SuSEfirewall_init start" and restarting FreeSWAN to not
> > > > lose its firewall rules already causes my problem.
> >
> > Sounds like you may be having some sort of masquerading problem. Have a
> > > look in your logs and see what packets the firewall drops.
>
> Masquerading isn't activated at all.
Here more details: I am using the 2.4.4-4GB Suse standard kernel coming with
SuSE 7.2 distribution.
The SuSE firewall sets some values in various files in /proc/sys/net/ipv4/
echo 1 > icmp_echo_ignore_broadcasts
echo 1 > tcp_syncookies
echo 1 > ip_always_defrag
echo 0 > conf/*/accept_redirects
echo 0 > conf/*/accept_source_route
echo 1 > icmp_ignore_bogus_error_responses
echo 5 > icmp_echoreply_rate
echo 5 > icmp_destunreach_rate
echo 5 > icmp_paramprob_rate
echo 6 > icmp_timeexceed_rate
echo 20 > ipfrag_time
echo 1 > igmp_max_memberships
echo "1024 29999" > ip_local_port_range
echo 1 > conf/*/log_martians
echo 0 > conf/*/mc_forwarding
echo 1 > conf/*/rp_filter (manually disabled by me to keep it "0")
echo 0 > conf/*/bootp_relay
echo 0 > conf/*/proxy_arp
echo 0 > conf/*/secure_redirects
echo 1 > route/flush
Is there something, which might cause my above described problem?
--
CU,
Christoph
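
One way to check which of the settings listed in this mail are actually in effect on each interface, as an added example that is not part of the original message. The function name `audit_ipv4`, its output format and the sample tree are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original mail): report the settings under a
# /proc/sys/net/ipv4-style tree that decide whether routed packets are
# forwarded, dropped by the reverse-path filter, or logged when dropped.

audit_ipv4() {
    root=${1:-/proc/sys/net/ipv4}

    # A gateway only forwards between its interfaces when ip_forward is 1.
    if [ -r "$root/ip_forward" ] && [ "$(cat "$root/ip_forward")" != "1" ]; then
        echo "ip_forward=$(cat "$root/ip_forward") forwarding disabled"
    fi

    # conf/*/ holds one directory per interface (plus "all" and "default"),
    # so each directory is read individually instead of through one redirect.
    for dir in "$root"/conf/*; do
        [ -d "$dir" ] || continue
        iface=${dir##*/}
        if [ -r "$dir/rp_filter" ] && [ "$(cat "$dir/rp_filter")" != "0" ]; then
            echo "$iface/rp_filter=$(cat "$dir/rp_filter") reverse-path filter active"
        fi
        if [ -r "$dir/log_martians" ] && [ "$(cat "$dir/log_martians")" != "1" ]; then
            echo "$iface/log_martians=$(cat "$dir/log_martians") martian drops not logged"
        fi
    done
}

# Constructed sample tree; the values are made up for the demonstration.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/conf/all" "$t/conf/eth0" "$t/conf/eth1"
    echo 1 > "$t/ip_forward"
    for i in all eth0; do
        echo 0 > "$t/conf/$i/rp_filter"
        echo 1 > "$t/conf/$i/log_martians"
    done
    echo 1 > "$t/conf/eth1/rp_filter"    # filter left enabled on one interface
    echo 0 > "$t/conf/eth1/log_martians"
    echo "$t"
}

sample=$(make_sample)
audit_ipv4 "$sample"
rm -rf "$sample"
```

Called without an argument, `audit_ipv4` reads the live `/proc/sys/net/ipv4` tree of the machine it runs on.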