Joerg
What version of firewall2 are you using? (I had the same sort of probs with v1.7 and v1.8 for about 3 weeks.)
I upgraded to 2.0 last night (available now on www.suse.de/~marc, dated 11/11/01) and, after removing a couple of erroneous brackets from the /sbin/SuSEfirewall2 script (around one of the IP tests at the bottom of the script; not needed as far as I can tell. Do a "sh -x /sbin/SuSEfirewall2 start | less" on the command line to find them once you've installed it, and look for "command not found". I've emailed Marc Heuse at SuSE about this.)
AND after adding my DNS server address on the firewall: my.isp's.dnsadr.info/16 (to get both servers),my.dns.addr.info,udp,53 to "FW_FORWARD="
AND after split-braining my DNS server (denying zone transfers out of my domain, setting up anti-spoofing, etc. - it's all there in the HOWTO; I also run squid as well to try and tie things down, redirecting 80 ----> 3128 internally), I finally got it to work, and was able to get out on the net with http and nslookup.
I've still to do a bit more experimentation, but I found that the initial problem was to do with my DNS server. It'd lost the root.hints file because it couldn't get out to do the monthly dig of it 'cos of FW2. Once I'd got that fixed the rest followed on quite well, and I managed to get out onto the net last night with nary an error.
Hope this helps.
Regards
Steve Trow
-----Original Message-----
From: Joerg Pleumann [mailto:joerg.pleumann@trantor.de]
Sent: 13 November 2001 11:04
To: suse-security@suse.com
Subject: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
Hello,
as the subject says, I'm having problems with SuSEfirewall2. I just replaced my working SuSE 7.0/SuSEfirewall1 setup with a new 7.3 installation. My Linux machine does DSL dial-on-demand and masquerades several other machines in the internal network, giving them internet access. The masqueraded machines are allowed to do anything they want. The outside world is allowed to access ssh and www on the firewall, but nothing else.
As I said, I had a working setup for SuSE 7.0, which basically looked like this (new key names used here):
FW_DEV_EXT=ppp0
FW_DEV_INT=eth0
FW_ROUTE=yes
FW_MASQUERADE=yes
FW_MASQ_NETS=192.168.0.0/24
FW_PROTECT_FROM_INTERNAL=no
FW_AUTOPROTECT_SERVICES=yes
FW_SERVICES_EXT_TCP=ssh www
I tried to use the same setup with SuSEfirewall1 (the updated package from the SuSE web site) first. It worked, but I couldn't live with the restrictions (no FTP, ...), so I tried SuSEfirewall2 with mostly the same settings. Masquerading seems to work, as well as the firewall itself (nothing except ssh and www arrives at the machine), but there's one that I can't get rid of: The firewall machine itself is not able to access either the internal network or the internet. Error messages look like
[...] SuSE-FW-UNALLOWED-TARGET IN=ppp0 [...] SRC=217.5.115.7 DST=217.226.71.131 [...]
and
[...] SuSE-FW-UNALLOWED-TARGET IN=ppp0 [...] SRC=194.25.2.129 DST=217.226.71.131 [...]
where the SRC IPs belong to the two DNS servers I use, and the DST IP is the one dynamically assigned to me. I tried some additional settings, for example FW_ALLOW_CLASS_ROUTING, but to no avail.
Any pointers in the right direction would be greatly appreciated.
Regards,
Joerg Pleumann

Joerg
Sorry - replied to you personally - I've also fwd'd to the list to see what burns/flames I get.
I also am at the office, which is the reason why I couldn't be more precise about the /sbin/SuSEfirewall2 v2.0 script bugs.
Steve
-----Original Message-----
From: Joerg Pleumann [mailto:joerg.pleumann@trantor.de]
Sent: 13 November 2001 16:30
To: Trow, Steven
Subject: Re: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
Hi Steven,
I'm currently at my office, but I'll check your suggestions as soon as I get home. Thanks for replying -- I'll send you mail about any success/failure I encounter.
Regards,
Jörg
----- Original Message -----
From: "Trow, Steven"
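The SuSE-FW-UNALLOWED-TARGET messages quoted in the thread are netfilter LOG records written by the kernel. As an added example (not code from this thread, from SuSE, or from SuSEfirewall2), the Python script below parses such kernel log lines and counts how many of the dropped packets are UDP source-port-53 replies from the resolvers the host is configured to use, which is the pattern Joerg's two lines show (replies from his DNS servers arriving on ppp0 and being refused). The sample log lines, their fields after DST=, and the DNS_SERVERS set are constructed for the example; the original post elides those fields.

```python
import re
from collections import Counter

# Constructed sample log lines in the netfilter LOG format. The two SRC
# addresses and the DST address are the ones quoted in the thread; every
# other field (LEN, TTL, PROTO, SPT, DPT, ...) is made up for the example.
SAMPLE_LOG = """\
Nov 13 10:58:01 fw kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=217.226.71.131 LEN=132 TOS=0x00 PREC=0x00 TTL=56 ID=4711 PROTO=UDP SPT=53 DPT=1034 LEN=112
Nov 13 10:58:03 fw kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=194.25.2.129 DST=217.226.71.131 LEN=132 TOS=0x00 PREC=0x00 TTL=56 ID=4712 PROTO=UDP SPT=53 DPT=1035 LEN=112
Nov 13 10:58:10 fw kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=217.226.71.131 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=999 PROTO=TCP SPT=4321 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 13 10:58:12 fw sshd[1234]: Accepted publickey for steve from 192.168.0.5 port 34512 ssh2
"""

# Resolvers the firewall host itself queries (constructed; taken from the
# SRC addresses in the thread's two log lines).
DNS_SERVERS = {"217.5.115.7", "194.25.2.129"}

# Matches the SuSEfirewall2 log prefix followed by the key=value fields
# that the kernel LOG target appends.
LOG_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z-]+)\s+(?P<fields>.*)$")


def parse_fw_line(line):
    """Return a dict of the firewall log fields, or None for unrelated lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # LEN= appears twice (IP header, then UDP header); keep the first.
            rec.setdefault(key, val)
    return rec


def classify(rec, dns_servers):
    """Label a dropped packet as a DNS reply from a known resolver or 'other'."""
    if (rec.get("PROTO") == "UDP" and rec.get("SPT") == "53"
            and rec.get("SRC") in dns_servers):
        return "dns-reply-from-resolver"
    return "other"


def summarize(log_text, dns_servers):
    """Count dropped packets by (log prefix, inbound interface, classification)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None:
            continue
        counts[(rec["prefix"], rec.get("IN", ""), classify(rec, dns_servers))] += 1
    return counts


if __name__ == "__main__":
    for (prefix, iface, kind), n in sorted(summarize(SAMPLE_LOG, DNS_SERVERS).items()):
        print(f"{prefix} on {iface}: {kind} x{n}")
```

Run against /var/log/messages instead of SAMPLE_LOG, a high count in the "dns-reply-from-resolver" bucket on the external interface is the signature of the symptom described in the thread: the host's own DNS queries leave, but the answers are dropped, so nslookup and anything that needs name resolution on the firewall itself fails while masqueraded clients are unaffected.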
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com