Mailinglist Archive: opensuse-security (670 mails)
RE: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
- From: "Trow, Steven" <steven.trow@xxxxxxxxxx>
- Date: Tue, 13 Nov 2001 16:34:33 +0000
- Message-id: <0990668AA4C4D411AB83009027C3B875036FF939@xxxxxxxxxxxxxxxxxxxxxx>
Joerg
Sorry - replied to you personally - I've also fwd'd to the list to see what
burns/flames I get.
I also am at the office, which is the reason why I couldn't be more
precise about the /sbin/SuSEfirewall2 v2.0 script bugs.
Steve
-----Original Message-----
From: Joerg Pleumann [mailto:joerg.pleumann@xxxxxxxxxx]
Sent: 13 November 2001 16:30
To: Trow, Steven
Subject: Re: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
Hi Steven,
I'm currently at my office, but I'll check your suggestions as soon as I get
home. Thanks for replying -- I'll send you mail about any success/failure I
encounter.
Regards,
Jörg
----- Original Message -----
From: "Trow, Steven" <steven.trow@xxxxxxxxxx>
To: "'Joerg Pleumann'" <joerg.pleumann@xxxxxxxxxx>
Sent: Tuesday, November 13, 2001 5:20 PM
Subject: RE: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
> Joerg
>
> What version of firewall2 are you using? (I had the same sort of probs with
> v1.7 and v1.8 for about 3 weeks.)
>
> I upgraded to 2.0 last night (avail now on www.suse.de/~marc dated 11/11/01)
> and after removing a couple of erroneous brackets from the
> /sbin/SuSEfirewall2 script (around one of the ip tests at the bottom of the
> script (not needed as far as I can tell) do a
> "sh -x /sbin/SuSEfirewall2 start | less" on the command line to find them
> once you've installed it, look for "command not found" (I've emailed Marc
> Heuse at SuSE about this).)
>
> AND after adding my dnsserver address on the firewall:
> my.isp's.dnsadr.info/16(to get both servers),my.dns.addr.info,udp,53 to
> "FW_FORWARD="
>
> AND after split-braining my dnsserver (denying zone-transfers out of my
> domain, setting up anti-spoofing etc. - it's all there in the Howto, I also
> run squid as well to try and tie things down, redirecting 80---->3128
> internally) I finally got it to work, and was able to get out on the net
> with http, and nslookup.
>
> I've still to do a bit more experimentation, but I found that the initial
> problem was to do with my dnsserver. It'd lost the root.hints file because
> it couldn't get out to do the monthly dig of it 'cos of FW2. Once I'd got
> that fixed the rest followed on quite well, and I managed to get out onto
> the net last night with nary an error.
>
> Hope this helps.
>
> Regards
>
> Steve Trow
> -----Original Message-----
> From: Joerg Pleumann [mailto:joerg.pleumann@xxxxxxxxxx]
> Sent: 13 November 2001 11:04
> To: suse-security@xxxxxxxx
> Subject: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
>
>
> Hello,
>
> as the subject says, I'm having problems with SuSEfirewall2. I just replaced
> my working SuSE 7.0/SuSEfirewall1 setup with a new 7.3 installation. My
> Linux machine does DSL dial-on-demand and masquerades several other machines
> in the internal network, giving them internet access. The masqueraded
> machines are allowed to do anything they want. The outside world is allowed
> to access ssh and www on the firewall, but nothing else.
>
> As I said, I had a working setup for SuSE 7.0, which basically looked like
> this (new key names used here):
>
> FW_DEV_EXT=ppp0
> FW_DEV_INT=eth0
> FW_ROUTE=yes
> FW_MASQUERADE=yes
> FW_MASQ_NETS=192.168.0.0/24
> FW_PROTECT_FROM_INTERNAL=no
> FW_AUTOPROTECT_SERVICES=yes
> FW_SERVICES_EXT_TCP=ssh www
>
> I tried to use the same setup with SuSEfirewall1 (the updated package from
> the SuSE web site) first. It worked, but I couldn't live with the
> restrictions (no FTP, ...), so I tried SuSEfirewall2 with mostly the same
> settings. Masquerading seems to work, as well as the firewall itself
> (nothing except ssh and www arrives at the machine), but there's one problem
> that I can't get rid of: The firewall machine itself is not able to access
> either the internal network or the internet. Error messages look like this:
>
> [...] SuSE-FW-UNALLOWED-TARGETIN=ppp0 [...] SRC=217.5.115.7
> DST=217.226.71.131 [...]
>
> and
>
> [...] SuSE-FW-UNALLOWED-TARGETIN=ppp0 [...] SRC=194.25.2.129
> DST=217.226.71.131 [...]
>
> where the SRC IPs belong to the two DNS in use, and the DST IP is the one
> dynamically assigned to me. I tried some additional settings, for example
> FW_ALLOW_CLASS_ROUTING, but to no avail.
>
> Any pointers into the right direction would be greatly appreciated.
>
> Regards,
>
> Joerg Pleumann
>
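An added example, not part of the thread: a small log triage script that checks whether packets logged with the `SuSE-FW-UNALLOWED-TARGET` prefix on the external device are DNS answers from the configured resolvers to the firewall host itself, which is the pattern the original question describes. The function names, the resolver set and the sample lines (documentation addresses) are constructed for illustration; `PROTO` and `SPT` are standard netfilter LOG fields that the excerpts in the thread elide with `[...]`.

```python
import re
from collections import Counter

# Log prefix as quoted in the thread. It can appear fused to IN= (as in the
# thread) or separated by a space, so accept both forms.
PREFIX = re.compile(r"(SuSE-FW-[A-Z-]+?)\s?IN=")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_drop(line):
    """Return (prefix, fields) for a SuSEfirewall2 log line, else None."""
    m = PREFIX.search(line)
    if not m:
        return None
    # Parse KEY=value pairs only after the prefix so IN= is not swallowed by it.
    return m.group(1), dict(FIELD.findall(line[m.end(1):]))

def dropped_dns_replies(lines, ext_dev, resolvers):
    """Count logged packets arriving on ext_dev that look like DNS answers:
    source port 53, sent by one of the resolvers the host is configured to use."""
    hits = Counter()
    for line in lines:
        parsed = parse_drop(line)
        if parsed is None:
            continue
        _, f = parsed
        if (f.get("IN") == ext_dev and f.get("SRC") in resolvers
                and f.get("PROTO") in ("UDP", "TCP") and f.get("SPT") == "53"):
            hits[f["SRC"]] += 1
    return dict(hits)

# Constructed sample input (assumption: not taken from the poster's logs).
RESOLVERS = {"192.0.2.53", "198.51.100.53"}
SAMPLE = [
    "kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=192.0.2.53 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=1027",
    "kernel: SuSE-FW-UNALLOWED-TARGETIN=ppp0 OUT= MAC= SRC=192.0.2.53 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=1028",
    "kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=198.51.100.53 DST=203.0.113.10 PROTO=UDP SPT=53 DPT=1029",
    "kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=198.51.100.77 DST=203.0.113.10 PROTO=TCP SPT=40112 DPT=23",
    "pppd[412]: rcvd [LCP EchoRep id=0x1]",
]

if __name__ == "__main__":
    for src, n in dropped_dns_replies(SAMPLE, "ppp0", RESOLVERS).items():
        print(f"{n} DNS answer(s) from resolver {src} were logged as unallowed")
```

A non-empty result means the firewall is discarding replies to its own lookups rather than unsolicited traffic, so the rule set for locally originated connections is where to look.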