Mailinglist Archive: opensuse-security (670 mails)
FW: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
- From: "Trow, Steven" <steven.trow@xxxxxxxxxx>
- Date: Tue, 13 Nov 2001 16:22:38 +0000
- Message-id: <0990668AA4C4D411AB83009027C3B875036FF938@xxxxxxxxxxxxxxxxxxxxxx>
Sorry
Sent this directly to Joerg, should've gone here.
Steve
-----Original Message-----
From: Trow, Steven
Sent: 13 November 2001 16:20
To: 'Joerg Pleumann'
Subject: RE: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
Joerg
What version of firewall2 are you using? (I had the same sort of probs with v1.7 and v1.8 for about 3 weeks.)
I upgraded to 2.0 last night (avail now on www.suse.de/~marc dated 11/11/01) and, after removing a couple of erroneous brackets from the /sbin/SuSEfirewall2 script (around one of the ip tests at the bottom of the script; not needed as far as I can tell. Do a "sh -x /sbin/SuSEfirewall2 start | less" on the command line to find them once you've installed it, and look for "command not found". I've emailed Marc Heuse at SuSE about this),
AND after adding my dnsserver address on the firewall: my.isp's.dnsadr.info/16(to get both servers),my.dns.addr.info,udp,53 to "FW_FORWARD=",
AND after split-braining my dnsserver (denying zone-transfers out of my domain, setting up anti-spoofing etc. - it's all there in the Howto; I also run squid as well to try and tie things down, redirecting 80---->3128 internally), I finally got it to work, and was able to get out on the net with http and nslookup.
I've still to do a bit more experimentation, but I found that the initial problem was to do with my dnsserver. It'd lost the root.hints file because it couldn't get out to do the monthly dig of it 'cos of FW2. Once I'd got that fixed the rest followed on quite well, and I managed to get out onto the net last night with nary an error.
Hope this helps.
Regards
Steve Trow
-----Original Message-----
From: Joerg Pleumann [mailto:joerg.pleumann@xxxxxxxxxx]
Sent: 13 November 2001 11:04
To: suse-security@xxxxxxxx
Subject: [suse-security] Problems with SuSEfirewall2 (where #1 worked)
Hello,
as the subject says, I'm having problems with SuSEfirewall2. I just replaced
my working SuSE 7.0/SuSEfirewall1 setup with a new 7.3 installation. My
Linux machine does DSL dial-on-demand and masquerades several other machines
in the internal network, giving them internet access. The masqueraded
machines are allowed to do anything they want. The outside world is allowed
to access ssh and www on the firewall, but nothing else.
As I said, I had a working setup for SuSE 7.0, which basically looked like
this (new key names used here):
FW_DEV_EXT=ppp0
FW_DEV_INT=eth0
FW_ROUTE=yes
FW_MASQUERADE=yes
FW_MASQ_NETS=192.168.0.0/24
FW_PROTECT_FROM_INTERNAL=no
FW_AUTOPROTECT_SERVICES=yes
FW_SERVICES_EXT_TCP=ssh www
I tried to use the same setup with SuSEfirewall1 (the updated package from
the SuSE web site) first. It worked, but I couldn't live with the
restrictions (no FTP, ...), so I tried SuSEfirewall2 with mostly the same
settings. Masquerading seems to work, as well as the firewall itself
(nothing except ssh and www arrives at the machine), but there's one problem
that I can't get rid of: The firewall machine itself is not able to access
either the internal network or the internet. Error messages look like this:
[...] SuSE-FW-UNALLOWED-TARGET IN=ppp0 [...] SRC=217.5.115.7 DST=217.226.71.131 [...]
and
[...] SuSE-FW-UNALLOWED-TARGET IN=ppp0 [...] SRC=194.25.2.129 DST=217.226.71.131 [...]
where the SRC IPs belong to the two DNS I use, and the DST IP is the one dynamically assigned to me. I tried some additional settings, for example FW_ALLOW_CLASS_ROUTING, but to no avail.
Any pointers in the right direction would be greatly appreciated.
Regards,
Joerg Pleumann
--
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx
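Editor's added example (not from either mail and not part of SuSEfirewall2): the log lines Joerg quotes are abbreviated, but the kernel's netfilter LOG target always emits IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields after the "SuSE-FW-UNALLOWED-TARGET" prefix. The script below parses lines in that format and sorts the refused packets arriving on ppp0 into "replies to the firewall host's own DNS queries" (UDP from source port 53 to the host's own external address, the pattern in the post) versus genuinely unsolicited connection attempts. The sample log is constructed: the two resolver addresses and the dynamic address are the ones quoted above; timestamps, ports, the internal host 192.168.0.10 and the telnet probe from 198.51.100.23 are invented, and the function names are mine.

```python
import re
from collections import Counter

# Log prefix as quoted in Joerg's post. The fields after it follow the kernel
# netfilter LOG target format (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=).
PREFIX = "SuSE-FW-UNALLOWED-TARGET"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log (not taken from the thread). Resolver addresses and
# the dynamic external address match the post; everything else is made up.
SAMPLE_LOG = """\
Nov 13 10:51:02 gw kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=217.226.71.131 LEN=118 TOS=0x00 PREC=0x00 TTL=55 ID=4711 PROTO=UDP SPT=53 DPT=32768 LEN=98
Nov 13 10:51:02 gw kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=194.25.2.129 DST=217.226.71.131 LEN=118 TOS=0x00 PREC=0x00 TTL=57 ID=4712 PROTO=UDP SPT=53 DPT=32769 LEN=98
Nov 13 10:51:03 gw kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=217.226.71.131 LEN=118 TOS=0x00 PREC=0x00 TTL=55 ID=4713 PROTO=UDP SPT=53 DPT=32768 LEN=98
Nov 13 10:51:05 gw kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=198.51.100.23 DST=217.226.71.131 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=2345 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 13 10:51:07 gw kernel: SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC= SRC=192.168.0.10 DST=192.168.0.1 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=77 PROTO=UDP SPT=1025 DPT=53 LEN=48
Nov 13 10:51:08 gw kernel: eth0: link is up
"""


def parse_fw_line(line):
    """Parse one syslog line. For lines carrying PREFIX, return the KEY=VALUE
    fields as a dict (LEN appears twice; the second, transport-layer value
    wins) plus a 'flags' set holding bare tokens such as DF, SYN, ACK.
    Lines without the prefix are not firewall logs and yield None."""
    idx = line.find(PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(PREFIX):]
    rec = dict(FIELD_RE.findall(body))
    rec["flags"] = {tok for tok in body.split() if "=" not in tok}
    return rec


def classify(rec, own_addr):
    """Say what kind of packet the firewall refused.

    A UDP datagram from source port 53 addressed to the firewall's own
    external address is almost certainly the answer to a query the firewall
    host itself sent; dropping it produces exactly the symptom in the thread
    (the host cannot resolve names). A TCP SYN without ACK is an unsolicited
    connection attempt from outside, which the firewall is meant to refuse.
    """
    if rec.get("DST") != own_addr:
        return "not-for-this-host"
    proto = rec.get("PROTO")
    if proto == "UDP" and rec.get("SPT") == "53":
        return "dns-reply-to-firewall-host"
    if proto == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
        return "unsolicited-tcp-connect"
    return "other"


def summarize(log_text, own_addr, ext_if="ppp0"):
    """Group refused packets that arrived on ext_if by classification and then
    by (SRC, PROTO, SPT, DPT), so repeated resolver replies stand out."""
    out = {}
    for line in log_text.splitlines():
        rec = parse_fw_line(line)
        if rec is None or rec.get("IN") != ext_if:
            continue
        kind = classify(rec, own_addr)
        key = (rec.get("SRC"), rec.get("PROTO"), rec.get("SPT"), rec.get("DPT"))
        out.setdefault(kind, Counter())[key] += 1
    return out


def blocked_resolvers(summary):
    """Resolver addresses whose answers the firewall threw away."""
    return sorted({src for (src, _, _, _) in summary.get("dns-reply-to-firewall-host", {})})


if __name__ == "__main__":
    OWN_ADDR = "217.226.71.131"  # the dynamically assigned address from the post
    summary = summarize(SAMPLE_LOG, OWN_ADDR)
    for kind, counter in summary.items():
        print(kind)
        for (src, proto, spt, dpt), n in counter.most_common():
            print(f"  {n:3d}x {src} {proto} sport {spt} -> dport {dpt}")
    print("resolvers whose replies were dropped:", blocked_resolvers(summary))
```

If the bulk of the refused traffic on the external interface is source-port-53 UDP aimed at your own address, the firewall is discarding its own return traffic and the fix belongs in the rules for the host's outbound connections, not in the inbound service list. Do not turn the classification into an allow rule: anything can set source port 53, so a rule that admits all UDP with SPT=53 opens the host to spoofed packets. Permit replies only to queries the host actually sent, towards the resolvers you actually use.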