Dear Robert, hello all,

I am not running two firewalls. Firewall2 is disabled, but it can run in a test mode. While running in test mode no packet filters are applied, but the packets which would be stopped are logged to /var/log/firewall.

For reference again: I have updated to kernel 2.4.16 from the SuSE 7.2 distribution. I have installed firewall2 and subsequently uninstalled firewall1 and the personal firewall.

I applied your comments (Robert's comments) to my firewall configuration file. Unfortunately it did not work. I still get the same message, which I am printing again for your reference.

This message is logged when I try to access the Internet (external) via a PC on the LAN (mine, trusted):
Mar 28 15:36:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=ppp0 SRC=192.168.159.11 DST=207.46.28.116 LEN=48 TOS=0x08 PREC=0x00 TTL=127 ID=30798 DF PROTO=TCP SPT=3995 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405AA01010402)
These messages are logged when I try to access the Internet (external) from the router itself:
Mar 28 15:35:47 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=80.131.55.127 LEN=533 TOS=0x00 PREC=0x00 TTL=56 ID=8252 PROTO=UDP SPT=53 DPT=1027 LEN=513
Mar 28 15:35:52 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=194.25.2.129 DST=80.131.55.127 LEN=533 TOS=0x00 PREC=0x00 TTL=250 ID=50647 DF PROTO=UDP SPT=53 DPT=1028 LEN=513
The difference between those lines is just the IP.
I am including my firewall2 configuration file again. Please apply any changes directly with the changed command line, or just change the command line.

Thank you very much.
Greetings, Thomas
PS: I am not sure about the external devices. I have one external card, which is eth0. But I tried this setting with just eth0 too and it did not work. That is why I put ppp0 in as well.

I have not updated the pppoed which came with the 7.2 distribution of SuSE (kernel 2.4.4). Maybe there is a compatibility issue between the new kernel 2.4.16 and the iptables for kernel 2.4.4 (just a guess). The same applies to the pppoed, but that should not interfere with packet filtering, and the line works!

Firewall2 configuration file (please apply any changes directly, or just copy the line and change it to the correct value; thank you very much :-)):
FW_DEV_EXT="ppp0 eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.159.0"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh http" # Common: smtp domain
FW_SERVICES_EXT_UDP="ssh http" # Common: domain
FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_DMZ_TCP="" # Common: smtp domain
FW_SERVICES_DMZ_UDP="" # Common: domain
FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
#
FW_SERVICES_INT_TCP="ssh http" # Common: ssh smtp domain
FW_SERVICES_INT_UDP="ssh http" # Common: domain syslog
FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INTERNET="yes"
##
# END of rc.firewall
##
#
#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
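As an added example (not part of Thomas's or Robert's posts, and not SuSEfirewall2 code), here is a small parser for the SuSE-FW-* log lines quoted above. It pulls the IN/OUT/SRC/DST/PROTO/SPT/DPT fields and the bare flag words out of the netfilter LOG format, derives which chain the packet was on from whether IN and OUT are both set, and attaches a heuristic label of this example's own (new connection, established flow, probable UDP reply). The sample lines are constructed from the ones in the thread, plus one non-firewall syslog line to show that it is skipped.

```python
"""Parse SuSEfirewall2 (netfilter LOG) lines from /var/log/firewall.

Added example: not from the thread and not SuSEfirewall2 code. SAMPLE_LOG is
constructed from the lines quoted above; classify() is this example's own
heuristic, not the firewall's rule logic.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_LOG = """\
Mar 28 15:36:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=ppp0 SRC=192.168.159.11 DST=207.46.28.116 LEN=48 TOS=0x08 PREC=0x00 TTL=127 ID=30798 DF PROTO=TCP SPT=3995 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405AA01010402)
Mar 28 15:35:47 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=217.5.115.7 DST=80.131.55.127 LEN=533 TOS=0x00 PREC=0x00 TTL=56 ID=8252 PROTO=UDP SPT=53 DPT=1027 LEN=513
Mar 27 13:32:39 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=62.41.113.136 DST=217.1.132.119 LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=19021 DF PROTO=TCP SPT=80 DPT=1081 WINDOW=31900 RES=0x00 ACK URGP=0 OPT (0101080A032AB4AF00024C5E)
Mar 28 15:40:00 linux sshd[412]: Accepted publickey for thomas from 192.168.159.11
"""

# syslog timestamp, host, "kernel:", the SuSE-FW-* prefix set by FW_LOG, then the LOG fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>SuSE-FW-\S+)\s+(?P<rest>.*)$"
)
# trailing "OPT (hex)" from --log-tcp-options / --log-ip-options; the ')' may be cut off
OPT_RE = re.compile(r"\s*OPT \((?P<opt>[0-9A-Fa-f]*)\)?\s*$")
# bare words netfilter LOG emits without "=": IP flags and TCP flag bits
BARE_FLAGS = {"DF", "MF", "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


@dataclass
class FwLogEntry:
    ts: str
    host: str
    prefix: str
    fields: Dict[str, str] = field(default_factory=dict)
    flags: List[str] = field(default_factory=list)
    options: str = ""

    @property
    def proto(self) -> str:
        return self.fields.get("PROTO", "")

    @property
    def chain(self) -> str:
        """LOG fills IN on INPUT/FORWARD and OUT on OUTPUT/FORWARD, so the
        IN/OUT pair tells you which path through the host dropped the packet."""
        has_in, has_out = bool(self.fields.get("IN")), bool(self.fields.get("OUT"))
        if has_in and has_out:
            return "FORWARD"
        return "INPUT" if has_in else ("OUTPUT" if has_out else "UNKNOWN")


def parse_line(line: str) -> Optional[FwLogEntry]:
    """Return a FwLogEntry for a SuSE-FW line, None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = FwLogEntry(m["ts"], m["host"], m["prefix"])
    rest = m["rest"]
    opt = OPT_RE.search(rest)
    if opt:
        entry.options = opt["opt"]
        rest = rest[: opt.start()]
    for tok in rest.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            # UDP lines carry LEN twice (IP total length, then UDP length): keep the first
            entry.fields.setdefault(key, val)
        elif tok in BARE_FLAGS:
            entry.flags.append(tok)
    return entry


def classify(e: FwLogEntry) -> str:
    """Heuristic label (this example's assumption): TCP SYN without ACK is a
    new connection attempt; ACK without SYN belongs to an existing flow; UDP
    from a well-known source port to an ephemeral destination port looks like
    the reply to a query this host (or a masqueraded client) sent."""
    spt, dpt = int(e.fields.get("SPT", "0")), int(e.fields.get("DPT", "0"))
    if e.proto == "TCP":
        if "SYN" in e.flags and "ACK" not in e.flags:
            return "new-connection"
        return "established" if "ACK" in e.flags else "other-tcp"
    if e.proto == "UDP":
        return "probable-reply" if spt < 1024 <= dpt else "udp-request"
    return e.proto.lower() or "unknown"


def summarize(log_text: str) -> List[Dict[str, str]]:
    """One flat record per SuSE-FW line; other syslog lines are skipped."""
    out = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        out.append({
            "time": e.ts, "prefix": e.prefix, "chain": e.chain,
            "in": e.fields.get("IN", ""), "out": e.fields.get("OUT", ""),
            "src": f"{e.fields.get('SRC')}:{e.fields.get('SPT', '-')}",
            "dst": f"{e.fields.get('DST')}:{e.fields.get('DPT', '-')}",
            "proto": e.proto, "kind": classify(e),
        })
    return out


if __name__ == "__main__":
    for rec in summarize(SAMPLE_LOG):
        print(" ".join(f"{k}={v}" for k, v in rec.items()))
```

Run as a script, the first record comes out as chain=FORWARD with in=eth1 out=ppp0 for the LAN client's SYN to port 80, and the two lines with IN=ppp0 and an empty OUT come out as chain=INPUT. Whether SuSEfirewall2 tags a packet DROP-DEFAULT or UNALLOWED-TARGET is the firewall's own rule logic; the classify() labels are only a reading of the packet headers the LOG target wrote.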
--- Robert Klein
Hi Thomas,
> Since I could not get a connection with the T-DSL line
[ T-DSL = ADSL/pppoe ]
> I unloaded Firewall2 and let Firewall2 run in test mode. With a primitive
> IPTables script (mainly ipforwarding and masquerading) I started the pppoed
> again and I get the following message from /var/log/firewall.
Umm, I don't quite understand you: are you using _both_ Firewall2 and a "primitive IPTables script", or do you use the term "primitive..." for your config file below?
> Mar 27 13:32:39 linux kernel: SuSE-FW-UNALLOWED-TARGET IN=ppp0 OUT= MAC= SRC=62.41.113.136 DST=217.1.132.119 LEN=52 TOS=0x08 PREC=0x00 TTL=52 ID=19021 DF PROTO=TCP SPT=80 DPT=1081 WINDOW=31900 RES=0x00 ACK URGP=0 OPT (0101080A032AB4AF00024C5E)
This means someone tries to connect to your computer's web server, FYI.
> FW_DEV_EXT="ppp0 eth0"
> FW_DEV_INT="eth1"
> FW_DEV_DMZ=""
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="192.168.10.0/24,0/0,tcp,1:65535 \
>               192.168.10.0/24,0/0,udp,1:65535"
FW_MASQ_NETS="192.168.10.0"
this should accomplish the same.
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="no"
This variable tells the firewall to protect _your_ services from outside computers, e.g. to stop outsiders from accessing your samba shares, web server etc.
> FW_SERVICES_EXT_TCP="1:65535" # Common: smtp domain
State only those things you want to give to other people from the internet. For example if you have a web server running and a ssh daemon you want to be accessible from the world, put "ssh, http" here.
> FW_SERVICES_EXT_UDP="1:65535" # Common: domain
See FW_SERVICES_EXT_TCP.
> FW_SERVICES_EXT_IP="" # For VPN/Routing which END at the firewall!!
> #
> FW_SERVICES_DMZ_TCP="" # Common: smtp domain
> FW_SERVICES_DMZ_UDP="" # Common: domain
> FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!!
> #
> FW_SERVICES_INT_TCP="1:65535" # Common: ssh smtp domain
Comments from above apply, now from your internal network
> FW_SERVICES_INT_UDP="1:65535" # Common: domain syslog
> FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!!
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD="0/0,0/0,tcp,1:65535 0/0,0/0,udp,1:65535"
No. This doesn't make sense, as your network is masqueraded. Note, this option is to allow _other_ people access to computers in _your_ network.
> FW_FORWARD_MASQ=""
Same as above, this one for masqueraded computers.
> FW_KERNEL_SECURITY="yes"
While testing, you might want to set this to "no" until everything works.
Robert
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
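As a second added example, again not from the thread and not from SuSEfirewall2: a small checker that reads rc.config-style FW_* assignments and flags the settings Robert's reply objects to, namely a 1:65535 range in FW_SERVICES_EXT_* or FW_SERVICES_INT_* and FW_FORWARD rules whose source is 0/0. The two configs are constructed from the values quoted in the thread (the first as quoted in Robert's reply, the second from Thomas's later post); the rule set is this example's own and not an official check.

```python
"""Lint SuSEfirewall2 rc.config fragments for wide-open settings.

Added example: not from the thread and not SuSEfirewall2 code. The rules
below are this example's assumption; OPEN_CONFIG and TIGHT_CONFIG are
constructed from values quoted in the thread.
"""
import re
from typing import Dict, List

# The first config as quoted in the reply: every port open, forwarding from anywhere
OPEN_CONFIG = '''
FW_DEV_EXT="ppp0 eth0"
FW_DEV_INT="eth1"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.10.0/24,0/0,tcp,1:65535 192.168.10.0/24,0/0,udp,1:65535"
FW_PROTECT_FROM_INTERNAL="no"
FW_SERVICES_EXT_TCP="1:65535"   # Common: smtp domain
FW_SERVICES_EXT_UDP="1:65535"   # Common: domain
FW_SERVICES_INT_TCP="1:65535"   # Common: ssh smtp domain
FW_SERVICES_INT_UDP="1:65535"   # Common: domain syslog
FW_FORWARD="0/0,0/0,tcp,1:65535 0/0,0/0,udp,1:65535"
'''

# The tightened variant from the later post
TIGHT_CONFIG = '''
FW_DEV_EXT="ppp0 eth0"
FW_DEV_INT="eth1"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.159.0"
FW_PROTECT_FROM_INTERNAL="yes"
FW_SERVICES_EXT_TCP="ssh http"  # Common: smtp domain
FW_SERVICES_EXT_UDP="ssh http"  # Common: domain
FW_SERVICES_INT_TCP="ssh http"
FW_SERVICES_INT_UDP="ssh http"
FW_FORWARD=""
'''

# KEY="value" or KEY=value; anything after a closing quote (e.g. "# Common: ...") is ignored
ASSIGN_RE = re.compile(r'^\s*(?P<key>FW_[A-Z0-9_]+)=(?:"(?P<dq>[^"]*)"|(?P<bare>[^#\s]*))')
VAR_RE = re.compile(r"\$(?P<name>[A-Z_][A-Z0-9_]*)")


def parse_config(text: str) -> Dict[str, str]:
    """Read the sh-style assignments rc.config uses, skipping comment lines
    and expanding $VAR references to keys already seen (as sh would on source)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        raw = m["dq"] if m["dq"] is not None else m["bare"]
        cfg[m["key"]] = VAR_RE.sub(lambda v: cfg.get(v["name"], ""), raw)
    return cfg


def covers_all_ports(spec: str) -> bool:
    """True if any token of a FW_SERVICES_* list is a numeric range spanning 1:65535."""
    for tok in spec.split():
        lo, sep, hi = tok.partition(":")
        if sep and lo.isdigit() and hi.isdigit() and int(lo) <= 1 and int(hi) >= 65535:
            return True
    return False


def lint(cfg: Dict[str, str]) -> List[str]:
    """Findings for the settings the reply in the thread objects to."""
    findings: List[str] = []
    ext = cfg.get("FW_DEV_EXT", "the external interfaces")
    for key in ("FW_SERVICES_EXT_TCP", "FW_SERVICES_EXT_UDP"):
        if covers_all_ports(cfg.get(key, "")):
            findings.append(f'{key}="{cfg[key]}": opens every port on {ext}; '
                            'list only the services you offer, e.g. "ssh http"')
    for key in ("FW_SERVICES_INT_TCP", "FW_SERVICES_INT_UDP"):
        if covers_all_ports(cfg.get(key, "")):
            findings.append(f'{key}="{cfg[key]}": opens every port towards the internal network')
    for rule in cfg.get("FW_FORWARD", "").split():
        src = rule.split(",")[0]
        if src in ("0/0", "0.0.0.0/0"):
            findings.append(f"FW_FORWARD rule {rule}: source 0/0 lets anyone on the Internet "
                            "reach the forwarded destination; masqueraded clients do not need it")
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONFIG), ("tight", TIGHT_CONFIG)):
        print(f"== {name} ==")
        for f in lint(parse_config(text)) or ["no findings"]:
            print(" ", f)
```

parse_config() expands $FW_DEV_EXT in FW_MASQ_DEV the way sh does when the file is sourced, so a finding can name the actual external devices; the port-range check deliberately ignores service names, since "ssh http" in a FW_SERVICES_* variable is exactly what the reply recommends.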