Mailinglist Archive: opensuse-security (575 mails)
Re: [suse-security] Q: Customizing SuSE80 FW2 router to run service in internal network with dynamic dial-up
- From: Using SuSE <usingsuse80@xxxxxxxxx>
- Date: Sun, 1 Dec 2002 14:01:17 -0800 (PST)
- Message-id: <20021201220117.87186.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
Hello Justin,
--- "Justin T." <justint@xxxxxxx> wrote:
> The spoofing that SuSE applies blocks all internal
> ip addresses from being
> able to access the external IP address of the
> server, regardless of the fact
> that they are received from inside. At least this
> is what I have seen from
> SuSEfirewall2.
I would suspect such a feature already got some
excitement around here, but I'm not able to find
references to it anywhere, as the SuSE mailing list
archives on their own are not indexed and for
worldwide (meta)search I'm probably missing proper
keywords.
> be blocked as it is
> coming from the external and not the internal
> interface.
Then I would ask why not allow internal masqueraded
network to access router with no limitations in
general configuration of FW2 for great majority of
home users who are in control? Is the reason for it to
be protected from malicious employees in small company
networks?
> FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom"
> EXT_IP=`ifconfig | grep -A 1 ppp0 | grep inet | awk '{ print $2 }' | awk -F : '{ print $2 }'`
> possibility of accessing this via the route command,
> however that does not
> give me my actual IP.
You mean according to your way it is also suitable in
a situation when the IP from the DSL provider changes because
the network disconnects after some time and a new IP is
provided on dial-in?
> And the second line that I add is in the
> fw_custom_before_antispoofing()
> section:
> iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d $EXT_IP -j ACCEPT
Thanks, I will surely try it out right now and report.
> suggestions on what might work better please let me
> know.
Me too. Nevertheless, I am happy to get it working at
least as you did.
> really seen any information on
> accessing the external ip with the SuSEfirewall2
> from the internal network
> (other than people saying it isn't good because of
> spoofing...)
Same for me, but I think something like that is good
to have.
Time flies,
Peter.
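
An added example, not part of the original mail or of SuSEfirewall2: the quoted EXT_IP lookup returns an empty string while ppp0 is down, and the quoted rule would then expand with nothing after -d, so this sketch parses the address per interface and emits the rule only when the value is a valid IPv4 address. The function names and the sample ifconfig text are constructed for illustration; the interface names and the LAN network are the ones quoted above.

```shell
# Added example: helper names are hypothetical, sample ifconfig text is constructed.

# Print the IPv4 address of interface $1 from ifconfig-style text on stdin.
# Accepts the older "inet addr:A.B.C.D" form and the newer "inet A.B.C.D".
ext_ip_from_ifconfig() {
    awk -v ifc="$1" '
        { c = substr($0, 1, 1) }
        # An unindented, non-empty line starts a new interface stanza.
        NF && c != " " && c != "\t" { cur = $1; sub(/:$/, "", cur) }
        cur == ifc && $1 == "inet" { a = $2; sub(/^addr:/, "", a); print a; exit }'
}

# Succeed only for four dot-separated decimal octets in the range 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Print the ACCEPT rule quoted in the thread, or fail without printing a rule.
# $1 = LAN interface, $2 = LAN network, $3 = candidate external address
lan_to_ext_rule() {
    is_ipv4 "$3" || { echo "no valid external address, rule skipped" >&2; return 1; }
    echo "iptables -A INPUT -i $1 -s $2 -d $3 -j ACCEPT"
}

# Constructed sample: ppp0 connected.
SAMPLE_UP='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255'

# Constructed sample: ppp0 not yet dialled, so only eth0 is listed.
SAMPLE_DOWN='eth0      Link encap:Ethernet  HWaddr 00:00:5E:00:53:01
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0'

ip_up=$(printf '%s\n' "$SAMPLE_UP" | ext_ip_from_ifconfig ppp0)
lan_to_ext_rule eth0 192.168.1.0/24 "$ip_up"
ip_down=$(printf '%s\n' "$SAMPLE_DOWN" | ext_ip_from_ifconfig ppp0)
lan_to_ext_rule eth0 192.168.1.0/24 "$ip_down" || true
```

The helpers print the rule text instead of running iptables, so the output can be inspected before it is placed in the custom rules file.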