I tried these configs, and with the aliases eth0:1 and eth0:2 only in
FW_DEV_DMZ all I got was SuSE-FW-UNAUTHORIZED-TARGET; adding eth0 in there
as well got me SuSE-FW-DROP-SPOOF messages in my logfile. By putting the
aliases in FW_DEV_EXT I made more progress, in that I can now see
SuSE-FW-ACCEPT-TRUST inbound messages from my test machine (emulated
vendor) destined for the IP address of the eth0:1 alias, but a complete
lack of the FW_FORWARD_MASQ operation happening. According to all the
examples I've looked at, it seems the first IP address in each line of
FW_FORWARD_MASQ must be the outside address coming in (i.e. my vendor, who
wants to get to one of my internal pcAnywhere hosts), and the second
address in each FW_FORWARD_MASQ line is the internal address of the
destination host. I guess what I need is a way to specify three IP
addresses for each forward_masq operation: first the originating source
address, secondly the external IP alias on the firewall, and thirdly the
interior IP address of the particular pcAnywhere host, something like:
vendor's ip address = x.y.z.123
external ip of eth0 = a.b.c.100
external ip of eth0:1 = a.b.c.101
external ip of eth0:2 = a.b.c.102
interior pcanywhere host 1 = 192.168.1.10
interior pcanywhere host 2 = 192.168.1.11
interior pcanywhere host 3 = 192.168.1.12
If only the FW_FORWARD_MASQ supported the concept of three addresses such
as:
source_ip,firewalls_external_ip,interior_destination_ip,protocol,portnumber
then I'd be really happy.
FW_FORWARD_MASQ = "x.y.z.123,a.b.c.100,192.168.1.10,tcp,5631 \
x.y.z.123,a.b.c.100,192.168.1.10,udp,5632 \
x.y.z.123,a.b.c.101,192.168.1.11,tcp,5631 \
x.y.z.123,a.b.c.101,192.168.1.11,udp,5632 \
x.y.z.123,a.b.c.102,192.168.1.12,tcp,5631 \
x.y.z.123,a.b.c.102,192.168.1.12,udp,5632"
but alas, it only supports two IP addresses, the originating source and the
final internal destination, like:
FW_FORWARD_MASQ = "x.y.z.123,192.168.1.10,tcp,5631 \
x.y.z.123,192.168.1.10,udp,5632"
and putting the external firewall address in the first part doesn't work.
If anyone has any other ideas of making such a scenario work, I'd sure
appreciate the help, otherwise I guess I'm going to go back to the single
external ip on the firewall with alternate port numbers for my various
interior pcanywhere hosts and just tell my vendor that his poor little
childish support staff are just going to have to learn how to deal with
using alternate ports in their pca remotes, that this is all I can support
on my end and if he wants to continue to get my business he'll have to do
things my way.
-----Original Message-----
From: Togan Muftuoglu
Sent: Tuesday, November 26, 2002 5:37 PM
To: Suse-Security
Subject: Re: [suse-security] SuSEfirewall2: external ip aliases with forward / masq?
* Howard, Neal;
> I'll try it out tomorrow, it's been a long day here in Texas too and my
> brain hurts right now!
I know the feeling :-)
> I'm guessing I should use the external ip aliases in the first part of
> each stanza of FW_FORWARD_MASQ instead of putting the vendor's ip address
> in that place like I was doing?
Now although I said
FW_DEV_EXT="eth0 eth0:1 eth0:2"
It's better to have the aliases eth0:1 and eth0:2 in FW_DEV_DMZ and then
FW_FORWARD_MASQ them for the vendor; this way it should be both secure and
doable (cross your fingers)
--
Togan Muftuoglu
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
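The three-address mapping Neal wishes FW_FORWARD_MASQ supported (vendor source, external alias on the firewall, interior pcAnywhere host) is easy to express directly in iptables: a DNAT in nat/PREROUTING that matches on both the source address and the alias as destination, plus the FORWARD accepts. The script below is an added example written for this editing pass; it is not code from the thread and not what SuSEfirewall2 generates. The interface names eth0/eth1, the rule layout, and the dry-run-by-default behaviour are my assumptions; the addresses are the thread's own placeholders (x.y.z.123, a.b.c.10x, 192.168.1.1x), not real ones.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEfirewall2.
# Implements the mapping the thread asks for, one line per rule set:
#   source_ip,firewalls_external_ip,interior_destination_ip,protocol,port
# as plain iptables rules. eth0/eth1 and all addresses are placeholders.

WAN_IF=${WAN_IF:-eth0}   # assumed: external interface carrying the aliases
LAN_IF=${LAN_IF:-eth1}   # assumed: interface facing the pcAnywhere hosts
# Dry run by default: prints the rules. Run with IPTABLES=iptables to load them.
IPTABLES=${IPTABLES:-echo}

# Constructed mapping table in the five-field form from the thread
# (pcAnywhere: 5631/tcp data, 5632/udp status).
MAPPINGS='x.y.z.123,a.b.c.100,192.168.1.10,tcp,5631
x.y.z.123,a.b.c.100,192.168.1.10,udp,5632
x.y.z.123,a.b.c.101,192.168.1.11,tcp,5631
x.y.z.123,a.b.c.101,192.168.1.11,udp,5632
x.y.z.123,a.b.c.102,192.168.1.12,tcp,5631
x.y.z.123,a.b.c.102,192.168.1.12,udp,5632'

# forward_masq SRC EXT INT PROTO PORT
# One mapping needs two rules: a DNAT in nat/PREROUTING that only fires for
# packets from SRC addressed to the alias EXT, and a FORWARD accept for the
# rewritten packet on its way to INT. Matching on "-d EXT" is exactly what
# the two-address FW_FORWARD_MASQ syntax in the thread cannot express.
forward_masq() {
    src=$1 ext=$2 int=$3 proto=$4 port=$5
    $IPTABLES -t nat -A PREROUTING -i "$WAN_IF" -s "$src" -d "$ext" \
        -p "$proto" --dport "$port" -j DNAT --to-destination "$int:$port"
    $IPTABLES -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -s "$src" -d "$int" \
        -p "$proto" --dport "$port" -m state --state NEW -j ACCEPT
}

# apply_all MAPPINGS
# Adds the shared return-path rule once, then one forward_masq per line.
apply_all() {
    # Replies from the interior hosts are de-NATed by conntrack; they only
    # need to be allowed back through FORWARD as ESTABLISHED/RELATED.
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$WAN_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$1" | while IFS=, read -r src ext int proto port; do
        [ -n "$src" ] || continue          # skip blank lines
        forward_masq "$src" "$ext" "$int" "$proto" "$port"
    done
}

# dnat_count MAPPINGS -> number of DNAT rules the table produces (dry run),
# a quick sanity check that every mapping line was parsed.
dnat_count() {
    (IPTABLES=echo; apply_all "$1") | grep -c -- '-j DNAT'
}

apply_all "$MAPPINGS"
```

Two caveats when using this next to SuSEfirewall2: the alias addresses must actually be configured on eth0 so the firewall answers ARP for them (the thread's SuSE-FW-ACCEPT-TRUST log lines show that part working), and SuSEfirewall2 flushes and rebuilds the tables whenever it restarts, so hand-loaded rules have to be reapplied afterwards or placed in whatever custom-rules hook your installed version provides (check the script you have; the hook's name is version-dependent and not something this example assumes).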