Mailinglist Archive: opensuse-security (575 mails)

Re: [suse-security] SuseFirewall2 DMZ
  • From: Andreas J Mueller <andy@xxxxxxxxxx>
  • Date: Fri, 8 Nov 2002 16:03:36 +0100
  • Message-id: <12950872661.20021108160336@xxxxxxxxxx>

Hi Frédéric!

> if my public ip is 193.252.183.24 and i select URL
> http://193.252.183.24 in explore i must see my server web ?

That depends. *g* If you want to access your web server from a
machine connected to the internal network (192.168.1.0/24), you need
to give the _private_ IP address of the web server: http://192.168.5.2
If I would want to access your web server, I'd give the _public_ IP
address of your firewall: http://193.252.183.24

There are two reasons for this: Access to the external/public IP of
the firewall is prohibited from the internal network for security
reasons, you will see a SuSE-FW-NO_ACCESS_INT->FW_EXT if you log
dropped packets. Furthermore, the firewall does only DNAT (redirect)
connections coming in from the masquerading interface (ppp0) to the
web server in the DMZ.

To be able to access your web server in the DMZ from the
192.168.1.0/24 net, you need to forward connections between the DMZ
and the internal net. SuSEfirewall2 does not route anything between
different subnets by default. Masquerading is not involved here,
therefore you need at least to set

FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"

This will allow access to port 80 on your web server from any machine
in the 192.168.1.0/24 net. And, please set

FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"

to be able to see what exactly is going wrong.

Regards, Andy

--
Andreas J. Mueller email: <andy@xxxxxxxxxx>
PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602
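Added example (not part of the message above and not SuSEfirewall2's own code): a small Python check that parses an FW_FORWARD value and reports which new connections it would let through, using the entry from the message. It assumes entries are space-separated `source,destination[,protocol[,port]]`, that they match only in the source-to-destination direction, and that ports are numeric or `lo:hi` ranges; the function names and the `LOOSE` value are constructed for illustration.

```python
import ipaddress

# FW_FORWARD is the value from the message above; LOOSE is a constructed
# counter-example that omits protocol and port.
FW_FORWARD = "192.168.1.0/24,192.168.5.2,tcp,80"
LOOSE = "192.168.1.0/24,192.168.5.0/24"


def parse_fw_forward(value):
    """Parse space-separated 'source,destination[,protocol[,port]]' entries."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        if len(parts) < 2:
            raise ValueError(f"malformed FW_FORWARD entry: {entry!r}")
        rules.append({
            "entry": entry,
            "src": ipaddress.ip_network(parts[0], strict=False),
            "dst": ipaddress.ip_network(parts[1], strict=False),
            "proto": parts[2].lower() if len(parts) > 2 and parts[2] else None,
            # Assumption: port is a number or a lo:hi range, not a service name.
            "port": parts[3] if len(parts) > 3 and parts[3] else None,
        })
    return rules


def _port_ok(spec, port):
    """A missing port field matches every port; otherwise check the range."""
    if spec is None:
        return True
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)


def is_forwarded(rules, src, dst, proto, port):
    """True if a new connection src -> dst:port matches at least one rule."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in r["src"] and d in r["dst"]
        and r["proto"] in (None, proto.lower())
        and _port_ok(r["port"], port)
        for r in rules
    )


def broad_entries(rules):
    """Entries that forward every protocol or every port between two nets."""
    return [r["entry"] for r in rules if r["proto"] is None or r["port"] is None]
```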

