Heya :)

On Sunday 01 December 2002 23:01, Using SuSE wrote:
> Hello Justin,
>
> --- "Justin T." wrote:
> > The spoofing that SuSE applies blocks all internal IP addresses from being able to access the external IP address of the server, regardless of the fact that they are received from inside. At least this is what I have seen from SuSEfirewall2.
>
> I would suspect such a feature already got some excitement around here, but I'm not able to find references to it anywhere, as the SuSE mailing list archives on their own are not indexed, and for a worldwide (meta)search I'm probably missing the proper keywords.
I guess that might be why I couldn't really find anything on this then.
> > be blocked as it is coming from the external and not the internal interface.
>
> Then I would ask why not allow the internal masqueraded network to access the router with no limitations in the general configuration of FW2 for the great majority of home users who are in control? Is the reason for it to be protected from malicious employees in small company networks?
On most firewalls, when you tell them that the internal net is trusted, they will do that and allow it full control. I'm not sure why SuSE doesn't allow this, though I can see it if it is set to be used in more of an office environment, but for a general home network or trusted office this really can cause some problems.
> > FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom"
> > EXT_IP=`ifconfig | grep -A 1 ppp0 | grep inet | awk '{ print $2 }' | awk -F : '{ print $2 }'`
> > possibility of accessing this via the route command, however that does not give me my actual IP.
>
> You mean that your way is also suitable in the situation when the IP from the DSL provider changes because the network disconnects after some time and a new IP is provided on dial-in?
Yup. It takes the external IP address that is given by the ISP and uses it, so that won't be a problem. (I had seen some setups, but they were all for static IPs; this one, however, is good for dynamic IPs.)
> > And the second line that I add is in the fw_custom_before_antispoofing() section:
> > iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d $EXT_IP -j ACCEPT
>
> Thanks, I will surely try it out right now and report.
I hope it helps, even if it doesn't work, maybe it is a step in the right direction.

Justin T
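The "let the LAN reach the router's external address" exception from the thread, as an added shell example that is not from the original posts. It keeps the two pieces Justin describes (derive EXT_IP from ifconfig, then the `-i eth0 ... -d $EXT_IP` ACCEPT rule) but prints the iptables command instead of running it, so it can be checked offline. The ifconfig text, the 192.168.1.0/24 LAN and the 203.0.113.x addresses are constructed sample data, and `demo_rule` is a hypothetical stand-in for what the real `fw_custom_before_antispoofing()` hook would do. It also handles the failure mode the one-liner in the thread does not: when ppp0 is down, EXT_IP comes back empty and the unquoted `-d $EXT_IP` collapses into `-d -j ACCEPT`, which iptables rejects; here the rule is refused instead.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumed names: eth0 = LAN side,
# ppp0 = DSL side, 192.168.1.0/24 = LAN; 203.0.113.x / 198.51.100.x are
# documentation addresses used as constructed sample data.

# Constructed sample of net-tools ifconfig output (the 2002-era format the
# original grep/awk chain expects), with the PPP link up.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
'

# Print the IPv4 address of interface $1 from ifconfig text on stdin.
# Unlike "grep -A 1 ppp0 | grep inet" it keys on the interface header line,
# so it does not depend on the inet line being exactly one line below the
# name, and it accepts both "inet addr:1.2.3.4" (net-tools) and
# "inet 1.2.3.4" (newer ifconfig). Prints nothing when the interface is
# absent or has no IPv4 address.
ext_ip_from_ifconfig() {
    awk -v ifname="$1" '
        /^[^ \t]/ { cur = $1; sub(/:$/, "", cur) }   # header: "ppp0  ..." or "ppp0: ..."
        cur == ifname && match($0, /inet (addr:)?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^inet (addr:)?/, "", s)
            print s
            exit
        }'
}

# Emit the rule from the thread for LAN interface $1, LAN network $2 and
# external IP $3. Bound with -i to the internal interface, it only admits
# packets that actually arrived on the LAN side; traffic arriving on ppp0
# is still subject to the antispoofing rules. Refuses to emit anything when
# the external IP is empty (ppp0 down), where the original unquoted $EXT_IP
# would produce "iptables ... -d -j ACCEPT", which iptables rejects.
lan_to_ext_rule() {
    _lan_if=$1; _lan_net=$2; _ext_ip=$3
    case $_ext_ip in
        *.*.*.*) ;;
        *) echo "no external IPv4 address found; not emitting rule" >&2; return 1 ;;
    esac
    printf 'iptables -A INPUT -i %s -s %s -d %s -j ACCEPT\n' "$_lan_if" "$_lan_net" "$_ext_ip"
}

# Hypothetical dry run of what fw_custom_before_antispoofing() in the
# FW_CUSTOMRULES file would do; a real hook would pipe `ifconfig` in
# instead of the constructed sample.
demo_rule() {
    ext=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ext_ip_from_ifconfig ppp0)
    lan_to_ext_rule eth0 192.168.1.0/24 "$ext"
}

demo_rule
```

Run it as a plain script and it prints the single ACCEPT rule for the sample address; feed it the output of a real `ifconfig` on a box where ppp0 is down and `lan_to_ext_rule` exits non-zero instead of handing iptables a malformed command.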