On Sunday 01 December 2002 14:44, Steffen Dettmer wrote:
* Using SuSE wrote on Sat, Nov 30, 2002 at 19:20 -0800:
First, I was intrigued by the fact that although I can ping everything outside, I cannot ping this dyn IP nor my domain (translated to correct IP) from my internal, masqueraded network.
<snip>
I understand it to be some anti-spoofing feature of FW to protect it from internal network.
anti-spoofing acts on source, not on destination addresses. There is nothing like "spoofing destination addresses" :)
The spoofing that SuSE applies blocks all internal IP addresses from being able to access the external IP address of the server, regardless of the fact that they are received from inside. At least this is what I have seen from SuSEfirewall2. I noticed the anti-spoofing info in my logs and finally found something that works for me, though I can't guarantee how safe this is. From what I can tell this should allow my internal computers to access the external interface using their IPs, but the outer spoofing would still be blocked as it is coming from the external and not the internal interface.

This is from SuSE 8.1, so the filename or directories may be different for you. I edited the /etc/sysconfig/SuSEfirewall2 first and at the bottom added a filename into the FW_CUSTOMRULES line pointing to the SuSEfirewall2-custom (I also moved this into the main /etc/sysconfig directory from the /etc/sysconfig/scripts directory as it is easier to find that way.)

    FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom"

In this file I added two lines. The first line I added at the top after the comments:

    EXT_IP=`ifconfig | grep -A 1 ppp0 | grep inet | awk '{ print $2 }' | awk -F : '{ print $2 }'`

This all being on one line. This is a quick script that I threw together to pull the IP address from the external interface. There is also the possibility of accessing this via the route command, however that does not give me my actual IP.

And the second line that I add is in the fw_custom_before_antispoofing() section:

    iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d $EXT_IP -j ACCEPT

This will allow all input from eth0 (the ethernet card for my internal network) with IP addresses in the 192.168.1.0 network to access the external IP address. Now this has been working nicely for me, however if anyone has some more suggestions on what might work better please let me know.
Hope that might help someone because I haven't really seen any information on accessing the external IP with the SuSEfirewall2 from the internal network (other than people saying it isn't good because of spoofing...)

Justin T
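The two custom lines above depend on the grep/awk pipeline actually producing an address: if ppp0 is down or the ifconfig output format differs, EXT_IP ends up empty and the iptables line is handed a malformed "-d" argument. The POSIX sh below is an added example, not code from the thread or from SuSEfirewall2: it parses old-style "inet addr:" ifconfig output for a named interface, checks that the result is a dotted-quad IPv4 address, and only then builds the same iptables rule (internal interface, internal source net, external destination). The ifconfig output and the 203.0.113.7 address are constructed sample data; the interface names eth0/ppp0 and the 192.168.1.0/24 network are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original thread): extract the external IP from
# ifconfig-style output and build the SuSEfirewall2 custom rule with a sanity
# check, so that an empty or garbage address never reaches iptables.

# Constructed sample ifconfig output in the old "inet addr:" format that the
# thread's awk pipeline expects. ppp0 is the dial-up (external) interface.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

ppp0      Link encap:Point-to-Point Protocol
          inet addr:203.0.113.7  P-t-P:203.0.113.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1'

# ext_ip_from_ifconfig IFACE  (reads ifconfig output on stdin)
# Prints the IPv4 address of IFACE, or nothing if that interface has none.
# Unlike "grep -A 1 ppp0", this tracks interface blocks explicitly, so a
# different line order or an extra line under ppp0 does not break it.
ext_ip_from_ifconfig() {
    awk -v iface="$1" '
        # a line starting in column 1 begins a new interface block
        /^[^ \t]/ { cur = $1 }
        cur == iface && /inet addr:/ {
            sub(/.*inet addr:/, ""); sub(/[ \t].*/, "")
            print; exit
        }'
}

# is_ipv4 ADDR: succeeds only if ADDR is a dotted quad (rough shape check).
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# build_rule INT_IFACE INT_NET EXT_IP
# Prints the rule from the thread: accept traffic arriving on the internal
# interface, from the internal network, addressed to the external IP only.
# Refuses to generate anything when EXT_IP is not a well-formed address.
build_rule() {
    int_iface=$1; int_net=$2; ext_ip=$3
    if ! is_ipv4 "$ext_ip"; then
        echo "build_rule: no valid external address, rule not generated" >&2
        return 1
    fi
    printf 'iptables -A INPUT -i %s -s %s -d %s -j ACCEPT\n' \
        "$int_iface" "$int_net" "$ext_ip"
}

# Demonstration on the constructed sample. Inside
# fw_custom_before_antispoofing() one would pipe the real `ifconfig` output
# into ext_ip_from_ifconfig instead and run the printed command.
EXT_IP=$(printf '%s\n' "$SAMPLE_IFCONFIG" | ext_ip_from_ifconfig ppp0)
build_rule eth0 192.168.1.0/24 "$EXT_IP"
```

Because the rule matches on the internal interface and the internal source network, a packet arriving on ppp0 with a forged 192.168.1.x source still falls through to the normal anti-spoofing checks; the function only narrows what the custom rule can accept, it does not widen it.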