Mailinglist Archive: opensuse-security (396 mails)

Re: [suse-security] 3 SuSEfirewall2 questions
  • From: Steffen Dettmer <steffen@xxxxxxx>
  • Date: Wed, 22 Jan 2003 09:29:46 +0100
  • Message-id: <20030122092946.E3328@xxxxxxxxx>
* Richard Ems wrote on Tue, Jan 21, 2003 at 18:32 +0100:
> 1) What is NEW_FW_MASQ_DEV good for?

I don't know. Isn't there documentation for SuSEfirewall2?

> FW_DEV_EXT="eth0 eth0:3"
> "filtered" and eth0:3 discarded. So after this filtering I have only
> FW_MASQ_DEV="eth0".

eth0:3 isn't a device but an alias IP. eth0 and eth0:anything are
always the same device (you cannot know on which of the logical
devices a packet gets received :))

> 2) I'm trying to connect from a public external ip (a) to a private
> internal masqueraded ip, over the public ip address (b) at eth0:3.
>
> From tcpdump on both the external and internal devices, packets are
> being correctly forwarded from ext to int, but when responses arrive at
> the internal device they are being dropped on the last forward_int chain
> rule.

I didn't understand your setup completely, but shouldn't the
response packet get masqueraded?

> For this to work I have set on /etc/sysconfig/SuSEfirewall2
> FW_FORWARD_MASQ="1.2.3.4,192.168.30.15,tcp,2222,22,5.6.7.8"

huh, what does the "tcp" do in a masq rule? I do not know
SuSEfirewall2 at all, but Masq is done on IP level and works
without knowledge of the encapsulated protocol, so you can also
ping through masq :)

oki,

Steffen

--
This letter was generated by machine,
it therefore bears neither signature nor seal.
