Mailinglist Archive: opensuse-security (396 mails)
Fwd: Re: [suse-security] 3 SuSEfirewall2 questions
- From: Harald Wallus <wallus@xxxxxxxxxxxxxxx>
- Date: Wed, 22 Jan 2003 09:21:42 +0100
- Message-id: <200301220921.42093.wallus@xxxxxxxxxxxxxxx>
On Tuesday 21 January 2003 18:32, Richard Ems wrote:
> Hi list.
>
> This is my 2nd try.
> I hope this time I get some answers ;-)
>
> I have 3 questions about SuSEfirewall2.
> This is a SuSE Linux 8.1 system.
>
> 1) What is NEW_FW_MASQ_DEV good for?
>
> I have in my /etc/sysconfig/SuSEfirewall2
>
> FW_DEV_EXT="eth0 eth0:3"
>
> and
>
> FW_MASQ_DEV="$FW_DEV_EXT"
>
>
> but in /sbin/SuSEfirewall2 (from SuSEfirewall2-3.1-26) FW_MASQ_DEV is
> "filtered" and eth0:3 discarded. So after this filtering I have only
> FW_MASQ_DEV="eth0".
>
> Is this needed/wanted? Why?
The SuSEfirewall2 script pays no attention to aliases in these device
definitions.
> ==========
> 2) I'm trying to connect from a public external ip (a) to a private
> internal masqueraded ip, over the public ip address (b) at eth0:3.
>
> From tcpdump on both the external and internal devices, packets are
> being correctly forwarded from ext to int, but when responses arrive at
> the internal device they are being dropped on the last forward_int chain
> rule.
>
> For this to work I have set on /etc/sysconfig/SuSEfirewall2
> FW_FORWARD_MASQ="1.2.3.4,192.168.30.15,tcp,2222,22,5.6.7.8"
>
> where 1.2.3.4 is the ext source public ip (a)
> and 5.6.7.8 is the public ip address (b)
>
> Does someone have any clue?
Your line is wrong: 192.168.30.15/32,5.6.7.8/32,tcp,22
<Internal IP that has to be masqueraded>/<netmask, 32 for a single IP>,<IP of the
public address, not of the external interface>/<netmask of this source, 32 for
a single IP>,<protocol, only tcp or udp is allowed>,<port on the public
interface, 80 to access a webserver>
It is not possible to do a redirect with these options.
There are some restrictions in SuSEfirewall2, but the advantage is that you can
configure it with vi.
> ==========
> 3) What do _ext/_int/_dmz mean on forward_xxx or input_xxx ?
> [forward|input]_packets_COMING_FROM_xxx
> or
> [forward|input]_packets_GOING_TO_xxx ???
I think you mean FW_SERVICES_DMZ_TCP and such definitions:
It means that you can access the defined port from the internal side with a
source port >1024.
I hope that helps you a bit. Perhaps you should try a sample configuration
first and extend that.
Another tool is fwbuilder, which I think looks very nice.
But I have to configure firewalls remotely and that's the reason I prefer
SuSEfirewall2.
Greetings
Harald
--
Dr. Harald Wallus
netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 1-90
Email: wallus@xxxxxxxxxxxxxxx Internet: http://netlike-gmbh.de
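As an added example that is not part of the original thread: a small checker for the two /etc/sysconfig/SuSEfirewall2 settings discussed above. The alias handling for FW_MASQ_DEV and the four-field FW_FORWARD_MASQ layout are taken from the reply in this thread and are assumptions here, not an authoritative SuSEfirewall2 specification; the config fragment is constructed to mirror the question.

```python
import ipaddress
import re

# Constructed sample fragment mirroring the settings quoted in the question.
SAMPLE_CONFIG = '''
FW_DEV_EXT="eth0 eth0:3"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_FORWARD_MASQ="1.2.3.4,192.168.30.15,tcp,2222,22,5.6.7.8"
'''

def parse_config(text):
    """Return {VAR: value} for KEY="value" lines, expanding $VAR references."""
    values = {}
    for m in re.finditer(r'^(\w+)="([^"]*)"', text, re.M):
        key, val = m.group(1), m.group(2)
        values[key] = re.sub(r'\$(\w+)', lambda r: values.get(r.group(1), ''), val)
    return values

def strip_aliases(devs):
    """Drop interface aliases such as eth0:3, as the reply says the
    firewall script does for FW_MASQ_DEV (assumption from the thread)."""
    seen = []
    for dev in devs.split():
        base = dev.split(':', 1)[0]
        if base not in seen:
            seen.append(base)
    return seen

def check_forward_masq(entry):
    """Validate one FW_FORWARD_MASQ entry against the layout given in the reply:
    <internal ip>/<mask>,<public ip>/<mask>,<tcp|udp>,<port>.
    Returns a list of problems; an empty list means the entry matches."""
    fields = entry.split(',')
    if len(fields) != 4:
        return [f'expected 4 fields, got {len(fields)}']
    problems = []
    for label, field in (('internal', fields[0]), ('public', fields[1])):
        try:
            if '/' not in field:
                raise ValueError('missing netmask')
            ipaddress.ip_network(field, strict=False)
        except ValueError:
            problems.append(f'{label} address must be ip/mask, got {field!r}')
    if fields[2] not in ('tcp', 'udp'):
        problems.append(f'protocol must be tcp or udp, got {fields[2]!r}')
    if not fields[3].isdigit() or not 1 <= int(fields[3]) <= 65535:
        problems.append(f'port must be 1-65535, got {fields[3]!r}')
    return problems
```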