Mailinglist Archive: opensuse-security (396 mails)
Re: [suse-security] SuSEfirewall2: ping from masqueraded net
- From: Richard Ems <r.ems.mtg@xxxxxxx>
- Date: Sat, 11 Jan 2003 13:26:42 +0100
- Message-id: <3E200D82.8060604@xxxxxxx>
Togan Muftuoglu wrote:
Yes, FW_ALLOW_HIGHPORTS_UDP is set to "yes"!
I think I wasn't clear enough.
My internal net has no access to the internet.
Only http/ftp access through a squid proxy server.
But I would like to allow ping and traceroute from the internal net, and ONLY ping and traceroute.
How can I achieve this using FW_MASQ_NETS if it doesn't allow me to give icmp as a protocol? Or are icmp packets from the int. net always masqueraded and I don't need any tweaking?
Here is my /etc/sysconfig/SuSEfirewall2:
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.10.2/32"
Here I would like to write something like:
---> FW_MASQ_NETS="192.168.10.2/32 192.168.20.0/24,0/0,icmp" !!!
====
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_INT_UDP="ntp"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.53.103.103,udp,123 192.53.103.104,udp,123"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
--
Richard Ems
... e-mail: r.ems@xxxxxxx
... Computer Science, University of Hamburg
Unix IS user friendly. It's just selective about who its friends are.
* Richard Ems; <r.ems.mtg@xxxxxxx> on 10 Jan, 2003 wrote:
Hi list!
SuSE Linux 8.1, SuSEfirewall2-3.1-26
I'm trying to ping and traceroute from the internal masqueraded net.
But the internal masq. net should only ping/traceroute, nothing else.
The problem is that in FW_MASQ_NETS only tcp and udp are accepted, icmp is not. Why?
So setting
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
and
FW_ALLOW_FW_TRACEROUTE="yes"
isn't enough, the internal net isn't masqueraded as it should.
Any ideas how to do this?
How is your FW_ALLOW_HIGHPORTS_UDP set? If "yes", it should work.
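Added example, not from this thread and not code from the SuSEfirewall2 project: a POSIX sh script that does in plain iptables what the wished-for FW_MASQ_NETS="... 192.168.20.0/24,0/0,icmp" line cannot express. It forwards and masquerades only ICMP echo-request and classic UDP traceroute probes from the internal net, lets the conntrack module admit the replies (echo-reply, time-exceeded, port-unreachable) as ESTABLISHED/RELATED, and logs and drops everything else from that net. Assumptions: the interface layout from the posted config (eth0 external, eth1 internal) and the 192.168.20.0/24 net from the wished-for line; the UDP range 33434:33523 is the classic UNIX traceroute probe range (30 hops times 3 probes), which is a convention of that tool, not something the thread states. By default the script only prints the rules; APPLY=yes runs the real iptables binary, which needs root.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 project code): forward and masquerade ONLY
# ping (ICMP echo-request) and classic UDP traceroute from an internal net.
# Assumed from the thread's config: eth0 external, eth1 internal,
# 192.168.20.0/24 is the net that should get ping/traceroute and nothing else.

INT_NET=${INT_NET:-192.168.20.0/24}
INT_DEV=${INT_DEV:-eth1}
EXT_DEV=${EXT_DEV:-eth0}
# Classic UNIX traceroute sends UDP probes to 33434 and upward: 30 hops x 3
# probes covers 33434..33523. This is a traceroute convention, not from the thread.
TR_PORTS="33434:33523"

# Dry run by default so the rules can be reviewed; APPLY=yes uses real iptables.
IPT="echo iptables"
if [ "${APPLY:-no}" = "yes" ]; then
    IPT=iptables
fi

# Emit (or apply) the rule set for net $1 leaving via $2 towards $3.
masq_ping_traceroute_only() {
    net=$1; idev=$2; edev=$3
    # Outbound from the internal net: permit only echo-request and traceroute probes.
    $IPT -A FORWARD -i "$idev" -o "$edev" -s "$net" -p icmp --icmp-type echo-request -j ACCEPT
    $IPT -A FORWARD -i "$idev" -o "$edev" -s "$net" -p udp --dport "$TR_PORTS" -j ACCEPT
    # Return traffic: ip_conntrack tracks echo-reply as ESTABLISHED and the ICMP
    # time-exceeded / port-unreachable answers to traceroute as RELATED, so no
    # per-type reply rules are needed and nothing unsolicited gets in.
    $IPT -A FORWARD -i "$edev" -o "$idev" -d "$net" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anything else the net tries to send through the box is logged, then dropped
    # (mirrors the FW_LOG_DROP_ALL="yes" setting in the posted config).
    $IPT -A FORWARD -i "$idev" -s "$net" -j LOG --log-prefix "SuSE-FW-custom-DROP "
    $IPT -A FORWARD -i "$idev" -s "$net" -j DROP
    # NAT only what FORWARD lets through, keyed on protocol, so the net does not
    # have to appear in FW_MASQ_NETS at all.
    $IPT -t nat -A POSTROUTING -s "$net" -o "$edev" -p icmp -j MASQUERADE
    $IPT -t nat -A POSTROUTING -s "$net" -o "$edev" -p udp --dport "$TR_PORTS" -j MASQUERADE
}

# Number of rules the function emits; handy for a quick sanity check in dry-run mode.
count_rules() {
    masq_ping_traceroute_only "$@" | wc -l | tr -d ' '
}

masq_ping_traceroute_only "$INT_NET" "$INT_DEV" "$EXT_DEV"
```

These rules sit beside, not inside, the FW_MASQ_NETS mechanism: the internal net stays out of FW_MASQ_NETS, and the NAT rules are restricted by protocol so that a host on 192.168.20.0/24 never gets a masqueraded TCP connection even if a FORWARD rule were later loosened. SuSEfirewall2 exposes FW_CUSTOMRULES for exactly this kind of addition (the posted config has it empty); as I recall it, that variable points at a script with hook functions such as fw_custom_before_masq into which the function call above can be pasted, but check the custom-rules template shipped with version 3.1-26 before relying on that hook name.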