Mailinglist Archive: opensuse-security (300 mails)

Re: [suse-security] Need help masquerading PPTP/GRE
  • From: Brian Topping <topping@xxxxxxxxx>
  • Date: Tue, 1 Apr 2003 10:13:34 -0800 (PST)
  • Message-id: <200304011813.h31IDY3P013146@xxxxxxxxx>
I should also ask if there is a way to get debug messages for the
masquerade/NAT code, I might be able to figure out what is going on
better. All that I have been able to determine is that the GRE packets
are arriving at the router but not passing through. I realize these are
difficult to help with "over the phone", but if anyone has personal
experience with debugging NAT and knows of other logging flags I should
set, that information would be greatly appreciated!

best,

-b
>
> Good day all!
>
> I'm having some issues with my masquerading setup. I moved the machine
> to a new IP address, and masquerading for PPTP/GRE suddenly stopped
> working from the outside. I've sniffed packets, the authentication is
> happening fine and the initial GRE is sent from the client to the
> server, but the GRE never passes over the masquerade. I've enclosed my
> SuSEFirewall2 config below.
>
> Can anyone assist? I believe the problem may have to do with the fact
> that the router was up for 311 days before I moved it to the new
> ip address and there must have been some change which only showed up
> after reboot. To be sure, I've pulled down the 2.1 version of
> SuSEfirewall2, and I am running a 2.4.10 kernel from the 7.3 distro.
>
> Thanks kindly,
>
> Brian
>
> i=============i
>
> # ###########
> # Scenario 4:
> # This company has got a more complex setup:
> #
> # Internet
> # |
> # | Webserver
> # | |
> # SuSE-Firewall-------
> # |
> # |---Mailserver
> # |
> # |---Database
> # |
> # Internal LAN
> #
> # All Mail is delivered to the firewall. It also provides DNS service to
> # internal and external.
> # There's a DMZ where a Webserver resides (port 80 and port 443) which
> # needs
> # to connect to the Firewall to deliver mail to internal, send syslog
> # messages and do domain lookups. It needs also direct access to the
> # internal
> # database (bad idea!).
> # All mail which is delivered to the firewall, is sent to the internal
> # mailserver. The mailserver sends all mail to the internet to the
> # firewall.
> # Internal PCs which access the internet should be masqueraded.
> # external fw interface: eth2
> # dmz fw interface: eth1
> # internal fw interface: eth0
> # ip of database: 192.168.1.3, tcp port for database is 4545
> # ip of webserver: 200.200.200.200 (this is an official, assigned
> # address!)
> # internal LAN: 192.168.1.0 netmask 255.255.255.0
> #
> # TODO: the nameserver on the firewall needs to be setup
> # "split-brained". See
> # the DNS How-to. The mailserver on the firewall needs to be setup as a
> # forwarder/relayer. The mailserver on the internal network gets the
> # firewall
> # as forwarder/relay configured.
>
> START_FW2="yes"
> FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
> FW_DEV_EXT="eth0"
> FW_DEV_DMZ="eth1"
> FW_DEV_INT="eth2"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="192.168.0.0/24"
> FW_SERVICES_EXT_TCP="22 25 53 123"
> FW_SERVICES_EXT_UDP="53 123"
> FW_SERVICES_DMZ_TCP="25 53"
> FW_SERVICES_DMZ_UDP="53 123 514"
> FW_SERVICES_INT_TCP="22 25 53 80 123"
> FW_SERVICES_INT_UDP="53 123"
> FW_SERVICE_DNS="yes"
> DNS_PORT="53"
> #FW_FORWARD_MASQ="61.0.0.0/8,192.168.0.100,tcp,8888
> 0/0,192.168.0.2,tcp,1723 0/0,192.168.0.2,tcp,443 "
> FW_FORWARD_MASQ="0/0,192.168.0.100,tcp,8888 0/0,192.168.0.2,tcp,1723
> 0/0,192.168.0.2,tcp,443 "
> FW_FORWARD="204.152.97.10,0/0,tcp,80 204.152.97.10,0/0,tcp,21
> 192.168.1.100,204.152.97.10 204.152.97.10,192.168.1.100
> 204.152.97.10,192.168.0.11,tcp,3306 204.152.97.10,192.168.0.11,tcp,11009
> 0/0,204.152.97.10,tcp,25 204.152.97.10,0/0,tcp,25
> 0/0,204.152.97.0/24,tcp,22 0/0,204.152.97.0/24,tcp,21
> 0/0,204.152.97.0/27,tcp,80 0/0,204.152.97.10,tcp,443
> 0/0,204.152.97.11,tcp,443 204.152.97.10,0/0,tcp,110"
> FW_INPUT="0/0,204.152.97.1,udp,53"
> FW_ALLOW_PING_DMZ="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
>
> #
> # 7.)
> # Do you want to protect the firewall from the internal network?
> # REQUIRES: FW_DEV_INT
> #
> # If you set this to "yes", internal machines may only access services
> # on
> # the machine you explicitly allow. They will be also affected from the
> # FW_AUTOPROTECT_SERVICES option.
> # If you set this to "no", any user can connect (and attack) any service
> # on
> # the firewall.
> #
> # Choice: "yes" or "no", defaults to "yes"
> #
> # "yes" is a good choice
> FW_PROTECT_FROM_INTERNAL="no"
>
> #
> # 8.)
> # Do you want to autoprotect all running network services on the
> # firewall?
> #
> # If set to "yes", all network access to services TCP and UDP on this
> # machine
> # will be prevented (except to those which you explicitly allow, see
> # below:
> # FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
> #
> # Choice: "yes" or "no", defaults to "yes"
> #
> FW_AUTOPROTECT_SERVICES="no"
> # For VPN/Routing which END at the firewall!!
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_EXT_IP=""
> # For VPN/Routing which END at the firewall!!
> FW_SERVICES_INT_IP=""
>
> #
> # 10.)
> # Which services should be accessible from trusted hosts/nets?
> #
> # Define trusted hosts/networks (doesn't matter if they are internal or
> # external) and the TCP and/or UDP services they are allowed to use.
> #
> # Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
> # networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
> # Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
> # Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
> #
> FW_TRUSTED_NETS=""
>
> #
> # 12.)
> # Are you running some of the services below?
> # They need special attention - otherwise they won't work!
> #
> # Set services you are running to "yes", all others to "no", defaults to
> # "no"
> #
> FW_SERVICE_AUTODETECT="no" # Autodetect the services below when
> starting
> #
> # if you use dhclient to get an ip address you have to set this to "yes"
> # !
> FW_SERVICE_DHCLIENT="no"
> #
> # set to "yes" if this server is a DHCP server
> FW_SERVICE_DHCPD="no"
> #
> # set to "yes" if this server is running squid. You still have to open
> # the
> # tcp port 3128 to allow remote access to the squid proxy service.
> FW_SERVICE_SQUID="no"
> #
> # set to "yes" if this server is running a samba server. You still have
> # to open
> # the tcp port 139 to allow remote access to SAMBA.
> FW_SERVICE_SAMBA="no"
>
> #
> # 15.)
> # Which accesses to services should be redirected to a localport on the
> # firewall machine?
> #
> # This can be used to force all internal users to surf via your squid
> # proxy,
> # or transparently redirect incoming webtraffic to a secure webserver.
> #
> # Choice: leave empty or use the following explained syntax of
> # redirecting
> # rules, separated by a space.
> # A redirecting rule consists of 1) source IP/net, 2) destination
> # IP/net,
> # 3) protocol (tcp or udp), 4) original destination port and 5) local
> # port to
> # redirect the traffic to, separated by a colon. e.g.:
> # "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
> #
> FW_REDIRECT=""
>
> #
> # 16.)
> # Which logging level should be enforced?
> # You can define to log packets which were accepted or denied.
> # You can also the set log level, the critical stuff or everything.
> # Note that logging *_ALL is only for debugging purpose ...
> #
> # Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
> # FW_LOG_*_ALL defaults to "no"
> #
> FW_LOG_DROP_CRIT="yes"
> #
> FW_LOG_DROP_ALL="yes"
> #
> FW_LOG_ACCEPT_CRIT="yes"
> #
> FW_LOG_ACCEPT_ALL="yes"
> #
> # only change/activate this if you know what you are doing!
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option
> --log-prefix SuSE-FW"
>
> #
> # 17.)
> # Do you want to enable additional kernel TCP/IP security features?
> # If set to yes, some obscure kernel options are set.
> # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
> # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexceed_rate,
> # ip_local_port_range, log_martians, mc_forwarding,
> # rp_filter, routing flush)
> # Tip: Set this to "no" until you have verified that you have got a
> # configuration which works for you. Then set this to "yes" and keep it
> # if everything still works. (It should!) ;-)
> #
> # Choice: "yes" or "no", defaults to "yes"
> #
> FW_KERNEL_SECURITY="no"
>
> #
> # 18.)
> # Keep the routing set on, if the firewall rules are unloaded?
> # REQUIRES: FW_ROUTE
> #
> # If you are using diald, or automatic dialing via ISDN, if packets need
> # to be sent to the internet, you need to turn this on. The script will
> # then
> # not turn off routing and masquerading when stopped.
> # You *might* also need this if you have got a DMZ.
> # Please note that this is *insecure*! If you unload the rules, but are
> # still
> # connected, you might leave your internal network open to attacks!
> # The better solution is to remove "/sbin/SuSEfirewall2 stop" or
> # "/sbin/init.d/firewall stop" from the ip-down script!
> #
> #
> # Choices "yes" or "no", defaults to "no"
> #
> FW_STOP_KEEP_ROUTING_STATE="no"
>
> #
> # 19.)
> # Allow (or don't) ICMP echo pings on either the firewall or the dmz
> # from
> # the internet? The internet option is for allowing the DMZ and the
> # internal
> # network to ping the internet.
> # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_INTERNET
> #
> # Choice: "yes" or "no", defaults to "no" if not set
> #
> FW_ALLOW_PING_FW="yes"
> #
> FW_ALLOW_PING_EXT="no"
>
> ##
> # END of rc.firewall
> ##
>
> # #
> #-------------------------------------------------------------------------#
> # #
> # EXPERT OPTIONS - all others please don't change these!
> # #
> # #
> #-------------------------------------------------------------------------#
> # #
>
> #
> # 20.)
> # Allow (or don't) ICMP time-to-live-exceeded to be sent from your
> # firewall.
> # This is used for traceroutes to your firewall (or traceroute like
> # tools).
> #
> # Please note that the unix traceroute only works if you say "yes" to
> # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you
> # say
> # additionally "yes" to FW_ALLOW_PING_FW
> #
> # Choice: "yes" or "no", defaults to "no"
> #
> FW_ALLOW_FW_TRACEROUTE="yes"
>
> #
> # 21.)
> # Allow ICMP sourcequench from your ISP?
> #
> # If set to yes, the firewall will notice when connection is choking,
> # however
> # this opens yourself to a denial of service attack. Choose your poison.
> #
> # Choice: "yes" or "no", defaults to "yes"
> #
> FW_ALLOW_FW_SOURCEQUENCH="yes"
>
> #
> # 22.)
> # Allow/Ignore IP Broadcasts?
> #
> # If set to yes, the firewall will not filter broadcasts by default.
> # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
> # option is used.
> # If you do not want to allow them however ignore the annoying log
> # entries,
> # set FW_IGNORE_FW_BROADCAST to yes.
> #
> # Choice: "yes" or "no", defaults to "no"
> #
> FW_ALLOW_FW_BROADCAST="no"
> #
> FW_IGNORE_FW_BROADCAST="yes"
>
> #
> # 23.)
> # Allow same class routing per default?
> # REQUIRES: FW_ROUTE
> #
> # Do you want to allow routing between interfaces of the same class
> # (e.g. between all internet interfaces, or all internal network
> # interfaces)
> # by default (so without the need setting up FW_FORWARD definitions)?
> #
> # Choice: "yes" or "no", defaults to "no"
> #
> FW_ALLOW_CLASS_ROUTING="no"
>
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
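The config quoted above forwards the PPTP control channel (tcp/1723) to 192.168.0.2 with FW_FORWARD_MASQ, but PPTP carries its data in GRE, IP protocol 47, which has no ports and is therefore not covered by a tcp port forward. The script below is an added example, not code from the mail or from SuSEfirewall2: it reads FW_FORWARD_MASQ in the "source,internal_ip,proto,port" form the posted config uses, finds every tcp/1723 forward, checks whether the same internal host also gets a GRE forward, and otherwise prints the raw iptables rules (DNAT plus FORWARD accepts) that would go into the FW_CUSTOMRULES file, together with LOG rules that answer the question asked at the top of the mail, namely where a GRE packet is lost. Assumptions: the interface and entries are copied from the posted config as constructed input; an entry whose protocol field is `gre` or `47` is taken as the marker for a GRE forward (whether SuSEfirewall2 2.1 itself accepts such an entry is not something the mail establishes); the rule syntax is that of Linux 2.4 iptables.

```shell
#!/bin/sh
# Added example, not part of the original mail or of SuSEfirewall2.
# Audits FW_FORWARD_MASQ for PPTP forwards that lack a GRE (proto 47)
# counterpart and emits the iptables rules, plus LOG rules for tracing.
# Assumption: a "gre" or "47" protocol field marks the GRE forward.

# Values copied from the posted config (constructed input for the example).
FW_DEV_EXT="eth0"
FW_FORWARD_MASQ="0/0,192.168.0.100,tcp,8888 0/0,192.168.0.2,tcp,1723 0/0,192.168.0.2,tcp,443 "

# field ENTRY N: N-th comma-separated field of one entry ("" if absent).
field() { printf '%s\n' "$1" | cut -d, -f"$2"; }

# pptp_targets ENTRIES: internal address of every tcp/1723 forward, one per line.
pptp_targets() {
    local entry
    for entry in $1; do
        if [ "$(field "$entry" 3)" = tcp ] && [ "$(field "$entry" 4)" = 1723 ]; then
            field "$entry" 2
        fi
    done
}

# has_gre_forward ENTRIES HOST: succeeds if some entry forwards gre/47 to HOST.
has_gre_forward() {
    local entry proto
    for entry in $1; do
        proto=$(field "$entry" 3)
        if [ "$(field "$entry" 2)" = "$2" ]; then
            case $proto in gre|47) return 0 ;; esac
        fi
    done
    return 1
}

# gre_rules HOST EXT_IF: DNAT inbound GRE to the PPTP server and let it, and
# the server's GRE replies, through FORWARD. Generic conntrack tracks GRE by
# address pair, so one internal server needs no PPTP-specific helper.
gre_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $2 -p 47 -j DNAT --to-destination $1
iptables -A FORWARD -i $2 -p 47 -d $1 -j ACCEPT
iptables -A FORWARD -o $2 -p 47 -s $1 -j ACCEPT
EOF
}

# trace_rules EXT_IF: LOG GRE before NAT (mangle PREROUTING) and after routing
# (FORWARD). A "GRE-in" line with no matching "GRE-fwd" line in the kernel
# log means the packet arrived but was never translated, or was dropped.
trace_rules() {
    cat <<EOF
iptables -t mangle -I PREROUTING 1 -i $1 -p 47 -j LOG --log-prefix "GRE-in "
iptables -I FORWARD 1 -p 47 -j LOG --log-prefix "GRE-fwd "
EOF
}

# audit: report each PPTP forward and print whatever rules are missing.
audit() {
    local srv
    for srv in $(pptp_targets "$FW_FORWARD_MASQ"); do
        if has_gre_forward "$FW_FORWARD_MASQ" "$srv"; then
            echo "# $srv: tcp/1723 and GRE are both forwarded"
        else
            echo "# $srv: tcp/1723 is forwarded but GRE (proto 47) is not; add:"
            gre_rules "$srv" "$FW_DEV_EXT"
        fi
    done
    echo "# tracing rules (remove afterwards, they log every GRE packet):"
    trace_rules "$FW_DEV_EXT"
}

audit
```

Run it as-is to see the rule set it proposes; nothing is applied until the printed lines are pasted into the custom-rules file. On the posted config it reports 192.168.0.2 as forwarded on tcp/1723 only. The DNAT covers one PPTP server behind the firewall; because GRE has no ports, several concurrent sessions to different internal hosts, or internal clients dialling out through the masquerade, cannot be told apart without the PPTP conntrack/NAT helper, which for 2.4 kernels existed only as an out-of-tree patch. With the LOG rules in place, the kernel log (and /proc/net/ip_conntrack) shows at which of the two points the GRE packets stop.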

