haveing spuriouse problems with routing I think some are my

isp but I am a newbie and hoped you might help here is the symptom May 19 07:19:39 redroute1 kernel: SuSE-FW-ILLEGAL-ROUTING IN=ipsec0 OUT=eth0 SRC=192.168.10.150 DST=192.168.0.47 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=147 DF PROTO=ICMP TYPE=8 CODE=0 ID=46600 SEQ=512 May 19 07:19:40 redroute1 kernel: SuSE-FW-ILLEGAL-ROUTING IN=ipsec0 OUT=eth0 SRC=192.168.10.150 DST=192.168.0.47 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=148 DF PROTO=ICMP TYPE=8 CODE=0 ID=46600 SEQ=768 It seems sometimes I can ping and sometimes I can not. Most problems seem to take place on a connection after I try to connect to a drive on the right side of the connection from the left here is other information up-client:) # connection to my client subnet coming up # If you are doing a custom version, firewall commands go here. iptables -I FORWARD 1 -o ipsec0 -s 192.168.10.0/24 -d 192.169.0.0/24 -j ACCEPT iptables -I FORWARD 1 -i ipsec0 -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT ;; down-client:) # connection to my client subnet going down # If you are doing a custom version, firewall commands go here. iptables -D FORWARD -o ipsec0 -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT iptables -D FORWARD -i ipsec0 -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT config setup # THIS SETTING MUST BE CORRECT or almost nothing will work; #%defaultroute is okay for most simple cases. interfaces=%defaultroute # Debug-logging controls: "none" for (almost) none, "all" for lots. klipsdebug=all plutodebug=none # Use auto= parameters in conn descriptions to control startup actions. plutoload=%search plutostart=%search # Close down old connection when new one using same ID shows up. uniqueids=yes #Enable NAT-Traversal #nat_traversal=yes conn %default authby=rsasig keyingtries=1 ikelifetime=240m keylife=20m compress=yes disablearrivalcheck=no leftrsasigkey=%cert rightrsasigkey=%cert conn dowagiac-redoak left=12.47.77.50 leftsubnet=192.168.0.0/24 leftcert=redroute1cert.pem right=%defaultroute rightsubnet=192.168.10.0/24 rightcert=redroute10cert.pem # To authorize this connection, but not actually start it, at startup, # uncomment this. auto=add pfs=yes # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany. All rights reserved. # # Author: Marc Heuse , 2002 # Please contact me directly if you find bugs. # # If you have problems getting this tool configures, please read this file # carefuly and take also a look into # -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES ! # -> /usr/share/doc/packages/SuSEfirewall2/FAQ ! # -> /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE ! # # /etc/sysconfig/SuSEfirewall2 # # for use with /sbin/SuSEfirewall2 version 3.1 which is for 2.4 kernels! # # ------------------------------------------------------------------------ # # PLEASE NOTE THE FOLLOWING: # # Just by configuring these settings and using the SuSEfirewall2 you are # not secure per se! There is *not* such a thing you install and hence you # are safed from all (security) hazards. # # To ensure your security, you need also: # # * Secure all services you are offering to untrusted networks (internet) # You can do this by using software which has been designed with # security in mind (like postfix, apop3d, ssh), setting these up without # misconfiguration and praying, that they have got really no holes. # SuSEcompartment can help in most circumstances to reduce the risk. # * Do not run untrusted software. (philosophical question, can you trust # SuSE or any other software distributor?) # * Harden your server(s) with the harden_suse package/script # * Recompile your kernel with the openwall-linux kernel patch # (former secure-linux patch, from Solar Designer) www.openwall.com # * Check the security of your server(s) regulary # * If you are using this server as a firewall/bastion host to the internet # for an internal network, try to run proxy services for everything and # disable routing on this machine. # * If you run DNS on the firewall: disable untrusted zone transfers and # either don't allow access to it from the internet or run it split-brained. # # Good luck! # # Yours, # SuSE Security Team # # ------------------------------------------------------------------------ # # Configuration HELP: # # If you have got any problems configuring this file, take a look at # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example. # # # All types have to set enable SuSEfirewall2 in the runlevel editor # # If you are a end-user who is NOT connected to two networks (read: you have # got a single user system and are using a dialup to the internet) you just # have to configure (all other settings are OK): 2) and maybe 9). # # If this server is a firewall, which should act like a proxy (no direct # routing between both networks), or you are an end-user connected to the # internet and to an internal network, you have to setup your proxys and # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14) # # If this server is a firewall, and should do routing/masquerading between # the untrusted and the trusted network, you have to reconfigure (all other # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13), # 14), 20) # # If you want to run a DMZ in either of the above three standard setups, you # just have to configure *additionally* 4), 9), 12), 13), 17), 19). # # If you know what you are doing, you may also change 8), 11), 15), 16) # and the expert options 19), 20), 21), 22) and 23) at the far end, but you # should NOT. # # If you use diald or ISDN autodialing, you might want to set 17). # # To get programs like traceroutes to your firewall to work is a bit tricky, # you have to set the following options to "yes" : 11 (UDP only), 18 and 19. # # Please note that if you use service names, that they exist in /etc/services. # There is no service "dns", it's called "domain"; email is called "smtp" etc. # # *Any* routing between interfaces except masquerading requires to set FW_ROUTE # to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING ! # # If you just want to do masquerading without filtering, ignore this script # and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn): # iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0 # echo 1 > /proc/sys/net/ipv4/ip_forward # and additionally the following lines to get at least a minimum of security: # iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0 # iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0 # ------------------------------------------------------------------------ # # 1.) # Should the Firewall run in quickmode? # # "Quickmode" means that only the interfaces pointing to external networks # are secured, and no other. all interfaces not in the list of FW_DEV_EXT # are allowed full network access! Additionally, masquerading is # automatically activated for FW_MASQ_DEV devices. and last but not least: # all incoming connection via external interfaces are REJECTED. # You will only need to configure 2.) and FW_MASQ_DEV in 6.) # Optionally, you may add entries to section 9a.) # # Choice: "yes" or "no", if not set defaults to "no" # FW_QUICKMODE="no" FW_DEV_EXT="ppp0 ipsec0" # # 3.) # Which is the interface that points to the internal network? # # Enter all the network devices here which are trusted. # If you are not connected to a trusted network (e.g. you have just a # dialup) leave this empty. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1 eth1:1" or "" # FW_DEV_INT="eth0" # # 4.) # Which is the interface that points to the dmz or dialup network? # # Enter all the network devices here which point to the dmz/dialups. # A "dmz" is a special, seperated network, which is only connected to the # firewall, and should be reachable from the internet to provide services, # e.g. WWW, Mail, etc. and hence are at risk from attacks. # See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example. # # Special note: You have to configure FW_FORWARD to define the services # which should be available to the internet and set FW_ROUTE to yes. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1 eth1:1" or "" # FW_DEV_DMZ="" # # 5.) # Should routing between the internet, dmz and internal network be activated? # REQUIRES: FW_DEV_INT or FW_DEV_DMZ # # You need only set this to yes, if you either want to masquerade internal # machines or allow access to the dmz (or internal machines, but this is not # a good idea). This option supersedes IP_FORWARD from # /etc/sysconfig/network/options # # Setting this option one alone doesn't do anything. Either activate # massquerading with FW_MASQUERADE below if you want to masquerade your # internal network to the internet, or configure FW_FORWARD to define # what is allowed to be forwarded! # # Choice: "yes" or "no", if not set defaults to "no" # FW_ROUTE="yes" # # 6.) # Do you want to masquerade internal networks to the outside? # REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE # # "Masquerading" means that all your internal machines which use services on # the internet seem to come from your firewall. # Please note that it is more secure to communicate via proxies to the # internet than masquerading. This option is required for FW_MASQ_NETS and # FW_FORWARD_MASQ. # # Choice: "yes" or "no", if not set defaults to "no" # FW_MASQUERADE="yes" # # You must also define on which interface(s) to masquerade on. This is # normally your external device(s) to the internet. # Most users can leave the default below. # # e.g. "ippp0" or "$FW_DEV_EXT" FW_MASQ_DEV="ppp0" # # Which internal computers/networks are allowed to access the internet # directly (not via proxys on the firewall)? # Only these networks will be allowed access and will be masqueraded! # # Choice: leave empty or any number of hosts/networks seperated by a space. # Every host/network may get a list of allowed services, otherwise everything # is allowed. A target network, protocol and service is appended by a comma to # the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with # unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0tcp,21" allows # the 10.0.1.0 network to use www/ftp to the internet. # "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too. # Set this variable to "0/0" to allow unrestricted access to the internet. # FW_MASQ_NETS="192.168.0.0/24" # # 7.) # Do you want to protect the firewall from the internal network? # REQUIRES: FW_DEV_INT # # If you set this to "yes", internal machines may only access services on # the machine you explicitly allow. They will be also affected from the # FW_AUTOPROTECT_SERVICES option. # If you set this to "no", any user can connect (and attack) any service on # the firewall. # # Choice: "yes" or "no", if not set defaults to "yes" # # "yes" is a good choice FW_PROTECT_FROM_INTERNAL="no" oice: "yes" or "no", if not set defaults to "yes" # FW_AUTOPROTECT_SERVICES="no" FW_SERVICES_EXT_TCP="53 rsync ssh" FW_SERVICES_EXT_UDP="500" FW_SERVICES_EXT_UPD="500" FW_SERVICES_EXT_IP="50 51" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" # # Common: ssh smtp domain FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP="" FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_UDP="" FW_SERVICES_QUICK_IP="" FW_TRUSTED_NETS="192.168.10.0/24 192.168.0.0/24" FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="yes" FW_SERVICE_DHCPD="yes" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="yes" FW_FORWARD="192.168.0.0/24,192.168.10.0/24 192.168.10.0/24,192.168.0.0/24" # FW_FORWARD_MASQ="" FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" FW_KERNEL_SECURITY="YES" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" # FW_ALLOW_PING_DMZ="no" # FW_ALLOW_PING_EXT="no" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_ALLOW_FW_BROADCAST="no" # FW_IGNORE_FW_BROADCAST="yes" FW_ALLOW_CLASS_ROUTING="yes" FW_CUSTOMRULES="" FW_REJECT="no" Thank you for any help you can be. -- Absolute Internet Services (http://www.aiserve.net)