Mailinglist Archive: opensuse-security (570 mails)

AW: [suse-security] another 3-interface firewall problem (two external, no DMZ)
  • From: "Christian Lange" <christian.lange@xxxxxxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 7 Jan 2004 08:15:51 +0100
  • Message-id: <CHEMJAFHNIDCJMCIHPNNGEDECNAA.christian.lange@xxxxxxxxxxxxxxxxxxxxxxxx>
Hello Peter,

possibly the problem is a completely different one. Recently I had problems with a
router using identical NICs, i.e. 3x 3Com 905. It seems that the router
mixed up the interfaces.

Perhaps you may try it with different NICs.

Best regards

Christian


> -----Original Message-----
> From: Dr. Peter Münstermann [mailto:peter@xxxxxxxxxxxxxxxxxxxxx]
> Sent: Tuesday, 6 January 2004 21:38
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] another 3-interface firewall problem
> (two external, no DMZ)
>
>
> Sorry for the routing test.
>
> The output of the route command seems to be okay. Something like
>
> Destination   Gateway     Genmask          Flags Metric Ref Use Iface
> w.x.y.z       0.0.0.0     255.255.255.0    U     0      0   0   ppp0
> external      0.0.0.0     255.255.255.252  U     0      0   0   eth0
> internal      0.0.0.0     255.255.255.0    U     0      0   0   eth1
> 0.0.0.0       w.y.x.z+1   0.0.0.0          UG    0      0   0   ppp0
> gedenktage:/var/home/muenster #
>
> At the moment, I run the expensive two-interface solution. I will test the
> iptables rules as soon as possible.
>
> YoYo
> Peter
>
> > From: engelbert.gruber@xxxxxxxxx
> > Date: Tue, 6 Jan 2004 17:15:32 +0100 (CET)
> > To: "Dr. Peter Münstermann" <peter@xxxxxxxxxxxxxxxxxxxxx>
> > Cc: suse-security@xxxxxxxx
> > Subject: Re: [suse-security] another 3-interface firewall problem (two
> > external, no DMZ)
> >
> > On Tue, 6 Jan 2004, Dr. Peter Münstermann wrote:
> >
> >> Hi Again,
> >>
> >>> 1) Is the routing ok ?
> >> How can I check the routing ?
> >
> > route -n
> >
> >> The SuSEfirewall script generates more rules than G.W. Bushisms.
> >
> > sometimes I use:
> >
> > iptables -vnL | grep -v "^ *0 "
> >
> > to see rules that have a hit count other than 0.
> >
> >>> 2) Are there any firewall log entries ?
> >> Nothing critical for the 'dead' interface. But I have to retry with logging
> >> everything.
> >>
> >>> 3) Are you sure you don't masq your webserver's reply packets with the wrong
> >>> IP ? (I understand that you now have 2 external IPs)
> >> I am completely unsure about everything!
> >> I guess everything should be clear by understanding the IP rules.
> >> Is there a debugging tool for this ?
> >>
> >> Thanks so far
> >>
> >> Peter
> >>
> >> ___________________________________________________________
> >>
> >> Dr. Peter Münstermann
> >>
> >> mobil: +49 (0)173/2309398
> >> Schützenstr. 11 tel.: +49 (0)7531/919122
> >> D-78462 Konstanz fax.: +49 (0)7531/914370
> >> ___________________________________________________________
> >>
> >>
> >>> From: Andreas Baetz <lac01@xxxxxx>
> >>> Date: Mon, 5 Jan 2004 09:01:10 +0100
> >>> To: suse-security@xxxxxxxx
> >>> Subject: Re: [suse-security] another 3-interface firewall problem (two
> >>> external, no DMZ)
> >>>
> >>> You could check the following:
> >>> 1) Is the routing ok ?
> >>> 2) Are there any firewall log entries ?
> >>> 3) Are you sure you don't masq your webserver's reply packets with the wrong
> >>> IP ? (I understand that you now have 2 external IPs)
> >>>
> >>> You could get more info by tcpdumping your interfaces.
> >>>
> >>> Andreas
> >>>
> >>>
> >>> On Sunday 04 January 2004 00:00, Dr. Peter Münstermann wrote:
> >>>> Hi,
> >>>>
> >>>> I am running a small enterprise server under SuSE 9.0.
> >>>> The main tasks are: masquerading an internal network, SMTP, POP3 and web
> >>>> serving.
> >>>>
> >>>> Everything works nicely with two interfaces:
> >>>> eth0: 1.2.3.4 netmask 255.255.255.192 (leased line with static IP)
> >>>> eth1: 192.168.0.1 netmask 255.255.255.0 (internal network)
> >>>> with default route 1.2.3.3
> >>>> Web server is listening on 1.2.3.4, SMTP on both interfaces, POP3 only at
> >>>> the internal interface
> >>>>
> >>>> NOW: to keep traffic costs as low as possible, we would like to route the main
> >>>> traffic over a DSL flat rate.
> >>>> Configuring the DSL stuff gives the additional ppp0 interface (PPPoE with
> >>>> eth2), masquerading works and I can see the web server at 1.2.3.4 due to
> >>>> the additional entry:
> >>>> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 1.2.3.4 -j ACCEPT
> >>>>
> >>>> BUT: The address 1.2.3.4 is not responding from the outside any more.
> >>>> Both eth0 and ppp0 are configured as external interfaces in the
> >>>> SuSEfirewall configuration.
> >>>>
> >>>> I think the problem can be seen as a sort of load balancing for the
> >>>> leaving IP packets.
> >
> > any martians in the log ?
> >
> > what is the default route now ?
> >
> >
> > --
> > BINGO: high-performance breakthrough
> > --- Engelbert Gruber -------+
> > SSG Fintl,Gruber,Lassnig /
> > A6170 Zirl Innweg 5b /
> > Tel. ++43-5238-93535 ---+
> >
> > --
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
> >
> >
>
>
>
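The thread above stops at diagnosis. What follows is an added example, not code from any of the mails, that packages the checks the replies suggest (which interface carries the default route, Engelbert's non-zero-counter filter for `iptables -vnL`) as shell functions over captured output, and then prints the iproute2 policy-routing commands that address the symptom Peter describes. The reasoning behind that fix is mine, not the thread's: once the default route moves to ppp0, replies to connections that arrived on eth0 for 1.2.3.4 are routed out over the DSL link, where they carry a source address the DSL provider will typically not forward, so from the outside 1.2.3.4 looks dead while it still answers from the LAN. The addresses 1.2.3.4 and 1.2.3.3 and the interface names are taken from Peter's mail; routing table 100, the DSL gateway 5.6.7.1 and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example for the thread above; not code from any of the mails.
# Addresses 1.2.3.4 / 1.2.3.3 and the interface names come from Peter's mail;
# table 100, the DSL gateway 5.6.7.1 and the two sample outputs are constructed.

# Constructed `route -n` output after the DSL link came up: the default route
# now points at ppp0, while 1.2.3.0/26 is still reachable only through eth0.
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
5.6.7.1         0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
1.2.3.0         0.0.0.0         255.255.255.192 U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         5.6.7.1         0.0.0.0         UG    0      0        0 ppp0'

# Constructed `iptables -vnL` excerpt. The port-80 rule on eth0 has never
# matched; the rule Peter added for the internal side has.
SAMPLE_IPT='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            1.2.3.4              tcp dpt:80
  418   31K ACCEPT     tcp  --  eth1   *       192.168.0.0/24       1.2.3.4              tcp dpt:80

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1203   88K ACCEPT     all  --  eth1   ppp0    192.168.0.0/24       0.0.0.0/0'

# Check 1 ("is the routing ok", "what is the default route now"): print the
# interface that carries the 0.0.0.0/0 route.
default_route_iface() {
    printf '%s\n' "$1" | awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" { print $NF }'
}

# Check 2 (Engelbert's `iptables -vnL | grep -v "^ *0 "`): keep only rule
# lines whose packet counter is non-zero; unlike the grep, also drop the
# chain headers so only rules that actually saw traffic remain.
hit_rules() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+[KMG]?$/ && $1 != "0"'
}

hit_rule_count() {
    hit_rules "$1" | awk 'END { print NR }'
}

# Fix: source-based policy routing. Packets sourced from the leased-line
# address use a separate table whose only default route is the eth0 gateway,
# so the main table's ppp0 default no longer applies to them. The commands are
# printed, not executed; review them, then run them as root.
policy_route_cmds() {
    ext_ip=$1; ext_gw=$2; ext_dev=$3; table=${4:-100}
    printf 'ip route add default via %s dev %s table %s\n' "$ext_gw" "$ext_dev" "$table"
    printf 'ip rule add from %s table %s\n' "$ext_ip" "$table"
    printf 'ip route flush cache\n'
}

# Stand-alone run: the diagnosis on the constructed samples, then the fix.
echo "default route via: $(default_route_iface "$SAMPLE_ROUTE")"
echo "rules with hits:"
hit_rules "$SAMPLE_IPT"
echo "commands to apply:"
policy_route_cmds 1.2.3.4 1.2.3.3 eth0
```

Run it as is to see the diagnosis on the samples; on the real box, replace the two SAMPLE_ variables with `$(route -n)` and `$(iptables -vnL)`. Andreas's tcpdump suggestion confirms the diagnosis before anything is changed: if `tcpdump -ni ppp0 src host 1.2.3.4` shows the web server's replies, they are leaving over the wrong link. Engelbert's martian question is answered by `sysctl -w net.ipv4.conf.all.log_martians=1` and then watching the kernel log for "martian source" lines.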

