Mailinglist Archive: opensuse-security (570 mails)

Re: [suse-security] another 3-interface firewall problem (two external, no DMZ)
  • From: "Philippe Vogel" <filiaap@xxxxxxxxxx>
  • Date: Tue, 6 Jan 2004 22:23:29 +0100
  • Message-id: <014301c3d49b$54d3ec60$8b20fea9@xxxxxxxxxxxxxxxxxx>
Hi again,

> 1) Is the routing ok ?
How can I check the routing?
The SuSEfirewall script generates more rules than G.W. Bushisms.

Print routing table:

route -n

General routing should look like this:

fb7-fg6:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
internal-ip     0.0.0.0         255.255.255.0   U     0      0        0 eth1
external-ip     0.0.0.0         255.255.255.0   U     0      0        0 eth0
dsl-ip          0.0.0.0         255.255.255.0   U     0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         default-gw-ip   0.0.0.0         UG    0      0        0 ppp0

The default gw is the IP you get from DSL; that should be set correctly within the DSL
"dialup script" and reset within the DSL "dialout script"!

If not, add a rule within yast/network/dsl.

Sometimes that routing stuff acts very strangely -> maybe a reboot helps
to reset everything after a change.

> 2) Are there any firewall log entries ?
Nothing critical for the 'dead' interface. But I have to retry with logging
everything.

With this you get the firewall output in one file to analyse it:

grep DROP /var/log/messages > Outputfile

> 3) Are you sure you don't masq your webserver's reply packets with the
wrong
> IP ? (I understand that you now have 2 external IPs)
I am completely unsure about everything!
I guess, everything should be clear by understanding the IP rules.
Is there a debugging tool for this ? -> /sbin/SuSEfirewall status
# gives debug output of iptables sets in SuSEfirewall

Try:

cat /proc/sys/net/ipv4/ip_forward

If you see a "1", forwarding is enabled.

Testing if the network is running:

unload the firewall
enable forwarding
ping the IP of eth0, eth1, ppp0
traceroute www.freenet.de   # here we go external and see where the route goes (e.g. here with freenet.de)!

If you get errors here, there is no problem with the firewall.

The firewall config should look like this:

FW_DEV_EXT="eth0 ppp0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"

Configure the services and ports to your needs!

# bad security, but for testing ...
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_KERNEL_SECURITY="yes"
# for testing set to "yes" (the next line)
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_SOURCEQUENCH="no"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_REJECT="no"
# for german t-dsl:
FW_HTB_TUNE_DEV="ppp0,250"
# not optimized:
FW_HTB_TUNE_DEV=""

Philippe


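Added example, not part of Philippe's mail or of SuSEfirewall2 itself: the checks the mail walks through (routing table, ip_forward, DROP lines in the log, the FW_* settings marked "for testing") as small shell functions that can be run against the live files or against copies. It assumes "route -n" output in the classic net-tools column layout, a SuSEfirewall2-style config file with FW_* variables, and kernel log lines that contain the word DROP together with IN=<iface> / OUT=<iface> fields. All sample data in the demo at the bottom is constructed for illustration, not captured from a real box.

```shell
#!/bin/sh
# Added example (not from the original mail). Assumptions: net-tools
# "route -n" layout, SuSEfirewall2-style FW_* config, DROP log lines
# with IN=/OUT= fields. Sample data below is constructed.

# Forwarding: "enabled" or "disabled" from an ip_forward sysctl file.
# The path is a parameter so the check also works on a copied file.
forwarding_state() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    case "$(cat "$f" 2>/dev/null)" in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# Default route: read a "route -n" table on stdin and print the
# interface of the 0.0.0.0 destination (on the DSL box in the mail this
# must be ppp0), or "none" when no default route exists at all.
default_route_iface() {
    awk '$1 == "0.0.0.0" { print $NF; found = 1 }
         END { if (!found) print "none" }'
}

# Firewall log: only the DROP lines that mention one interface, so the
# "dead" interface can be looked at without the noise of the others.
# $1 = log file, $2 = interface name as it appears in IN=/OUT=.
drops_for_iface() {
    grep DROP "$1" | grep -E "(IN|OUT)=$2"'( |$)'
}

# Config: the FW_* settings the mail itself marks as "for testing";
# print any that are still "yes" so they are not forgotten on a live box.
testing_only_settings() {
    grep -E '^FW_(ALLOW_INCOMING_HIGHPORTS_(TCP|UDP)|STOP_KEEP_ROUTING_STATE)="yes"' "$1"
}

# --- demo with constructed sample data ---
TMP="${TMPDIR:-/tmp}/fwcheck.$$"
mkdir -p "$TMP"

printf '1\n' > "$TMP/ip_forward"

cat > "$TMP/route.txt" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 ppp0
EOF

# constructed log lines in the SFW2 prefix style, not a real capture
cat > "$TMP/messages" <<'EOF'
Jan  6 22:00:01 fw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP DPT=80
Jan  6 22:00:02 fw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=22
Jan  6 22:00:03 fw kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP DPT=80
EOF

cat > "$TMP/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth0 ppp0"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
EOF

echo "forwarding: $(forwarding_state "$TMP/ip_forward")"
echo "default route via: $(default_route_iface < "$TMP/route.txt")"
echo "DROP lines for eth0:"
drops_for_iface "$TMP/messages" eth0
echo "testing-only settings still active:"
testing_only_settings "$TMP/SuSEfirewall2"

rm -rf "$TMP"
```

Run it as root on the firewall with the real paths (forwarding_state with no argument, route -n | default_route_iface, drops_for_iface /var/log/messages ppp0, testing_only_settings /etc/sysconfig/SuSEfirewall2) to go through the mail's three questions in order: is the default route on ppp0, is forwarding on, and what exactly is being dropped on the interface that looks dead. The last function is the reminder the mail's "bad security, but for testing" comment asks for: the high-port openings have to go away again before the box is left on the wire.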