Mailinglist Archive: opensuse-security (297 mails)

Re: [suse-security] SuSEFirewall2 with internal routing - problems!
  • From: muralito@xxxxxxxxxxxxxxxxx
  • Date: Wed, 7 Jul 2004 11:28:03 -0300
  • Message-id: <1089210483.40ec0873b00e0@xxxxxxxxxxxxxxxxxxxxxx>
Set FW_ALLOW_CLASS_ROUTING="yes" to allow routing between ifaces of the same
class (int/ext/dmz)

Quoting Jochen Haßfurter <jo@xxxxxxxxxxxx>:

> Hello!
>
> For two weeks I have been trying to understand SuSEFirewall2....
> I think I have read enough, but I have found no solution for my problem.
>
> I have a SuSE 9.0 system with an Ethernet card with 4 ports.
> The server is the router and WINS server between two Windows domains.
>
> The ports are managed like this:
>
>
> eth0 Link encap:Ethernet HWaddr _____________
> inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
> # Domain 1: Windows 2003 Server - Domain "W2003"
>
> eth1 Link encap:Ethernet HWaddr _____________
> inet addr:192.168.200.248 Bcast:192.168.200.255 Mask:255.255.255.0
> # Domain 2: Windows NT 4.0 - Domain "Hart"
>
> eth2 Link encap:Ethernet HWaddr _____________
> inet addr:192.168.3.10 Bcast:192.168.3.255 Mask:255.255.255.0
> # To router (192.168.3.1)
>
> eth3 Link encap:Ethernet HWaddr _____________
> inet addr:192.168.4.10 Bcast:192.168.4.255 Mask:255.255.255.0
> # To (secure) WLAN (192.168.4.1)
>
> # SuSEFirewall2 configuration:
>
> FW_QUICKMODE="no"
> FW_DEV_EXT="eth2"
> FW_DEV_INT="eth0 eth1 eth3"
> FW_DEV_DMZ=""
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="eth2"
> FW_MASQ_NETS="192.168.0.0/16"
> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP=""
> FW_SERVICES_EXT_UDP=""
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="ssh 22 53 80 139 445"
> FW_SERVICES_INT_UDP="53 137 138"
> FW_SERVICES_INT_IP=""
> FW_SERVICES_QUICK_TCP=""
> FW_SERVICES_QUICK_UDP=""
> FW_SERVICES_QUICK_IP=""
> FW_TRUSTED_NETS="192.168.0.0/16"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="yes"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="yes"
> FW_FORWARD=""
> FW_FORWARD_MASQ=""
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="yes"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
> FW_KERNEL_SECURITY="yes"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="no"
> FW_ALLOW_PING_EXT="no"
> FW_ALLOW_FW_TRACEROUTE="no"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_IGNORE_FW_BROADCAST="yes"
> FW_ALLOW_CLASS_ROUTING="no"
> FW_CUSTOMRULES=""
> FW_REJECT="no"
> FW_HTB_TUNE_DEV=""
>
>
>
>
> In this configuration, and even if I change
>
> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
>
> both to "no" (which I dislike doing!), the following "errors" occur
> when I try to get data from one PC to another (that means that in
> "Netzwerkumgebung" (Network Neighborhood) the PCs are not visible and
> there is no way to reach them, but the Internet works well on every PC):
>
> Jul 5 15:32:46 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=14931 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:32:48 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=14933 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:32:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=14935 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:55:27 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=16608 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:55:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=16610 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:55:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=16613 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:55:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=16620 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
> OPT (020405B401010402)
> Jul 5 15:55:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=16621 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
> OPT (020405B401010402)
> Jul 5 15:55:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=16622 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
> OPT (020405B401010402)
> Jul 5 15:55:54 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=16624 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:55:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=16626 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 15:55:58 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=16628 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 16:10:30 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=17801 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 16:10:32 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=17803 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 16:10:34 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=17805 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 16:10:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=28159 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
> OPT (020405B401010402)
> Jul 5 16:10:39 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=28161 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
> OPT (020405B401010402)
> Jul 5 16:10:45 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127
> ID=28171 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0
> OPT (020405B401010402)
> Jul 5 16:10:57 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=17822 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 16:10:59 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=17826 PROTO=UDP SPT=138 DPT=138 LEN=182
> Jul 5 16:11:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1
> SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127
> ID=17828 PROTO=UDP SPT=138 DPT=138 LEN=182
>
>
>
> Please help me! Tell me why! What am I doing wrong?
>
>
>
> With kind regards,
>
> Jochen Haßfurter
>
>
> --------------------------------
>
> Atelier MO
> Stefan Mock & Jochen Haßfurter GbR
>
> Office:
> Industriestraße 3
> 97332 Volkach
> Germany
>
> Tel. 0.93.81 7.15.20.92
> Fax 0.93.81 7.15.20.93
>
>
> Creative centre:
> Am Kapellenberg 2
> 97332 Volkach
> Germany
>
> Tel. 0.93.81 7.15.20.91
> Fax 0.93.81 8.47.59.99
>
> www.ateliermo.de
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
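The answer above points at FW_ALLOW_CLASS_ROUTING, and the quoted log lines are the tell: every SuSE-FW-DROP-DEFAULT entry has both IN= and OUT= set, and both interfaces (eth0, eth1) are listed in FW_DEV_INT, so the firewall refused to forward between two interfaces of the same class. The script below is an added example written for this page (not SuSEFirewall2's own code and not the poster's); it applies exactly that check to a sysconfig-style fragment and kernel log lines. The config values and log lines are constructed from the thread, and the helper names (conf_value, log_field, count_intra_class_drops, diagnose, enable_class_routing) are the example's own.

```shell
#!/bin/sh
# Added example for this thread; not SuSEFirewall2 code and not the poster's
# script. It reads a sysconfig-style config fragment plus kernel log lines and
# counts SuSE-FW-DROP-DEFAULT entries that were being forwarded (IN= and OUT=
# both set) between two interfaces that both belong to FW_DEV_INT. Those are
# the drops that FW_ALLOW_CLASS_ROUTING="yes" removes. All inputs are constructed.

# Constructed config fragment, mirroring the values quoted in the thread.
FW_CONF='FW_DEV_EXT="eth2"
FW_DEV_INT="eth0 eth1 eth3"
FW_ALLOW_CLASS_ROUTING="no"'

# Constructed log lines: two intra-class forward drops shaped like the quoted
# ones, plus one drop arriving on the external interface (OUT= empty, i.e. a
# packet addressed to the firewall itself) that class routing cannot explain.
FW_LOG='Jul 5 15:32:46 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 PROTO=UDP SPT=138 DPT=138
Jul 5 15:55:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 PROTO=TCP SPT=4646 DPT=139
Jul 5 16:00:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth2 OUT= SRC=192.168.3.77 DST=192.168.3.10 PROTO=TCP SPT=40000 DPT=22'

# conf_value NAME CONF: print the value of the first NAME="..." line in CONF.
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# in_list WORD LIST: succeed when WORD is one of the space-separated words in LIST.
in_list() {
    [ -n "$1" ] || return 1
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# log_field KEY LINE: print the value of " KEY=" in a kernel log line ("" if empty).
log_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# count_intra_class_drops CONF LOG: number of DROP-DEFAULT lines whose IN and
# OUT interfaces are both listed in FW_DEV_INT. The here-document keeps the
# loop in the current shell, so the counter survives the loop.
count_intra_class_drops() {
    int_ifaces=$(conf_value FW_DEV_INT "$1")
    n=0
    while read -r line; do
        case "$line" in
            *SuSE-FW-DROP-DEFAULT*) ;;
            *) continue ;;
        esac
        in_if=$(log_field IN "$line")
        out_if=$(log_field OUT "$line")
        if in_list "$in_if" "$int_ifaces" && in_list "$out_if" "$int_ifaces"; then
            n=$((n + 1))
        fi
    done <<EOF
$2
EOF
    echo "$n"
}

# diagnose CONF LOG: print "class-routing" when intra-class drops are present
# and FW_ALLOW_CLASS_ROUTING is "no"; otherwise "other" (look elsewhere).
diagnose() {
    drops=$(count_intra_class_drops "$1" "$2")
    if [ "$drops" -gt 0 ] && [ "$(conf_value FW_ALLOW_CLASS_ROUTING "$1")" = "no" ]; then
        echo "class-routing"
    else
        echo "other"
    fi
}

# enable_class_routing CONF: print CONF with FW_ALLOW_CLASS_ROUTING set to "yes".
enable_class_routing() {
    printf '%s\n' "$1" | sed 's/^FW_ALLOW_CLASS_ROUTING="no"/FW_ALLOW_CLASS_ROUTING="yes"/'
}

echo "intra-class forward drops: $(count_intra_class_drops "$FW_CONF" "$FW_LOG")"
echo "diagnosis: $(diagnose "$FW_CONF" "$FW_LOG")"
```

On a real box the two inputs would be /etc/sysconfig/SuSEfirewall2 and the SuSE-FW lines from the kernel log. One caveat on the fix itself: FW_ALLOW_CLASS_ROUTING="yes" opens forwarding among every interface in FW_DEV_INT, so with the configuration quoted above the WLAN on eth3 reaches both Windows domains as well, not only eth0 and eth1; FW_FORWARD, which is empty in the quoted file, is the setting SuSEFirewall2 provides for narrower forward rules when that is not wanted.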





