Mailinglist Archive: opensuse-security (297 mails)

[Mike Branda <mike@xxxxxxxxxxxxx>]

Running SuSE 9.0 Pro.

O.K.  I'm about to give up.  I've been messing with the setup for
SuSEfirewall2 which is apparently a niced up front end to IPTABLES.  I'm
trying to get a DMZ up so when I have to fix something on our renderfarm
at 3 AM I can do it from home through ssh.  currently the firewall works
with 2 NICs dividing my local net from the big bad ugly WWW.  it is
functioning properly and dropping everything that it should.  now on to
the DMZ. I've read a ton of stuff on how to set up internal DMZ's
through FW_FORWARD_MASQ="0/0,10.0.1.2,tcp,80" which looks like it
Masquerades and uses an inside IP on a third NIC that's not a "real
world" IP.  I can't get that working in any way.  Then there's the
preferred method of having a second, ISP issued "real world" IP, on the
DMZ and It again resides on the third NIC but there is no masquerading
and it looks like and it uses FW_FORWARD="127.0.0.1,127.0.0.2,tcp,1".

The forelisted FW lines are straight out of the EXAMPLE included with
SuSE so they really don't apply to my network directly.  let me sum up
what I have and maybe somebody can point me in the right direction.

Firewall box:

FW_DEV_INT="eth0"
FW_DEV_EXT="eth1"
FW_DEV_DMZ="eth2"


the external has my first ISP assigned IP.  the internal is the generic
192.168.2.0 network.  what I'm not sure of is what IP needs to be on
eth2 real or masq'd and any custom routing.  I've tried everything I can
think of. including a same and different internal IP, another of my real
world IP's you name it.  routes?? and maybe howto??

DMZ box

eth0 tried internal IP, real world IP......all in pairs because AFAIK if
the subnet isn't the same and the networks are different they wont ping.
the only life out there I get is when I use and internal IP like
192.168.0.1 on eth2 for the firewall and 192.168.0.2 on the DMZ.  then I
can ping from firewall to DMZ and vice versa.  but when I go from there
to try and use the FW_FORWARD_MASQ, I still can't get in from home on
the outside.  the only reason I'm pursuing the masq setup is I can't get
anything else to ping.  I'd prefer to do it the other way but it's not
getting anywhere.  so here's the snip from the masq field:

# Which services accessed from the internet should be allowed to
masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP
addesses!
# Hint: if FW_DEV_MASQ is set to the external interface you have to set
# FW_FORWARD from internal to DMZ for the service as well to allow
access
# from internal!
#
# Please note that this should *not* be used for security reasons! You
are
# opening a hole to your precious internal network. If e.g. the
webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained
syntax
# of forward masquerade rules, seperated each by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination
IP
# (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
# seperated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
# Optional is a port after the destination port, to redirect the request
to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"
#
FW_FORWARD_MASQ="0/0,10.0.1.2,tcp,80"           # Beware to use this!


Any help would be appreciated.  I'm feeling beat up by what should be so
simple... :^(

Mike