Hi linsley,

did you check whether the machine is a router? cat /proc/sys/net/ipv4/ip_forward should _not_ print 0. You can set this with /etc/sysconfig/sysctl:IP_FORWARD="yes"

Dirk

linsley wrote:
I have a box configured as a firewall/router/server. The firewall box will talk to the world, and vice versa. The internal zone can talk to the firewall. But nothing seems to be going *through* the firewall.
Basic info: SuSE 10.0
uname -a
Linux rose 2.6.13-15-default #1 Tue Sep 13 14:56:15 UTC 2005 i686 i686 i386 GNU/Linux
eth1 is the external zone interface:

# ifstatus eth1
eth1
eth1 configuration: eth-id-00:30:f1:2f:ef:8c
eth1 is up
4: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:f1:2f:ef:8c brd ff:ff:ff:ff:ff:ff
    inet 209.204.189.32/24 brd 209.204.189.255 scope global eth1
    inet 209.204.189.33/24 brd 209.204.189.255 scope global secondary eth1:2
    inet 209.204.189.34/24 brd 209.204.189.255 scope global secondary eth1:3
    inet 209.204.189.35/24 brd 209.204.189.255 scope global secondary eth1:4
    inet 209.204.189.36/24 brd 209.204.189.255 scope global secondary eth1:5
    inet6 fe80::230:f1ff:fe2f:ef8c/64 scope link
       valid_lft forever preferred_lft forever
eth1 IP address: 209.204.189.32/24
secondary eth1:2 IP address: 209.204.189.33/24
secondary eth1:3 IP address: 209.204.189.34/24
secondary eth1:4 IP address: 209.204.189.35/24
secondary eth1:5 IP address: 209.204.189.36/24
Configured routes for interface eth1:
  default 209.204.189.1 - -
Active routes for interface eth1:
  209.204.189.0/24 proto kernel scope link src 209.204.189.32
  default via 209.204.189.1
0 of 1 configured routes for interface eth1 up

eth0 is the internal zone:

# ifstatus eth0
eth0 device: VIA Technologies, Inc. VT6105 [Rhine-III] (rev 86)
eth0 configuration: eth-id-00:40:f4:88:de:ae
eth0 is up
3: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:40:f4:88:de:ae brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.18/24 brd 192.168.2.255 scope global eth0
    inet6 fe80::240:f4ff:fe88:deae/64 scope link
       valid_lft forever preferred_lft forever
eth0 IP address: 192.168.2.18/24
Configured routes for interface eth0:
  default 209.204.189.1 - -
  169.254.0.0 - 255.255.0.0 eth0
Active routes for interface eth0:
  192.168.2.0/24 proto kernel scope link src 192.168.2.18
  169.254.0.0/16 scope link
1 of 2 configured routes for interface eth0 up

Firewall is configured with SuSEfirewall2 using YaST2:
External zone allowed services are http https imap smtp ssh
Internal zone allowed services are http https imap smtp ssh
Protect Firewall from Internal Zone is checked.
Accepted packets and not accepted packets are both set to Log All

I see packets from the internal zone being accepted with messages like these:

Mar 19 08:33:58 rose kernel: SFW2-FWDint-ACC-MASQ IN=eth0 OUT=eth1 SRC=192.168.2.2 DST=209.204.189.1 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=37282 PROTO=ICMP TYPE=8 CODE=0 ID=32768 SEQ=14848

However, no reply packets are logged, either accepted or not.
Help! What is configured wrong???
TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München, Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
Commercial register: München HRB 113466
VAT ID: DE 180017238
Tax no.: 802/40600
Managing director: Richard Hofbauer
Commercial management: Rosa Igl
--------------------------------------------------------
Message from: Dirk.Schreiner@tria.de
Message to: linsley@sonic.net, suse-security@suse.com
# Attachments: 0
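Added here as an illustration, not code from the thread or from SuSEfirewall2: a small Python parser for SFW2 kernel log lines of the kind quoted in the post, which pairs each forwarded packet with its logged reply so that a one-way flow like the ICMP request above stands out, plus a reader for the ip_forward sysctl file Dirk points at. The sample log lines and the SFW2-EXAMPLE-* prefixes are constructed for the example.

```python
import re
# Constructed sample log: line 1 is the request quoted in the post, the others
# are made up; the SFW2-EXAMPLE-* prefixes are placeholders, not real chains.
SAMPLE_LOG = """\
Mar 19 08:33:58 rose kernel: SFW2-FWDint-ACC-MASQ IN=eth0 OUT=eth1 SRC=192.168.2.2 DST=209.204.189.1 LEN=60 TOS=0x00 PREC=0x00 TTL=126 ID=37282 PROTO=ICMP TYPE=8 CODE=0 ID=32768 SEQ=14848
Mar 19 08:35:10 rose kernel: SFW2-FWDint-ACC-MASQ IN=eth0 OUT=eth1 SRC=192.168.2.5 DST=209.204.189.40 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=1001 PROTO=TCP SPT=3344 DPT=80
Mar 19 08:35:10 rose kernel: SFW2-EXAMPLE-REPLY IN=eth1 OUT=eth0 SRC=209.204.189.40 DST=192.168.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2002 PROTO=TCP SPT=80 DPT=3344
Mar 19 08:35:11 rose kernel: SFW2-EXAMPLE-INPUT IN=eth1 OUT= SRC=209.204.189.40 DST=209.204.189.32 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=2003 PROTO=TCP SPT=80 DPT=22
"""
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_sfw2_line(line):
    """Return the key=value fields of one SFW2 kernel log line, or None."""
    m = re.search(r"kernel: (SFW2-\S+) (.*)", line)
    if m is None:
        return None
    rec = {"PREFIX": m.group(1)}
    for key, val in FIELD_RE.findall(m.group(2)):
        if key == "ID" and "ID" in rec:  # ICMP lines: IP ID first, then echo ID
            key = "ECHO_ID"
        rec[key] = val
    return rec

def flow_key(rec, reverse=False):
    """5-tuple of a logged packet; reverse=True is the key its reply would have."""
    src, dst = rec["SRC"], rec["DST"]
    a = rec.get("SPT", rec.get("ECHO_ID", ""))
    b = rec.get("DPT", rec.get("ECHO_ID", ""))
    if reverse:
        src, dst, a, b = dst, src, b, a
    return (rec["PROTO"], src, dst, a, b)

def unanswered_flows(log_text):
    """Forwarded flows logged one way only; FORWARD sees replies after reverse NAT, so swapping SRC/DST pairs them."""
    seen, first = set(), {}
    for line in log_text.splitlines():
        rec = parse_sfw2_line(line)
        if not rec or not rec.get("OUT"):
            continue  # only forwarded packets carry both IN= and OUT=
        k = flow_key(rec)
        seen.add(k)
        first.setdefault(k, rec)
    return sorted(k for k, r in first.items() if flow_key(r, True) not in seen)
def ip_forward_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """True/False from the sysctl file named in the reply; None if unreadable."""
    try:
        return open(path).read().strip() == "1"
    except OSError:
        return None
```

Run against /var/log/messages on the firewall itself, an empty result for a flow that clearly left on eth1 points at the reply never reaching FORWARD, which is what a disabled ip_forward or a missing return route on the upstream side looks like.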