Re: [opensuse] Accepting all in the FORWARD chain
  • From: Peder <suseuser@xxxxxxxxxxx>
  • Date: Fri, 15 Dec 2006 08:21:38 +0100 (CET)
  • Message-id: <Pine.LNX.4.64.0612150755150.20449@xxxxxxxxxxxxxxxxx>


On Thu, 14 Dec 2006, Darryl Gregorash wrote:

> On 2006-12-14 02:33, Peder wrote:
>
> I've been following this thread with some interest, and I cannot see
> what problem you were having with SuSEfirewall2. AFAICT, all that you
> did should have worked. What relevant differences are there between what
> SuSEfirewall2 delivers, and your own rules?

SuSEfirewall2 sends FORWARDED packets to the forward_ext chain
where it does some magic tricks with it like setting TOS IIRC
and other stuff (there was like 10-15 rules in that chain).
My rules just sets default action to ACCEPT and nothing else.

> It would have helped, of course, if you had given us an example or two
> of traffic that was being dropped.

This is from one session:

SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16576 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15
LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16577 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0

SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15
LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16578 DF PROTO=TCP
SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0

SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15
LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16579 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0

SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15
LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16610 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15
LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16611 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0

(10.100.200.10 is my client and 10.111.40.15 my web server on the DMZ)

so it seems like it accepts the initial SYN but drops the following
ACKs. From what I recall the FW_FORWARD="10.100.200.0/24,0/0" led to
NEW,RELATED and ESTABLISHED being accepted from 10.100.200.0/24 and
RELATED and ESTABLISHED being accepted back.

Hmmm, I think I realize now why it doesn't work. Since my squid server
isn't a router in its true meaning it doesn't see the ACK my web
server sends as a reply to the SYN (since that traffic goes directly
from the web server to the client).
Therefore it doesn't see my client's subsequent ACK as RELATED or
ESTABLISHED.

I guess my setup is a bit too unorthodox for SuSEfirewall2 but I still
don't get why it doesn't have an option to accept _all_ forwarding.

- Peder

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
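The log pattern Peder describes (a SYN accepted by forward_ext, then every later packet of the same connection logged by the DROP-DEFLT-INV rule because conntrack never saw the server's SYN/ACK) is easy to confirm mechanically. The script below is an added example written for this archive page, not code from the thread or from SuSEfirewall2: it parses SFW2 kernel log lines, tracks TCP flows by 4-tuple, and reports flows whose SYN was accepted but whose subsequent non-SYN packets were dropped as INVALID, which is the signature of asymmetric routing through a one-armed firewall. The sample log is constructed from the lines quoted in the message; the log format parsing assumes the usual `KEY=value` layout with bare TCP flag tokens.

```python
"""Added example: detect "SYN accepted, later packets dropped as INVALID"
flows in SuSEfirewall2 log output. Not part of the original mail or of
SuSEfirewall2; sample data is constructed from the excerpt in the thread."""
import re
from collections import defaultdict

# Constructed sample, modelled on the log lines quoted in the message.
SAMPLE_LOG = """\
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16576 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16577 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16578 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16610 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16611 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
"""

# The leading token is the SFW2 rule tag (chain + action), the rest is KEY=value
# pairs with bare tokens for flags such as DF, SYN, ACK, PSH.
PREFIX_RE = re.compile(r"^(SFW2-\S+)\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_line(line):
    """Return (rule_tag, fields, tcp_flags) for one SFW2 log line, else None."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    tag, rest = m.groups()
    fields = dict(KV_RE.findall(rest))
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return tag, fields, flags


def flow_key(fields):
    """Identify a TCP flow by its 4-tuple plus protocol (client side first)."""
    return (fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"], fields["PROTO"])


def find_asymmetric_drops(log_text):
    """Map each flow whose SYN was accepted but whose later non-SYN packets hit a
    DROP-*-INV rule to the number of such drops. A non-empty result means
    conntrack is not seeing the return half of the handshake."""
    syn_accepted = set()
    suspect = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1].get("PROTO") != "TCP":
            continue
        tag, fields, flags = parsed
        key = flow_key(fields)
        if "-ACC-" in tag and "SYN" in flags and "ACK" not in flags:
            syn_accepted.add(key)          # initial SYN passed as NEW
        elif tag.endswith("-INV") and key in syn_accepted and "SYN" not in flags:
            suspect[key] += 1              # follow-up packet judged INVALID
    return dict(suspect)


if __name__ == "__main__":
    for (src, spt, dst, dpt, proto), n in find_asymmetric_drops(SAMPLE_LOG).items():
        print(f"{proto} {src}:{spt} -> {dst}:{dpt}: SYN accepted, "
              f"{n} later packet(s) dropped as INVALID (asymmetric path?)")
```

Run against a real `/var/log/firewall` or `dmesg` capture instead of `SAMPLE_LOG`, a list of flows here with many drops per accepted SYN points at the routing layout rather than at the rule set: the firewall forwards the client's SYN but never sees the server's reply, so every subsequent client packet fails the ESTABLISHED/RELATED match.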
