Mailinglist Archive: opensuse (1606 mails)

Re: [opensuse] Cannot access two internal nets with SuSeFirewall2
  • From: Rui Santos <rsantos@xxxxxxxxxxxxx>
  • Date: Wed, 03 Sep 2008 11:44:10 +0100
  • Message-id: <48BE6A7A.4040808@xxxxxxxxxxxxx>
wanakom@xxxxxxxxx wrote:
> Hi Rui
>
> Rui Santos wrote:
>>> same with network 192.168.2.x
>>
>> What about ssh? Can you ssh from one net to another?
>
> Nope. In fact, when I ping from a wxp machine, the answer is
> "Destination protocol unreachable".
>
>>> My Google searches have not shown any result. What do I miss in my
>>> configuration?
>>
>> Are you sure it's a firewall configuration? It could be the
>> configuration of your print-server system. Many printing servers, by
>> default, only allow printing from the network they are connected to. Just
>> check it to make sure.
>
> I cannot even ping machines or another server in the other network. No
> limitation has been set on the print-servers.
>
>> If you are sure it is a firewall configuration, could you provide the
>> firewall log right after a printing attempt? Also state which machine
>> is printing to which machine.
>
> After sending a ping to the printer 172.26.6.10 from machine
> 192.168.1.14, the firewall log output is as follows:
>
> Sep 3 11:15:32 ml110 kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2
> SRC=192.168.1.14 DST=172.26.6.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127
> ID=32021 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14592

You are right. ping can have additional restrictions. Can you try with
an ssh, ftp or telnet connection and provide the log?

> If I understand it, the firewall drops it because it stops the icmp
> protocol. But I specified FW_PROTECT_FROM_INT="no". Shall I specify
> what protocols are allowed in spite of no protection for "int"? If
> so, what variables shall I look for?

I believe your FW_MASQ_DEV="zone:ext zone:int" setting is incorrect. You
should not need any masquerade on "zone:int". Routing alone should take
care of all communications between your internal/dmz nets.

Try the settings:
FW_MASQ_DEV="zone:ext"
FW_MASQ_NETS="0/0"

--
Rui Santos
http://www.ruisantos.com/

Veni, vidi, Linux!

--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
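The diagnosis in this thread hinges on reading the SuSEfirewall2 kernel log line (chain FWDint, action DROP, reason DEFLT, then netfilter key=value fields). The following Python parser is an added example, not code from the thread or from the SuSEfirewall2 project. It assumes only the generic "SFW2-<chain>-<action>-<reason>" prefix layout that the line on the page exhibits; the first sample line is the one from the thread, the remaining lines are constructed. Note that netfilter emits "ID=" twice for ICMP (IP id, then ICMP echo id), so the parser has to keep the second one under a separate key instead of overwriting the first.

```python
import re
from collections import Counter

# Constructed sample log: line 1 is the line from the thread, the rest are
# made up to show another protocol, another chain, and a non-firewall line.
SAMPLE_LOG = """\
Sep 3 11:15:32 ml110 kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.1.14 DST=172.26.6.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=32021 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14592
Sep 3 11:16:01 ml110 kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.1.14 DST=172.26.6.10 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=32022 PROTO=TCP SPT=1044 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 3 11:16:30 ml110 kernel: SFW2-INext-DROP-DEFLT IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4444 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Sep 3 11:17:00 ml110 sshd[1234]: Accepted publickey for alice from 192.168.1.14 port 1050 ssh2
"""

# Assumed prefix layout: SFW2-<chain>-<action>-<reason> followed by netfilter fields.
PREFIX_RE = re.compile(
    r'SFW2-(?P<chain>[A-Za-z]+)-(?P<action>[A-Z]+)-(?P<reason>\S+)\s+(?P<fields>.*)$')
# Chain names combine a direction (IN/OUT/FWD) with the zone the packet came from.
CHAIN_RE = re.compile(r'^(?P<direction>IN|OUT|FWD)(?P<zone>ext|int|dmz)?$')


def parse_sfw2_line(line):
    """Return a dict for an SFW2 log line, or None for any other line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    chain = m.group('chain')
    cm = CHAIN_RE.match(chain)
    rec = {
        'chain': chain,
        'action': m.group('action'),
        'reason': m.group('reason'),
        'direction': cm.group('direction') if cm else None,
        'zone': cm.group('zone') if cm else None,
    }
    proto = None
    for tok in m.group('fields').split():
        if '=' not in tok:
            # Bare tokens are TCP flag names (SYN, ACK, ...).
            rec.setdefault('flags', []).append(tok)
            continue
        key, value = tok.split('=', 1)
        if key in rec:
            # Second occurrence of a key (e.g. ID after PROTO=ICMP) belongs to the
            # transport header; keep it under a protocol-prefixed name.
            key = f'{proto}_{key}' if proto else f'{key}_2'
        rec[key] = value
        if key == 'PROTO':
            proto = value
    return rec


def forwarded_drops(lines):
    """Count dropped forwards by (source zone, src, dst, proto).

    With FW_PROTECT_FROM_INT="no" one would not expect any FWDint drops, so a
    non-empty result for zone 'int' points at the forwarding/masquerade setup.
    """
    counts = Counter()
    for line in lines:
        rec = parse_sfw2_line(line)
        if rec and rec['direction'] == 'FWD' and rec['action'] == 'DROP':
            counts[(rec['zone'], rec['SRC'], rec['DST'], rec['PROTO'])] += 1
    return counts


if __name__ == '__main__':
    for key, n in forwarded_drops(SAMPLE_LOG.splitlines()).items():
        zone, src, dst, proto = key
        print(f'{n} dropped {proto} forward(s) from zone {zone}: {src} -> {dst}')
```

Running the block against the constructed log prints one ICMP and one TCP drop from zone int for 192.168.1.14 -> 172.26.6.10, which is exactly the pattern that made the masquerade setting the prime suspect in the thread; the INext drop and the sshd line are left out of the forward summary.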
