Mailinglist Archive: opensuse (924 mails)

Re: [opensuse] SuseFirewall2 does not allow pings to ext network?
On 10/29/2012 12:59 AM, Togan Muftuoglu wrote:
> On 10/28/2012 08:36 PM, Marc Chamberlin wrote:
>> Thanks Togan, nice way to strip out comments! I have posted the
>> SuSEfirewall2 configuration to
>>
>> http://susepaste.org/fe8e7b3a
>>
>> and left the default expiration at 1 week. Hopefully someone can find
>> something interesting that I have overlooked!
> Ok first tighten up your config a bit and remove "any" from the DEV_EXT
> so it looks like
> FW_DEV_EXT="eth0"
>
> When you have FW_PROTECT_FROM_INT="no" then you do not need to specify
> FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP so you may want to remove
> them. Best way during testing is comment them and add empty versions of
> them with an empty line after the variable ie.
>
> FW_SERVICES_INT_TCP=""
>
> FW_SERVICES_INT_UDP=""
>
> For testing purposes also make the following changes
>
> FW_LOG_DROP_ALL="yes"
> FW_LOG_ACCEPT_ALL="yes"
>
> These will cause lots of logging so once you are done with the testing
> revert them back to their default no
>
> So for testing once the above is corrected with root privileges
> /sbin/SuSEfirewall2 start
>
> Begin trying to use your application and send the relevant part of the
> logs, ie if the service is unreachable then find the log entries which
> are dropped and send them or use susepaste.org which in that case send
> the paste id
>
> Togan

Thanks for the good suggestions Togan, on how to improve SuSEFirewall2! Much appreciated.

I made the changes you suggested, then restarted the firewall, and tried to ping devices on my external network, from inside my internal network. No joy. I did a tail -f /var/log/firewall and posted the output to

http://susepast.org/34186a92

but I don't think much of relevance really got logged. Perhaps you will see something I don't.. I can try and do it a few more times, the output is different each time and I suspect mostly from other systems on my internal network communicating with the internet.

Marc..



--
"The Truth is out there" - Spooky
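
An added example, not part of the original thread: a shell filter for the log-reading step described above, which keeps only the ICMP entries from the firewall log and groups them by log prefix, interfaces and addresses so that unrelated traffic from other hosts does not bury the pings. The log lines are constructed samples, and the `SFW2-...` prefix names, interface names and addresses in them are assumptions, not values from the posted pastes.

```shell
#!/bin/sh
# Summarise ICMP entries written by the SuSEfirewall2 LOG rules.
# Reads log lines on stdin; prints "<count> <prefix> in= out= src->dst type=".
sfw2_icmp_summary() {
    awk '
    /SFW2-/ && /PROTO=ICMP/ {
        prefix = in_if = out_if = src = dst = type = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SFW2-/)      prefix = $i            # rule that logged it
            else if ($i ~ /^IN=/)   in_if  = substr($i, 4) # arriving interface
            else if ($i ~ /^OUT=/)  out_if = substr($i, 5) # empty if not forwarded
            else if ($i ~ /^SRC=/)  src    = substr($i, 5)
            else if ($i ~ /^DST=/)  dst    = substr($i, 5)
            else if ($i ~ /^TYPE=/) type   = substr($i, 6) # 8 = echo request
        }
        if (in_if == "")  in_if  = "-"
        if (out_if == "") out_if = "-"
        count[prefix " in=" in_if " out=" out_if " " src "->" dst " type=" type]++
    }
    END { for (k in count) print count[k], k }
    ' | LC_ALL=C sort -k2
}

# Constructed sample input (not real log data): two forwarded pings from an
# internal host, one unrelated TCP entry, one ping arriving from outside,
# and one non-firewall line.
sample_log() {
    cat <<'EOF'
Oct 29 10:01:02 gw kernel: [ 1234.501] SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=1
Oct 29 10:01:03 gw kernel: [ 1235.502] SFW2-FWDint-DROP-DEFLT IN=eth1 OUT=eth0 SRC=192.168.10.5 DST=192.0.2.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4242 SEQ=2
Oct 29 10:01:03 gw kernel: [ 1235.640] SFW2-FWDint-ACC-ALL IN=eth1 OUT=eth0 SRC=192.168.10.9 DST=198.51.100.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5511 DF PROTO=TCP SPT=51514 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0
Oct 29 10:01:05 gw kernel: [ 1237.010] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=77 SEQ=1
Oct 29 10:01:06 gw dhcpd: DHCPACK on 192.168.10.9 via eth1
EOF
}

# Demo on the sample; on the gateway itself: sfw2_icmp_summary < /var/log/firewall
sample_log | sfw2_icmp_summary
```

If the test pings never show up in this summary at all, they are not reaching a logging rule on this host, which points at routing or interface assignment rather than a dropped packet.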
