Hi,
I'm trying to reinstall a package manually with rpm in SuSE 9.0 and some config files don't get updated. I tried with --force, --replacefiles and so on, and those files don't get updated anyway. I don't know if it's a security issue or something I have to worry about...
Do you know how to *really* reinstall a complete package (including configuration files)?
Thanks in advance.
Regards,
Gustavo.
Hello Philipp,
I'm sorry, but I think you're wrong.
You're right about the network classes, but you can of course
route a /12 network to a /19 network, and so on.
I route 5 /19 networks with 3 /16 networks in every direction over one router.
As long as they are not in one subnet....
For routing rules it is possible to route 192.168.0.0/16 to 10.62.56.0/24.
All hosts have to use a default route to "the network card" of their router.
If the router has 192.168.0.1 on eth1 and 10.62.56.1 on eth2, then the default route
on the 10.* net is 10.62.56.1 and on 192.168.* it is 192.168.0.1...
If you have IP forwarding enabled, it will work.
But have a look at the other routing rules on the router and on the workstations.
CU
Robert
-----Original Message-----
From: Philipp Rusch [mailto:philipp.rusch@rusch-edv.de]
Sent: Tuesday, 6 April 2004 22:28
To: suse-security(a)suse.com
Subject: Re: [suse-security] Multiple Internal Networks not Routing
Jason,
Ok, we are one step further !
To clarify: (this has been defined like that,
there is no obvious technical reason for that,
ok there are some reasons, but that would lead us too far)
there are classes of IP-networks:
A-class : mask /8
B-class : mask /16
C-class : mask /24
with some special addresses reserved for "private use",
which means these are "unrouteable" addresses in terms of
internet routes; that's the reason for NAT, for instance.
OK,
10.a.b.c "normally" has to have a /8 mask (type A class)
you can divide this huge network of 16*16*16 hosts in smaller
nets using a /16 or a /24 mask for instance.
172.16.m.n "normally" has to have a /16 mask (type B class)
but the same concept of breaking it down into parts applies
as above, you are free to do so.
192.168.x.y "normally" has to have a /24 mask (type C class)
which implies that you choose the "x" and then this part of
the network address is fixed for your setup.
The advantage of having a 10.a.b.c/8 network instead of a
192.168.x.y/24 is that you can have more hosts belonging to
the *same* network without the need to route.
In your case, if you are still free to choose your network
addresses and don't have more than 254 hosts, I would strongly
recommend that you go for something like 192.168.1.x/24 on eth1
and 192.168.2.y/24 on eth2 or if you have more hosts, go for
172.16.1.x/16 on eth1 if there is the majority of your hosts
and take 192.168.2.x/24 for eth2.
Next question: what are the routing entries of your Windows PCs?
They have to know about the other net as well !
Post a route print example output of both networks back here.
Regards, Philipp
Jason Dobbs wrote:
> Ok here is the tracert data:
>
> From a windows PC (192.168.65.228) to a windows PC (10.62.56.8)
> -----------------------------------------------------------------
> 1 <1 ms <1 ms <1 ms 192.168.66.252
> 2 * * * Request timed out.
> 3 * * * Request timed out.
> 4 * * * Request timed out.
> 5 * * * Request timed out.
>
>
>
> /var/log/messages
> -----------------------------------------------------------------
> Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN=
> OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00
> PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228
> DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=24065 ]
> Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN=
> OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00
> PREC=0xC0 TTL=64 ID=1246 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228
> DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1531 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=24321 ]
> Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN=
> OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00
> PREC=0xC0 TTL=64 ID=1247 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228
> DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1532 PROTO=ICMP
> TYPE=8 CODE=0 ID=512 SEQ=24577 ]
> Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
> Apr 6 04:22:52 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=1 ID=1577 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25089
> Apr 6 04:22:56 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=1 ID=1579 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25345
> Apr 6 04:23:01 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=2 ID=1581 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25601
> Apr 6 04:23:05 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=2 ID=1589 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25857
> Apr 6 04:23:10 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=2 ID=1591 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26113
> Apr 6 04:23:14 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=3 ID=1593 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26369
> Apr 6 04:23:19 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=3 ID=1597 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26625
> Apr 6 04:23:23 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=3 ID=1599 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26881
> Apr 6 04:23:28 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=4 ID=1601 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27137
> Apr 6 04:23:32 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=4 ID=1605 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27393
> Apr 6 04:23:37 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=4 ID=1607 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27649
> Apr 6 04:23:41 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1
> OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00
> TTL=5 ID=1609 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27905
>
>
> 192.168.66.252 is the gateway for the 192.168.0.0/16 network.
> 10.62.56.252 is the gateway for the 10.62.56.0/24 network.
>
> as far as your note on /16 and /24 ... maybe I have them backwards! I
> thought 192.168.0.0 was /16 and 10.62.56.0 was /24!!!!!! <-- Please
> clarify this!
>
> Thank You,
> Jason Dobbs . IT Manager
> Westin Casuarina Casino Las Vegas
>
>
>
> Philipp Rusch wrote:
>
>> Hello Jason,
>> OK, I see ...
>> what about my note about /16 and /24 masks ?
>> do you *have* to do it like that ?
>>
>> When you leave both FW_MASQ_NETS="" (empty)
>> and FW_FORWARD="" (empty)
>> and do a traceroute from a host on eth1 to a host on eth2
>> or vice versa, what do you see in the firewall logs in
>> /var/log/messages ?
>>
>> Lets get this to work, Philipp
>>
>> Jason Dobbs wrote:
>>
>>> Kernel IP routing table
>>> Destination   Gateway       Genmask          Flags Metric Ref Use Iface
>>> <public ip>   0.0.0.0       255.255.255.128  U     0      0   0   eth0
>>> 10.62.56.0    0.0.0.0       255.255.255.0    U     0      0   0   eth2
>>> 192.168.0.0   0.0.0.0       255.255.0.0      U     0      0   0   eth1
>>> 0.0.0.0       <public gw>   0.0.0.0          UG    0      0   0   eth0
>>>
>>> ip forwarding is turned on in yast!
>>>
>>> Thank You,
>>> Jason Dobbs . IT Manager
>>> Westin Casuarina Casino Las Vegas
>>> p. 702.836.5939 f. 270.913.7462
>>> mailto: jdobbs(a)casuarinacasino.com
>>>
>>>
>>>
>>> Philipp Rusch wrote:
>>>
>>>> Hi Jason, what does your routing table look like?
>>>> post route -nv back here
>>>> are you routing at all ? (set ip_forward=yes in YAST)
>>>>
>>>> other comments inline ...
>>>>
>>>> Jason Dobbs wrote:
>>>>
>>>>> --SNIP ---
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>> FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail
>>>>> server ip>/32 10.62.56.0/24,<mail server ip>/32"
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> ----------------------------------^ this
>>>> ----------------------------------and this ^ is redundant,
>>>> 192.168.65.224/27 is completely contained
>>>> in 192.168.0.0./16 network, which means all 192.168."something"
>>>> nets ...
>>>> you know that normally 192.168.x.y net is a /24-type network and a
>>>> 10.x.y.z has a /16 type mask ??
>>>>
>>>> --SNIP--
>>>>
>>>>> FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535
>>>>> 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
>>>>> 192.168.0.0/16,10.62.56.0/24,udp,1:65535
>>>>> 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
>>>>> 192.168.0.0/16,10.62.56.0/24,icmp
>>>>> 10.62.56.0/24,192.168.0.0/16,icmp"
>>>>> FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800
>>>>> 0/0,192.168.65.227,tcp,5900 \
>>>>> 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> what are you trying to do here ?
>>>> If routing just doesn't work then forwarding doesn't help that much
>>>> ...
>>>>
>>>> I think something different is causing your troubles than missing
>>>> entries here,
>>>> seems you did too much work, it is normally quite simple, what
>>>> you try to do :-)
>>>>
>>>> Regards from Germany, Philipp
>>>>
>>>>
>>>
>>>
>>
>>
>
>
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help(a)suse.com
Security-related bug reports go to security(a)suse.de, not here
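The routing model Robert and Philipp argue about above (the router's two internal interfaces, each host's default gateway pointing at the router address on its own network, and the overlap between 192.168.65.224/27 and 192.168.0.0/16 in FW_MASQ_NETS), as an added Python example that is not part of the thread. The route table is a constructed copy of the one Jason posted, with the elided public network replaced by a bare default route on eth0; the function names `lookup`, `forward_path`, `redundant_nets` and `host_default_gw_ok` are this example's own.

```python
import ipaddress

# Constructed model of the router's table as posted in the thread. The public
# eth0 network is elided on the page, so a bare default route on eth0 stands
# in for it; the two internal routes are the ones Jason posted.
ROUTES = [
    # (destination network, outgoing interface)
    ("10.62.56.0/24", "eth2"),
    ("192.168.0.0/16", "eth1"),
    ("0.0.0.0/0", "eth0"),      # default route; the real gateway is elided
]


def lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific route that covers dst decides
    the outgoing interface, the same way the kernel's routing table does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in routes:
        n = ipaddress.ip_network(net)
        if addr in n and (best is None or n.prefixlen > best[0].prefixlen):
            best = (n, iface)
    return best[1] if best else None


def forward_path(src, dst, routes=ROUTES):
    """Interfaces the router uses for src -> dst and for the reply dst -> src.
    For two internal nets both must be internal interfaces, and different."""
    return lookup(dst, routes), lookup(src, routes)


def redundant_nets(nets):
    """Entries fully contained in another listed network. Philipp's point:
    192.168.65.224/27 adds nothing next to 192.168.0.0/16 in FW_MASQ_NETS."""
    parsed = [ipaddress.ip_network(n) for n in nets]
    return [str(a) for a in parsed
            if any(a != b and a.subnet_of(b) for b in parsed)]


def host_default_gw_ok(host_ip, host_gw, routes=ROUTES):
    """Robert's rule: a host's default gateway must be the router address on
    the host's own network, i.e. host and gateway match the same route."""
    return lookup(host_ip, routes) == lookup(host_gw, routes)


if __name__ == "__main__":
    print("192.168.65.228 -> 10.62.56.8 uses (out, reply) interfaces:",
          forward_path("192.168.65.228", "10.62.56.8"))
    print("redundant in FW_MASQ_NETS:",
          redundant_nets(["192.168.65.224/27", "10.62.56.0/24", "192.168.0.0/16"]))
    print("10.62.56.8 with gateway 192.168.66.252 is sane:",
          host_default_gw_ok("10.62.56.8", "192.168.66.252"))
```

`host_default_gw_ok` is the check to run against the Windows hosts' `route print` output that Philipp asks for: a host on 10.62.56.0/24 whose default gateway lies on the 192.168.0.0/16 side can receive the forwarded packet but has no way to send the reply back through the router.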
Robert,
ETH1 Dump
------------------------------------------
tcpdump: listening on eth1
05:33:19.653787 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707194 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207866 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708547 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter
0 packets dropped by kernel
ETH2 Dump
-------------------------------------------
tcpdump -pni eth2 icmp
tcpdump: listening on eth2
05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:30.207911 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:35.708586 192.168.65.228 > 10.62.56.8: icmp: echo request
4 packets received by filter
0 packets dropped by kernel
192.168.65.228 trying to ping 10.62.56.8
---------------------------------------------------
Pinging 10.62.56.8 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.62.56.8:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
IP-Forwarding
----------------------------------------
cat /proc/sys/net/ipv4/ip_forward <enter>
1
Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas
Rasp, Robert wrote:
>Hello,
>
>I had this problem myself... I hate routing sometimes ;-)
>Is IP forwarding enabled (cat /proc/sys/net/ipv4/ip_forward)?
>Try this:
>Open two shells and start "tcpdump -pni eth1 icmp" in one shell and
>"tcpdump -pni eth2 icmp" in the other.
>Try the Ping again and watch the results...
>
>CU
>Robert
>
>
>-----Original Message-----
>From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
>Sent: Tuesday, 6 April 2004 21:49
>To: Rasp, Robert
>Subject: Re: *****list-suse***** RE: [suse-security] Multiple Internal
>Networks not Routing
>
>
>Robert,
>
>I took the firewall script down and tried a ping from 192.168.65.228 to
>10.62.56.8 and got the same results, request timed out.
>
>Thank You,
>Jason Dobbs . IT Manager
>Westin Casuarina Casino Las Vegas
>
>
>
>Rasp, Robert wrote:
>
>
>
>>Hello,
>>
>>If I had this problem, I'd try it without the firewall first....
>>Then you can be sure your routing is OK.
>>It may be better to stay offline while the firewall script isn't running :-)
>>
>>CU
>>Robert
>>
>>-----Original Message-----
>>From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
>>Sent: Tuesday, 6 April 2004 17:18
>>To: suse-security(a)suse.com
>>Subject: [suse-security] Multiple Internal Networks not Routing
>>
>>
>>Hi,
>>
>>Hoping someone can point out my mistake here! I have SuSE 9.0 running
>>with 3 NICs (eth0=internet, eth1=192.168.0.0/16, and
>>eth2=10.62.56.0/24). Everything with the internet is working great. The
>>problem is routing traffic between eth1 and eth2. I've set both networks
>>as trusted, set FW_FORWARD, and enabled FW_ALLOW_CLASS_ROUTING. Nothing
>>has seemed to work. Posted is also a copy of my
>>/etc/sysconfig/SuSEfirewall2. I'd like to allow all traffic between
>>these 2 networks.
>>
>>Any ideas?
>>
>>-------------------------------------------------------------------
>>FW_QUICKMODE="no"
>>FW_DEV_EXT="eth0"
>>FW_DEV_INT="eth1 eth2"
>>FW_DEV_DMZ=""
>>FW_ROUTE="yes"
>>FW_MASQUERADE="yes"
>>FW_MASQ_DEV="$FW_DEV_EXT"
>>FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail
>>server ip>/32 10.62.56.0/24,<mail server ip>/32"
>>FW_PROTECT_FROM_INTERNAL="no"
>>FW_AUTOPROTECT_SERVICES="yes"
>>FW_SERVICES_EXT_TCP="http https ssh"
>>FW_SERVICES_EXT_IP=""
>>FW_SERVICES_DMZ_TCP=""
>>FW_SERVICES_DMZ_IP=""
>>FW_SERVICES_INT_TCP=""
>>FW_SERVICES_INT_UDP=""
>>FW_SERVICES_INT_IP=""
>>FW_SERVICES_QUICK_TCP=""
>>FW_SERVICES_QUICK_UDP=""
>>FW_SERVICES_QUICK_IP=""
>>FW_TRUSTED_NETS="192.168.0.0/16 10.62.56.0/24"
>>FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
>>FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
>>FW_SERVICE_AUTODETECT="yes"
>>FW_SERVICE_DNS="yes"
>>FW_SERVICE_DHCLIENT="no"
>>FW_SERVICE_DHCPD="yes"
>>FW_SERVICE_SQUID="yes"
>>FW_SERVICE_SAMBA="no"
>>FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535
>>10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
>> 192.168.0.0/16,10.62.56.0/24,udp,1:65535
>>10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
>> 192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
>>FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
>> 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
>>FW_REDIRECT=""
>>FW_LOG_DROP_CRIT="yes"
>>FW_LOG_DROP_ALL="yes" # Jason Dobbs
>>FW_LOG_ACCEPT_CRIT="yes"
>>FW_LOG_ACCEPT_ALL="yes" # Jason Dobbs
>>FW_LOG="--log-level warning --log-tcp-options --log-ip-option
>>--log-prefix SuSE-FW"
>>FW_KERNEL_SECURITY="yes"
>>FW_STOP_KEEP_ROUTING_STATE="no"
>>FW_ALLOW_PING_FW="yes"
>>FW_ALLOW_PING_DMZ="no"
>>FW_ALLOW_PING_EXT="no"
>>FW_ALLOW_FW_TRACEROUTE="yes"
>>FW_ALLOW_FW_SOURCEQUENCH="yes"
>>FW_ALLOW_FW_BROADCAST="no"
>>FW_IGNORE_FW_BROADCAST="yes"
>>FW_ALLOW_CLASS_ROUTING="yes"
>>FW_CUSTOMRULES=""
>>FW_REJECT="no"
>>FW_HTB_TUNE_DEV=""
>>-----------------------------------------------------------------------------------
>>
>>
>>
>>
>>
>
>
>
>
>
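The two captures Jason posts above (the SuSE-FW kernel log with FW_LOG_ACCEPT_ALL="yes", and tcpdump on eth1 and eth2) answer the question "did the router forward the echo request, and did anything come back?". The Python below is an added example, not part of the thread: it parses both formats and reduces them to that verdict. The log and tcpdump lines are constructed here in the thread's formats with the thread's addresses; the names `parse_kernel`, `parse_tcpdump` and `forward_verdict` are this example's own.

```python
import re

# Constructed sample data in the two formats shown in the thread: SuSEfirewall2
# kernel log lines (prefix SuSE-FW) and the output of "tcpdump -pni eth2 icmp".
# Addresses are the thread's; the lines themselves are made up for this example.
KERNEL_LOG = """\
Apr 6 04:22:47 terminator kernel: SuSE-FW-TRACEROUTE-ATTEMPT IN= OUT=eth1 SRC=192.168.66.252 DST=192.168.65.228 LEN=120 TOS=0x00 PREC=0xC0 TTL=64 ID=1245 PROTO=ICMP TYPE=11 CODE=0 [SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1530 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24065 ]
Apr 6 04:22:48 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1534 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=24833
Apr 6 04:22:52 terminator kernel: SuSE-FW-ACCEPT-CLASS IN=eth1 OUT=eth2 SRC=192.168.65.228 DST=10.62.56.8 LEN=92 TOS=0x00 PREC=0x00 TTL=1 ID=1577 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=25089
"""

TCPDUMP_ETH2 = """\
tcpdump: listening on eth2
05:33:19.654447 192.168.65.228 > 10.62.56.8: icmp: echo request
05:33:24.707232 192.168.65.228 > 10.62.56.8: icmp: echo request
2 packets received by filter
"""

FIELD = re.compile(r"(\w+)=(\S*)")
TAG = re.compile(r"SuSE-FW-([A-Z-]+)")
TCPDUMP_ICMP = re.compile(r"^\S+ (\S+) > (\S+): icmp: echo (request|reply)")


def parse_kernel(log):
    """Outer header fields of each SuSE-FW line as a dict. ICMP error lines
    (TYPE=11 here) carry a bracketed copy of the original packet; it is cut
    off first so its SRC/DST do not overwrite the outer ones."""
    for line in log.splitlines():
        m = TAG.search(line)
        if not m:
            continue
        rec = dict(FIELD.findall(line.split("[", 1)[0]))
        rec["tag"] = m.group(1)
        yield rec


def parse_tcpdump(text):
    """(src, dst, kind) for every ICMP echo line in tcpdump output."""
    for line in text.splitlines():
        m = TCPDUMP_ICMP.match(line)
        if m:
            yield m.groups()


def forward_verdict(kernel_log, far_side_dump, src, dst,
                    in_if="eth1", out_if="eth2"):
    """Returns (status, requests_forwarded, replies_seen) for one ping pair.
    status: 'answered', 'no_reply' (router forwarded, far side never
    answered: look at the target's default gateway and host firewall) or
    'not_forwarded' (nothing left the router: routing/ip_forward/FW_FORWARD)."""
    req = rep = 0
    for r in parse_kernel(kernel_log):
        if r.get("PROTO") != "ICMP":
            continue
        key = (r.get("SRC"), r.get("DST"), r.get("IN"), r.get("OUT"), r.get("TYPE"))
        if key == (src, dst, in_if, out_if, "8"):      # echo request forwarded
            req += 1
        elif key == (dst, src, out_if, in_if, "0"):    # echo reply forwarded back
            rep += 1
    for s, d, kind in parse_tcpdump(far_side_dump):
        if (s, d, kind) == (src, dst, "request"):
            req += 1
        elif (s, d, kind) == (dst, src, "reply"):
            rep += 1
    if rep:
        return "answered", req, rep
    if req:
        return "no_reply", req, rep
    return "not_forwarded", req, rep


if __name__ == "__main__":
    print(forward_verdict(KERNEL_LOG, TCPDUMP_ETH2, "192.168.65.228", "10.62.56.8"))
```

With the constructed data (which mirrors what Jason's captures show) the verdict is `no_reply`: the router's forward path is doing its job and the next place to look is the host at 10.62.56.8, which is exactly why Philipp asks for the Windows `route print` output.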
Hello,
If I had this problem, I'd try it without the firewall first....
Then you can be sure your routing is OK.
It may be better to stay offline while the firewall script isn't running :-)
CU
Robert
-----Original Message-----
From: Jason Dobbs [mailto:jdobbs@casuarinacasino.com]
Sent: Tuesday, 6 April 2004 17:18
To: suse-security(a)suse.com
Subject: [suse-security] Multiple Internal Networks not Routing
Hi,
Hoping someone can point out my mistake here! I have SuSE 9.0 running
with 3 NICs (eth0=internet, eth1=192.168.0.0/16, and
eth2=10.62.56.0/24). Everything with the internet is working great. The
problem is routing traffic between eth1 and eth2. I've set both networks
as trusted, set FW_FORWARD, and enabled FW_ALLOW_CLASS_ROUTING. Nothing
has seemed to work. Posted is also a copy of my
/etc/sysconfig/SuSEfirewall2. I'd like to allow all traffic between
these 2 networks.
Any ideas?
-------------------------------------------------------------------
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 eth2"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail
server ip>/32 10.62.56.0/24,<mail server ip>/32"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http https ssh"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/16 10.62.56.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535
10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
192.168.0.0/16,10.62.56.0/24,udp,1:65535
10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes" # Jason Dobbs
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes" # Jason Dobbs
FW_LOG="--log-level warning --log-tcp-options --log-ip-option
--log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
-----------------------------------------------------------------------------------
--
Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas
Hello Jason,
OK, I see ...
what about my note about /16 and /24 masks ?
do you *have* to do it like that ?
When you leave both FW_MASQ_NETS="" (empty)
and FW_FORWARD="" (empty)
and do a traceroute from a host on eth1 to a host on eth2
or vice versa, what do you see in the firewall logs in /var/log/messages ?
Lets get this to work, Philipp
Jason Dobbs wrote:
> Kernel IP routing table
> Destination   Gateway       Genmask          Flags Metric Ref Use Iface
> <public ip>   0.0.0.0       255.255.255.128  U     0      0   0   eth0
> 10.62.56.0    0.0.0.0       255.255.255.0    U     0      0   0   eth2
> 192.168.0.0   0.0.0.0       255.255.0.0      U     0      0   0   eth1
> 0.0.0.0       <public gw>   0.0.0.0          UG    0      0   0   eth0
>
> ip forwarding is turned on in yast!
>
> Thank You,
> Jason Dobbs . IT Manager
> Westin Casuarina Casino Las Vegas
> p. 702.836.5939 f. 270.913.7462
> mailto: jdobbs(a)casuarinacasino.com
>
>
>
> Philipp Rusch wrote:
>
>> Hi Jason, what does your routing table look like?
>> post route -nv back here
>> are you routing at all ? (set ip_forward=yes in YAST)
>>
>> other comments inline ...
>>
>> Jason Dobbs wrote:
>>
>>> --SNIP ---
>>
>>
>>
>>> FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail
>>> server ip>/32 10.62.56.0/24,<mail server ip>/32"
>>
>>
>>
>> ----------------------------------^ this
>> ----------------------------------and this ^ is redundant,
>> 192.168.65.224/27 is completely contained
>> in 192.168.0.0./16 network, which means all 192.168."something" nets ...
>> you know that normally 192.168.x.y net is a /24-type network and a
>> 10.x.y.z has a /16 type mask ??
>>
>> --SNIP--
>>
>>> FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535
>>> 10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
>>> 192.168.0.0/16,10.62.56.0/24,udp,1:65535
>>> 10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
>>> 192.168.0.0/16,10.62.56.0/24,icmp
>>> 10.62.56.0/24,192.168.0.0/16,icmp"
>>> FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800
>>> 0/0,192.168.65.227,tcp,5900 \
>>> 0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
>>
>>
>>
>> what are you trying to do here ?
>> If routing just doesn't work then forwarding doesn't help that much ...
>>
>> I think something different is causing your troubles than missing
>> entries here,
>> seems you did too much work, it is normally quite simple, what
>> you try to do :-)
>>
>> Regards from Germany, Philipp
>>
>>
>
>
Hi,
Hoping someone can point out my mistake here! I have SuSE 9.0 running
with 3 NICs (eth0=internet, eth1=192.168.0.0/16, and
eth2=10.62.56.0/24). Everything with the internet is working great. The
problem is routing traffic between eth1 and eth2. I've set both networks
as trusted, set FW_FORWARD, and enabled FW_ALLOW_CLASS_ROUTING. Nothing
has seemed to work. Posted is also a copy of my
/etc/sysconfig/SuSEfirewall2. I'd like to allow all traffic between
these 2 networks.
Any ideas?
-------------------------------------------------------------------
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 eth2"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.65.224/27 10.62.56.0/24 192.168.0.0/16,<mail
server ip>/32 10.62.56.0/24,<mail server ip>/32"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http https ssh"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/16 10.62.56.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD="192.168.0.0/16,10.62.56.0/24,tcp,1:65535
10.62.56.0/24,192.168.0.0/16,tcp,1:65535 \
192.168.0.0/16,10.62.56.0/24,udp,1:65535
10.62.56.0/24,192.168.0.0/16,udp,1:65535 \
192.168.0.0/16,10.62.56.0/24,icmp 10.62.56.0/24,192.168.0.0/16,icmp"
FW_FORWARD_MASQ="0/0,192.168.65.227,tcp,5800 0/0,192.168.65.227,tcp,5900 \
0/0,192.168.65.227,tcp,5632 0/0,192.168.65.227,udp,5632"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes" # Jason Dobbs
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes" # Jason Dobbs
FW_LOG="--log-level warning --log-tcp-options --log-ip-option
--log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
-----------------------------------------------------------------------------------
--
Thank You,
Jason Dobbs . IT Manager
Westin Casuarina Casino Las Vegas
Hi there,
while setting up smtp-auth, i noticed that postfix shipped
with 8.1 is compiled against sasl1 but nearly all other things
like cyrus against sasl2. Does anyone know a way to put them
together without recompiling stuff? I don't want to start
my own repositories ;)
I just want 'virtual' mail users for security reasons but this
seems not to be possible with 8.1? or at least not in an easy
way.
Regards & thanks,
Sven
Hi,
I have some problems with the configuration of the SuSEfirewall2 (3.1)
on a SuSE 9.0 system. I have read the unofficial SuSEFAQ by Togan
Muftuoglu, but unfortunately this could not help me to solve the
problem.
The system is part of a NIS domain with central NFS server. When the
firewall is off, I have full network functionality (i.e. the system
boots as a NIS client with nfs mounted home directories).
However, when I enable SuSEfirewall2 for this system (using YaST),
the firewall (/etc/rc.d/rc5.d/S01SuSEfirewall2_init) blocks
("destination unreachable") all {dns, smb, nfs, nis} traffic until
(S14SuSEfirewall2_setup) *after* the {smbfs, nfs, ypbind} services are
started...
I'm wondering if the above functionality is by design, and if so, why?
And, more important, how do I configure the firewall so everything
works? (I haven't seen any mention of this problem, so I'm wondering
if I'm just doing something wrong, or no one else is using SuSE 9.0,
SuSEfirewall2 and {smb, nfs, nis}?)
Thanks in advance,
Robbert Eggermont
Hello List,
First of all thanks to all the helpful people out there!
I have postfix, cyrus and saslauthd running on a suse 9.0 box.
postfix and cyrus use TLS and saslauthd to authenticate users against
PAM. In my /etc/pam.d/smtp and imap files I have working definitions
for active directory/samba3/winbind, so that both local linux users and
windows users can access the mailserver.
But:
With this combination, only few possibilities are left for encryption:
- IMAP is sort of OK (I hope), since this is managed over SSL; however, I
would prefer CRAM-MD5 or DIGEST-MD5 encryption additionally. But I was told:
this does not work with saslauthd and PAM. Why?
- If I activate tls in postfix, local delivery to cyrus fails with the
message: MUST ISSUE A STARTTLS COMMAND.
So my questions are:
1) How can I make my setup more secure?
2) How can I setup postfix with cyrus and tls and working local
delivery?
I can send relevant config files, if you wish.
--
Kind regards
Markus Feilner
--
Linux Solutions, Training, Seminars and Workshops - also in-house
Feilner IT Linux & GIS Erlangerstr. 2 93059 Regensburg
phone: +49 941 70 65 23 - mobile: +49 170 302 709 2
web: http://feilner-it.net mail: mfeilner(a)feilner-it.net
Hello,
i finally got it working. My chrooted Postfix uses saslauthd to authenticate users against pam (at least AD).
Here are the essentials of my config:
/usr/lib/sasl2/smtpd.conf
pwcheck_method: saslauthd
saslauthd_path: /var/run/sasl2/mux
mech_list: plain login
Remember to leave smtpd_sasl_local_domain in your main.cf blank:
smtpd_sasl_local_domain =
Modify your rcsaslauthd to hard-link the socket from sasl2 to postfix, and rm
the socket when stopping saslauthd
.
.
.
case "$1" in
    start)
        echo -n "Starting service saslauthd"
        /sbin/startproc $AUTHD_BIN -a $SASLAUTHD_AUTHMECH > /dev/null 2>&1 #debug
        # hard-link the socket into the postfix chroot
        # (-f replaces a stale link left behind by an unclean stop)
        ln -f /var/run/sasl2/mux /var/spool/postfix/var/run/sasl2/
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down service saslauthd"
        /sbin/killproc -TERM $AUTHD_BIN > /dev/null 2>&1
        # remove the socket link from the postfix chroot
        rm -f /var/spool/postfix/var/run/sasl2/mux
        rc_status -v
        ;;
.
.
.
Of course you need a corresponding /etc/pam.d/smtp, e.g.:
#%PAM-1.0
# by lanchr70 2003-02-12
auth sufficient pam_krb5.so
#
auth required pam_unix2.so
auth required pam_shells.so
account required pam_unix2.so
password required pam_unix2.so
session required pam_unix2.so
The extract from /var/log/messages:
Apr 5 14:09:50 xms001 saslauthd[29900]: rel_accept_lock : released accept lock
Apr 5 14:09:51 xms001 saslauthd[29900]: pam_krb5: authentication succeeds for `chris'
Apr 5 14:09:51 xms001 saslauthd[29900]: pam_krb5: pam_sm_authenticate returning 0 (Success)
Apr 5 14:09:51 xms001 saslauthd[29900]: do_auth : auth success: [user=chris] [service=smtp] [realm=] [mech=pam]
Apr 5 14:09:51 xms001 saslauthd[29900]: do_request : response: OK
Have fun!
Regards
Chris
Christian Lange
D-30455 Hannover
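The hard-link step in Chris's init script above has one failure mode the script does not report: a hard link cannot cross filesystems, so if /var/run and /var/spool/postfix are on different mounts `ln` fails and the chrooted smtpd silently finds no socket. The Python below is an added example, not part of Chris's post, that does the same link and unlink with that case handled and with a check that the path inside the chroot really is saslauthd's socket (same device and inode) rather than a copy. The function names `link_into_chroot`, `same_object`, `unlink_from_chroot` and `demo` are this example's own; `demo` runs against a temporary directory tree, using a regular file in place of the socket since a hard link treats both the same way.

```python
import errno
import os
import tempfile


def link_into_chroot(sock, chroot, rel="var/run/sasl2"):
    """Hard-link saslauthd's mux socket to the same relative path inside the
    Postfix chroot (what the init script's "ln" does), replacing a stale link.
    Returns the path inside the chroot. Raises OSError(EXDEV) with a hint if
    the socket directory is on another filesystem than the chroot."""
    dest_dir = os.path.join(chroot, rel)
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(sock))
    if os.path.lexists(dest):
        os.unlink(dest)            # leftover from an unclean stop
    try:
        os.link(sock, dest)
    except OSError as e:
        if e.errno == errno.EXDEV:
            raise OSError(
                errno.EXDEV,
                "%s and %s are on different filesystems; a hard link cannot "
                "cross them. Bind-mount the socket directory into the chroot "
                "or point saslauthd's socket directory inside it." % (sock, dest_dir))
        raise
    return dest


def same_object(a, b):
    """True if both paths name the same inode on the same device, i.e. the
    chroot sees saslauthd's own socket, not a copy or an empty file."""
    sa, sb = os.stat(a), os.stat(b)
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def unlink_from_chroot(chroot, name="mux", rel="var/run/sasl2"):
    """Stop-case counterpart: remove only the link inside the chroot.
    Returns True when nothing is left at that path."""
    p = os.path.join(chroot, rel, name)
    if os.path.lexists(p):
        os.unlink(p)
    return not os.path.lexists(p)


def demo():
    """Self-contained run in a temporary tree mirroring /var/run/sasl2/mux and
    /var/spool/postfix. Returns (linked_is_same_inode, unlink_ok, src_intact)."""
    root = tempfile.mkdtemp()
    sock_dir = os.path.join(root, "var", "run", "sasl2")
    os.makedirs(sock_dir)
    sock = os.path.join(sock_dir, "mux")
    open(sock, "w").close()                      # stand-in for the socket
    chroot = os.path.join(root, "var", "spool", "postfix")
    dest = link_into_chroot(sock, chroot)
    linked = same_object(sock, dest)
    removed = unlink_from_chroot(chroot)
    return linked, removed, os.path.exists(sock)


if __name__ == "__main__":
    print(demo())
```

Run `same_object("/var/run/sasl2/mux", "/var/spool/postfix/var/run/sasl2/mux")` on the live system after starting saslauthd; a False means smtpd is talking to something other than saslauthd's socket and the "authentication failed" you get from Postfix has nothing to do with PAM.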