
pronco@conae.gov.ar wrote:
> Is there any way to configure stateful packet inspection rules in SuSEfirewall2 for masquerade networks? When I configure a rule in FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I also have to configure a rule for responses.
>
> Example: Incoming traffic to my web server in a DMZ with private addresses
>
>   FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"
>
> I also need to set up the following rules in order to let responses out
>
>   FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"
>
> This rule permits not only established sessions, but additionally it allows my web server to establish connections to the outside world.
>
> Don't know why the FW_FORWARD rules are stateful as I want, but FW_MASQ_NETS ones don't.

You found a bug.

> Any suggestion?

You may take SuSEfirewall2 from FACTORY as soon as I have submitted a package with the fix. It should work on 10.0 as well (feel free to file a bug if not). In the meantime you could use one of the hook functions to just insert the required rules.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
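The workaround Ludwig points at is to have a hook function insert the rules by hand. The script below is an added example, not SuSEfirewall2's code and not the fix he refers to: it expands one FW_FORWARD_MASQ entry of the form "source,dest,proto,port" into the three iptables commands such a hook would insert, where the reply path is a single conntrack-state match rather than the FW_MASQ_NETS "1024:65535" entry the poster had to add (which also accepts NEW connections from the DMZ host). The commands are only printed, so it runs without root; the interface names eth0/eth1 and the hook name fw_custom_before_masq in /etc/sysconfig/scripts/SuSEfirewall2-custom are assumptions (check the hook names your SuSEfirewall2 version ships).

```shell
#!/bin/sh
# Added example: not SuSEfirewall2 code and not the fix Ludwig refers to.
# Expands one FW_FORWARD_MASQ entry ("source,dest,proto,port") into the
# iptables commands a hook function (assumed: fw_custom_before_masq in
# /etc/sysconfig/scripts/SuSEfirewall2-custom) would insert, with one
# stateful reverse rule instead of a wide FW_MASQ_NETS "1024:65535" entry.
# Commands are only printed, never executed, so this needs no root and no
# firewall. Interface names are assumptions; override with EXT_IF/DMZ_IF.

EXT_IF="${EXT_IF:-eth0}"   # assumed external (masquerading) interface
DMZ_IF="${DMZ_IF:-eth1}"   # assumed DMZ interface

# fw_masq_rules ENTRY : print the rules for one four-field FW_FORWARD_MASQ entry
fw_masq_rules() {
    entry=$1
    case "$entry" in
        *,*,*,*) ;;
        *) echo "fw_masq_rules: need source,dest,proto,port: '$entry'" >&2; return 1 ;;
    esac
    src=${entry%%,*};   rest=${entry#*,}
    dst=${rest%%,*};    rest=${rest#*,}
    proto=${rest%%,*};  port=${rest#*,}

    case "$proto" in
        tcp|udp) ;;
        *) echo "fw_masq_rules: unsupported protocol '$proto'" >&2; return 1 ;;
    esac
    # single numeric port only (no ranges, no service names)
    case "$port" in
        ''|*[!0-9]*) echo "fw_masq_rules: bad port '$port'" >&2; return 1 ;;
    esac

    # "0/0" means any source: leave the -s match out entirely
    srcmatch=""
    case "$src" in 0/0|0.0.0.0/0) ;; *) srcmatch="-s $src " ;; esac

    # 1. DNAT the public port to the DMZ host
    echo "iptables -t nat -A PREROUTING -i $EXT_IF ${srcmatch}-p $proto --dport $port -j DNAT --to-destination $dst"
    # 2. Let the translated packets through, but only for this port
    echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF ${srcmatch}-d $dst -p $proto --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. Replies: only packets of a connection conntrack already knows.
    #    This replaces FW_MASQ_NETS="...,tcp,1024:65535", which would also
    #    accept NEW connections opened by the DMZ host towards the outside.
    echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $dst -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Demo on the poster's entry (constructed sample; prints three rules)
fw_masq_rules "0/0,192.168.1.5,tcp,80"
```

Rule 3 is the one the poster was missing from SuSEfirewall2's generated set: with it in place, the DMZ host can answer connections that arrived through rule 1 but cannot open new ones, which is the least-privilege behaviour the FW_FORWARD rules already had.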