Hi Fritz,

I solve your problem in this way: I configure Apache to listen on the internal interface. Then I use a proxy.pac to redirect the requests for the external NIC to the internal device.

Greetings
Harald

On Friday, 13 September 2002 20:05, Fritz Berger wrote:
Is there really no way to relax the anti-spoofing mechanism of SuSEfirewall2 in such a way that only HTTP requests from the internal network get to the second network card with the connection to the world (and back)? (Sorry - but I got absolutely no answer to my question below - so maybe this is not easily done, or not possible?) Thanks for any answer! (Maybe the answer is: NO?)
Fritz
-------- Original Message --------
Subject: [suse-security] stop susefirewall2 anti-spoofing for HTTP only?
From: "Fritz Berger"
Date: Wed, 11.09.2002, 21:52
To:

Hello List!
I'm sorry to have to ask this question, but I did RTFM for quite a while, and I still need your help! I have a SuSE 8.0 Prof server with Apache & sendmail, and internally I am forwarding/masquerading some PCs (some Windows) (absolutely trusted). Everything works fine, BUT:
I tried without success to stop the anti-spoofing rules of SuSEfirewall2 to let ONLY HTTP (port 80; do I need more?) from the internal network (eth0) to the external NIC (eth1). I do NOT want all traffic from my internal PCs to my OWN HOMEPAGE to go over the proxy of my ISP. (It's sometimes really slow due to an overload on the proxy of my ISP.) ...and it is "destroying bandwidth" when I go masqueraded to my ISP only to access the other network card on my own server! I know it is a security hole, but if it were only for HTTP it should be OK. (And on my SuSE 7.3 server with ipchains it worked fine too.)

Please - no RTFM: I need a "cooking instruction". I think it is only one line inserted into /etc/sysconfig/scripts/SuSEfirewall2-custom, but which line and where??? AND I think this would be (as a "cooking instruction") something for the FAQ for all those like me who want to take this risk! I am tired of trying options and only getting SUSE-FW-NO_ACCESS_INT->FWEXT in my firewall logs! Thank you in advance!!
Fritz
Here is my firewall config:
----------------
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="http smtp www"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
--
Dr. Harald Wallus
netlike-gmbh
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23
Fax: +49(0)511 90 95 1-90
Email: wallus@netlike-gmbh.de
Internet: http://netlike-gmbh.de
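A proxy.pac in the spirit of Harald's reply, as an added example that is not his own file or part of the original thread: browsers hand requests for the server's public name to the Apache instance listening on the internal interface, so the traffic never crosses to eth1 and the SuSEfirewall2 anti-spoofing rules stay untouched. The hostname, the internal address and the ISP proxy are constructed placeholders.

```javascript
// Constructed values for this example: the server's public name,
// Apache's address on the internal interface (eth0) and the ISP proxy.
var OWN_SITE = "www.example.net";
var INTERNAL_APACHE = "192.168.1.1:80";
var ISP_PROXY = "proxy.isp.example:8080";
var LAN_PREFIX = "192.168.1.";

// The browser calls this with the full URL and its host part and
// obeys the returned proxy setting.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // The own homepage: send the request proxy-style to Apache on eth0.
  // Apache accepts the absolute-URI request line and serves the site
  // from the internal interface, so nothing is routed out via eth1.
  if (host === OWN_SITE) {
    return "PROXY " + INTERNAL_APACHE;
  }

  // Unqualified names and LAN addresses are reached directly.
  if (host.indexOf(".") === -1 || host.indexOf(LAN_PREFIX) === 0) {
    return "DIRECT";
  }

  // Everything else still goes masqueraded through the ISP proxy,
  // with a direct connection as fallback should the proxy be down.
  return "PROXY " + ISP_PROXY + "; DIRECT";
}
```

Apache must additionally have a Listen or VirtualHost entry for the internal address so that the proxied request actually lands there.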