As to your first statements, this is a voluntary response list. People may not respond for several reasons.

I believe the answer to your problem is to place the following in your custom config file for the firewall:

    fw_custom_before_antispoofing() {
        # these rules will be loaded before any anti spoofing rules will be
        # loaded. Effectively the only filter lists already effective are
        # 1) allow any traffic via the loopback interface, 2) allow DHCP stuff,
        # 3) allow SAMBA stuff [2 and 3 only if FW_SERVICE_... are set to "yes"]
        # You can use this hook to prevent logging of uninteresting broadcast
        # packets or to allow certain packets through the anti-spoofing mechanism.
        #example: allow incoming multicast packets for any routing protocol
        #iptables -A INPUT -j ACCEPT -d 224.0.0.0/24
        iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 999.999.999.999 -j ACCEPT
        true
    }

Note, 999.999.999.999 should be set to the IP address for your external interface.

You will also need to add this line to the end of your firewall config file:

    #
    # 25.)
    # Do you want to load customary rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
    #
    FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

This should do the job for you. This is an intentional security measure in the firewall to prevent spoofing of your internal addresses to your external interface.

Jim

By the way, the 'last attempt' comment may actually get you ignored by some members of this list.

8/1/2002 4:29:43 AM, j0nas <jonas@falafel.nu> wrote:
I'm going to make one last attempt at getting some answers to my problem before I leave this list. Hopefully someone can help me, or at least tell me what I want done is impossible so I don't have to keep looking for a solution. Here's my problem:
I'm using SuSE 8.0 with SuSEfirewall2, and on my firewall I have ports for ssh, smtp, http and identd open to the outside, and the same ports plus pop3+samba open for the internal network. I also have an extra port (not 21) opened for my ftp service.
My problem is that I can access all resources from the inside using the internal IP address of the firewall, i.e. I can view the web pages when calling http://192.168.0.1/ from any other machine on the internal network. It also works when I try to access the web server from the outside (using the external IP), BUT when I try to access the web server using the external IP (or the domain pointing to my firewall) nothing happens and I get this logged in /var/log/firewall:

    Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID= 33688 DF PROTO=TCP SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A000000000000000001010402)
Same goes for when I try to access any of the other services from the inside using the external IP. How can I make this work?
Here is my /etc/sysconfig/SuSEfirewall2 setup:

    FW_DEV_EXT="eth1"
    FW_DEV_INT="eth0"
    FW_DEV_DMZ=""
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="eth1"
    FW_MASQ_NETS="192.168.0.0/24"
    FW_PROTECT_FROM_INTERNAL="yes"
    FW_AUTOPROTECT_SERVICES="yes"
    FW_SERVICES_EXT_TCP="113 8000 http smtp ssh"
    FW_SERVICES_EXT_UDP=""
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_INT_TCP="113 139 445 8000 http pop3 pop3s smtp ssh"
    FW_SERVICES_INT_UDP="137:138"
    FW_SERVICES_INT_IP=""
    FW_TRUSTED_NETS="192.168.0.0/24"
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="8000"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
    FW_SERVICE_AUTODETECT="yes"
    FW_SERVICE_DNS="no"
    FW_SERVICE_DHCLIENT="yes"
    FW_SERVICE_DHCPD="no"
    FW_SERVICE_SQUID="no"
    FW_SERVICE_SAMBA="no"
    FW_FORWARD=""
    FW_FORWARD_MASQ=""
    FW_REDIRECT=""
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="no"
    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="no"
    FW_ALLOW_FW_TRACEROUTE="yes"
    FW_ALLOW_FW_SOURCEQUENCH="yes"
    FW_ALLOW_FW_BROADCAST="no"
    FW_IGNORE_FW_BROADCAST="yes"
    FW_ALLOW_CLASS_ROUTING="no"
Any help would be appreciated, thank you!
Jonas
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
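Added example, not part of the thread above and not SuSE's own code: a small POSIX shell helper that builds the fw_custom_before_antispoofing() hook Jim describes from the fields of the SuSE-FW log line Jonas posted. It reads the IN=, DST=, PROTO= and DPT= fields from the log line so the ACCEPT rule is scoped to the interface the drop was actually logged on and to the one destination port, validates the external address (so a placeholder such as 999.999.999.999 can never reach iptables), and prints the finished hook for FW_CUSTOMRULES. The interface, the internal network 192.168.0.0/24 and the log line are taken from the thread; the function names are this example's own.

```shell
#!/bin/sh
# Added example: derive the narrowest ACCEPT rule for the
# fw_custom_before_antispoofing() hook from a SuSE-FW log line.

# Log line copied from the thread (the NO_ACCESS_INT->FWEXT drop Jonas posted).
SAMPLE_LOG='Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0'

# log_field LINE KEY: print the value of the first KEY=value token in LINE.
log_field() {
    for tok in $1; do
        case "$tok" in
            "$2"=*) printf '%s\n' "${tok#*=}"; return 0 ;;
        esac
    done
    return 1
}

# is_ipv4 ADDR: true only for four dotted decimal octets in 0..255.
# This is what rejects a placeholder like 999.999.999.999 left in by mistake.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            '' | *[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_rule IFACE SRC_NET EXT_IP [PROTO PORT...]
# Print one ACCEPT rule, or one rule per port when a protocol and ports are given.
build_rule() {
    iface=$1; src=$2; dst=$3
    if ! is_ipv4 "$dst"; then
        echo "build_rule: '$dst' is not a valid IPv4 address" >&2
        return 1
    fi
    if [ $# -lt 5 ]; then
        printf 'iptables -A INPUT -i %s -s %s -d %s -j ACCEPT\n' "$iface" "$src" "$dst"
        return 0
    fi
    proto=$(printf '%s' "$4" | tr '[:upper:]' '[:lower:]')
    shift 4
    for port in "$@"; do
        printf 'iptables -A INPUT -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
            "$iface" "$src" "$dst" "$proto" "$port"
    done
}

# rule_from_log LINE SRC_NET: take interface, destination, protocol and port
# from the logged drop so the rule matches exactly that traffic and nothing else.
rule_from_log() {
    in_if=$(log_field "$1" IN) || return 1
    dst=$(log_field "$1" DST) || return 1
    log_proto=$(log_field "$1" PROTO) || return 1
    dpt=$(log_field "$1" DPT) || return 1
    build_rule "$in_if" "$2" "$dst" "$log_proto" "$dpt"
}

# hook_snippet IFACE SRC_NET EXT_IP [PROTO PORT...]: print a complete hook
# function ready to paste into the FW_CUSTOMRULES file.
hook_snippet() {
    rules=$(build_rule "$@") || return 1
    printf 'fw_custom_before_antispoofing() {\n'
    printf '    # let %s reach the external address %s before the anti-spoofing rules\n' "$2" "$3"
    printf '%s\n' "$rules" | while IFS= read -r rule; do
        printf '    %s\n' "$rule"
    done
    printf '    true\n}\n'
}

# Demonstration: build the hook from the log line in the thread.
hook_snippet eth0 192.168.0.0/24 "$(log_field "$SAMPLE_LOG" DST)" TCP 80
rule_from_log "$SAMPLE_LOG" 192.168.0.0/24
```

Because the rule is derived from the logged drop, it is limited to the interface in IN= and the port in DPT=; add one rule per service rather than widening it to all protocols, and run the script again whenever the external address changes so the hook never carries a stale or placeholder address.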