Use "SuSEfirewall2 status | grep ANTI-SPOOF" to figure out which rule stops your ICMP packets (the first column shows you the number of packets which match the rule). In my case it has been that the external net was a subnet of the internal net (e.g. int=192.168.0.0/24 and ext=192.168.0/3). But this does not bother too much: you just don't reach your DSL router directly. If it is configured correctly you can send packets through your router (and vice versa). If you want to configure your router you have to delete 2/4 rules (depends on whether you have turned logging on or off) from one of your chains using iptables. After that restart the firewall to regain anti-spoof security.
Anthony Hogbin wrote:
Hello
I am running repeatedly into a brick wall here over SuSEfirewall2
Three NICs - a real IP DMZ, a masqueraded LAN on 192, and a DSL router which is my DFG and name server.
I can do most stuff I hoped it would do when I sat down and figured out what I needed - like web, mail, imap, ssh, MSN IM blah blah. BUT I CANNOT PING.
Nowhere on the network can ping at all.
Masqueraded clients can resolve but then nothing.
This is what I get in the /var/log/firewall (where 14 is the router - and the 192 address is the test client):
Sep 5 15:40:40 prometheus kernel: SuSE-FW-DROP-ANTI-SPOOFIN=eth0 OUT= MAC=00:01:02:24:8b:9a:00:20:6f:09:7c:b5:08:00 SRC=217.34.212.14 DST=217.34.212.2 LEN=315 TOS=0x00 PREC=0x00 TTL=60 ID=42849 PROTO=UDP SPT=53 DPT=1027 LEN=295
...this is just one example of many SPOOF issues - but the one that I think points the strongest towards my current issues.
With a bit of luck the act of asking for help will bring some enlightenment?!
----
For your entertainment (take it easy on me!) is the setup
# 2.) FW_DEV_EXT="eth0"
# 3.) FW_DEV_INT="eth2"
# 4.) FW_DEV_DMZ="eth1"
# 5.) FW_ROUTE="yes"
# 6.) FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="$INT_LAN_RANGE,0/0,tcp,20 $INT_LAN_RANGE,0/0,tcp,21 $INT_LAN_RANGE,0/0,tcp,22 $INT_LAN_RANGE,0/0,tcp,23 $INT_LAN_RANGE,0/0,tcp,25 $INT_LAN_RANGE,0/0,tcp,37 $INT_LAN_RANGE,0/0,udp,37 $INT_LAN_RANGE,0/0,udp,43 $INT_LAN_RANGE,0/0,udp,53 $INT_LAN_RANGE,0/0,tcp,53 $INT_LAN_RANGE,0/0,tcp,80 $INT_LAN_RANGE,0/0,tcp,110 $INT_LAN_RANGE,0/0,tcp,113 $INT_LAN_RANGE,0/0,tcp,123 $INT_LAN_RANGE,0/0,udp,123 $INT_LAN_RANGE,0/0,tcp,143 $INT_LAN_RANGE,0/0,tcp,443 $INT_LAN_RANGE,0/0,tcp,554 $INT_LAN_RANGE,0/0,tcp,993 $INT_LAN_RANGE,0/0,tcp,1863 $INT_LAN_RANGE,0/0,tcp,2401 $INT_LAN_RANGE,0/0,tcp,5800 $INT_LAN_RANGE,0/0,tcp,5900 $INT_LAN_RANGE,0/0,tcp,6800:6900 $INT_LAN_RANGE,0/0,udp,6800:6900 $INT_LAN_RANGE,0/0,tcp,6901 $INT_LAN_RANGE,0/0,udp,6901 $INT_LAN_RANGE,0/0,tcp,6970:7170 $INT_LAN_RANGE,0/0,tcp,7070"
# 7.) FW_PROTECT_FROM_INTERNAL="yes"
# 8.) FW_AUTOPROTECT_SERVICES="yes"
# 9.) FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="" # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="53 3128"
FW_SERVICES_DMZ_UDP="53"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="23 53 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
# 10.) FW_TRUSTED_NETS="$EXT_ZFT_GATE,tcp,22"
# 11.) FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.) FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
# 13.) FW_FORWARD="$INT_LAN_RANGE,$DMZ_IP_RANGE 0/0,$DMZ_EXCHANGE,tcp,25 0/0,$DMZ_EXCHANGE,tcp,80 0/0,$DMZ_EXCHANGE,tcp,135 0/0,$DMZ_EXCHANGE,tcp,443 0/0,$DMZ_BACKUP,tcp,21 0/0,$DMZ_BACKUP,tcp,20"
# 14.) FW_FORWARD_MASQ="" # Beware to use this!
# 15.) FW_REDIRECT=""
# 16.) FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
# 17.) FW_KERNEL_SECURITY="yes"
# 18.) FW_STOP_KEEP_ROUTING_STATE="yes"
# 19.) FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
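The reply above points at the usual cause of SuSE-FW-DROP-ANTI-SPOOF entries: a source address that is covered by a network assigned to a zone other than the one of the interface the packet arrived on, which happens for legitimate traffic as soon as two zone networks overlap. The following triage script is an added example and is not code from the thread or from SuSEfirewall2. It parses a kernel log line of the shape quoted above (including the log prefix glued onto `IN=`), maps the arrival device to its zone using the `FW_DEV_EXT/INT/DMZ` values from the quoted config, and reports which foreign zone claims the source address and which zone networks overlap. The zone networks, the router addresses and the log lines are constructed; `IFACE_ZONE`, `ZONES_OVERLAPPING`, `ZONES_CLEAN`, `parse_fw_log`, `zones_containing`, `overlapping_zone_nets` and `explain_anti_spoof_drop` are names chosen for this example.

```python
import ipaddress
import re

# Interface -> zone mapping, taken from the FW_DEV_EXT/INT/DMZ settings quoted in the thread.
IFACE_ZONE = {"eth0": "ext", "eth2": "int", "eth1": "dmz"}

# Zone networks are constructed (assumption): the reply describes an external net that
# is a subnet of the internal one, and these values reproduce that shape.
ZONES_OVERLAPPING = {
    "int": ["192.168.0.0/24"],
    "ext": ["192.168.0.0/28"],
    "dmz": ["217.34.212.0/28"],
}

# The same zones with the overlap removed (constructed): the shape of a sound setup.
ZONES_CLEAN = {
    "int": ["192.168.0.0/24"],
    "ext": ["10.0.0.0/30"],
    "dmz": ["217.34.212.0/28"],
}

# Constructed log lines in the shape of the SuSE-FW-DROP-ANTI-SPOOF entry from the thread:
# an echo reply from the DSL router arriving on the external device.
LOG_OVERLAP = (
    "Sep 5 15:41:02 prometheus kernel: SuSE-FW-DROP-ANTI-SPOOFIN=eth0 OUT= "
    "MAC=00:01:02:24:8b:9a:00:20:6f:09:7c:b5:08:00 SRC=192.168.0.1 DST=192.168.0.2 "
    "LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=ICMP TYPE=0 CODE=0"
)
LOG_CLEAN = LOG_OVERLAP.replace("SRC=192.168.0.1 DST=192.168.0.2",
                                "SRC=10.0.0.1 DST=10.0.0.2")


def parse_fw_log(line):
    """Split a netfilter kernel log line into (log prefix, {KEY: value}).

    The prefix is glued straight onto IN= when --log-prefix has no trailing space
    (as in the thread's line), so the split keys on the literal 'IN=' token.
    """
    m = re.search(r"kernel:\s*(.*?)\s*IN=", line)
    if not m:
        raise ValueError("not a netfilter log line: %r" % line)
    rest = line[m.end() - len("IN="):]
    # A repeated key (IP LEN= followed by UDP LEN=) keeps its last value.
    return m.group(1), dict(re.findall(r"(\w+)=(\S*)", rest))


def zones_containing(address, zones):
    """Names of the zones that have a configured network containing the address."""
    ip = ipaddress.ip_address(address)
    return sorted(z for z, nets in zones.items()
                  if any(ip in ipaddress.ip_network(n) for n in nets))


def overlapping_zone_nets(zones):
    """(zone, net, zone, net) tuples for every pair of networks that overlap across zones."""
    found = []
    names = sorted(zones)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in zones[a]:
                for nb in zones[b]:
                    if ipaddress.ip_network(na).overlaps(ipaddress.ip_network(nb)):
                        found.append((a, na, b, nb))
    return found


def explain_anti_spoof_drop(line, iface_zone, zones):
    """Work out why an anti-spoof rule matched: the source address is covered by a
    network assigned to a zone other than the zone of the arrival interface."""
    prefix, f = parse_fw_log(line)
    in_zone = iface_zone.get(f.get("IN", ""), "unknown")
    src_zones = zones_containing(f["SRC"], zones)
    return {
        "anti_spoof": "ANTI-SPOOF" in prefix,
        "src": f["SRC"],
        "in_dev": f.get("IN", ""),
        "in_zone": in_zone,
        "foreign_zones": [z for z in src_zones if z != in_zone],
        "overlaps": overlapping_zone_nets(zones),
    }


def main():
    for label, line, zones in (("overlapping zones", LOG_OVERLAP, ZONES_OVERLAPPING),
                               ("clean zones", LOG_CLEAN, ZONES_CLEAN)):
        r = explain_anti_spoof_drop(line, IFACE_ZONE, zones)
        if r["foreign_zones"]:
            print("%s: SRC %s came in on %s (%s) but is also in %s; overlapping nets: %s"
                  % (label, r["src"], r["in_dev"], r["in_zone"],
                     ",".join(r["foreign_zones"]), r["overlaps"]))
        else:
            print("%s: SRC %s on %s (%s) is in no foreign zone; compare the packet "
                  "counters from 'SuSEfirewall2 status | grep ANTI-SPOOF' instead"
                  % (label, r["src"], r["in_dev"], r["in_zone"]))


if __name__ == "__main__":
    main()
```

Run it with the real zone networks substituted for the constructed ones: if a dropped packet's source is claimed by a second zone, the fix is to give the zones disjoint networks (or, as the reply describes, to accept that the router itself is unreachable directly) rather than to remove the anti-spoof rules permanently.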