I should also ask if there is a way to get debug messages for the masquerade/NAT code, I might be able to figure out what is going on better. All that I have been able to determine is that the GRE packets are arriving at the router but not passing through. I realize these are difficult to help with "over the phone", but if anyone has personal experience with debugging NAT and knows of other logging flags I should set, that information would be greatly appreciated!

best,
-b
Good day all!
I'm having some issues with my masquerading setup. I moved the machine to a new IP address, and masquerading for PPTP/GRE suddenly stopped working from the outside. I've sniffed packets, the authentication is happening fine and the initial GRE is sent from the client to the server, but the GRE never passes over the masquerade. I've enclosed my SuSEFirewall2 config below.
Can anyone assist? I believe the problem may have to do with the fact that the router was up for 311 days before I moved it to the new IP address and there must have been some change which only showed up after reboot. To be sure, I've pulled down the 2.1 version of SuSEfirewall2, and I am running a 2.4.10 kernel from the 7.3 distro.
Thanks kindly,
Brian
i=============i
# ###########
# Scenario 4:
# This company has got a more complex setup:
#
#      Internet
#         |
#         |         Webserver
#         |            |
#     SuSE-Firewall-------
#         |
#         |---Mailserver
#         |
#         |---Database
#         |
#     Internal LAN
#
# All Mail is delivered to the firewall. It also provides DNS service to
# internal and external.
# There's a DMZ where a Webserver resides (port 80 and port 443) which needs
# to connect to the Firewall to deliver mail to internal, send syslog
# messages and do domain lookups. It needs also direct access to the internal
# database (bad idea!).
# All mail which is delivered to the firewall, is sent to the internal
# mailserver. The mailserver sends all mail to the internet to the firewall.
# Internal PCs which access the internet should be masqueraded.
# external fw interface: eth2
# dmz fw interface: eth1
# internal fw interface: eth0
# ip of database: 192.168.1.3, tcp port for database is 4545
# ip of webserver: 200.200.200.200 (this is an official, assigned address!)
# internal LAN: 192.168.1.0 netmask 255.255.255.0
#
# TODO: the nameserver on the firewall needs to be setup "split-brained". See
# the DNS How-to. The mailserver on the firewall needs to be setup as a
# forwarder/relayer. The mailserver on the internal network gets the firewall
# as forwarder/relay configured.
START_FW2="yes"
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_DEV_INT="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_SERVICES_EXT_TCP="22 25 53 123"
FW_SERVICES_EXT_UDP="53 123"
FW_SERVICES_DMZ_TCP="25 53"
FW_SERVICES_DMZ_UDP="53 123 514"
FW_SERVICES_INT_TCP="22 25 53 80 123"
FW_SERVICES_INT_UDP="53 123"
FW_SERVICE_DNS="yes"
DNS_PORT="53"
#FW_FORWARD_MASQ="61.0.0.0/8,192.168.0.100,tcp,8888 0/0,192.168.0.2,tcp,1723 0/0,192.168.0.2,tcp,443 "
FW_FORWARD_MASQ="0/0,192.168.0.100,tcp,8888 0/0,192.168.0.2,tcp,1723 0/0,192.168.0.2,tcp,443 "
FW_FORWARD="204.152.97.10,0/0,tcp,80 204.152.97.10,0/0,tcp,21 192.168.1.100,204.152.97.10 204.152.97.10,192.168.1.100 204.152.97.10,192.168.0.11,tcp,3306 204.152.97.10,192.168.0.11,tcp,11009 0/0,204.152.97.10,tcp,25 204.152.97.10,0/0,tcp,25 0/0,204.152.97.0/24,tcp,22 0/0,204.152.97.0/24,tcp,21 0/0,204.152.97.0/27,tcp,80 0/0,204.152.97.10,tcp,443 0/0,204.152.97.11,tcp,443 204.152.97.10,0/0,tcp,110"
FW_INPUT="0/0,204.152.97.1,udp,53"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will be also affected from the
# FW_AUTOPROTECT_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", defaults to "yes"
#
# "yes" is a good choice
FW_PROTECT_FROM_INTERNAL="no"

#
# 8.)
# Do you want to autoprotect all running network services on the firewall?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="no"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
FW_SERVICES_EXT_IP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""

#
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesn't matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won't work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
#
FW_SERVICE_AUTODETECT="no"      # Autodetect the services below when starting
#
# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"
#
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="no"
#
# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="no"
#
# set to "yes" if this server is running a samba server. You still have to
# open the tcp port 139 to allow remote access to SAMBA.
FW_SERVICE_SAMBA="no"
#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, separated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) protocol (tcp or udp), 4) original destination port and 5) local port to
# redirect the traffic to, separated by a comma. e.g.:
# "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
FW_REDIRECT=""

#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also set the log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DROP_CRIT="yes"
#
FW_LOG_DROP_ALL="yes"
#
FW_LOG_ACCEPT_CRIT="yes"
#
FW_LOG_ACCEPT_ALL="yes"
#
# only change/activate this if you know what you are doing!
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
# ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_KERNEL_SECURITY="no"

#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might leave your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall2 stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choices "yes" or "no", defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_INTERNET
#
# Choice: "yes" or "no", defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"
#
FW_ALLOW_PING_EXT="no"
##
# END of rc.firewall
##

#
#
#-------------------------------------------------------------------------#
#                                                                         #
#       EXPERT OPTIONS - all others please don't change these!            #
#                                                                         #
#-------------------------------------------------------------------------#
#
#
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="yes"

#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"

#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
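The post's FW_FORWARD_MASQ forwards TCP/1723 (the PPTP control connection) to 192.168.0.2 but lists nothing for the GRE tunnel packets (IP protocol 47) that carry the actual PPTP data, which matches the symptom of GRE arriving at the router and going no further. The following checker is an added example, not code from the post or from SuSEfirewall2: it parses the FW_FORWARD_MASQ rule syntax shown above, reports which protocol/port pairs a service still needs forwarded to a given internal host, and confirms whether that host lies inside FW_MASQ_NETS. The sample rule strings are copied from the post; the per-service requirement table and the acceptance of "gre" or "47" as a protocol field are assumptions of this example, since whether the 2.1 script accepts a non-tcp/udp protocol in FW_FORWARD_MASQ is not something the post settles.

```python
"""Check SuSEfirewall2 FW_FORWARD_MASQ coverage for a service (added example)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values, copied from the post's configuration above.
SAMPLE_FORWARD_MASQ = (
    "0/0,192.168.0.100,tcp,8888 "
    "0/0,192.168.0.2,tcp,1723 "
    "0/0,192.168.0.2,tcp,443"
)
SAMPLE_MASQ_NETS = "192.168.0.0/24"

# Assumed requirement table: PPTP needs the TCP/1723 control channel plus
# GRE (IP protocol 47) for the tunnel data; GRE has no port.
SERVICE_REQUIREMENTS = {
    "pptp": (("tcp", "1723"), ("gre", None)),
    "https": (("tcp", "443"),),
}
# Assumed spellings of the protocol field that count as GRE.
PROTO_ALIASES = {"gre": {"gre", "47"}}


@dataclass(frozen=True)
class ForwardRule:
    source: str           # source net, e.g. "0/0" or "61.0.0.0/8"
    target: str           # internal host the traffic is forwarded to
    proto: str            # "tcp", "udp", or a protocol name/number
    port: Optional[str]   # destination port; None for port-less protocols


def parse_forward_masq(value: str) -> list[ForwardRule]:
    """Split a FW_FORWARD_MASQ string into rules.

    Each whitespace-separated token is source,target,proto[,port]. A token
    with fewer than three fields is rejected rather than silently skipped,
    so a typo in the config shows up as an error instead of a missing rule.
    """
    rules = []
    for token in value.split():
        fields = token.split(",")
        if len(fields) < 3:
            raise ValueError(f"malformed rule {token!r}: need source,target,proto")
        source, target, proto = fields[:3]
        port = fields[3] if len(fields) > 3 and fields[3] else None
        rules.append(ForwardRule(source, target, proto.lower(), port))
    return rules


def missing_forwards(rules: list[ForwardRule], target: str,
                     service: str) -> list[tuple[str, Optional[str]]]:
    """Return the (proto, port) pairs the service needs that no rule forwards to target."""
    have = {(r.proto, r.port) for r in rules if r.target == target}
    missing = []
    for proto, port in SERVICE_REQUIREMENTS[service]:
        names = PROTO_ALIASES.get(proto, {proto})
        if not any((name, port) in have for name in names):
            missing.append((proto, port))
    return missing


def is_masqueraded(host: str, masq_nets: str) -> bool:
    """True if host falls inside any network listed in FW_MASQ_NETS."""
    addr = ipaddress.ip_address(host)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in masq_nets.split())


if __name__ == "__main__":
    rules = parse_forward_masq(SAMPLE_FORWARD_MASQ)
    for target in sorted({r.target for r in rules}):
        print(f"{target}: masqueraded={is_masqueraded(target, SAMPLE_MASQ_NETS)}")
    print("pptp gaps for 192.168.0.2:",
          missing_forwards(rules, "192.168.0.2", "pptp"))
```

Run against the post's rule string, the checker reports a single gap for 192.168.0.2: `("gre", None)`. Whether closing it is a matter of adding a GRE entry to FW_FORWARD_MASQ or of loading a PPTP connection-tracking helper depends on the SuSEfirewall2 version and kernel in use; the checker only makes the gap visible.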
--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here