Set FW_ALLOW_CLASS_ROUTING="yes" to allow routing between ifaces of the same
class (int/ext/dmz)
Quoting Jochen Haßfurter
Hello!
For two weeks I have been trying to understand SuSEFirewall2.... I think I have read enough, but I have found no solution for my problem.
I have a SuSE 9.0 system with an Ethernet card with 4 ports. The server is a router and WINS server between two Windows domains.
The ports are managed like this:
eth0 Link encap:Ethernet HWaddr _____________ inet addr:192.168.1.20 Bcast:192.168.1.255 Mask:255.255.255.0
# Domain 1: Windows 2003 Server - Domain "W2003"
eth1 Link encap:Ethernet HWaddr _____________ inet addr:192.168.200.248 Bcast:192.168.200.255 Mask:255.255.255.0
# Domain 2: Windows NT 4.0 - Domain "Hart"
eth2 Link encap:Ethernet HWaddr _____________ inet addr:192.168.3.10 Bcast:192.168.3.255 Mask:255.255.255.0
# To Router (192.168.3.1)
eth3 Link encap:Ethernet HWaddr _____________ inet addr:192.168.4.10 Bcast:192.168.4.255 Mask:255.255.255.0
# To (Secure) WLan (192.168.4.1)
# SuSEFirewall2 configuration:
FW_QUICKMODE="no"
FW_DEV_EXT="eth2"
FW_DEV_INT="eth0 eth1 eth3"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth2"
FW_MASQ_NETS="192.168.0.0/16"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh 22 53 80 139 445"
FW_SERVICES_INT_UDP="53 137 138"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/16"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
In this configuration, and even if I change
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
both to "no" (which I dislike doing!),
the following "errors" occur if I try to get data from one PC to another (that means the PCs are not visible in "Network Neighborhood" (Netzwerkumgebung) and there is no way to reach them, but the Internet works fine on every PC):
Jul 5 15:32:46 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14931 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:32:48 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14933 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:32:50 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14935 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:27 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16608 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16610 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:31 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16613 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16620 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 15:55:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16621 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 15:55:42 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16622 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 15:55:54 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16624 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:56 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16626 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:58 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=16628 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:30 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17801 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:32 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17803 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:34 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17805 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28159 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:39 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28161 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:45 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28171 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:57 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17822 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:10:59 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17826 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 16:11:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=17828 PROTO=UDP SPT=138 DPT=138 LEN=182
Please help me! Tell me why! What am I doing wrong??
Mit freundlichen Grüssen, With kind regards, Veuillez agréer mes salutations distinguées,
Jochen Haßfurter
--------------------------------
Atelier MO Stefan Mock & Jochen Haßfurter GbR
Office: Industriestraße 3 97332 Volkach Germany
Tel. 0.93.81 7.15.20.92 Fax 0.93.81 7.15.20.93
Creative Center: Am Kapellenberg 2 97332 Volkach Germany
Tel. 0.93.81 7.15.20.91 Fax 0.93.81 8.47.59.99
www.ateliermo.de
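The drops quoted above all have IN=eth0 and OUT=eth1, and both interfaces sit in FW_DEV_INT while FW_ALLOW_CLASS_ROUTING is "no". The following Python script is an added example (not code from the original post and not part of SuSEFirewall2): it parses SuSE-FW kernel log lines and the FW_DEV_*/FW_ROUTE/FW_ALLOW_CLASS_ROUTING variables, groups the dropped forwarded packets by interface pair, and reports whether a same-class routing restriction explains them. The sample log and config below are constructed from the values quoted in the post, plus one constructed local-delivery line to show that packets addressed to the firewall itself are excluded.

```python
"""Explain SuSE-FW-DROP-DEFAULT forward drops from a SuSEFirewall2 config.

Added example, not code from the original mailing-list post or from
SuSEFirewall2. Sample input below is constructed from values quoted in
the post (the last log line is entirely constructed).
"""
import re
from collections import Counter

# Constructed sample: three lines quoted in the post (one NetBIOS datagram,
# two TCP SYNs to port 139) plus one constructed line addressed to the
# firewall itself (OUT is empty), which is not a forwarding problem.
SAMPLE_LOG = """\
Jul 5 15:32:46 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=202 TOS=0x00 PREC=0x00 TTL=127 ID=14931 PROTO=UDP SPT=138 DPT=138 LEN=182
Jul 5 15:55:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16620 DF PROTO=TCP SPT=4646 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:10:36 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.1.101 DST=192.168.200.1 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=28159 DF PROTO=TCP SPT=1841 DPT=139 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jul 5 16:12:00 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth2 OUT= SRC=192.168.3.1 DST=192.168.3.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed sample: the zone-related variables from the quoted config.
SAMPLE_CONFIG = """\
FW_DEV_EXT="eth2"
FW_DEV_INT="eth0 eth1 eth3"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_ALLOW_CLASS_ROUTING="no"
"""

KV_RE = re.compile(r'(\w+)=(\S*)')                      # KEY=VALUE fields
CONF_RE = re.compile(r'^\s*(FW_\w+)="([^"]*)"', re.M)    # FW_NAME="value"
ZONES = ('EXT', 'INT', 'DMZ')


def parse_log(text):
    """One dict per SuSE-FW line: 'prefix' plus every KEY=VALUE field.
    UDP lines carry LEN= twice (IP total length, then UDP length); the
    second is stored as 'UDP_LEN' so it does not overwrite the first.
    Flag tokens without '=' (DF, SYN, OPT (...)) are ignored."""
    entries = []
    for line in text.splitlines():
        m = re.search(r'(SuSE-FW-[A-Z-]+)\s+(.*)', line)
        if not m:
            continue
        entry = {'prefix': m.group(1)}
        for key, val in KV_RE.findall(m.group(2)):
            if key == 'LEN' and 'LEN' in entry:
                key = 'UDP_LEN'
            entry[key] = val
        entries.append(entry)
    return entries


def parse_config(text):
    """FW_NAME="value" lines -> dict with the quotes stripped."""
    return dict(CONF_RE.findall(text))


def zone_of(dev, conf):
    """Which FW_DEV_* class an interface belongs to, or None if unassigned."""
    for zone in ZONES:
        if dev in conf.get('FW_DEV_' + zone, '').split():
            return zone
    return None


def forward_drops(entries):
    """Count dropped *forwarded* packets by (IN, OUT, PROTO, DPT).
    Forwarded packets have both IN and OUT set; packets addressed to the
    firewall itself have an empty OUT and are left out here."""
    counts = Counter()
    for e in entries:
        if e.get('IN') and e.get('OUT'):
            counts[(e['IN'], e['OUT'], e.get('PROTO'), e.get('DPT'))] += 1
    return counts


def diagnose(log_text, conf_text):
    """One finding per (IN, OUT) interface pair seen in forward drops."""
    conf = parse_config(conf_text)
    findings = {}
    for (dev_in, dev_out, proto, dport), n in forward_drops(parse_log(log_text)).items():
        z_in, z_out = zone_of(dev_in, conf), zone_of(dev_out, conf)
        if conf.get('FW_ROUTE') != 'yes':
            reason = 'FW_ROUTE is not "yes": the firewall does not forward at all'
        elif z_in is None or z_out is None:
            reason = 'an interface is not listed in any FW_DEV_* variable'
        elif z_in == z_out and conf.get('FW_ALLOW_CLASS_ROUTING') != 'yes':
            reason = (f'both interfaces are {z_in}; routing inside one class '
                      'needs FW_ALLOW_CLASS_ROUTING="yes"')
        else:
            reason = 'same-class routing is not the cause; check FW_FORWARD / FW_FORWARD_MASQ'
        f = findings.setdefault((dev_in, dev_out), {
            'zones': (z_in, z_out), 'packets': 0, 'services': set(), 'reason': reason})
        f['packets'] += n
        f['services'].add((proto, dport))
    return findings


if __name__ == '__main__':
    for (dev_in, dev_out), f in diagnose(SAMPLE_LOG, SAMPLE_CONFIG).items():
        print(f"{dev_in} -> {dev_out} ({f['zones'][0]}->{f['zones'][1]}): "
              f"{f['packets']} drops, services {sorted(f['services'])}: {f['reason']}")
```

Run against the quoted log the script reports the single eth0 -> eth1 pair, both INT, with UDP/138 and TCP/139 dropped because FW_ALLOW_CLASS_ROUTING is "no"; feeding it the same log with that variable set to "yes" makes the finding point elsewhere, which is a quick way to confirm the explanation in the reply before touching the running firewall.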