
Ludwig Nussel wrote:
pronco@conae.gov.ar wrote:
Is there any way to configure stateful packet inspection rules in SuSEfirewall2 for masquerade networks? When I configure a rule in FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I also have to configure a rule for responses.
Example: Incoming traffic to my web server in a DMZ with private addresses
FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"
I also need to set up the following rules in order to let responses out
FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"
This rule permits not only established sessions, but additionally it allows my web server to establish connections to the outside world.
Don’t know why the FW_FORWARD rules are stateful as I want, but the FW_MASQ_NETS ones aren’t.
You found a bug.
Any suggestion?
You may take SuSEfirewall2 from FACTORY as soon as I have submitted a package with the fix. It should work on 10.0 as well (feel free to file a bug if not). In the meantime you could use one of the hook functions to just insert the required rules.
Could this bug fix get into a SuSE 9.3 update? We use here many FW_FORWARD_MASQ rules and have to maintain lots of response rules, allowing too much! An update to SuSE 10.0 or 10.1 is not possible, since there are still no drivers for this proprietary hardware (won't buy FSComputers again!). Thanks, Richard
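As an added illustration (not from any of the posts above, and not SuSEfirewall2's own code), the following shell functions spell out the iptables rules that the thread's two SuSEfirewall2 settings correspond to, placing the over-permissive FW_MASQ_NETS workaround beside a stateful rule that only lets replies out of the DMZ. The interface names eth0/eth1 are assumptions; the host 192.168.1.5 and ports come from the thread.

```shell
#!/bin/sh
# Constructed example: DMZ web server behind a SuSEfirewall2 host.
DMZ_HOST="192.168.1.5"
EXT_IF="eth0"   # assumed external interface
DMZ_IF="eth1"   # assumed DMZ interface

# Rules equivalent to FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80":
# DNAT incoming port-80 traffic to the DMZ host and let it be forwarded.
dnat_rules() {
    echo "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST:80"
    echo "iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_HOST -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
}

# The workaround from the thread, FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535":
# it matches any TCP packet from the web server to a high port, so the server may
# also open brand-new outbound connections, not just answer existing ones.
permissive_reply_rules() {
    echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_HOST -p tcp --dport 1024:65535 -j ACCEPT"
}

# Stateful alternative: only packets belonging to a connection conntrack already
# tracks (one that entered through the DNAT rule) may leave the DMZ. Newer
# kernels spell the same match "-m conntrack --ctstate ESTABLISHED,RELATED".
stateful_reply_rules() {
    echo "iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_HOST -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# Print the rule set with the stateful reply rule in place of the permissive one.
dnat_rules
stateful_reply_rules
```

Feeding these lines to the firewall (for example from one of the SuSEfirewall2 custom hook functions mentioned above) gives the DMZ host reply traffic without an outbound-connection allowance.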