I believe the problem is in your FW_MASQ_NETS setting. Ping is an ICMP protocol. Why don't you try to open this up completely (internalnet/8, /16 or /24, whichever applies), then test to see what happens. Then you can start restricting this more and more to tighten the controls as needed.

Jim

09/05/01 10:57:34 AM, "Anthony Hogbin" <anthony.hogbin@btinternet.com> wrote:
Hello
I am running repeatedly into a brick wall here over SuSEfirewall2
Three NICs: a real-IP DMZ, a masqueraded LAN on 192, and a DSL router which is my DFG and name server.
I can do most stuff I hoped it would do when I sat down and figured out what I needed, like web, mail, IMAP, SSH, MSN IM, blah blah. BUT I CANNOT PING.
Nowhere on the network can ping at all.
Masqueraded clients can resolve but then nothing.
This is what I get in the /var/log/firewall (where 14 is the router - and the 192 address is the test client):
Sep 5 15:40:40 prometheus kernel: SuSE-FW-DROP-ANTI-SPOOFIN=eth0 OUT= MAC=00:01:02:24:8b:9a:00:20:6f:09:7c:b5:08:00 SRC=217.34.212.14 DST=217.34.212.2 LEN=315 TOS=0x00 PREC=0x00 TTL=60 ID=42849 PROTO=UDP SPT=53 DPT=1027 LEN=295
...this is just one example of many SPOOF issues, but the one that I think points the strongest towards my current issues.
With a bit of luck the act of asking for help will bring some enlightenment?!
----
For your entertainment (take it easy on me!), here is the setup:
# 2.)
FW_DEV_EXT="eth0"

# 3.)
FW_DEV_INT="eth2"

# 4.)
FW_DEV_DMZ="eth1"

# 5.)
FW_ROUTE="yes"

# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="$INT_LAN_RANGE,0/0,tcp,20 $INT_LAN_RANGE,0/0,tcp,21 $INT_LAN_RANGE,0/0,tcp,22 $INT_LAN_RANGE,0/0,tcp,23 $INT_LAN_RANGE,0/0,tcp,25 $INT_LAN_RANGE,0/0,tcp,37 $INT_LAN_RANGE,0/0,udp,37 $INT_LAN_RANGE,0/0,udp,43 $INT_LAN_RANGE,0/0,udp,53 $INT_LAN_RANGE,0/0,tcp,53 $INT_LAN_RANGE,0/0,tcp,80 $INT_LAN_RANGE,0/0,tcp,110 $INT_LAN_RANGE,0/0,tcp,113 $INT_LAN_RANGE,0/0,tcp,123 $INT_LAN_RANGE,0/0,udp,123 $INT_LAN_RANGE,0/0,tcp,143 $INT_LAN_RANGE,0/0,tcp,443 $INT_LAN_RANGE,0/0,tcp,554 $INT_LAN_RANGE,0/0,tcp,993 $INT_LAN_RANGE,0/0,tcp,1863 $INT_LAN_RANGE,0/0,tcp,2401 $INT_LAN_RANGE,0/0,tcp,5800 $INT_LAN_RANGE,0/0,tcp,5900 $INT_LAN_RANGE,0/0,tcp,6800:6900 $INT_LAN_RANGE,0/0,udp,6800:6900 $INT_LAN_RANGE,0/0,tcp,6901 $INT_LAN_RANGE,0/0,udp,6901 $INT_LAN_RANGE,0/0,tcp,6970:7170 $INT_LAN_RANGE,0/0,tcp,7070"

# 7.)
FW_PROTECT_FROM_INTERNAL="yes"

# 8.)
FW_AUTOPROTECT_SERVICES="yes"

# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""    # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="53 3128"
FW_SERVICES_DMZ_UDP="53"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="23 53 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""

# 10.)
FW_TRUSTED_NETS="$EXT_ZFT_GATE,tcp,22"

# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

# 12.)
FW_SERVICE_AUTODETECT="yes"    # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"

# 13.)
FW_FORWARD="$INT_LAN_RANGE,$DMZ_IP_RANGE 0/0,$DMZ_EXCHANGE,tcp,25 0/0,$DMZ_EXCHANGE,tcp,80 0/0,$DMZ_EXCHANGE,tcp,135 0/0,$DMZ_EXCHANGE,tcp,443 0/0,$DMZ_BACKUP,tcp,21 0/0,$DMZ_BACKUP,tcp,20"

# 14.)
FW_FORWARD_MASQ=""    # Beware to use this!

# 15.)
FW_REDIRECT=""

# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

# 17.)
FW_KERNEL_SECURITY="yes"

# 18.)
FW_STOP_KEEP_ROUTING_STATE="yes"

# 19.)
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
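The thread turns on reading /var/log/firewall correctly: which rule dropped the packet, on which interface, and whether it was ICMP (the missing pings) or a DNS reply (the SuSE-FW-DROP-ANTI-SPOOF entry Anthony quoted). The following parser is an added example and is not code from the thread or from SuSEfirewall2. The first sample line is the one quoted in the thread; the other two are constructed to follow the layout netfilter's LOG target uses for ICMP entries (PROTO=ICMP TYPE= CODE= ID= SEQ=), and the hostnames, MAC and the 192.168.1.0/24 client address in them are assumptions. It also handles the prefix-runs-into-IN= shape of the quoted line and the repeated ID=/LEN= keys that a naive key=value split would overwrite.

```python
"""Parse SuSEfirewall2 (netfilter LOG) lines and summarise what was dropped.

Added example, not part of the original thread.  Field layout assumed:
"<rule prefix> IN=... OUT=... [MAC=...] SRC=... DST=... LEN=... ... PROTO=..."
"""
import re
from collections import Counter

# Line 1 is the real entry from the thread.  Lines 2 and 3 are CONSTRUCTED:
# a LAN client's echo request being forwarded out, and the echo reply coming
# back, both logged by the default drop rule (addresses/MACs are assumptions).
SAMPLE_LOG = """\
Sep 5 15:40:40 prometheus kernel: SuSE-FW-DROP-ANTI-SPOOFIN=eth0 OUT= MAC=00:01:02:24:8b:9a:00:20:6f:09:7c:b5:08:00 SRC=217.34.212.14 DST=217.34.212.2 LEN=315 TOS=0x00 PREC=0x00 TTL=60 ID=42849 PROTO=UDP SPT=53 DPT=1027 LEN=295
Sep 5 15:41:02 prometheus kernel: SuSE-FW-DROP-DEFAULT IN=eth2 OUT=eth0 SRC=192.168.1.20 DST=217.34.212.14 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Sep 5 15:41:03 prometheus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=217.34.212.14 DST=217.34.212.2 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=2 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
"""

KERNEL_RE = re.compile(r"kernel:\s+(?P<rest>SuSE-FW\S*.*)$")


def parse_fw_log(line):
    """Return a dict of the fields of one SuSE-FW log line, or None if it is not one."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    tokens = m.group("rest").split()
    rule = tokens.pop(0)
    # An over-long --log-prefix gets cut off by the kernel and runs straight
    # into the IN= field, which is what the quoted line shows
    # ("...ANTI-SPOOFIN=eth0").  Split the interface back out of the prefix.
    if "IN=" in rule:
        rule, iface = rule.split("IN=", 1)
        tokens.insert(0, "IN=" + iface)
    fields = {"RULE": rule}
    for tok in tokens:
        if "=" not in tok:
            fields.setdefault("FLAGS", []).append(tok)  # bare flags such as DF
            continue
        key, value = tok.split("=", 1)
        # ICMP entries carry a second ID= (echo identifier) after PROTO=, and
        # UDP entries repeat LEN= (IP length, then UDP length).  Keep the first
        # occurrence as the IP-header value and store the repeat under KEY2.
        if key in fields:
            key += "2"
        fields[key] = value
    return fields


def explain_drop(fields):
    """One-line classification of a drop, aimed at the symptoms in the thread."""
    proto = fields.get("PROTO")
    src, dst, rule = fields["SRC"], fields["DST"], fields["RULE"]
    if proto == "ICMP":
        kind = {"8": "echo request", "0": "echo reply"}.get(
            fields.get("TYPE"), "type %s" % fields.get("TYPE"))
        return "icmp %s %s->%s dropped (%s)" % (kind, src, dst, rule)
    if proto == "UDP" and fields.get("SPT") == "53":
        return "dns reply %s->%s:%s dropped (%s)" % (src, dst, fields.get("DPT"), rule)
    return "%s %s->%s dropped (%s)" % (proto, src, dst, rule)


def summarize(log_text):
    """Count drops by (rule, protocol) over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fw_log(line)
        if f:
            counts[(f["RULE"], f.get("PROTO"))] += 1
    return counts


if __name__ == "__main__":
    for sample in SAMPLE_LOG.splitlines():
        print(explain_drop(parse_fw_log(sample)))
    for (rule, proto), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-32s %-5s %d" % (rule, proto, n))
```

Run it against the real /var/log/firewall (feed the file contents to `summarize`) and the (rule, protocol) counts show at a glance whether pings die on the firewall's own rules or in FORWARD, and whether the anti-spoofing drops are all DNS replies from the router, as the quoted line is.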