Protect from internal is on; if that blocks the internal requests, you may need to build a route between the two internal IP blocks as well. Route add xxx. The redirects are where you are passing the requests from the real IP to the fake DMZ IP.

Regards,
Jon

----- Original Message -----
From: <Bill.Light@kp.org>
To: <suse-security@suse.com>
Sent: Tuesday, May 07, 2002 3:40 PM
Subject: [suse-security] SuSEfirewall2 and DMZ problems...
Hi Gang !
Given the following scenario: a firewall running SuSE 7.3 / SuSEfirewall2 with 3 NICs:
          Internet
             |  "Real" IP address
            eth0
          Firewall ---- eth1 ---- DMZ - www/mail
            eth2
             |
           switch
             |
      Internal Machine(s)
If AA.aaa.aaa.aaa is a private IP on eth1 and BB.bbb.bbb.bbb is a private IP on eth2 (to feed the rest of the network),
how are the questions in /etc/rc.config.d/firewall2.rc.config answered to get to the DMZ computer? This is what I have (and I get dropped in the firewall without seeing the DMZ). I know I have NOT yet turned on mail, because I want to see www services running first.
FWD_DEV_EXT="eth0"
FWD_DEV_INT="eth2"
FWD_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASW_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="BB.bb.bbb.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="www"
FW_SERVICES_EXT_UDP="www"
FW_SERVICES_EXT_IP="www"
FW_SERVICES_DMZ_TCP="domain www"
FW_SERVICES_DMZ_UDP="www"
FW_SERVICES_DMZ_IP="www"
FW_SERVICES_INT_TCP="www"
FW_SERVICES_INT_UDP="www"
FW_SERVICES_INT_IP="www"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""                                   ?? -or-
FW_FORWARD="0/0,AA.aaa.aaa.aaa,tcp,80"          ??
FW_FORWARD_MASQ="0/0,AA.aaa.aaa.aaa,tcp,80"
FW_REDIRECT=""                                  ?? -or-
FW_REDIRECT="0/0,AA.aaa.aaa.aaa,tcp,80"         ??
The "-or-" is my guessing; no combination seems to work. Any help appreciated. What am I missing? I always get dropped in the "firewall" box and never get to the web server.
The SuSEfirewall2 examples given by Marc do not seem to address the setup I am attempting ... Is my inherent design bad ?
- Bill
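As an added illustration (not code from the thread, from Bill's box, or from SuSEfirewall2 itself), here is how I would write the relevant settings for this three-NIC layout, followed by a small POSIX sh function that expands one FW_FORWARD_MASQ entry into the plain iptables rules it stands for, so the difference between FW_FORWARD, FW_FORWARD_MASQ and FW_REDIRECT is visible. The interface names follow the post; the addresses 192.0.2.10 / 192.0.2.0/24 (DMZ) and 198.51.100.0/24 (internal) are RFC 5737 documentation addresses assumed here in place of AA.aaa.aaa.aaa and BB.bbb.bbb.0. The script only prints the rules; pipe its output into sh as root to apply them.

```sh
#!/bin/sh
# Added example, not SuSEfirewall2 code and not the poster's config.
# Assumed addresses (RFC 5737 documentation ranges):
DMZ_NET="192.0.2.0/24"      # stands in for AA.aaa.aaa.0/24 on eth1
DMZ_WWW="192.0.2.10"        # the DMZ web server
INT_NET="198.51.100.0/24"   # stands in for BB.bbb.bbb.0/24 on eth2

FW_DEV_EXT="eth0"
FW_DEV_INT="eth2"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
# Both private networks must be masqueraded, or replies from the DMZ
# host leave eth0 with a private source address and never come back.
FW_MASQ_NETS="$INT_NET $DMZ_NET"
# Note: FW_SERVICES_EXT_TCP="www" etc. open ports on the firewall box
# itself; they do nothing for a server that lives in the DMZ.

# NAT port forwarding to a DMZ host with a private address.
# Entry format: "source net,target host,protocol,port[,target port]"
FW_FORWARD_MASQ="0/0,$DMZ_WWW,tcp,80"
# Routed forwarding without NAT, e.g. internal LAN -> DMZ web server.
# Entry format: "source net,destination net,protocol,port"
FW_FORWARD="$INT_NET,$DMZ_NET,tcp,80"
# FW_REDIRECT bends traffic to a port on the firewall itself
# (transparent proxying); it is not how you reach a DMZ host.
FW_REDIRECT=""

# Expand one FW_FORWARD_MASQ entry into the iptables rules it implies:
# a DNAT on the external interface plus an ACCEPT in the FORWARD chain.
# Prints the commands rather than running them.
fwd_masq_rules() {
    entry=$1
    src=$(printf '%s' "$entry" | cut -d, -f1)
    dst=$(printf '%s' "$entry" | cut -d, -f2)
    proto=$(printf '%s' "$entry" | cut -d, -f3)
    port=$(printf '%s' "$entry" | cut -d, -f4)
    tport=$(printf '%s' "$entry" | cut -d, -f5)
    # optional fifth field: port on the DMZ host, defaults to "port"
    [ -n "$tport" ] || tport=$port
    if [ -z "$src" ] || [ -z "$dst" ] || [ -z "$proto" ] || [ -z "$port" ]; then
        echo "bad FW_FORWARD_MASQ entry: $entry" >&2
        return 1
    fi
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$FW_DEV_EXT" "$src" "$proto" "$port" "$dst" "$tport"
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$FW_DEV_EXT" "$FW_DEV_DMZ" "$src" "$dst" "$proto" "$tport"
}

# One MASQUERADE rule per network listed in FW_MASQ_NETS.
masq_rules() {
    for net in $FW_MASQ_NETS; do
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j MASQUERADE\n' \
            "$FW_MASQ_DEV" "$net"
    done
}

for e in $FW_FORWARD_MASQ; do
    fwd_masq_rules "$e"
done
masq_rules
```

The DNAT rewrites the destination of packets arriving on eth0 for port 80 to the DMZ host; the FORWARD rule lets the rewritten packet cross from eth0 to eth1; the MASQUERADE on eth0 covers the DMZ host's own outbound traffic. Without the DMZ network in FW_MASQ_NETS the forwarded connection half-works: the SYN reaches the web server, but its replies carry a private source address on the way out.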