I tried these configs, and having the aliases eth0:1 and eth0:2 only in FW_DEV_DMZ, all I got was SuSE-FW-UNAUTHORIZED-TARGET; adding eth0 in there as well got me SuSE-FW-DROP-SPOOF messages in my logfile. By putting the aliases in FW_DEV_EXT, I made more progress, in that I can now see SuSE-FW-ACCEPT-TRUST inbound messages from my test machine (emulated vendor) destined for the IP address of the eth0:1 alias, but a complete lack of the FW_FORWARD_MASQ operation happening.

According to all the examples I've looked at, the first IP address in each line of FW_FORWARD_MASQ must be the outside address coming in (i.e. my vendor who wants to get to one of my internal pcAnywhere hosts), and the second address in each FW_FORWARD_MASQ line is the internal address of the destination host. I guess what I need is a way to specify three IP addresses for each forward_masq operation: first the originating source address, second the external IP alias on the firewall, and third the interior IP address of the particular pcAnywhere host. Something like:

  vendor's ip address         = x.y.z.123
  external ip of eth0         = a.b.c.100
  external ip of eth0:1       = a.b.c.101
  external ip of eth0:2       = a.b.c.102
  interior pcanywhere host 1  = 192.168.1.10
  interior pcanywhere host 2  = 192.168.1.11
  interior pcanywhere host 3  = 192.168.1.12

If only FW_FORWARD_MASQ supported the concept of three addresses, such as

  source_ip,firewalls_external_ip,interior_destination_ip,protocol,portnumber

then I'd be really happy:

  FW_FORWARD_MASQ="x.y.z.123,a.b.c.100,192.168.1.10,tcp,5631 \
                   x.y.z.123,a.b.c.100,192.168.1.10,udp,5632 \
                   x.y.z.123,a.b.c.101,192.168.1.11,tcp,5631 \
                   x.y.z.123,a.b.c.101,192.168.1.11,udp,5632 \
                   x.y.z.123,a.b.c.102,192.168.1.12,tcp,5631 \
                   x.y.z.123,a.b.c.102,192.168.1.12,udp,5632"

But alas, it only supports two IP addresses, the originating source and the final internal destination, like:

  FW_FORWARD_MASQ="x.y.z.123,192.168.1.10,tcp,5631 \
                   x.y.z.123,192.168.1.10,udp,5632"

and putting the external firewall address in the first part doesn't work.

If anyone has any other ideas for making such a scenario work, I'd sure appreciate the help. Otherwise I guess I'm going to go back to the single external IP on the firewall with alternate port numbers for my various interior pcAnywhere hosts, and just tell my vendor that his poor little childish support staff are just going to have to learn how to deal with using alternate ports in their pcA remotes, that this is all I can support on my end, and if he wants to continue to get my business he'll have to do things my way.

-----Original Message-----
From: Togan Muftuoglu
Sent: Tuesday, November 26, 2002 5:37 PM
To: Suse-Security
Subject: Re: [suse-security] SuSEfirewall2: external ip aliases with forward / masq?

* Howard, Neal; <nhoward@cwftx.net> on 26 Nov, 2002 wrote:
> I'll try it out tomorrow, it's been a long day here in Texas too and my brain hurts right now!
I know the feeling :-)
> I'm guessing I should use the external ip aliases in the first part of each stanza of FW_FORWARD_MASQ instead of putting the vendor's ip address in that place like I was doing?
Now although I said
FW_DEV_EXT="eth0 eth0:1 eth0:2"
It's better to have the aliases eth0:1 and eth0:2 in FW_DEV_DMZ and then FW_FORWARD_MASQ them for the vendor; this way it should be both secure and doable (cross your fingers).

-- 
Togan Muftuoglu

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
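As an added example (not part of the original thread and not SuSEfirewall2's own code), here is what the three-address forward Neal asks for looks like at the iptables level, which is what SuSEfirewall2 ultimately generates: a DNAT rule in the nat PREROUTING chain keyed on both the vendor's source address and the particular external alias, plus a matching FORWARD accept for the rewritten packet and one rule for the reply path. The script builds the rules from the address list in the message and prints them instead of applying them, so it runs without root; the addresses and ports are the ones from the message, while the interface names EXT_IF and INT_IF and the rule layout are assumptions.

```shell
#!/bin/sh
# Added example: emit iptables rules for source-restricted port forwards
# keyed on a specific external alias (src, ext_alias, int_host, proto, port).
# Rules are printed, not applied; review them and feed them to sh as root.
# Addresses are from the message; EXT_IF and INT_IF are assumed names.

EXT_IF=eth0        # aliases eth0:1 and eth0:2 are still packets arriving on eth0
INT_IF=eth1        # assumed interior interface
VENDOR=x.y.z.123

# Constructed forward table: src,external_alias,internal_host,proto,port
FORWARDS="
$VENDOR,a.b.c.100,192.168.1.10,tcp,5631
$VENDOR,a.b.c.100,192.168.1.10,udp,5632
$VENDOR,a.b.c.101,192.168.1.11,tcp,5631
$VENDOR,a.b.c.101,192.168.1.11,udp,5632
$VENDOR,a.b.c.102,192.168.1.12,tcp,5631
$VENDOR,a.b.c.102,192.168.1.12,udp,5632
"

# gen_rules: print the DNAT rule and the FORWARD accept for one entry.
gen_rules() {
    src=$1 ext=$2 int=$3 proto=$4 port=$5
    # Rewrite the destination only for packets from this source to this alias;
    # the same port on a different alias can go to a different inside host.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$src" "$ext" "$proto" "$port" "$int" "$port"
    # Let the rewritten packet through; FORWARD is matched after DNAT, so
    # the destination seen here is already the inside host.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$EXT_IF" "$INT_IF" "$src" "$int" "$proto" "$port"
}

# gen_all: walk FORWARDS, emit every rule, then one reply-path allow.
gen_all() {
    echo "$FORWARDS" | while IFS=, read -r src ext int proto port; do
        [ -n "$src" ] || continue
        gen_rules "$src" "$ext" "$int" "$proto" "$port"
    done
    # Return traffic for the established forwards (one rule covers all entries).
    echo "iptables -A FORWARD -i $INT_IF -o $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# count_rules: number of rule lines gen_all emits, for sanity checking.
count_rules() { gen_all | wc -l | tr -d ' '; }

gen_all
```

The point the rules make explicit is that the per-alias distinction lives in the `-d` match of the DNAT rule, not in the FORWARD rule, so whatever the config front end accepts, the forward itself needs the source, the alias and the inside host. Outbound masquerading for the inside hosts is a separate SNAT/MASQUERADE rule and is not shown here.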