Re: [suse-security] SuseFirewall2 DMZ
--- Thorsten Preuss
sorry for my mistake.
of course the question should then be:
if not, can you reach it on the webserver itself with e.g. wget http://192.168.5.2/
Thorsten
I see my webserver
OK, next step: when you try to reach your webserver from the internal network with http://192.168.5.2/ which messages do you get on the firewall?
Thorsten
--- Thorsten Preuss
when you try to reach your webserver from the internal network with http://192.168.5.2/ which messages do you get on the firewall ?
Thorsten
How do I see the messages on the firewall?
On your firewall try tail -f /var/log/messages and then try to access your webserver from your internal network.
Thorsten
--- Thorsten Preuss
tail -f /var/log/messages
My /var/log/messages
Jan 17 16:09:53 linux pppd[982]: sent [LCP EchoReq id=0x82 magic=0x9fc93b77]
Jan 17 16:09:53 linux pppd[982]: rcvd [LCP EchoRep id=0x82 magic=0x27bb6028]
Jan 17 16:10:02 linux dhcpd: DHCPREQUEST for 0.0.4.102 from 00:03:93:b0:fa:26 via eth1: ignored (not authoritative).
Jan 17 16:10:09 linux last message repeated 3 times
Jan 17 16:10:13 linux pppd[982]: sent [LCP EchoReq id=0x83 magic=0x9fc93b77]
Jan 17 16:10:13 linux pppd[982]: rcvd [LCP EchoRep id=0x83 magic=0x27bb6028]
Jan 17 16:10:17 linux dhcpd: DHCPDISCOVER from 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:18 linux dhcpd: DHCPOFFER on 192.168.1.164 to 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:18 linux dhcpd: DHCPREQUEST for 192.168.1.164 (192.168.1.1) from 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:18 linux dhcpd: DHCPACK on 192.168.1.164 to 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.15.76.155 DST=80.15.77.20 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=34582 PROTO=UDP SPT=1030 DPT=137 LEN=58
Jan 17 16:10:33 linux pppd[982]: sent [LCP EchoReq id=0x84 magic=0x9fc93b77]
Jan 17 16:10:33 linux pppd[982]: rcvd [LCP EchoRep id=0x84 magic=0x27bb6028]
Jan 17 16:10:53 linux pppd[982]: sent [LCP EchoReq id=0x85 magic=0x9fc93b77]
Jan 17 16:10:53 linux pppd[982]: rcvd [LCP EchoRep id=0x85 magic=0x27bb6028]
Jan 17 16:11:13 linux pppd[982]: sent [LCP EchoReq id=0x86 magic=0x9fc93b77]
Jan 17 16:11:13 linux pppd[982]: rcvd [LCP EchoRep id=0x86 magic=0x27bb6028]
Jan 17 16:11:17 linux kernel: VFS: Disk change detected on device fd(2,0)
Jan 17 16:11:33 linux pppd[982]: sent [LCP EchoReq id=0x87 magic=0x9fc93b77]
Jan 17 16:11:33 linux pppd[982]: rcvd [LCP EchoRep id=0x87 magic=0x27bb6028]
Jan 17 16:11:34 linux pppd[982]: rcvd [LCP EchoReq id=0x9 magic=0x27bb6028]
Jan 17 16:11:34 linux pppd[982]: sent [LCP EchoRep id=0x9 magic=0x9fc93b77]
and then try to access your webserver from your internal network.
IExplorer find but nothing
The line:
Jan 17 16:10:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.15.76.155 DST=80.15.77.20 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=34582 PROTO=UDP SPT=1030 DPT=137 LEN=58
tells us that the firewall is at least blocking packets and that the firewall logs these, too.
Can you post the output of the command:
route -n
from your firewall and your webserver and perhaps the output of the command
route print
from your windows box?
The following setup should work fine, but you will not be able to reach your webserver from the inside with the public IP of your ppp0 interface, just with the private IP 192.168.5.2.
Please also try to get the newest version of the SuSEfirewall2 scripts; I ran into some trouble with an older version while trying to use FW_FORWARD_MASQ, which ran fine after updating the scripts. The newest version is available under:
ftp://ftp.suse.com/pub/people/garloff/linux/SuSE/RPMS/[SuSE-version]/SuSEfirewall2-*
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="80"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="DNS ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0.0.0.0/0,192.168.5.2,tcp,80"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option \
--log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="no"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
route -n from firewall :
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
80.15.77.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
10.0.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
0.0.0.0 80.15.77.1 0.0.0.0 UG 0 0 0 ppp0
route -n from web server
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
route print from windows
===========================================================================
Liste d'Interfaces
0x1 ........................... MS TCP Loopback interface
0x2 ...00 40 f4 45 e8 0e ...... Carte réseau Fast Ethernet PCI Realtek RTL8139 Family - Miniport d'ordonnancement de paquets
===========================================================================
===========================================================================
Itinéraires actifs :
Destination réseau Masque réseau Adr. passerelle Adr. interface Métrique
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.199 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.199 192.168.1.199 20
192.168.1.199 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.1.255 255.255.255.255 192.168.1.199 192.168.1.199 20
224.0.0.0 240.0.0.0 192.168.1.199 192.168.1.199 20
255.255.255.255 255.255.255.255 192.168.1.199 192.168.1.199 1
Passerelle par défaut : 192.168.1.1
===========================================================================
Itinéraires persistants :
Aucun
--- Thorsten Preuss
Jan 17 16:10:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.15.76.155 DST=80.15.77.20 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=34582 PROTO=UDP SPT=1030 DPT=137 LEN=58
tells us that the firewall is at least blocking packets and that the firewall logs these, too.
Can you post the output of the command:
route -n
from your firewall and your webserver and perhaps the output of the command
route print
from your windows box?
The following setup should work fine, but you will not be able to reach your webserver from the inside with the public IP of your ppp0 interface, just with the private IP 192.168.5.2.
Please also try to get the newest version of the SuSEfirewall2 scripts; I ran into some trouble with an older version while trying to use FW_FORWARD_MASQ, which ran fine after updating the scripts. The newest version is available under:
ftp://ftp.suse.com/pub/people/garloff/linux/SuSE/RPMS/[SuSE-version]/SuSEfirewall2-*
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="80"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="DNS ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0.0.0.0/0,192.168.5.2,tcp,80"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="yes"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option \
--log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="no"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
Hi Frédéric!
route -n from web server
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
Please add 192.168.5.1 as a default gateway on the web server. Then try to access it from the firewall, e.g., by doing a "curl http://192.168.5.2".
Stupid question: Do you have some firewall running on the web server?
Regards, Andy
--
Andreas J. Mueller
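A way to see Andy's point about the missing default gateway, as an added example that is not code from the thread or from SuSEfirewall2: a small longest-prefix route lookup over the two `route -n` tables posted above, embedded here as constructed copies. Traffic from the internal LAN to the DMZ is not masqueraded (FW_MASQ_DEV is the external device only), so the web server sees the client's real 192.168.1.x address and needs a route back to it; with only the 192.168.5.0/24 entry it has none, so any forwarded SYN gets no reply. The gateway 192.168.5.1 is assumed here to be the firewall's eth2 address, as Andy's advice implies; the thread never prints that address.

```python
"""Longest-prefix route lookup over `route -n` style tables (added example)."""
import ipaddress

# Constructed from the `route -n` output posted in the thread.
WEBSERVER_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
"""

FIREWALL_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
80.15.77.1      0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
192.168.5.0     0.0.0.0         255.255.255.0   U     0      0        0 eth2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         80.15.77.1      0.0.0.0         UG    0      0        0 ppp0
"""


def parse_route_n(text):
    """Turn `route -n` output into a list of (network, gateway-or-None, iface)."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue  # skip the two header lines
        dest, gw, mask, iface = fields[0], fields[1], fields[2], fields[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel does; None if dst is unroutable."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


def next_hop(routes, dst):
    """Describe how dst would be reached: 'direct via IFACE', 'via GW dev IFACE', or None."""
    hit = lookup(routes, dst)
    if hit is None:
        return None
    net, gw, iface = hit
    return f"direct via {iface}" if gw is None else f"via {gw} dev {iface}"


def with_default_gateway(routes, gw, iface):
    """Copy of the table plus a default route, i.e. what `route add default gw GW` adds."""
    return routes + [(ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gw), iface)]


if __name__ == "__main__":
    ws = parse_route_n(WEBSERVER_ROUTES)
    client = "192.168.1.199"  # the Windows box from the `route print` output above
    print("web server -> internal client, as posted :", next_hop(ws, client))
    fixed = with_default_gateway(ws, "192.168.5.1", "eth0")  # 192.168.5.1 assumed = firewall eth2
    print("web server -> internal client, with gw   :", next_hop(fixed, client))
    fw = parse_route_n(FIREWALL_ROUTES)
    print("firewall -> web server                   :", next_hop(fw, "192.168.5.2"))
```

The same lookup run against the firewall's table shows why Thorsten's earlier remark holds: a packet for the public ppp0 address never leaves the box, while 192.168.5.2 is reached directly via eth2, so only the private address is usable from inside.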
* Frédéric Poulet;
--- Thorsten Preuss
wrote: > On your firewall try tail -f /var/log/messages
My /var/log/messages
Jan 17 16:09:53 linux pppd[982]: sent [LCP EchoReq id=0x82 magic=0x9fc93b77]
Jan 17 16:09:53 linux pppd[982]: rcvd [LCP EchoRep id=0x82 magic=0x27bb6028]
Jan 17 16:10:02 linux dhcpd: DHCPREQUEST for 0.0.4.102 from 00:03:93:b0:fa:26 via eth1: ignored (not authoritative).
Jan 17 16:10:09 linux last message repeated 3 times
Jan 17 16:10:13 linux pppd[982]: sent [LCP EchoReq id=0x83 magic=0x9fc93b77]
Jan 17 16:10:13 linux pppd[982]: rcvd [LCP EchoRep id=0x83 magic=0x27bb6028]
Jan 17 16:10:17 linux dhcpd: DHCPDISCOVER from 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:18 linux dhcpd: DHCPOFFER on 192.168.1.164 to 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:18 linux dhcpd: DHCPREQUEST for 192.168.1.164 (192.168.1.1) from 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:18 linux dhcpd: DHCPACK on 192.168.1.164 to 00:03:93:b0:fa:26 via eth1
Now there is some misguiding information. A few minutes ago, when you sent your config:
# 12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
You are saying there are no DHCP servers or DHCP clients on the firewall machine, yet your logs say the opposite?
Jan 17 16:10:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.15.76.155 DST=80.15.77.20 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=34582 PROTO=UDP SPT=1030 DPT=137 LEN=58
This is from 80.15.76.155 to 80.15.77.20 and requesting Netbios from port 1030 to 137 and it is dropped by default Nothing
and then try to access your webserver from your internal network.
IExplorer find but nothing
Meaning what? You are unable to reach the webserver, or there are no related logs in /var/log/messages?
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
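The two checks the replies above do by eye, decoding the SuSE-FW-DROP-DEFAULT line (Thorsten's and Togan's reading of it: UDP from 80.15.76.155 port 1030 to port 137 on ppp0, dropped by the default rule) and the contradiction between FW_SERVICE_DHCPD="no" and the dhcpd entries in the same log, as an added example in Python. This is not code from the thread or from the SuSEfirewall2 scripts. The sample log and config are constructed copies of what was posted, and the mapping from FW_SERVICE_* switches to syslog program names (named, squid, smbd) is an assumption of this example, not something the thread states.

```python
"""Decode SuSE-FW kernel log lines and cross-check them against the config (added example)."""
import re

# Constructed sample: lines taken from the /var/log/messages excerpt posted in the thread.
SAMPLE_LOG = """\
Jan 17 16:10:02 linux dhcpd: DHCPREQUEST for 0.0.4.102 from 00:03:93:b0:fa:26 via eth1: ignored (not authoritative).
Jan 17 16:10:18 linux dhcpd: DHCPACK on 192.168.1.164 to 00:03:93:b0:fa:26 via eth1
Jan 17 16:10:29 linux kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=80.15.76.155 DST=80.15.77.20 LEN=78 TOS=0x00 PREC=0x00 TTL=120 ID=34582 PROTO=UDP SPT=1030 DPT=137 LEN=58
Jan 17 16:10:33 linux pppd[982]: sent [LCP EchoReq id=0x84 magic=0x9fc93b77]
"""

# Constructed sample: the relevant part of the SuSEfirewall2 config posted by Thorsten.
SAMPLE_CONFIG = """\
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD_MASQ="0.0.0.0/0,192.168.5.2,tcp,80"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
"""

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# The scripts log with "--log-prefix SuSE-FW" and append the verdict (DROP-DEFAULT, ACCEPT, ...).
FW_RE = re.compile(r"^SuSE-FW-(?P<verdict>[A-Z-]+) (?P<fields>.*)$")

# Assumed mapping from FW_SERVICE_* switches to the program names those daemons log under.
SERVICE_PROGS = {
    "FW_SERVICE_DHCPD": "dhcpd",
    "FW_SERVICE_DNS": "named",
    "FW_SERVICE_SQUID": "squid",
    "FW_SERVICE_SAMBA": "smbd",
}


def parse_fw_line(line):
    """Return the netfilter key=value fields of a SuSE-FW kernel line as a dict, else None."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("prog") != "kernel":
        return None
    f = FW_RE.match(m.group("msg"))
    if not f:
        return None
    rec = {"verdict": f.group("verdict")}
    for tok in f.group("fields").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length); keep the first one.
            rec.setdefault(k, v)
    return rec


def summarize_drops(log):
    """One (in-interface, proto, dst port) tuple per dropped packet in the log."""
    out = []
    for line in log.splitlines():
        rec = parse_fw_line(line)
        if rec and rec["verdict"].startswith("DROP"):
            out.append((rec.get("IN"), rec.get("PROTO"), rec.get("DPT")))
    return out


def daemons_seen(log):
    """Set of program names that wrote to the log."""
    return {m.group("prog") for m in map(SYSLOG_RE.match, log.splitlines()) if m}


def parse_sysconfig(text):
    """Parse KEY="value" lines, skipping blanks and '#' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        k, _, v = line.partition("=")
        cfg[k] = v.strip().strip('"')
    return cfg


def config_log_mismatches(cfg, log):
    """FW_SERVICE_* switches set to "no" although the matching daemon shows up in the log."""
    seen = daemons_seen(log)
    return sorted(k for k, prog in SERVICE_PROGS.items() if cfg.get(k) == "no" and prog in seen)


if __name__ == "__main__":
    print("dropped packets (iface, proto, dport):", summarize_drops(SAMPLE_LOG))
    print("config vs. log mismatches:", config_log_mismatches(parse_sysconfig(SAMPLE_CONFIG), SAMPLE_LOG))
```

Run against a real /var/log/messages, summarize_drops() gives a quick count of what the default rule is discarding per interface and port (the port-137 line is the usual NetBIOS noise on a dial-up address), and config_log_mismatches() reproduces Togan's observation that FW_SERVICE_DHCPD="no" does not match a firewall that is visibly serving DHCP leases on eth1.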
* Frédéric Poulet;
--- Thorsten Preuss
wrote: > OK, next step: when you try to reach your webserver from the internal network with http://192.168.5.2/ which messages do you get on the firewall?
Thorsten
How do I see the messages on the firewall?
They are logged to /var/log/firewall or /var/log/messages, so tail -f /var/log/messages will show you the messages while you are trying on another screen.
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
participants (4)
-
Andreas J Mueller
-
Frédéric Poulet
-
Thorsten Preuss
-
Togan Muftuoglu