Firewall2 and Masquerading
Apologies if this is off topic to the list. I am new to Linux and have spent the last few weeks seeking help using other avenues to no success. I have installed SuSE 7.3 on a Linux box to act as router/firewall on a small network. The box uses an ISDN line (with dynamic IP address) for internet access. I have set this line up according to the SuSE network manual. With Firewall2 inactive I can access the internet with no problems from this box (though obviously computers on the LAN that are to use this box as an internet gateway cannot). With Firewall2 active I cannot access the internet from this box (though masquerading appears to be functioning correctly, as computers on the LAN can now use the gateway). Trying to ping www.suse.com from the firewall box gives this message in the firewall log:

  SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.7 DST=62.136.92.111 LEN=144 TOS=0x00 PREC=0x00 TTL=59 ID=12419 PROTO=UDP SPT=53 DPT=1090 LEN=124
  SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.4 DST=62.136.92.111 LEN=1

where 195.112.4.4 / 195.112.4.7 are my ISP's DNS servers (statically assigned) and 62.136.92.111 is the dynamic IP address that has been assigned by my ISP for the session. Could anyone explain why this is occurring (i.e. the dropping of outgoing connections made from the firewall box) and how I could correct it?
My firewall config file is as follows:

  FW_DEV_EXT="ippp0"
  FW_DEV_INT="eth0"
  FW_ROUTE="yes"
  FW_MASQUERADE="yes"
  FW_MASQ_DEV="ippp0"
  FW_MASQ_NETS="192.168.0.0/24"
  FW_PROTECT_FROM_INTERNAL="no"
  FW_AUTOPROTECT_SERVICES="yes"
  FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
  FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain time ntp"
  FW_SERVICE_AUTODETECT="no"
  FW_SERVICE_DNS="no"
  FW_SERVICE_DHCLIENT="no"
  FW_SERVICE_DHCPD="no"
  FW_SERVICE_SQUID="no"
  FW_SERVICE_SAMBA="no"
  FW_LOG_DROP_CRIT="no"
  FW_LOG_DROP_ALL="no"
  FW_LOG_ACCEPT_CRIT="no"
  FW_LOG_ACCEPT_ALL="no"
  FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
  FW_KERNEL_SECURITY="yes"
  FW_STOP_KEEP_ROUTING_STATE="yes"
  FW_ALLOW_PING_FW="yes"
  FW_ALLOW_PING_DMZ="no"
  FW_ALLOW_PING_EXT="no"
  FW_ALLOW_FW_TRACEROUTE="yes"
  FW_ALLOW_FW_SOURCEQUENCH="yes"
  FW_ALLOW_FW_BROADCAST="no"
  FW_IGNORE_FW_BROADCAST="yes"
  FW_ALLOW_CLASS_ROUTING="no"

Many Thanks. -- Dave Cunningham PGP Key http://www.upsilon.org.uk/dc.asc
At Sonntag, 10. November 2002 14:33 dave cunningham wrote:
... With Firewall2 active I cannot access the internet from this box (though masquerading appears to be functioning correctly as computers on the LAN can now use the gateway). ... My firewall config file is as follows: FW_DEV_EXT="ippp0" FW_DEV_INT="eth0" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="ippp0"
Have you tried masquerading eth0 instead of ippp0? -- Michael Zimmermann (http://vegaa.de)
------- Original message follows -------
Have you tried masquerading eth0 instead of ippp0?
I'm afraid I don't quite follow. eth0 is my internal network which is using the linux box as an internet gateway. -- Dave Cunningham PGP Key http://www.upsilon.org.uk/dc.asc
On 11/10/2002 10:23 PM, dave cunningham wrote:
I'm afraid I don't quite follow. eth0 is my internal network which is using the linux box as an internet gateway.
Exactly. Your external interface has (or gets) a public (internet-routeable) IP address. It doesn't need to be masqueraded. Your internal network should have private, non-internet-routeable IP addresses, so for them to access the internet, their packets need to be masqueraded to a routeable address. HTH. -- Joe & Sesil Morris New Tribes Mission Email Address: Joe_Morris@ntm.org Web Address: http://www.mydestiny.net/~joe_morris Registered Linux user 231871 God said, I AM that I AM. I say, by the grace of God, I am what I am.
* dave cunningham;
Trying to ping www.suse.com from the firewall box gives this message in the firewall log
" SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.7 DST=62.136.92.111 LEN=144 TOS=0x00 PREC=0x00 TTL=59 ID=12419 PROTO=UDP SPT=53 DPT=1090 LEN=124
Here 195.112.4.7 sends a packet from port 53 to port 1090 on your computer. The protocol is UDP, and this is a DNS reply.
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.4 DST=62.136.92.111 LEN=1 "
where 195.112.4.4 / 195.112.4.7 are my ISP's DNS servers (statically assigned) and 62.136.92.111 is the dynamic IP address that has been assigned by my ISP for the session.
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain time ntp"
In order to have the DNS replies accepted (which is not the case in your config), this part needs to have DNS or yes (DNS is safer: it will accept DNS replies only from the nameservers listed in your /etc/resolv.conf). Time is port 37 and ntp is port 123, so they are not high ports; it would not help to put them here. Try with FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
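The diagnosis above (a UDP packet from source port 53 to an unprivileged destination port is the reply to a DNS query this host sent, and it is only legitimate when it comes from a configured resolver) can be applied mechanically to a firewall log. The following script is an added example for this thread, not code from any of the posters or from SuSEfirewall2: it parses log lines in the key=value layout Dave quoted, reads a resolv.conf-style nameserver list, and counts how many dropped packets are DNS replies from a listed resolver versus from an unknown source. The log lines and the resolver list are constructed samples modelled on the addresses in the thread; the classification rule (PROTO=UDP, SPT=53, DPT at or above 1024) and the field names are assumptions about the log format rather than anything the thread itself spells out.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the SuSE-FW log entries quoted above.
# Real kernel log lines carry a timestamp and hostname before the prefix;
# this example assumes those have already been stripped.
SAMPLE_LOG = """\
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.7 DST=62.136.92.111 LEN=144 TOS=0x00 PREC=0x00 TTL=59 ID=12419 PROTO=UDP SPT=53 DPT=1090 LEN=124
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.4 DST=62.136.92.111 LEN=140 TOS=0x00 PREC=0x00 TTL=59 ID=12420 PROTO=UDP SPT=53 DPT=1091 LEN=120
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=62.136.92.111 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 PROTO=UDP SPT=53 DPT=1092 LEN=40
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=203.0.113.9 DST=62.136.92.111 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=8 PROTO=TCP SPT=4444 DPT=22 LEN=40
"""

# Constructed resolver list in the shape of /etc/resolv.conf.
RESOLV_CONF = """\
search example.invalid
nameserver 195.112.4.4
nameserver 195.112.4.7
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_resolv_conf(text):
    """Return the set of addresses named on 'nameserver' lines."""
    servers = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.add(parts[1])
    return servers


def parse_fw_line(line):
    """Split one log line into its prefix and key=value fields.

    LEN appears twice (IP total length, then the UDP/TCP length field);
    the first is stored as 'LEN' and any repeat is suffixed with '2'.
    """
    fields = {"prefix": line.split(None, 1)[0]}
    for key, value in FIELD_RE.findall(line):
        if key in fields:
            key += "2"
        fields[key] = value
    return fields


def classify(fields, resolvers):
    """Label a dropped packet by whether it looks like a DNS reply to us."""
    is_dns_reply = (
        fields.get("PROTO") == "UDP"
        and fields.get("SPT") == "53"
        and int(fields.get("DPT") or "0") >= 1024
    )
    if not is_dns_reply:
        return "other"
    if fields.get("SRC") in resolvers:
        return "dns-reply-from-configured-resolver"
    return "dns-reply-from-unknown-source"


def summarize(log_text, resolv_text):
    """Count dropped packets per category over a block of log text."""
    resolvers = parse_resolv_conf(resolv_text)
    counts = Counter()
    for line in log_text.splitlines():
        if "SuSE-FW" not in line:
            continue
        counts[classify(parse_fw_line(line), resolvers)] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOG, RESOLV_CONF).items()):
        print(f"{n:4d}  {category}")
```

A non-zero "dns-reply-from-configured-resolver" count is exactly the symptom in this thread: the box's own lookups go out, and the answers are dropped on ippp0. Replies arriving from addresses that are not in resolv.conf are worth a separate look, since a correctly configured host should not be receiving them at all.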
participants (4): dave cunningham, Joe & Sesil Morris (NTM), Michael Zimmermann, Togan Muftuoglu