SuSEfirewall2 and viewing your own internal web site.
I'm using SuSEfirewall2 doing network address translation. I have defined:
FW_FORWARD_MASQ="0/0,192.168.2.12,tcp,80,80"
This allows external machines to hit a test web server I have running.
Now if I define a link on a web based page or forum that points back at my firewall's external address like this (assuming 1.2.3.4 is my firewall's external address):
http://1.2.3.4/foo.jpg
From any other machine in the world outside my firewall, I can click that link and see foo.jpg. But from inside my firewall from another machine, no go. I can't use the external address. I have to change the reference to http://192.168.2.12/foo.jpg (i.e., the internal address).
I'd like to know what I have to tweak in /etc/rc.config.d/firewall2.rc.config in order to allow other internal machines to use the external address to be masq-forwarded back in to the 192.168.2.12 machine?
Maybe it's not possible... But I'm hoping it is.
Sincerely, Argentium
James Bliss wrote:
This has been an ongoing conversation on the SLE mailing list off and on.
This is an issue with the anti-spoofing rules in the firewall2 configuration (a valid security implementation, by the way).
First off, we need a view of what the following command provides:
grep -v ^# /etc/rc.config.d/firewall2.rc.config
Also, I would suggest adding, at the end of firewall2.rc.config (Section 25):
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
Then in firewall2-custom.rc.config, in the fw_custom_before_antispoofing() section, add:
iptables -A INPUT -i <interface> -s <internal network> -d <external IP address> -j ACCEPT
This line should look like:
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d 1.1.1.1 -j ACCEPT
192.168.1.0 should be your internal address range with a 0 at the end. 1.1.1.1 should be the IP address of your external interface.
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
James Bliss wrote:
This has been an ongoing conversation on the SLE mailing list off and on. This is an issue with the anti-spoofing rules in the firewall2 configuration (a valid security implementation, by the way).
Okay...
First off, we need a view of what the following command provides: grep -v ^# /etc/rc.config.d/firewall2.rc.config
Done:
FW_DEV_EXT="eth0" FW_DEV_INT="eth1" FW_DEV_DMZ="eth2"
FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="eth0" FW_MASQ_NETS="192.168.2.0/24"
FW_PROTECT_FROM_INTERNAL="yes" FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="22" FW_SERVICES_EXT_UDP="" FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="113 37 53 22" FW_SERVICES_DMZ_UDP="113 37 53 22" FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80 113 37 53 22 2064 3064" FW_SERVICES_INT_UDP="113 37 53 22" FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="yes" FW_SERVICE_DHCLIENT="yes" FW_SERVICE_DHCPD="yes" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.2.12,tcp,80,80"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no" FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
Also, I would suggest adding, at the end of firewall2.rc.config (Section 25):
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
Then in firewall2-custom.rc.config, in the fw_custom_before_antispoofing() section, add:
iptables -A INPUT -i <interface> -s <internal network> -d <external IP address> -j ACCEPT
This line should look like:
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d 1.1.1.1 -j ACCEPT
192.168.1.0 should be your internal address range with a 0 at the end. 1.1.1.1 should be the IP address of your external interface.
Done. That line reads:
iptables -A INPUT -i eth0 -s 192.168.2.0/24 -d 1.2.3.4 -j ACCEPT
(with the 1.2.3.4 being substituted with my real external IP)
Then let us know what your resolution is. And we can proceed from there.
No change unfortunately, after executing a: /etc/init.d/SuSEfirewall_final start
It took the new commands, but no joy.
In the firewall log, when I'm trying to browse an external web page with HTML that points back into my network on port 80, we get this:
Again, 1.2.3.4 has replaced my real external address. II:II:II:II:II:II replaces the MAC address of the internal card eth1 on the firewall that connects to the internal network.
Mar 8 10:56:19 cerberus kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth1 OUT= MAC=II:II:II:II:II:II:00:02:b3:0b:7b:3d:08:00 SRC=192.168.2.101 DST=1.2.3.4 LEN=48 TOS=0x08 PREC=0x00 TTL=128 ID=62243 DF PROTO=TCP SPT=4055 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Does this help diagnose the problem?
Argentium
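The log line above already tells the story: the packet arrives on eth1 with no OUT interface, so it is on the firewall's INPUT path, where the suggested rule (which matches -i eth0) never sees it, and even an INPUT accept would only deliver it to the firewall host, not to 192.168.2.12. As an added example that is not code from the thread, the following Python parses that SuSE-FW kernel log line, flags it as a LAN client addressing the masq-forwarded port on the external address, and builds the DNAT plus MASQUERADE rule pair (NAT loopback) that is the usual fix; that rule set, the CONFIG dictionary and the LAN network argument are assumptions of the example, not the thread's resolution.

```python
import re

# Constructed sample input: the dropped-packet line quoted in the thread, with the
# external address and the firewall's own MAC masked exactly as the poster masked them.
LOG_LINE = ("Mar 8 10:56:19 cerberus kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth1 OUT= "
            "MAC=II:II:II:II:II:II:00:02:b3:0b:7b:3d:08:00 SRC=192.168.2.101 DST=1.2.3.4 "
            "LEN=48 TOS=0x08 PREC=0x00 TTL=128 ID=62243 DF PROTO=TCP SPT=4055 DPT=80 "
            "WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)")

# Values from the poster's firewall2.rc.config; EXT_IP is the thread's placeholder address.
CONFIG = {"FW_DEV_INT": "eth1", "EXT_IP": "1.2.3.4",
          "FW_FORWARD_MASQ": "0/0,192.168.2.12,tcp,80,80"}

def parse_log(line):
    """Return the SuSE-FW log prefix plus the KEY=VALUE fields of one kernel log line."""
    m = re.search(r"(SuSE-FW-\S+)\s+(.*)", line)
    if not m:
        return None
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group(2)))  # OUT= yields an empty value
    fields["PREFIX"] = m.group(1)
    return fields

def parse_forward_masq(spec):
    """Split one FW_FORWARD_MASQ entry into its five comma-separated parts."""
    src, host, proto, port, to_port = spec.split(",")
    return {"src": src, "host": host, "proto": proto.upper(), "port": port, "to_port": to_port}

def is_hairpin_attempt(fields, cfg):
    """True when a LAN client addressed a masq-forwarded port on the external IP.
    IN is the internal interface and OUT is empty: the kernel is delivering the
    packet to the firewall itself (INPUT chain) rather than forwarding it, because
    nothing in PREROUTING rewrote the destination for traffic arriving on FW_DEV_INT."""
    fwd = parse_forward_masq(cfg["FW_FORWARD_MASQ"])
    return (fields.get("IN") == cfg["FW_DEV_INT"] and fields.get("OUT", "") == ""
            and fields.get("DST") == cfg["EXT_IP"]
            and fields.get("PROTO") == fwd["proto"] and fields.get("DPT") == fwd["port"])

def hairpin_rules(cfg, lan_net):
    """iptables commands for the usual NAT-loopback fix (an assumption of this example,
    not the thread's resolution): DNAT the hairpin connection before routing, then
    masquerade it on the way out to the server so the reply comes back through the
    firewall instead of going straight to the client, which would break the session."""
    f = parse_forward_masq(cfg["FW_FORWARD_MASQ"])
    p, d = f["proto"].lower(), cfg["FW_DEV_INT"]
    return [
        f"iptables -t nat -A PREROUTING -i {d} -s {lan_net} -d {cfg['EXT_IP']} -p {p}"
        f" --dport {f['port']} -j DNAT --to-destination {f['host']}:{f['to_port']}",
        f"iptables -t nat -A POSTROUTING -o {d} -s {lan_net} -d {f['host']} -p {p}"
        f" --dport {f['to_port']} -j MASQUERADE",
        f"iptables -A FORWARD -i {d} -o {d} -s {lan_net} -d {f['host']} -p {p}"
        f" --dport {f['to_port']} -j ACCEPT",
    ]
```

Run with `is_hairpin_attempt(parse_log(LOG_LINE), CONFIG)` to classify the quoted line, and `hairpin_rules(CONFIG, "192.168.2.0/24")` to see the rule pair for the poster's FW_MASQ_NETS.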
I have an absolutely similar problem: I can't connect to services (ssh, imap, etc.) running on my firewall from my internal network via the external IP, i.e.: ssh
Checked FW_SERVICES_INT_TCP="80" (you can see the web server on the FIREWALL inside the LAN).
-----Original message-----
From: Argentium G. Tiger [mailto:agtiger@kc.rr.com]
Sent: Thursday, 07 March 2002, 10:13 p.m.
To: suse-security@suse.com
Subject: [suse-security] SuSEfirewall2 and viewing your own internal web site.
Participants (4): Argentium G. Tiger, Carlos Carrera, James Bliss, Vitaly Shishakov