Hello List.

This is my first posting, so please bear with me. I'm playing with SuSEfirewall2 on SUSE 9.2 trying to build a screened subnet FW. Here's my test setup:

     +----------+
     |"Internet"|
     +----------+
          |
        wlan0
     (192.168.1.1)
          |
  +----------------+           +----------------+     +--------+
  |exterior router |-----+---- |interior router | --- |intranet|
  +----------------+     |     +----------------+     +--------+
   eth0 (10.0.0.1)       |
                         |
                         | eth0 (10.0.0.2)
                    +----------+
                    |DMZ server|
                    +----------+

Right now I'm trying to configure the exterior router. To enable HTTP and SSH on the DMZ server I configured the SuSEfirewall2 script as follows:

  FW_DEV_EXT="wlan-bus-pcmcia"
  FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
  FW_ROUTE="yes"
  FW_FORWARD="0/0,10.0.0.2,tcp,80 0/0,10.0.0.2,tcp,22"

The rest is more or less standard settings (attached at the end of this email).

Now, when I try to connect to the webserver from the internet I can see the packets with tcpdump at the DMZ server; however, the return packets get blocked by SuSEfirewall2 with the log entry:

  Feb 24 13:19:10 linux kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth0 OUT=wlan0 SRC=10.0.0.2 DST=192.168.1.2 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=33012 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0456274F008ADDF901030302

and these packets should be blocked, because the relevant iptables rules generated by SuSEfirewall2 are:

  -A forward_dmz -d 10.0.0.2 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j ACCEPT
  -A forward_dmz -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
  -A forward_dmz -j DROP

If I understand the first rule correctly, only packets with the destination IP 10.0.0.2 will match. All the rest gets blocked with the log message. All the tutorials and FAQs I read so far never said anything about configuring the reverse path also. I mean, I could simply include 10.0.0.2,0/0 in FW_FORWARD, but if someone hacked my DMZ server he automatically has access to everywhere.
So is this me just being stupid or is SuSEfirewall2 not doing what it should be doing? Is there a better way to enable just the response traffic from the DMZ server than including the reverse path?

Greetings
Stefan

---- full SuSEfirewall2 configuration ---

$ cat /etc/sysconfig/SuSEfirewall2 | grep -e "FW_" | grep -v "#"
FW_QUICKMODE="no"
FW_DEV_EXT="wlan-bus-pcmcia"
FW_DEV_INT=""
FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_*_TCP=""
FW_SERVICES_*_UDP=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD="0/0,10.0.0.2,tcp,80 0/0,10.0.0.2,tcp,22"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT="no"
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
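Added example (my own code, not part of this thread or of SuSEfirewall2): a small Python checker for the situation in the post above. It parses FW_FORWARD entries and the SFW2-FWDdmz-DROP-DEFLT log line quoted from the post, decides whether a FORWARD drop is the return half of a connection the forward already permits (a SYN/ACK leaving the DMZ host from its service port, which a stateful ESTABLISHED,RELATED return rule would accept) rather than a connection newly opened by the DMZ host, and flags the 10.0.0.2,0/0 shortcut as overly broad. The result strings and the dmz_hosts set are my own choices.

```python
# FW_FORWARD from the first post: entries are "source,destination[,protocol[,port]]"
FW_FORWARD = "0/0,10.0.0.2,tcp,80 0/0,10.0.0.2,tcp,22"
# The dropped reply packet reported in the first post (truncated OPT= tail omitted)
LOG_LINE = ("Feb 24 13:19:10 linux kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth0 OUT=wlan0 "
            "SRC=10.0.0.2 DST=192.168.1.2 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=0 DF "
            "PROTO=TCP SPT=80 DPT=33012 WINDOW=5792 RES=0x00 ACK SYN URGP=0")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_forward(spec):
    """Split FW_FORWARD into (src, dst, proto, dport); proto/dport are None if omitted."""
    rules = []
    for entry in spec.split():
        p = entry.split(",")
        proto = p[2].lower() if len(p) > 2 else None
        dport = int(p[3]) if len(p) > 3 else None
        rules.append((p[0], p[1], proto, dport))
    return rules

def parse_log(line):
    """Turn a netfilter LOG line into a dict of KEY=VALUE fields, PREFIX and a FLAGS set."""
    fields = {"FLAGS": set(), "PREFIX": ""}
    for tok in line.split():
        if tok.startswith("SFW2-"):
            fields["PREFIX"] = tok
        elif "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            fields["FLAGS"].add(tok)
    return fields

def classify_drop(line, spec):
    """Tell a dropped return packet of an FW_FORWARD-permitted connection from any other drop."""
    f = parse_log(line)
    if "DROP" not in f["PREFIX"]:
        return "not a drop"
    for _src, dst, proto, dport in parse_forward(spec):
        # A reply leaves the forward's destination host from its service port ...
        same_host = f.get("SRC") == dst
        same_proto = proto is None or f.get("PROTO", "").lower() == proto
        same_port = dport is None or f.get("SPT") == str(dport)
        # ... and carries ACK; a bare SYN would be a new connection opened by the DMZ host
        is_reply = "ACK" in f["FLAGS"] or "SYN" not in f["FLAGS"]
        if same_host and same_proto and same_port and is_reply:
            return "reply to permitted forward dropped"
    return "drop outside FW_FORWARD scope"

def overly_broad(spec, dmz_hosts):
    """Flag entries like 10.0.0.2,0/0 that would let a DMZ host initiate connections anywhere."""
    return [r for r in parse_forward(spec) if r[0] in dmz_hosts and r[1] in ("0/0", "0.0.0.0/0")]
```

Running classify_drop over the syslog lines with the SFW2 prefix separates "the stateful return rule is missing" from genuine policy drops before anyone is tempted to widen FW_FORWARD.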
hey,
All the tutorials and FAQs I read so far never said anything about configuring the reverse path also. I mean I could simply include 10.0.0.2,0/0 in FW_FORWARD, but if someone hacked my DMZ server he automatically has access to everywhere.
I think I ran into the same problem some time ago when I was setting up my DMZ. For me the problem only occurred for requests coming from the internal network (if I remember correctly...)
So is this me just being stupid or is SuSEfirewall2 not doing what it should be doing?
Those were the same thoughts that came into my head... My solution was to create some custom rules so that the packets could get through the firewall on their way back. I can't reconstruct that mess in detail, but if you try it out, I guess you'll find the rules to allow the stuff you need pretty fast. I had to alter the tables forward_dmz and forward_ext. I found no other solution, nor a reason for this, so I won't say SFW2 is doing anything wrong...

HTH
greetingz
luk
The Thursday 2005-02-24 at 15:21 +0100, Stefan Schmidt wrote:
I'm playing with SuSEfirewall2 on SUSE 9.2 trying to build a screened subnet FW. Here's my test setup: ...
FW_DEV_EXT="wlan-bus-pcmcia" FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
I still have SuSE 9.1, and I don't know if things have changed that much in 9.2. But in 9.1 that syntax would be incorrect: it expects device names like "eth0", "ppp0", "ippp1", "tr0", "auto", etc.

--
Cheers,
Carlos Robinson
----- Original Message -----
From: "Carlos E. R." <robin1.listas@tiscali.es>
To: "SuSE Security List" <suse-security@suse.com>
Sent: Thursday, February 24, 2005 4:13 PM
Subject: Re: [suse-security] [SUSE 9.2] SuSEfirewall2 Problem
The Thursday 2005-02-24 at 15:21 +0100, Stefan Schmidt wrote:
I'm playing with SuSEfirewall2 on SUSE 9.2 trying to build a screened subnet FW. Here's my test setup: ...
FW_DEV_EXT="wlan-bus-pcmcia" FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
I still have SuSE 9.1, and I don't know if things have changed that much in 9.2. But in 9.1 that syntax would be incorrect: it expects device names like "eth0", "ppp0", "ippp1", "tr0", "auto", etc.
Depending on where the device is mapped to. If you know your ethernet ID you can check this via ifconfig and look at which devices are listed. The above syntax is for kernel 2.6 and its provided iptables, and is generated by YaST.

Both syntaxes are allowed, but sometimes with similar or identical cards the kernel switches devices after a reboot. For that you have to set kernel options at module load time via /etc/modules.conf or the new modules.conf file provided with kernel 2.6.

Philippe
Philippe Vogel wrote:
----- Original Message -----
From: "Carlos E. R." <robin1.listas@tiscali.es>
To: "SuSE Security List" <suse-security@suse.com>
Sent: Thursday, February 24, 2005 4:13 PM
Subject: Re: [suse-security] [SUSE 9.2] SuSEfirewall2 Problem
The Thursday 2005-02-24 at 15:21 +0100, Stefan Schmidt wrote:
I'm playing with SuSEfirewall2 on SUSE 9.2 trying to build a screened subnet FW. Here's my test setup:
...
FW_DEV_EXT="wlan-bus-pcmcia" FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
I still have SuSE 9.1, and I don't know if things have changed that much in 9.2. But in 9.1 that syntax would be incorrect: it expects device names like "eth0", "ppp0", "ippp1", "tr0", "auto", etc.
Depending on where the device is mapped to. If you know your ethernet ID you can check this via ifconfig and look at which devices are listed.
BTW (not really security-related, but drove me insane nevertheless): How can I see if I've got a link (and what speed etc.) on a specific NIC? In FreeBSD-land, it's part of the output of ifconfig, but not on my SuSE hosts.

cheers,
Rainer

--
===================================================
~ Rainer Duffner - rainer@ultra-secure.de          ~
~ Freising - Munich - Germany                      ~
~ Unix - Linux - BSD - OpenSource - Security       ~
~ http://www.ultra-secure.de/~rainer/pubkey.pgp    ~
===================================================
On Thu, Feb 24, 2005 at 09:40:34PM +0100, Rainer Duffner wrote:
BTW (not really security-related, but drove me insane nevertheless): How can I see if I've got a link (and what speed etc.) on a specific NIC? In FreeBSD-land, it's part of the output of ifconfig, but not on my SuSE hosts.
/sbin/ip link show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:02:b3:1f:2c:a2 brd ff:ff:ff:ff:ff:ff

-Kastus
Kastus wrote:
BTW (not really security-related, but drove me insane nevertheless): How can I see if I've got a link (and what speed etc.) on a specific NIC? In FreeBSD-land, it's part of the output of ifconfig, but not on my SuSE hosts.
/sbin/ip link show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 link/ether 00:02:b3:1f:2c:a2 brd ff:ff:ff:ff:ff:ff
-Kastus
...and /sbin/mii-tool from the net-tools package :-)

client:/home/juergen # mii-tool
eth0: negotiated 100baseTx-FD, link ok

Juergen
The Thursday 2005-02-24 at 21:24 +0100, Philippe Vogel wrote:
FW_DEV_EXT="wlan-bus-pcmcia" FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
I still have SuSE 9.1, and I don't know if things have changed that much in 9.2. But in 9.1 that syntax would be incorrect: it expects device names like "eth0", "ppp0", "ippp1", "tr0", "auto", etc.
Depending on where the device is mapped to. If you know your ethernet ID you can check this via ifconfig and look at which devices are listed. The above syntax is for kernel 2.6 and its provided iptables, and is generated by YaST.
Both syntaxes are allowed, but sometimes with similar or identical cards the kernel switches devices after a reboot. For that you have to set kernel options at module load time via /etc/modules.conf or the new modules.conf file provided with kernel 2.6.
Mmm. Interesting. But the "/etc/sysconfig/SuSEfirewall2" file comments don't mention that in SuSE 9.1, and it uses kernel 2.6. What about SuSE 9.2, is this new syntax mentioned in the firewall file?

--
Cheers,
Carlos Robinson
Carlos E. R. wrote:
| The Thursday 2005-02-24 at 21:24 +0100, Philippe Vogel wrote:
|
|>>> FW_DEV_EXT="wlan-bus-pcmcia"
|>>> FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
|>>
|>> I still have SuSE 9.1, and I don't know if things have changed
|>> that much in 9.2. But in 9.1 that syntax would be incorrect: it
|>> expects device names like "eth0", "ppp0", "ippp1", "tr0",
|>> "auto", etc.
|>
|> Depending on where the device is mapped to. If you know your
|> ethernet ID you can check this via ifconfig and look at which
|> devices are listed. The above syntax is for kernel 2.6 and its
|> provided iptables, and is generated by YaST.
|>
|> Both syntaxes are allowed, but sometimes with similar or identical
|> cards the kernel switches devices after a reboot. For that you have to
|> set kernel options at module load time via /etc/modules.conf or the
|> new modules.conf file provided with kernel 2.6.
|
| Mmm. Interesting. But the "/etc/sysconfig/SuSEfirewall2" file
| comments don't mention that in SuSE 9.1, and it uses kernel 2.6.
| What about SuSE 9.2, is this new syntax mentioned in the firewall
| file?

I was wondering, too. But it worked fine, except for switched NICs after reboot. I fixed this by changing modprobe.conf.local:

  alias eth0 tulip
  alias eth1 8139too

After a reboot the order was correct. I wonder why this wasn't fixed after beta-testing. Thx to google for finding a proper solution.

Philippe

--
This message is digitally signed and contains neither seal nor signature! Sending unsolicited advertising e-mail to private individuals violates §1 UWG and §823 I BGB (ruling of the Berlin Regional Court of 2 Aug 1998, case no. 16 O 201/98). Any commercial use of the transmitted personal data, or passing it on to third parties, is expressly prohibited!
Carlos E. R. wrote:
The Thursday 2005-02-24 at 15:21 +0100, Stefan Schmidt wrote:
I'm playing with SuSEfirewall2 on SUSE 9.2 trying to build a screened subnet FW. Here's my test setup: ...
FW_DEV_EXT="wlan-bus-pcmcia" FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
I still have SuSE 9.1, and I don't know if things have changed that much in 9.2. But in 9.1 that syntax would be incorrect: it expects device names like "eth0", "ppp0", "ippp1", "tr0", "auto", etc.
9.1 SuSEfirewall2 also supports configuration names like the above. It uses getcfg-interface to find out the real kernel name. That's needed since the card that becomes "eth0" can change at every boot if you have multiple ethernet cards.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
Stefan Schmidt wrote:
[...]
FW_DEV_EXT="wlan-bus-pcmcia"
FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
FW_ROUTE="yes"
FW_FORWARD="0/0,10.0.0.2,tcp,80 0/0,10.0.0.2,tcp,22"
the rest is more or less standard settings (attached at the end of this email)
Now, when I try to connect to the webserver from the internet I can see the packets with tcpdump at the DMZ server, however, the return packets get blocked by SuSEfirewall2 with the log entry:
Feb 24 13:19:10 linux kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth0 OUT=wlan0 SRC=10.0.0.2 DST=192.168.1.2 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=33012 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0456274F008ADDF901030302
It's a bug in the 9.2 SuSEfirewall2. An update is already in the queue.
---- full SuSEfirewall2 configuration ---
$ cat /etc/sysconfig/SuSEfirewall2 | grep -e "FW_" | grep -v "#"
FW_QUICKMODE="no"
FW_DEV_EXT="wlan-bus-pcmcia"
FW_DEV_INT=""
FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_*_TCP=""
FW_SERVICES_*_UDP=""
            ^ did you manually edit that in the mail?
cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
Thanks Ludwig for your answer :) I was beginning to wonder if I'm too stupid for this stuff ;)

Ludwig Nussel wrote:
Stefan Schmidt wrote:
[...]
FW_DEV_EXT="wlan-bus-pcmcia"
FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
FW_ROUTE="yes"
FW_FORWARD="0/0,10.0.0.2,tcp,80 0/0,10.0.0.2,tcp,22"
the rest is more or less standard settings (attached at the end of this email)
Now, when I try to connect to the webserver from the internet I can see the packets with tcpdump at the DMZ server, however, the return packets get blocked by SuSEfirewall2 with the log entry:
Feb 24 13:19:10 linux kernel: SFW2-FWDdmz-DROP-DEFLT IN=eth0 OUT=wlan0 SRC=10.0.0.2 DST=192.168.1.2 LEN=60 TOS=0x08 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=80 DPT=33012 WINDOW=5792 RES=0x00 ACK SYN URGP=0 OPT (020405B40402080A0456274F008ADDF901030302
It's a bug in the 9.2 SuSEfirewall2. An update is already in the queue.

What does that mean exactly? Is it in a testing state and will be released soon, or is it still being worked on? Any speculations about a release date - I'm kind of in a hurry with this project.
---- full SuSEfirewall2 configuration ---
$ cat /etc/sysconfig/SuSEfirewall2 | grep -e "FW_" | grep -v "#"
FW_QUICKMODE="no"
FW_DEV_EXT="wlan-bus-pcmcia"
FW_DEV_INT=""
FW_DEV_DMZ="eth-id-00:50:04:d2:71:9e"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_*_TCP=""
FW_SERVICES_*_UDP=""
            ^ did you manually edit that in the mail?

Yes, that was me. I first had all options in the main text before deciding to put it at the end of the email.
cu Ludwig
Greetings Stefan
participants (8): Carlos E. R., dadirtyluk, Juergen Porbadnigk, Kastus, Ludwig Nussel, Philippe Vogel, Rainer Duffner, Stefan Schmidt