Fw: A bug with SuSEfirewall2 ? Or a feature ?
Hi,

I'm using SuSEfirewall2 1.0 in a SuSE 7.1 kernel 2.4.2, the machine is the firewall for a private lan using masquerading to reach the internet.

The problem is: internal machines can't connect to ports on the external address of the firewall. If I try these ports from outside, it works ok.

Example: firewall
  eth1 - external ip 1.2.3.4
  eth0 - internal ip 172.16.0.1

If I try to get mail from 172.16.0.3 this is the log in /var/log/firewall:

  SuSE-FW-UNALLOWED-TARGETIN=eth0 OUT= MAC=00:80:ad:09:0b:38:00:48:54:62:d9:ed:08:00 SRC=172.16.0.3 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=26274 DF PROTO=TCP SPT=1908 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)

/etc/rc.config.d/firewall2.rc.config has this line:

  FW_SERVICES_EXT_TCP="ssh smtp pop3 domain www"

The masquerading works to any other host without a charm, except for the external ip of the firewall. Previously we were using SuSefirewall on a SuSE 6.4 and this thing worked. There are laptop users that try to get mail from inside or outside and this problem is very annoying.

Is SuSEfirewall2 doing this on purpose?

Thanks,
--
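As an added example (not code from any poster in this thread), a small Python triage helper that parses the SuSE-FW log line quoted above together with the FW_DEV_* and FW_SERVICES_* values given in the thread and reports what the log encodes: which configured zone the packet entered on, whether its destination port is in that zone's service list, and which zone's interface owns the destination address. The interface-to-address mapping and the service-name-to-port table are assumptions taken from the poster's example and /etc/services.

```python
import re

# Log line and FW_* values as quoted in the thread (CONFIG trimmed to the
# variables the triage uses). IFACE_ADDR is an assumption taken from the
# poster's description of eth1 (external) and eth0 (internal).
LOG_LINE = ("SuSE-FW-UNALLOWED-TARGETIN=eth0 OUT= MAC=00:80:ad:09:0b:38:00:48:54:62:d9:ed:08:00 "
            "SRC=172.16.0.3 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=26274 DF PROTO=TCP "
            "SPT=1908 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)")
CONFIG = '''
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="ssh smtp pop3 domain www"
FW_SERVICES_INT_TCP="ssh ftp smtp domain www telnet pop3 137 138 139 901 3128"
'''
IFACE_ADDR = {"eth1": "1.2.3.4", "eth0": "172.16.0.1"}
# Well-known names used in the service lists, as in /etc/services.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53, "www": 80, "pop3": 110}

def parse_log(line):
    """Return (prefix tag, {key: value}) for a SuSE-FW netfilter log line.
    The quoted log runs the prefix straight into IN=, so split there."""
    tag, _, rest = line.partition("IN=")
    fields = {}
    for tok in ("IN=" + rest).split():   # flags such as DF/SYN carry no '=' and are skipped
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val
    return tag.strip(), fields

def parse_config(text):
    """Parse FW_NAME="a b c" lines into {name: [a, b, c]}."""
    return {m.group(1): m.group(2).split()
            for m in re.finditer(r'^(FW_\w+)="([^"]*)"', text, re.M)}

def service_ports(names):
    """Map service names or numeric ports from an FW_SERVICES_* list to port numbers."""
    return {int(n) if n.isdigit() else SERVICE_PORTS[n] for n in names}

def triage(line, cfg, iface_addr):
    """Report the log line against the zone config: entry zone, whether the
    destination port is in that zone's list, and which zone owns the DST address."""
    tag, f = parse_log(line)
    dev_zone = {dev: zone for zone in ("EXT", "INT", "DMZ") for dev in cfg.get(f"FW_DEV_{zone}", [])}
    in_zone = dev_zone.get(f.get("IN"), "unknown")
    dport = int(f["DPT"])
    allowed = service_ports(cfg.get(f"FW_SERVICES_{in_zone}_{f['PROTO']}", []))
    owner = next((dev for dev, addr in iface_addr.items() if addr == f.get("DST")), None)
    return {"tag": tag, "in_zone": in_zone, "dport": dport,
            "dport_in_zone_services": dport in allowed,
            "dst_owner_zone": dev_zone.get(owner, "not a firewall address")}

if __name__ == "__main__":
    for k, v in triage(LOG_LINE, parse_config(CONFIG), IFACE_ADDR).items():
        print(f"{k}: {v}")
```

For the quoted line it reports entry via the INT zone, port 110 present in FW_SERVICES_INT_TCP, and a destination address owned by the EXT interface, which is exactly the combination the poster describes.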
On Friday 15 June 2001 00:09, linux wrote:
> Hi,
>
> I'm using SuSEfirewall2 1.0 in a SuSE 7.1 kernel 2.4.2, the machine is the firewall for a private lan using masquerading to reach the internet.
>
> The problem is: internal machines can't connect to ports on the external address of the firewall. If I try these ports from outside, it works ok.
>
> Example: firewall
>   eth1 - external ip 1.2.3.4
>   eth0 - internal ip 172.16.0.1
>
> If I try to get mail from 172.16.0.3 this is the log in /var/log/firewall:
>
>   SuSE-FW-UNALLOWED-TARGETIN=eth0 OUT= MAC=00:80:ad:09:0b:38:00:48:54:62:d9:ed:08:00 SRC=172.16.0.3 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=26274 DF PROTO=TCP SPT=1908 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>
> /etc/rc.config.d/firewall2.rc.config has this line:
>
>   FW_SERVICES_EXT_TCP="ssh smtp pop3 domain www"

Do you have FW_SERVICES_INT_TCP set as well? This variable defines which services should be available on the firewall machine for hosts on the internal network.

> The masquerading works to any other host without a charm, except for the external ip of the firewall. Previously we were using SuSefirewall on a SuSE 6.4 and this thing worked. There are laptop users that try to get mail from inside or outside and this problem is very annoying.
>
> Is SuSEfirewall2 doing this on purpose?
>
> Thanks,
> --

Regards
Anders
> Do you have FW_SERVICES_INT_TCP set as well?

Yes I do. This is my firewall2.rc.config file:

2.)
FW_DEV_EXT="eth1"

3.)
FW_DEV_INT="eth0"

4.)
FW_DEV_DMZ=""

5.)
FW_ROUTE="yes"

6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="172.16.0.0/16"

7.)
FW_PROTECT_FROM_INTERNAL="yes"

8.)
FW_AUTOPROTECT_SERVICES="yes"

9.)
FW_SERVICES_EXT_TCP="http-alt ssh smtp pop3 domain ftp www"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh ftp smtp domain www telnet pop3 137 138 139 901 3128"
FW_SERVICES_INT_UDP="domain 137 138 139"
FW_SERVICES_INT_IP=""

10.)
FW_TRUSTED_NETS=""

11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SAMBA="no"

13.)
FW_FORWARD=""

14.)
FW_FORWARD_MASQ="0/0,172.16.0.3,tcp,8080,80"

15.)
FW_REDIRECT="172.16.0.0/16,0/0,tcp,80,3128"

16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"

17.)
FW_KERNEL_SECURITY="yes"

18.)
FW_STOP_KEEP_ROUTING_STATE="no"

19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

20.)
FW_ALLOW_FW_TRACEROUTE="yes"

21.)
FW_ALLOW_FW_SOURCEQUENCH="yes"

22.)
FW_ALLOW_FW_BROADCAST="no"

23.)
FW_ALLOW_CLASS_ROUTING="no"

Best Regards
Alberto
...labp
Try setting the MASQ section from your 172* address to /24 and see if that has any impact.

As for the external interface on which to masquerade, I usually specify the exact device (eg eth0 or eth1). Not that it seems to be making much difference in your case.

Matt
--
"The only thing complex about Linux are the users themselves."
participants (3)
- Anders Johansson
- linux
- StarTux