SuSEfirewall2: FW_SERVICES_INT_* settings not working
Hello, I posted this earlier to SLE but have had no answers at this point... I have a SuSE 8.1 machine with all currently available online updates applied that I am trying to remote-administer. It is on a DSL connection and I am trying to work on its firewall settings. It's obviously important that in configuring its firewall, I don't lock myself out... 8^)

I have read through the following files a couple of times and as I configured each option. However, I think I must have missed something...

/usr/share/doc/packages/SuSEfirewall2/EXAMPLES
/usr/share/doc/packages/SuSEfirewall2/FAQ
/usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE

I have a machine with two interfaces, eth0, eth1. eth0 is external, eth1 is masq (192.168.1.0/24). I want to be able to access some specific services running on the external interface from the internal, masqueraded network:

FW_SERVICES_INT_TCP="ssh smtp http ntp https imaps pop3s 8080"
FW_SERVICES_INT_UDP="ntp"

All names are listed in /etc/services on the firewall machine and I have a squid proxy server running on port 8080. After making the changes in /etc/sysconfig/SuSEfirewall2, I restarted the firewall with this command:

rcSuSEfirewall2 restart

I also tried 'rcSuSEfirewall2 stop' then 'rcSuSEfirewall2 start'. Despite listing services in FW_SERVICES_INT_(TCP|UDP)=, I am still getting denied when trying to access the services from the internal network. Anyone have any ideas?
Here is my full config:

# cat /etc/sysconfig/SuSEfirewall2 | egrep -v "^[[:space:]]*$|^#"
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="https imaps pop3s smtp ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh smtp http ntp https imaps pop3s 8080"
FW_SERVICES_INT_UDP="ntp"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"

Thanks.
-- 
Marc Christensen
http://www.mecworks.com
http://www.mecworks.com/~marc/resume
* Marc Christensen; <marc@mecworks.com> on 02 Feb, 2003 wrote:
I have a machine with two interfaces, eth0, eth1. eth0 is external, eth1 is masq (192.168.1.0/24). I want to be able to access some specific services running on the external interface from the internal, masqueraded network:
So you want to reach your external interface from your internal network. This is not possible without tweaking FW_CUSTOM to enable such access, as SuSEfirewall2 by default denies these requests.
Despite listing services in FW_SERVICES_INT_(TCP|UDP)=, I am still getting denied when trying to access the services from the internal network. Anyone have any ideas?
Can you reach those services from the internal interface by tying the address of the internal interface
FW_MASQ_NETS="0/0"
You probably want to have this representing your actual masquerading network, i.e. 192.168.1.0/24
-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Sunday 02 February 2003 23:52, Togan Muftuoglu wrote:
* Marc Christensen; <marc@mecworks.com> on 02 Feb, 2003 wrote:
I have a machine with two interfaces, eth0, eth1. eth0 is external, eth1 is masq (192.168.1.0/24). I want to be able to access some specific services running on the external interface from the internal, masqueraded network:
So you want to reach your external interface from your internal network. This is not possible without tweaking FW_CUSTOM to enable such access, as SuSEfirewall2 by default denies these requests.
Yes, this is what I want to do. From the EXAMPLE file item #9, it states (emphasis on the words 'on the firewall' not mine):

# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall)
XXX ...

From what I understand, services running on the firewall listed in the variables FW_SERVICES_INT_TCP, FW_SERVICES_INT_UDP and FW_SERVICES_INT_IP should be accessible from the internal network.
Despite listing services in FW_SERVICES_INT_(TCP|UDP)=, I am still getting denied when trying to access the services from the internal network. Anyone have any ideas?
Can you reach those services from the internal interface by tying the address of the internal interface
I imagine that you meant to say "typing" instead of "tying". Yes, all services are accessible via the 192.168.1.xxx IP address on the gateway. However, I want to be able to have my clients enter in FQDNs for the different services, i.e. for access to:

Service          FQDN
-------          ----
squid proxy      proxy.domainname.com:8080
ntp              ntp.domainname.com
gw               gw.domainname.com
DNS              ns.domainname.com
imap/pop/smtp    mail.domainname.com
etc.

These DNS entries are all valid and either CNAMEs or A records for the real-world server IP. Being able to put in FQDNs for these services is important because it allows new servers to be installed to take on the above functions transparently to the clients. If I have them enter IPs for the internal masqueraded network, they will have to reconfigure their TCP/IP setup if one of these changes.
FW_MASQ_NETS="0/0"
You probably want to have this representing your actual masquerading network, i.e. 192.168.1.0/24
Yea, but since there are no other nets, it doesn't really matter but I was thinking the same thing...
-- 
Marc Christensen
http://www.mecworks.com
http://www.mecworks.com/~marc/resume
* Marc Christensen; <marc@mecworks.com> on 03 Feb, 2003 wrote:
So you want to reach your external interface from your internal network. This is not possible without tweaking FW_CUSTOM to enable such access, as SuSEfirewall2 by default denies these requests.
Yes, this is what I want to do. From the EXAMPLE file item #9, it states (emphasis on the words 'on the firewall' not mine):
SuSEfirewall2 will drop requests coming to the external address which have private addresses; this is anti-spoofing. The only way you can change this is adding your rules in the custom script "fw_custom_before_antispoofing":

iptables -A INPUT -i internal_int -s internal_net/mask -d external_int -j ACCEPT

You can add port numbers also, so you will be limiting the behavior of this permission.
I imagine that you meant to say "typing" instead of "tying". Yes, all services
I only had one cup of coffee yet so it is normal that I mistype
are accessible via the 192.168.1.xxx IP address on the gateway. However, I want to be able to have my clients enter in FQDNs for the different services, i.e. for access to:

Service          FQDN
-------          ----
squid proxy      proxy.domainname.com:8080
ntp              ntp.domainname.com
gw               gw.domainname.com
DNS              ns.domainname.com
imap/pop/smtp    mail.domainname.com
etc.
These DNS entries are all valid and either CNAMEs or A records for the real-world server IP. Being able to put in FQDNs for these services is important because it allows new servers to be installed to take on the above functions transparently to the clients. If I have them enter IPs for the internal masqueraded network, they will have to reconfigure their TCP/IP setup if one of these changes.
Taking into consideration that I have had only one cup of coffee yet, why don't you set up a DNS for internal use only, so your clients can still reach them by FQDN internally?

PS: Please do not put me on CC, as I can get my copy from the mailing list.
-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Monday 03 February 2003 00:39, Togan Muftuoglu wrote:
* Marc Christensen; <marc@mecworks.com> on 03 Feb, 2003 wrote:
So you want to reach your external interface from your internal network. This is not possible without tweaking FW_CUSTOM to enable such access, as SuSEfirewall2 by default denies these requests.
Yes, this is what I want to do. From the EXAMPLE file item #9, it states (emphasis on the words 'on the firewall' not mine):
SuSEfirewall2 will drop requests coming to the external address which have private addresses; this is anti-spoofing. The only way you can change this is adding your rules in the custom script "fw_custom_before_antispoofing":
So, if I understand, a packet coming from a 192.168.1.xxx (non-routable IP address) to a real IP address will be dropped even if it is a trusted network? This is a pain...
iptables -A INPUT -i internal_int -s internal_net/mask -d external_int -j ACCEPT
You can add port numbers also, so you will be limiting the behavior of this permission.
Thanks...I'll look into this. [snip]
These DNS entries are all valid and either CNAMEs or A records for the real-world server IP. Being able to put in FQDNs for these services is important because it allows new servers to be installed to take on the above functions transparently to the clients. If I have them enter IPs for the internal masqueraded network, they will have to reconfigure their TCP/IP setup if one of these changes.
Taking into consideration that I have had only one cup of coffee yet, why don't you set up a DNS for internal use only, so your clients can still reach them by FQDN internally?
Yea, I thought of that as well. I just don't want to maintain two zone files, all duplicates, when I should only have to maintain one. If I can't get the above custom rule set to work, I'll probably end up doing this. Thanks.
-- 
Marc Christensen
http://www.mecworks.com
http://www.mecworks.com/~marc/resume
On Monday 03 February 2003 00:39, Togan Muftuoglu wrote:
SuSEfirewall2 will drop requests coming to the external address which have private addresses; this is anti-spoofing. The only way you can change this is adding your rules in the custom script "fw_custom_before_antispoofing":
iptables -A INPUT -i internal_int -s internal_net/mask -d external_int -j ACCEPT
You can add port numbers also, so you will be limiting the behavior of this permission.
I ended up adding the following lines to the "/etc/sysconfig/scripts/SuSEfirewall2-custom" file:

iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d real_server_ip \
    -p tcp -m multiport --dports \
    ssh,smtp,domain,http,ntp,https,imaps,pop3s,8080 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d real_server_ip \
    -p udp -m multiport --dports ntp,domain -j ACCEPT

I believe that this will allow only access to TCP ports ssh,smtp,domain,http,ntp,https,imaps,pop3s,8080 and UDP ports ntp,domain from the internal network, 192.168.1.0/24, to the external IP. Does this make sense to you?

Thanks a lot! Seems to be working fine!
-- 
Marc Christensen
http://www.mecworks.com
http://www.mecworks.com/~marc/resume
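A Python model of the rule ordering this thread works out (why the FW_SERVICES_INT_* entries alone do not help for the external address, and what the before-antispoofing hook rule changes), added here as an illustration; it is not code from the thread or from SuSEfirewall2, and the addresses, the port sets and the simplified anti-spoofing check are assumptions mirroring the posts:

```python
import ipaddress

# Constructed values mirroring the thread; 203.0.113.10 stands in for real_server_ip.
INTERNAL_IF = "eth1"
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_IP = ipaddress.ip_address("192.168.1.1")
EXTERNAL_IP = ipaddress.ip_address("203.0.113.10")
# ssh smtp domain http ntp https imaps pop3s 8080 / ntp domain, as port numbers
TCP_PORTS = {22, 25, 53, 80, 123, 443, 993, 995, 8080}
UDP_PORTS = {53, 123}

def packet(src, dst, proto, dport, iface=INTERNAL_IF):
    return {"in": iface, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto, "dport": dport}

def port_allowed(pkt):
    return pkt["dport"] in (TCP_PORTS if pkt["proto"] == "tcp" else UDP_PORTS)

def custom_before_antispoofing(pkt):
    """The hook rule from the thread: LAN -> external IP, listed ports only."""
    if (pkt["in"] == INTERNAL_IF and pkt["src"] in INTERNAL_NET
            and pkt["dst"] == EXTERNAL_IP and port_allowed(pkt)):
        return "ACCEPT"
    return None

def antispoofing(pkt):
    """Assumed simplification of the anti-spoofing check described in the
    thread: a packet for the external address with a private source is dropped."""
    if pkt["dst"] == EXTERNAL_IP and pkt["src"].is_private:
        return "DROP"
    return None

def services_int(pkt):
    """FW_SERVICES_INT_*: listed services, reached via the internal address."""
    if pkt["in"] == INTERNAL_IF and pkt["dst"] == INTERNAL_IP and port_allowed(pkt):
        return "ACCEPT"
    return None

def verdict(pkt, custom_hook=False):
    """First matching rule wins; an unmatched packet falls to the default DROP."""
    chain = [antispoofing, services_int]
    if custom_hook:
        chain.insert(0, custom_before_antispoofing)  # runs before anti-spoofing
    for rule in chain:
        result = rule(pkt)
        if result:
            return result
    return "DROP"
```

Without the hook, a LAN client reaching the external address is dropped even though the same port works against 192.168.1.1; with the hook only the listed ports pass, and a spoofed private source arriving on eth0 is still dropped.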
Hi !
I have a machine with two interfaces, eth0, eth1. eth0 is external, eth1 is masq (192.168.1.0/24). I want to be able to access some specific services running on the external interface from the internal, masqueraded network:
--> This is forbidden by the anti-spoofing rules of SuSEfirewall2. Have a look at the list's archive at http://lists.suse.com/. There was a thread about this yesterday with a solution.

HTH,
Armin