How to make SuSEfirewall2 accept packets passing bridge-interface
Hi!

I had set up a router as follows:
- eth1/ppp0 is the external interface to a DSL modem to the internet
- eth0 is an ethernet interface to the internal net/switch
=> everything was fine. SuSEfirewall2 set up the routing to and from the internet for the internal clients and provided some protection from the internet.

Now I added a wireless card to the router, also acting as a wireless access point:
- ath0 is the interface of the wireless card running in hostap mode
Then I built a bridge interface from eth0 and ath0 and gave it the former IP of eth0.
- br0 bridge made of ath0 and eth0

Routing from the wired and wireless clients to the internet works like a charm. What does not work is bridging from physical interface eth0 to ath0 so that I can reach my server attached to the LAN switch from my wireless notebook. I get logging entries like this:

SFW2-FWDint-DROP-DEFLT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0 SRC=192.168.42.6 DST=192.168.42.2

Could anybody tell me what to write into /etc/sysconfig/SuSEfirewall2 or in /etc/sysconfig/scripts/SuSEfirewall2-custom to accept packets crossing my bridge?

The bridge was set up like this:

brctl addbr br0
brctl addif br0 ath0
brctl addif br0 eth0
ifconfig ath0 0.0.0.0
ifconfig eth0 0.0.0.0
ifconfig br0 192.168.42.5

Thanks in advance for any tips.

--
Eat, sleep and go running, David Hücking.
Encrypted eMail welcome! GnuPG/PGP-Key: 0x57809216.
Fingerprint: 3DF2 CBE0 DFAA 4164 02C2 4E2A E005 8DF7 5780 9216
David Huecking wrote:
Now I added a wireless card to the router, also acting as a wireless access point:
- ath0 is the interface of the wireless card running in hostap mode
Then I built a bridge interface from eth0 and ath0 and gave it the former IP of eth0.
- br0 bridge made of ath0 and eth0
Routing from the wired and wireless clients to the internet works like a charm. What does not work is bridging from physical interface eth0 to ath0 so that I can reach my server attached to the LAN switch from my wireless notebook. I get logging entries like this:
SFW2-FWDint-DROP-DEFLT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0 SRC=192.168.42.6 DST=192.168.42.2
Could anybody tell me what to write into /etc/sysconfig/SuSEfirewall2 or in /etc/sysconfig/scripts/SuSEfirewall2-custom to accept packets crossing my bridge?
I don't have such a setup myself so I can't help you here. I wouldn't use bridging with the LAN though. With newer SuSEfirewall2 you can define a new zone for the WLAN and then use normal routing for WLAN-Inet and WLAN-LAN. You can also abuse the DMZ rules for that purpose if you don't have a real DMZ.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
I think the routing is set up, and with the option FW_STOP_KEEP_ROUTING_STATE="yes" for keeping the routing up when SuSEfirewall2 is unloaded I think I can access the server in the LAN. I thought of using bridging because it's more transparent.

What variables would I have to fiddle around with in /etc/sysconfig/SuSEfirewall2 when using another zone with "FW_ZONES"?

On Monday 21 November 2005 10:51, Ludwig Nussel wrote:
David Huecking wrote:
Now I added a wireless card to the router, also acting as a wireless access point:
- ath0 is the interface of the wireless card running in hostap mode
Then I built a bridge interface from eth0 and ath0 and gave it the former IP of eth0.
- br0 bridge made of ath0 and eth0
Routing from the wired and wireless clients to the internet works like a charm. What does not work is bridging from physical interface eth0 to ath0 so that I can reach my server attached to the LAN switch from my wireless notebook. I get logging entries like this:
SFW2-FWDint-DROP-DEFLT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0 SRC=192.168.42.6 DST=192.168.42.2
Could anybody tell me what to write into /etc/sysconfig/SuSEfirewall2 or in /etc/sysconfig/scripts/SuSEfirewall2-custom to accept packets crossing my bridge?
I don't have such a setup myself so I can't help you here. I wouldn't use bridging with the LAN though. With newer SuSEfirewall2 you can define a new zone for the WLAN and then use normal routing for WLAN-Inet and WLAN-LAN. You can also abuse the DMZ rules for that purpose if you don't have a real DMZ.
David Huecking wrote:
What variables would I have to fiddle around with in /etc/sysconfig/SuSEfirewall2 when using another zone with "FW_ZONES"?
e.g.

FW_ZONES="wlan"
FW_DEV_wlan="wlan0"
FW_SERVICES_wlan_TCP="ssh"

cu
Ludwig
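A fuller /etc/sysconfig/SuSEfirewall2 fragment for the zone approach Ludwig sketches, as an added example that is not from the thread or from the SuSEfirewall2 package: the access-point card gets its own zone and its own subnet, and WLAN-Inet and WLAN-LAN traffic is routed through the firewall instead of bridged around it. The interface names follow David's setup; the 192.168.43.0/24 WLAN subnet, the LAN server address 192.168.42.2 (the DST in his log line) and TCP port 445 are assumptions, and the FW_FORWARD and FW_MASQ_NETS formats are the ones documented in the template comments of SuSEfirewall2 releases of that era, so check them against the comments in your own copy of the file.

```sh
# /etc/sysconfig/SuSEfirewall2 (excerpt) -- added example, not Ludwig's
# or David's configuration. Interface names, the 192.168.43.0/24 WLAN
# subnet, the server address and port 445 are assumptions; adjust them.

# Internet-facing interface (the PPP link over the DSL modem) and wired LAN.
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0"

# A separate zone for the access-point card. ath0 keeps its own subnet
# (assumed 192.168.43.0/24) instead of being bridged into the LAN, so the
# firewall sees WLAN->LAN traffic as routed traffic and can filter it.
FW_ZONES="wlan"
FW_DEV_wlan="ath0"

# Services the router itself offers to WLAN clients: only ssh here.
# Anything else from the WLAN to the router is dropped.
FW_SERVICES_wlan_TCP="ssh"

# Enable forwarding and masquerade both private networks towards ppp0.
# FW_MASQ_NETS also opens the forward path for these networks to the
# internet, so WLAN-Inet works without further rules.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.42.0/24 192.168.43.0/24"

# WLAN-LAN: allow the WLAN subnet to reach the LAN server only, and only
# on the ports it needs. Template format per entry:
#   source,destination[,protocol[,destination port]]
# Nothing else crosses from the wlan zone into the LAN.
FW_FORWARD="192.168.43.0/24,192.168.42.2,tcp,22 192.168.43.0/24,192.168.42.2,tcp,445"

# Keep logging the drops, so a wrong rule shows up as an SFW2-...-DROP line
# like the one in the original post instead of failing silently.
FW_LOG_DROP_CRIT="yes"
```

After `rcSuSEfirewall2 restart`, `iptables -L FORWARD -n -v` should show accept rules for the two 192.168.43.0/24 -> 192.168.42.2 entries and a masquerade path for both subnets; the WLAN clients need addresses from 192.168.43.0/24 (their own DHCP scope or static addresses), since with this layout they are no longer on the LAN's broadcast domain.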
I changed the setup a bit and now use an external access point attached to another ethernet interface (eth2) instead of an internal wireless card (ath0), and solved the problem like this:

Build the bridge using eth0 and eth2 and give it the former IP address of eth0. In /etc/sysconfig/SuSEfirewall2:

FW_DEV_INT="br0"
FW_ALLOW_CLASS_ROUTING="yes"

This works for me. _BUT_ this does not provide any security from SuSEfirewall2 in any way. It just makes the WLAN hosts appear like normal wired hosts in the LAN. Both types have the same IP range. The only advantage compared to attaching an access point directly to your ethernet switch is that you can lock out the wireless clients without unplugging a cable, by deleting the bridge device. So any security comes (and goes) with the authorized access to the access point, just like physical security of the ethernet plugs.

The advantage is that I just set up both interfaces of my notebook, ethernet and WLAN, with the _same_ IP address and switched them to "hotplug" mode. I only use one interface at a time, and so it's always accessible under the same IP address.

The only question now is: in which start/init script should I put the commands to build the bridge device in case of a reboot, when I don't want to build the bridge manually? It has to happen after the physical network interfaces...
Hello,

On Sunday, 27 November 2005 01:30, David Huecking wrote:
[...]
The only question now is: In which start/ init-script should I put the commands to build the bridge-device in case of a reboot and when I don't want to build the bridge manually. It has to happen after the physical network-interfaces...
Write your own small initscript (based on /etc/init.d/skeleton) and enter "network" in Required-Start. Then insserv yourscript

Regards,
Christian Boltz
--
I'll gladly believe you that it's the best SuSE, and for all I care the best Linux distro too, but I can't sign off on "the best Susi"... There are features SuSE AG will never fit into a Linux distro ;-)
[Manfred Tremmel in suse-linux]
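The init script Christian describes, as an added example that is not from the thread and not SUSE's own /etc/init.d/skeleton: an LSB "INIT INFO" header with the network facility in Required-Start, plus start/stop functions that issue the brctl and ifconfig commands from David's posts. The bridge name, its ports (eth0 and eth2, David's second layout) and the address 192.168.42.5/255.255.255.0 are assumptions taken from his messages; the DRYRUN switch is added here so the script can be exercised without root and without a bridge-utils install. The SuSEfirewall2 side stays as David has it (FW_DEV_INT="br0", FW_ALLOW_CLASS_ROUTING="yes"); iptables rules that name br0 do not need the device to exist when the firewall loads, so the start order relative to SuSEfirewall2_setup does not matter.

```sh
#!/bin/sh
# /etc/init.d/bridge-wlan -- added example init script, not from the thread.
# Bridge name, ports and address are assumptions from David's setup; adjust.
#
### BEGIN INIT INFO
# Provides:          bridge-wlan
# Required-Start:    $network
# Required-Stop:     $network
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Description:       Bridge the wired LAN (eth0) and the access point (eth2)
### END INIT INFO
#
# Install with:  insserv /etc/init.d/bridge-wlan
# Do not place rc*.d symlinks by hand; the next insserv run re-sorts them.

BRIDGE="${BRIDGE:-br0}"
PORTS="${PORTS:-eth0 eth2}"
ADDR="${ADDR:-192.168.42.5}"
NETMASK="${NETMASK:-255.255.255.0}"

# Every command goes through run(), so DRYRUN=1 prints the commands instead
# of executing them and a failing step is reported with the command it ran.
run() {
    if [ -n "${DRYRUN:-}" ]; then
        echo "$*"
    else
        "$@" || { echo "bridge-wlan: failed: $*" >&2; return 1; }
    fi
}

bridge_up() {
    run brctl addbr "$BRIDGE" || return 1
    for port in $PORTS; do
        # A bridge port carries no address of its own; the bridge gets the IP.
        run ifconfig "$port" 0.0.0.0 up || return 1
        run brctl addif "$BRIDGE" "$port" || return 1
    done
    run ifconfig "$BRIDGE" "$ADDR" netmask "$NETMASK" up || return 1
}

bridge_down() {
    # Deleting the bridge is the "lock out the WLAN" switch David mentions:
    # once it is gone, frames arriving on eth2 no longer reach eth0.
    run ifconfig "$BRIDGE" down || return 1
    for port in $PORTS; do
        run brctl delif "$BRIDGE" "$port" || return 1
    done
    run brctl delbr "$BRIDGE" || return 1
}

bridge_status() {
    # A 2.6 kernel exposes every bridge under /sys/class/net/<name>/bridge.
    [ -d "/sys/class/net/$BRIDGE/bridge" ]
}

# Dispatch only when an action was given; with no arguments the file just
# defines the functions above, which lets it be sourced and tested.
if [ $# -gt 0 ]; then
    case "$1" in
        start)   bridge_up ;;
        stop)    bridge_down ;;
        restart) bridge_down; bridge_up ;;
        status)  if bridge_status; then echo "$BRIDGE is up"; else echo "$BRIDGE is down"; exit 3; fi ;;
        *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
    esac
fi
```

`DRYRUN=1 /etc/init.d/bridge-wlan start` prints the six commands in the order they would run; `rcbridge-wlan stop` is then the one-command way to cut the wireless side off the LAN that David describes, and `rcbridge-wlan status` reports whether the bridge currently exists.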
Christian Boltz wrote:
Hello,
On Sunday, 27 November 2005 01:30, David Huecking wrote:
[...]
The only question now is: In which start/ init-script should I put the commands to build the bridge-device in case of a reboot and when I don't want to build the bridge manually. It has to happen after the physical network-interfaces...
Write your own small initscript (based on /etc/init.d/skeleton) and enter "network" in Required-Start. Then insserv yourscript
Regards,
Christian Boltz
Another solution is to put a call to your script into /etc/init.d/boot.localnet (behind the marker "start"). In this case, after any updates to that script you will have to rewrite the script again. This action has the advantage that you get your process started in the right place. So I did with my wireless USB NIC because ndiswrapper wasn't starting as it should.

There is some kind of non-standard handling of init scripts in SuSE which makes problems with your own init scripts, e.g. with flexlm, so some stuff must be started in SuSE's scripts to be run in the right place on boot. There is a requirement section in the init script telling when to start and what is required, but this doesn't work at all. I always had to make a symlink in /etc/init.d/rc* by hand to start script x exactly when I want it to start.

HTH!
Philippe

--
This message is digitally signed and contains neither seal nor signature!
Sending unsolicited advertising e-mail to private individuals violates §1 UWG and §823 I BGB (ruling of the LG Berlin of 2 August 1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, and any passing of it on to third parties, is expressly prohibited!
Hello,

On Sunday, 27 November 2005 16:06, Philippe Vogel wrote:
Christian Boltz wrote:
On Sunday, 27 November 2005 01:30, David Huecking wrote:
[...]
The only question now is: In which start/ init-script should I put the commands to build the bridge-device in case of a reboot and when I don't want to build the bridge manually. It has to happen after the physical network-interfaces...
Write your own small initscript (based on /etc/init.d/skeleton) and enter "network" in Required-Start. Then insserv yourscript
Another solution is to put a call to your script into /etc/init.d/boot.localnet (behind marker "start"). In this case after any updates to that script you will have to rewrite the script again.
This makes this "solution" unreasonable.
This action has the advantage that you get your process started in the right place. [...] There is some kind of non standard handling of init-scripts in SuSE which makes problems with
Huh? I don't know what should be non-standard in the init scripts. Can you please explain?
your own init-scripts e.g. with flexlm so some stuff must be started in SuSE's scripts to be run in the right place on boot. There is a requirement section in the init-script telling when to start and what is required but this doesn't work at all.
For me, it always worked. Please show the "INIT INFO" section of your initscript - I guess there's something wrong with it.
I always had to make a symlink in /etc/init.d/rc* by hand to start script x exactly when I want it to start.
This will break at the next insserv run (which will re-sort the symlinks) so it is also unreasonable.
This message is digitally signed and contains neither seal nor signature!
GPG told me that your signature was broken :-(

Regards,
Christian Boltz
--
man procmailex
Procmailex, is that something like Ant-Ex or Fly-Ex? Then I'd like a large family pack, please.
[Thorsten Haude in suse-linux]
The Sunday 2005-11-27 at 16:06 +0100, Philippe Vogel wrote:
There is some kind of non standard handling of init-scripts in SuSE which makes problems with your own init-scripts e.g. with flexlm so some stuff must be started in SuSE's scripts to be run in the right place on boot. There is a requirement section in the init-script telling when to start and what is required but this doesn't work at all. I always had to make a symlink in /etc/init.d/rc* by hand to start script x exactly when I want it to start.
Then there is something wrong with your procedure, because the SuSE way has always worked for me. I never tamper with the symlinks, as they can be erased by YaST.

--
Cheers,
Carlos Robinson
On Mon, 28 Nov 2005, Carlos E. R. wrote:
The Sunday 2005-11-27 at 16:06 +0100, Philippe Vogel wrote:
There is some kind of non standard handling of init-scripts in SuSE which makes problems with your own init-scripts e.g. with flexlm so some stuff must be started in SuSE's scripts to be run in the right place on boot. There is a requirement section in the init-script telling when to start and what is required but this doesn't work at all. I always had to make a symlink in /etc/init.d/rc* by hand to start script x exactly when I want it to start.
Then there is something wrong with your procedure, because the SuSE way has always worked for me. I never tamper with the symlinks, as they can be erased by Yast.
I was about to say something similar. Assuming you've got the init comments syntax correct, Philippe: you do run insserv on the services you want to have run at boot after putting the init script in?

Bjørn
--
Bjørn Tore Sund          Phone:  (+47) 555-84894    Stupidity is like a
System administrator     Fax:    (+47) 555-89672    fractal; universal and
Math. Department         Mobile: (+47) 918 68075    infinitely repetitive.
University of Bergen     VIP:    81724
Support: http://bs.uib.no   Contact: teknisk@mi.uib.no   Direct: bjornts@mi.uib.no