Problem forwarding port
Greetings,

I'm having a problem forwarding port 443 to a box on my masquerade network. Everything else works fine, but I can't get this port forwarded. It's stumping me! I've worked on tons of firewalls, but this one is kicking my butt. Any ideas?

Here is my firewall2.rc.config:

START_FW2="yes"
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_DEV_INT="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
FW_SERVICES_EXT_TCP="22 25 53"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_DMZ_TCP="22 53"
FW_SERVICES_DMZ_UDP="53 514"
FW_SERVICES_INT_TCP="22 53"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,443"
FW_ALLOW_PING_DMZ="yes"

Thanks a ton for any suggestions!!!!!

Brian
I'm having a problem forwarding port 443 to a box on my masquerade network.
FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,443"
Maybe it's UDP traffic that needs to be passed in addition? Try this...

FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,443 0/0,192.168.0.2,udp,443"

Argentium
No, it's definitely not that, and the UDP requests would have been visible on the tcpdump. SSL works completely over port 443. Thanks for the idea though!

Brian

----- Original Message -----
From: "Argentium G. Tiger" <agtiger@kc.rr.com>
To: <suse-security@suse.com>
Cc: "Brian Topping" <brian@ponoi.com>
Sent: Tuesday, March 12, 2002 11:16 AM
Subject: Re: [suse-security] Problem forwarding port
Hmm, still doesn't seem to work. tcpdump shows the packet coming in from the external interface and a tcp reply of some sort being generated, but there is no traffic on the masqueraded interface to contact the server that has the https server on it. I've done a complete "SuSEfirewall2 stop && SuSEfirewall2 start" to make sure there is no cruft. Thanks for the try, any other ideas? :-)

My latest config:

START_FW2="yes"
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_DEV_INT="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
FW_SERVICES_EXT_TCP="22 25 53 443"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_DMZ_TCP="22 53"
FW_SERVICES_DMZ_UDP="53 514"
FW_SERVICES_INT_TCP="22 53 443"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,443"
FW_ALLOW_PING_DMZ="yes"

Brian

----- Original Message -----
From: "Robert Klein" <RoKlein@roklein.de>
To: "Brian Topping" <brian@ponoi.com>; <suse-security@suse.com>
Sent: Tuesday, March 12, 2002 11:52 AM
Subject: Re: [suse-security] Problem forwarding port
Hi,
umm, you're doing masquerading on your ext iface, aren't you? For example the ip addr of eth0 is 80.80.80.80, while the ip addr of eth2 is 192.168.0.x. So, what is the address or network of eth1? Are eth1 and eth2 both in the 192.168.0.0/24 net?

Could you please elaborate on "a tcp reply of some sort being created"? If there's a reply, it has to come from 192.168.0.2 in the DMZ. It might help to know which network is on which iface.

Robert
----- Original Message -----
From: "Robert Klein" <RoKlein@roklein.de>
To: "Brian Topping" <brian@ponoi.com>; <suse-security@suse.com>
Sent: Tuesday, March 12, 2002 12:32 PM
Subject: Re: [suse-security] Problem forwarding port
eth1 is a DMZ net, actually it is 204.152.97.0/24
It looks like a TCP reject, but I believe that is a result of the firewall accepting 443 as a local service instead of forwarding it to the masquerade rules. When I set the rules back to FW_SERVICES_EXT_TCP="22 25 53", the packet comes in, is not rejected on the external interface, but is never forwarded to the DMZ or internal interfaces either.

Current rules are back to what I started with:

START_FW2="yes"
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_DEV_INT="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
FW_SERVICES_EXT_TCP="22 25 53"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_DMZ_TCP="22 53"
FW_SERVICES_DMZ_UDP="53 514"
FW_SERVICES_INT_TCP="22 53"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,443"
FW_ALLOW_PING_DMZ="yes"

Thanks all!!

Brian
Thanks all!!
Brian, if your DMZ is not masqueraded, then you need to be using the FW_FORWARD command instead of the FW_FORWARD_MASQ command. If your DMZ *is* masqueraded, then it should also be defined with your internal network in the FW_MASQ_NETS command.
Nope, DMZ is not masqueraded, but for several important reasons I can't put that server on the DMZ. I did realize that about the difference between FW_FORWARD and FW_FORWARD_MASQ though. Thanks!

Brian

----- Original Message -----
From: "Argentium G. Tiger" <agtiger@kc.rr.com>
To: <suse-security@suse.com>
Cc: "Brian Topping" <brian@ponoi.com>
Sent: Tuesday, March 12, 2002 12:07 PM
Subject: Re: [suse-security] Problem forwarding port
Brian Topping writes:

ok, let's summarize:

eth0 is ext iface
eth1 is dmz iface, network 204.152.97.0/24
eth2 is int iface, network 192.168.0.0/24

So, where's your https server? In your internal network? This might be the problem. I don't know in detail what rules SuSEFirewall2 creates, but I think it throws away packets forwarded to a "known service" port, i.e. packets to a port below 1023. To have your https server accessible from the outside you probably have to put it into the DMZ network. Instead of FW_FORWARD_MASQ use FW_FORWARD, then.

Robert
Robert writes:
But those allow port 443 into the firewall itself as opposed to port forwarded machines on the internal network. I know, I do a lot of port forwarding myself using SuSEfirewall2. :-) I don't have to define the services in those lines in order to get it to work. What's frustrating is that Brian's port forwarding looks as if it should work!

Wait a second.... Brian? Are there any other ports or _protocols_ (very important distinction) necessary to successfully negotiate connections on that port?

Argentium
Argentium G. Tiger writes:

Ah, yes. You're right. I forgot destination nat is done before input/forward. It's first destination nat, then you have a packet for 192.168.0.2, which gets into the FORWARD chain, while FW_SERVICES_* are for the INPUT chain only. Thanks for the reminder.

Robert
Greetings again!

So I am still trying to get this problem resolved. I'm new to SuSE, so I am at a loss at how I might resolve this. Is this something that people typically get covered on a support contract or is it something that they will fix for free as a part of a new installation? I'm asking because I don't want to be a pest on the list, but I definitely need to get it resolved and it seems like we've collectively run out of breath. :-)

Thanks for everything!

Brian

----- Original Message -----
From: "Brian Topping" <brian@ponoi.com>
To: <suse-security@suse.com>
Sent: Tuesday, March 12, 2002 10:27 AM
Subject: [suse-security] Problem forwarding port

Greetings,

I'm having a problem forwarding port 443 to a box on my masquerade network. Everything else works fine, but I can't get this port forwarded. It's stumping me! I've worked on tons of firewalls, but this one is kicking my butt. Any ideas?

Here is my firewall2.rc.config:

START_FW2="yes"
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_DEV_INT="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
FW_SERVICES_EXT_TCP="22 25 53"
FW_SERVICES_EXT_UDP="53"
FW_SERVICES_DMZ_TCP="22 53"
FW_SERVICES_DMZ_UDP="53 514"
FW_SERVICES_INT_TCP="22 53"
FW_SERVICES_INT_UDP="53"
FW_SERVICE_DNS="yes"
FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,443"
FW_ALLOW_PING_DMZ="yes"

Thanks a ton for any suggestions!!!!!

Brian
Hi Brian, another attempt ;)
> START_FW2="yes"

I believe this should be in /etc/rc.config, shouldn't it?
Please read this config script carefully before using it. Notice "FW_MASQ_DEV", in detail. For detailed explanations, see /usr/share/doc/packages/SuSEfirewall2/firewall2.rc.config (I left out some of the options).

Robert

# --- new firewall configuration script ---
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_DEV_INT="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT $FW_DEV_DMZ"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="no"   # play around once it works
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="22 25 53"
# You're running sshd, a mail server and a DNS server on the FW,
# that should be accessible from the outside
FW_SERVICES_EXT_UDP="53"
# You're running a DNS server on the FW, that should be
# accessible from the outside
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="22 53"     # sshd and DNS, accessible from the DMZ
FW_SERVICES_DMZ_UDP="53 514"    # DNS, syslog(514), accessible from the DMZ
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="22 53"     # sshd, DNS access to the internal network
FW_SERVICES_INT_UDP="53"        # DNS access to the internal network
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"     # Don't know what this does, in detail
FW_SERVICE_DNS="yes"
FW_FORWARD_MASQ="0/0,192.168.0.2,tcp,443"
FW_KERNEL_SECURITY="no"         # play around here, once it works
FW_ALLOW_PING_DMZ="yes"
# --- end of new firewall configuration script ---
Hi Robert,

Wow, that works like a champ! Thanks a million! I think it was the FW_MASQ_DEV, when I added that, it started working again.

START_FW2 needs to be in the script for running SuSEfirewall2 from the command line, otherwise it hoarks. Just easier to add it here.

best regards,

Brian

----- Original Message -----
From: "Robert Klein" <RoKlein@roklein.de>
To: "Brian Topping" <brian@ponoi.com>; <suse-security@suse.com>
Sent: Wednesday, March 13, 2002 2:53 AM
Subject: Re: [suse-security] Problem forwarding port
<snip/>
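Robert's point that DNAT in PREROUTING happens before the INPUT/FORWARD split (so FW_SERVICES_EXT_* never see a forwarded port), and the FW_MASQ_DEV setting that finally made Brian's config work, expressed as the netfilter rules they correspond to. This is an added illustration, not SuSEfirewall2's own code: the exact rules the tool generates, its rule ordering, and the optional fifth "port on the inside host" field are assumptions. The script only prints rules; nothing is applied.

```sh
#!/bin/sh
# Translate SuSEfirewall2 FW_FORWARD_MASQ / FW_MASQ_DEV settings into the
# iptables rules they stand for (assumed equivalents, printed, not applied).

# One FW_FORWARD_MASQ entry: "srcnet,dstip,proto,port[,dstport]".
# The fifth field (port on the inside host) is an assumed extension.
forward_masq_rules() {
    ext_dev=$1
    IFS=, read -r src dst proto port dport <<EOF
$2
EOF
    dport=${dport:-$port}
    # 1) nat/PREROUTING: destination is rewritten before the routing
    #    decision, so the packet is routed, not delivered locally. It
    #    therefore never enters INPUT, where FW_SERVICES_EXT_TCP applies.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext_dev" "$src" "$proto" "$port" "$dst" "$dport"
    # 2) filter/FORWARD: the rewritten packet must be accepted here.
    #    Adding 443 to FW_SERVICES_EXT_TCP only opens the firewall itself.
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$ext_dev" "$src" "$dst" "$proto" "$dport"
}

# FW_MASQ_DEV: one MASQUERADE rule per outgoing device, for each FW_MASQ_NETS
# entry. Without it the reply from 192.168.0.2 has no NAT rule to match.
masq_rules() {
    masq_nets=$1
    shift
    for dev in "$@"; do
        for net in $masq_nets; do
            printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j MASQUERADE\n' \
                "$net" "$dev"
        done
    done
}

# The values from Robert's working config in this thread.
thread_rules() {
    forward_masq_rules eth0 "0/0,192.168.0.2,tcp,443"
    masq_rules "192.168.0.0/24" eth0 eth1
}

thread_rules
```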
participants (3)
- Argentium G. Tiger
- Brian Topping
- Robert Klein