firewall2 ICMP MASQ?

Hello All

Same issue, different person - no resolution as yet.

Firewall2 - on SuSE 7.1, kernel 2.4.x

LAN is masqueraded.
DMZ is real IP
External IP is real IP

ISSUE: Masqueraded LAN is 192.168.x.x - it can ping the DMZ machines, and the firewall (with all ping settings set to "yes") - however it is unable to ping machines out in the real world. Surely since the local IPs are masqueraded - they go out with its IP address, and are routable?

The firewall is set to full logging - yet it says quite happily FW-ACCEPT-PING and passes it from LAN NIC to world facing NIC. ALLOW_PING is set to yes for FW, DMZ and EXT while I am testing.

Looking at the tcpdump from the external NIC I can see that it is trying to ping from the 192 address.

How on earth do I get it to masquerade the ping? If I restrict what services they have - then I cannot ping. If I masq with simply 192.168.0.0/24 it works.... and it will not allow me to do 192.168.0.0/24,icmp

*ARGH*

Can someone put me out of my misery?

-----Original Message-----
From: semat [mailto:semat@wawa.eahd.or.ug]
Sent: 17 July 2001 10:41
To: maillist
Cc: suse-security@suse.com
Subject: Re: [suse-security] Suse firewall script question

network. But no request gets an answer.

Are you using private address space or public space? If it is private then you have to turn on masquerading for the internal network. However if your network is using public IP addresses, then it is ok. However in both cases you should turn on IP forwarding if the two networks are on different interfaces on your machine. This can be done by editing /etc/rc.config and setting ip_forward=yes, or in the firewall, preferably both. Or you can do it manually whenever you need to with

    echo 1 > /proc/sys/net/ipv4/ip_forward

and turn it off with

    echo 0 > /proc/sys/net/ipv4/ip_forward

Noah.

__________________________________________________
Anthony Hogbin
www.zerosandones.co.uk
lynx -source http://www.zerosandones.co.uk/anthony.pgp | pgp -fka
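
A check for the symptom described in this thread, as an added example that is not part of the original messages: it scans `tcpdump -n` output captured on the external interface and reports packets that still carry an RFC 1918 source address towards a public destination, grouped by protocol. The capture lines, addresses and function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# `tcpdump -n` lines in both the old ("a > b: icmp: ...") and the
# newer ("IP a > b: ICMP ...") output style; ports are optional.
LINE = re.compile(
    r"^\S+ (?:IP )?(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > "
    r"(\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)$")

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def find_leaks(lines):
    """Return (proto, src, dst) for packets whose private source address
    was not rewritten before leaving towards a public destination."""
    leaks = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        src, sport, dst, _dport, rest = m.groups()
        try:
            leaked = is_private(src) and not is_private(dst)
        except ValueError:          # not a valid IPv4 address
            continue
        if leaked:
            if rest.lower().startswith("icmp"):
                proto = "icmp"
            else:
                proto = "tcp/udp" if sport else "other"
            leaks.append((proto, src, dst))
    return leaks

def leaks_by_protocol(lines):
    return Counter(proto for proto, _, _ in find_leaks(lines))

# Constructed sample: ICMP leaves with the LAN address, TCP is translated.
SAMPLE = """\
10:41:02.100001 IP 192.168.0.10 > 203.0.113.5: ICMP echo request, id 1, seq 1, length 64
10:41:02.200002 IP 198.51.100.2.40001 > 203.0.113.5.80: Flags [S], seq 1, win 5840, length 0
10:41:03.100004 192.168.0.10 > 203.0.113.5: icmp: echo request
""".splitlines()

if __name__ == "__main__":
    for proto, src, dst in find_leaks(SAMPLE):
        print(f"unmasqueraded {proto}: {src} -> {dst}")
```

An empty result on the external interface means every outbound packet seen was translated; a count under one protocol only points at a masquerading rule that does not cover that protocol.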