[opensuse-security] FW_MASQUERADE default behavior?
Hi,

I'm trying to enable masquerading on a server to allow some internal hosts to access the internet. From reading the included EXAMPLES file and the documentation of SuSEfirewall2 I have set up the following variables:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"

But just setting FW_MASQUERADE="yes" will open up access to the internet to all of the internal network. From what I have read, this shouldn't be the correct behavior, because then FW_MASQ_NETS wouldn't make much sense. For now, to be able to block access to the internet for the entire network I have to do it like this:

FW_MASQ_NETS="!0/0 192.168.10.0/24"

Then it works: access to all subnets is disallowed, and then I allow the subnet I want. AFAIK this shouldn't be necessary; access to the internet shouldn't be allowed by default. Am I missing something? This is on openSUSE 12.1.

Cheers,
-- JLB

-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
I sent this email like a ago and didn't get a response; resending it, as now I see some activity on the list and this is still happening on OpenSUSE 12.3:

On Tue, Mar 19, 2013 at 11:09 PM, Juan Luis Baptiste <juan.baptiste@gmail.com> wrote:
Hi,
I'm trying to enable masquerading on a server to allow some internal hosts to access the internet. From reading the included EXAMPLES file and the documentation of SuSEfirewall2 I have set up the following variables:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
But just setting FW_MASQUERADE="yes" will open up access to the internet to all of the internal network. From what I have read, this shouldn't be the correct behavior, because then FW_MASQ_NETS wouldn't make much sense. For now, to be able to block access to the internet for the entire network I have to do it like this:
FW_MASQ_NETS="!0/0 192.168.10.0/24"
Then it works: access to all subnets is disallowed, and then I allow the subnet I want. AFAIK this shouldn't be necessary; access to the internet shouldn't be allowed by default. Am I missing something? This is on openSUSE 12.1.

Cheers,
-- JLB
Are you sure? Just tested it on my box:

FW_MASQUERADE="yes" FW_MASQ_NETS="0/0" --> masquerading for all internal machines
FW_MASQUERADE="yes" FW_MASQ_NETS="" --> no masquerading
FW_MASQUERADE="yes" FW_MASQ_NETS="172.17.7.9/32" --> masquerading for that particular machine only

Did you restart the firewall when testing?

Markus

Juan Luis Baptiste wrote:
I sent this email like a ago and didn't get a response; resending it, as now I see some activity on the list and this is still happening on OpenSUSE 12.3:
On Tue, Mar 19, 2013 at 11:09 PM, Juan Luis Baptiste <juan.baptiste@gmail.com> wrote:
Hi,
I'm trying to enable masquerading on a server to allow some internal hosts to access the internet. From reading the included EXAMPLES file and the documentation of SuSEfirewall2 I have set up the following variables:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
But just setting FW_MASQUERADE="yes" will open up access to the internet to all of the internal network. From what I have read, this shouldn't be the correct behavior, because then FW_MASQ_NETS wouldn't make much sense. For now, to be able to block access to the internet for the entire network I have to do it like this:
FW_MASQ_NETS="!0/0 192.168.10.0/24"
Then it works: access to all subnets is disallowed, and then I allow the subnet I want. AFAIK this shouldn't be necessary; access to the internet shouldn't be allowed by default. Am I missing something? This is on openSUSE 12.1.

Cheers,
-- JLB
--
Markus Abt
Comet Computer GmbH
Rückertstraße 5
80336 München
GERMANY
Fon +49 89 46224611
Fax +49 89 46224612
mailto:abt@comet.de
http://www.comet.de
VAT: DE128219532
HRB: 81386 München
Managing directors: Markus Granlund, Johan Ekener, Peter Bornschein, Uwe Heldmann
Comet is proud to be a Semcon company http://www.semcon.com/de
The professionals for technical documentation: Online - Print - Multimedia
On Tue, Apr 23, 2013 at 12:44 PM, Markus Abt <abt@comet.de> wrote:
Are you sure?
Yes, and I have tested it countless times in several 12.1 and 12.3 JeOS default installations (created with susestudio) by only configuring:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS=""

and I will have open access to the internet, which, as I understand the documentation, shouldn't be the case. Only by adding:

FW_MASQ_NETS="!0/0"

is internet access blocked.

-- JLB
On Tue, Apr 23, 2013 at 5:54 PM, Juan Luis Baptiste <juan.baptiste@gmail.com> wrote:
On Tue, Apr 23, 2013 at 12:44 PM, Markus Abt <abt@comet.de> wrote:
Are you sure?
Yes, and I have tested it countless times in several 12.1 and 12.3 JeOS default installations (created with susestudio) by only configuring:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS=""

and I will have open access to the internet, which, as I understand the documentation, shouldn't be the case. Only by adding:

FW_MASQ_NETS="!0/0"

is internet access blocked.
Just checked for about the 10th time: I created a new vanilla 12.3 JeOS appliance to rule out that I had made any change to SuSEfirewall2 that could be making it behave like this. The only packages installed after first run were susefirewall2, yast2 and yast2-network, to configure the second network card. Then I built OVF images, downloaded them, ran them on VirtualBox, and the behavior is exactly the same. If I set:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="" (by default now it comes with 0/0)

internet will be enabled for any machine on the internal network. Here you can see my current config; as said before, it's the default one from 12.3 with only those variables set: http://pastebin.com/YxxAH7HZ

-- JLB
On Wed, Apr 24, 2013 at 12:24:10AM -0500, Juan Luis Baptiste wrote:
On Tue, Apr 23, 2013 at 5:54 PM, Juan Luis Baptiste <juan.baptiste@gmail.com> wrote:
On Tue, Apr 23, 2013 at 12:44 PM, Markus Abt <abt@comet.de> wrote:
Are you sure?
Yes, and I have tested it countless times in several 12.1 and 12.3 JeOS default installations (created with susestudio) by only configuring:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS=""

and I will have open access to the internet, which, as I understand the documentation, shouldn't be the case. Only by adding:

FW_MASQ_NETS="!0/0"

is internet access blocked.

Just checked for about the 10th time: I created a new vanilla 12.3 JeOS appliance to rule out that I had made any change to SuSEfirewall2 that could be making it behave like this. The only packages installed after first run were susefirewall2, yast2 and yast2-network, to configure the second network card. Then I built OVF images, downloaded them, ran them on VirtualBox, and the behavior is exactly the same. If I set:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="" (by default now it comes with 0/0)

internet will be enabled for any machine on the internal network. Here you can see my current config; as said before, it's the default one from 12.3 with only those variables set:
Can you run SuSEfirewall2 status after setting it up?

Ciao, Marcus
On Wed, Apr 24, 2013 at 12:44 AM, Marcus Meissner <meissner@suse.de> wrote:
Can you run SuSEfirewall2 status after setting it up?
Here it is: http://pastebin.com/hVesGKbU

And I forgot to answer something I was asked before: yes, I restart SuSEfirewall2 each time after I modify the configuration file (SuSEfirewall2 stop; SuSEfirewall2 start).

Cheers,
-- JLB
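The check Marcus asks for amounts to reading back the NAT rules the firewall actually loaded, rather than trusting what FW_MASQ_NETS says. Added example, not from the thread and not SuSEfirewall2's own code: a POSIX shell audit of the `iptables -t nat -S POSTROUTING` output that lists which source networks are masqueraded out of the external interface and flags a catch-all rule (the one that would produce the symptom JLB describes); the rule dump embedded here is constructed, and the interface name `eth0` follows the thread's FW_DEV_EXT.

```shell
#!/bin/sh
# Added example: audit which sources the kernel will really masquerade by
# parsing the nat POSTROUTING chain, independent of the SuSEfirewall2 config.

# Constructed sample of "iptables -t nat -S POSTROUTING" on a box showing
# the behaviour from the thread: one scoped rule plus a catch-all rule.
SAMPLE_RULES='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE'

# masq_sources RULES EXT_IF: print one source network per MASQUERADE rule
# that applies to EXT_IF. A rule with no -s matches every source and is
# reported as 0.0.0.0/0; a rule with no -o applies to every interface.
masq_sources() {
    printf '%s\n' "$1" | awk -v ext="$2" '
        /-j MASQUERADE/ {
            src = "0.0.0.0/0"; out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-o") out = $(i + 1)
            }
            if (out == "" || out == ext) print src
        }'
}

# masq_is_open RULES EXT_IF: succeed if a catch-all MASQUERADE rule exists,
# i.e. every internal host can reach the Internet through EXT_IF.
masq_is_open() {
    masq_sources "$1" "$2" | grep -qxF '0.0.0.0/0'
}

# audit_masq RULES EXT_IF: human-readable report; non-zero exit when open.
audit_masq() {
    echo "Masqueraded sources via $2:"
    masq_sources "$1" "$2" | sed 's/^/  /'
    if masq_is_open "$1" "$2"; then
        echo "WARNING: catch-all MASQUERADE rule present on $2"
        return 1
    fi
    return 0
}

# On a live system replace SAMPLE_RULES with: iptables -t nat -S POSTROUTING
# The constructed sample is expected to trip the warning.
audit_masq "$SAMPLE_RULES" eth0 || true
```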
Participants (3): Juan Luis Baptiste, Marcus Meissner, Markus Abt