Hi,
I'm trying to enable masquerading on a server to allow some internal hosts to access the internet. From reading the included EXAMPLES file and the documentation of SuSEfirewall2 I have set up the following variables:

    FW_DEV_EXT="eth0"
    FW_DEV_INT="eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_NETS="192.168.10.0/24"

But just setting FW_MASQUERADE="yes" opens up access to the internet for all of the internal network. From what I have read, this shouldn't be the correct behavior, because then FW_MASQ_NETS wouldn't make much sense. For now, to be able to block access to the internet for the entire network I have to do it like this:

    FW_MASQ_NETS="!0/0 192.168.10.0/24"

Then it works: access for all subnets is disallowed, and then I allow the subnet I want. AFAIK this shouldn't be necessary; access to the internet shouldn't be allowed by default. Am I missing something? This is on openSUSE 12.1.
Cheers,
I sent this email a while ago and didn't get a response; I'm resending it now as I see some activity on the list, and this is still happening on openSUSE 12.3:

On Tue, Mar 19, 2013 at 11:09 PM, Juan Luis Baptiste juan.baptiste@gmail.com wrote:
> Hi,
>
> I'm trying to enable masquerading on a server to allow some internal hosts to access the internet. From reading the included EXAMPLES file and the documentation of SuSEfirewall2 I have set up the following variables:
>
>     FW_DEV_EXT="eth0"
>     FW_DEV_INT="eth1"
>     FW_ROUTE="yes"
>     FW_MASQUERADE="yes"
>     FW_MASQ_NETS="192.168.10.0/24"
>
> But just setting FW_MASQUERADE="yes" opens up access to the internet for all of the internal network. From what I have read, this shouldn't be the correct behavior, because then FW_MASQ_NETS wouldn't make much sense. For now, to be able to block access to the internet for the entire network I have to do it like this:
>
>     FW_MASQ_NETS="!0/0 192.168.10.0/24"
>
> Then it works: access for all subnets is disallowed, and then I allow the subnet I want. AFAIK this shouldn't be necessary; access to the internet shouldn't be allowed by default. Am I missing something? This is on openSUSE 12.1.
>
> Cheers,
> JLB

--
JLB
Are you sure?
Just tested it on my box:
    FW_MASQUERADE="yes" FW_MASQ_NETS="0/0"            --> masquerading for all internal machines
    FW_MASQUERADE="yes" FW_MASQ_NETS=""               --> no masquerading
    FW_MASQUERADE="yes" FW_MASQ_NETS="172.17.7.9/32"  --> masquerading for that particular machine only
Did you restart the firewall when testing?
Markus
Juan Luis Baptiste wrote:
> I sent this email a while ago and didn't get a response; I'm resending it now as I see some activity on the list, and this is still happening on openSUSE 12.3:
>
> On Tue, Mar 19, 2013 at 11:09 PM, Juan Luis Baptiste juan.baptiste@gmail.com wrote:
> > [...]
>
> --
> JLB
On Tue, Apr 23, 2013 at 12:44 PM, Markus Abt abt@comet.de wrote:
> Are you sure?

Yes, and I have tested it countless times in several 12.1 and 12.3 JeOS default installations (created with SUSE Studio) by only configuring:

    FW_DEV_EXT="eth0"
    FW_DEV_INT="eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_NETS=""

and I will have open access to the internet, which, as I understand the documentation, shouldn't be the case. Only by adding:

    FW_MASQ_NETS="!0/0"

is internet access blocked.
On Tue, Apr 23, 2013 at 5:54 PM, Juan Luis Baptiste juan.baptiste@gmail.com wrote:
> On Tue, Apr 23, 2013 at 12:44 PM, Markus Abt abt@comet.de wrote:
> > Are you sure?
>
> Yes, and I have tested it countless times in several 12.1 and 12.3 JeOS default installations (created with SUSE Studio) by only configuring:
>
>     FW_DEV_EXT="eth0"
>     FW_DEV_INT="eth1"
>     FW_ROUTE="yes"
>     FW_MASQUERADE="yes"
>     FW_MASQ_NETS=""
>
> and I will have open access to the internet, which, as I understand the documentation, shouldn't be the case. Only by adding:
>
>     FW_MASQ_NETS="!0/0"
>
> is internet access blocked.

Just checked for what must be the 10th time: I created a new vanilla 12.3 JeOS appliance to rule out that I had made any change to SuSEfirewall2 that could be making it behave like this. The only packages installed after first run were SuSEfirewall2, yast2 and yast2-network (to configure the second network card). Then I built OVF images, downloaded them, ran them on VirtualBox, and the behavior is exactly the same. If I set:

    FW_DEV_EXT="eth0"
    FW_DEV_INT="eth1"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_NETS=""          (by default now it comes with 0/0)

internet will be enabled for any machine on the internal network. Here you can see my current config; as said before, it's the default one from 12.3 with only those variables set:
On Wed, Apr 24, 2013 at 12:24:10AM -0500, Juan Luis Baptiste wrote:
> On Tue, Apr 23, 2013 at 5:54 PM, Juan Luis Baptiste juan.baptiste@gmail.com wrote:
> > [...]
>
> Just checked for what must be the 10th time: I created a new vanilla 12.3 JeOS appliance to rule out that I had made any change to SuSEfirewall2 that could be making it behave like this. The only packages installed after first run were SuSEfirewall2, yast2 and yast2-network (to configure the second network card). Then I built OVF images, downloaded them, ran them on VirtualBox, and the behavior is exactly the same. If I set:
>
>     FW_DEV_EXT="eth0"
>     FW_DEV_INT="eth1"
>     FW_ROUTE="yes"
>     FW_MASQUERADE="yes"
>     FW_MASQ_NETS=""          (by default now it comes with 0/0)
>
> internet will be enabled for any machine on the internal network. Here you can see my current config; as said before, it's the default one from 12.3 with only those variables set:

Can you run

    SuSEfirewall2 status

after setting it up?

Ciao, Marcus
On Wed, Apr 24, 2013 at 12:44 AM, Marcus Meissner meissner@suse.de wrote:
> Can you run
>
>     SuSEfirewall2 status
>
> after setting it up?

Here it is:

And I forgot to answer something I was asked before: yes, I restart SuSEfirewall2 each time after I modify the configuration file (SuSEfirewall2 stop; SuSEfirewall2 start).

Cheers,
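As an added example, not part of the thread and not SuSEfirewall2's own code: whatever FW_MASQ_NETS is taken to mean, SuSEfirewall2 ends up programming iptables, so the quickest way to settle "is the whole LAN being masqueraded?" is to read the nat POSTROUTING chain back rather than reason from the config file. The script below parses the one-rule-per-line form that `iptables -t nat -S POSTROUTING` prints. The three sample dumps are constructed for illustration (they are not captured from the machine in the thread), the function names are mine, and it assumes the masquerading rules land in POSTROUTING with `-j MASQUERADE` on the FW_DEV_EXT interface, which is how iptables masquerading is expressed.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: read back what actually got programmed.
# On a live box you would feed it the real dump:
#   masq_sources "$(iptables -t nat -S POSTROUTING)" eth0
# Rule syntax assumed is what "iptables -S" prints: -A <chain> <matches> -j <target>.

# Constructed sample dumps (not captured from the machine in the thread).
# 1) the "whole internal network gets out" case: no -s restriction at all
SAMPLE_OPEN='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# 2) what FW_MASQ_NETS="192.168.10.0/24" is expected to produce
SAMPLE_SCOPED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE'

# 3) a rule on another interface plus a negated source match on the external one
SAMPLE_MIXED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 10.0.0.0/8 -o eth2 -j MASQUERADE
-A POSTROUTING ! -s 192.168.10.0/24 -o eth0 -j MASQUERADE'

# masq_sources RULES EXTDEV
# Prints one line per MASQUERADE rule that applies to traffic leaving EXTDEV:
# the source prefix it matches, "0.0.0.0/0" when the rule has no -s at all,
# and "!PREFIX" when the source match is negated.
masq_sources() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "-A" && $2 == "POSTROUTING" {
            src = "0.0.0.0/0"; out = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s") {
                    src = $(i + 1)
                    if ($(i - 1) == "!") src = "!" src
                }
                if ($i == "-o") out = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            # a rule without -o applies to every outgoing interface, EXTDEV included
            if (target == "MASQUERADE" && (out == "" || out == dev)) print src
        }'
}

# masq_is_catchall RULES EXTDEV
# Succeeds (exit 0) when some MASQUERADE rule on EXTDEV matches every source,
# i.e. the symptom reported in the thread.
masq_is_catchall() {
    masq_sources "$1" "$2" | grep -qx '0.0.0.0/0'
}

# Stand-alone run: report each constructed sample.
for name in SAMPLE_OPEN SAMPLE_SCOPED SAMPLE_MIXED; do
    eval "rules=\$$name"
    printf '%s: ' "$name"
    if masq_is_catchall "$rules" eth0; then
        echo "catch-all MASQUERADE on eth0 (every internal host is NATed)"
    else
        echo "masqueraded sources on eth0: $(masq_sources "$rules" eth0 | tr '\n' ' ')"
    fi
done
```

Run this right after `SuSEfirewall2 start` on the box under test: a `0.0.0.0/0` line for eth0 means the NAT table, not the config, is where the "open to the whole LAN" behaviour is coming from. Masquerading alone is only half of internet access; FW_ROUTE="yes" is what turns forwarding on, so if the NAT side looks right, check `iptables -S FORWARD` the same way before concluding the hosts really are blocked.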