firewals-2.1-5 (from 6.4), 1x dev-world, 2x dev-int
hello list!

I have installed firewals 2.1-5 on one of my machines. it has two internal devices (eth0: 192.168.0.10, eth1: 192.168.1.10) and one external (ippp0). both internal nets can connect to the internet w/o problems, but connecting to each other seems to be a problem, since there is no customizable ruleset in the firewall config for that (routing, forwarding etc. between internal ifaces)

--snip--
Chain forward (policy DENY):
target     prot opt     source                destination           ports
fw_masq    all  ------  192.168.0.0/23        0.0.0.0/0             n/a
DENY       all  ----l-  0.0.0.0/0             0.0.0.0/0             n/a
--snip--

after executing

--snip--
ipchains -D forward 2
ipchains -A forward -s 192.168.0.0/23 -d 192.168.0.0/23 -j ACCEPT
--snip--

the machines on the two different nets can connect to each other. the firewall is also a smb server, hence it tries to broadcast to both nets, which unfortunately is also denied. any idea to modify the SuSEfirewall script that it fits my needs? I'm not that familiar with ipchains :(

thanx in advance.

Kind regards
| Wolfram Schlich
------------------------------------------------------------------
| E-Mail: wolfram@schlich.org * ICQ #: 35713642
| Postal: Berghof * 56626 Andernach * Germany
| Tel.: +49-(0)2636-941194

> --snip--
> ipchains -D forward 2
> ipchains -A forward -s 192.168.0.0/23 -d 192.168.0.0/23 -j ACCEPT
> --snip--

The rule you've used above is quite okay. Now, in order not to always have to put it in manually, you can add it to /sbin/SuSEfirewall before the rule that tells it to deny everything by default.

Although from what I see above those two cards seem to be on the same network.

> The rule you've used above is quite okay. Now, in order not to always have to put it in manually, you can add it to /sbin/SuSEfirewall before the rule that tells it to deny everything by default.

first: thanks for your help.
hmm... I don't _really_ understand /sbin/SuSEfirewall
any hints which line to go to? :)

> Although from what I see above those two cards seem to be on the same network.

err...
eth0: 192.168.0.0/24 (192.168.0.0/255.255.255.0)
eth1: 192.168.1.0/24 (192.168.1.0/255.255.255.0)
-> 192.168.0.0/23 (192.168.0.0/255.255.254.0)

btw: am I the first one who needs forwarding / routing etc. between internal interfaces?!

Kind regards
| Wolfram Schlich

Okay I don't think this is how marc would do it but I would put that line at line 729 of /sbin/SuSEfirewall i.e.

    }
    done

    # Here is your rule:
    $IPCHAINS -A forward -s etc etc -d etc ....

    test "$FW_ROUTE" = yes && for i in $DEV_INT_NET $FW_MASQ_NETS; do
        for j in $FW_DEV_WORLD; do
            $IPCHAINS -A input -j "$DENY" -i $j -d $i $LDC
        done
    done

On Tue, 3 Oct 2000, W.Schlich wrote:

> > The rule you've used above is quite okay. Now, in order not to always have to put it in manually, you can add it to /sbin/SuSEfirewall before the rule that tells it to deny everything by default.
>
> first: thanks for your help.
> hmm... I don't _really_ understand /sbin/SuSEfirewall
> any hints which line to go to? :)
>
> > Although from what I see above those two cards seem to be on the same network.
>
> err...
> eth0: 192.168.0.0/24 (192.168.0.0/255.255.255.0)
> eth1: 192.168.1.0/24 (192.168.1.0/255.255.255.0)
> -> 192.168.0.0/23 (192.168.0.0/255.255.254.0)
>
> btw: am I the first one who needs forwarding / routing etc. between internal interfaces?!

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com

thanx - works! :)

Oct 3 16:19:43 klondike kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.10:138 192.168.0.255:138 L=253 S=0x00 I=34543 F=0x0000 T=64 (#12)

seems that the firewall prevents itself (it's samba-d) to broadcast... :(

Kind regards
| Wolfram Schlich

----- Original Message -----
From: "semat"

> Okay I don't think this is how marc would do it but I would put that line at line 729 of /sbin/SuSEfirewall i.e.
>
>     }
>     done
>
>     # Here is your rule:
>     $IPCHAINS -A forward -s etc etc -d etc ....
>
>     test "$FW_ROUTE" = yes && for i in $DEV_INT_NET $FW_MASQ_NETS; do
>         for j in $FW_DEV_WORLD; do
>             $IPCHAINS -A input -j "$DENY" -i $j -d $i $LDC
>         done
>     done
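
Added example, not part of the original thread: a Python parser for the ipchains "Packet log:" line quoted in the last message, tagging it with the interface addresses given in the first post. The function names and tag strings are illustrative assumptions; the sample line is the one from the post, joined onto a single line.

```python
import ipaddress
import re

# Interface addresses as given in the thread (both internal nets are /24).
LOCAL_IFACES = {
    "eth0": ipaddress.ip_interface("192.168.0.10/24"),
    "eth1": ipaddress.ip_interface("192.168.1.10/24"),
}

# Field layout of the kernel log line as it appears in the post.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+).*?\(#(?P<rule>\d+)\)"
)

def parse(line):
    """Return the fields of one ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    return rec

def classify(rec):
    """Tag a parsed record with what its addresses mean on this firewall."""
    tags = []
    if any(rec["src"] == i.ip for i in LOCAL_IFACES.values()):
        tags.append("source-is-firewall")      # packet sent by the box itself
    iface = LOCAL_IFACES.get(rec["iface"])
    if iface is not None and rec["dst"] == iface.network.broadcast_address:
        tags.append("subnet-broadcast")        # directed broadcast of that net
    if rec["proto"] == 17 and rec["dport"] in (137, 138):
        tags.append("netbios-udp")             # NetBIOS name/datagram service
    return tags

# The log line from the post, joined back onto one line.
SAMPLE = ("Oct 3 16:19:43 klondike kernel: Packet log: input DENY eth0 "
          "PROTO=17 192.168.0.10:138 192.168.0.255:138 L=253 S=0x00 "
          "I=34543 F=0x0000 T=64 (#12)")

if __name__ == "__main__":
    rec = parse(SAMPLE)
    print(rec["chain"], rec["target"], "rule", rec["rule"], classify(rec))
```

The three tags together describe the case in the post: a NetBIOS datagram from the firewall's own eth0 address to that subnet's broadcast address, dropped by rule 12 of the input chain.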