I believe the problem is in your FW_MASQ_NETS setting. Ping is an ICMP protocol. Why don't you try to open this up completely (internalnet/8, /16 or /24, whichever
appropriately applies), then test to see what happens. Then you can start restricting this more and more to tighten the controls as needed.
Jim
09/05/01 10:57:34 AM, "Anthony Hogbin" <anthony.hogbin@btinternet.com> wrote:
Hello
I am running repeatedly into a brick wall here over SuSEfirewall2
Three NICs - a real IP DMZ, a masqueraded LAN on 192, and a DSL router
which is my DFG and name server.
I can do most stuff I hoped it would do when I sat down and figured out what
I needed - like web, mail, imap, ssh, MSN IM blah blah. BUT I CANNOT PING.
Nowhere on the network can ping at all.
Masqueraded clients can resolve but then nothing.
This is what I get in the /var/log/firewall (where 14 is the router - and
the 192 address is the test client):
Sep 5 15:40:40 prometheus kernel: SuSE-FW-DROP-ANTI-SPOOFIN=eth0 OUT= MAC=00:01:02:24:8b:9a:00:20:6f:09:7c:b5:08:00 SRC=217.34.212.14 DST=217.34.212.2 LEN=315 TOS=0x00 PREC=0x00 TTL=60 ID=42849 PROTO=UDP SPT=53 DPT=1027 LEN=295
...this is just one example of many SPOOF issues - but the one that I think
points the strongest towards my current issues.
With a bit of luck the act of asking for help will bring some
enlightenment?!
----
For your entertainment (take it easy on me!) here is the setup
# 2.) external (Internet-facing) interface
FW_DEV_EXT="eth0"
# 3.) internal (masqueraded LAN) interface
FW_DEV_INT="eth2"
# 4.) DMZ interface
FW_DEV_DMZ="eth1"
# 5.)
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
# entries are source_net,dest_net,protocol,port; each entry masquerades one flow type
FW_MASQ_NETS="$INT_LAN_RANGE,0/0,tcp,20 $INT_LAN_RANGE,0/0,tcp,21
$INT_LAN_RANGE,0/0,tcp,22 $INT_LAN_RANGE,0/0,tcp,23
$INT_LAN_RANGE,0/0,tcp,25 $INT_LAN_RANGE,0/0,tcp,37
$INT_LAN_RANGE,0/0,udp,37 $INT_LAN_RANGE,0/0,udp,43
$INT_LAN_RANGE,0/0,udp,53 $INT_LAN_RANGE,0/0,tcp,53
$INT_LAN_RANGE,0/0,tcp,80 $INT_LAN_RANGE,0/0,tcp,110
$INT_LAN_RANGE,0/0,tcp,113 $INT_LAN_RANGE,0/0,tcp,123
$INT_LAN_RANGE,0/0,udp,123 $INT_LAN_RANGE,0/0,tcp,143
$INT_LAN_RANGE,0/0,tcp,443 $INT_LAN_RANGE,0/0,tcp,554
$INT_LAN_RANGE,0/0,tcp,993 $INT_LAN_RANGE,0/0,tcp,1863
$INT_LAN_RANGE,0/0,tcp,2401 $INT_LAN_RANGE,0/0,tcp,5800
$INT_LAN_RANGE,0/0,tcp,5900 $INT_LAN_RANGE,0/0,tcp,6800:6900
$INT_LAN_RANGE,0/0,udp,6800:6900 $INT_LAN_RANGE,0/0,tcp,6901
$INT_LAN_RANGE,0/0,udp,6901 $INT_LAN_RANGE,0/0,tcp,6970:7170
$INT_LAN_RANGE,0/0,tcp,7070"
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="" # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="53 3128"
FW_SERVICES_DMZ_UDP="53"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="23 53 3128"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
# 10.)
FW_TRUSTED_NETS="$EXT_ZFT_GATE,tcp,22"
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
# 13.)
FW_FORWARD="$INT_LAN_RANGE,$DMZ_IP_RANGE 0/0,$DMZ_EXCHANGE,tcp,25
0/0,$DMZ_EXCHANGE,tcp,80 0/0,$DMZ_EXCHANGE,tcp,135 0/0,$DMZ_EXCHANGE,tcp,443
0/0,$DMZ_BACKUP,tcp,21 0/0,$DMZ_BACKUP,tcp,20"
# 14.)
FW_FORWARD_MASQ="" # Beware to use this!
# 15.)
FW_REDIRECT=""
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix
SuSE-FW"
# 17.)
FW_KERNEL_SECURITY="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="yes"
# 19.) ICMP echo (ping) policy
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
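Added example (not code from the thread or from SuSEfirewall2 itself): a small Python model of how FW_MASQ_NETS entries match traffic, to make concrete what Jim's suggestion changes. It follows the documented entry format source_net[,dest_net[,protocol[,port]]], space separated. The LAN range 192.168.0.0/24 and the three test flows are assumptions, since the post never expands $INT_LAN_RANGE, and the per-port list is abridged to the entries needed here.

```python
"""Check which LAN flows a SuSEfirewall2 FW_MASQ_NETS list actually masquerades.

Added example, not code from the original thread. It models the documented
entry format "source_net[,dest_net[,protocol[,port]]]" (space-separated); the
LAN range below is an assumption, since the post never shows $INT_LAN_RANGE.
"""
import ipaddress

INT_LAN_RANGE = "192.168.0.0/24"  # assumption: the post only says "a masqueraded LAN on 192"

# The per-port style from the post with $INT_LAN_RANGE substituted (abridged;
# the real list is longer but every entry carries a protocol and a port).
POSTED_MASQ_NETS = " ".join(
    f"{INT_LAN_RANGE},0/0,{proto},{port}"
    for proto, port in [("tcp", "22"), ("udp", "53"), ("tcp", "53"),
                        ("tcp", "80"), ("tcp", "443"), ("tcp", "6800:6900")]
)

# Jim's suggestion: masquerade the whole LAN with no protocol or port restriction.
OPEN_MASQ_NETS = INT_LAN_RANGE


def _net(spec):
    """Turn '0/0' or '192.168.0.0/24' into an ip_network (0/0 means anywhere)."""
    if spec in ("0/0", "0.0.0.0/0"):
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(spec, strict=False)


def parse_masq_nets(value):
    """Parse FW_MASQ_NETS into a list of (src_net, dst_net, proto, (lo, hi) port range)."""
    rules = []
    for entry in value.split():
        fields = entry.split(",")
        src = _net(fields[0])
        dst = _net(fields[1]) if len(fields) > 1 else _net("0/0")
        proto = fields[2].lower() if len(fields) > 2 else None  # None = any protocol
        port = None                                              # None = any port
        if len(fields) > 3:
            lo, _, hi = fields[3].partition(":")                 # "22" or "6800:6900"
            port = (int(lo), int(hi or lo))
        rules.append((src, dst, proto, port))
    return rules


def masq_covers(rules, src_ip, dst_ip, proto, dport=None):
    """True if some entry would masquerade a flow src_ip -> dst_ip of proto/dport."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for src_net, dst_net, rproto, rport in rules:
        if s not in src_net or d not in dst_net:
            continue
        if rproto is not None and rproto != proto:
            continue
        # A port-restricted entry can never match a protocol that has no port.
        if rport is not None and (dport is None or not rport[0] <= dport <= rport[1]):
            continue
        return True
    return False


def uncovered_flows(value, flows):
    """Return the flows (src, dst, proto, dport) that the given FW_MASQ_NETS misses."""
    rules = parse_masq_nets(value)
    return [f for f in flows if not masq_covers(rules, *f)]


# Constructed test flows from a LAN client: an HTTPS connection, a DNS lookup,
# and an ICMP echo request (ping), which has no port at all.
FLOWS = [
    ("192.168.0.10", "217.34.212.14", "tcp", 443),
    ("192.168.0.10", "217.34.212.14", "udp", 53),
    ("192.168.0.10", "217.34.212.14", "icmp", None),
]

if __name__ == "__main__":
    print("posted list misses:", uncovered_flows(POSTED_MASQ_NETS, FLOWS))
    print("open list misses:  ", uncovered_flows(OPEN_MASQ_NETS, FLOWS))
```

Run as-is, the posted style reports the ICMP echo as the one uncovered flow while the bare network entry covers all three. The model only answers "does any entry match"; what the firewall does with an unmatched LAN packet (let it out unmasqueraded or drop it) is not modelled, but either way a reply to a private source address never comes back.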
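Added example (not code from the thread): a Python parser for the SuSE-FW kernel log records like the one quoted above, with a drop triage and a simplified model of the anti-spoof check (an address that belongs to an internal or DMZ network must arrive on that network's interface; anything else is expected on the external interface). The first sample line is the record from the post; the other two lines, the interface-to-network map and the overly wide DMZ range it contains are constructed assumptions, since the post gives only the interface roles, not the address ranges.

```python
"""Parse SuSEfirewall2 kernel log records and triage the drops.

Added example, not code from the original thread. The first sample line is the
record quoted in the post; the other two are constructed to show grouping. The
interface-to-network map is an assumption for illustration (the post does not
give the DMZ or LAN ranges); it is what the simplified anti-spoof check uses.
"""
import ipaddress
import re
from collections import Counter

# The configured log prefix has no trailing space, so "IN=" is glued onto it.
_PREFIX_RE = re.compile(r"(SuSE-FW-[A-Z-]+?)\s*(IN=.*)$")
_KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Line 1 is from the post; lines 2 and 3 are constructed.
SAMPLE_LOG = """\
Sep 5 15:40:40 prometheus kernel: SuSE-FW-DROP-ANTI-SPOOFIN=eth0 OUT= MAC=00:01:02:24:8b:9a:00:20:6f:09:7c:b5:08:00 SRC=217.34.212.14 DST=217.34.212.2 LEN=315 TOS=0x00 PREC=0x00 TTL=60 ID=42849 PROTO=UDP SPT=53 DPT=1027 LEN=295
Sep 5 15:41:02 prometheus kernel: SuSE-FW-DROP-ANTI-SPOOFIN=eth0 OUT= MAC=00:01:02:24:8b:9a:00:20:6f:09:7c:b5:08:00 SRC=217.34.212.14 DST=217.34.212.2 LEN=84 TOS=0x00 PREC=0x00 TTL=60 ID=42850 PROTO=ICMP TYPE=0 CODE=0
Sep 5 15:41:09 prometheus kernel: SuSE-FW-DROP-DEFAULTIN=eth2 OUT= MAC=00:50:ba:11:22:33:00:a0:c9:44:55:66:08:00 SRC=192.168.0.10 DST=217.34.212.14 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=ICMP TYPE=8 CODE=0
"""

# Constructed layout (assumption, not from the post): the DMZ range on eth1 is
# written so wide that it also covers the router's address 217.34.212.14, which
# is one way a packet from the router on eth0 comes to look spoofed.
INSIDE_NETS = {
    "eth1": ipaddress.ip_network("217.34.212.0/24"),  # DMZ, too wide
    "eth2": ipaddress.ip_network("192.168.0.0/24"),   # masqueraded LAN
}


def parse_record(line):
    """Return a dict of the record's fields, or None for lines that are not SuSE-FW records."""
    m = _PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    rec = {"prefix": prefix}
    parts = prefix.split("-", 2)                       # ["SuSE", "FW", "DROP-ANTI-SPOOF"]
    tail = parts[2] if len(parts) > 2 else ""
    rec["action"], _, rec["reason"] = tail.partition("-")  # "DROP", "ANTI-SPOOF"
    for key, val in _KV_RE.findall(rest):
        rec.setdefault(key, val)   # keep the first LEN (IP header), not the UDP one
    return rec


def expected_ifaces(src, inside_nets, ext_iface="eth0"):
    """Interfaces the firewall would accept src on under the simplified anti-spoof rule."""
    ip = ipaddress.ip_address(src)
    inside = sorted(name for name, net in inside_nets.items() if ip in net)
    return inside or [ext_iface]


def spoof_verdict(rec, inside_nets, ext_iface="eth0"):
    """(arrival interface, interfaces src belongs on, consistent?) for one record."""
    expected = expected_ifaces(rec["SRC"], inside_nets, ext_iface)
    return rec["IN"], expected, rec["IN"] in expected


def triage(text):
    """Count drops by (action, reason, in-iface, proto, dst port or ICMP type)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        detail = rec.get("DPT") or rec.get("TYPE") or ""
        counts[(rec["action"], rec["reason"], rec["IN"], rec["PROTO"], detail)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(triage(SAMPLE_LOG).items()):
        print(n, key)
    first = parse_record(SAMPLE_LOG.splitlines()[0])
    print("anti-spoof verdict:", spoof_verdict(first, INSIDE_NETS))
```

The triage groups the quoted line as a DROP/ANTI-SPOOF of UDP from port 53 to port 1027 on eth0, that is, a DNS reply from the router to the firewall's own resolver socket. The verdict function then reports where that source address would have been accepted under the assumed map, which is the question to ask of the real DMZ and LAN ranges in the configuration.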