[suse-security] SuSEfirewall2 v1.6 question? FAQ?
OK... Maybe I'm not getting something. I have a SuSE 7.2 machine with 2 network cards. eth0 is the world device (real static IP) and eth1 (private static IP) is the internal device. Masquerading is happening for machines on the internal network. Everything is working fine. Masquerading works. Internal machines can get to the outside world. The outside world can only get to the services that are open on the firewall. All is good.

BUT, the SuSE machine is a webserver, gameserver, etc... and there is a need for internal machines to access services on the world device (eth0); however, they can't. For example, if an internal machine tries to get a webpage from the webserver and uses the internal address of the webserver, everything works fine. But if you try to get the same page using the external address, nothing works.

In the firewall2.rc.config file, I have www listed in both FW_SERVICES_EXT_TCP and FW_SERVICES_INT_TCP. However, I always get a message in the /var/log/firewall log saying that it denied a request on eth1 for DPT=80.

What am I missing? Losing hair...hehehe

TIA,
Tall0n
--
GregWorld.com
Hi Tall0n

On 2001.08.26 23:45:38 +0100 Tall0n wrote:

> OK... Maybe I'm not getting something. I have a SuSE 7.2 machine with 2 network cards. eth0 is the world device (real static IP) and eth1 (private static IP) is the internal device. Masquerading is happening for machines on the internal network.
> <SNIP>
> in the /var/log/firewall log saying that it denied a request on eth1 for DPT=80.
> What am I missing? Losing hair...hehehe

One of my systems is virtually identical to this. Can you post a full log entry for the failed packets please?

Maf.

> TIA,
> Tall0n --

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Maf. King
Standby Exhibition Services
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It is easier to do a job right than to explain why you didn't." - Martin Van Buren
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
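Maf's request for the full log entry is the right next step, because a netfilter LOG line carries the incoming interface (IN=), source and destination addresses and the destination port, which is exactly what separates Tall0n's case (an internal host on eth1 addressing the firewall's external IP) from an ordinary drop of outside traffic. The following parser is an added example written for this page, not code from the thread or from SuSEfirewall2. It reads lines in the kernel LOG format that SuSEfirewall2 writes via syslog and groups the drops by where they came from and what they were addressed to. The sample lines are constructed; the log prefix SuSE-FW-DROP-DEFAULT, the hostname gw, and the addresses 203.0.113.10 (assumed eth0 address) and 192.168.1.0/24 (assumed internal net) are assumptions, as are the interface roles eth0 = external, eth1 = internal taken from Tall0n's description.

```python
import re
from collections import Counter

# Constructed sample /var/log/firewall lines in the netfilter LOG format
# (timestamp, host, "kernel:", log prefix, then KEY=VALUE fields and bare
# flags such as DF/SYN). Prefix, host and addresses are assumptions.
SAMPLE_LOG = """\
Aug 26 23:40:01 gw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=1035 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 26 23:40:05 gw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=22222 DF PROTO=TCP SPT=3389 DPT=23 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 26 23:40:09 gw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=192.168.1.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Aug 26 23:40:12 gw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.21 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4712 DF PROTO=TCP SPT=1040 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# syslog preamble: "Mon DD HH:MM:SS host kernel: <prefix> <fields...>"
LOG_RE = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>\S+) (?P<rest>.*)$"
)


def parse_line(line):
    """Turn one LOG line into a dict of KEY=VALUE fields plus a 'flags' list.

    Tokens without '=' (DF, SYN, ACK, ...) are TCP/IP flags, not fields.
    Returns None for lines that are not netfilter LOG entries.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = {"stamp": m["stamp"], "host": m["host"], "prefix": m["prefix"], "flags": []}
    for tok in m["rest"].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val          # a repeated LEN= (UDP) simply overwrites
        else:
            rec["flags"].append(tok)
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def classify(rec, ext_if, int_if, ext_ip):
    """Name the path a dropped packet took, using only IN= and DST=.

    'internal-host-to-external-address' is Tall0n's case: the packet
    arrived on the internal interface but was addressed to the IP bound
    to the external interface.
    """
    if rec.get("IN") == ext_if:
        return "from-external"
    if rec.get("IN") == int_if and rec.get("DST") == ext_ip:
        return "internal-host-to-external-address"
    if rec.get("IN") == int_if:
        return "internal-host-to-other-address"
    return "other"


def summarize(text, ext_if="eth0", int_if="eth1", ext_ip="203.0.113.10"):
    """Count drops by (path, protocol, destination port)."""
    counts = Counter()
    for rec in parse_log(text):
        counts[(classify(rec, ext_if, int_if, ext_ip), rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:3d}  {key[0]:36s} {key[1]} dpt={key[2]}")
```

Run against a real /var/log/firewall, the line to look for is the one with IN=eth1 and DST equal to eth0's address: if the drops Tall0n sees are all of that shape, the question for the rule set is whether the internal-side rules accept traffic to the external address at all, not just to the internal one, which is something to confirm in the generated rules rather than assume from the service lists.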
On Sunday 26 August 2001 16:45, you wrote:

> The SuSE machine is a webserver, gameserver, etc... and there is a need for internal machines to access services on the world device (eth0); however, they can't. For example, if an internal machine tries to get a webpage from the webserver and uses the internal address of the webserver, everything works fine. But if you try to get the same page using the external address, nothing works.

Can people outside your network hit your eth0 machine? This sounds like a nameserver issue to me. I have a setup just like this and have no such problem; of course, I also have a domain name associated with my eth0 machine. So long as the DNS you're using has your eth0 IP/domain name, things should work. Have you tried pinging your eth0 IP or domain name?

What is the physical connection for the eth0 machine? Is it a cable modem, wireless modem (what I use), hub, switch, router, ...?

You also might want to include the config file definitions for:

FW_SERVICES_EXTERNAL_TCP
FW_SERVICES_EXTERNAL_UDP
FW_SERVICES_EXTERNAL_IP

in a future post to this thread. I doubt that it would make a difference, but I use http to specify web services rather than www. They're both listed in /etc/services for port 80, but http is listed first.

Mike
participants (3)
- Maf King
- Michael L Lockhart
- Tall0n