SuSEfirewall2 not routing when both nics on same subnet
I want to do basic filtering of ports without having to masquerade. From everything I have read (including the unofficial guide to SuSEfirewall) the below config should do that. Unfortunately I cannot get the firewall to route to eth1 or anything behind it. I am a noob at this so any guidance would be greatly appreciated. Thanks in advance, Dave

The IPs have been changed for obvious reasons.

Internet
   |
   |
eth0 (1.1.1.1)
   |
FireWall---eth1 (1.1.1.2)
               |
               |
           Webserver (1.1.1.3)

FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="ssh"
FW_SERVICES_DMZ_TCP="ssh"
FW_SERVICES_DMZ_UDP="ssh"
FW_SERVICES_DMZ_IP=""
FW_TRUSTED_NETS=""
FW_FORWARD="0/0,1.1.1.3,tcp,80"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_FW_TRACEROUTE="yes"

--
C: Zanzeta, Inc.
N: Dave Livingston
T: Chief Information Officer
P: 469.688.4872
F: 214.292.8578
E: dlivingston@zanzeta.com
Hi Dave, I'm not sure about your network setup: at which interface is the webserver connected? Also, shouldn't you have different subnets on the different interfaces?
Internet
   |
   |
eth0 (1.1.1.1)
   |
FireWall---eth1 (1.1.1.2)
               |
               |
           Webserver (1.1.1.3)
--> I guess this should be something like:

FW: eth0: 1.1.1.1/255.255.255.0
FW: eth1: 1.1.2.1/255.255.255.0
Webserver: 1.1.2.2/255.255.255.0

Then you have an external interface with IP 1.1.1.1 and an internal interface with IP 1.1.2.1 which is a separate subnet.
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="ssh"
--> SSH is only using TCP, so you can leave this empty
FW_SERVICES_DMZ_TCP="ssh"
--> Here you would need "ssh, http"
FW_SERVICES_DMZ_UDP="ssh"
--> SSH is only using TCP, so you can leave this empty
FW_SERVICES_DMZ_IP=""
FW_TRUSTED_NETS=""
FW_FORWARD="0/0,1.1.1.3,tcp,80"
--> This should then read "0/0,1.1.2.2,tcp,80"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
--> Try to increase the logging level by setting the _ALL variables to "yes" for testing.

Please provide more information about your setup so we can better understand and help you.

Cheers,
Armin

--
Am Hasenberg 26
D-18209 Bad Doberan
Tel. ++49-(0)38203/42137
Email: schoech@iap-kborn.de
WWW: http://armins.cjb.net/

office:
Institut für Atmosphärenphysik
Schloss-Straße 6
D-18225 Kühlungsborn / GERMANY
Tel. +49-(0)38293-68-102
Fax. +49-(0)38293-68-50
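As an added example (not code from the thread, from SuSEfirewall2 or from SUSE), the following Python script lints a SuSEfirewall2-style configuration for the problems the reply points out: the external and DMZ interfaces sharing one subnet (so FW_ROUTE has nothing to route between), an FW_FORWARD target outside the DMZ subnet, FW_FORWARD without FW_ROUTE, and "ssh" listed as a UDP service. The interface addresses are passed in separately because the config file does not carry them; the /24 masks on the sample addresses are an assumption, the post gives none. The two embedded configs are constructed from the original post and from the reply's suggested changes.

```python
import ipaddress
import re

# Constructed sample, not the real file: the poster's settings with the
# addresses from the diagram. The /24 masks are an assumption; the
# post does not give them.
SAMPLE_CONFIG = '''
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="ssh"
FW_SERVICES_DMZ_TCP="ssh"
FW_SERVICES_DMZ_UDP="ssh"
FW_FORWARD="0/0,1.1.1.3,tcp,80"
'''
SAMPLE_ADDRS = {"eth0": "1.1.1.1/24", "eth1": "1.1.1.2/24"}

# The same file after the changes suggested in the reply: DMZ moved to
# its own subnet, http opened on the DMZ side, UDP entries emptied.
FIXED_CONFIG = '''
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_DMZ_TCP="ssh http"
FW_SERVICES_DMZ_UDP=""
FW_FORWARD="0/0,1.1.2.2,tcp,80"
'''
FIXED_ADDRS = {"eth0": "1.1.1.1/24", "eth1": "1.1.2.1/24"}

# Service names people put in *_UDP lists although the protocol is TCP-only.
TCP_ONLY = {"ssh", "http", "https", "smtp", "imap", "pop3"}

_ASSIGN = re.compile(r'^\s*(FW_[A-Z0-9_]+)\s*=\s*"([^"]*)"\s*$')


def parse_config(text):
    """Return {VAR: value} for every FW_*="..." line; a later line wins."""
    conf = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf


def parse_forward(value):
    """Split FW_FORWARD into (source, dest_ip, proto, port) tuples."""
    rules = []
    for entry in value.split():
        parts = entry.split(",")
        if len(parts) < 4:
            raise ValueError(f"malformed FW_FORWARD entry: {entry!r}")
        rules.append(tuple(parts[:4]))
    return rules


def _network(addrs, iface):
    return ipaddress.ip_interface(addrs[iface]).network if iface in addrs else None


def lint(text, addrs):
    """Return [(code, message), ...]; an empty list means no findings."""
    conf = parse_config(text)
    findings = []
    ext, dmz = conf.get("FW_DEV_EXT", ""), conf.get("FW_DEV_DMZ", "")
    ext_net, dmz_net = _network(addrs, ext), _network(addrs, dmz)

    # A router needs one subnet per interface. Two connected routes for
    # the same prefix leave the kernel nothing to choose between.
    if ext_net is not None and dmz_net is not None and ext_net == dmz_net:
        findings.append(("same-subnet",
            f"{ext} and {dmz} are both in {ext_net}; give the DMZ its own "
            f"subnet (RFC 1918 plus masquerading, or a split of the public "
            f"range), or use proxy ARP"))

    forward = conf.get("FW_FORWARD", "")
    if forward and conf.get("FW_ROUTE") != "yes":
        findings.append(("forward-without-route",
            'FW_FORWARD is set but FW_ROUTE is not "yes"'))
    for _src, dst, _proto, _port in parse_forward(forward):
        if dmz_net is not None and ipaddress.ip_address(dst) not in dmz_net:
            findings.append(("forward-target-not-in-dmz",
                f"FW_FORWARD target {dst} is not inside the DMZ subnet {dmz_net}"))

    for var, value in conf.items():
        if var.startswith("FW_SERVICES_") and var.endswith("_UDP"):
            for svc in value.split():
                if svc in TCP_ONLY:
                    findings.append(("udp-tcp-only-service",
                        f"{var} lists {svc}, which only uses TCP"))
    return findings


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG, SAMPLE_ADDRS):
        print(f"{code}: {msg}")
```

Run against the poster's config it reports the shared subnet once and the two UDP "ssh" entries; against the corrected addressing it reports nothing. The same-subnet check is the one worth keeping in any firewall pre-flight: with FW_MASQUERADE="no" there is no NAT to hide the mistake, so the web server is simply unreachable.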
If you want routing between interfaces on the same subnet, you should be setting up an ethernet bridge. I tried to do this a while ago and found that it could not be done. So if someone proves me wrong, I will be more than happy to apologise and then ask for pointers.
On Tuesday 25 May 2004 12.40, b@rry.co.za wrote:
RE: [suse-security] SuSEfirewall2 not routing when both nics on same subnet
if you want routing between interfaces on the same subnet, you should be setting up an ethernet bridge.
Err... just for clarification. If you use a bridge, you're doing bridging, not routing. A bridge forwards traffic on Layer 2, based on physical addresses, i.e. MAC addresses. A router is a Layer 3 device, forwarding on logical addresses, e.g. IP addresses. By default, bridging will let anything through, unless traffic is filtered in some way. Other than that, bridging between interfaces will work. Just a thought... //Tony
should be setting up an ethernet bridge.
Yes, a bridge is not routing. But how do you route between two interfaces on the same subnet? AFAIK you can't, hence requiring a bridge.
By default, bridging will let anything through, unless traffic is filtered in some way.
Yes, bridging allows everything through as if the device were simply a piece of wire. There are some apps that will allow you to filter this traffic and set up rules. I used http://ebtables.sourceforge.net/ ebtables to do this and it worked like a bomb. Similar chain string setup as iptables, this made it fairly simple to pick up and run.
On Tuesday 25 May 2004 13.06, b@rry.co.za wrote:
should be setting up an ethernet bridge.
Yes, a bridge is not routing. But how do you route between two interfaces on the same subnet? AFAIK you can't, hence requiring a bridge.

That is correct, you can't. So a bridge is the only alternative, as you pointed out. My humble point was just to separate the concepts of routing and bridging, which are two very different ways of forwarding network traffic. It's the router jockey in me, I guess ;-)
I used http://ebtables.sourceforge.net/ ebtables to do this and it worked like a bomb.
Similar chain string setup as iptables, this made it fairly simple to pick up and run. It's a good tool :-)
//Tony PS. Sorry for leading the initial subject out of focus.
Hi,

I use a similar setup at work to split a range of 64 IP addresses into multiple demilitarized zones. I did not choose to use subnetting, as I wanted to move hosts easily between DMZs without changing their IP address. The setting you want is possible if you use a technique called "proxy ARP".

I also suggest you use the Shoreline Firewall script to set up your firewalling and routing, instead of the SuSEfirewall script. It is easy to set up, even for complex settings (I don't want to start a flamewar, but Shorewall is much more suited for complicated settings than SuSEfirewall IMHO). You can configure proxy ARP very easily there.

Get Shorewall and the Shorewall tutorial from http://www.shorewall.net/

In any case, I suggest you read the following about proxy ARP:

http://www.sjdjweis.com/linux/proxyarp/
http://lartc.org/howto/lartc.bridging.proxy-arp.html

The second has an example; it should be easy to customize it to your needs.

peace,
Tom

David Livingston wrote:
Internet
   |
   |
eth0 (1.1.1.1)
   |
FireWall---eth1 (1.1.1.2)
               |
               |
           Webserver (1.1.1.3)
Proper subnetting and a correctly configured DNS is really the answer here. Yes, you can use proxy ARP, but I would suggest that if this user is having trouble with the simple setup he has and has not noticed that the IP addresses are set up incorrectly, then I suspect there would be further trouble setting up proxy ARP. Simply set up an RFC 1918 address range (192.168.1.*) and mask it, or use a second one on the other NIC. This is not only best practice, it is far simpler to configure for a new user. Also consider using the YaST config for the firewall. This is simple enough for the settings he needs.

Brett Stevens

On 25/5/04 23:18, "Thomas Seliger" <CRJLJAKTJORB@spammotel.com> wrote:
Hi *, Brett Stevens wrote:
Simply set up a rfc 1918 address range (192.168.1.* ) and mask it or use a second one on the other nic. This is not only best practice it is far simpler to configure for a new user.
Internet
   |
   |
eth0 (1.1.1.1)
   |
FireWall---eth1 (1.1.1.2)
               |
               |
           Webserver (1.1.1.3)
I think Brett is right, I misread your config. Somehow I saw 3 interfaces in your config. Putting an RFC 1918 subnet behind eth1 and masquerading / port-forwarding traffic would be a solution.

Proxy ARP only makes sense in your setting for example if you are in, let's say, a class C network and got no central firewall. If you want to secure computers with various IP addresses (not a subnet) and have no possibility to put a central firewall in front of the network, then a proxy ARP firewall could be used to split off those hosts and put them in a DMZ. But Brett is right, that's kind of an advanced setting.

Perhaps you could provide us with more details (why you want the setup you described: no masquerading etc.)?

peace,
Tom
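The thread settles on three options: a separate subnet behind eth1 (Armin, Brett), a bridge with ebtables (b@rry, Tony), or proxy ARP with the public addresses kept (Tom). As an added example that is not part of the thread and not code from any of the tools named, the Python below models the kernel's forwarding decision with a small longest-prefix-match table and the Linux proxy-ARP rule (reply to an ARP request when the target is routed out of a different interface), so the three layouts can be compared offline. The bridge case is not modelled since it forwards on MAC addresses and never consults this table. Interface addresses come from the original diagram with assumed /24 masks; the Linux commands quoted in comments (ip route add, the proxy_arp sysctl) are the real ones, the function names are this example's own.

```python
import ipaddress


class RoutingTable:
    """Minimal longest-prefix-match table; entries are (network, iface)."""

    def __init__(self):
        self.routes = []

    def add(self, prefix, iface):
        # Linux equivalent: ip route add <prefix> dev <iface>
        self.routes.append((ipaddress.ip_network(prefix), iface))

    def lookup(self, dst):
        """Egress interface for dst, or None if unroutable. Among routes
        of equal length the first one added wins, which stands in for the
        kernel preferring the connected route it learned first."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, iface in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None


def answers_arp(table, proxy_arp, req_iface, target, own_addrs):
    """Does the firewall reply to an ARP request for `target` seen on
    req_iface? Always for its own address on that interface; with
    proxy_arp enabled there (sysctl -w net.ipv4.conf.<iface>.proxy_arp=1)
    also for any target it routes out of a *different* interface."""
    if target in own_addrs.get(req_iface, ()):
        return True
    if not proxy_arp.get(req_iface, False):
        return False
    out = table.lookup(target)
    return out is not None and out != req_iface


# Firewall addresses from the diagram (masks assumed /24).
FW_ADDRS = {"eth0": {"1.1.1.1"}, "eth1": {"1.1.1.2"}}


def poster_setup():
    """Both NICs numbered from 1.1.1.0/24, exactly as in the original post."""
    t = RoutingTable()
    t.add("1.1.1.0/24", "eth0")   # connected route from eth0 1.1.1.1/24
    t.add("1.1.1.0/24", "eth1")   # connected route from eth1 1.1.1.2/24
    return t


def proxy_arp_setup():
    """Same addressing plus the two things proxy ARP needs: a /32 host
    route for the web server via eth1 and proxy_arp on eth0."""
    t = poster_setup()
    t.add("1.1.1.3/32", "eth1")   # ip route add 1.1.1.3/32 dev eth1
    return t


def subnet_setup():
    """The other replies' suggestion: a separate subnet behind eth1."""
    t = RoutingTable()
    t.add("1.1.1.0/24", "eth0")   # eth0 1.1.1.1/24
    t.add("1.1.2.0/24", "eth1")   # eth1 1.1.2.1/24
    return t


if __name__ == "__main__":
    print("poster   : packet for 1.1.1.3 leaves via", poster_setup().lookup("1.1.1.3"))
    print("proxy arp: packet for 1.1.1.3 leaves via", proxy_arp_setup().lookup("1.1.1.3"))
    print("proxy arp: answer ARP for 1.1.1.3 on eth0?",
          answers_arp(proxy_arp_setup(), {"eth0": True}, "eth0", "1.1.1.3", FW_ADDRS))
    print("subnets  : packet for 1.1.2.2 leaves via", subnet_setup().lookup("1.1.2.2"))
```

In the poster's layout a packet for 1.1.1.3 arriving from the Internet matches the eth0 connected route first and is sent straight back out eth0, where nobody holds that address, which is the "not routing" symptom. The /32 host route alone fixes the outbound side; proxy_arp on eth0 is what makes the upstream router's ARP for 1.1.1.3 get an answer, otherwise traffic never reaches the firewall at all. With a separate subnet neither trick is needed, which is why the thread recommends it for a first setup.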
Participants (6): Armin Schoech, b@rry.co.za, Brett Stevens, David Livingston, Thomas Seliger, Tony Stohne