I don't see my web server any more. My config is:

```
                      WEB
                       |
                       | (ppp0-eth0)
                       |
FIREWALL -----(eth2:192.168.5.1)-------- WEB SERVER (apache) 192.168.5.2
   | (eth1) 192.168.1.1
   |
INTERNAL NETWORK 192.168.1.x
```

SuSEfirewall file:

```sh
# 1.)
# 2.)
FW_DEV_EXT="ppp0"
# 3.)
FW_DEV_INT="eth1"
# 4.)
FW_DEV_DMZ="eth2"
# 5.)
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
# 7.)
FW_PROTECT_FROM_INTERNAL="yes"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
#
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
#
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
# 10.)
FW_TRUSTED_NETS=""
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
# 13.)
FW_FORWARD="0/0,192.168.1.0/24"
# 14.)
FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"
# 15.)
FW_REDIRECT=""
# 16.)
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
# 17.)
FW_KERNEL_SECURITY="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"
# 19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute-like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
```

I need help!
You have to empty

FW_FORWARD="0/0,192.168.1.0/24"

This is only used for public IP addresses.

FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"

should be OK then, IMHO.
--
Check the headers for your unsubscription address.
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here.
I deleted FW_FORWARD="0/0,192.168.1.0/24", so I have FW_FORWARD="", but I don't see my web server! If my public IP is 193.252.183.24 and I open the URL http://193.252.183.24 in Explorer, I should see my web server?
Hi Frédéric!
If my public IP is 193.252.183.24 and I open the URL http://193.252.183.24 in Explorer, I should see my web server?
That depends. *g* If you want to access your web server from a machine connected to the internal network (192.168.1.0/24), you need to give the _private_ IP address of the web server: http://192.168.5.2

If I wanted to access your web server, I'd give the _public_ IP address of your firewall: http://193.252.183.24

There are two reasons for this: access to the external/public IP of the firewall is prohibited from the internal network for security reasons; you will see a SuSE-FW-NO_ACCESS_INT->FW_EXT if you log dropped packets. Furthermore, the firewall only DNATs (redirects) connections coming in from the masquerading interface (ppp0) to the web server in the DMZ.

To be able to access your web server in the DMZ from the 192.168.1.0/24 net, you need to forward connections between the DMZ and the internal net. SuSEfirewall2 does not route anything between different subnets by default. Masquerading is not involved here, therefore you need at least to set

FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"

This will allow access to port 80 on your web server from any machine in the 192.168.1.0/24 net. And, please set

FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"

to be able to see what exactly is going wrong.

Regards, Andy
--
Andreas J. Mueller email:
I still don't see my web server, neither from the Internet nor from the internal network.
Hi Frédéric,

can you see your webserver when you try to reach it with http://192.168.5.1/ from your internal zone? If not, can you reach it on the webserver itself with e.g. wget http://192.168.5.1/ ?

Thorsten
can you see your webserver when you try to reach it with http://192.168.5.1/ from your internal zone?

I can't see it.

if not, can you reach it on the webserver itself with e.g. wget http://192.168.5.1/ ?

I can't see it. But the IP of the web server is 192.168.5.2.
* Frédéric Poulet;
I don't see my web server any more. My config is:

Set the parameters for the following as follows; all others are OK.

FW_MASQ_NETS="192.168.1.0/24 192.168.5.2/32"

# 13.) FW_FORWARD="0/0,192.168.1.0/24"

Leave this _BLANK_: FW_FORWARD=""

# 16.) FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="yes" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

I need help!

Do the above changes, then rcSuSEfirewall2 restart, start surfing your webserver and then get the firewall log to see where the problem is. And most important, please read the firewall2.pdf; I do think it will help you to understand what is going on.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi Frédéric,

try

# 6.) FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"

You do not want to masq everything, just your internal network and your DMZ.

# 9.) FW_SERVICES_EXT_TCP="80" FW_SERVICES_DMZ_TCP="80" FW_SERVICES_INT_TCP="80"

You have to let the packets to your webserver through. Therefore you have to accept the port on your firewall.

# 13.) FW_FORWARD=""

Should be empty, only for public addresses.

# 16.) FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no"

Log everything which is blocked, so you can see whether the packets are blocked somewhere. Try to access your webserver and try tail -f /var/log/messages on the firewall to see which packets are blocked.

Thorsten
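An added example (not from this thread and not SuSEfirewall2's own code) of reading the lines that FW_LOG_DROP_ALL="yes" puts into /var/log/messages: the function below groups kernel LOG entries carrying the SuSE-FW prefix by prefix, interfaces, addresses and destination port, so a burst of identical drops reads as one line with a count. The sample log is constructed; the SuSE-FW-NO_ACCESS_INT->FW_EXT prefix is the one Andreas mentions above, the other prefix is a constructed label.

```sh
#!/bin/sh
# Added example: summarise SuSEfirewall2 LOG entries from /var/log/messages.
# Typical use on the firewall: tail -n 500 /var/log/messages | summarize_fw_log

# Constructed sample of what the kernel writes with FW_LOG_DROP_ALL="yes".
# IN/OUT tell you the chain: OUT empty = packet addressed to the firewall
# itself (INPUT); both set = packet the firewall was asked to route (FORWARD).
sample_log() {
    cat <<'EOF'
Nov  8 16:40:01 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth2 SRC=192.168.1.10 DST=192.168.5.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4321 DF PROTO=TCP SPT=1034 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  8 16:40:04 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth2 SRC=192.168.1.10 DST=192.168.5.2 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4322 DF PROTO=TCP SPT=1034 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  8 16:40:09 fw kernel: SuSE-FW-NO_ACCESS_INT->FW_EXT IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=193.252.183.24 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4323 DF PROTO=TCP SPT=1035 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  8 16:40:15 fw kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= SRC=203.0.113.7 DST=193.252.183.24 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov  8 16:40:20 fw sshd[123]: Accepted publickey for admin from 192.168.1.10 port 1040 ssh2
EOF
}

# Read syslog lines on stdin; print "count prefix IN OUT SRC DST PROTO DPT"
# for every distinct tuple, most frequent first. Missing fields show as "-".
summarize_fw_log() {
    awk '
    function get(name) { return (name in f && f[name] != "") ? f[name] : "-" }
    /SuSE-FW/ {
        split("", f)            # reset the per-line key=value map (portable clear)
        prefix = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SuSE-FW/) { prefix = $i; continue }
            eq = index($i, "=")
            if (eq > 0) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        key = prefix " " get("IN") " " get("OUT") " " get("SRC") " " get("DST") " " get("PROTO") " " get("DPT")
        count[key]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# What the one prefix explained in this thread means for the operator.
explain_prefix() {
    case "$1" in
        'SuSE-FW-NO_ACCESS_INT->FW_EXT')
            echo "internal host tried the firewall's public address; from inside use the DMZ host's private IP" ;;
        *)
            echo "dropped in the chain implied by IN/OUT; check FW_FORWARD, FW_FORWARD_MASQ or FW_SERVICES_* for those interfaces" ;;
    esac
}

# Demo run on the constructed sample.
sample_log | summarize_fw_log
explain_prefix 'SuSE-FW-NO_ACCESS_INT->FW_EXT'
```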
I don't understand. I don't see my web server, and I read susefirewall.pdf, but nothing! Help, help, help!
Could you give a complete extract of the SuSEfirewall2 file as it is now?
Thanks
Chris
My susefirewall2 file is:

```sh
# 1.)
# 2.)
FW_DEV_EXT="ppp0"
# 3.)
FW_DEV_INT="eth1"
# 4.)
FW_DEV_DMZ="eth2"
# 5.)
FW_ROUTE="yes"
# 6.)
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"
# 7.)
FW_PROTECT_FROM_INTERNAL="no"
# 8.)
FW_AUTOPROTECT_SERVICES="yes"
# 9.)
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
#
FW_SERVICES_DMZ_TCP="80"
FW_SERVICES_DMZ_UDP="80"
FW_SERVICES_DMZ_IP="80"
#
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
# 10.)
FW_TRUSTED_NETS=""
# 11.)
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
# 12.)
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
# 13.)
FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"
# 14.)
FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"
# 15.)
FW_REDIRECT=""
# 16.)
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
# 17.)
FW_KERNEL_SECURITY="yes"
# 18.)
FW_STOP_KEEP_ROUTING_STATE="no"
# 19.)
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
##
# END of rc.firewall
##
#
#-------------------------------------------------------------------------#
#                                                                         #
# EXPERT OPTIONS - all others please don't change these!                  #
#                                                                         #
#-------------------------------------------------------------------------#
#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute-like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_TRACEROUTE="yes"
#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"
#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no" if not set.
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"
#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"
#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
```
Hi,

Make these changes:

FW_SERVICES_EXT_TCP="80"
FW_SERVICES_EXT_UDP="80"
FW_SERVICES_EXT_IP="80"

This will allow Internet users access to your webserver.

FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP="80"
FW_SERVICES_INT_IP="80"

This will allow your LAN to access the webserver.

FW_FORWARD=""

This is only for public IP addresses, so leave this empty.

This should do the trick ;)
Regards
Chris
Oops ..
sorry ...
FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"
is correct ...
regards
all the other changes have to be done. ...
----- Original Message -----
From: "Chris FitzGerald"
(quoting Frédéric Poulet's message, Sent: Friday, November 08, 2002 4:36 PM, Subject: Re: [suse-security] SuseFirewall2 DMZ)
* Frédéric Poulet;
FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"

This is good; you can even say 192.168.0.0/16.

# 9.) FW_SERVICES_EXT_TCP="" FW_SERVICES_EXT_UDP="" FW_SERVICES_EXT_IP="" # FW_SERVICES_DMZ_TCP="80" FW_SERVICES_DMZ_UDP="80" FW_SERVICES_DMZ_IP="80"

No, leave these empty. Here is the reasoning:

# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall)

Meaning: if you want to have access to your FIREWALL from the DMZ, then enter the services. When you say 80 here you are saying "I have a service available at the FIREWALL, and this is at port 80, and people coming from the DMZ towards my FIREWALL are allowed if they want a request for port 80." I do not think this is what you want. You have your webserver at the DMZ, NOT_ON_THE_FIREWALL, am I correct to understand?

# 13.) FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"

This is correct.

# 14.) FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"

This is correct.

# 16.) FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

Good. Basically with this setup you should be able to have your webserver accessible from the Internet and from your local net. If you can not reach it from the internal net, it should give you some error messages. What do the logs say? Try after this setup to go to your webserver. If you get in then everything is OK; if not, the logs should say why it dropped. Send that part to the list and let's try again.

# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"

Hint: if you place FW_MASQ_NETS=192.168.0.0/16, then enable this one to yes and make sure FW_FORWARD="" is set empty. This will make that interfaces on the same class, in this case /16, can do routing among each other without FW_FORWARD rules.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
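As an added illustration (not SuSEfirewall2's own code and not posted by anyone in this thread), the shell functions below render, in simplified form, the iptables rules that the three settings discussed above correspond to: FW_FORWARD as a plain FORWARD-chain accept with no address translation (Andreas's point), FW_FORWARD_MASQ as a DNAT on the external interface plus the matching forward, and FW_SERVICES_<ZONE>_TCP as an INPUT-chain accept, i.e. a service on the firewall host itself (Togan's point). A small lint flags the original 0/0 -> 192.168.1.0/24 entry; interface names and addresses are taken from the thread, and nothing is applied to a running kernel.

```sh
#!/bin/sh
# Added example: what FW_FORWARD, FW_FORWARD_MASQ and FW_SERVICES_<ZONE>_TCP
# correspond to in iptables terms. Simplified rendering, not SuSEfirewall2's
# rule generator; the rules are printed, never executed.

FW_DEV_EXT="ppp0"   # interface names from the thread's setup
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"

# Return 0 if $1 is an RFC 1918 address or prefix (10/8, 172.16/12, 192.168/16).
is_private() {
    case "$1" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Split "src,dst[,proto,port]" into the variables src dst proto port.
split_entry() {
    IFS=, read -r src dst proto port <<EOF
$1
EOF
}

# FW_FORWARD entry: plain routing between zones. No NAT is involved, so the
# source must reach dst under its real address (an internal net reaching a
# DMZ host works; an Internet source can never reach a private dst this way).
render_forward() {
    split_entry "$1"
    rule="iptables -A FORWARD -s $src -d $dst"
    if [ -n "$proto" ]; then rule="$rule -p $proto"; fi
    if [ -n "$port" ]; then rule="$rule --dport $port"; fi
    echo "$rule -j ACCEPT"
}

# FW_FORWARD_MASQ entry: connections arriving on the masquerading (external)
# interface are DNATed to dst and then forwarded. This is the only path by
# which an outside client reaches a DMZ host that has a private address.
render_forward_masq() {
    split_entry "$1"
    echo "iptables -t nat -A PREROUTING -i $FW_DEV_EXT -s $src -p $proto --dport $port -j DNAT --to-destination $dst:$port"
    echo "iptables -A FORWARD -i $FW_DEV_EXT -d $dst -p $proto --dport $port -j ACCEPT"
}

# FW_SERVICES_<ZONE>_TCP: a service ON THE FIREWALL reachable from that zone.
# It lands in INPUT, so FW_SERVICES_DMZ_TCP="80" admits DMZ hosts to a web
# server running on the firewall itself, not to the web server in the DMZ.
render_service_tcp() {   # $1 = zone (EXT|INT|DMZ), $2 = port
    case "$1" in
        EXT) dev="$FW_DEV_EXT" ;;
        INT) dev="$FW_DEV_INT" ;;
        DMZ) dev="$FW_DEV_DMZ" ;;
        *) echo "unknown zone $1" >&2; return 1 ;;
    esac
    echo "iptables -A INPUT -i $dev -p tcp --dport $2 -j ACCEPT"
}

# Lint one FW_FORWARD entry for the two shapes criticised in the thread.
lint_forward() {
    split_entry "$1"
    if [ "$src" = "0/0" ] && is_private "$dst"; then
        echo "BAD: $1 forwards from anywhere to private $dst without NAT; use FW_FORWARD_MASQ for Internet access or an internal source net"
    elif [ -z "$proto" ]; then
        echo "WARN: $1 has no protocol/port, all traffic $src -> $dst is forwarded"
    else
        echo "OK: $1"
    fi
}

# Demo run over the entries that appear in the thread.
lint_forward "0/0,192.168.1.0/24"
lint_forward "192.168.1.0/24,192.168.5.2,tcp,80"
render_forward "192.168.1.0/24,192.168.5.2,tcp,80"
render_forward_masq "0/0,192.168.5.2,tcp,80"
render_service_tcp DMZ 80
```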
Hello Frédéric,

that was not too readable; it should be:

# 9.)
FW_SERVICES_EXT_TCP="80"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
#
FW_SERVICES_DMZ_TCP="80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
#
FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""

Thorsten
Question ... because indeed www = tcp, the FW_SERVICES_IP ... is it then used for VPN and router protocols?
Just a bit confused ;)
greets
On Fri, 2002-11-08 at 16:46, Chris FitzGerald wrote:
Question ... because indeed www = tcp
the FW_SERVICES_IP ...
Is it then used for VPN and router protocols?
just a bit confused ;)
greets
FW_SERVICES_[...]_IP is for accepting IP protocols, e.g. for IPSEC protocol 50 (ESP).

Thorsten
participants (5)

- Andreas J Mueller
- Chris FitzGerald
- Frédéric Poulet
- Thorsten Preuss
- Togan Muftuoglu