-----BEGIN PGP SIGNED MESSAGE----- Hi Frédéric!

if my public ip is 193.252.183.24 and i select URL http://193.252.183.24 in explore i must see my server web ?

That depends. *g* If you want to access your web server from a machine connected to the internal network (192.168.1.0/24), you need to give the _private_ IP address of the web server: http://192.168.5.2 If I would want to access your web server, I'd give the _public_ IP address of your firewall: http://193.252.183.24 There are two reasons for this: Access to the external/public IP of the firewall is prohibited from the internal network for security reasons, you will see a SuSE-FW-NO_ACCESS_INT->FW_EXT if you log dropped packets. Futhermore, the firewall does only DNAT (redirect) connections coming in from the masquerading interface (ppp0) to the web server in the DMZ. To be able to access your web server in the DMZ from the 192.168.1.0/24 net, you need to forward connections between the DMZ and the internal net. SuSEfirewall2 does not route anything between different subnets by default. Masquerading is not involved here, therefore you need at least to set FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80" This will allow access to port 80 on your web server from any machine in the 192.168.1.0/24 net. And, please set FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="yes" to be able to see what exactly is going wrong. Regards, Andy - -- Andreas J. Mueller email: PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.0 (MingW32) iQC9AwUBPcvSV/obN5o9QdlBAQEsnQU/eqHZxsw042zzMexHI+Oy+s5+22EsBii5 WHYO3RaLijOir4QuYj/J4j3UP478/HLl3S1R2t5cxrkViV6Zrkj1YcR67TaJ4hhX C7QbssvzCnKZ4wcu+q88wJr6r0ACrodk321JzVWEDH0uq/L28lY6ENBmmHullzjk AN5qjjL4A8ygKasv3ZK8lgZ/TDJ57mA+BpFhiNFsaYjn438ThT/qpBLdZVkGZzdP =NpL/ -----END PGP SIGNATURE-----

Hi Frédéric, can you see your webserver when you try to reach it with http://192.168.5.1/ from your internal zone? if not, can you reach it on the webserver itself with e.g. wget http://192.168.5.1/ ? Thorsten

I don't understand i don't see my server web and i read susefirewall.pdf but nothing ! Help, help, help ! ___________________________________________________________ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.com

My susefirewall2 file is : # 1.) # 2.) FW_DEV_EXT="ppp0" # 3.) FW_DEV_INT="eth1" # 4.) FW_DEV_DMZ="eth2" # 5.) FW_ROUTE="yes" #6 FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24" # 7.) FW_PROTECT_FROM_INTERNAL="no" # 8.) FW_AUTOPROTECT_SERVICES="yes" # 9.) FW_SERVICES_EXT_TCP="" FW_SERVICES_EXT_UDP="" FW_SERVICES_EXT_IP="" # FW_SERVICES_DMZ_TCP="80" FW_SERVICES_DMZ_UDP="80" FW_SERVICES_DMZ_IP="80" # FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP="" # 10.) FW_TRUSTED_NETS="" # 11.) FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" # 12.) FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no" # 13.) FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80" # 14.) FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80" # 15.) FW_REDIRECT="" # 16.) FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" # 17.) FW_KERNEL_SECURITY="yes" # 18.) FW_STOP_KEEP_ROUTING_STATE="no" # 19.) FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="yes" FW_ALLOW_PING_EXT="yes" ## # END of rc.firewall ## # # #-------------------------------------------------------------------------# # # # EXPERT OPTIONS - all others please don't change these! # # # #-------------------------------------------------------------------------# # # # # 20.) # Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall. # This is used for traceroutes to your firewall (or traceroute like tools). # # Please note that the unix traceroute only works if you say "yes" to # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say # additionally "yes" to FW_ALLOW_PING_FW # # Choice: "yes" or "no", defaults to "no" if not set. # FW_ALLOW_FW_TRACEROUTE="yes" # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Choice: "yes" or "no", defaults to "yes" # FW_ALLOW_FW_SOURCEQUENCH="yes" # # 22.) # Allow/Ignore IP Broadcasts? # # If set to yes, the firewall will not filter broadcasts by default. # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast # option is used. # If you do not want to allow them however ignore the annoying log entries, # set FW_IGNORE_FW_BROADCAST to yes. # # Choice: "yes" or "no", defaults to "no" if not set. # FW_ALLOW_FW_BROADCAST="no" # FW_IGNORE_FW_BROADCAST="yes" # # 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_CLASS_ROUTING="no" # # 25.) # Do you want to load customary rules from a file? # # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom # #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" ___________________________________________________________ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.com

Oops .. sorry ... FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80" is correct ... regards all the other changes have to be done. ... _____________________________________________ Make money while you work !!! No surfing required! http://www.degoo.com/index.php?refid=mersco This is for real !!! ----- Original Message ----- From: "Chris FitzGerald" To: Sent: Friday, November 08, 2002 4:41 PM Subject: Re: [suse-security] SuseFirewall2 DMZ

Hi,

Make these changes :

FW_SERVICES_EXT_TCP="80" FW_SERVICES_EXT_UDP="80" FW_SERVICES_EXT_IP="80"

This will allow Internetusers access to your webserver

FW_SERVICES_INT_TCP="80" FW_SERVICES_INT_UDP="80" FW_SERVICES_INT_IP="80"

This will allow your LAN to access the webserver

FW_FORWARD="" This is only for Public IP adresses so leave this empty

This should do the trick ;)

Regards Chris

_____________________________________________ Make money while you work !!! No surfing required! http://www.degoo.com/index.php?refid=mersco

This is for real !!! ----- Original Message ----- From: "Frédéric Poulet" To: Sent: Friday, November 08, 2002 4:36 PM Subject: Re: [suse-security] SuseFirewall2 DMZ

...

My susefirewall2 file is :

# 1.)

# 2.) FW_DEV_EXT="ppp0"

# 3.) FW_DEV_INT="eth1"

# 4.) FW_DEV_DMZ="eth2"

# 5.) FW_ROUTE="yes"

#6 FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.1.0/24 192.168.5.0/24"

# 7.) FW_PROTECT_FROM_INTERNAL="no"

# 8.) FW_AUTOPROTECT_SERVICES="yes"

# 9.) FW_SERVICES_EXT_TCP="" FW_SERVICES_EXT_UDP="" FW_SERVICES_EXT_IP="" # FW_SERVICES_DMZ_TCP="80" FW_SERVICES_DMZ_UDP="80" FW_SERVICES_DMZ_IP="80" # FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP=""

# 10.) FW_TRUSTED_NETS=""

# 11.) FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

# 12.) FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no"

# 13.) FW_FORWARD="192.168.1.0/24,192.168.5.2,tcp,80"

# 14.) FW_FORWARD_MASQ="0/0,192.168.5.2,tcp,80"

# 15.) FW_REDIRECT=""

# 16.) FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="no" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

# 17.) FW_KERNEL_SECURITY="yes"

# 18.) FW_STOP_KEEP_ROUTING_STATE="no"

# 19.) FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="yes" FW_ALLOW_PING_EXT="yes"

## # END of rc.firewall ##

# #

#-------------------------------------------------------------------------#

...

# # # EXPERT OPTIONS - all others please don't change these! # # #

#-------------------------------------------------------------------------#

...

# #

# # 20.) # Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall. # This is used for traceroutes to your firewall (or traceroute like tools). # # Please note that the unix traceroute only works if you say "yes" to # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say # additionally "yes" to FW_ALLOW_PING_FW # # Choice: "yes" or "no", defaults to "no" if not set. # FW_ALLOW_FW_TRACEROUTE="yes"

# # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Choice: "yes" or "no", defaults to "yes" # FW_ALLOW_FW_SOURCEQUENCH="yes"

# # 22.) # Allow/Ignore IP Broadcasts? # # If set to yes, the firewall will not filter broadcasts by default. # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast # option is used. # If you do not want to allow them however ignore the annoying log entries, # set FW_IGNORE_FW_BROADCAST to yes. # # Choice: "yes" or "no", defaults to "no" if not set. # FW_ALLOW_FW_BROADCAST="no" # FW_IGNORE_FW_BROADCAST="yes"

# # 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_CLASS_ROUTING="no"

# # 25.) # Do you want to load customary rules from a file? # # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom # #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

___________________________________________________________ Do You Yahoo!? -- Une adresse @yahoo.fr gratuite et en français ! Yahoo! Mail : http://fr.mail.yahoo.com

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here

Hello Frédéric, was not too good readable, should be: # 9.) FW_SERVICES_EXT_TCP="80" FW_SERVICES_EXT_UDP="" FW_SERVICES_EXT_IP="" # FW_SERVICES_DMZ_TCP="80" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" # FW_SERVICES_INT_TCP="80" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP="" Thorsten

On Fri, 2002-11-08 at 16:46, Chris FitzGerald wrote:

Question ... because indeed www = tcp

the FW_SERVICES_IP ...

Is it then used for VPN and routerprotocols ?

just a bit confused ;)

greets

FW_SERVICES_[...]_IP is for accepting IP protocols like e.g. for IPSEC Protocol 50 (ESP) Thorsten