SuSEfirewall2 blocks all external network traffic to or from any computer on my network, including the firewall machine itself
I have a problem that I haven't seen addressed in the archives. I have configured my gateway computer according to Scenario 3 (a small university wants to use masquerading to provide internet access to its internal network) in the EXAMPLES file with the following settings:
FW_DEV_EXT="eth0:0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/24"
Of course, I also set START_FW2="yes" in /etc/rc.config. Whenever I start the firewall, I am unable to ping the outside world from the gateway machine itself or from any machine configured to use it as a gateway. This configuration worked with SuSEfirewall(1), but now that I'm using kernel 2.4.16, I really think I ought to use SuSEfirewall2. -- Sebastian J. Bronner waschtl@sbronner.com
Sebastian J. Bronner wrote (on 27 Jan 2002 at 21:29):
I have a problem that I haven't seen addressed in the archives.
I have configured my gateway computer according to the Scenario 3 (a small university wants to use masquerading to provide internet access to its internal network) in the EXAMPLES file with the following settings:
FW_DEV_EXT="eth0:0" FW_DEV_INT="eth0"
That looks odd. Does the same Ethernet card point both to the LAN and to the Internet? T. -- -- Tony Crawford -- tc@crawfords.de -- +49-3341-30 99 99 --
On Monday 28 January 2002 00:34, you wrote:
Sebastian J. Bronner wrote (on 27 Jan 2002 at 21:29):
I have a problem that I haven't seen addressed in the archives.
I have configured my gateway computer according to the Scenario 3 (a small university wants to use masquerading to provide internet access to its internal network) in the EXAMPLES file with the following settings:
FW_DEV_EXT="eth0:0" FW_DEV_INT="eth0"
That looks odd. Does the same Ethernet card point both to the LAN and to the Internet?
Yes, it does. I know that this isn't an optimal configuration, as it can lead to traffic collisions, but it should still work (as it has in the past). -- Sebastian J. Bronner waschtl@sbronner.com
--- "Sebastian J. Bronner"
On Monday 28 January 2002 00:34, you wrote:
Sebastian J. Bronner wrote (on 27 Jan 2002 at 21:29):
I have a problem that I haven't seen addressed in the archives.
I have configured my gateway computer according to the Scenario 3 (a small university wants to use masquerading to provide internet access to its internal network) in the EXAMPLES file with the following settings:
FW_DEV_EXT="eth0:0" FW_DEV_INT="eth0"
That looks odd. Does the same Ethernet card point both to the LAN and to the Internet?
Yes, it does. I know that this isn't an optimal configuration, as it can lead to traffic collisions, but it should still work (as it has in the past).
Are you sure that this aliasing can work on different subnets? Eduard
On Monday 28 January 2002 01:43, Eduard Avetisyan wrote:
FW_DEV_EXT="eth0:0" FW_DEV_INT="eth0"
That looks odd. Does the same Ethernet card point both to the LAN and to the Internet?
Yes, it does. I know that this isn't an optimal configuration, as it can lead to traffic collisions, but it should still work (as it has in the past).
Are you sure that this aliasing can work on different subnets?
It's not aliasing, as such. This is the standard method for defining multiple IP addresses on one network card. Here is the output of "ip addr" to illustrate more fully:
1: lo:
* Sebastian J. Bronner wrote on Mon, Jan 28, 2002 at 01:23 -1000:
On Monday 28 January 2002 00:34, you wrote:
Sebastian J. Bronner wrote (on 27 Jan 2002 at 21:29):
I have a problem that I haven't seen addressed in the archives.
I have configured my gateway computer according to the Scenario 3 (a small university wants to use masquerading to provide internet access to its internal network) in the EXAMPLES file with the following settings:
FW_DEV_EXT="eth0:0" FW_DEV_INT="eth0"
Did you try: FW_DEV_EXT="eth0" FW_DEV_INT="eth0" ?
Yes, it does. I know that this isn't an optimal configuration, as it can lead to traffic collisions, but it should still work (as it has in the past).
Really cool statement: plugging the internal network into the big bad internet, configuring a firewall with a single network card and finally thinking about traffic collisions... hum. In your case, I would set up masq by IP range, not by interface. I don't know what SuSEfirewall does. oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
On Tuesday 29 January 2002 23:15, Steffen Dettmer wrote:
FW_DEV_EXT="eth0:0" FW_DEV_INT="eth0"
Did you try:
FW_DEV_EXT="eth0" FW_DEV_INT="eth0"
I have. It does not work either. It worked with SuSEfirewall(1), but now with SuSEfirewall2, the examples explicitly state that the eth0:0 syntax can be used.
Really cool statement: plugging the internal network into the big bad internet, configuring a firewall with a single network card and finally thinking about traffic collisions... hum.
At this point, I find your input hardly constructive. It seems as though you are trying to show everyone else what a great network administrator you are, rather than seriously trying to add to the pool of knowledge.
In your case, I would set up masq by IP range, not by interface. I don't know what SuSEfirewall does.
I have a script that works that I can use until I get SuSEfirewall2 working, but that is not an optimal configuration, as it does not integrate nicely with the other processes, but is rather tacked on to the booting process as an afterthought. In SuSEfirewall, masquerading is performed on the indicated interfaces, but limited to a subnet specified with another variable. -- Sebastian J. Bronner waschtl@sbronner.com
* Sebastian J. Bronner wrote on Wed, Jan 30, 2002 at 02:03 -1000:
On Tuesday 29 January 2002 23:15, Steffen Dettmer wrote:
FW_DEV_EXT="eth0:0" FW_DEV_INT="eth0"
Did you tried:
FW_DEV_EXT="eth0" FW_DEV_INT="eth0"
I have. It does not work either. It worked with SuSEfirewall(1), but now with SuSEfirewall2, the examples explicitly state that the eth0:0 syntax can be used.
Huh?! The example says "eth0:0" is a device? I think it's only some syntax for ifconfig and similar tools. There is no difference between eth0:0 and eth0 except the IP. I cannot imagine that SuSEfirewall2 states that eth0:0 is a device (otherwise it would be a good idea not to use it :) SCNR). But maybe it's just some shorthand for something. Who knows.
Really cool statement: plugging the internal network into the big bad internet, configuring a firewall with a single network card and finally thinking about traffic collisions... hum.
At this point, I find your input hardly constructive.
Yes, you're right, not a very constructive thing to say. But it is not entirely wrong. Single-NIC firewalls are not real firewalls, since they are not able to really drop any packets, since it's the same wire.
It seems as though you are trying to show everyone else what a great network administrator you are, rather than seriously trying to add to the pool of knowledge.
Now you are not constructive. And this is not a statement you are "allowed" to make as the one asking the question. I spent my free time trying to help you, and you come with such things; this is not nice.
I have a script that works that I can use until I get SuSEfirewall2 working, but that is not an optimal configuration, as it does not integrate nicely with the other processes,
What does this mean? You made a small script that sets up some firewall rules? Why isn't this integrating nicely?
but is rather tacked on to the booting process as an afterthought. In SuSEfirewall, masquerading is performed on the indicated interfaces, but limited to a subnet specified with another variable.
like "--source $home --dest ! $home --dev device"? In this case, the device usually shouldn't matter at all. I don't think it's very logical to do address translation "on" an interface. Well, at least you can now compare your rules with the rules generated by SuSEfirewall and adapt Sfw2 to your needs. oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
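The two points made in this message, that "eth0:0" is not a netfilter device and that masquerading on a single card should be keyed on addresses rather than on interfaces, as an added example. This script is not SuSEfirewall2's own code and not from the thread; it takes the Scenario 3 values from the first post, strips the ":0" alias suffix before handing a device name to iptables, and writes rules that match on the FW_MASQ_NETS range. The helper names (base_dev, same_wire, ipt, masq_rules), the DRY_RUN switch and the current iptables "! -d" negation syntax are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2 code): address-based masquerading rules
# for a gateway whose LAN and Internet addresses sit on the same card.
# Scenario 3 values from the thread; helper names and DRY_RUN are assumed.
FW_DEV_EXT="eth0:0"
FW_DEV_INT="eth0"
FW_MASQ_NETS="192.168.0.0/24"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands, 0 = load them (needs root)

# "eth0:0" is only the ifconfig label for a second address on eth0; netfilter
# has no such device, so -i/-o must be given the base name.
base_dev() { printf '%s\n' "$1" | cut -d: -f1; }

# true when both configured "interfaces" are the same physical card
same_wire() { [ "$(base_dev "$1")" = "$(base_dev "$2")" ]; }

# print or execute one iptables invocation
ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

enable_forwarding() {
    if [ "$DRY_RUN" = 1 ]; then echo 'echo 1 > /proc/sys/net/ipv4/ip_forward'
    else echo 1 > /proc/sys/net/ipv4/ip_forward; fi
}

masq_rules() {
    ext=$(base_dev "$FW_DEV_EXT")
    if same_wire "$FW_DEV_EXT" "$FW_DEV_INT"; then
        echo "# single card: interface matches cannot separate LAN from Internet, relying on addresses" >&2
    fi
    enable_forwarding
    ipt -t nat -F POSTROUTING
    ipt -F FORWARD
    ipt -P FORWARD DROP
    for net in $FW_MASQ_NETS; do
        # translate only packets that leave the masqueraded range; -o is
        # harmless on one card and becomes meaningful once the Internet side
        # gets its own NIC
        ipt -t nat -A POSTROUTING -s "$net" ! -d "$net" -o "$ext" -j MASQUERADE
        ipt -A FORWARD -s "$net" ! -d "$net" -j ACCEPT
        ipt -A FORWARD -d "$net" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
}

masq_rules
```

Run it as-is to see the rule set; run it with DRY_RUN=0 as root to load it. Note that address-based rules make NAT work on the shared wire, but they do not make the box a barrier: any LAN host with a route past the gateway still reaches the Internet without passing through these chains, which is the objection raised above.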
On Thursday 31 January 2002 09:21, Steffen Dettmer wrote:
* Sebastian J. Bronner wrote on Wed, Jan 30, 2002 at 02:03 -1000:
On Tuesday 29 January 2002 23:15, Steffen Dettmer wrote:
Huh?! The example says "eth0:0" is a device? I think it's only some syntax for ifconfig and similar tools. There is no difference between eth0:0 and eth0 except the IP.
So the poster can filter on destination address, rather than interface, if the netfilter code doesn't understand eth0:0 aliasing.
Yes, you're right, not very constructive saying. But this is not entirely wrong. Single-NIC firewalls are no real firewalls, since they are not able to really drop any packets, since it's the same wire.
They're not entirely useless though, so long as he can be sure of the address allocation of the protected hosts. A virtual subnet can be a useful stepping stone towards a cleaner configuration; it's better than doing nothing. As for collisions, if he has a full duplex connection on a switching hub, that is hardly going to be a problem.
like "--source $home --dest ! $home --dev device"? In this case, the device usually shouldn't matter at all. I don't think it's
Choose either rules based on addresses, or rules based on devices, but be consistent. Rob
On Wednesday 30 January 2002 23:21, Steffen Dettmer wrote:
I cannot imagine that SuSEfirewall2 states that eth0:0 is a device (otherwise it would be a good idea not to use it :) SCNR). But maybe it's just some shorthand for something. Who knows.
I'm guessing that it should work either way.
Now you are not constructive. And this is not a statement you are "allowed" to make as the one asking the question. I spent my free time trying to help you, and you come with such things; this is not nice.
You are correct as well. I should accept the non-constructive with the constructive. I guess that makes us even.
What does this mean? You made a small script that sets up some
I didn't make it. It's taken verbatim from http://www.linuxdoc.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html I don't trust it as much as I would trust SuSEfirewall's script, after all SuSE (hopefully) spent a lot of time on it, working out all the different contingencies.
firewall rules? Why isn't this integrating nicely?
I put a symlink to it in /etc/init.d/boot.d/ so it starts on bootup, instead of controlling it from /etc/rc.config (preferable) like SuSEfirewall{1,2}
like "--source $home --dest ! $home --dev device"? In this case, the device usually shouldn't matter at all. I don't think it's very logical to do address translation "on" an interface. Well, at
As I have only marginal experience with firewalls, I cannot explain to you why the configuration file is the way it is either.
least you can now compare your rules with the rules generated by SuSEfirewall and adapt Sfw2 to your needs.
Perhaps. I guess I will keep hacking at it until it works (or SuSE releases another version (whichever comes first)). -- Sebastian J. Bronner waschtl@sbronner.com
participants (5)
- Eduard Avetisyan
- Robert Davies
- Sebastian J. Bronner
- Steffen Dettmer
- Tony Crawford