Hello,

I want to connect two networks via OpenVPN. Each network is connected over a SUSE Linux 9.2 router to the internet. On each router I created a tap0 device for the OpenVPN connection and bridged it to the eth0 device, which is the device to the internal network. Everything works fine, but I have problems with the firewall. I can ping router 1 from router 2 and router 2 from router 1. If I try to ping a PC behind router 1 from router 2, or the other way round, it doesn't work. In the log file I get the following message:

SFW2-FWDint-DROP-ICMP-CRIT IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.0.1 DST=192.168.1.50 ..........

Broadcasts were also filtered.

Does somebody know how to configure SuSEfirewall2 so that all traffic from PHYSIN=tap0 to PHYSOUT=eth0, and the other way round, with a source address of the internal network can go through the firewall?

Thanks in advance
Marc
Marc Rieber wrote:
> I want to connect two networks via OpenVPN. Each network is connected over a SUSE Linux 9.2 router to the internet. On each router I created a tap0 device for the OpenVPN connection and bridged it to the eth0 device, which is the device to the internal network. Everything works fine, but I have problems with the firewall. I can ping router 1 from router 2 and router 2 from router 1. If I try to ping a PC behind router 1 from router 2, or the other way round, it doesn't work. In the log file I get the following message:
>
> SFW2-FWDint-DROP-ICMP-CRIT IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.0.1 DST=192.168.1.50 ..........
>
> Broadcasts were also filtered.
>
> Does somebody know how to configure SuSEfirewall2 so that all traffic from PHYSIN=tap0 to PHYSOUT=eth0, and the other way round, with a source address of the internal network can go through the firewall?

SuSEfirewall2 doesn't support forwarding based on interfaces yet, FW_FORWARD only accepts IPs. You'll have to use FW_CUSTOMRULES. Alternatively write a patch for SuSEfirewall2 and send it to me :-)

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
Hello,

Ludwig Nussel wrote:
> Marc Rieber wrote:
>> I want to connect two networks via OpenVPN. Each network is connected over a SUSE Linux 9.2 router to the internet. On each router I created a tap0 device for the OpenVPN connection and bridged it to the eth0 device, which is the device to the internal network. Everything works fine, but I have problems with the firewall. I can ping router 1 from router 2 and router 2 from router 1. If I try to ping a PC behind router 1 from router 2, or the other way round, it doesn't work. In the log file I get the following message:
>>
>> SFW2-FWDint-DROP-ICMP-CRIT IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.0.1 DST=192.168.1.50 ..........
>>
>> Broadcasts were also filtered.
>>
>> Does somebody know how to configure SuSEfirewall2 so that all traffic from PHYSIN=tap0 to PHYSOUT=eth0, and the other way round, with a source address of the internal network can go through the firewall?
>
> SuSEfirewall2 doesn't support forwarding based on interfaces yet, FW_FORWARD only accepts IPs. You'll have to use FW_CUSTOMRULES. Alternatively write a patch for SuSEfirewall2 and send it to me :-)

I don't know very much about iptables, therefore maybe somebody can help me to configure the SuSEfirewall2-custom script. I think I must use something like

iptables -A FORWARD -m physdev --physdev-in tap0 --physdev-out eth0 -j ACCEPT

In which section of the SuSEfirewall2-custom script do I have to put the iptables commands? I have the following configuration for my two networks. Network A has the address range 192.168.1.0/16 and network B has 192.168.0.0/16. I want the DHCP requests filtered and not routed through the bridge, because on each router there is its own DHCP server running. All other IP traffic coming from network 192.168.0.0/16 should be forwarded from tap0 to eth0. Also all broadcasts should be forwarded, because I want to use Windows file sharing over the VPN tunnel.

Kind regards
Marc Rieber
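Added example, not code from this thread or from SuSEfirewall2 itself: a SuSEfirewall2-custom fragment (enabled through FW_CUSTOMRULES) that does what is described above with physdev matches, dropping DHCP across the bridge before the site-to-site ACCEPT rules. It assumes tap0 and eth0 are both ports of br0, that bridged frames traverse iptables (bridge-nf), that the hook name fw_custom_before_denyall matches the template shipped with the reader's version, and the LAN ranges are placeholders to be replaced.

```shell
#!/bin/sh
# Added example, not code from the thread or from SuSEfirewall2 itself.
# Intended for /etc/sysconfig/scripts/SuSEfirewall2-custom with FW_CUSTOMRULES
# pointing at it. Assumptions: tap0 and eth0 are both ports of br0, bridged
# frames pass through iptables (bridge-nf), and the hook fw_custom_before_denyall
# exists under that name in the reader's SuSEfirewall2-custom template.

IPTABLES=${IPTABLES:-iptables}
VPN_IF=tap0                               # bridge port facing the tunnel
LAN_IF=eth0                               # bridge port facing the local LAN
REMOTE_LAN=${REMOTE_LAN:-192.168.0.0/24}  # placeholder: the other site's range
LOCAL_LAN=${LOCAL_LAN:-192.168.1.0/24}    # placeholder: this site's range

# One rule argument list per line, in the order the packets must meet them.
# The DHCP drops come first: a DHCP offer from the remote server has a source
# inside REMOTE_LAN and would otherwise be let through by the ACCEPT below.
sfw2_bridge_rules() {
    printf '%s\n' "-p udp --dport 67:68 -m physdev --physdev-in $VPN_IF -j DROP"
    printf '%s\n' "-p udp --dport 67:68 -m physdev --physdev-out $VPN_IF -j DROP"
    # Tunnel -> LAN and LAN -> tunnel, each restricted to its own site's sources;
    # broadcasts (e.g. NetBIOS name service) match too, as they carry a LAN source.
    printf '%s\n' "-s $REMOTE_LAN -m physdev --physdev-in $VPN_IF --physdev-out $LAN_IF -j ACCEPT"
    printf '%s\n' "-s $LOCAL_LAN -m physdev --physdev-in $LAN_IF --physdev-out $VPN_IF -j ACCEPT"
}

# Insert at ascending positions at the head of FORWARD, so the rules match
# before SuSEfirewall2 jumps into its own forward_int chain (the one that
# logged the FWDint-DROP) and keep the order printed above.
sfw2_apply_bridge_rules() {
    n=1
    sfw2_bridge_rules | while read -r rule; do
        # $rule is deliberately unquoted: it must split into separate arguments
        $IPTABLES -I FORWARD "$n" $rule
        n=$((n + 1))
    done
}

# Hook that SuSEfirewall2 calls from the custom script before its final deny rules.
fw_custom_before_denyall() {
    sfw2_apply_bridge_rules
}

# Dry run for inspection: SFW2_SHOW_RULES=1 sh SuSEfirewall2-custom
if [ "${SFW2_SHOW_RULES:-0}" = 1 ]; then
    sfw2_bridge_rules
fi
```

Setting IPTABLES=echo before calling sfw2_apply_bridge_rules prints the exact insert commands without touching the live ruleset.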
Is SuSE doing development on SuSEfirewall2, or just maintaining it? I've been doing some work with SuSEfirewall2, and I've found some shortcomings or missing features. I was wondering what to do with this, forking on my own or contributing back to SuSE.

Andres

On Thu, 2005-04-07 at 10:59 +0200, Ludwig Nussel wrote:
> Marc Rieber wrote:
>> I want to connect two networks via OpenVPN. Each network is connected over a SUSE Linux 9.2 router to the internet. On each router I created a tap0 device for the OpenVPN connection and bridged it to the eth0 device, which is the device to the internal network. Everything works fine, but I have problems with the firewall. I can ping router 1 from router 2 and router 2 from router 1. If I try to ping a PC behind router 1 from router 2, or the other way round, it doesn't work. In the log file I get the following message:
>>
>> SFW2-FWDint-DROP-ICMP-CRIT IN=br0 OUT=br0 PHYSIN=tap0 PHYSOUT=eth0 SRC=192.168.0.1 DST=192.168.1.50 ..........
>>
>> Broadcasts were also filtered.
>>
>> Does somebody know how to configure SuSEfirewall2 so that all traffic from PHYSIN=tap0 to PHYSOUT=eth0, and the other way round, with a source address of the internal network can go through the firewall?
>
> SuSEfirewall2 doesn't support forwarding based on interfaces yet, FW_FORWARD only accepts IPs. You'll have to use FW_CUSTOMRULES. Alternatively write a patch for SuSEfirewall2 and send it to me :-)
>
> cu
> Ludwig
Andres tarallo wrote:
> Is SuSE doing development on SuSEfirewall2, or just maintaining it?

It was almost dead for quite some time but now it's in development again.

> I've been doing some work with SuSEfirewall2, and I've found some shortcomings or missing features. I was wondering what to do with this, forking on my own or contributing back to SuSE.

Send patches to me. You can find the current development version at http://www.suse.de/~lnussel/SuSEfirewall2/ or people/lnussel on the ftp server.

cu
Ludwig