3 SuSEfirewall2 questions
Hi list. This is my 2nd try. I hope this time I get some answers ;-)

I have 3 questions about SuSEfirewall2. This is a SuSE Linux 8.1 system.

1) What is NEW_FW_MASQ_DEV good for? I have in my /etc/sysconfig/SuSEfirewall2 FW_DEV_EXT="eth0 eth0:3" and FW_MASQ_DEV="$FW_DEV_EXT", but in /sbin/SuSEfirewall2 (from SuSEfirewall2-3.1-26) FW_MASQ_DEV is "filtered" and eth0:3 discarded. So after this filtering I have only FW_MASQ_DEV="eth0". Is this needed/wanted? Why?

==========

2) I'm trying to connect from a public external ip (a) to a private internal masqueraded ip, over the public ip address (b) at eth0:3. From tcpdump on both the external and internal devices, packets are being correctly forwarded from ext to int, but when responses arrive at the internal device they are being dropped on the last forward_int chain rule. For this to work I have set on /etc/sysconfig/SuSEfirewall2 FW_FORWARD_MASQ="1.2.3.4,192.168.30.15,tcp,2222,22,5.6.7.8" where 1.2.3.4 is the ext source public ip (a) and 5.6.7.8 is the public ip address (b). Does someone have any clue?

==========

3) What do _ext/_int/_dmz mean on forward_xxx or input_xxx? [forward|input]_packets_COMING_FROM_xxx or [forward|input]_packets_GOING_TO_xxx???

Many thanks,
Richard

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
* Richard Ems wrote on Tue, Jan 21, 2003 at 18:32 +0100:

> 1) What is NEW_FW_MASQ_DEV good for?

I don't know. Isn't there documentation for SuSEfirewall2?

> FW_DEV_EXT="eth0 eth0:3" "filtered" and eth0:3 discarded. So after this filtering I have only FW_MASQ_DEV="eth0".

eth0:3 isn't a device but an alias IP. eth0 and eth0:anything is always the same device (you cannot know on which of the logical devices a packet gets received :))

> 2) I'm trying to connect from a public external ip (a) to a private internal masqueraded ip, over the public ip address (b) at eth0:3.
> From tcpdump on both the external and internal devices, packets are being correctly forwarded from ext to int, but when responses arrive at the internal device they are being dropped on the last forward_int chain rule.

I didn't understand your setup completely, but shouldn't the response packet get masqueraded?

> For this to work I have set on /etc/sysconfig/SuSEfirewall2 FW_FORWARD_MASQ="1.2.3.4,192.168.30.15,tcp,2222,22,5.6.7.8"

huh, what does the "tcp" do in a masq rule? I do not know SuSEfirewall2 at all, but Masq is done on IP level and works without knowledge of the encapsulated protocol, so you can also ping through masq :)

oki,

Steffen

--
This message was produced by machine and therefore bears neither signature nor seal.
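The two points raised in the thread (an alias name like eth0:3 collapsing to its parent device, and the DNAT plus the two FORWARD rules that a port-forward entry like Richard's FW_FORWARD_MASQ line needs, including the return path for the replies) can be made concrete in a few lines of shell. The script below is an added example for this thread, not code from the SuSEfirewall2 script or from either poster. It assumes the field order of FW_FORWARD_MASQ is source,destination,protocol,external-port,internal-port,external-ip (read off the posted example; the script's real format is not quoted here), uses eth0 and a hypothetical eth1 as the external and internal devices, and by default only echoes the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2's own code): normalise device lists the way
# netfilter needs them and expand one FW_FORWARD_MASQ-style entry into raw
# iptables rules. Dry run by default: set IPT=iptables to actually apply.
IPT="${IPT:-echo iptables}"

# "eth0 eth0:3" -> "eth0": netfilter matches real interfaces only, an alias
# such as eth0:3 is just an extra address on eth0, so strip ":N" and dedupe.
real_devs() {
    for d in $1; do
        printf '%s\n' "${d%%:*}"
    done | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Usage: forward_masq_rules "src,dst,proto,extport[,intport[,extip]]" EXT_DEV INT_DEV
# Field layout is an assumption based on the entry quoted in the thread.
forward_masq_rules() {
    entry=$1; ext_dev=$2; int_dev=$3
    oldIFS=$IFS; IFS=,
    set -- $entry
    IFS=$oldIFS
    src=$1; dst=$2; proto=$3; extport=$4; intport=${5:-$4}; extip=$6
    if [ -n "$extip" ]; then extmatch="-d $extip"; else extmatch=""; fi

    # 1. Rewrite the destination of the incoming connection before routing.
    $IPT -t nat -A PREROUTING -i "$ext_dev" -s "$src" $extmatch -p "$proto" --dport "$extport" \
        -j DNAT --to-destination "$dst:$intport"
    # 2. Let the rewritten packets cross FORWARD from the external to the internal side.
    $IPT -A FORWARD -i "$ext_dev" -o "$int_dev" -s "$src" -d "$dst" -p "$proto" --dport "$intport" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # 3. Let the replies cross FORWARD back out; conntrack undoes the DNAT on them.
    #    Without this rule the replies hit the chain's final DROP, which is the
    #    symptom described in question 2.
    $IPT -A FORWARD -i "$int_dev" -o "$ext_dev" -s "$dst" -d "$src" -p "$proto" --sport "$intport" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sample run with the values from the thread (constructed usage, dry run).
EXT_DEV=$(real_devs "eth0 eth0:3")
forward_masq_rules "1.2.3.4,192.168.30.15,tcp,2222,22,5.6.7.8" "$EXT_DEV" eth1
```

Running it prints three iptables commands: the PREROUTING DNAT matching the external address 5.6.7.8 and port 2222, and the two FORWARD accepts, one per direction. Note that the replies are matched on the state module, not on any interface alias, which is why the alias name cannot appear in the rules in the first place.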
participants (2):
- Richard Ems
- Steffen Dettmer