RE: SuSEfirewall2: external ip aliases with forward / masq?
I tried these configs, and having the aliases eth0:1 and eth0:2 only in FW_DEV_DMZ, all I got was SuSE-FW-UNAUTHORIZED-TARGET, and by adding eth0 in there as well I got SuSE-FW-DROP-SPOOF messages in my logfile. By putting the aliases in FW_DEV_EXT I obtained more progress, in that I can now see SuSE-FW-ACCEPT-TRUST inbound messages from my test machine (emulated vendor) destined for the ip address of the eth0:1 alias, but a complete lack of the FW_FORWARD_MASQ operation happening.

According to all the examples I've looked at, it seems the first ip address in each line of FW_FORWARD_MASQ must be the outside address coming in (i.e. my vendor who wants to get to one of my internal pcanywhere hosts), and the second address in each FW_FORWARD_MASQ line is the internal address of the destination internal host. I guess what I need is a way to specify three ip addresses for each forward_masq operation: first the originating source address, secondly the external ip alias on the firewall, and thirdly the interior ip address of the particular pcanywhere host, something like:

    vendor's ip address        = x.y.z.123
    external ip of eth0        = a.b.c.100
    external ip of eth0:1      = a.b.c.101
    external ip of eth0:2      = a.b.c.102
    interior pcanywhere host 1 = 192.168.1.10
    interior pcanywhere host 2 = 192.168.1.11
    interior pcanywhere host 3 = 192.168.1.12

If only FW_FORWARD_MASQ supported the concept of three addresses, such as:

    source_ip,firewalls_external_ip,interior_destination_ip,protocol,portnumber

then I'd be really happy.

    FW_FORWARD_MASQ = "x.y.z.123,a.b.c.100,192.168.1.10,tcp,5631 \
                       x.y.z.123,a.b.c.100,192.168.1.10,udp,5632 \
                       x.y.z.123,a.b.c.101,192.168.1.11,tcp,5631 \
                       x.y.z.123,a.b.c.101,192.168.1.11,udp,5632 \
                       x.y.z.123,a.b.c.102,192.168.1.12,tcp,5631 \
                       x.y.z.123,a.b.c.102,192.168.1.12,udp,5632"

But alas, it only supports two ip addresses, the originating source and the final internal destination, like:

    FW_FORWARD_MASQ = "x.y.z.123,192.168.1.10,tcp,5631 \
                       x.y.z.123,192.168.1.10,udp,5632"

and putting the external firewall address in the first part doesn't work.

If anyone has any other ideas for making such a scenario work, I'd sure appreciate the help. Otherwise I guess I'm going to go back to the single external ip on the firewall with alternate port numbers for my various interior pcanywhere hosts, and just tell my vendor that his poor little childish support staff are just going to have to learn how to deal with using alternate ports in their pca remotes, that this is all I can support on my end, and if he wants to continue to get my business he'll have to do things my way.

-----Original Message-----
From: Togan Muftuoglu
Sent: Tuesday, November 26, 2002 5:37 PM
To: Suse-Security
Subject: Re: [suse-security] SuSEfirewall2: external ip aliases with forward / masq?

* Howard, Neal; <nhoward@cwftx.net> on 26 Nov, 2002 wrote:
I'll try it out tomorrow, it's been a long day here in Texas too and my brain hurts right now!
I know the feeling :-)
I'm guessing I should use the external ip aliases in the first part of each stanza of FW_FORWARD_MASQ instead of putting the vendor's ip address in that place like I was doing?
Now although I said
FW_DEV_EXT="eth0 eth0:1 eth0:2"
It's better to have the aliases eth0:1 and eth0:2 in FW_DEV_DMZ and then FW_FORWARD_MASQ them for the vendor. This way it should be both secure and doable (cross your fingers).

--
Togan Muftuoglu

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
* Howard, Neal; <nhoward@cwftx.net> on 27 Nov, 2002 wrote:
but alas, it only supports two ip addresses of originating source and final internal destination like:
    FW_FORWARD_MASQ = "x.y.z.123,192.168.1.10,tcp,5631 \
                       x.y.z.123,192.168.1.10,udp,5632"
Actually there is one more parameter that you can use, which is the destination port:

    x.y.z.123,192.168.1.10,tcp,5631,5858
    source_ip,destination_ip,protocol,destination_port,redirected_port

This will mean you will be setting the pcanywhere ports on your machines.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi Neal!

Sorry if I'm a little bit late on your specific problem, but nevertheless:
If only the FW_FORWARD_MASQ supported the concept of three addresses such as: source_ip,firewalls_external_ip,interior_destination_ip,protocol,portnumber
Well, in that case you might consider upgrading to the SuSEfirewall2 supplied with SuSE Linux 8.1, which allows exactly that:

    # [...]
    # Optional is a port after the destination port, to redirect the request to
    # a different destination port on the destination IP, e.g.
    # "4.0.0.0/8,1.1.1.1,tcp,80,81"
    #
    # Optional is an target IP address on which should the masquerading be decided.
    # You have to set the optional port option to use this.
    #
    # Example:
    # 200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202
    # The class C network 200.200.200.0/24 trying to access 202.202.202.202 port
    # 80 will be forwarded to the internal server 10.0.0.10 on port 81.

For you that would be "source_ip,interior_destination_ip,protocol,portnumber,portnumber (again),firewalls_external_ip".

Please note that a few other things have changed with the new firewall script, most notably the FW_SERVICE_{DNS,DHCLIENT,DHCPD,SQUID,SAMBA} options. If you don't want to or cannot upgrade, I could send you a modified /sbin/SuSEfirewall2 which includes *only* the above mentioned FW_FORWARD_MASQ semantics from the new version.

Regards,
Andy

--
Andreas J. Mueller
email: <andy@muelli.net>
PGP RSA Public Key ID 0x3D41D941
FP: ED261973D51D3D20 C840B0542E69F602
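The six-field FW_FORWARD_MASQ form Andy quotes (source, internal destination, protocol, port, redirected port, and the firewall address the rule is tied to) is easy to get subtly wrong by hand, as the stray "192,168,1,10" in the earlier config shows. The following is an added example, not part of this thread or of the SuSEfirewall2 script: a small Python parser that validates entries in the 4-, 5- and 6-field forms and prints the iptables rules each one corresponds to. The rule shape (a PREROUTING DNAT plus a matching FORWARD accept) is my assumption about what the script generates, not its actual code, and the sample addresses (vendor 203.0.113.123, firewall aliases 198.51.100.100 to .102, internal hosts 192.168.1.10 to .12) are constructed documentation-range placeholders standing in for Neal's x.y.z / a.b.c values.

```python
"""Validate SuSEfirewall2 FW_FORWARD_MASQ entries and show the iptables rules
they correspond to.  Added example; not the SuSEfirewall2 script.  The rule
shape (PREROUTING DNAT + FORWARD ACCEPT) is an assumption, not the script's code.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ForwardMasq:
    source: str                    # field 1: host or network allowed in
    destination: str               # field 2: internal host traffic is sent to
    protocol: str                  # field 3: tcp or udp
    port: int                      # field 4: port the source connects to
    redirect_port: Optional[int]   # field 5 (optional): port on the internal host
    external_ip: Optional[str]     # field 6 (optional): firewall address matched on


def _port(text: str, token: str) -> int:
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError(f"{token!r}: port {port} out of range")
    return port


def parse_forward_masq(value: str) -> List[ForwardMasq]:
    """Split a quoted FW_FORWARD_MASQ value into validated entries.

    Backslash line continuations are tolerated.  A wrong field count, a bad
    address or an unknown protocol raises ValueError, so a typo such as
    192,168,1,10 is rejected instead of silently producing a wrong rule.
    """
    entries = []
    for token in value.replace("\\", " ").split():
        fields = token.split(",")
        if len(fields) not in (4, 5, 6):
            raise ValueError(
                f"{token!r}: expected 4 to 6 comma-separated fields, got {len(fields)}")
        source, destination, protocol = fields[0], fields[1], fields[2].lower()
        ipaddress.ip_network(source, strict=False)   # single host or CIDR network
        ipaddress.ip_address(destination)            # must be one internal host
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"{token!r}: protocol must be tcp or udp")
        port = _port(fields[3], token)
        redirect_port = _port(fields[4], token) if len(fields) >= 5 else None
        external_ip = fields[5] if len(fields) == 6 else None   # needs field 5 present
        if external_ip is not None:
            ipaddress.ip_address(external_ip)
        entries.append(ForwardMasq(source, destination, protocol, port,
                                   redirect_port, external_ip))
    return entries


def to_iptables(entry: ForwardMasq) -> List[str]:
    """Return the two iptables commands an entry corresponds to (assumed shape)."""
    dnat = ["iptables", "-t", "nat", "-A", "PREROUTING", "-s", entry.source,
            "-p", entry.protocol, "--dport", str(entry.port)]
    if entry.external_ip:
        # Only traffic to this one alias is rewritten, not to every firewall address.
        dnat += ["-d", entry.external_ip]
    target = entry.destination
    if entry.redirect_port is not None:
        target += f":{entry.redirect_port}"
    dnat += ["-j", "DNAT", "--to-destination", target]
    inside_port = entry.redirect_port or entry.port
    forward = ["iptables", "-A", "FORWARD", "-s", entry.source, "-d", entry.destination,
               "-p", entry.protocol, "--dport", str(inside_port), "-j", "ACCEPT"]
    return [" ".join(dnat), " ".join(forward)]


# Constructed sample in the SuSE Linux 8.1 syntax: one vendor host reaching three
# internal pcanywhere hosts through three firewall aliases.
SAMPLE = """203.0.113.123,192.168.1.10,tcp,5631,5631,198.51.100.100 \\
203.0.113.123,192.168.1.10,udp,5632,5632,198.51.100.100 \\
203.0.113.123,192.168.1.11,tcp,5631,5631,198.51.100.101 \\
203.0.113.123,192.168.1.11,udp,5632,5632,198.51.100.101 \\
203.0.113.123,192.168.1.12,tcp,5631,5631,198.51.100.102 \\
203.0.113.123,192.168.1.12,udp,5632,5632,198.51.100.102"""


def main() -> None:
    for entry in parse_forward_masq(SAMPLE):
        for rule in to_iptables(entry):
            print(rule)


if __name__ == "__main__":
    main()
```

Run it to see that each alias maps to exactly one internal host, and try feeding it the "192,168,1,10" line to see the parser refuse it. Because field 6 is only read when field 5 is present, the parser enforces the "you have to set the optional port option" rule from the quoted comment.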