RE: SuSEfirewall2: external ip aliases with forward / masq?
I tried these configs and having the aliases eth0:1 and eth0:2 only in
FW_DEV_DMZ and all I got was SuSE-FW-UNAUTHORIZED-TARGET and by adding eth0
in there as well got me SuSE-FW-DROP-SPOOF messages in my logfile. By
putting the aliases in FW_DEV_EXT, I obtained more progress in that I can
now see SuSE-FW-ACCEPT-TRUST inbound messages from my test machine (emulated
vendor) and destined for the ip address of the eth0:1 alias, but a complete
lack of the FW_FORWARD_MASQ operation happening. According to all the
examples I've looked at, it seems the first ip address in each line of
FW_FORWARD_MASQ must be the outside address coming in (i.e. my vendor who
wants to get to one of my internal pcanywhere hosts), and the second
address in each FW_FORWARD_MASQ line is the internal address of the
destination internal host. I guess what I need is a way to specify three ip
addresses for each forward_masq operation, first the originating source
address, secondly the external ip alias on the firewall, and thirdly the
interior ip address of the particular pcanywhere host something like:
vendor's ip address = x.y.z.123
external ip of eth0 = a.b.c.100
external ip of eth0:1 = a.b.c.101
external ip of eth0:2 = a.b.c.102
interior pcanywhere host 1 = 192.168.1.10
interior pcanywhere host 2 = 192.168.1.11
interior pcanywhere host 3 = 192.168.1.12
If only the FW_FORWARD_MASQ supported the concept of three addresses such
as:
source_ip,firewalls_external_ip,interior_destination_ip,protocol,portnumber
then I'd be really happy.
FW_FORWARD_MASQ = "x.y.z.123,a.b.c.100,192.168.1.10,tcp,5631 \
x.y.z.123,a.b.c.100,192.168.1.10,udp,5632 \
x.y.z.123,a.b.c.101,192.168.1.11,tcp,5631 \
x.y.z.123,a.b.c.101,192.168.1.11,udp,5632 \
x.y.z.123,a.b.c.102,192.168.1.12,tcp,5631 \
x.y.z.123,a.b.c.102,192.168.1.12,udp,5632"
but alas, it only supports two ip addresses of originating source and final
internal destination like:
FW_FORWARD_MASQ = "x.y.z.123,192.168.1.10,tcp,5631 \
x.y.z.123,192.168.1.10,udp,5632"
and putting the external firewall address in the first part doesn't work.
If anyone has any other ideas of making such a scenario work, I'd sure
appreciate the help, otherwise I guess I'm going to go back to the single
external ip on the firewall with alternate port numbers for my various
interior pcanywhere hosts and just tell my vendor that his poor little
childish support staff are just going to have to learn how to deal with
using alternate ports in their pca remotes, that this is all I can support
on my end and if he wants to continue to get my business he'll have to do
things my way.
-----Original Message-----
From: Togan Muftuoglu
Sent: Tuesday, November 26, 2002 5:37 PM
To: Suse-Security
Subject: Re: [suse-security] SuSEfirewall2: external ip aliases with forward / masq?

* Howard, Neal;
> I'll try it out tomorrow, it's been a long day here in Texas too and my brain hurts right now!

I know the feeling :-)

> I'm guessing I should use the external ip aliases in the first part of each stanza of FW_FORWARD_MASQ instead of putting the vendor's ip address in that place like I was doing?

Now although I said

FW_DEV_EXT="eth0 eth0:1 eth0:2"

It's better to have the aliases eth0:1 and eth0:2 in FW_DEV_DMZ and then FW_FORWARD_MASQ them for the vendor; this way it should be both secure and doable (cross your fingers)

--
Togan Muftuoglu

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
* Howard, Neal;
> but alas, it only supports two ip addresses of originating source and final internal destination like:
> FW_FORWARD_MASQ = "x.y.z.123,192.168.1.10,tcp,5631 \
> x.y.z.123,192.168.1.10,udp,5632"

Actually there is one more parameter that you can do, which is the destination port:

x.y.z.123,192.168.1.10,tcp,5631,5858
source_ip,destination_ip,protocol,destination_port,redirected_port

This will mean you will be setting the pcanywhere ports on your machines.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi Neal!

Sorry if I'm a little bit late on your specific problem, but nevertheless:

> If only the FW_FORWARD_MASQ supported the concept of three addresses such as:
> source_ip,firewalls_external_ip,interior_destination_ip,protocol,portnumber
Well, in that case you might consider upgrading to the SuSEfirewall2
supplied with SuSE Linux 8.1, which allows exactly that:
# [...]
# Optional is a port after the destination port, to redirect the request to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"
#
# Optional is a target IP address on which should the masquerading be decided.
# You have to set the optional port option to use this.
#
# Example:
# 200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202
# The class C network 200.200.200.0/24 trying to access 202.202.202.202 port
# 80 will be forwarded to the internal server 10.0.0.10 on port 81.
For you that would be "source_ip,interior_destination_ip,protocol,
portnumber,portnumber (again),firewalls_external_ip". Please note
that a few other things have changed with the new firewall script,
most notably the FW_SERVICE_{DNS,DHCLIENT,DHCPD,SQUID,SAMBA} options.
If you don't want to or cannot upgrade, I could send you a modified
/sbin/SuSEfirewall2 which includes *only* the above mentioned
FW_FORWARD_MASQ semantics from the new version.
Regards, Andy
--
Andreas J. Mueller email:
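As an added example (not code from SuSEfirewall2 or from anyone in this thread), the Python below parses and sanity-checks the three FW_FORWARD_MASQ entry layouts discussed above: Neal's 4-field entries, Togan's 5-field form with a redirected port, and the 6-field form with the firewall's external address that Andy quotes from the SuSE Linux 8.1 script. It also generates the six entries Neal's three-alias pcanywhere setup would need in the 6-field form. Assumptions: the fields are strictly positional, only tcp and udp are accepted as protocols, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for the x.y.z / a.b.c placeholders used in the mails.

```python
"""Parse and sanity-check SuSEfirewall2 FW_FORWARD_MASQ entries.

Added example; this is not code from SuSEfirewall2 itself. It models the
three field layouts discussed in the thread (assumption: the 4-, 5- and
6-field forms are positional and nothing else is accepted):

    source,destination,proto,port
    source,destination,proto,port,redirected_port
    source,destination,proto,port,redirected_port,external_ip
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
IPv4Addr = ipaddress.IPv4Address


@dataclass
class ForwardMasqRule:
    source: IPv4Net                         # who may connect (host or CIDR block)
    destination: IPv4Addr                   # internal host the packet is forwarded to
    protocol: str                           # "tcp" or "udp" (assumption: only these)
    port: int                               # port the client connects to
    redirect_port: Optional[int] = None     # port on the internal host, if rewritten
    external_ip: Optional[IPv4Addr] = None  # firewall address that selects the rule


def _port(text: str) -> int:
    value = int(text)
    if not 1 <= value <= 65535:
        raise ValueError(f"port out of range: {text}")
    return value


def parse_entry(entry: str) -> ForwardMasqRule:
    """Parse one comma-separated entry; raise ValueError on anything malformed."""
    fields = entry.split(",")
    # A dotted quad written with commas (192,168,1,10) spills into extra
    # fields, so the count check catches that typo before anything else.
    if len(fields) not in (4, 5, 6):
        raise ValueError(f"expected 4, 5 or 6 fields, got {len(fields)}: {entry!r}")
    src, dst, proto, port = fields[:4]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r} in {entry!r}")
    rule = ForwardMasqRule(
        source=ipaddress.IPv4Network(src, strict=False),
        destination=ipaddress.IPv4Address(dst),
        protocol=proto,
        port=_port(port),
    )
    if len(fields) >= 5:
        rule.redirect_port = _port(fields[4])
    if len(fields) == 6:
        rule.external_ip = ipaddress.IPv4Address(fields[5])
    return rule


def parse_forward_masq(value: str) -> List[ForwardMasqRule]:
    """Split the shell variable the way bash does: on any whitespace.
    Backslash-newline continuations in the config file are gone by then."""
    return [parse_entry(e) for e in value.split()]


def describe(rule: ForwardMasqRule) -> str:
    """Render the rule the way the 8.1 config comment phrases its example."""
    target = f" trying to access {rule.external_ip}" if rule.external_ip else ""
    dport = rule.redirect_port if rule.redirect_port is not None else rule.port
    return (f"{rule.source}{target} port {rule.port}/{rule.protocol} will be "
            f"forwarded to {rule.destination} port {dport}")


def format_entry(rule: ForwardMasqRule) -> str:
    """Inverse of parse_entry: emit the entry text for the config file."""
    src = str(rule.source.network_address) if rule.source.prefixlen == 32 else str(rule.source)
    fields = [src, str(rule.destination), rule.protocol, str(rule.port)]
    if rule.redirect_port is not None or rule.external_ip is not None:
        fields.append(str(rule.redirect_port if rule.redirect_port is not None else rule.port))
    if rule.external_ip is not None:
        fields.append(str(rule.external_ip))
    return ",".join(fields)


# Constructed sample modelled on the thread: one vendor host, three external
# aliases on the firewall, three internal pcanywhere hosts. Documentation
# ranges stand in for the x.y.z / a.b.c placeholders used in the mails.
VENDOR = "203.0.113.123"
ALIASES = ["198.51.100.100", "198.51.100.101", "198.51.100.102"]
PCA_HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]


def build_forward_masq(vendor: str, aliases: List[str], hosts: List[str]) -> str:
    """Emit one FW_FORWARD_MASQ value pairing each external alias with one host
    on pcanywhere's 5631/tcp and 5632/udp, using the 6-field form."""
    entries = []
    for alias, host in zip(aliases, hosts):
        for proto, port in (("tcp", 5631), ("udp", 5632)):
            rule = ForwardMasqRule(
                ipaddress.IPv4Network(vendor), ipaddress.IPv4Address(host),
                proto, port, port, ipaddress.IPv4Address(alias))
            entries.append(format_entry(rule))
    return " ".join(entries)


if __name__ == "__main__":
    for rule in parse_forward_masq(build_forward_masq(VENDOR, ALIASES, PCA_HOSTS)):
        print(describe(rule))
```

Running the script prints one plain-language line per generated rule. Feeding it the comma-for-dot entry from earlier in the thread (192,168,1,10) makes parse_entry raise, since the address spills into eight fields; that is the kind of slip worth catching before the firewall script is reloaded, because a silently mis-parsed entry simply never matches and shows up only as dropped traffic in the log.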