How to replace FW_ALLOW_INCOMING_HIGHPORTS_UDP?
Ok, I have a dialup connection to the internet. I want to let hosts on my internal net use my ISP's domain name service.

For 9.1 I had:

FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"

But in 9.2 the startup process complained about this line so I commented it out in SuSEfirewall2.

Now of course, attempts by hosts on my internal net to use dns fail and lines like this appear in /var/log/messages:

Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10

192.168.86.4 is a host on my internal net and 199.170.88.10 and 199.170.88.29 are my ISP's dns servers!

I believe the log entries are complaining about a UDP packet that was trying to go from my ISP's domain name service to a host on my internal net.

Now that FW_ALLOW_INCOMING_HIGHPORTS_UDP is not allowed, how do I allow packets like this to go through?

Thank You.

-- 
Paul Elliott 1(512)837-1096 pelliott@io.com
PMB 181, 11900 Metric Blvd Suite J http://www.io.com/~pelliott/pme/
Austin TX 78758-3117
On Friday, 4 February 2005 06:38, Paul Elliott wrote:
Ok, I have a dialup connection to the internet. I want to let hosts on my internal net use my ISP's domain name service.
For 9.1 I had:
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"
But in 9.2 the startup process complained about this line so I commented it out in SuSEfirewall2.
Now of course, attempts by hosts on my internal net to use dns fail and lines like this appear in /var/log/messages:
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10
192.168.86.4 is a host on my internal net and 199.170.88.10 and 199.170.88.29 are my ISP's dns servers!
I believe the log entries are complaining about a UDP packet that was trying to go from my ISP's domain name service to a host on my internal net.
Now that FW_ALLOW_INCOMING_HIGHPORTS_UDP is not allowed, how do I allow packets like this to go through?
Thank You.

Well, you can use a custom script and add your own rules - learning this will provide you with the ability to allow/forbid any service/traffic you like, independent from SuSEfirewall's capabilities...

But I would advise you to use a local caching-only dns server - setup is very easy with suse - it's in the handbook. Then open dns ports on your server to the internal net and that's it. The advantages are (a little) fewer dialups, probably faster dns name resolution, and one type of connection less from your internal PCs to the internet. Furthermore, you can control the dns-resolution centrally.

Did that help?

-- 
Kind regards
Markus Feilner

Please note our new address details! Thank you.
---------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4 93047 Regensburg
phone +49 941 9465243 fax +49 941 9465244 mobile +49 170 3027092
mail mfeilner@feilner-it.net web http://www.feilner-it.net
On Fri, Feb 04, 2005 at 01:06:36PM +0100, Markus Feilner wrote:
Well, you can use a custom script and add your own rules - learning this will provide you with the ability to allow/forbid any service/traffic you like, independent from SuSEfirewall's capabilities... But I would advise you to use a local caching-only dns server - setup is very easy with suse - it's in the handbook. Then open dns ports on your server to the internal net and that's it. The advantages are (a little) fewer dialups, probably faster dns name resolution, and one type of connection less from your internal PCs to the internet. Furthermore, you can control the dns-resolution centrally. Did that help?

Does this mean that there is no easy way with SuSEfirewall2, to allow hosts on the internal network to use specific dns servers on the external network?

-- 
Paul Elliott
On Saturday, 5 February 2005 02:47, Paul Elliott wrote:
On Fri, Feb 04, 2005 at 01:06:36PM +0100, Markus Feilner wrote:
Well, you can use a custom script and add your own rules - learning this will provide you with the ability to allow/forbid any service/traffic you like, independent from SuSEfirewall's capabilities... But I would advise you to use a local caching-only dns server - setup is very easy with suse - it's in the handbook. Then open dns ports on your server to the internal net and that's it. The advantages are (a little) fewer dialups, probably faster dns name resolution, and one type of connection less from your internal PCs to the internet. Furthermore, you can control the dns-resolution centrally. Did that help?
Does this mean that there is no easy way with SuSEfirewall2, to allow hosts on the internal network to use specific dns servers on the external network?

Sure there is. But why would you? Is there a necessity?

- The easiest way is a caching-only dns server. Definitely. RTFM + five minutes.
- The second easiest is adding three (or four) lines of iptables to a custom script.
- The third way is to read about SuSEfirewall and add the right source IP/destination IP/protocol/port to FW_FORWARD, and FW_ALLOW_INCOMING_HIGHPORTS_UDP opening the right ports in external/internal udp (port 53) and check if it works.

But: The third solution needs as much reading as the others, but it doesn't get you that far. ;-). The first solution is the most secure one (beat me if I'm telling nonsense, list... ;-)

-- 
Kind regards
Markus Feilner
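The "three (or four) lines of iptables" for a custom script, written out as an added example that is not from the list or from SuSEfirewall2. It only prints the commands so the set can be reviewed before it is run as root; the interfaces, the internal host's network and the two resolver addresses are the ones from the thread, and the /24 for the internal net is an assumption (the poster only showed one host, 192.168.86.4).

```shell
#!/bin/sh
# Added example: generate the iptables commands a custom script would need so that
# hosts on the internal net can reach specific external DNS servers over UDP/53.
# Nothing is executed here; the lines are printed for review.

# dns_forward_rules INT_IF EXT_IF INT_NET SERVER...: print one iptables command per line
dns_forward_rules() {
    int_if=$1; ext_if=$2; int_net=$3
    shift 3
    for srv in "$@"; do
        # query: internal net -> this resolver only, UDP destination port 53
        echo "iptables -A FORWARD -i $int_if -o $ext_if -s $int_net -d $srv -p udp --dport 53 -j ACCEPT"
        # reply: accepted only for a conntrack entry the query created, never unsolicited UDP
        echo "iptables -A FORWARD -i $ext_if -o $int_if -s $srv -d $int_net -p udp --sport 53 -m state --state ESTABLISHED -j ACCEPT"
    done
    # the internal net is RFC 1918 space, so the queries must be masqueraded on the dialup interface
    echo "iptables -t nat -A POSTROUTING -o $ext_if -s $int_net -j MASQUERADE"
}

# Values from the thread: LAN on eth0, dialup on modem0, resolvers 199.170.88.10 and .29.
# The /24 is assumed; the poster only showed the single host 192.168.86.4.
dns_forward_rules eth0 modem0 192.168.86.0/24 199.170.88.10 199.170.88.29
```

Restricting the ACCEPT to the resolver addresses (-d) and to ESTABLISHED replies keeps the rule set from turning into a general "any UDP from the outside" hole, which is what FW_ALLOW_INCOMING_HIGHPORTS_UDP was criticised for elsewhere in the thread. The MASQUERADE line is the part SuSEfirewall2 would otherwise take care of with its masquerading settings; without it the private source address leaves the box unchanged and the ISP's servers cannot answer.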
Paul Elliott wrote:
Ok, I have a dialup connection to the internet. I want to let hosts on my internal net use my ISP's domain name service.
For 9.1 I had:
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS domain 4000"
But in 9.2 the startup process complained about this line so I commented it out in SuSEfirewall2.
Only the special keyword "DNS" is no longer supported. Nevertheless I would recommend avoiding FW_ALLOW_INCOMING_HIGHPORTS_UDP if possible.
Now of course, attempts by hosts on my internal net to use dns fail and lines like this appear in /var/log/messages:
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36
Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.10 LEN=56 TOS=0x10
192.168.86.4 is a host on my internal net and 199.170.88.10 and 199.170.88.29 are my ISP's dns servers!
I believe the log entries are complaining about a UDP packet that was trying to go from my ISP's domain name service to a host on my internal net.

No, read the message carefully: IN=eth0 OUT=modem0. It's got nothing to do with FW_ALLOW_INCOMING_HIGHPORTS_UDP as it happens in the forward chain in outgoing direction. You need to configure masquerading to make this work.

As others already suggested it's generally a good idea to set up bind as caching only nameserver instead. See MODIFY_NAMED_CONF_DYNAMICALLY in /etc/sysconfig/network/config if your nameservers are assigned dynamically by your provider.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
On Thu, Feb 03, 2005 at 11:38:29PM -0600, Paul Elliott wrote:
Ok, I have a dialup connection to the internet. I want to let hosts on my internal net use my ISP's domain name service.
For 9.1 I had:
OK, I found out what the real problem was: the outgoing interface changed from ppp0 in 9.1 to modem0 in 9.2. When I added modem0 to the FW_DEV_EXT line, the problem went away. I don't need the FW_ALLOW_INCOMING_HIGHPORTS_TCP line.

-- 
Paul Elliott
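Ludwig's point (read IN= and OUT= before touching any ALLOW_INCOMING setting) and Paul's eventual fix (the OUT interface was not in FW_DEV_EXT) can be turned into a small log check. The script below is an added example, not code from the list or from SuSEfirewall2: it pulls the chain tag and the interface fields out of an SFW2 log line and reports whether the OUT interface is one the firewall config knows about. The FW_DEV_EXT and FW_DEV_INT values are constructed to mirror the poster's 9.1 setup (external device still ppp0); the first sample line is the poster's own, the second is a constructed copy with ppp0 as the OUT interface.

```shell
#!/bin/sh
# Added example: classify SFW2 drop lines from the kernel log and say whether the
# OUT interface is listed in the firewall's device variables. Config values are
# constructed to mimic the poster's situation after the ppp0 -> modem0 rename.

FW_DEV_EXT="ppp0"          # constructed: what the 9.1 config still said
FW_DEV_INT="eth0"          # constructed: the internal LAN interface

# sfw2_field LINE KEY: print the value of the first KEY=value token in LINE
sfw2_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# sfw2_chain LINE: print the SFW2-<chain>-<action>-<rule> tag, e.g. SFW2-FWDint-DROP-DEFLT
sfw2_chain() {
    printf '%s\n' "$1" | sed -n 's/.*\(SFW2-[A-Za-z]*-[A-Z]*-[A-Z]*\).*/\1/p'
}

# in_list WORD LIST: succeed if WORD equals one of the space-separated entries of LIST
in_list() {
    for w in $2; do
        [ "$w" = "$1" ] && return 0
    done
    return 1
}

# diagnose LINE: print a one-line verdict for a logged drop
diagnose() {
    _line=$1
    _chain=$(sfw2_chain "$_line")
    _in=$(sfw2_field "$_line" IN)
    _out=$(sfw2_field "$_line" OUT)
    _proto=$(sfw2_field "$_line" PROTO)
    _dpt=$(sfw2_field "$_line" DPT)
    case $_chain in
        SFW2-FWD*)
            # forward chain: the packet is being routed through the box, so the
            # interfaces matter, not the INCOMING_HIGHPORTS settings
            if ! in_list "$_out" "$FW_DEV_EXT" && ! in_list "$_out" "$FW_DEV_INT"; then
                echo "forward drop: OUT=$_out is in neither FW_DEV_EXT nor FW_DEV_INT, add it to FW_DEV_EXT"
            elif in_list "$_in" "$FW_DEV_INT" && in_list "$_out" "$FW_DEV_EXT"; then
                echo "forward drop int->ext: $_proto/$_dpt needs FW_MASQUERADE or an FW_FORWARD entry"
            else
                echo "forward drop: $_in -> $_out, check FW_FORWARD"
            fi
            ;;
        SFW2-IN*)
            echo "input drop on $_in: $_proto/$_dpt, this is where the FW_SERVICES_EXT_* settings apply"
            ;;
        *)
            echo "not an SFW2 drop line"
            ;;
    esac
}

# Sample input: the poster's own line, then a constructed copy with OUT=ppp0.
LINE_RENAMED='Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36'
LINE_KNOWN_EXT='Feb 3 23:26:49 hrnowl kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=ppp0 SRC=192.168.86.4 DST=199.170.88.29 LEN=56 TOS=0x10 PREC=0x00 TTL=63 ID=1 DF PROTO=UDP SPT=1034 DPT=53 LEN=36'

diagnose "$LINE_RENAMED"
diagnose "$LINE_KNOWN_EXT"
```

Run against the poster's line it reports that modem0 is unknown to the config, which is exactly the fix Paul ended up with; run against the constructed ppp0 line it points at masquerading or FW_FORWARD, which is Ludwig's reading of the same chain tag. Either way FW_ALLOW_INCOMING_HIGHPORTS_UDP never comes into it, because a FWDint drop is not an INPUT drop.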