Hello, the firewall on my remote machine locks me out when I try to connect via ssh. The connection itself is established and the IP addresses are assigned (statically). In the FW on the remote machine I have allowed ssh... But that is obviously not enough; what have I forgotten? I googled but only found hints about FW_QUICKMODE="yes". That does not seem to be the solution to me, though, since I am using FW2...???

Regards and thanks
Michael

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
Hello Michael, please note that this is an English-speaking list.
The firewall on my remote machine locks me out when I try to connect via ssh. The connection itself is established and the IP addresses are assigned (statically). In the FW on the remote machine I have allowed ssh... But that is obviously not enough; what have I forgotten? I googled but only found hints about FW_QUICKMODE="yes". That does not seem to be the solution to me, though, since I am using FW2...???
--> I think it would help if you outline your network configuration for us so we can better understand what kind of SSH connection you are trying to establish. On the remote host, you have to set FW_SERVICES_EXT_TCP="ssh" in the /etc/sysconfig/SuSEfirewall2 file, then restart the firewall on the remote host with "rcSuSEfirewall2 restart". If the remote host has an internal and an external IP, you have to use the external IP for the SSH connection when coming from an external net and the internal when coming from an internal net.

HTH,
Armin
--
Am Hasenberg 26                office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                    Schloss-Straße 6
Tel. ++49-(0)38203/42137               D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de            Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/            Fax. +49-(0)38293-68-50
Hello Armin, thanks for the reply:
I think it would help if you outline your network configuration for us so we can better understand what kind of SSH connection you are trying to establish.
My local machine is SuSE 9.2, updated. The remote machine is also SuSE 9.2 with the latest updates. To connect to the remote machine I dial in via ISDN and provide static IP addresses. This is the log from the remote machine, so "local" is actually the remote machine I connect to:

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200

This seems to work. But as soon as I try to connect via ssh user@192.168.55.200 I get rejected, and the following can be found in /var/log/messages:

    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)

On the remote machine I have set up the firewall2 via YaST, IP forwarding is activated and I allow ssh.
On the remote host, you have to set FW_SERVICES_EXT_TCP="ssh" in the /etc/sysconfig/SuSEfirewall2 file, then restart the firewall on the remote host with "rcSuSEfirewall2 restart".
I am not sure if this is the same as allowing ssh in YaST??? Need to check.
If the remote host has an internal and an external IP, you have to use the external IP for the SSH connection when coming from an external net and the internal when coming from an internal net.

I am using the following IP addresses (local is the remote machine!!):

    local IP address 192.168.55.100
    remote IP address 192.168.55.200

So I think this is ok.
Hello Michael,
To connect to the remote machine I dial in via ISDN and provide static IP addresses.
This is the log from the remote machine, so "local" is actually the remote machine I connect to:

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
This seems to work. But as soon as I try to connect via ssh user@192.168.55.200 I get rejected.
--> But you say that local (=192.168.55.100) is the remote host. So you have to connect to "ssh user@192.168.55.100" to reach the remote host. Another thing to check are the routes. Enter (as root) the command route -n in a terminal session on both machines AFTER you have established the connection with ipppd. Then post the result to the list.
And the following can be found in /var/log/messages
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
On the remote machine I have set up the firewall2 via YaST, IP forwarding is activated and I allow ssh.
On the remote host, you have to set FW_SERVICES_EXT_TCP="ssh" in the /etc/sysconfig/SuSEfirewall2 file, then restart the firewall on the remote host with "rcSuSEfirewall2 restart".
I am not sure if this is the same as allowing ssh in YaST??? Need to check.
--> I guess it is. But since local and remote IPs are on the same subnet, probably you have to set FW_SERVICES_INT_TCP="ssh", because for the remote host the SSH request is coming from internal, i.e. from the same subnet.

Good luck!
Armin
Hello Armin,
I have attached the output of route -n at the end of this mail. For consistency reasons I leave here an (almost) full quote.
To connect to the remote machine I dial in via ISDN and provide static IP addresses.
This is the log from the remote machine, so "local" is actually the remote machine I connect to:

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
This seems to work. But as soon as I try to connect via ssh user@192.168.55.100 I get rejected.
Another thing to check are the routes. Enter (as root) the command route -n in a terminal session on both machines AFTER you have established the connection with ipppd. Then post the result to the list.
And the following can be found in /var/log/messages
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
On the remote machine I have set up the firewall2 via YaST, IP forwarding is activated and I allow ssh.
On the remote host, you have to set FW_SERVICES_EXT_TCP="ssh" in the /etc/sysconfig/SuSEfirewall2 file, then restart the firewall on the remote host with "rcSuSEfirewall2 restart".
I am not sure if this is the same as allowing ssh in YaST??? Need to check.
I guess it is. But since local and remote IPs are on the same subnet, probably you have to set FW_SERVICES_INT_TCP="ssh", because for the remote host the SSH request is coming from internal, i.e. from the same subnet.
This is and was already active.

    omicron:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0
    omicron:~ #
Hello Michael,
To connect to the remote machine I dial in via ISDN and provide static IP addresses.
This is the log from the remote machine, so "local" is actually the remote machine I connect to:

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
This seems to work. But as soon as I try to connect via ssh user@192.168.55.100 I get rejected.
Another thing to check are the routes. Enter (as root) the command route -n in a terminal session on both machines AFTER you have established the connection with ipppd. Then post the result to the list.
And the following can be found in /var/log/messages
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
On the remote machine I have set up the firewall2 via YaST, IP forwarding is activated and I allow ssh.
    omicron:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0
    omicron:~ #
--> OK, now we need to know the interface variables of the firewall: FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ. I suspect there's something wrong with these, because the firewall complains about an ILL-TARGET, so probably a packet with a source IP coming from the wrong interface (at least the firewall thinks so).

Cheers,
Armin
Hi!
--> OK, now we need to know the interface variables of the firewall FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ
I suspect there's something wrong with these because the firewall complains about an ILL-TARGET, so probably a packet with a source IP coming from the wrong interface (at least the firewall thinks so).
Sounds like the wrong direction. SuSEfirewall has the following limitations:

    internal IP - external interface of the firewall: will be blocked
    external IP - internal interface of the firewall: will be blocked

If you want to access this, simply add a line in the custom rules script to allow this action (even if it's insecure). Another possibility is to not block high ports, as they are needed by TCP/IP. TCP works like this: connection to server-ip:target_port, response to client-ip:dynamic_portrange_1024-65535. TCP example: 1.2.3.4 from 4.3.2.1 = 1.2.3.4:21 (ftp = port 21) - 4.3.2.1:1024-65535. UDP, in the opposite direction, answers on the same port on which the connection is started.

Routing seems to work? Why are there two routes to eth0? Normally for routing to the same interface you need a virtual interface (e.g. /dev/eth0:1), which has to be created, or is the second route for eth1?

Regards
Philippe
On Wed, 13 Jul 2005, Armin Schoech wrote:
Hello Michael,
To connect to the remote machine I dial in via ISDN and provide static IP addresses.
This is the log from the remote machine, so "local" is actually the remote machine I connect to:

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
This seems to work. But as soon as I try to connect via ssh user@192.168.55.100 I get rejected.
Another thing to check are the routes. Enter (as root) the command route -n in a terminal session on both machines AFTER you have established the connection with ipppd. Then post the result to the list.
And the following can be found in /var/log/messages
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
On the remote machine I have set up the firewall2 via YaST, IP forwarding is activated and I allow ssh.
    omicron:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0
Looks strange to me: not the zeroconf 169. network, but ippp0 is in the eth0 network and is the default gateway? But I never used ippp.
Hello Engelbert, I am not an expert; I do not know the 169.254...., especially on eth0. The only connection to the internet is done via ippp1, ippp0 is used for dial-in, eth0 is only internal. Can I drop the 169.254.0.0 from the routing table? What would be the command?? Is there a way to find out more about the 169.254.x.x??
    omicron:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0
Looks strange to me: not the zeroconf 169. network, but ippp0 is in the eth0 network and is the default gateway? But I never used ippp.

Michael
Hello Armin,
To connect to the remote machine I dial in via ISDN and provide static IP addresses.
This is the log from the remote machine, so "local" is actually the remote machine I connect to:

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
This seems to work. But as soon as I try to connect via ssh (ssh -X user@192.168.55.100) I get rejected.
And the following can be found in /var/log/messages
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
On the remote machine I have set up the firewall2 via YaST, IP forwarding is activated and I allow ssh.
    omicron:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0
    omicron:~ #
OK, now we need to know the interface variables of the firewall FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ
Here are my values:

    FW_DEV_EXT="ippp1 ippp1 ippp1"
    FW_DEV_INT="eth-id-00:e0:81:20:30:04 ippp0"
    FW_DEV_DMZ=""

While I checked the system I had to realize that the firewall is totally shut off, so the route -n is from the system with no firewall... (That there is no fw is not a nightmare, since there is no connection to the world besides the dial-in and no critical data is (until now) available.) Since I am now really remote I can switch the fw on, but if the test fails.... I need to travel :-)

I don't know where the second eth0 comes from (there are two cards in the machine but one is deactivated) and I do not know where this IP address 169.254.0.0 comes from -- can I get rid of it??? How? Sorry, this is a dummy question; I found some info in the man pages but being remote I am afraid to fiddle around.

Thanks a lot
Michael
On Thu, 14 Jul 2005, Michael Hoeller wrote:
Hello Armin,
To connect to the remote machine I dial in via ISDN and provide static IP addresses.
This is the log from the remote machine, so "local" is actually the remote machine I connect to:

    Jul  9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
    Jul  9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
This seems to work. But as soon as I try to connect via ssh (ssh -X user@192.168.55.100) I get rejected.
And the following can be found in /var/log/messages
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
On the remote machine I have set up the firewall2 via YaST, IP forwarding is activated and I allow ssh.
    omicron:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0
    omicron:~ #
OK, now we need to know the interface variables of the firewall FW_DEV_EXT, FW_DEV_INT, FW_DEV_DMZ
Here are my values:

    FW_DEV_EXT="ippp1 ippp1 ippp1"
    FW_DEV_INT="eth-id-00:e0:81:20:30:04 ippp0"
    FW_DEV_DMZ=""
While I checked the system I had to realize that the firewall is totally shut off, so the route -n is from the system with no firewall...
Sounds strange; a deactivated firewall does not produce logfile entries like SFW2-IN-ILL-TARGET IN=ippp0 OUT=.
(That there is no fw is not a nightmare, since there is no connection to the world besides the dial-in and no critical data is (until now) available.) Since I am now really remote I can switch the fw on, but if the test fails.... I need to travel :-)
I don't know where the second eth0 comes from (there are two cards in the machine but one is deactivated) and I do not know where this IP address 169.254.0.0 comes from -- can I get rid of it??? How? Sorry, this is a dummy question; I found some info in the man pages but being remote I am afraid to fiddle around.
1. You can test the firewall with the test option:

       /sbin/SuSEfirewall2 test

   Then everything that would be blocked should be logged.
2. When working remote I'll start an at command that should get me in, e.g. switch to test mode in 5 minutes. If all works well I remove the at entry.
3. 169.254.0.0 is Zeroconf; it is configured by default.

--
BINGO: definitive merger agreement
--- Engelbert Gruber -------+
SSG Fintl,Gruber,Lassnig    / A6170 Zirl Innweg 5b / Tel. ++43-5238-93535 ---+
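Engelbert's second tip, a timed escape hatch for changing a firewall over the very link it filters, as an added shell example (this is not code from the thread or from SuSEfirewall2). It uses a background sleep where Engelbert uses at(1), so it also works on a host where atd is not running; the SuSEfirewall2 commands in the comments are placeholders and assume the script's stop and restart actions, and the marker file used by the self-check stands in for a real firewall command.

```shell
#!/bin/sh
# Added example, not from the list thread: a rollback timer for firewall
# changes made over the link the firewall filters. Arm it, apply the change,
# test the login from the client, and disarm it only once the login works;
# if you lock yourself out, the timer undoes the change for you.

ROLLBACK_LOG=${ROLLBACK_LOG:-/dev/null}   # where the rollback command's output goes

# arm_rollback SECONDS COMMAND [ARG...]: run COMMAND after SECONDS unless the
# timer is disarmed first. Prints the timer's PID.
arm_rollback() {
    secs=$1
    shift
    # Detach stdio so the timer does not hold open a caller's $(...) pipe.
    ( sleep "$secs" && "$@" ) </dev/null >"$ROLLBACK_LOG" 2>&1 &
    echo $!
}

# disarm_rollback PID: cancel the timer. Killing the subshell before its sleep
# ends means the command after && never runs.
disarm_rollback() {
    kill "$1" 2>/dev/null || true
}

# Typical use on the remote host, typed before touching the firewall
# (placeholder commands; assumed SuSEfirewall2 actions):
#   timer=$(arm_rollback 300 /sbin/SuSEfirewall2 stop)   # 5-minute safety net
#   rcSuSEfirewall2 restart                                # apply the new config
#   ... from the client: ssh user@192.168.55.100 ...
#   disarm_rollback "$timer"                               # it worked, keep the config
# The same idea with at(1): echo '/sbin/SuSEfirewall2 stop' | at now + 5 minutes
# and atrm the job once you are back in.

# self_test: prove both paths with a marker file instead of a firewall command.
# Returns 0 when a disarmed timer stays silent and an armed one fires.
self_test() {
    marker=${TMPDIR:-/tmp}/rollback-demo.$$
    rm -f "$marker"

    t=$(arm_rollback 1 touch "$marker")
    disarm_rollback "$t"
    sleep 2
    if [ -e "$marker" ]; then
        echo "disarmed timer still fired"; rm -f "$marker"; return 1
    fi

    t=$(arm_rollback 1 touch "$marker")
    sleep 2
    if [ -e "$marker" ]; then
        rm -f "$marker"; echo "armed timer fired, disarmed timer did not: ok"; return 0
    fi
    echo "armed timer did not fire"; return 1
}

self_test
```

The rollback command runs with its output sent to ROLLBACK_LOG, so point that at a file when the undo step is something whose output you want to read afterwards.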
Oops!!!! I need to be more precise: when I wrote the firewall was and is off, that is at the time when I ran route -n, but the logs are from a time when the firewall was up :-) Sorry, I did not think that this would lead to confusion.

Michael

From: engelbert.gruber@ssg.co.at
Date: 14.07.2005 08:13
To: Michael Hoeller <Michael_Hoeller@hugoboss.com>
Cc: suse-security@suse.com
Subject: Re: [suse-security] SFW2-IN-ILL-TARGET
Hello, I am a little bit confused by the answers; can I try to summarize? I still get rejected.

I dial in from 192.168.55.100 to 192.168.55.200; the interface ippp0 is used; the IP addresses are fixed. I can actually dial in and I do get the IP addresses, and the connection stays up. But as soon as I try to log in via ssh user@192.168.55.100 I get the ILL_TARGET message from the firewall:

    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)

Here are my DEV variables:

    FW_DEV_EXT="ippp1 ippp1 ippp1"
    FW_DEV_INT="eth-id-00:e0:81:20:30:04 ippp0"
    FW_DEV_DMZ=""

ippp1 is used to connect to the internet, ippp0 to dial in, eth0 is only internal. I don't know why SuSE passed ippp1 3 times to the variable, but since I am not an expert I have not touched it..

This is the route I get WITHOUT firewall:

    omicron:~ # route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
    192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0

I hope that someone has a hint which can light the dark.

Thanks a lot
Michael
Michael Hoeller wrote:
I am a little bit confused by the answers; can I try to summarize? I still get rejected.
I dial in from 192.168.55.100 to 192.168.55.200; the interface ippp0 is used; the IP addresses are fixed.
I can actually dial in and I do get the IP Adresses, the connection stays up.
But as soon as I try to log in via ssh user@192.168.55.100 I get the ILL_TARGET message from the firewall:
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
Here are my DEV variables:

    FW_DEV_EXT="ippp1 ippp1 ippp1"
    FW_DEV_INT="eth-id-00:e0:81:20:30:04 ippp0"
    FW_DEV_DMZ=""
The config is ok. SuSEfirewall2 does not set up rules for interfaces that don't exist so you need to run SuSEfirewall2 when the interface is up. That is supposed to happen automatically if you checked the Firewall checkbox in YaST. Alternatively verify manually that FIREWALL=yes in the config files as already mentioned in a previous mail.
I don't know why SuSE passed ippp1 3 times to the variable but since I am not an expert I have not touched it..
One is sufficient.

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
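The two configuration checks raised in this thread, Armin's (is ssh listed in FW_SERVICES_<zone>_TCP for the zone the dial-in interface belongs to?) and Ludwig's (rules only exist for interfaces present when the script runs; one ippp1 in FW_DEV_EXT is enough), as an added shell example that is neither code from the thread nor from SuSEfirewall2 itself. It reads a constructed sysconfig fragment modelled on Michael's variables and a constructed copy of his log line, maps the IN= interface to a zone, and reports whether the DPT= port is opened there. It does not explain why SuSEfirewall2 chose the ILL-TARGET rule; it only checks what the thread discusses. The eth-id-<MAC> aliases SuSE uses in FW_DEV_INT are matched literally here, whereas SuSEfirewall2 itself resolves them to kernel interface names; the small service-name table stands in for /etc/services.

```shell
#!/bin/sh
# Added example, not code from the list thread: check an SFW2 log line
# against the FW_DEV_* and FW_SERVICES_*_TCP variables of a SuSEfirewall2
# configuration. Both inputs below are constructed for the example.

SFW2_CONF='
FW_DEV_EXT="ippp1 ippp1 ippp1"
FW_DEV_INT="eth-id-00:e0:81:20:30:04 ippp0"
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP=""
FW_SERVICES_INT_TCP="ssh"
'

LOG_LINE='Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# conf_get VAR: the double-quoted value of VAR in $SFW2_CONF ("" if unset).
conf_get() {
    printf '%s\n' "$SFW2_CONF" | sed -n "s/^$1=\"\(.*\)\"\$/\1/p"
}

# log_field LINE KEY: the value of KEY=... in an iptables LOG line ("" if absent).
log_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
    }'
}

# iface_zone IFACE: EXT, INT or DMZ according to FW_DEV_*, else NONE.
# eth-id-<MAC> aliases are compared literally (assumption of this example).
iface_zone() {
    for z in EXT INT DMZ; do
        for dev in $(conf_get "FW_DEV_$z"); do
            if [ "$dev" = "$1" ]; then echo "$z"; return 0; fi
        done
    done
    echo NONE
}

# service_port NAME: tiny stand-in for an /etc/services lookup.
service_port() {
    case "$1" in
        ssh) echo 22 ;; smtp) echo 25 ;; http) echo 80 ;; https) echo 443 ;;
        *) echo "$1" ;;
    esac
}

# port_open ZONE PORT: succeeds if PORT is listed in FW_SERVICES_<ZONE>_TCP.
port_open() {
    for svc in $(conf_get "FW_SERVICES_${1}_TCP"); do
        if [ "$(service_port "$svc")" = "$2" ]; then return 0; fi
    done
    return 1
}

# dedup_devs VAR: the interface list of VAR with repeats dropped.
dedup_devs() {
    conf_get "$1" | awk '{
        out = ""
        for (i = 1; i <= NF; i++) if (!seen[$i]++) out = out (out == "" ? "" : " ") $i
        print out
    }'
}

# explain LINE: one-line verdict for a logged packet.
explain() {
    iface=$(log_field "$1" IN)
    dport=$(log_field "$1" DPT)
    zone=$(iface_zone "$iface")
    if [ "$zone" = NONE ]; then
        echo "$iface: not listed in any FW_DEV_* variable, so no rules are generated for it"
    elif port_open "$zone" "$dport"; then
        echo "$iface: zone $zone, tcp/$dport is in FW_SERVICES_${zone}_TCP; check that the interface was up when SuSEfirewall2 last started"
    else
        echo "$iface: zone $zone, tcp/$dport is NOT in FW_SERVICES_${zone}_TCP"
    fi
}

explain "$LOG_LINE"
echo "FW_DEV_EXT without repeats: $(dedup_devs FW_DEV_EXT)"
```

To run it against a real host, replace SFW2_CONF with the contents of /etc/sysconfig/SuSEfirewall2 and feed it the SFW2 lines from /var/log/messages one at a time.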
Hello Ludwig, thanks for the answer. So if the config is correct and I do set up the fw when I start the interface, what might be the reason for the ILL TARGET???? Do you agree with Armin's suggestion, which I find helpful, to try different subnets?

Michael

From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: 14.07.2005 14:10
To: suse-security@suse.com
Subject: Re: [suse-security] SFW2-IN-ILL-TARGET
Michael Hoeller wrote:
thanks for the answer. So if the config is correct and I do set up the fw when I start the interface, what might be the reason for the ILL TARGET
I don't know. Please post your full config file and the output of 'SuSEfirewall2 status' when you get that log message.
Do you agree with Armin's suggestion, which I find helpful, to try different subnets?
SuSEfirewall2 does not care about IP addresses and netmasks as long as you don't enable the obsolete anti-spoof rules.

cu
Ludwig
I will do, but I need to be at a user's site the next days -- I will post the data next week.

Thanks all
Michael

From: Ludwig Nussel <ludwig.nussel@suse.de>
Date: 14.07.2005 15:50
To: suse-security@suse.com
Subject: Re: [suse-security] Antwort: Re: [suse-security] SFW2-IN-ILL-TARGET
Hello Michael,
But as soon as I try to log in via ssh user@192.168.55.100 I get the ILL_TARGET message from the firewall:
    Jul  9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
Here are my DEV variables:

FW_DEV_EXT="ippp1 ippp1 ippp1"
FW_DEV_INT="eth-id-00:e0:81:20:30:04 ippp0"
FW_DEV_DMZ=""
ippp1 is used to connect to the internet, ippp0 to dial in; eth0 is only internal.
I don't know why SuSE passed ippp1 3 times to the variable but since I am not an expert I have not touched it..
--> You can definitely remove it 2 times.
This is the route I get WITHOUT firewall:
omicron:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.55.200  0.0.0.0         255.255.255.255 UH    0      0        0 ippp0
192.168.55.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.55.200  0.0.0.0         UG    0      0        0 ippp0
--> Just a guess. The firewall script is confused because the interface configuration for eth0 with the netmask 255.255.255.0 tells it that 192.168.55.200 (and 192.168.55.100) should be on the eth0 interface. Instead 192.168.55.200 is on another interface. Have you tried to vary the netmasks? Like using

eth0   IP/mask 192.168.55.4/255.255.255.3
ippp0  IP/mask 192.168.55.1/255.255.255.254
dialin IP/mask 192.168.55.2/255.255.255.254

These are not standard netmasks, though. But from my understanding of netmasks (which may be wrong), this would be two different subnets. Or try using a different subnet for the ippp0 dialin connection like

ippp0  IP/mask 192.168.56.1/255.255.255.0
dialin IP/mask 192.168.56.2/255.255.255.0

Good luck!
Armin

--
Am Hasenberg 26                  office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                      Schloss-Straße 6
Tel. ++49-(0)38203/42137                 D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de              Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/              Fax. +49-(0)38293-68-50
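Armin's netmask proposals above can be checked mechanically before touching a remote box. The following is an added example written for this page, not code posted on the list: it uses Python's standard ipaddress module to test whether each proposed mask is a valid contiguous netmask at all, and whether the two ends of each link would actually land in the same subnet under it. The PROPOSALS table is constructed from the addresses and masks quoted in the thread.

```python
import ipaddress

# Constructed sample: the address/mask pairs discussed in the thread, as
# (label, address of one end, address of the other end, netmask).
# These are Armin's proposals and the existing eth0 setup, not a real config.
PROPOSALS = [
    ("current /24, both ends",        "192.168.55.100", "192.168.55.200", "255.255.255.0"),
    ("Armin: eth0 with mask .3",      "192.168.55.4",   "192.168.55.200", "255.255.255.3"),
    ("Armin: ippp0/dialin with .254", "192.168.55.1",   "192.168.55.2",   "255.255.255.254"),
    ("Armin: separate 192.168.56.0",  "192.168.56.1",   "192.168.56.2",   "255.255.255.0"),
]


def valid_netmask(mask):
    """True only for a contiguous mask (a run of ones followed by zeros)."""
    try:
        ipaddress.IPv4Network("0.0.0.0/" + mask)
    except ValueError:
        return False
    return True


def same_subnet(addr_a, addr_b, mask):
    """Do both addresses land in the same subnet when this mask is applied?"""
    net_a = ipaddress.IPv4Network((addr_a, mask), strict=False)
    net_b = ipaddress.IPv4Network((addr_b, mask), strict=False)
    return net_a == net_b


def evaluate(proposals=PROPOSALS):
    """One row per proposal: (label, mask_valid, same_subnet, prefixlen).
    For an invalid mask the last two entries are None."""
    rows = []
    for label, a, b, mask in proposals:
        if not valid_netmask(mask):
            rows.append((label, False, None, None))
            continue
        net = ipaddress.IPv4Network((a, mask), strict=False)
        rows.append((label, True, same_subnet(a, b, mask), net.prefixlen))
    return rows


if __name__ == "__main__":
    for label, ok, shared, plen in evaluate():
        if not ok:
            print("%-32s invalid netmask (not contiguous)" % label)
        else:
            print("%-32s /%d  same subnet: %s" % (label, plen, shared))
```

Run as-is it reports 255.255.255.3 as not a valid netmask (its bits are not contiguous), and 192.168.55.1 and 192.168.55.2 with 255.255.255.254 as two different /31 subnets (192.168.55.0/31 and 192.168.55.2/31), so that pair would not share a link subnet either; the 192.168.56.0/24 variant does put both ends in one subnet.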
On Tue, 12 Jul 2005, Michael Hoeller wrote:
Hello Armin
thanks for the reply:
I think it would help if you outline your network configuration for us so we can better understand what kind of SSH connection you are trying to establish.
My local machine is SuSE 9.2, updated. The remote machine is also SuSE 9.2 with the latest updates. To connect to the remote machine I dial in via ISDN and provide static IP addresses.
This is the log from the remote machine, so "local" is actually the remote machine I connect to:

Jul 9 21:34:18 omicron ipppd[7273]: local IP address 192.168.55.100
Jul 9 21:34:18 omicron ipppd[7273]: remote IP address 192.168.55.200
This seems to work. But as soon as I try to connect via ssh user@192.168.55.200 I get rejected, and the following can be found in /var/log/messages:
Jul 9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
On the remote machine I have set up the firewall2 via YaST; IP forwarding is activated and I allow ssh.
On the remote host, you have to set FW_SERVICES_EXT_TCP="ssh" in the /etc/sysconfig/SuSEfirewall2 file, then restart the firewall on the remote host with "rcSuSEfirewall2 restart".
I am not sure if this is the same as allowing ssh in YaST??? Need to check.
If the remote host has an internal and an external IP, you have to use the external IP for the SSH-connection when coming from external net and the internal when coming from an internal net.

I am using the following IP addresses (local is the remote machine!!):

local IP address 192.168.55.100
remote IP address 192.168.55.200

So I think this is ok.
i prefer ascii art ::

  private remote network
  isdn dial up
  gets 192.168.55.200 assigned from server
            |
            |
  isdn dial in 192.168.55.100
  server

is this right ?

-- BINGO: Structured approach --- Engelbert Gruber -------+
SSG Fintl,Gruber,Lassnig / A6170 Zirl Innweg 5b / Tel. ++43-5238-93535 ---+
Hello Engelbert,

You are right, I mixed up the local and remote in my last mail ..
Hello Michael,
Jul 9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
Try this?:

+--------- [ /etc/sysconfig/scripts/SuSEfirewall2-custom ]
| for DEV in $FW_DEV_INT; do
|     for IP in $DEV_EXT; do
|         $IPTABLES -A INPUT -i $DEV -d $IP -j "ACCEPT"
|     done
| done
+---------

Ciao,
Chris
Christian Wagener wrote:
This code will fail as 9.3+ doesn't filter for IP addresses at all anymore (9.2 only if FW_ANTISPOOF="yes", default is "no"); it relies on rp_filter instead. Therefore DEV_EXT doesn't exist starting from 9.3.

cu
Ludwig
Michael Hoeller wrote:
[...] this seems to work. But as soon I try to connect via ssh user@192.168.55.200 I get rejected. And the following can be found in /var/log/messages
Jul 9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A01E052360000000001030302)
ILL-TARGET means your interface is not assigned to any zone. You need FW_DEV_EXT=ippp0.

SuSEfirewall2 will run automatically when the interface is brought up or down if you enable the init scripts and make sure FIREWALL=yes in /etc/sysconfig/network/*

cu
Ludwig
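The zone check Ludwig describes (ILL-TARGET: the inbound interface is listed in no FW_DEV_* zone) can be reproduced offline against a config file and a log line. The following is an added example written for this page, not code from the list or from SuSEfirewall2 itself: it parses the FW_DEV_* lines Michael posted and the SFW2 kernel log line, collapses the repeated ippp1 entries Armin pointed out, and reports which zone the IN= interface belongs to and which TCP ports FW_SERVICES_<ZONE>_TCP names for that zone. MICHAELS_CONFIG adds an FW_SERVICES_EXT_TCP="ssh" line as Armin recommended; NO_ZONE_CONFIG and FIXED_CONFIG are constructed variants (the latter applies Ludwig's FW_DEV_EXT advice), and SERVICE_PORTS is an assumed stand-in for the /etc/services lookup. Only FW_SERVICES_<ZONE>_TCP is modelled; SuSEfirewall2's other per-zone settings are not.

```python
import re
import shlex

# Constructed samples. MICHAELS_CONFIG holds the FW_DEV_* lines posted in the
# thread plus an FW_SERVICES_EXT_TCP line as Armin recommended; NO_ZONE_CONFIG
# and FIXED_CONFIG are hypothetical variants, not configs anyone posted.
MICHAELS_CONFIG = '''
FW_DEV_EXT="ippp1 ippp1 ippp1"
FW_DEV_INT="eth-id-00:e0:81:20:30:04 ippp0"
FW_DEV_DMZ=""
FW_SERVICES_EXT_TCP="ssh"
'''
NO_ZONE_CONFIG = '''
FW_DEV_EXT="ippp1"
FW_DEV_INT="eth-id-00:e0:81:20:30:04"
FW_SERVICES_EXT_TCP="ssh"
'''
FIXED_CONFIG = '''
FW_DEV_EXT="ippp0 ippp1"
FW_DEV_INT="eth-id-00:e0:81:20:30:04"
FW_SERVICES_EXT_TCP="ssh"
'''

# The kernel log line from the thread (OPT field dropped).
SAMPLE_LOG = ("Jul 9 21:34:22 omicron kernel: SFW2-IN-ILL-TARGET IN=ippp0 OUT= MAC= "
              "SRC=192.168.55.200 DST=192.168.55.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
              "ID=48935 DF PROTO=TCP SPT=1032 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0")

# Assumption: a tiny stand-in for the /etc/services lookup that turns service
# names such as "ssh" into port numbers.
SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443}
ZONES = ("EXT", "INT", "DMZ")
LOG_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_sysconfig(text):
    """Parse KEY="value" lines of an /etc/sysconfig style file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, raw = line.partition("=")
        cfg[key.strip()] = " ".join(shlex.split(raw))  # shlex strips the quotes
    return cfg


def zone_devices(cfg):
    """{zone: [devices]} with repeats such as "ippp1 ippp1 ippp1" collapsed."""
    return {z: list(dict.fromkeys(cfg.get("FW_DEV_" + z, "").split()))
            for z in ZONES}


def zone_of(cfg, dev):
    """Zone an interface is listed in, or None if it is in no zone at all."""
    for zone, devs in zone_devices(cfg).items():
        if dev in devs:
            return zone
    return None


def listed_tcp_ports(cfg, zone):
    """Ports named in FW_SERVICES_<ZONE>_TCP (service names, numbers, lo:hi)."""
    ports = set()
    for tok in cfg.get("FW_SERVICES_%s_TCP" % zone, "").split():
        if tok in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[tok])
        elif ":" in tok:
            lo, hi = tok.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif tok.isdigit():
            ports.add(int(tok))
    return ports


def parse_sfw2_log(line):
    """Extract the SFW2-* verdict and the KEY=VALUE fields of a kernel log line."""
    fields = dict(LOG_FIELD.findall(line))
    verdict = re.search(r"(SFW2-[A-Z-]+)\s", line)
    fields["_verdict"] = verdict.group(1) if verdict else ""
    return fields


def diagnose(cfg, line):
    """Correlate one SFW2 log line with the zone config it was dropped under."""
    f = parse_sfw2_log(line)
    dev = f.get("IN", "")
    dport = int(f["DPT"]) if f.get("DPT", "").isdigit() else None
    zone = zone_of(cfg, dev)
    if zone is None:
        # No FW_DEV_* zone lists the inbound interface, so no zone's service
        # rules can apply to it: the situation Ludwig describes as ILL-TARGET.
        hint = "interface %s is in no zone; list it in FW_DEV_EXT (or another zone)" % dev
    else:
        hint = "interface %s is in zone %s" % (dev, zone)
    return {"verdict": f["_verdict"], "iface": dev, "zone": zone, "dport": dport,
            "zone_tcp_ports": listed_tcp_ports(cfg, zone) if zone else set(),
            "hint": hint}


if __name__ == "__main__":
    for name, text in (("posted", MICHAELS_CONFIG), ("no zone", NO_ZONE_CONFIG),
                       ("fixed", FIXED_CONFIG)):
        r = diagnose(parse_sysconfig(text), SAMPLE_LOG)
        print("%-8s %s -> %s; tcp ports listed for zone: %s"
              % (name, r["verdict"], r["hint"], sorted(r["zone_tcp_ports"])))
```

Against the posted variables the checker places ippp0 in INT, which is exactly why Ludwig asks for the live 'SuSEfirewall2 status' output rather than the file: the log shows the running rule set did not know the interface at the time of the SYN. The NO_ZONE_CONFIG variant shows what a config that produces ILL-TARGET looks like, and FIXED_CONFIG shows ippp0 in EXT with port 22 listed.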
Hello Ludwig,
I will be able to check the machine in some hours, but I am 99% sure that the ippp0 is defined as _internal_ interface. Isn't that correct? Since I dial in and provide IP addresses in the same subnet, 192.168.55.100 and 192.168.55.200, where the .200 is the machine which dials in.

I am not sure about the init scripts, think they are switched off for ippp0. Think the idea was that the ippp0 is an internal interface only used for the dial in, where always an IP address from the same subnet is used..

all the best
Michael
Participants (6): Armin Schoech, Christian Wagener, engelbert.gruber@ssg.co.at, Ludwig Nussel, Michael Hoeller, Philippe Vogel