SuSEfirewall2 on 8.0 masq problem
I am at my wits' end with this problem. Server in dmz, internal net, http, https, ssh, imap, etc on server accessible from the outside. The internal net should have access to the same services on the server as are available from the outside.

Problems: ntpdate -q outside does not work on server, ditto on firewall. Reaching http://outside from server doesn't work. From outside, imap and 7777 are not reachable on server, although http https are reachable and imap and 7777 are configured identically. The internal net can't reach the server (yes I use FW_FORWARD).

SuSE 8.0 with all updates current as of yesterday. I tried the same setup on 2 different machines so it's not the hardware (unless realtek 8139 net cards go dead on some ports only, not likely).

FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.2.0/24 192.168.1.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="domain"
FW_SERVICES_EXT_UDP="domain ntp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="domain ssh"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="domain ssh"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="
192.168.2.0/24,192.168.1.1,tcp,80
192.168.2.0/24,192.168.1.1,tcp,443
192.168.2.0/24,192.168.1.1,tcp,143
192.168.2.0/24,192.168.1.1,tcp,25
192.168.2.0/24,192.168.1.1,tcp,22
192.168.2.0/24,192.168.1.1,tcp,7777
192.168.2.0/24,192.168.1.1,udp,123
"
FW_FORWARD_MASQ="
0/0,192.168.1.1,tcp,80
0/0,192.168.1.1,tcp,443
0/0,192.168.1.1,tcp,143
0/0,192.168.1.1,tcp,25
0/0,192.168.1.1,tcp,22
0/0,192.168.1.1,tcp,7777
"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

On a SuSE 7.3 box with iptables, kernel, SuSEfirewall2 packages from SuSE 8.0 an essentially identical setup works as expected (there's no DNS server on that box).

Ideas are very much appreciated. Thanks in advance,

Volker

If you don't want to reply to the list change my email address to list0570 at (sorry).

-- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.orcon.net.nz/ Please do not CC list postings to me.
Hi,

I know there is a problem with Realtek 8139 cards and the 2.4 kernel: http://sdb.suse.de/en/sdb/html/mjb_rtl8139_24.html

I am by no means a firewall expert but maybe the problem is the card and not the configuration. Sorry I can't be of more help.

Q

On Wed, 2002-09-04 at 06:36, Volker Kuhlmann wrote:
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
-- Quinton Delpeche Internet Infrastructure Team Leader Tel : (011) 445 8100 Tel : (011) 445 8142 (Direct) Fax : (011) 445 8101 Mob : (083) 445 0752 Knowledge Factory A MEMBER OF THE PRIMEDIA GROUP Visit our websites: http://www.knowledgefactory.co.za/ http://www.tpz.co.za/ http://www.saptg.co.za/
I know there is a problem with Realtek 8139 cards and the 2.4 kernel: http://sdb.suse.de/en/sdb/html/mjb_rtl8139_24.html
Yes thanks, but that article only says use module 8139too, which I am doing. Those cards can still trip up with 8139too, I have one which randomly stops dead in one direction. It's not related to the current problem.

Volker

-- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.orcon.net.nz/ Please do not CC list postings to me.
On Wednesday 04 September 2002 06.36, Volker Kuhlmann wrote:
I am at my wits end with this problem. Server in dmz, internal net, http, https, ssh, imap, etc on server accessible from the outside. The internal net should have access to the same services on the server as are available from the outside.
Problems like these are easiest solved by examining logs. I see you already log almost everything in the firewall. What does that show? Do you see anything interesting if you turn on logging on all accepted packets? Perhaps you should set up a few iptables rules on the dmz server to log what happens there. I suspect it will make your problem a lot easier to locate.

regards

Anders
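The log-driven approach Anders describes, worked through as an added example that is not part of the thread: a POSIX shell script with one helper that prints the iptables LOG rules to place on the DMZ server for a single flow, and a summariser that condenses kernel LOG lines by prefix, interfaces, protocol and destination port, so a day of /var/log/messages collapses into a handful of countable lines. The DMZ server address 192.168.1.1 and the interface names eth0/eth1/eth2 are taken from Volker's config; the log lines are constructed for this example, and the "SuSE-FW-DROP-DEFAULT" and "SuSE-FW-ACCEPT" prefixes are an assumption about what SuSEfirewall2 appends to the SuSE-FW prefix set in FW_LOG, not copied from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: DMZ server is 192.168.1.1,
# log lines imitate 2.4-kernel iptables LOG output, and the SuSE-FW-* prefix
# suffixes are assumed rather than taken from SuSEfirewall2.

# Print the two iptables LOG rules that record one flow on the DMZ server,
# request direction and reply direction. They go at position 1 of INPUT and
# OUTPUT so no earlier rule can swallow the packet first; LOG is a
# non-terminating target, so the existing policy is otherwise unchanged.
log_rules_for_flow() {
    src="$1"; dst="$2"; proto="$3"; dport="$4"
    printf 'iptables -I INPUT 1 -s %s -d %s -p %s --dport %s -j LOG --log-prefix "DMZ-IN "\n' \
        "$src" "$dst" "$proto" "$dport"
    printf 'iptables -I OUTPUT 1 -s %s -d %s -p %s --sport %s -j LOG --log-prefix "DMZ-OUT "\n' \
        "$dst" "$src" "$proto" "$dport"
}

# Summarise kernel LOG lines on stdin as
# "prefix in-interface out-interface protocol destination-port count".
# An empty IN= or OUT= (packet to or from the firewall itself) prints as "-".
# Only prefixes starting with SuSE-FW or DMZ- are counted; other kernel
# messages on the same log are ignored.
summarize_fw_log() {
    awk '
    /kernel: / {
        n = split($0, f, " ")
        prefix = ""; inif = "-"; outif = "-"; proto = "-"; dpt = "-"
        for (i = 1; i <= n; i++) {
            if (f[i] == "kernel:") prefix = f[i + 1]
            else if (f[i] ~ /^IN=/) { inif = substr(f[i], 4); if (inif == "") inif = "-" }
            else if (f[i] ~ /^OUT=/) { outif = substr(f[i], 5); if (outif == "") outif = "-" }
            else if (f[i] ~ /^PROTO=/) proto = substr(f[i], 7)
            else if (f[i] ~ /^DPT=/) dpt = substr(f[i], 5)
        }
        if (prefix ~ /^(SuSE-FW|DMZ-)/)
            count[prefix " " inif " " outif " " proto " " dpt]++
    }
    END { for (k in count) printf "%s %d\n", k, count[k] }' | LC_ALL=C sort
}

# Constructed sample of what the firewall log might hold for the symptoms in
# the thread: internal -> DMZ imap and 7777 dropped in FORWARD, external ->
# DMZ http accepted, and the firewall's own outbound ntp query dropped
# (empty IN=). The last line is an unrelated kernel message to be ignored.
sample_log() {
cat <<'EOF'
Sep  4 06:40:01 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.2.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=34567 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 06:40:04 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.2.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=34567 DPT=143 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 06:40:09 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=eth1 SRC=192.168.2.10 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=34570 DPT=7777 WINDOW=5840 RES=0x00 SYN URGP=0
Sep  4 06:41:12 fw kernel: SuSE-FW-ACCEPT IN=eth2 OUT=eth1 SRC=203.0.113.5 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep  4 06:42:30 fw kernel: SuSE-FW-DROP-DEFAULT IN= OUT=eth2 SRC=192.0.2.1 DST=192.0.2.250 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=5 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep  4 06:42:31 fw kernel: eth0: link up, 100Mbps, full-duplex
EOF
}

# Total packets logged with a DROP prefix for one destination port.
drop_count() {
    sample_log | summarize_fw_log |
        awk -v p="$1" '$1 ~ /DROP/ && $5 == p { n += $6 } END { print n + 0 }'
}

# Stand-alone run: the rules to paste on the DMZ server, then the summary.
log_rules_for_flow 192.168.2.0/24 192.168.1.1 tcp 143
sample_log | summarize_fw_log
```

Run the summariser over /var/log/messages on the firewall after one failed attempt per service. A drop line with IN= empty is a packet the firewall generated itself (the ntpdate case); an IN=eth0 OUT=eth1 drop for a port that has an FW_FORWARD entry means the FORWARD path discarded it before any of those rules accepted it, so the DMZ host never saw the packet and the DMZ-IN rules above will stay silent for it.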
Hi,
I am at my wits end with this problem. Server in dmz, internal net, http, https, ssh, imap, etc on server accessible from the outside. The internal net should have access to the same services on the server as are available from the outside.
Maybe you get a problem here with the access to the DMZ server from the internal network to the external IP address. http://lists.suse.com/archive/suse-security/2002-May/0415.html
Problems: ntpdate -q outside does not work on server, dito on firewall. reaching http://outside from server doesn't work. From outside, imap and 7777 are not reachable on server, although http https are reachable and imap and 7777 are configured identically. The internal net can't reach the server (yes I use FW_FORWARD).
No ping, nothing!? What about the logs on the firewall?
FW_SERVICES_EXT_TCP="domain"
FW_SERVICES_EXT_UDP="domain ntp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="domain ssh"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="domain ssh"
FW_SERVICES_INT_UDP="domain"
You need access from the internet to your domain name server!? You have a ntp server (like xntpd) on the firewall which must reachable from the internet only?
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="
192.168.2.0/24,192.168.1.1,tcp,80
192.168.2.0/24,192.168.1.1,tcp,443
192.168.2.0/24,192.168.1.1,tcp,143
192.168.2.0/24,192.168.1.1,tcp,25
192.168.2.0/24,192.168.1.1,tcp,22
192.168.2.0/24,192.168.1.1,tcp,7777
192.168.2.0/24,192.168.1.1,udp,123
"
FW_FORWARD_MASQ="
0/0,192.168.1.1,tcp,80
0/0,192.168.1.1,tcp,443
0/0,192.168.1.1,tcp,143
0/0,192.168.1.1,tcp,25
0/0,192.168.1.1,tcp,22
0/0,192.168.1.1,tcp,7777
"
Uohhhh, that can't work well, I think, better is:

FW_FORWARD="\
192.168.2.0/24,192.168.1.1,tcp,80 \
192.168.2.0/24,192.168.1.1,tcp,443 \
192.168.2.0/24,192.168.1.1,tcp,143 \
192.168.2.0/24,192.168.1.1,tcp,25 \
192.168.2.0/24,192.168.1.1,tcp,22 \
192.168.2.0/24,192.168.1.1,tcp,7777 \
192.168.2.0/24,192.168.1.1,udp,123 \
"
FW_FORWARD_MASQ="\
0/0,192.168.1.1,tcp,80 \
0/0,192.168.1.1,tcp,443 \
0/0,192.168.1.1,tcp,143 \
0/0,192.168.1.1,tcp,25 \
0/0,192.168.1.1,tcp,22 \
0/0,192.168.1.1,tcp,7777 \
"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
On a SuSE 7.3 box with iptables, kernel, SuSEfirewall2 packages from SuSE 8.0 an essentially identical setup works as expected (there's no DNS server on that box).
Maybe you get a problem here with the access to the DMZ server from the internal network to the external IP address.
The internal machines use the private IP of the server. The server is pingable, albeit no response from port 80.
http://lists.suse.com/archive/suse-security/2002-May/0415.html
I only have 1 external IP and 1 server.
No ping, nothing!? What about the logs on the firewall?
The logs indicate that packets disappear on the firewall without trace.
You need access from the internet to your domain name server!? You have a ntp server (like xntpd) on the firewall which must reachable from the internet only?
Ignore these exact settings for now, it's not part of the problem (and yes, your xntp daemon reads the time servers on port 123).
FW_FORWARD=" 192.168.2.0/24,192.168.1.1,tcp,80 192.168.2.0/24,192.168.1.1,tcp,443
Uohhhh, that can't work well, I think, better is:
FW_FORWARD="\ 192.168.2.0/24,192.168.1.1,tcp,80 \ 192.168.2.0/24,192.168.1.1,tcp,443 \
That makes absolutely no difference (tried that before posting, and again now). iptables -nvL shows a lot of rules with ACCEPT target and with ports 143 and 123 (didn't check the other ports).

Volker

-- Volker Kuhlmann is possibly list0570 with the domain in header http://volker.orcon.net.nz/ Please do not CC list postings to me.
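A counter check to go with the iptables -nvL listing Volker mentions, added here as an example and not part of the thread: a rule being listed with an ACCEPT target is not the same as the rule ever matching, and the pkts column is what tells them apart. The script below parses a listing that is constructed to resemble an iptables -nvL FORWARD chain for Volker's setup (the counter values are invented), reports every rule for a given destination port together with whether it has ever been hit, and extracts the chain's default-policy counter, which is where packets that "disappear without trace" end up when no LOG rule sits in front of the policy.

```shell
#!/bin/sh
# Added example, not from the thread. The listing is constructed to look like
# "iptables -nvL FORWARD" output on a 2.4-era system; counters are invented.
# On a real system add -x so large counters print exactly instead of as 12K.

sample_iptables() {
cat <<'EOF'
Chain FORWARD (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
    5   300 ACCEPT     tcp  --  eth0   eth1    192.168.2.0/24       192.168.1.1        tcp dpt:80
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.2.0/24       192.168.1.1        tcp dpt:143
    0     0 ACCEPT     tcp  --  eth0   eth1    192.168.2.0/24       192.168.1.1        tcp dpt:7777
    3   180 ACCEPT     tcp  --  eth2   eth1    0.0.0.0/0            192.168.1.1        tcp dpt:80
    0     0 ACCEPT     tcp  --  eth2   eth1    0.0.0.0/0            192.168.1.1        tcp dpt:143
    2   120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0          LOG flags 0 level 4 prefix `SuSE-FW-DROP-DEFAULT '
EOF
}

# Print every rule on stdin that matches destination port $1 as
# "chain pkts target in->out hit|NEVER-HIT". The port is matched as a whole
# number so 80 does not also pick up dpt:8080. A rule still at 0 packets
# after a failed connection attempt has not seen the packet: something
# earlier in this chain, in another chain, or in the nat table consumed it.
rules_for_port() {
    awk -v port="$1" '
    /^Chain / { chain = $2; next }
    $1 == "pkts" { next }
    $0 ~ ("dpt:" port "($|[^0-9])") {
        printf "%s %s %s %s->%s %s\n", chain, $1, $3, $6, $7, ($1 == 0 ? "NEVER-HIT" : "hit")
    }'
}

# Print "chain policy packets" for every built-in chain on stdin, i.e. how
# many packets fell through every rule and were handled by the default
# policy. User-defined chains have "(N references)" instead and are skipped.
chain_policies() {
    awk '$1 == "Chain" && $3 == "(policy" { printf "%s %s %s\n", $2, $4, $5 }'
}

# Stand-alone run against the constructed listing.
sample_iptables | rules_for_port 143
sample_iptables | rules_for_port 80
sample_iptables | chain_policies
```

On the firewall, run `iptables -nvxL FORWARD` and `iptables -t nat -nvxL PREROUTING` once before and once after a single failed connection from the internal net, and feed each listing to rules_for_port: an FW_FORWARD ACCEPT rule whose counter does not move while the policy counter from chain_policies does is being bypassed, not mismatched, and comparing the two listings shows whether the packet ever reached the DNAT rule at all.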
participants (4): Anders Johansson, Kai-H. Weutzing, Quinton Delpeche, Volker Kuhlmann