Stateful packet inspection in SuSEfirewall2
Hi,

Is there any way to configure stateful packet inspection rules in SuSEfirewall2 for masqueraded networks? When I configure a rule in FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I also have to configure a rule for responses.

Example: Incoming traffic to my web server in a DMZ with private addresses

FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"

I also need to set up the following rule in order to let responses out:

FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"

This rule permits not only established sessions, but additionally it allows my web server to establish connections to the outside world.

Don't know why the FW_FORWARD rules are stateful as I want, but FW_MASQ_NETS ones don't.

Any suggestion? Is it possible to match the SYN, ACK and FIN TCP bits with SuSEfirewall2?

Thanks in advance.

Pablo Ronco
pronco@conae.gov.ar wrote:
Is it there any way to configure stateful packet inspection rules in SuSEfirewall2 for masquerade networks? When I configure a rule in FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I also have to configure a rule for responses.
Example: Incoming traffic to my web server in a DMZ with private addresses
FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"
I also need to set up the following rules in order to let responses out
FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"
This rule permits not only established sessions, but additionally it allows my web server to establish connections to the outside world.
Don't know why the FW_FORWARD rules are stateful as I want, but FW_MASQ_NETS ones don't.
You found a bug.
Any suggestion?
You may take SuSEfirewall2 from FACTORY as soon as I have submitted a package with the fix. It should work on 10.0 as well (feel free to file a bug if not). In the meantime you could use one of the hook functions to just insert the required rules.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
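The difference between the two rule sets in the original question, and the kind of rules one would insert through the hook functions Ludwig mentions, can be shown with plain iptables. The script below is an added example, not SuSEfirewall2's own rule generator and not code from anyone in this thread: it takes one FW_FORWARD_MASQ-style entry ("source,target,proto,port") and prints the DNAT rule plus a FORWARD pair in which the return path is matched by connection tracking (ESTABLISHED,RELATED) rather than by a blanket allow of ports 1024:65535 from the DMZ host. The interface names eth0 (external) and eth1 (DMZ) are assumptions made for the example. The output is printed, not applied, so it can be reviewed before being dropped into a custom-rules hook.

```shell
#!/bin/sh
# Added example, not code from SuSEfirewall2 or from any poster in this thread.
# Prints (does not apply) the iptables rules for one FW_FORWARD_MASQ-style
# entry "source,target,proto,port", with the return path matched by connection
# tracking instead of a broad FW_MASQ_NETS "1024:65535" allow.
# Assumed (constructed) interface names: eth0 external, eth1 DMZ.
EXT_IF="eth0"
DMZ_IF="eth1"

# Usage: stateful_forward_rules "0/0,192.168.1.5,tcp,80"
# Output: three iptables command lines on stdout.
stateful_forward_rules() {
    entry="$1"
    src=$(printf '%s' "$entry" | cut -d, -f1)
    dst=$(printf '%s' "$entry" | cut -d, -f2)
    proto=$(printf '%s' "$entry" | cut -d, -f3)
    port=$(printf '%s' "$entry" | cut -d, -f4)

    # SuSEfirewall2 writes "0/0" for "anywhere"; spell it out for iptables.
    if [ "$src" = "0/0" ]; then
        src="0.0.0.0/0"
    fi

    # 1. NAT: send the published port to the DMZ host.
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$EXT_IF" "$src" "$proto" "$port" "$dst" "$port"

    # 2. Inbound: new connections are accepted only toward that host and port.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --dport %s -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$EXT_IF" "$DMZ_IF" "$src" "$dst" "$proto" "$port"

    # 3. Return path: only packets that belong to a tracked connection.
    #    No NEW here, so the DMZ host cannot open sessions to the outside,
    #    which is exactly what the 1024:65535 FW_MASQ_NETS rule allowed.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -d %s -p %s --sport %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' \
        "$DMZ_IF" "$EXT_IF" "$dst" "$src" "$proto" "$port"
}

# Stand-alone run: print the rules for the web server from the thread.
stateful_forward_rules "0/0,192.168.1.5,tcp,80"
```

The `-m state --state` match is the one current on the kernels of that era; on newer netfilter the equivalent is `-m conntrack --ctstate`. The point of the third rule is the missing NEW: the web server's replies to port 80 clients pass, while any connection it tries to originate is not matched and falls through to the default policy.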
Ludwig Nussel wrote:
pronco@conae.gov.ar wrote:
Is it there any way to configure stateful packet inspection rules in SuSEfirewall2 for masquerade networks? When I configure a rule in FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I also have to configure a rule for responses.
Example: Incoming traffic to my web server in a DMZ with private addresses
FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"
I also need to set up the following rules in order to let responses out
FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"
This rule permits not only established sessions, but additionally it allows my web server to establish connections to the outside world.
Don't know why the FW_FORWARD rules are stateful as I want, but FW_MASQ_NETS ones don't.
You found a bug.
Any suggestion?
You may take SuSEfirewall2 from FACTORY as soon as I have submitted a package with the fix. It should work on 10.0 as well (feel free to file a bug if not). In the meantime you could use one of the hook functions to just insert the required rules.
Could this bug fix get into a SuSE 9.3 update? We use many FW_FORWARD_MASQ rules here and have to maintain lots of response rules, allowing too much! An update to SuSE 10.0 or 10.1 is not possible, since there are still no drivers for this proprietary hardware (won't buy FSComputers again!).

Thanks,
Richard
Richard Ems wrote:
Ludwig Nussel wrote:
[...] You may take SuSEfirewall2 from FACTORY as soon as I have submitted a package with the fix. It should work on 10.0 as well (feel free to file a bug if not). In the meantime you could use one of the hook functions to just insert the required rules.
Could this bug fix get into a SuSE 9.3 update?
I don't plan to.
We use many FW_FORWARD_MASQ rules here and have to maintain lots of response rules, allowing too much!
An update to SuSE 10.0 or 10.1 is not possible, since there are still no drivers for this proprietary hardware (won't buy FSComputers again!).
I'd expect the 10.1 SuSEfirewall2 rpm to work on 9.3, you don't need to update the whole distro.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
Ludwig Nussel wrote:
I'd expect the 10.1 SuSEfirewall2 rpm to work on 9.3, you don't need to update the whole distro.
On 10.1 I have SuSEfirewall2-3.4_SVNr142-5 (Sun 23 Apr 2006),
on 9.3 SuSEfirewall2-3.3-18.4 (Thu 30 Jun 2005).

Aren't there any new netfilter/iptables features introduced on 10.0 or 10.1 used by SuSEfirewall2-3.4_SVNr142-5?

Is someone on this list using the 10.1 version on a 9.3 system? This is a production system, and security is VERY important; just updating to test if it works is not possible. 8)

Thanks,
Richard
On Monday 24 July 2006 07:08, Richard Ems wrote:
Ludwig Nussel wrote:
I'd expect the 10.1 SuSEfirewall2 rpm to work on 9.3, you don't need to update the whole distro.
On 10.1 I have SuSEfirewall2-3.4_SVNr142-5 (Sun 23 Apr 2006),
on 9.3 SuSEfirewall2-3.3-18.4 (Thu 30 Jun 2005).
Aren't there any new netfilter/iptables features introduced on 10.0 or 10.1 used by SuSEfirewall2-3.4_SVNr142-5 ?
I usually find Shorewall (shorewall.net) much easier to deal with for anything but the most simple of firewalls. It's also vastly better documented. It still relies on netfilter, but the author really knows his stuff, and makes it easy to understand.

--
_____________________________________
John Andersen