Re: [suse-security] Firewall2 and Masquerading
>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 11/10/02, 3:46:04 PM, "Joe & Sesil Morris (NTM)" wrote:
> On 11/10/2002 10:23 PM, dave cunningham wrote:
>> I'm afraid I don't quite follow. eth0 is my internal network which is using the linux box as an internet gateway.
> Exactly. Your external interface has (or gets) a public (internet routeable) IP address. It doesn't need to be masqueraded. Your internal network should have private, non-internet-routeable IP addresses, so for them to access the internet, their packets need to be masqueraded to a routeable address. HTH.
That was my initial reaction too, but I checked my script because I did not know exactly what terminology is used (which device is masqueraded (INT: eth0) and which it is masqueraded on (EXT: ippp0)). This clip from the conf script shows it clearly:

********************* start clip of /etc/sysconfig/SuSEfirewall2 - suse 8.1 ******************
#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"
********************* end clip of /etc/sysconfig/SuSEfirewall2 - suse 8.1 ******************

And then, writing this, I see that Dave is using SuSE 7.3, so Dave, probably the script gives you the answer.

== You say:
With Firewall2 active I cannot access the internet from this box (though masquerading appears to be functioning correctly as computers on the LAN can now use the gateway).

Trying to ping www.suse.com from the firewall box gives this message in the firewall log:

"SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.7 DST=62.136.92.111 LEN=144 TOS=0x00 PREC=0x00 TTL=59 ID=12419 PROTO=UDP SPT=53 DPT=1090 LEN=124
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.4 DST=62.136.92.111 LEN=1"

where 195.112.4.4 / 195.112.4.7 are my ISP's DNS servers (statically assigned) and 62.136.92.111 is the dynamic IP address that has been assigned by my ISP for the session.
==

What you see from the above is that the resolution of the URL www.suse.com (i.e. the IP address) is not allowed in, so the IP address of suse is not resolved. So I suggest you play with routing DNS (allow high etc DNS?).

Regards
Frank
------- Original message follows -------
> Trying to ping www.suse.com from the firewall box gives this message in the firewall log:
>
> "SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.7 DST=62.136.92.111 LEN=144 TOS=0x00 PREC=0x00 TTL=59 ID=12419 PROTO=UDP SPT=53 DPT=1090 LEN=124
> SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.4 DST=62.136.92.111 LEN=1"
>
> where 195.112.4.4 / 195.112.4.7 are my ISP's DNS servers (statically assigned) and 62.136.92.111 is the dynamic IP address that has been assigned by my ISP for the session.
> ==
> What you see from the above is that the resolution of the URL www.suse.com (i.e. the IP address) is not allowed in, so the IP address of suse is not resolved.
> So I suggest you play with routing DNS (allow high etc DNS?).
I think perhaps the DNS lookup failure is a red herring - if I try pinging an IP address from the firewall box (in this case suse.com / 213.95.15.200) I get this log message:

"SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=213.95.15.200 DST=62.136.64.55 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=2463 PROTO=ICMP TYPE=0 CODE=0 ID=53102 SEQ=256"

Similarly, trying to open 213.95.15.200 using Konqueror on the firewall box yields:

"SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=213.95.15.200 DST=62.136.85.98 LEN=64 TOS=0x08 PREC=0x00 TTL=63 ID=56421 DF PROTO=TCP SPT=80 DPT=1395 WINDOW=8760 RES=0x00 ACK SYN URGP=0 OPT (020405B401010402010303000101080A02BD3B2B01ED6340)"

It seems to me that replies being made to all traffic originating from the firewall box are being dropped.

--
Dave Cunningham
PGP Key http://www.upsilon.org.uk/dc.asc
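The pattern Dave describes above (a DNS answer, an ICMP echo reply and a SYN/ACK, all dropped on ippp0 with the box's own dynamic address as DST) can be picked out of the firewall log mechanically. The following is an added example, not code from the thread or from SuSE: a small POSIX sh triage that classifies SuSEfirewall2 "UNALLOWED-TARGET" lines and counts how many are replies to connections the firewall host itself initiated. The field names are the netfilter LOG target's format (SuSEfirewall2 only adds its tag); the first three sample lines are the ones quoted in the thread with the space between TARGET and IN= restored, the fourth line (SRC=198.51.100.9) is constructed, and the reply-* heuristics are mine.

```shell
#!/bin/sh
# Added example, not code from the thread: triage SuSEfirewall2
# "UNALLOWED-TARGET" log lines and flag the ones that are replies to
# connections the firewall host itself started. A run of such drops on the
# external device right after dial-up is the symptom described above.
# Field names (IN=, DST=, PROTO=, SPT=, TYPE=, "ACK SYN") are the netfilter
# LOG target format; SuSEfirewall2 only prefixes its own tag.

# field LINE KEY -> value of "KEY=value" in LINE (empty if absent).
# A space is prepended so KEY must start a token. LEN= and ID= occur twice
# per line and are deliberately not queried.
field() {
  printf ' %s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# classify LINE EXT_DEV -> "<kind> <dst>", where kind is one of
#   reply-dns   UDP from source port 53: answer to a query we sent
#   reply-icmp  ICMP type 0: echo reply to our own ping
#   reply-tcp   SYN/ACK: second step of a handshake we initiated
#   other       anything else (including genuinely unsolicited traffic)
# Only drops that arrived on EXT_DEV are considered.
classify() {
  line=$1 ext_dev=$2
  dst=$(field "$line" DST)
  kind=other
  case $line in
    *SuSE-FW-UNALLOWED-TARGET*)
      if [ "$(field "$line" IN)" = "$ext_dev" ]; then
        case $(field "$line" PROTO) in
          UDP)  if [ "$(field "$line" SPT)" = 53 ]; then kind=reply-dns; fi ;;
          ICMP) if [ "$(field "$line" TYPE)" = 0 ]; then kind=reply-icmp; fi ;;
          TCP)  case $line in *" ACK SYN "*) kind=reply-tcp ;; esac ;;
        esac
      fi ;;
  esac
  echo "$kind $dst"
}

# summarize EXT_DEV < log -> "<reply drops> <total lines>"
# If nearly every drop is a reply-* kind, the INPUT rules are not accepting
# return traffic for the address currently on EXT_DEV.
summarize() {
  replies=0 total=0
  while IFS= read -r l; do
    total=$((total + 1))
    case "$(classify "$l" "$1")" in
      reply-*) replies=$((replies + 1)) ;;
    esac
  done
  echo "$replies $total"
}

# Constructed sample: the three lines quoted in the thread (space between
# TARGET and IN= restored) plus one unsolicited inbound SYN that must not be
# counted as a reply.
SAMPLE_LOG=$(cat <<'EOF'
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=195.112.4.7 DST=62.136.92.111 LEN=144 TOS=0x00 PREC=0x00 TTL=59 ID=12419 PROTO=UDP SPT=53 DPT=1090 LEN=124
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=213.95.15.200 DST=62.136.64.55 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=2463 PROTO=ICMP TYPE=0 CODE=0 ID=53102 SEQ=256
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=213.95.15.200 DST=62.136.85.98 LEN=64 TOS=0x08 PREC=0x00 TTL=63 ID=56421 DF PROTO=TCP SPT=80 DPT=1395 WINDOW=8760 RES=0x00 ACK SYN URGP=0
SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=198.51.100.9 DST=62.136.85.98 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=7 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
)

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r l; do classify "$l" ippp0; done
printf '%s\n' "$SAMPLE_LOG" | summarize ippp0    # prints: 3 4
```

Run it against a real log with `grep SuSE-FW-UNALLOWED-TARGET /var/log/messages | summarize ippp0`. The per-line output also shows the DST changing between sessions (62.136.92.111, 62.136.64.55, 62.136.85.98), which is the hint that the rules were built for an address the box no longer has.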
Hi Dave!

> It seems to me that replies being made to all traffic originating from the firewall box are being dropped.

One likely reason for this behaviour is that the firewall rules are
not reloaded after your dynamic IP has been assigned. Manually do a
"/sbin/SuSEfirewall2" (or similar, don't know where the script is
located on SuSE 7.3) _after_ you have dialled in. If that solves the
problem, find a way to automatically reload the rules every time you
get a new IP address (look in /etc/ppp/ip-up on how to do this).
Regards, Andy
--
Andreas J. Mueller
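The reload Andy describes, written out as an added example (not Andy's script and not SuSE's own ip-up): a hook in the style of /etc/ppp/ip-up that re-runs SuSEfirewall2 once the dial-up device has its address for the session. Assumptions: pppd (and ipppd for ISDN) call ip-up with the interface as $1 and the local address as $4, which is pppd's documented calling convention; the firewall config is /etc/sysconfig/SuSEfirewall2 with an FW_DEV_EXT="..." line as on SuSE 8.1 (the 7.3 path differs, so set FW_CONF accordingly); and /sbin/SuSEfirewall2 reloads the rules. The reload command is passed as a parameter so the decision logic can be exercised without iptables.

```shell
#!/bin/sh
# Added example, not the thread's code: an /etc/ppp/ip-up style hook that
# reloads SuSEfirewall2 once the dial-up device has its dynamic address, so
# the rules are generated against the real external IP instead of whatever
# (or nothing) was on the device at boot.
# pppd/ipppd run ip-up as:  ip-up IFACE TTY SPEED LOCAL_IP REMOTE_IP IPPARAM
# Assumed paths (SuSE 8.1 layout; override via environment for 7.3):
FW_CONF=${FW_CONF:-/etc/sysconfig/SuSEfirewall2}
FW_RELOAD=${FW_RELOAD:-/sbin/SuSEfirewall2}

# fw_ext_dev CONF -> value of FW_DEV_EXT (may list several devices,
# space-separated, e.g. "ippp0 ppp1"); last definition wins.
fw_ext_dev() {
  sed -n 's/^FW_DEV_EXT="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# is_ext_dev IFACE "DEV LIST" -> 0 if IFACE is one of the external devices
is_ext_dev() {
  for d in $2; do
    if [ "$d" = "$1" ]; then return 0; fi
  done
  return 1
}

# reload_if_external IFACE LOCAL_IP CONF RELOAD_CMD
# Reloads only when the interface that came up is the external device
# (an internal ethernet coming up must not bounce the rule set).
# Returns 0 if a reload was run, 1 if nothing was done.
reload_if_external() {
  iface=$1 local_ip=$2 conf=$3 cmd=$4
  if is_ext_dev "$iface" "$(fw_ext_dev "$conf")"; then
    logger -t ip-up "reloading SuSEfirewall2: $iface is up with $local_ip" 2>/dev/null || :
    $cmd
    return 0
  fi
  return 1
}

# Act only when installed as the pppd hook; sourcing or running this file
# under any other name just defines the functions above.
case ${0##*/} in
  ip-up|ip-up.local) reload_if_external "$1" "$4" "$FW_CONF" "$FW_RELOAD" ;;
esac
```

If the distribution's /etc/ppp/ip-up already calls /etc/ppp/ip-up.local (SuSE's does, to my recollection; check yours), put the site-specific part there rather than editing ip-up itself, so a package update does not silently drop the reload.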
------- Original message follows -------
Hi Andy,

> One likely reason for this behaviour is that the firewall rules are not reloaded after your dynamic IP has been assigned. Manually do a "/sbin/SuSEfirewall2" (or similar, don't know where the script is located on SuSE 7.3) _after_ you have dialled in. If that solves the problem, find a way to automatically reload the rules every time you get a new IP address (look in /etc/ppp/ip-up on how to do this).

Seems you've got it nailed - this has sorted the problem. Many thanks indeed.

--
Dave Cunningham
PGP Key http://www.upsilon.org.uk/dc.asc
>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 11/10/02, 6:00:31 PM, Andreas J Mueller wrote:

Dave, try turning the dhcp client on? FW_SERVICE_DHCLIENT="no" to "yes"?