Impenetrable firewall - SuSE 9.2
Greetings,

I have a small home network of machines connected through the internal ethernet port of my SuSE linux server (192.168.42.xxx). The external ethernet port is connected to a LinkSys dsl modem (192.168.1.2 on the server to 192.168.1.1 - the modem). I have a fixed IP and the domain name asgard.org.nz to go with it - in the /etc/hosts file against the server machine name srv too. I set up the firewall so that the local net could access the internet - but not vice versa. All has worked very well for months. By the way, the HOSTNAME file appears to contain srv.asgard.org.nz correctly!

Needing to publish a small web site now, I have set up apache 2.0.55 suitably configured - which works well on the local network. However, despite the fact that the host (called server.asgard.org.nz on the modem port) has the same name as the Apache ServerName and I appear to have the correct firewall settings as far as my reading of the config file and the examples tells me -

-------
# 1
FW_QUICKMODE="no"
#2
FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
#3
FW_DEV_INT="eth-id-00:50:8b:62:08:e6"
#4
FW_DEV_DMZ=""
#5
FW_ROUTE="yes"
#6
FW_MASQUERADE="yes"
#6a
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
#7
FW_PROTECT_FROM_INTERNAL="no"
#8
FW_AUTOPROTECT_SERVICES="yes"
#9
FW_SERVICES_EXT_TCP="5801 5901 domain http https"
FW_SERVICES_EXT_UDP="domain isakmp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP="http https 80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="ftp http https 80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="esp"
FW_SERVICES_INT_RPC="mountd nfs nfs_acl ftp nlockmgr status"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
#9a
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
#10
FW_TRUSTED_NETS=""
#11
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
#13
FW_FORWARD=""
#14
FW_FORWARD_MASQ=""
#15
FW_REDIRECT=""
#16
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
#17
FW_KERNEL_SECURITY="yes"
#17a
FW_ANTISPOOF="no"
#18
FW_STOP_KEEP_ROUTING_STATE="no"
#19
FW_ALLOW_PING_FW="yes"
#19a
FW_ALLOW_PING_DMZ="no"
#19b
FW_ALLOW_PING_EXT="yes"
##
# END of /etc/sysconfig/SuSEfirewall2
##
# EXPERT OPTIONS - all others please don't change these!
#20
FW_ALLOW_FW_TRACEROUTE="yes"
#21
FW_ALLOW_FW_SOURCEQUENCH="yes"
#22
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
#23
FW_ALLOW_CLASS_ROUTING="no"
#25
FW_CUSTOMRULES=""
#26
FW_REJECT="no"
#27
FW_HTB_TUNE_DEV=""
#28
FW_IPv6=""
#28a
FW_IPv6_REJECT_OUTGOING="yes"
#29
FW_IPSEC_TRUST="int"
--------------------------------

I cannot seem to get any local browser to access the web server with the external (srv.asgard.org.nz) IP address. I have tried external port scanners and they seem to see no open ports at all.

Having spent two days getting nowhere - but learning a lot, I feel I need to humbly ask for help. It's probably something obvious to you experts - sorry, I don't see what might be wrong.

Help, please!

Keith Hopper
-- Sky Development
Hi Keith,

I didn't take a close look at your FW rules, but on first glance they look reasonable enough, except the thing about

FW_SERVICES_DMZ_TCP="http https 80"

As you don't have a DMZ interface, no services can be present there.

But I did take a look at the DNS entries for your server (which you conveniently called server.asgard.org.nz) and found that there is no DNS entry for it.

wolfgang@wolfgang:~> host server.asgard.org.nz ns1.inspire.net.nz
Using domain server:
Name: ns1.inspire.net.nz
Address: 203.114.128.1#53
Aliases:

Host server.asgard.org.nz not found: 3(NXDOMAIN)

As you can see, your own nameserver doesn't know about your server; how could others?

HTH
regards from Vienna
Wolfgang
--
-----------------------------------------------------
Wolfgang Leithner
Pinguin-Systeme.at
CEO/CTO Systems and Security
EMail: wolfgang.leithner@pinguin-systeme.at
http://www.pinguin-systeme.at
-----------------------------------------------------
GPG Key Fingerprint: 21FE FB64 BD83 8385 364A E927 BB2F F331 84FD 12A9
-----------------------------------------------------
GPG Public Key can be found at: http://www.pinguin-systeme.at/privacy/wl.asc
-----------------------------------------------------
Registered Linux User # 388544
To support the Cause of Linux and OpenSource please register at: http://counter.li.org
-----------------------------------------------------
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify postmaster@pinguin-systeme.at
-----------------------------------------------------
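Wolfgang's point about FW_SERVICES_DMZ_TCP being set while FW_DEV_DMZ is empty is the kind of cross-variable inconsistency that is easy to miss in a long sysconfig file. The script below is an added example, not code from anyone in this thread: it sources a SuSEfirewall2 configuration the way the firewall script itself does (the file is plain shell assignments) and reports zone services without a zone interface, masquerading without routing, and service lists that name the same TCP port twice (Keith's "http https 80" lists port 80 under two names). The fixed service-name table and the use of a temporary copy of Keith's posted settings as input are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): a small consistency check for
# /etc/sysconfig/SuSEfirewall2. The file consists of shell variable
# assignments, so it is sourced in a subshell exactly as SuSEfirewall2
# reads it, and a few cross-variable rules are then checked.

# Map the symbolic service names used in the thread to TCP port numbers.
# Assumption: a fixed table instead of /etc/services, so this runs anywhere.
svc_port() {
    case "$1" in
        http)   echo 80 ;;
        https)  echo 443 ;;
        domain) echo 53 ;;
        ftp)    echo 21 ;;
        ssh)    echo 22 ;;
        *)      echo "$1" ;;   # already numeric, or unknown: keep as is
    esac
}

# Report entries in one service list that name a port already listed
# ("http https 80" lists port 80 both as "http" and as "80").
dup_ports() {   # $1 = variable name, $2 = its value
    seen=" "
    for s in $2; do
        p=$(svc_port "$s")
        case "$seen" in
            *" $p "*) echo "$1: '$s' duplicates port $p already listed" ;;
        esac
        seen="$seen$p "
    done
}

# Source FILE in a subshell, print one finding per line on stdout and
# return the number of findings (0 = nothing found).
lint_suse_fw2() {
    findings=$(
        . "$1" || exit 0
        # Services declared for a zone that has no interface never apply.
        if [ -z "$FW_DEV_DMZ" ] && [ -n "$FW_SERVICES_DMZ_TCP$FW_SERVICES_DMZ_UDP$FW_SERVICES_DMZ_IP$FW_SERVICES_DMZ_RPC" ]; then
            echo "FW_DEV_DMZ is empty but FW_SERVICES_DMZ_* is set: these rules never apply"
        fi
        if [ -z "$FW_DEV_INT" ] && [ -n "$FW_SERVICES_INT_TCP$FW_SERVICES_INT_UDP$FW_SERVICES_INT_IP$FW_SERVICES_INT_RPC" ]; then
            echo "FW_DEV_INT is empty but FW_SERVICES_INT_* is set: these rules never apply"
        fi
        [ -n "$FW_DEV_EXT" ] || echo "FW_DEV_EXT is empty: no external interface defined"
        # Masquerading only makes sense with forwarding switched on.
        if [ "$FW_MASQUERADE" = yes ] && [ "$FW_ROUTE" != yes ]; then
            echo "FW_MASQUERADE=yes requires FW_ROUTE=yes"
        fi
        dup_ports FW_SERVICES_EXT_TCP "$FW_SERVICES_EXT_TCP"
        dup_ports FW_SERVICES_INT_TCP "$FW_SERVICES_INT_TCP"
        dup_ports FW_SERVICES_DMZ_TCP "$FW_SERVICES_DMZ_TCP"
    )
    n=$(printf '%s' "$findings" | grep -c .) || true
    [ "$n" -gt 0 ] && printf '%s\n' "$findings"
    return "$n"
}

# Write the settings Keith posted (trimmed to the relevant variables) to $1,
# so the check can be tried without touching a live /etc/sysconfig.
sample_config() {
    cat > "$1" <<'EOF'
FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
FW_DEV_INT="eth-id-00:50:8b:62:08:e6"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_SERVICES_EXT_TCP="5801 5901 domain http https"
FW_SERVICES_EXT_UDP="domain isakmp"
FW_SERVICES_DMZ_TCP="http https 80"
FW_SERVICES_INT_TCP="ftp http https 80"
FW_SERVICES_INT_IP="esp"
FW_SERVICES_INT_RPC="mountd nfs nfs_acl ftp nlockmgr status"
EOF
}

# Usage: sh lint_fw2.sh /etc/sysconfig/SuSEfirewall2
if [ $# -eq 1 ]; then
    lint_suse_fw2 "$1"
    exit $?
fi
```

On Keith's posted settings this reports three findings: the DMZ services with no DMZ device, and the redundant "80" in both FW_SERVICES_INT_TCP and FW_SERVICES_DMZ_TCP. The duplicates are harmless to the firewall but are a sign that the lists were edited by hand without re-reading them, which is exactly how the DMZ line survived.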
Greetings,

Thanks for the helpful suggestions - it seems my thoughts about removing the DMZ services - since I don't have one - might be something to do to clean things up. The failure of a DNS look-up was also pointed out by a couple of people and I will make my next step to sort out the DNS set up before trying again. I will report on my success (or otherwise).

Again my thanks,
Keith
-- Sky Development
mailto:suse-security-unsubscribe-john.l.meyer=gmail.com@suse.com
erk wrote:
mailto:suse-security-unsubscribe-john.l.meyer=gmail.com@suse.com
That's my unsubscription link, not yours!
On July Sunday 16 2006 1:13 pm, erk wrote in an electronic and somewhat quixotic manner:

Ah, sorry, thanks for playing,

Saddest of all... if they are using, say, kmail, all they have to do is open the client (in this case client = program, to those of you who are new to the computer game). Under the title bar there are several words across the top of the window; third across is "view". Select that, then a list opens; select "headers" (first one in the list, really, it is), then choose "all headers" (it's the last one in the list of headers). Once you do that, open any message from the list, and you find the line

"mailto:suse-security-unsubscribe-john.q.user=gmail.com@suse.com", as above

All you need do then is click that line.. it's a link and a new message appears w/ that in the "to" and you just click "send". C'mon kids, it isn't that hard... I figured it out and I'm a girl .. and I'm using linux, isn't that supposed to be too hard for me to do???? geeze,
-- j
Warning: Individuals throwing objects at the crocodiles will be asked to retrieve them!
J,

On Sunday 16 July 2006 11:42, jfweber@gilweber.com wrote:
...
Saddest of all... if they are using, say, kmail, all they have to do is open the client (in this case client = program, to those of you who are new to the computer game). Under the title bar there are several words across the top of the window; third across is "view". Select that, then a list opens; select "headers" (first one in the list, really, it is), then choose "all headers" (it's the last one in the list of headers).
For me, checking headers is something I do frequently enough that I've put two buttons on the toolbar so I can easily choose between "Fancy" and "All" header display. KMail is the best!
j
RRS
On Sunday, 16 July 2006 20:42, jfweber@gilweber.com wrote:
Saddest of all...
is in my opinion the fact that exactly THIS list of all the lists about / run by suse attracts the brainless like no other list does... I mean, suse-security is the only one out of eight suse lists I've subscribed to that gets these brainless unsubscribe messages on a regular basis... if you think about it... maybe that's the reason why there are so many security problems? Not with linux, but with that other OS (you know which one I mean)? If the people who're involved with computer security can't even use email well enough to handle a simple mailing list...

bye,
[L]
Mathias Homann wrote:
On Sunday, 16 July 2006 20:42, jfweber@gilweber.com wrote:
Saddest of all...
is in my opinion the fact that exactly THIS list of all the lists about / run by suse attracts the brainless like no other list does... I mean, suse-security is the only one out of eight suse lists I've subscribed to that gets these brainless unsubscribe messages on a regular basis...
(snip)
To quote John McEnroe: "You cannot be serious!". At suse-linux-e we get an unsubscribe request about every other day. Today we got two actually.

Regards,
-- Jos van Kan
registered Linux user #152704
On Sunday, 16 July 2006 23:02, Jos van Kan wrote:
Mathias Homann wrote:
I mean, suse-security is the only one out of eight suse lists I've subscribed to that gets these brainless unsubscribe messages on a regular basis...
(snip)
To quote John McEnroe: "You cannot be serious!". At suse-linux-e we get an unsubscribe request about every other day. Today we got two actually.
Well, since I didn't subscribe to suse-e, I wouldn't know that...

bye
MH
--
Unsolicited advertising e-mail sent to private individuals violates §1 UWG and §823 I BGB (decision of the Landgericht Berlin of 2 August 1998, case no. 16 O 201/98). Any commercial use of the personal data transmitted, and any disclosure of it to third parties, is expressly prohibited!
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
On July Sunday 16 2006 5:02 pm, Jos van Kan wrote in an electronic and somewhat quixotic manner:
Mathias Homann wrote:
On Sunday, 16 July 2006 20:42, jfweber@gilweber.com wrote:
Saddest of all...
is in my opinion the fact that exactly THIS list of all the lists about / run by suse attracts the brainless like no other list does... I mean, suse-security is the only one out of eight suse lists I've subscribed to that gets these brainless unsubscribe messages on a regular basis...
(snip)
To quote John McEnroe: "You cannot be serious!". At suse-linux-e we get an unsubscribe request about every other day. Today we got two actually.

Jos,

Yeah, I was going to copy my instructions over there and decided that would get me in trouble for "cross posting". Perhaps someone could copy the relevant bits over to SLE and the OT list??? Maybe we can put something to the effect of "There is a clickable link in your headers to unsubscribe you from this or any other Suse mailing list, should you have the need." Because it is clear that no matter which list, these people don't save their "Welcome" messages and at the same time they seem unable to comprehend, or simply do not see, the instructions each list prints at the bottom of each message.

H + S = (GKP)(GKP)
-- j
Where does the "self" go when we sleep, or are sedated by chemical means?
Hi Keith,
I cannot seem to get any local browser to access the web server with the external (srv.asgard.org.nz) IP address. I have tried external port scanners and they seem to see no open ports at all.
--> this is a feature of the Firewall and is supposed to work like this. Try to search the list archives for "protect from internal". Some people have suggested rules to insert into /etc/sysconfig/scripts/SuSEfirewall2-custom to make this work. See also no. 25.) in /etc/sysconfig/SuSEfirewall2.

Another solution is split-brain DNS, which gives the local clients the internal IP when they ask for the name of your webserver.

Good luck!
Armin
Hi Keith.

I use 9.2 pro as well. I had a similar problem with my Speedtouch 4 port ADSL router. I don't use SuSE Firewall, so I cannot really comment on the FW settings you have shown, but have written my own bash script to program IPTables packet filtering directly. I had to open port 80 in the script to the outside world.

On the Speedtouch router, I had to set up NAT, to forward requests for port 80 directly to my ethernet card IP address of 10.0.0.1:80. So any http requests for my website actually get forwarded by the router to the eth0 interface (local IP address 10.0.0.1) that Apache listens on for connection attempts from the outside world.

To test that you have opened port 80 so it can be accessed from the outside, you could go to http://www.grc.com, and use the ShieldsUp security scanner. Click on the common ports box, and this will then test your server and report whether, amongst others, port 80 is open or not.

Once you are sure that port 80 is opened, you could have a look at your router settings to set up NAT - Network Address and Port Translation - usually available via a web browser GUI, and an address like http://10.0.0.xxx.

HTH

Keith Roberts

In theory, theory and practice are the same; in practice they are not.

more below...

On Thu, 13 Jul 2006, Keith Hopper wrote:
To: suse-security@suse.com From: Keith Hopper
Subject: [suse-security] Impenetrable firewall - SuSE 9.2

Greetings,

I have a small home network of machines connected through the internal ethernet port of my SuSE linux server (192.168.42.xxx). The external ethernet port is connected to a LinkSys dsl modem (192.168.1.2 on the server to 192.168.1.1 - the modem). I have a fixed IP and the domain name asgard.org.nz to go with it - in the /etc/hosts file against the server machine name srv too. I set up the firewall so that the local net could access the internet - but not vice versa. All has worked very well for months. By the way, the HOSTNAME file appears to contain srv.asgard.org.nz correctly!
Needing to publish a small web site now, I have set up apache 2.0.55 suitably configured - which works well on the local network. However, despite the fact that the host (called server.asgard.org.nz on the modem port) has the same name as the Apache ServerName and I appear to have the correct firewall settings as far as my reading of the config file and the examples tells me -
-------
# 1
FW_QUICKMODE="no"
#2
FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
#3
FW_DEV_INT="eth-id-00:50:8b:62:08:e6"
#4
FW_DEV_DMZ=""
#5
FW_ROUTE="yes"
#6
FW_MASQUERADE="yes"
#6a
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
#7
FW_PROTECT_FROM_INTERNAL="no"
#8
FW_AUTOPROTECT_SERVICES="yes"
#9
FW_SERVICES_EXT_TCP="5801 5901 domain http https"
FW_SERVICES_EXT_UDP="domain isakmp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP="http https 80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="ftp http https 80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="esp"
FW_SERVICES_INT_RPC="mountd nfs nfs_acl ftp nlockmgr status"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
#9a
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
#10
FW_TRUSTED_NETS=""
#11
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
#13
FW_FORWARD=""
#14
FW_FORWARD_MASQ=""
#15
FW_REDIRECT=""
#16
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
#17
FW_KERNEL_SECURITY="yes"
#17a
FW_ANTISPOOF="no"
#18
FW_STOP_KEEP_ROUTING_STATE="no"
#19
FW_ALLOW_PING_FW="yes"
#19a
FW_ALLOW_PING_DMZ="no"
#19b
FW_ALLOW_PING_EXT="yes"
##
# END of /etc/sysconfig/SuSEfirewall2
##
# EXPERT OPTIONS - all others please don't change these!
#20
FW_ALLOW_FW_TRACEROUTE="yes"
#21
FW_ALLOW_FW_SOURCEQUENCH="yes"
#22
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
#23
FW_ALLOW_CLASS_ROUTING="no"
#25
FW_CUSTOMRULES=""
#26
FW_REJECT="no"
#27
FW_HTB_TUNE_DEV=""
#28
FW_IPv6=""
#28a
FW_IPv6_REJECT_OUTGOING="yes"
#29
FW_IPSEC_TRUST="int"
--------------------------------
I cannot seem to get any local browser to access the web server with the external (srv.asgard.org.nz) IP address. I have tried external port scanners and they seem to see no open ports at all.
You cannot access your own IP address directly over the internet from that same IP address - IP protocol doesn't work like that. If you want to access your own web server over the internet, you will have to use a proxy browser, so it appears that the request is coming from an external source, which it would be. You access the proxy server, and the proxy server then accesses your own server on your machine on your behalf, then returns the website back to you on your machine.

You might like to try http://proxybrowsing.com/ to see if this helps. I use the above proxy for testing access to my own site. (I have set up name based virtual hosting with Apache 2.2.0, but I cannot get it to work, as all the proxy browsers I have found only support HTTP/1.0 protocol, and name based virtual hosting requires HTTP/1.1 for this to work.)

First you need to make sure that Apache is up and running, and you can access it locally, from something like: http://localhost/ or http://127.0.0.1

Once that is working OK, you need to set up your firewall so that port 80 is open to the outside world.

Next check and make sure that NAPT is set up in your router correctly. Any connections to your static IP address need to be forwarded by your router to the interface that Apache is listening on.
Having spent two days getting nowhere - but learning a lot, I feel I need to humbly ask for help. It's probably something obvious to you experts - sorry, I don't see what might be wrong.
Help, please!
Keith Hopper
-- Sky Development
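Armin's reply (a request from the LAN to the external address is blocked by design; custom rules or split-brain DNS work around it) and Keith Roberts's reply (open port 80 and have the router forward it to the interface Apache listens on) both come down to a handful of iptables rules on the Linux box. The script below is an added example, not code from anyone in this thread and not SuSEfirewall2's own output: it prints the hairpin-NAT rules that let a LAN client reach the web server by the public address, for the case where the server is the firewall itself (as in Keith's setup) and, going beyond the thread, the case where it is another LAN host, which needs an extra SNAT so replies come back through the firewall. The interface name eth1, the 203.0.113.10 public address and the 192.168.42.1 firewall LAN address are assumptions chosen to match the thread's layout; nothing is applied unless the output is fed to sh on the firewall.

```shell
#!/bin/sh
# Added example (not from the thread): print the iptables rules that let
# clients on the LAN reach the web server through its public address
# ("hairpin" or "NAT reflection"). Rules are printed, not applied, so this
# runs without root; review them, then pipe the output to sh on the firewall.
#
# Assumed layout (matches the thread, addresses are example values):
#   LAN          192.168.42.0/24 on interface eth1
#   firewall     192.168.42.1 on the LAN side
#   public IP    203.0.113.10 (the fixed address the DSL modem holds)

# hairpin_rules INT_IF PUBLIC_IP FW_LAN_IP SRV_IP LAN_NET [PORT]
# Prints the rules in the order they must be loaded.
hairpin_rules() {
    int_if=$1 public_ip=$2 fw_lan_ip=$3 srv_ip=$4 lan_net=$5 port=${6:-80}

    # 1. A LAN client sends to PUBLIC_IP:PORT. Without this rule the firewall
    #    routes the packet out to the modem, which has no reason to turn it
    #    around. DNAT on the LAN-facing interface rewrites the destination to
    #    the real server address before routing happens.
    echo "iptables -t nat -A PREROUTING -i $int_if -s $lan_net -d $public_ip -p tcp --dport $port -j DNAT --to-destination $srv_ip:$port"

    if [ "$srv_ip" = "$fw_lan_ip" ]; then
        # 2a. The server is the firewall itself (Apache on the SuSE box): the
        #     rewritten packet is delivered locally, so an INPUT accept on the
        #     LAN side is all that is still needed.
        echo "iptables -A INPUT -i $int_if -p tcp --dport $port -j ACCEPT"
    else
        # 2b. The server is another host on the same LAN. It would answer the
        #     client directly (same subnet, no firewall in the return path),
        #     and the client would reject a reply from an address it never
        #     contacted. SNAT the hairpinned flow to the firewall so the
        #     server replies to the firewall, which un-NATs it for the client.
        echo "iptables -t nat -A POSTROUTING -s $lan_net -d $srv_ip -p tcp --dport $port -j SNAT --to-source $fw_lan_ip"
        echo "iptables -A FORWARD -i $int_if -o $int_if -d $srv_ip -p tcp --dport $port -j ACCEPT"
    fi
}

# Number of rules in the nat table for a given layout; the two cases above
# differ here (one DNAT, or DNAT plus SNAT).
nat_rule_count() {
    hairpin_rules "$@" | grep -c -- '-t nat'
}

# Usage: sh hairpin.sh eth1 203.0.113.10 192.168.42.1 192.168.42.1 192.168.42.0/24
if [ $# -eq 5 ] || [ $# -eq 6 ]; then
    hairpin_rules "$@"
fi
```

These rules only cover the LAN-side view. Access from the internet still needs the external interface to accept port 80 (in SuSEfirewall2 terms that is FW_SERVICES_EXT_TCP="http", which Keith already has) and, as Keith Roberts describes, the modem must forward port 80 to the Linux box's external address, which is a router setting rather than an iptables one. Split-brain DNS, Armin's other suggestion, avoids the NAT rules entirely by handing LAN clients the 192.168.42.x address for the server's name.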
participants (11)
- Armin Schoech
- erk
- jfweber@gilweber.com
- John Meyer
- Jos van Kan
- Keith Hopper
- Keith Roberts
- Mathias Homann
- Randall R Schulz
- Thomas Peters
- Wolfgang Leithner