SuSEfirewall for DEV_WORLD=eth1:0
Hi, I'm running SuSEfirewall V2.0. One of my "DEV_WORLD" devices is eth1:0, which is an alternate IP address for eth0. SuSEfirewall complains about "no such command", obviously when executing FW_DEV_WORLD_eth1:0="62.153.66.51 255.255.255.248". What's wrong there?

Regards
- Winni -
On Sun, Jun 11, 2000 at 22:51 +0200, Winfried Trautsch wrote:
> I'm running SuSEfirewall V2.0. One of my "DEV_WORLD" devices is eth1:0, which is an alternate IP address for eth0.
> SuSEfirewall complains about "no such command", obviously when executing FW_DEV_WORLD_eth1:0="62.153.66.51 255.255.255.248".
> What's wrong there?
Try asking your shell's manpage. I guess colons aren't supposed to appear in variable names. Issue this command at an interactive prompt and you will get the same result. (BTW: you snipped the full error message above, not saying _which_ command cannot be found. This could have given some clue, maybe.)

One solution seems to be substituting special characters in the device name, but this has to be done for the LHS (variable names) only -- the RHS still needs an unmodified value.

But using an aliased interface as the outside device is questionable anyway. What do you expect in terms of protection, when the inside still shares the same wire to the outside and could get there bypassing the router? So this might even be by design not to expect aliases in the script, although these conditions could be tested and rejected with a message before failing for syntactical reasons.

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig
    true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.
On 12 Jun. 2000 at 09:48 Gerhard Sittig wrote:
> > SuSEfirewall complains about "no such command", obviously when executing FW_DEV_WORLD_eth1:0="62.153.66.51 255.255.255.248".
> Try asking your shell's manpage. I guess colons aren't supposed to appear in variable names.
I escaped the colon - all the same. But that's not the point: I expect the people at SuSE to take the posting as a kind of "bug report" and change the behaviour of the script.
> Issue this command at an interactive prompt and you will get the same result. (BTW: you snipped the full error message above, not saying _which_ command cannot be found. This could have given some clue, maybe.)
There it is:

    /sbin/SuSEfirewall: FW_DEV_WORLD_eth1:0=X.X.X.X Y.Y.Y.Y: command not found
> But using an aliased interface as the outside device is questionable anyway.
Background: Some IRC servers reject the connection if it comes from a nameserver. As the primary nameserver for my domain runs on the firewall, I had to put up another IP address for DNS. Another NIC is not an option because "outside" is a Cisco router. Both interfaces (eth1 and eth1:0) are therefore used for connections to the wilderness. The Cisco is part of my ADSL setup and I have no access to this router's management software (Thanks to DTAG :-( ).
> If you don't understand or are scared by any of the above ask your parents or an adult to help you.

Nice. ;-)

Regards/Gruss
- Winni -
Winfried Trautsch wrote:
> On 12 Jun. 2000 at 09:48 Gerhard Sittig wrote:
> > > SuSEfirewall complains about "no such command", obviously when executing FW_DEV_WORLD_eth1:0="62.153.66.51 255.255.255.248".
> > Try asking your shell's manpage. I guess colons aren't supposed to appear in variable names.
> I escaped the colon - all the same.
> But that's not the point: I expect the people at SuSE to take the posting as a kind of "bug report" and change the behaviour of the script.
That is not the way it should work. SuSE has a possibility to post bug reports. This is a security related list and I prefer to keep it that way ;-). And besides that, you are invited to do some hacking before you start to mail this list with that kind of complaint. Even worse, you got good advice from experienced people about why to use a virtual IP address in this case. Your reaction did not show up here. You are invited to do that at least before you start complaining.

Regards,
Fred
On Mon, Jun 12, 2000 at 20:41 +0200, Winfried Trautsch wrote:
> On 12 Jun. 2000 at 09:48 Gerhard Sittig wrote:
> > > SuSEfirewall complains about "no such command", obviously when executing FW_DEV_WORLD_eth1:0="62.153.66.51 255.255.255.248".
> > Try asking your shell's manpage. I guess colons aren't supposed to appear in variable names.
> I escaped the colon - all the same.
That's why I wrote this:

> One solution seems to be substituting special characters in the device name, but this has to be done for the LHS (variable names) only -- the RHS still needs an unmodified value.

Escaping the colon is not sufficient (especially when you don't know how many times the parameters get passed down the chain from the rc.config(?) parameter bundle to the shell assigning the value and evaluating it -- how is the variable's name generated?). If "substituting" is not what you want, try "replacing" it. :) You didn't get the first message: a colon is something that doesn't fit into a variable's name!

You want to fiddle with the firewall script like this (don't have it around here, just guessing and stealing from i4l ...). Replace these phrases

    eval I4L_IDLETIME=\$I4L_IDLETIME$I

with something like

    eval I4L_IDLETIME=\$I4L_IDLETIME$( echo $I | tr '-:' '__' )

when $I was your device with "non var letters" in it. Or stuff the things into variables once and use them a few times:

    DEV_RHS=$DEVICE
    DEV_LHS=$( echo $DEV_RHS | tr '-:' '__' )
    eval SCRIPTVAR=\$PREFIX$DEV_LHS
> Background: Some IRC servers reject the connection if it comes from a nameserver. As the primary nameserver for my domain runs on the firewall, I had to put up another IP address for DNS.
That's where I would even think about moving the DNS server away from the firewall and instead hide it inside, _behind_ a filter. Or at least don't expose the primary NS this way and just put a caching secondary there. I really would think more than twice before putting "real" functionality on any firewall except for filters and logging mechanisms.

virtually yours
Gerhard Sittig
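A runnable sketch of the LHS-only substitution Gerhard describes above, added here as an example; it is not code from the SuSEfirewall script or from any poster. The sample FW_DEV_WORLD_ values, the helper names (naive_assign, is_plain_dev_name, dev_name_lhs, fw_dev_set, fw_dev_setting) are assumptions, and the sed call generalizes the tr call to every character a variable name cannot carry:

```shell
#!/bin/sh
# Added example, not from SuSEfirewall: per-device settings held in shell
# variables, looked up for device names such as "eth1:0" that a variable
# name cannot carry. Only the variable NAME (LHS) is sanitized; the device
# name itself (RHS) stays unmodified.

# Constructed sample configuration in rc.config style (assumed values).
FW_DEV_WORLD_eth1="192.0.2.10 255.255.255.248"
FW_DEV_WORLD_eth1_0="192.0.2.11 255.255.255.248"

# The naive form behind "FW_DEV_WORLD_eth1:0=...: command not found":
# with a colon in the name the shell parses the word as a command, not an
# assignment, so eval returns 127 instead of storing the value.
naive_assign() {
    eval "FW_DEV_WORLD_$1=\$2" 2>/dev/null
}

# Returns 0 when the device name can be used in a variable name as it is,
# so a script can reject or warn on odd names before eval ever runs.
is_plain_dev_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map a device name to the suffix used on the LHS: every character that is
# not legal in a variable name becomes "_" (eth1:0 -> eth1_0, ppp0-1 -> ppp0_1).
dev_name_lhs() {
    printf '%s' "$1" | sed 's/[^A-Za-z0-9_]/_/g'
}

# Store a setting for a device: sanitized name on the LHS, raw value on the
# RHS ($3 is expanded by the eval'd assignment, never by the eval string).
fw_dev_set() {
    _lhs=$(dev_name_lhs "$2")
    eval "${1}${_lhs}=\$3"
}

# Read the setting back; prints an empty line when nothing is configured.
fw_dev_setting() {
    _lhs=$(dev_name_lhs "$2")
    eval "printf '%s\n' \"\${${1}${_lhs}:-}\""
}
```

Calling `fw_dev_setting FW_DEV_WORLD_ eth1:0` prints the address pair stored under FW_DEV_WORLD_eth1_0, while `naive_assign eth1:0 "..."` fails the same way the quoted error message does.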
* Gerhard Sittig wrote on Mon, Jun 12, 2000 at 22:11 +0200:
> On Mon, Jun 12, 2000 at 20:41 +0200, Winfried Trautsch wrote:
> Escaping the colon is not sufficient (especially when you don't know how many times the parameters get passed down the chain from the rc.config(?) parameter bundle to the shell assigning the value and evaluating it -- how is the variable's name generated?).
Well, it's some kind of variable that Perl calls a symbolic reference, I think. Personally I don't like this style of coding, especially in security relevant scripts. So you may write your own script or patch it; but IMHO the SuSE firewall isn't really flexible, since it is a design issue. If you don't prefer to lose functionality, make it your own :)
> You didn't get the first message: a colon is something that doesn't fit into a variable's name!
Well, I don't think that Winfried has a lot of experience in shell scripting; he has just tried out a modification, ain't?
> > Background: Some IRC servers reject the connection if it comes from a nameserver. As the primary nameserver for my domain runs on the firewall, I had to put up another IP address for DNS.
> That's where I would even think about moving the DNS server away from the firewall and instead hide it inside, _behind_ a filter.
You're right, but keep in mind that there are some small networks out there :) Maybe there are not enough machines to deploy a DNS server on another host. OK, a SuSE bind package isn't installed chrooted with its own user AFAIK, so I wouldn't use such a config in production. Bind had some problems last time...
> I really would think more than twice before putting "real" functionality on any firewall except for filters and logging mechanisms.
Yepp, but maybe that's the only linux/un*x machine there, who knows. Anyway, I don't think it's a solution to set up a new server when a script is just too silly to do the work, IMHO. And there may be other cases where things go wrong on such a design, but don't think I know or use the SuSE firewall script (I took a look once upon a while and I didn't like it, but this was years ago IIRC).

My firewall setup logs via syslog, which is mailed or "SMSed" to me, and the script catches errors when executing the ipchains command. It may be a good idea to add such a feature to the SuSE firewall script, if possible (and necessary).

About firewalls and services: it's better to have a packet filter on a DNS server than no packet filter IMHO :). BTW: just a packet filter is no real firewall in my opinion, it's just a packet filter :).

oki,
Steffen
--
This letter was produced by machine and therefore bears neither signature nor seal.
On Fri, Jun 16, 2000 at 00:05 +0200, Steffen Dettmer wrote:
> About firewalls and services: it's better to have a packet filter on a DNS server than no packet filter IMHO :). BTW: just a packet filter is no real firewall in my opinion, it's just a packet filter :).
There's no disagreement here. Of course every server (and workstations, too) should have (at least) a filter to protect itself. But a dedicated firewall machine shouldn't do anything else but block and filter the traffic running through it. Although you pointed out there's not always enough hardware available to separate the logically separate things the way they deserve. But then: how much is hardware today compared to the cost of an admin you need anyway?

virtually yours
Gerhard Sittig