Hello everyone. I am currently using SuSEfirewall2 with the following configuration.

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1 eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24 192.168.254.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"

I have a firewall with 3 interfaces. eth0 is outside, public. eth1 is one local subnet (192.168.0/24), private. eth2 is a second internal private subnet (192.168.254/24). I have routing set up between both subnets and I am able to ping across the firewall/router from one subnet to the other. Currently I have a DHCP server installed in the 192.168.0/24 subnet, address 192.168.0.2. On the firewall I installed the DHCP relay package from the SuSE 7.2 CD. It listens on eth2 and forwards all requests to 192.168.0.2 (the DHCP server). When I check the DHCP server logs I see that it is creating a lease for the new host on eth2 of the firewall. However, the host is not receiving the address. I am sure that it is a small misconfiguration on the firewall, but I cannot figure out what it is. Any help is greatly appreciated.

If you need more information just e-mail me and I will try to get it. Thanks in advance, Pablo A. Maurin
Hi Pablo,

On Sat, Sep 29, 2001 at 02:47:22PM -0400, Pablo A. Maurin wrote:
> Hello everyone.
> I am currently using SuSEfirewall2 with the following configuration.
> [ config ]

I don't know what FW_SERVICE_AUTODETECT exactly does, but my guess is that it concludes that there is a DHCP _server_ running on the firewall. (Otherwise no DHCP messages would be routed since you set FW_PROTECT_FROM_INTERNAL.) So it seems to allow incoming UDP traffic to port 67 from client port 68, and back. Thus, the relay agent can communicate with the DHCP client. However, now the relay agent has to talk to the DHCP server, and there it behaves like a DHCP client, port-wise. It looks like SuSEfirewall2 grants outgoing UDP traffic from the client port, but the reply from the DHCP server can't get in because incoming UDP traffic to port *68* is blocked. Therefore, FW_SERVICES_INT_UDP="68" should help.

> is a small misconfiguration on the firewall, but I cannot figure out what it is.

Peter
-- 
Peter Poeml poeml at suse.de
VFS: Busy inodes after unmount. Self-destruct in 5 seconds. Have a nice day...
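One way to check a configuration like this mechanically, as an added example for this thread (not code from SuSEfirewall2 or from either poster): a small Python lint that parses the KEY="value" lines Pablo posted and reports which of the two DHCP ports are not explicitly granted in FW_SERVICES_INT_UDP. The service-name table and the configuration excerpt are constructed here, and the lint deliberately does not model FW_SERVICE_AUTODETECT, so it only reflects explicit settings.

```python
"""Lint a SuSEfirewall2 config for the UDP ports a DHCP relay needs.
Added example for this thread, not SuSEfirewall2's or either poster's code: it
parses the posted KEY="value" lines and reports which DHCP ports, bootps (67,
where the relay listens) and bootpc (68, the reply port Peter says is blocked),
are not granted explicitly in FW_SERVICES_INT_UDP (FW_SERVICE_AUTODETECT is not
modelled, so only explicit entries count).
"""
import re
import shlex

# Constructed subset of /etc/services for resolving service names.
SERVICE_PORTS = {"ssh": 22, "bootps": 67, "bootpc": 68}

# Constructed excerpt of the posted configuration (the lines that matter here).
ORIGINAL_CONFIG = '''
FW_DEV_INT="eth1 eth2"
FW_PROTECT_FROM_INTERNAL="yes"
FW_SERVICES_INT_UDP=""
'''
# Peter's suggested change, and a variant granting both DHCP ports by name.
PETERS_CONFIG = ORIGINAL_CONFIG.replace('_UDP=""', '_UDP="68"')
EXPLICIT_CONFIG = ORIGINAL_CONFIG.replace('_UDP=""', '_UDP="bootps bootpc"')

def parse_config(text):
    """Parse shell-style FW_*="value" assignments into a dict of unquoted strings."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(FW_[A-Z0-9_]+)=(.*)$', line)
        if m:
            cfg[m.group(1)] = " ".join(shlex.split(m.group(2)))
    return cfg

def service_ports(value):
    """Expand a FW_SERVICES_* value such as "ssh 67 1024:1030" into a set of ports."""
    ports = set()
    for tok in value.split():
        if tok in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[tok])
        elif ":" in tok:  # low:high port range
            lo, hi = map(int, tok.split(":", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(tok))
    return ports

def missing_dhcp_relay_ports(cfg):
    """DHCP ports (67, 68) not explicitly opened; empty if internal traffic is unfiltered."""
    if cfg.get("FW_PROTECT_FROM_INTERNAL", "no") != "yes":
        return set()
    return {67, 68} - service_ports(cfg.get("FW_SERVICES_INT_UDP", ""))
```

Against the posted configuration the lint reports both 67 and 68 as not explicitly granted; with Peter's FW_SERVICES_INT_UDP="68" only 67 remains, which his reading attributes to FW_SERVICE_AUTODETECT.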