On Thu, 14 Dec 2006, Darryl Gregorash wrote:
On 2006-12-14 02:33, Peder wrote:
I've been following this thread with some interest, and I cannot see what problem you were having with SuSEfirewall2. AFAICT, all that you did should have worked. What relevant differences are there between what SuSEfirewall2 delivers, and your own rules?
SuSEfirewall2 sends FORWARDED packets to the forward_ext chain where it does some magic tricks with it like setting TOS IIRC and other stuff (there were like 10-15 rules in that chain). My rules just set the default action to ACCEPT and nothing else.
It would have helped, of course, if you had given us an example or two of traffic that was being dropped.
This is from one session:

SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16576 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16577 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16578 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16579 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16610 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16611 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0

(10.100.200.10 is my client and 10.111.40.15 my web server on the DMZ) so it seems like it accepts the initial SYN but drops the following ACKs. From what I recall the FW_FORWARD="10.100.200.0/24,0/0" led to NEW,RELATED and ESTABLISHED being accepted from 10.100.200.0/24 and RELATED and ESTABLISHED being accepted back.

Hmmm, I think I realize now why it doesn't work. Since my squid server isn't a router in its true meaning it doesn't see the ACK my web server sends as a reply to the SYN (since that traffic goes directly from the web server to the client). Therefore it doesn't see my client's subsequent ACK as RELATED or ESTABLISHED. I guess my setup is a bit too unorthodox for SuSEfirewall2 but I still don't get why it doesn't have an option to accept _all_ forwarding.
- Peder
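As an added diagnostic (not code from the thread or from SuSEfirewall2), the Python below parses LOG lines in the SFW2 prefix format quoted above and reports TCP flows where the forwarded SYN was accepted, no SYN/ACK from the server ever crossed the box, and the client's later ACKs were dropped as INVALID: exactly the one-direction-only conntrack symptom Peder describes. The sample log text is constructed in that format; the second flow is a normal symmetric one included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the SuSEfirewall2 LOG-prefix format; the first flow is
# asymmetric (box never sees the SYN/ACK), the second is a normal symmetric one.
SAMPLE_LOG = """\
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16576 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16577 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16578 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.20 DST=10.111.40.15 PROTO=TCP SPT=5000 DPT=80 SYN URGP=0
SFW2-FWDext-ACC-FORW IN=eth1 OUT=eth0 SRC=10.111.40.15 DST=10.100.200.20 PROTO=TCP SPT=80 DPT=5000 ACK SYN URGP=0
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.20 DST=10.111.40.15 PROTO=TCP SPT=5000 DPT=80 ACK URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}

def parse_line(line):
    """Split one LOG line into its prefix, its KEY=VALUE fields and the TCP flag words."""
    tokens = line.split()
    rec = {"prefix": tokens[0], "flags": set()}
    for tok in tokens[1:]:
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val            # e.g. SRC=10.100.200.10
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)     # bare flag words such as SYN, ACK, PSH
    return rec

def find_half_seen_flows(log_text):
    """Map client 4-tuple -> count of INVALID-dropped ACKs, for flows whose SYN
    was forwarded but whose SYN/ACK reply never passed through this host."""
    syn_seen, synack_seen, inv_drops = set(), set(), defaultdict(int)
    for line in log_text.splitlines():
        if not line.startswith("SFW2-"):
            continue
        r = parse_line(line)
        if r.get("PROTO") != "TCP":
            continue
        fwd = (r["SRC"], r["SPT"], r["DST"], r["DPT"])
        if r["flags"] == {"SYN"}:
            syn_seen.add(fwd)
        elif r["flags"] >= {"SYN", "ACK"}:
            # reply direction: key it by the client's 4-tuple so it matches fwd
            synack_seen.add((r["DST"], r["DPT"], r["SRC"], r["SPT"]))
        elif "INV" in r["prefix"] and "ACK" in r["flags"]:
            inv_drops[fwd] += 1
    return {k: n for k, n in inv_drops.items() if k in syn_seen and k not in synack_seen}

if __name__ == "__main__":
    for flow, n in find_half_seen_flows(SAMPLE_LOG).items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: SYN forwarded, no SYN/ACK seen, {n} ACKs dropped INVALID")
```

A non-empty result means conntrack on this host can never reach ESTABLISHED for those flows, so a state-based forward rule will keep dropping them regardless of the FW_FORWARD setting.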