Re: [SLE] Firewall Help - Very flustered
* Turd Ferguson; <turdferguson@infowest.com> on 27 Mar, 2003 wrote:
> Yeah... I ran that exact command... the interfaces are configured. My masquerading works, as does the webserver from the Internet. Let's try this again: FW_MASQ_NETS="0/0"

Try with 10.10.10.0/24 instead of 0/0. If it does not work, there could be some other problem somewhere, as the firewall configuration looks fine. Just an idea: try to test the configuration via the "/sbin/SuSEfirewall2 test" command and check the logs, as in this case everything passes through, yet the logs will show what would have been the actual case.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
OMG! That did it! I can't believe it. I'm just shocked. I've been working on this for 3 weeks now and finally it's fixed. Thanks for your persistence, Togan!

</Jared>

On Thu, 2003-03-27 at 00:16, Togan Muftuoglu wrote:
> * Turd Ferguson; <turdferguson@infowest.com> on 27 Mar, 2003 wrote:
> > Yeah... I ran that exact command... the interfaces are configured. My masquerading works, as does the webserver from the Internet. Let's try this again: FW_MASQ_NETS="0/0"
>
> Try with 10.10.10.0/24 instead of 0/0. If it does not work, there could be some other problem somewhere, as the firewall configuration looks fine. Just an idea: try to test the configuration via the "/sbin/SuSEfirewall2 test" command and check the logs, as in this case everything passes through, yet the logs will show what would have been the actual case.
>
> --
> Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

--
"Turd Ferguson. Yeah, he's a funny guy." ~Burt Reynolds (As portrayed by Norm Macdonald of SNL)
Nope, I lied... the firewall was still in test mode. Here's the log copy:

Mar 27 00:48:15 gatekeeper kernel: SuSE-FW-ACCESS_DENIED_INT IN=eth1 OUT= MAC=00:10:4b:c9:86:c2:00:03:47:98:8c:a5:08:00 SRC=10.10.10.9 DST=208.186.104.XXX LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=35057 DF PROTO=TCP SPT=36214 DPT=80 WINDOW=20272 RES=0x00 ACK URGP=0 OPT (0101080A01BCE2F2005CEF51)

bah,

</Jared>

On Thu, 2003-03-27 at 00:16, Togan Muftuoglu wrote:
> * Turd Ferguson; <turdferguson@infowest.com> on 27 Mar, 2003 wrote:
> > Yeah... I ran that exact command... the interfaces are configured. My masquerading works, as does the webserver from the Internet. Let's try this again: FW_MASQ_NETS="0/0"
>
> Try with 10.10.10.0/24 instead of 0/0. If it does not work, there could be some other problem somewhere, as the firewall configuration looks fine. Just an idea: try to test the configuration via the "/sbin/SuSEfirewall2 test" command and check the logs, as in this case everything passes through, yet the logs will show what would have been the actual case.
>
> --
> Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

--
"Turd Ferguson. Yeah, he's a funny guy." ~Burt Reynolds (As portrayed by Norm Macdonald of SNL)
* Turd Ferguson; <turdferguson@infowest.com> on 27 Mar, 2003 wrote:
> Nope, I lied... the firewall was still in test mode.
> Here's the log copy: Mar 27 00:48:15 gatekeeper kernel: SuSE-FW-ACCESS_DENIED_INT IN=eth1
                                                                                    ^^^^^^^^

Interesting, you were saying your external is "eth0", but it looks like here "eth1" is the incoming interface.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
I'm not quite sure what you mean.

/dev/eth0 is the interface that goes to my ISP
/dev/eth1 is the interface that goes to my internal network

According to the output, that is how it is, right?

FW_DEV_EXT="eth0" - External Interface
FW_DEV_INT="eth1" - Internal Interface
FW_MASQ_DEV="FW_DEV_EXT" as is correct per the documentation.

Am I misunderstanding you?

</Jared>

On Thu, 2003-03-27 at 01:07, Togan Muftuoglu wrote:
> * Turd Ferguson; <turdferguson@infowest.com> on 27 Mar, 2003 wrote:
> > Nope, I lied... the firewall was still in test mode.
> > Here's the log copy: Mar 27 00:48:15 gatekeeper kernel: SuSE-FW-ACCESS_DENIED_INT IN=eth1
>                                                                                     ^^^^^^^^
>
> Interesting, you were saying your external is "eth0", but it looks like here "eth1" is the incoming interface.
>
> --
> Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

--
"Turd Ferguson. Yeah, he's a funny guy." ~Burt Reynolds (As portrayed by Norm Macdonald of SNL)
Turd Ferguson wrote:
> I'm not quite sure what you mean.
>
> /dev/eth0 is the interface that goes to my ISP
> /dev/eth1 is the interface that goes to my internal network
>
> According to the output, that is how it is, right?
>
> FW_DEV_EXT="eth0" - External Interface
> FW_DEV_INT="eth1" - Internal Interface
> FW_MASQ_DEV="FW_DEV_EXT" as is correct per the documentation.
>
> Am I misunderstanding you?

Set this line: FW_PROTECT_FROM_INTERNAL="yes" to FW_PROTECT_FROM_INTERNAL="no" and test it again. The computer with the firewall now functions as a DMZ machine, I think... Your internal network is also looking at a firewall. With the option changed, the firewall for the internal network is down. Now there is only an external firewall. This should work..... If you need a firewall for the internal network, you should dig some more in the docs, because I have no experience with it.

> </Jared>
>
> On Thu, 2003-03-27 at 01:07, Togan Muftuoglu wrote:
> > * Turd Ferguson; <turdferguson@infowest.com> on 27 Mar, 2003 wrote:
> > > Nope, I lied... the firewall was still in test mode.
> > > Here's the log copy: Mar 27 00:48:15 gatekeeper kernel: SuSE-FW-ACCESS_DENIED_INT IN=eth1
> >                                                                                     ^^^^^^^^
> >
> > Interesting, you were saying your external is "eth0", but it looks like here "eth1" is the incoming interface.
> >
> > --
> > Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx

--
Thanks in advance,
Stefan
--------------------------------------------------------------
Linux a world without borders, fences, windows and gates.....
Titanic98 "Which computer do you want to sink today????"
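As an added example for this thread (not code from SuSEfirewall2, nor from anyone posting here): a small Python checker that parses the SuSE-FW kernel log line Jared posted and cross-checks it against the interface roles, FW_MASQ_NETS and FW_PROTECT_FROM_INTERNAL from a sysconfig fragment, which is what Togan (interface roles, masquerade nets, "test" mode logs) and Stefan (FW_PROTECT_FROM_INTERNAL) were asking him to look at. The config fragment is constructed from the values quoted in the thread; the finding texts, the reading of FW_MASQ_NETS entries (first comma-separated field is the source network, "0/0" meaning everything) and the assumed default of "yes" for FW_PROTECT_FROM_INTERNAL are this example's own assumptions.

```python
import ipaddress
import re

# Constructed sample input: the log line from the thread (destination octet
# masked as XXX in the original) and a sysconfig fragment built from the
# values Jared quoted. Neither is taken from a real system.
SAMPLE_LOG = (
    "Mar 27 00:48:15 gatekeeper kernel: SuSE-FW-ACCESS_DENIED_INT IN=eth1 OUT= "
    "MAC=00:10:4b:c9:86:c2:00:03:47:98:8c:a5:08:00 SRC=10.10.10.9 "
    "DST=208.186.104.XXX LEN=52 TOS=0x08 PREC=0x00 TTL=64 ID=35057 DF "
    "PROTO=TCP SPT=36214 DPT=80 WINDOW=20272 RES=0x00 ACK URGP=0 "
    "OPT (0101080A01BCE2F2005CEF51)"
)

SAMPLE_CONFIG = """\
# constructed fragment in the style of /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="yes"
"""

FW_LOG = re.compile(r"SuSE-FW-(?P<rule>[A-Z_]+)\s(?P<rest>.*)")


def parse_fw_log(line):
    """Split a SuSE-FW kernel log line into its rule tag, key=value fields
    and bare flags (DF, ACK, ...). Returns None for unrelated lines."""
    m = FW_LOG.search(line)
    if m is None:
        return None
    rec = {"rule": m.group("rule"), "flags": []}
    for tok in m.group("rest").split():
        key, sep, val = tok.partition("=")
        if sep:
            rec[key] = val          # "OUT=" yields an empty string, as logged
        else:
            rec["flags"].append(tok)
    return rec


def parse_sysconfig(text):
    """Read KEY="value" lines; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        cfg[key.strip()] = val.strip().strip('"').strip("'")
    return cfg


def masq_networks(cfg):
    """FW_MASQ_NETS entries as ip_network objects. Assumption: the first
    comma-separated field is the source network and 0/0 means everything."""
    nets = []
    for entry in cfg.get("FW_MASQ_NETS", "").split():
        net = entry.split(",")[0]
        if net == "0/0":
            net = "0.0.0.0/0"
        nets.append(ipaddress.ip_network(net, strict=False))
    return nets


def diagnose(line, config_text):
    """Cross-check one log line against the config; returns finding strings."""
    rec = parse_fw_log(line)
    if rec is None:
        return ["not a SuSE-FW log line"]
    cfg = parse_sysconfig(config_text)
    inif = rec.get("IN", "")
    if inif in cfg.get("FW_DEV_INT", "").split():
        role = "internal"
    elif inif in cfg.get("FW_DEV_EXT", "").split():
        role = "external"
    else:
        role = "unassigned"
    findings = [f"IN={inif} is the {role} interface per sysconfig"]
    if rec["rule"].endswith("_INT") and role != "internal":
        findings.append("rule tag names the internal zone but IN is not in "
                        "FW_DEV_INT: interface roles may be swapped")
    if "SRC" in rec:
        src = ipaddress.ip_address(rec["SRC"])
        if not any(src in net for net in masq_networks(cfg)):
            findings.append(f"SRC={src} is outside FW_MASQ_NETS and will not be masqueraded")
    # Assumption: "yes" is the default when the key is absent.
    if rec["rule"] == "ACCESS_DENIED_INT" and cfg.get("FW_PROTECT_FROM_INTERNAL", "yes") == "yes":
        findings.append("ACCESS_DENIED_INT with FW_PROTECT_FROM_INTERNAL=yes: "
                        "traffic from the internal zone is being filtered; "
                        "review that setting and the internal-zone rules")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, SAMPLE_CONFIG):
        print(finding)
```

Run against the thread's line and values, the checker confirms that eth1 really is the internal interface (so the ACCESS_DENIED_INT tag and the config agree), that 10.10.10.9 is covered by FW_MASQ_NETS, and that the remaining lead is FW_PROTECT_FROM_INTERNAL. The checker only flags that setting; as I understand the option, "no" stops filtering what hosts on the internal interface may reach on the firewall host itself, so the trade-off is a trust decision about the internal network rather than just a way to make the log line go away. In "/sbin/SuSEfirewall2 test" mode the same lines appear with nothing actually blocked, which is what makes this kind of cross-check useful before switching the firewall back on.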
participants (3)
- S. Bulterman
- Togan Muftuoglu
- Turd Ferguson