[opensuse] SuseFirewall2 does not allow pings to ext network?
I have a network setup where I have an openSUSE 11.4 system acting as a firewall between an external and an internal network. Using SuSEfirewall2, I have enabled routing (FW_ROUTE="yes") and masquerading (FW_MASQUERADE="yes") between the two nets, and do not protect the firewall from the internal network. I have also set FW_ALLOW_PING_EXT="yes" in the SuSEfirewall2 configuration file.

While I can ping all the devices in the external network from my firewall computer, I CANNOT ping any of the external devices from computers within my internal network. My grokking of the comments on this parameter is that by setting this value to yes, this is exactly what I should be able to do!? I tried pinging both with direct IP addresses and using names resolved via my DNS server with no difference, so that eliminates DNS name resolution as a possible cause.

I get the feeling that this is some kind of routing or NAT issue because I am not able to access any other service provided by devices on the external network from computers on the internal network either, although my firewall computer can do so just fine. On the external network I have a router which is the gateway between the external network and the internet. It too is set up to do NAT translations and has a simplified firewall; could it somehow be the cause of why my internal network cannot reach devices on my external network? That seems odd to me, but then I don't claim to fully understand the way networks work. What am I missing?

Thanks in advance for any ideas/thoughts, I am kinda stumped...

Marc

--
"The Truth is out there" - Spooky

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 10/27/2012 07:53 PM, Marc Chamberlin wrote:
> I get the feeling that this is some kind of routing or NAT issue because I am not able to access any other service provided by devices on the external network from computers on the internal network either, although my firewall computer can do so just fine. On the external network I have a router which is the gateway between the external network and the internet. It too is set up to do NAT translations and has a simplified firewall; could it somehow be the cause of why my internal network cannot reach devices on my external network? That seems odd to me, but then I don't claim to fully understand the way networks work. What am I missing?

Either paste the output of the following to susepaste.org and send the paste id, or send it to the list:

grep -v ^# /etc/sysconfig/SuSEfirewall2|sed /^$/d
On 10/28/2012 10:52 AM, Togan Muftuoglu wrote:
> On 10/27/2012 07:53 PM, Marc Chamberlin wrote:
>> I get the feeling that this is some kind of routing or NAT issue because I am not able to access any other service provided by devices on the external network from computers on the internal network either, although my firewall computer can do so just fine. On the external network I have a router which is the gateway between the external network and the internet. It too is set up to do NAT translations and has a simplified firewall; could it somehow be the cause of why my internal network cannot reach devices on my external network? That seems odd to me, but then I don't claim to fully understand the way networks work. What am I missing?
>
> Either paste the output of the following to susepaste.org and send the paste id, or send it to the list:
>
> grep -v ^# /etc/sysconfig/SuSEfirewall2|sed /^$/d

Thanks Togan, nice way to strip out comments! I have posted the SuSEfirewall2 configuration to http://susepaste.org/fe8e7b3a and left the default expiration at 1 week. Hopefully someone can find something interesting that I have overlooked!

Marc...
On 10/28/2012 08:36 PM, Marc Chamberlin wrote:
> Thanks Togan, nice way to strip out comments! I have posted the SuSEfirewall2 configuration to http://susepaste.org/fe8e7b3a and left the default expiration at 1 week. Hopefully someone can find something interesting that I have overlooked!

Ok, first tighten up your config a bit and remove "any" from the DEV_EXT so it looks like

FW_DEV_EXT="eth0"

When you have FW_PROTECT_FROM_INT="no" then you do not need to specify FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP, so you may want to remove them. Best way during testing is to comment them and add empty versions of them with an empty line after the variable, i.e.

FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""

For testing purposes also make the following changes:

FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_ALL="yes"

These will cause lots of logging, so once you are done with the testing revert them back to their default "no".

So for testing, once the above is corrected, with root privileges:

/sbin/SuSEfirewall2 start

Begin trying to use your application and send the relevant part of the logs, i.e. if the service is unreachable then find the log entries which are dropped and send them, or use susepaste.org, in which case send the paste id.

Togan
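The checks Togan lists above can be scripted against a configuration file. The following is an added example written for this archive page; it is not from the thread, from Togan, or from the SuSEfirewall2 project. It reuses the grep|sed comment stripper from earlier in the thread, reads the FW_* variables with sed, and reports an "any" in FW_DEV_EXT, FW_SERVICES_INT_* values that are ignored while FW_PROTECT_FROM_INT="no", FW_ROUTE not set to "yes", and logging switches that are off during a test run. The sample config, the function names (fw_strip, fw_get, fw_lint, fw_lint_count) and the lint messages are all constructed here.

```shell
#!/bin/sh
# Added example: lint a SuSEfirewall2-style config for the points raised in the thread.
# The config below is constructed for this example; it is not the poster's real file.
SAMPLE_CFG="${TMPDIR:-/tmp}/SuSEfirewall2.sample.$$"
cat > "$SAMPLE_CFG" <<'EOF'
## Path:        Network/Firewall/SuSEfirewall2
# Comment lines and blank lines are what the grep|sed pipeline strips.
FW_DEV_EXT="any eth0"
FW_DEV_INT="eth1"

FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_INT_UDP=""
FW_ALLOW_PING_EXT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_ALL="yes"
EOF

# fw_strip FILE: the same comment/blank-line stripper used in the thread.
fw_strip() {
    grep -v '^#' "$1" | sed '/^$/d'
}

# fw_get VAR FILE: value of VAR with surrounding double quotes removed
# (the last assignment wins, as it would when the shell sources the file).
fw_get() {
    fw_strip "$2" | sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | tail -n 1
}

# fw_lint FILE: print one finding per line (prints nothing when the config is clean).
fw_lint() {
    f="$1"
    # 1. FW_DEV_EXT should name the external interface(s) explicitly, not "any".
    case " $(fw_get FW_DEV_EXT "$f") " in
        *" any "*) echo "FW_DEV_EXT contains 'any': name the external interface explicitly" ;;
    esac
    # 2. With FW_PROTECT_FROM_INT="no" the internal service lists have no effect.
    if [ "$(fw_get FW_PROTECT_FROM_INT "$f")" = "no" ]; then
        for v in FW_SERVICES_INT_TCP FW_SERVICES_INT_UDP; do
            if [ -n "$(fw_get "$v" "$f")" ]; then
                echo "$v is set but ignored while FW_PROTECT_FROM_INT=\"no\": empty it (${v}=\"\")"
            fi
        done
    fi
    # 3. Forwarding between the two networks needs FW_ROUTE="yes".
    if [ "$(fw_get FW_ROUTE "$f")" != "yes" ]; then
        echo "FW_ROUTE is not \"yes\": packets will not be forwarded between internal and external"
    fi
    # 4. For a test run both logging switches should be on (and turned back off afterwards).
    for v in FW_LOG_DROP_ALL FW_LOG_ACCEPT_ALL; do
        if [ "$(fw_get "$v" "$f")" != "yes" ]; then
            echo "$v is not \"yes\": not every dropped/accepted packet will be logged during the test"
        fi
    done
}

# fw_lint_count FILE: number of findings, for use from other scripts.
fw_lint_count() {
    fw_lint "$1" | wc -l | tr -d ' '
}

fw_lint "$SAMPLE_CFG"
```

Run against the constructed sample it reports three findings (the "any", the stray FW_SERVICES_INT_TCP value, and FW_LOG_DROP_ALL still off); against a real box point SAMPLE_CFG at /etc/sysconfig/SuSEfirewall2 instead of writing the heredoc.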
On 10/29/2012 12:59 AM, Togan Muftuoglu wrote:
> On 10/28/2012 08:36 PM, Marc Chamberlin wrote:
>> Thanks Togan, nice way to strip out comments! I have posted the SuSEfirewall2 configuration to http://susepaste.org/fe8e7b3a and left the default expiration at 1 week. Hopefully someone can find something interesting that I have overlooked!
>
> Ok, first tighten up your config a bit and remove "any" from the DEV_EXT so it looks like FW_DEV_EXT="eth0"
>
> When you have FW_PROTECT_FROM_INT="no" then you do not need to specify FW_SERVICES_INT_TCP and FW_SERVICES_INT_UDP, so you may want to remove them. Best way during testing is to comment them and add empty versions of them with an empty line after the variable, i.e.
>
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
>
> For testing purposes also make the following changes:
>
> FW_LOG_DROP_ALL="yes"
> FW_LOG_ACCEPT_ALL="yes"
>
> These will cause lots of logging, so once you are done with the testing revert them back to their default "no".
>
> So for testing, once the above is corrected, with root privileges: /sbin/SuSEfirewall2 start
>
> Begin trying to use your application and send the relevant part of the logs, i.e. if the service is unreachable then find the log entries which are dropped and send them, or use susepaste.org, in which case send the paste id.
>
> Togan

Thanks for the good suggestions Togan, on how to improve SuSEFirewall2! Much appreciated.

I made the changes you suggested, then restarted the firewall, and tried to ping devices on my external network from inside my internal network. No joy. I did a tail -f /var/log/firewall and posted the output to http://susepast.org/34186a92, but I don't think much of relevance really got logged. Perhaps you will see something I don't. I can try and do it a few more times; the output is different each time, and I suspect mostly from other systems on my internal network communicating with the internet.

Marc..
On 2012-10-30 18:34, Marc Chamberlin wrote:
> I made the changes you suggested, then restarted the firewall, and tried to ping devices on my external network from inside my internal network. No joy.

Both internal and external sides are in fact private networks? You do not need NAT, you can use direct routing, unless you have a reason for it.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
On 10/30/2012 12:49 PM, Carlos E. R. wrote:
> On 2012-10-30 18:34, Marc Chamberlin wrote:
>> I made the changes you suggested, then restarted the firewall, and tried to ping devices on my external network from inside my internal network. No joy.
>
> Both internal and external sides are in fact private networks? You do not need NAT, you can use direct routing, unless you have a reason for it.

Carlos - Perhaps I can look into direct routing, and if I get it to work, are you implying that NAT is not fully working in SuSEFirewall2? Seems like a pretty serious bug to me, IMHO! Pings and NAT should be fairly straightforward functions that SuSEFirewall2 should handle across two different private networks.... I was guessing that I simply have something misconfigured, and your suggestion of using direct routing as a workaround comes as a surprise! I do know that at some level NAT must be working; how else could all my systems on my private network be accessing the internet without a problem? So why shouldn't NAT work when I simply am trying to access my external (private) network?

Having never configured direct routing before, guess it is time for me to figure it out... ;-) And I probably could use some help here also...... I have tried the following setting (simply guessing), but no joy...

FW_TRUSTED_NETS="192.168.2.0/24"

and I took a guess and also tried the following setting in SuSEfirewall2 -

FW_FORWARD="192.168.2.0/24,169.254.1.0/24"

believing that would allow any service on the 169 network to be accessible from the 192 network, but the comments stipulate that this only works for non-private nets, so guess I am not surprised that it did not help either.... Since these changes did not help matters, I have backed them out. So how do I configure SuSEFirewall2 to do direct routing?

Marc...
On 2012-10-31 01:22, Marc Chamberlin wrote:
> On 10/30/2012 12:49 PM, Carlos E. R. wrote:
>
> Carlos - Perhaps I can look into direct routing, and if I get it to work, are you implying that NAT is not fully working in SuSEFirewall2? Seems like a pretty serious bug to me, IMHO!

No, I'm not implying it's buggy. I'm wondering why you are using it to connect two internal networks. The default is to route.

> Pings and NAT should be fairly straightforward functions that SuSEFirewall2 should handle across two different private networks....

NAT has "side effects". It may be that SuSEfirewall blocks ping only.

> I was guessing that I simply have something misconfigured, and your suggestion of using direct routing as a workaround comes as a surprise! I do know that at some level NAT must be working; how else could all my systems on my private network be accessing the internet without a problem? So why shouldn't NAT work when I simply am trying to access my external (private) network?

I don't know, and I do not have at my disposal a network to play with and find out ;-)

> Since these changes did not help matters, I have backed them out. So how do I configure SuSEFirewall2 to do direct routing?

IIRC, like this:

FW_ROUTE="yes"
FW_FORWARD="192.168.1.0/24,192.168.2.0/24"

But I'm more used to doing it with routers, not PCs, so I don't remember offhand the exact setting.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
On 10/30/2012 06:34 PM, Marc Chamberlin wrote:
>> Begin trying to use your application and send the relevant part of the logs, i.e. if the service is unreachable then find the log entries which are dropped and send them, or use susepaste.org, in which case send the paste id.
>>
>> Togan
>
> Thanks for the good suggestions Togan, on how to improve SuSEFirewall2! Much appreciated.
>
> I made the changes you suggested, then restarted the firewall, and tried to ping devices on my external network from inside my internal network. No joy. I did a tail -f /var/log/firewall and posted the output to http://susepast.org/34186a92

There is nothing related to ping in the logs you put up there.

> but I don't think much of relevance really got logged. Perhaps you will see something I don't. I can try and do it a few more times; the output is different each time, and I suspect mostly from other systems on my internal network communicating with the internet.

Please provide the output of

ip a sh
ip ro sh

and the logs of the firewall when pinging:

grep -i icmp /var/log/firewall
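The grep above pulls out every ICMP line, which on a box facing the internet includes a lot of unrelated noise. The following is an added example for this page (not from the thread or from SuSEfirewall2): a POSIX shell/awk function that goes one step further and summarises the ICMP entries of netfilter LOG-style kernel lines by log prefix, inbound/outbound interface, endpoints and ICMP type, plus a filter that keeps only the forwarded entries that were dropped, which are the ones worth sending to the list when a ping across the firewall fails. The log lines, hostnames, addresses and SFW2-* prefixes below are constructed for the example; only the IN=/OUT=/SRC=/DST=/PROTO=/TYPE= field format follows the kernel's LOG target.

```shell
#!/bin/sh
# Added example: summarise ICMP entries from /var/log/firewall-style kernel log lines.
# The sample log is constructed for this example (hosts, addresses and log prefixes
# are illustrative); the key=value fields follow the netfilter LOG target format.
SAMPLE_LOG="${TMPDIR:-/tmp}/firewall.sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Oct 31 01:40:12 fw kernel: [ 812.101] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Oct 31 01:40:13 fw kernel: [ 813.220] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth0 SRC=192.168.2.5 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5678 SEQ=1
Oct 31 01:40:13 fw kernel: [ 813.225] SFW2-INint-ACC-ALL IN=eth1 OUT= SRC=192.168.2.5 DST=192.168.2.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=0 RES=0x00 SYN URGP=0
Oct 31 01:40:14 fw kernel: [ 814.001] SFW2-FWDext-DROP-DEFLT IN=eth1 OUT=eth0 SRC=192.168.2.5 DST=192.168.3.20 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=5678 SEQ=2
Oct 31 01:40:15 fw kernel: [ 815.330] SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.2 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=2
EOF

# icmp_summary FILE: one line per distinct (prefix, IN->OUT, SRC->DST, type)
# combination among the ICMP entries, prefixed with how often it occurred,
# most frequent first.
icmp_summary() {
    awk '
        /PROTO=ICMP/ {
            split("", f); pfx = "?"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if ($i ~ /^SFW2-/) pfx = $i; else if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            ifin  = (f["IN"]  == "") ? "-" : f["IN"]     # empty IN= means locally generated
            ifout = (f["OUT"] == "") ? "-" : f["OUT"]    # empty OUT= means delivered locally
            key = pfx " " ifin "->" ifout " " f["SRC"] "->" f["DST"] " type=" f["TYPE"]
            count[key]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -k1,1nr -k2
}

# forwarded_icmp_drops FILE: only the forwarded (FWD*) ICMP entries that were
# dropped, i.e. a ping crossing the firewall that the ruleset refused.
forwarded_icmp_drops() {
    icmp_summary "$1" | awk '$2 ~ /^SFW2-FWD.*-DROP/'
}

icmp_summary "$SAMPLE_LOG"
echo "--- forwarded drops ---"
forwarded_icmp_drops "$SAMPLE_LOG"
```

On the constructed sample the two inbound drops from the internet collapse into one line with count 2, the forwarded ping to 8.8.8.8 shows as accepted, and the single dropped forward (eth1->eth0) is what the filter returns. On a real system call the functions with /var/log/firewall instead of the heredoc file.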
On 10/30/2012 2:14 PM, Togan Muftuoglu wrote:
> On 10/30/2012 06:34 PM, Marc Chamberlin wrote:
>>> Begin trying to use your application and send the relevant part of the logs, i.e. if the service is unreachable then find the log entries which are dropped and send them, or use susepaste.org, in which case send the paste id.
>>>
>>> Togan
>>
>> Thanks for the good suggestions Togan, on how to improve SuSEFirewall2! Much appreciated.
>>
>> I made the changes you suggested, then restarted the firewall, and tried to ping devices on my external network from inside my internal network. No joy. I did a tail -f /var/log/firewall and posted the output to http://susepast.org/34186a92
>
> There is nothing related to ping in the logs you put up there.
>
>> but I don't think much of relevance really got logged. Perhaps you will see something I don't. I can try and do it a few more times; the output is different each time, and I suspect mostly from other systems on my internal network communicating with the internet.
>
> Please provide the output of
>
> ip a sh
> ip ro sh

See http://susepaste.org/5548ce9d

> and the logs of the firewall when pinging:
>
> grep -i icmp /var/log/firewall

Well, absolutely nothing is logged when I try to ping devices in the external 169.254.1.x net from the internal 192.168.2.x network! However, I do see ICMP messages coming IN to my firewall machine from various external addresses on the internet. I suspect you don't want to see those... AND I do see ICMP messages when I ping some external site, such as www.google.com, from within my 192.168.2.x private network! I suspect you don't want to see those either.... AND I do see ICMP messages when I ping a device on my external 169.254.1.x network from the firewall machine itself!

Seems very odd that nothing is being logged when I execute a ping from my internal network to some device on my external 169.254.1.x private network!

Marc...
On 10/31/2012 01:47 AM, Marc Chamberlin wrote:
> Well, absolutely nothing is logged when I try to ping devices in the external 169.254.1.x net from the internal 192.168.2.x network! However, I do see ICMP messages coming IN to my firewall machine from various external addresses on the internet. I suspect you don't want to see those... AND I do see ICMP messages when I ping some external site, such as www.google.com, from within my 192.168.2.x private network! I suspect you don't want to see those either.... AND I do see ICMP messages when I ping a device on my external 169.254.1.x network from the firewall machine itself!
>
> Seems very odd that nothing is being logged when I execute a ping from my internal network to some device on my external 169.254.1.x private network!

To be frank, having a configured 169 network is odd to me, but anyway.

1) /sbin/SuSEfirewall2 status
   paste the output
2) /sbin/SuSEfirewall2 test
   ping from internal and grep the icmp parts and paste

Togan
Marc Chamberlin wrote:
> Well, absolutely nothing is logged when I try to ping devices in the external 169.254.1.x net from the internal 192.168.2.x network!

You are aware that 169.254 is link-local, it won't pass any routing or forwarding?

--
Per Jessen, Zürich (2.2°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
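Per's remark is the resolution of the thread, so here is the check it implies, written out as an added example for this page (not from the thread or from SuSEfirewall2). ip_in_cidr does IPv4 prefix matching with plain shell integer arithmetic, is_link_local tests membership in 169.254.0.0/16 (the IPv4 link-local block of RFC 3927, which routers are required not to forward), and forward_check walks a FW_FORWARD-style "net,net" list like the one Marc tried earlier and reports any entry that forwarding cannot satisfy. The function names and sample inputs are mine.

```shell
#!/bin/sh
# Added example: IPv4 prefix arithmetic and a link-local check in plain POSIX sh.

# ip2int A.B.C.D: print the address as an unsigned 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr ADDR NET[/BITS]: succeed when ADDR lies inside NET/BITS (a bare NET means /32).
ip_in_cidr() {
    case "$2" in */*) ;; *) set -- "$1" "$2/32" ;; esac
    net="${2%/*}"; bits="${2#*/}"
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_link_local ADDR: the RFC 3927 IPv4 link-local block, 169.254.0.0/16.
# Hosts use it to auto-configure on a single link; routers must not forward
# packets to or from it, so a firewall in the middle cannot make such devices
# reachable from another subnet no matter how FW_FORWARD or NAT is set.
is_link_local() {
    ip_in_cidr "$1" 169.254.0.0/16
}

# forward_check "NET/BITS,NET/BITS": print one finding per network that
# forwarding cannot serve; prints nothing when every network is routable.
forward_check() {
    echo "$1" | tr ',' '\n' | while read -r entry; do
        [ -n "$entry" ] || continue
        addr="${entry%/*}"
        if is_link_local "$addr"; then
            echo "$entry: link-local (169.254.0.0/16) is not forwarded; only hosts on that link can reach it"
        fi
    done
}

# forward_check_count SPEC: number of findings, for use from other scripts.
forward_check_count() {
    forward_check "$1" | wc -l | tr -d ' '
}

# The FW_FORWARD value Marc tried: the second network is link-local, so it is reported.
forward_check "192.168.2.0/24,169.254.1.0/24"
```

The same is_link_local test is what you would run on a destination before spending time on firewall logs: if it succeeds, the absence of any log entry is expected, because the packet is never a candidate for forwarding in the first place.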
On 2012-10-31 10:44, Per Jessen wrote:
> Marc Chamberlin wrote:
>> Well, absolutely nothing is logged when I try to ping devices in the external 169.254.1.x net from the internal 192.168.2.x network!
>
> You are aware that 169.254 is link-local, it won't pass any routing or forwarding?

Ah! No, I wasn't.

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
On 10/31/2012 2:44 AM, Per Jessen wrote:
> Marc Chamberlin wrote:
>> Well, absolutely nothing is logged when I try to ping devices in the external 169.254.1.x net from the internal 192.168.2.x network!
>
> You are aware that 169.254 is link-local, it won't pass any routing or forwarding?

Oh boy! Thanks Per Jessen, I think you have hit on the reason I am unable to ping these devices on my external network! I did some research on link-local addresses and what they are, and learned something new! ;-) I am actually locked into using the 169.254.1.x network addresses because my external network devices are Motorola Canopy wireless access points and subscriber modules. These are used to provide wireless internet service links over distances of up to 30 miles and are usually mounted on towers. Kinda makes it difficult to get at them easily ;-) and while I can (temporarily) change their address to anything I want, Motorola has designed these such that in the event of a reboot or power failure/restart they will not boot up with any address other than one in the 169.254.1.x address space. So I gave up on trying to use a different (more common) address space for them. But this link-local restriction is sure inconvenient because it means I can only test and configure them from my firewall computer, and not from any other place within my local networks. Sigh...

Marc...
On 2012-10-31 16:58, Marc Chamberlin wrote:
> On 10/31/2012 2:44 AM, Per Jessen wrote:
>
> from my firewall computer, and not from any other place within my local networks. Sigh...

Oh boy, indeed... I would, nevertheless, try to disable NAT and use normal routing, to see what happens...

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
On Thu, 1 Nov 2012 02:28:02 Marc Chamberlin wrote:
> On 10/31/2012 2:44 AM, Per Jessen wrote:
>> Marc Chamberlin wrote:
>>> Well, absolutely nothing is logged when I try to ping devices in the external 169.254.1.x net from the internal 192.168.2.x network!
>>
>> You are aware that 169.254 is link-local, it won't pass any routing or forwarding?
>
> Oh boy! Thanks Per Jessen, I think you have hit on the reason I am unable to ping these devices on my external network! I did some research on link-local addresses and what they are, and learned something new! ;-) I am actually locked into using the 169.254.1.x network addresses because my external network devices are Motorola Canopy wireless access points and subscriber modules. These are used to provide wireless internet service links over distances of up to 30 miles and are usually mounted on towers. Kinda makes it difficult to get at them easily ;-) and while I can (temporarily) change their address to anything I want, Motorola has designed these such that in the event of a reboot or power failure/restart they will not boot up with any address other than one in the 169.254.1.x address space. So I gave up on trying to use a different (more common) address space for them. But this link-local restriction is sure inconvenient because it means I can only test and configure them from my firewall computer, and not from any other place within my local networks. Sigh...
>
> Marc...

Marc, I have extensive experience with the Motorola Canopy AP's and SM's and I can say for sure that if yours are defaulting back to their factory-assigned IP address range, either

a) you have something misconfigured on the units themselves,
b) your installers have left a "default plug" plugged in, which causes a reset to factory default settings on power up (but even this can be disabled in software via the web interface - just don't lose the IP address if you do disable it), or
c) they're configured for DHCP or BOOTP and your DHCP or BOOTP server is serving the wrong addresses.

I have a WAN running 3 clusters with numerous AP's on each and manually assigned IP addresses and I have *never* seen what you describe except intentionally when the default plug is plugged in. If you want to email me offline (since this is OT for this group) I'll be happy to assist you in figuring it out (if I can).

Regards,
Rodney.

--
Rodney Baker VK5ZTV
rodney.baker@iinet.net.au
On 2012-11-01 03:30, Rodney Baker wrote:
> If you want to email me offline (since this is OT for this group) I'll be happy to assist you in figuring it out (if I can).

If you manage to solve this, just drop a note to say so here :-)

--
Cheers / Saludos,
Carlos E. R. (from 11.4 x86_64 "Celadon" (Minas Tirith))
participants (5)
- Carlos E. R.
- Marc Chamberlin
- Per Jessen
- Rodney Baker
- Togan Muftuoglu