[SLE] another confused firewall....
I'm trying to use the SuSE packet filter to set up simple firewall
masquerading, and I'm getting somewhat confused about what it is doing.
Using SuSE 6.4, kernel 2.2.16.....
The masquerading part seems to be working; it's just that the firewall seems
to block packets for no reason.
At the outset, when Linux boots up, the last thing displayed is:
Warning: interface ppp0 is faulty. Ignore if it's not active yet (eg [i]pp0)
/sbin/ipchains: invalid mask '60' specified.
This last "invalid mask '60' specified" message repeats 5 times.
Locally, I have IP addr 192.168.0.1, DNS (locally) and DHCP servers
running, and a Windows box on 192.168.0.2. All the external IP information
is assigned automatically - IP, DNS, gateway etc.
Here are the basics of the script:
FW_DEV_WORLD="ppp0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.0.0/60"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="no" # "yes" is a good choice
FW_SERVICES_EXTERNAL_TCP="domain"
FW_SERVICES_EXTERNAL_UDP="domain"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="yes" # if yes, FW_TCP_SERVICES_* needs to have port 53
                     # (or "domain") set to allow incoming queries.
                     # also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DHCLIENT="yes" # if you use dhclient to get an ip address
                          # you have to set this to "yes" !
FW_SERVICE_DHCPD="yes" # set to yes, if this server is a DHCP server
FW_FORWARD_TCP="" # Beware to use this!
FW_FORWARD_UDP="" # Beware to use this!
FW_ALLOW_PING_FW="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
Now, running from the local Linux box, when connected, trying something
like "ping www.yahoo.co.uk" I get denies for my ISP's DNS servers:
Aug 19 09:57:45 fridge pppd[591]: local IP address 212.126.132.2
Aug 19 09:57:45 fridge pppd[591]: remote IP address 195.8.83.22
Aug 19 09:57:45 fridge pppd[591]: primary DNS address 195.8.69.9
Aug 19 09:57:45 fridge pppd[591]: secondary DNS address 195.8.69.7
[...]
Aug 19 10:00:10 fridge kernel: Packet log: input DENY ppp0 PROTO=17 195.8.69.9:53 212.126.132.2:1026 L=198 S=0x00 I=28179 F=0x0000 T=62 (#29)
Resorting to IP address only, I get denies on the ping data.
However, if I now try this on my Win95 box across the internal net, it
can do the DNS resolution okay, but I then get denies on the ping data(?):
Aug 19 09:58:22 fridge named[284]: ns_forw: query(www.yahoo.co.uk) NS points to CNAME (ns.europe.yahoo.com:)
Aug 19 09:58:51 fridge kernel: Packet log: forward DENY ppp0 PROTO=6 192.168.0.2:1073 212.126.144.27:3128 L=64 S=0xC0 I=24072 F=0x4000 T=127 SYN (#1)
-- 
== jon bird - software engineer ==
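The two kernel "Packet log:" lines above carry everything needed to see what was dropped and where: the chain (input vs. forward), the interface, protocol number, source and destination socket, and the rule number that matched. The following parser is an added example written for this thread, not code from SuSEfirewall or from the poster; it takes constructed syslog lines in the same 2.2-kernel ipchains format (the two denies from the post plus one unrelated pppd line to show that non-packet lines are skipped) and classifies each deny the way an admin reading the log would. The network 192.168.0.0/24 used for the "internal host" test and the wording of the verdicts are my assumptions.

```python
import ipaddress
import re

# Constructed sample input: the two denies quoted in the post plus one
# pppd line, which the parser must ignore.
SAMPLE_LOG = """\
Aug 19 09:57:45 fridge pppd[591]: local IP address 212.126.132.2
Aug 19 10:00:10 fridge kernel: Packet log: input DENY ppp0 PROTO=17 195.8.69.9:53 212.126.132.2:1026 L=198 S=0x00 I=28179 F=0x0000 T=62 (#29)
Aug 19 09:58:51 fridge kernel: Packet log: forward DENY ppp0 PROTO=6 192.168.0.2:1073 212.126.144.27:3128 L=64 S=0xC0 I=24072 F=0x4000 T=127 SYN (#1)
"""

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# ipchains 2.2 log layout: chain target iface PROTO=n src:sport dst:dport
# L=len S=tos I=ipid F=frag T=ttl [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)"
)


def parse_packet_log(text):
    """Return one dict per 'Packet log:' line; other syslog lines are skipped."""
    entries = []
    for line in text.splitlines():
        match = LOG_RE.search(line)
        if match is None:
            continue
        entry = match.groupdict()
        for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
            entry[key] = int(entry[key])
        entry["flags"] = entry["flags"].split()          # e.g. ["SYN"] or []
        entry["proto_name"] = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
        entries.append(entry)
    return entries


def explain(entry, internal_net="192.168.0.0/24"):
    """Give a one-line verdict for a denied packet (internal_net is an assumption)."""
    if entry["target"] != "DENY":
        return "not a deny"
    src_inside = ipaddress.ip_address(entry["src"]) in ipaddress.ip_network(internal_net)
    if (entry["chain"] == "input" and entry["proto"] == 17
            and entry["sport"] == 53 and entry["dport"] >= 1024):
        return ("DNS reply to a high UDP port dropped on input: the incoming "
                "high-port rule (FW_ALLOW_INCOMING_HIGHPORTS_UDP) did not take effect")
    if entry["chain"] == "forward" and src_inside:
        return ("internal host's packet dropped on forward: the routing/masquerading "
                "rules for FW_MASQ_NETS did not take effect")
    return f"dropped by rule #{entry['rule']}"


if __name__ == "__main__":
    for e in parse_packet_log(SAMPLE_LOG):
        print(f"{e['chain']:8}{e['proto_name']:5}{e['src']}:{e['sport']} -> "
              f"{e['dst']}:{e['dport']}  {explain(e)}")
```

Both denies point at the same thing: a script whose configured values ("yes" for the high ports, a masquerade net) are not reflected in the loaded rules, which is what happens when ipchains rejects a rule and the setup aborts part-way.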
Jon,

> At the outset, when Linux boots up, the last thing displayed is:
> Warning: interface ppp0 is faulty. Ignore if it's not active yet (eg [i]pp0)
> /sbin/ipchains: invalid mask '60' specified.
> This last "invalid mask '60' specified" message repeats 5 times.
> Locally, I have IP addr 192.168.0.1, DNS (locally) and DHCP servers running, and a Windows box on 192.168.0.2. All the external IP information is assigned automatically - IP, DNS, gateway etc.
> Here are the basics of the script:
> FW_DEV_WORLD="ppp0"
> FW_DEV_INT="eth0"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_NETS="192.168.0.0/60"
                             ^^ ------> you mean 24 here, do you?

It is the number of leading bits for the network part of the IP addresses, so 3 x 8 = 24 for the first 3 bytes of your IP address being used for the network mask. I am only guessing that you want to operate on a standard class C net definition with your addresses above, but even then, 60 is definitely an invalid value there.

Kind Regards,
Michael Doerner
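Michael's point is that the number after the slash is a prefix length, a count of leading network bits, not a host count, so for IPv4 it can only be 0..32 and "/60" can never be turned into a netmask. The script below is an added example written for this thread, not SuSEfirewall's own validation code; it builds the dotted mask from a prefix length the way Michael describes (24 bits = 255.255.255.0), rejects lengths outside 0..32 with the same wording ipchains printed, and checks each space-separated entry of a FW_MASQ_NETS value, including the separate case of a network address with host bits set. The function names and the "host bits set" check are my assumptions.

```python
import ipaddress

IPV4_BITS = 32


def prefix_to_mask(prefix):
    """Dotted-quad netmask for a prefix length; anything outside 0..32 is rejected."""
    if not 0 <= prefix <= IPV4_BITS:
        # Same complaint ipchains printed in the post for /60.
        raise ValueError(f"invalid mask '{prefix}' specified")
    bits = (0xFFFFFFFF << (IPV4_BITS - prefix)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(bits))


def check_net(spec):
    """Validate one 'a.b.c.d/len' entry as FW_MASQ_NETS would hold it.

    Returns (ok, detail). ok is False for a missing or out-of-range prefix
    length, and also when the address part has host bits set (e.g. .1/24),
    since the value is meant to name a network, not a host.
    """
    address, sep, length = spec.partition("/")
    if not sep or not length.isdigit():
        return False, f"{spec}: missing or non-numeric prefix length"
    prefix = int(length)
    try:
        mask = prefix_to_mask(prefix)
    except ValueError as exc:
        return False, f"{spec}: {exc}"
    try:
        net = ipaddress.ip_network(spec, strict=True)
    except ValueError:
        net = ipaddress.ip_network(spec, strict=False)
        return False, f"{spec}: host bits set; the network address is {net}"
    return True, f"{net} = mask {mask}, {net.num_addresses} addresses"


def check_masq_nets(value):
    """FW_MASQ_NETS may list several networks separated by spaces; check each."""
    return [check_net(spec) for spec in value.split()]


def covers(spec, host):
    """Would a valid network 'spec' include 'host' (and so masquerade it)?"""
    ok, _ = check_net(spec)
    return ok and ipaddress.ip_address(host) in ipaddress.ip_network(spec)


if __name__ == "__main__":
    for ok, detail in check_masq_nets('192.168.0.0/60 192.168.0.0/24'):
        print("ok " if ok else "BAD", detail)
    print("192.168.0.2 masqueraded by /24:", covers("192.168.0.0/24", "192.168.0.2"))
```

The practical lesson matches the thread's fix: when the first FW_MASQ_NETS entry is rejected, nothing after it in the firewall script can be trusted to have been loaded, which is why both the DNS replies and the forwarded packets were being denied until the mask was corrected and the script was run from the dialler.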
Jon,

[...]
> FW_MASQUERADE="yes"
> FW_MASQ_NETS="192.168.0.0/60"
>                             ^^ ------> you mean 24 here, do you?

Oops, yes, thanks; for some unknown reason I was believing that was the number of IPs I wanted to support......
That's fixed it - that and putting the '/sbin/SuSEfirewall' line in the
dialler script, as per the instructions (idiot).