[opensuse] Accepting all in the FORWARD chain
What's the "correct" way to persuade SuSEfirewall2 in 10.2 to accept all forwarding? I've looked in /etc/sysconfig/SuSEfirewall2 and found the FW_FORWARD but even though I set it to "10.100.200.0/24,0/0" it seems to drop some packages. I have my server (with only one NIC) as the client PCs' default gateway and it's set up as a transparent squid proxy with a PREROUTING rule taking care of redirecting port 80 to squid's 3128. All other traffic should be forwarded right through the system ('iptables -L FORWARD' should give "Chain FORWARD (policy ACCEPT)" and nothing else). I could ditch SuSEfirewall2 entirely and hack up my own little firewall script but I'm kinda interested in doing it the proper way. I'd also like to find out how to restart the firewall w/o using yast. Do I have to stop and start both SuSEfirewall2_init and SuSEfirewall2_setup or is one enough?
- Peder
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 12/12/06 16:15, suseuser@freeway.org wrote:
What's the "correct" way to persuade SuSEfirewall2 in 10.2 to accept all forwarding? I've looked in /etc/sysconfig/SuSEfirewall2 and found the FW_FORWARD but even though I set it to "10.100.200.0/24,0/0" it seems to drop some packages.
Maybe you meant "drop some packets" :-P Is packet forwarding enabled? (i.e.: /proc/sys/net/ipv4/ip_forward set to 1). Did you put the appropriate rules in the POSTROUTING chain?
BTW, it is not safe to allow forwarding from 0/0.
-- Hoper (aka QED)
On Tuesday 12 December 2006 18:51, Hoper Edei Deixai wrote:
On 12/12/06 16:15, suseuser@freeway.org wrote:
What's the "correct" way to persuade SuSEfirewall2 in 10.2 to accept all forwarding? I've looked in /etc/sysconfig/SuSEfirewall2 and found the FW_FORWARD but even though I set it to "10.100.200.0/24,0/0" it seems to drop some packages.
Maybe you meant "drop some packets" :-P Is packet forwarding enabled? (i.e.: /proc/sys/net/ipv4/ip_forward set to 1). Did you put the appropriate rules in POSTROUTING chain?
BTW, is not safe to allow forwarding from 0/0.
The rule says to forward to 0/0, not from, which should be safe enough. But given that the network is 10.x.x.x, which is private, I wonder if perhaps masquerading shouldn't be used instead, since otherwise it won't be possible to reach external addresses. The simplest method is to use YaST, the firewall module, and simply enable masquerading.
On 12/12/06 18:55, Anders Johansson wrote:
What's the "correct" way to persuade SuSEfirewall2 in 10.2 to accept all forwarding? I've looked in /etc/sysconfig/SuSEfirewall2 and found the FW_FORWARD but even though I set it to "10.100.200.0/24,0/0" it seems to drop some packages. Maybe you meant "drop some packets" :-P Is packet forwarding enabled? (i.e.: /proc/sys/net/ipv4/ip_forward set to 1). Did you put the appropriate rules in POSTROUTING chain?
BTW, it is not safe to allow forwarding from 0/0.
The rule says to forward to 0/0, not from, which should be safe enough
My fault, I don't know much about SuSEfirewall2. I don't like it, because I want to know what the firewall is doing.
But given that the network is 10.x.x.x, which is private, I wonder if perhaps masquerading shouldn't be used instead, since otherwise it won't be possible to reach external addresses That's what I meant with "appropriate POSTROUTING rules".
Hoper Edei Deixai (ὅπερ ἔδει δεῖξαι) aka QED
OpenPGP key ID: 0x58D14EB3
Key fingerprint: 00B9 3E17 630F F2A7 FF96 DA6B AEE0 EC27 58D1 4EB3
Check fingerprints before trusting a key!
On Tuesday 12 December 2006 19:26, Hoper Edei Deixai wrote:
My fault, I don't know much about SuSEfirewall2. I don't like it, cause I want to know what the firewall is doing.
Then read it. It's a shell script, which simplifies tedious tasks. If you're going to be advising beginners, please don't start them out on the advanced course. Enabling masquerading is one checkbox in yast, it doesn't have to be harder than that.
On Tue, 12 Dec 2006, Anders Johansson wrote:
On Tuesday 12 December 2006 18:51, Hoper Edei Deixai wrote:
Maybe you meant "drop some packets" :-P
Heh! (On a side note, I tried uninstalling MozillaFirefox and this is what I got:
[root@squid ~]# rug remove -N MozillaFirefox
Waking up ZMD...Done
Resolving Dependencies...
The following packages will be removed:
3ddiag 0.738-29 (system)
cabextract 1.2-16 (system)
CheckHardware 0.1-1017 (system)
desktop-translations 10.1-66 (system)
evms-gui 2.5.5-67 (system)
ghostscript-x11 8.15.3-24 (system)
lsb 3.1-22 (system)
MozillaFirefox 2.0-30 (system)
numlockx 1.1-23 (system)
openssh-askpass 4.4p1-24 (system)
opensuse-manual_en 10.2-28 (system)
sax2-gui 8.1-83 (system)
tightvnc 1.2.9-224 (system)
unclutter 8-874 (system)
x11 10.2-145 (system)
pattern:x11-10.2-145.i586[System packages] dependend on MozillaFirefox
pattern:x11-10.2-145.i586[System packages] is missing the requirement MozillaFirefox
x11-input-synaptics 0.14.6-24 (system)
x11-input-wacom 0.7.6-18 (system)
x11-tools 0.1-57 (system)
xaw3d 1.5E-263 (system)
xdg-utils 1.0.1-7 (system)
xdmbgrd 0.6-21 (system)
xkeyboard-config 0.9-24 (system)
xlockmore 5.23-11 (system)
xorg-x11-libX11-ccache 7.2-12 (system)
xtermset 0.5.2-153 (system)
yast2-control-center 2.14.1-6 (system)
how the f*#%k can all these packages depend on Firefox being installed?? Talk about dependency hell.)
Is packet forwarding enabled? (i.e.: /proc/sys/net/ipv4/ip_forward set to 1). Did you put the appropriate rules in POSTROUTING chain?
Packet forwarding is enabled and I don't need any POSTROUTING rules.
The rule says to forward to 0/0, not from, which should be safe enough But given that the network is 10.x.x.x, which is private, I wonder if perhaps masquerading shouldn't be used instead, since otherwise it won't be possible to reach external addresses
Nope, I don't need masquerading, the squid box sits before my firewall (and has only one NIC). The idea is that the client PCs are default routed to the squid box. Outgoing web requests are captured by a PREROUTING rule to hand them over to squid. All other traffic should just be forwarded to the default route of the squid box, which is my firewall. I've had this setup on a Mandriva box before so I know it works, it's just the antics of SuSEfirewall2 and how to completely allow forwarding in it I don't quite grasp.
- Peder
On Wednesday 13 December 2006 08:22, suseuser@freeway.org wrote:
Nope, I don't need masquerading, the squid box sits before my firewall (and has only one NIC). The idea is that the client PC's are default routed to the squid box. Outgoing web requests are captured by a PREROUTING rule to hand them over to squid. All other traffic should just be forwarded to the default route of the squid box, which is my firewall.
So let me get this straight. You use the squid box as default gateway for your internal machines even though it only has one NIC, and then you have the router as default gateway for the squid. And you say it drops "some" packages, but not all. Which packages does it drop? BTW, I wouldn't have set it up that way, I would have done it on the router, with a redirect of web traffic to the squid box and a normal masquerading for everything else.
I've had this setup on an Mandriva box before so I know it works, it's just the antics of SuSEfirewall2 and how to completely allow forwarding in it I don't quite grasp.
As far as I know, FW_ROUTE="yes" and your FW_FORWARD rule should be enough. But I have to say, I've never had much luck with implementing a router with only one NIC, on any platform. Your squid box is effectively a router, and as such should have two NICs.
So let me get this straight. You use the squid box as default gateway for your internal machines even though it only has one NIC, and then you have the router as default gateway for the squid And you say it drops "some" packages, but not all. Which packages does it drop?
Correct. I also have it set up so that my internal web servers don't get "squidded". It seems to have dropped the initial http requests to my internal web but eventually let them through, resulting in an initial delay of a second or two.
But I have to say, I've never had much luck with implementing a router with only one NIC, on any platform. Your squid box is effectively a router, and as such should have two NICs
Well it works just fine with only one :) It's not really a router either since for all non-http traffic it only sees the outgoing traffic. All returning traffic goes straight to the clients since there's no masquerading going on. I have now ditched SuSEfirewall2 and gone back to using my own fw ruleset and now it's up and running. The only problem I got by that is that the /proc/sys/net/ipv4/ip_forward got set to 0. I checked that boot.ipconfig set it to 1 and even made an entry in sysctl.conf but something later on in the startup routine still changed it. I ended up having to set it in my fw-script startup.
- Peder
On 2006-12-14 02:33, Peder wrote:
I've been following this thread with some interest, and I cannot see what problem you were having with SuSEfirewall2. AFAICT, all that you did should have worked. What relevant differences are there between what SuSEfirewall2 delivers, and your own rules? It would have helped, of course, if you had given us an example or two of traffic that was being dropped.
<snip>
I have now ditched SuSEfirewall2 and gone back to using my own fw ruleset and now it's up and running. The only problem I got by that is that the /proc/sys/net/ipv4/ip_forward got set to 0. I checked that boot.ipconfig set it to 1 and even made an entry in sysctl.conf but something later on in the startup routine still changed it. I ended up having to set it in my fw-script startup.
Yast/System, sysconfig editor. Network/general/IP_FORWARD="yes". File: /etc/sysconfig/sysctl
-- The best way to accelerate a computer running Windows is at 9.81 m/s²
On Thu, 14 Dec 2006, Darryl Gregorash wrote:
On 2006-12-14 02:33, Peder wrote:
I've been following this thread with some interest, and I cannot see what problem you were having with SuSEfirewall2. AFAICT, all that you did should have worked. What relevant differences are there between what SuSEfirewall2 delivers, and your own rules?
SuSEfirewall2 sends FORWARDED packets to the forward_ext chain where it does some magic tricks with them like setting TOS IIRC and other stuff (there were like 10-15 rules in that chain). My rules just set the default action to ACCEPT and nothing else.
It would have helped, of course, if you had given us an example or two of traffic that was being dropped.
This is from one session:
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16576 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16577 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16578 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16579 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16610 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16611 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
(10.100.200.10 is my client and 10.111.40.15 my web server on the DMZ) so it seems like it accepts the initial SYN but drops the following ACKs. From what I recall the FW_FORWARD="10.100.200.0/24,0/0" led to NEW,RELATED and ESTABLISHED being accepted from 10.100.200.0/24 and RELATED and ESTABLISHED being accepted back. Hmmm, I think I realize now why it doesn't work. Since my squid server isn't a router in its true meaning it doesn't see the ACK my web server sends as a reply to the SYN (since that traffic goes directly from the web server to the client). Therefore it doesn't see my client's subsequent ACK as RELATED or ESTABLISHED. I guess my setup is a bit too unorthodox for SuSEfirewall2 but I still don't get why it doesn't have an option to accept _all_ forwarding.
- Peder
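The diagnosis in Peder's message above can be reproduced mechanically. The following is an added example for this thread, not SuSEfirewall2 code and not code from any poster: it parses the SFW2-FWDext log lines posted above, runs them through a deliberately simplified model of netfilter's TCP connection tracking (states SYN_SENT, SYN_RECV, ESTABLISHED only), applies the FW_FORWARD="10.100.200.0/24,0/0" policy exactly as Peder describes it (NEW, RELATED, ESTABLISHED accepted from the client subnet, only RELATED and ESTABLISHED accepted back), and checks that the modelled verdicts match the logged ones. It also shows the same handshake on a symmetric path, where every packet is accepted, and a small detector (diagnose) for the "SYN accepted, later ACKs dropped, no reply ever seen" pattern that marks a stateful filter sitting on an asymmetric path. All class and function names (Conntrack, parse_line, replay, symmetric_handshake, diagnose) are this example's own.

```python
"""Replay the SFW2 FORWARD log lines posted above through a minimal TCP
connection tracker: a one-NIC "router" never sees the server's SYN/ACK, so
the client's following ACKs are INVALID to a stateful filter and dropped.
Added example for this thread, not SuSEfirewall2 code or any poster's code;
the tracker is a simplified model of netfilter's TCP states and the policy
is the FW_FORWARD="10.100.200.0/24,0/0" behaviour Peder describes."""
import ipaddress
import re
from collections import namedtuple

CLIENT_NET = ipaddress.ip_network("10.100.200.0/24")
Pkt = namedtuple("Pkt", "src sport dst dport flags")

# Constructed input: the posted lines (spacing normalised, one duplicated
# ACK PSH line omitted). 10.100.200.10 is the client, 10.111.40.15 the DMZ server.
POSTED_LOG = """\
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16576 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16577 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=524 TOS=0x00 PREC=0x00 TTL=127 ID=16578 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK PSH URGP=0
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16610 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16611 DF PROTO=TCP SPT=4192 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
"""

LINE_RE = re.compile(
    r"(?P<prefix>SFW2-\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?RES=\S+ (?P<flags>(?:[A-Z]{3} )+)URGP=")


def parse_line(line):
    """Return (logged verdict, Pkt) for one SFW2 TCP forward-chain log line."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("not an SFW2 TCP forward log line: %r" % line)
    pkt = Pkt(m["src"], int(m["spt"]), m["dst"], int(m["dpt"]), frozenset(m["flags"].split()))
    return ("ACCEPT" if "-ACC-" in m["prefix"] else "DROP"), pkt


class Conntrack:
    """Flows keyed by the 4-tuple of the SYN that opened them; states
    SYN_SENT -> SYN_RECV (reply SYN/ACK seen) -> ESTABLISHED (final ACK seen)."""

    def __init__(self):
        self.table = {}

    def classify(self, p):
        orig = (p.src, p.sport, p.dst, p.dport)
        reply = (p.dst, p.dport, p.src, p.sport)
        if orig in self.table:                          # original direction
            st = self.table[orig]
            if st == "ESTABLISHED":
                return "ESTABLISHED"
            if p.flags == {"SYN"}:                      # retransmitted opener
                return "NEW"
            if st == "SYN_RECV" and "ACK" in p.flags:   # third handshake packet
                self.table[orig] = "ESTABLISHED"
                return "ESTABLISHED"
            return "INVALID"       # ACK while the SYN is still unanswered here
        if reply in self.table:                         # reply direction
            st = self.table[reply]
            if st == "SYN_SENT" and p.flags >= {"SYN", "ACK"}:
                self.table[reply] = "SYN_RECV"
                return "ESTABLISHED"
            return "ESTABLISHED" if st != "SYN_SENT" else "INVALID"
        if p.flags == {"SYN"}:                          # opener of a new flow
            self.table[orig] = "SYN_SENT"
            return "NEW"
        return "INVALID"           # mid-stream packet with no tracked flow


def fw_forward_verdict(state, p):
    """NEW/RELATED/ESTABLISHED accepted from the client net, only
    RELATED/ESTABLISHED accepted towards it, as the thread describes."""
    if ipaddress.ip_address(p.src) in CLIENT_NET:
        return "ACCEPT" if state in ("NEW", "RELATED", "ESTABLISHED") else "DROP"
    return "ACCEPT" if state in ("RELATED", "ESTABLISHED") else "DROP"


def replay(lines):
    """Run log lines through the model; return [(logged, modelled, state)]."""
    ct, out = Conntrack(), []
    for line in lines:
        logged, p = parse_line(line)
        state = ct.classify(p)
        out.append((logged, fw_forward_verdict(state, p), state))
    return out


def symmetric_handshake():
    """Same opener when the box also sees the server's SYN/ACK: all accepted."""
    ct, out = Conntrack(), []
    c, s = "10.100.200.10", "10.111.40.15"
    for p in (Pkt(c, 4190, s, 80, frozenset({"SYN"})),
              Pkt(s, 80, c, 4190, frozenset({"SYN", "ACK"})),
              Pkt(c, 4190, s, 80, frozenset({"ACK"}))):
        state = ct.classify(p)
        out.append((state, fw_forward_verdict(state, p)))
    return out


def diagnose(lines):
    """Flows whose SYN was accepted but whose later same-direction ACKs were
    dropped with no reply-direction packet ever logged: asymmetric path."""
    opener_ok, acks_dropped, seen_reply = set(), set(), set()
    for line in lines:
        logged, p = parse_line(line)
        key = (p.src, p.sport, p.dst, p.dport)
        seen_reply.add((p.dst, p.dport, p.src, p.sport))
        if p.flags == {"SYN"} and logged == "ACCEPT":
            opener_ok.add(key)
        elif "ACK" in p.flags and logged == "DROP":
            acks_dropped.add(key)
    return sorted(k for k in opener_ok & acks_dropped if k not in seen_reply)
```

Running replay(POSTED_LOG.splitlines()) gives modelled verdicts identical to the logged ones, with conntrack states NEW, INVALID, INVALID, NEW, INVALID: the SYN creates a SYN_SENT entry, the server's SYN/ACK never passes this host, so the client's next ACK arrives against a half-open entry and is INVALID, which neither the NEW nor the ESTABLISHED rule matches. symmetric_handshake() shows the same three packets all accepted once the reply direction is visible. diagnose() is what you would run over /var/log/messages to confirm the pattern before deciding whether to accept INVALID state for that subnet or to give the box a second NIC and route the return path through it.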
On 2006-12-15 01:21, Peder wrote:
This is from one session:
SFW2-FWDext-ACC-FORW IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=16576 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SFW2-FWDext-DROP-DEFLT-INV IN=eth0 OUT=eth0 SRC=10.100.200.10 DST=10.111.40.15 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=16577 DF PROTO=TCP SPT=4190 DPT=80 WINDOW=65535 RES=0x00 ACK URGP=0
Now I am confused... I thought you said your firewall was redirecting all http traffic to the squid proxy.
<snip>
Hmmm, I think I realize now why it doesn't work. Since my squid server isn't a router in its true meaning it doesn't see the ACK my web server sends as a reply to the SYN (since that traffic goes directly from the web server to the client). Therefore it doesn't see my client's subsequent ACK as RELATED or ESTABLISHED.
Since I don't use a proxy, I'm probably way off-mark here, but I thought all the traffic was supposed to travel through the proxy -- nothing direct between web server and client.
I guess my setup is a bit too unorthodox for SuSEfirewall2 but I still don't get why it doesn't have an option to accept _all_ forwarding.
I don't think anyone anticipated doing things as you are doing them :-) You essentially have a single network card functioning as both the internal and external interfaces. You may be able to continue to use SuSEfirewall2, by placing your own rule(s) into the fw_custom_before_masq function in /etc/sysconfig/scripts/SuSEfirewall2-custom. Make sure to set the FW_CUSTOMRULES variable in the firewall config file (Yast/System/sysconfig editor, Network/firewall/susefirewall2) if you do.
Now I am confused... I thought you said your firewall was redirecting all http traffic to the squid proxy.
Since I don't use a proxy, I'm probably way off-mark here, but I thought all the traffic was supposed to travel through the proxy -- nothing direct between web server and client.
Hehe, who said my setup was normal. I proxy all web traffic except to my webservers on the DMZ.
I guess my setup is a bit too unorthodox for SuSEfirewall2 but I still don't get why it doesn't have an option to accept _all_ forwarding.
I don't think anyone anticipated doing things as you are doing them :-) You essentially have a single network card functioning as both the internal and external interfaces.
Why can't they anticipate my actions, dammit? :) Well, since I now have a working setup I don't think I'll tinker with it any more. Thanks for the suggestions though.
- Peder
participants (5): Anders Johansson, Darryl Gregorash, Hoper Edei Deixai, Peder, suseuser@freeway.org