http://bugzilla.opensuse.org/show_bug.cgi?id=939363

Bug ID: 939363
Summary: SuSEfirewall2: A particular syntax for FW_MASQ_DEV is broken!
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: All
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Network
Assignee: bnc-team-screening@forge.provo.novell.com
Reporter: olafmartens@web.de
QA Contact: qa-bugs@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build Identifier:

The file /etc/sysconfig/SuSEfirewall2 states for the variable FW_MASQ_DEV that the devices on which to masquerade internal networks may be specified with e. g. zone:ext - unfortunately this syntax is broken and prevents any internal networks from being forwarded to public ip addresses.

Reproducible: Always

Steps to Reproduce:
1. Set FW_DEV_MASQ to zone:ext
2. Set FW_MASQ_NETS to any network with private IP addresses.
3. Try to ping an outside IP address.

Actual Results:
PING (and any other service) fails to reach the public IP address space.

Expected Results:
Traffic should be routed to the public IP address space.

This does not affect any private virtual subnets generated by e. g. StrongSwan, because the rules that affect those IP addresses are set by the Charon daemon and not the firewall script. Any traffic that originates from an IPsec tunnel is routed normally.

As a workaround FW_MASQ_DEV can be explicitly set to any device identifiers that point to the public IP address space to have any traffic routed as it should.