Mailinglist Archive: opensuse-bugs (4243 mails)

[Bug 1017936] New: No DMZ routing with Yast2 configured FW & Wicked
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Tue, 03 Jan 2017 17:05:05 +0000
  • Message-id: <bug-1017936-21960@http.bugzilla.opensuse.org/>
http://bugzilla.opensuse.org/show_bug.cgi?id=1017936


Bug ID: 1017936
Summary: No DMZ routing with Yast2 configured FW & Wicked
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 42.2
Hardware: x86-64
OS: openSUSE 42.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
Assignee: yast2-maintainers@xxxxxxx
Reporter: lvl@xxxxxxxxxxx
QA Contact: jsrain@xxxxxxxx
Found By: ---
Blocker: ---

Had to rebuild a firewall box last week... and Yast2/Wicked set up the three
IFs & routing correctly with USB NICs. Replaced them with GbE NICs, and routing
is broken to the DMZ:

Tried the previous working 13.2 FW configuration (after adjusting IF names), no
success; tried tweaking various FW options, no success; started over with the
default 42.2 SuSEfirewall2 config from a virgin installation and built with Yast2.

Currently, connections work fine from the FW box, but any traffic from the
internal network is blocked at the FW box:

$ traceroute <DMZ Host>
traceroute to mail (<DMZ IP>), 30 hops max, 60 byte packets
1 marvel (10.0.0.254) 0.237 ms 0.212 ms 0.195 ms
2 marvel (10.0.0.254) 0.212 ms 0.197 ms 0.200 ms

The routes seem correct:

Destination Gateway Genmask Flags Metric Ref Use Iface
default 24-107-128-1.dh 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 * 255.255.255.0 U 0 0 0 p132p1
24-107-128-0.dh * 255.255.252.0 U 0 0 0 eth0
206.197.251.0 * 255.255.255.0 U 0 0 0 p128p1

However, the Yast2-generated ruleset does not work, nor does it save the static
route for DMZ traffic [shown correctly in the Yast2 UI]:

# grep ^FW_ /etc/sysconfig/network/SuSEfirewall2
FW_DEV_EXT="eth0"
FW_DEV_INT="p132p1"
FW_DEV_DMZ="p128p1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT=""
FW_SERVICES_DMZ_TCP="<ssh port>"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT="no"

Network config files:

# cat ifcfg-eth0 (MB builtin)
BOOTPROTO='dhcp4'
BROADCAST=''
DHCLIENT_SET_DEFAULT_ROUTE='yes'
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='NetLink BCM57788 Gigabit Ethernet PCIe'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'

# cat ifcfg-p128p1 (PCIE slot)
BOOTPROTO='static'
STARTMODE='manual'
NAME='RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR='<Address in DMZ>/24'
MTU='1500'
NETWORK=''
REMOTE_IPADDR=''
USERCONTROL='no'
PREFIXLEN='24'

# cat ifcfg-p132p1 (PCIE slot)
BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR='10.0.0.254/24'
MTU=''
NAME='RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'

# cat ifroute-eth0
default <public gw> - eth0

# cat ifroute-p128p1
<DMZ subnet> - 255.255.255.0 p128p1

--
You are receiving this mail because:
You are on the CC list for the bug.
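The report pastes three artifacts that a defender would want to cross-check before blaming the ruleset: the zone assignments in the SuSEfirewall2 sysconfig, the kernel routing table, and the wicked ifroute-* files that are supposed to persist the static DMZ route. The script below is an added example, not code from the bug report or from the YaST, wicked or SuSEfirewall2 projects. It parses those three formats and reports zone devices that have no kernel route, static routes from ifroute-* that never reached the kernel, and a masquerade setting that lacks the FW_ROUTE it depends on. The sample inputs are constructed from the report's excerpts: the elided DMZ subnet is assumed to be 206.197.251.0/24 (the p128p1 network shown in the report's route table), and the elided public gateway is replaced by the documentation address 203.0.113.1.

```python
"""Consistency check of a SuSEfirewall2 zone setup against routing data.

Added example (not from the bug report or the YaST/SuSEfirewall2/wicked
projects). Parses FW_* lines from /etc/sysconfig/SuSEfirewall2, `route`
output, and wicked ifroute-* files, then reports inconsistencies.
Sample inputs are constructed from the report's excerpts; the DMZ subnet
206.197.251.0/24 and gateway 203.0.113.1 are assumptions, not page data.
"""
import ipaddress
import re

# Constructed from the FW_ lines in the report (subset that matters here)
SYSCONFIG = """\
FW_DEV_EXT="eth0"
FW_DEV_INT="p132p1"
FW_DEV_DMZ="p128p1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS=""
FW_ZONE_DEFAULT=''
"""

# `route` output as pasted in the report (hostnames, i.e. no -n); constructed copy
ROUTE_TABLE = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
default 24-107-128-1.dh 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 * 255.255.255.0 U 0 0 0 p132p1
24-107-128-0.dh * 255.255.252.0 U 0 0 0 eth0
206.197.251.0 * 255.255.255.0 U 0 0 0 p128p1
"""

# Same table with the DMZ route dropped: the "static route not saved" state (constructed)
ROUTE_TABLE_NO_DMZ = "\n".join(ROUTE_TABLE.splitlines()[:-1]) + "\n"

# wicked ifroute-<iface> files: DESTINATION GATEWAY NETMASK INTERFACE (constructed)
IFROUTES = {
    "eth0": "default 203.0.113.1 - eth0\n",
    "p128p1": "206.197.251.0 - 255.255.255.0 p128p1\n",
}


def parse_sysconfig(text):
    """Return FW_* keys -> values; accepts double, single or no quotes."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(FW_[A-Z0-9_]+)=(["\']?)(.*?)\2\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(3)
    return cfg


def parse_route_table(text):
    """Return (destination, genmask, iface) tuples from `route` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0] in ("Kernel", "Destination"):
            continue  # banner/header lines
        routes.append((fields[0], fields[2], fields[7]))
    return routes


def parse_ifroute(text):
    """Return (destination, gateway, netmask, iface-or-None) from an ifroute file."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        iface = fields[3] if len(fields) > 3 else None
        entries.append((fields[0], fields[1], fields[2], iface))
    return entries


def to_network(dest, mask):
    """IPv4 network for a destination/mask pair, or None for a hostname destination."""
    if dest == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    try:
        if "/" in dest:
            return ipaddress.ip_network(dest, strict=False)
        if mask == "-":
            return ipaddress.ip_network(dest + "/32")
        return ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    except ValueError:
        return None  # `route` without -n prints hostnames; skip those


def check_zones(cfg, routes, ifroutes):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    zone_devs = {z: cfg.get(f"FW_DEV_{z}", "").split() for z in ("EXT", "INT", "DMZ")}
    routed_ifaces = {iface for _, _, iface in routes}
    for zone, devs in zone_devs.items():
        for dev in devs:
            if dev not in routed_ifaces:
                findings.append(f"{zone} device {dev} has no route in the kernel table")
    if cfg.get("FW_ROUTE") == "yes" and sum(len(d) for d in zone_devs.values()) < 2:
        findings.append("FW_ROUTE=yes but fewer than two zone devices are configured")
    if cfg.get("FW_MASQUERADE") == "yes" and cfg.get("FW_ROUTE") != "yes":
        findings.append("FW_MASQUERADE=yes requires FW_ROUTE=yes")
    kernel_nets = set()
    for dest, mask, _ in routes:
        net = to_network(dest, mask)
        if net is not None:
            kernel_nets.add(net)
    for name, entries in ifroutes.items():
        for dest, _gw, mask, r_iface in entries:
            net = to_network(dest, mask)
            if net is not None and net not in kernel_nets:
                findings.append(f"ifroute-{name}: static route {net} via {r_iface or name} "
                                "is not in the kernel table")
    return findings


def audit(sysconfig_text, route_text, ifroutes):
    """Parse all three artifacts and run the consistency checks."""
    parsed = {name: parse_ifroute(text) for name, text in ifroutes.items()}
    return check_zones(parse_sysconfig(sysconfig_text), parse_route_table(route_text), parsed)


if __name__ == "__main__":
    for label, table in (("as pasted", ROUTE_TABLE), ("DMZ route missing", ROUTE_TABLE_NO_DMZ)):
        print(f"{label}: {audit(SYSCONFIG, table, IFROUTES) or 'consistent'}")
```

Run against the table as pasted, the check is silent, which matches the reporter's observation that "the routes seem correct"; with the DMZ route removed it names both the orphaned DMZ zone device and the ifroute-p128p1 entry that never reached the kernel, which is the state to look for when a static route is configured in the UI but not persisted.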