Marc Heuse writes:
I've been upgrading to Firewall 1.8 and had a problem within SuSEfirewall itself. It appears to wedge under SuSE 6.2 on an ipchains DENY for IP@ppp0 which happens to be my dynamic dialup IP.
This happens in the IP Spoofing & Circumventrion [sic] section where there is a

    for j in $DEV_INT_NET $FW_LOCALNETS; do
        $IPCHAINS -A input -j "$DENY" -i $i -s $j $LDC
    done
It wedges on $FW_LOCALNETS which is set to IP@ppp0.
Omitting $FW_LOCALNETS allows the script to run to completion and the firewall to be "set up". I don't (yet) understand what is trying to be achieved in this particular section of code. I especially don't understand why ipchains would wedge. Perhaps it's because there is no DNS as such on the firewall.
I'm also getting other warnings about ipchains not understanding IP@ppp0.
Have I messed up the rc.firewall configuration?
YES! ;-) FW_LOCALNETS are networks in your internal LAN which should be allowed to access the internet via masquerading. Don't put any IP addresses of the firewall there.
I'm setting FW_LOCALNETS to the network address (and address width) of the internal LAN _only_. (FW_LOCALNETS="203.6.142.0/24")

    eth0      Link encap:Ethernet  HWaddr 00:40:F6:20:F2:A4
              inet addr:203.6.142.19  Bcast:203.6.142.255  Mask:255.255.255.0
    ppp0      Link encap:Point-to-Point Protocol
              inet addr:203.12.8.5  P-t-P:203.12.0.24  Mask:255.255.255.255

The IP@ppp0 value of FW_LOCALNETS inside SuSEfirewall seems to be being "manufactured". i.e. I didn't put it there. Looks like I'll have to do some testing with my config to find out where this is happening. <sigh>

--
Real Name: Bernd Felsche
Email: nospam.bernie@perth.DIALix.com.au
http://www.perth.dialix.com.au/~bernie - Private HP
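Added example, not part of SuSEfirewall or of either message above: a POSIX shell pre-flight check that rejects FW_LOCALNETS entries which are not a dotted-quad address with an optional /prefix length, such as the IP@ppp0 token reported in the thread, before they are handed to the ipchains loop. The helper names (is_ipv4, is_net, check_localnets) are hypothetical, and the sample FW_LOCALNETS value is constructed from the values quoted in the thread.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not SuSEfirewall code.

# Return 0 if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;   # stray chars or empty octet
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                  # split the address on dots
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if $1 is ADDR or ADDR/PREFIX with PREFIX in 0..32.
# Assumption: only the prefix-length form is accepted, not a dotted netmask.
is_net() {
    case "$1" in
        */*) net_addr=${1%/*}; net_len=${1#*/}
             case "$net_len" in ""|*[!0-9]*) return 1 ;; esac
             [ "${#net_len}" -le 2 ] && [ "$net_len" -le 32 ] || return 1 ;;
        *)   net_addr=$1 ;;
    esac
    is_ipv4 "$net_addr"
}

# Print each rejected entry on its own line; return 1 if any was rejected.
check_localnets() {
    bad=0
    for entry in "$@"; do
        if ! is_net "$entry"; then
            echo "$entry"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: the intended LAN network plus the unexpected token.
FW_LOCALNETS="203.6.142.0/24 IP@ppp0"
check_localnets $FW_LOCALNETS || echo "FW_LOCALNETS has invalid entries, not loading rules" >&2
```

Running the check before the rule loop reports the offending entry by name, which also narrows down where in the configuration the value is being generated.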