I'm sorry, but I forgot to mention that I have another problem besides the one I had
already spoken about.
Problem number 2 is the following:
1) I have my mail server with SuSE 7.1 and postfix at www.opc.com.uy /
200.61.85.10
2) In order to be able to read the mail from any PC outside, I configure
the server address in the clients' mail accounts as www.opc.com.uy and there
are no problems.
3) But in order to be able to read the mail from a PC on the internal net, I have to
configure the Outlook Express server address as 172.16.0.1 instead of
www.opc.com.uy or 200.61.85.10
I suspect that it is the same problem that doesn't allow seeing routed ports
to the internal net from PCs on the internal net, which I mentioned in
the previous mail.
Best regards
Alberto
----- Original Message -----
From: "linux"
Do you have FW_SERVICES_INT_TCP set as well?

Yes I do. This is my firewall2.rc.config file:

2.) FW_DEV_EXT="eth1"
3.) FW_DEV_INT="eth0"
4.) FW_DEV_DMZ=""
5.) FW_ROUTE="yes"
6.) FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="172.16.0.0/16"
7.) FW_PROTECT_FROM_INTERNAL="yes"
8.) FW_AUTOPROTECT_SERVICES="yes"
9.) FW_SERVICES_EXT_TCP="http-alt ssh smtp pop3 domain ftp www"
    FW_SERVICES_EXT_UDP="domain"
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_INT_TCP="ssh ftp smtp domain www telnet pop3 137 138 139 901 3128"
    FW_SERVICES_INT_UDP="domain 137 138 139"
    FW_SERVICES_INT_IP=""
10.) FW_TRUSTED_NETS=""
11.) FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
     FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
12.) FW_SERVICE_AUTODETECT="yes"
     FW_SERVICE_DNS="yes"
     FW_SERVICE_DHCLIENT="no"
     FW_SERVICE_DHCPD="yes"
     FW_SERVICE_SAMBA="no"
13.) FW_FORWARD=""
14.) FW_FORWARD_MASQ="0/0,172.16.0.3,tcp,8080,80"
15.) FW_REDIRECT="172.16.0.0/16,0/0,tcp,80,3128"
16.) FW_LOG_DROP_CRIT="yes"
     FW_LOG_DROP_ALL="no"
     FW_LOG_ACCEPT_CRIT="no"
     FW_LOG_ACCEPT_ALL="no"
17.) FW_KERNEL_SECURITY="yes"
18.) FW_STOP_KEEP_ROUTING_STATE="no"
19.) FW_ALLOW_PING_FW="yes"
     FW_ALLOW_PING_DMZ="no"
     FW_ALLOW_PING_EXT="no"
20.) FW_ALLOW_FW_TRACEROUTE="yes"
21.) FW_ALLOW_FW_SOURCEQUENCH="yes"
22.) FW_ALLOW_FW_BROADCAST="no"
23.) FW_ALLOW_CLASS_ROUTING="no"

Best Regards
Alberto ...labp

----- Original Message -----
From: "Anders Johansson"
To: "linux" ;
Sent: Thursday, June 14, 2001 7:27 PM
Subject: Re: [suse-security] Fw: A bug with SuSEfirewall2 ? Or a feature ?

On Friday 15 June 2001 00:09, linux wrote:
Hi,
I'm using SuSEfirewall2 1.0 in a SuSE 7.1 kernel 2.4.2, the machine is the firewall for a private lan using masquerading to reach the internet.
The problem is:
Internal machines can't connect to ports on the external address of the firewall. If I try these ports from outside, it works ok.
Example: firewall
  eth1 - external ip 1.2.3.4
  eth0 - internal ip 172.16.0.1

If I try to get mail from 172.16.0.3 this is the log in /var/log/firewall:

SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= MAC=00:80:ad:09:0b:38:00:48:54:62:d9:ed:08:00 SRC=172.16.0.3 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=26274 DF PROTO=TCP SPT=1908 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
/etc/rc.config.d/firewall2.rc.config has this line : FW_SERVICES_EXT_TCP="ssh smtp pop3 domain www"
Do you have FW_SERVICES_INT_TCP set as well? This variable defines which services should be available on the firewall machine for hosts on the internal network
The masquerading works to any other host without a charm, except for the external ip of the firewall. Previously we were using SuSEfirewall on a SuSE 6.4 and this thing worked. There are laptop users that try to get mail from inside or outside and this problem is very annoying.
Is SuSEfirewall2 doing this on purpose ?
Thanks, --
Regards Anders
--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com
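The thread turns on which FW_SERVICES_* variable governs a packet that the firewall logged as SuSE-FW-UNALLOWED-TARGET. The following triage script is an added example and is not part of the mailing-list thread or of SuSEfirewall2 itself. It parses an rc.config-style snippet and a log line of the format quoted above, works out from the IN= interface which zone (INT, EXT or DMZ) the packet entered on, and checks whether the destination port appears in that zone's service list. The config excerpts, the log line and the service-name table are constructed for the example, and the zone model is a deliberate simplification (interface of arrival selects the variable; the destination address is not consulted), which is exactly why, for Alberto's config, it reports pop3 as listed in FW_SERVICES_INT_TCP even though the packet was still dropped: the port list alone does not explain the drop, which is the open question in the thread.

```python
"""Triage a SuSEfirewall2 UNALLOWED-TARGET log line against a firewall2.rc.config
snippet.  Added example, not code from the thread or the SuSEfirewall2 project.
Simplified model (assumption): a packet arriving on FW_DEV_INT is checked
against FW_SERVICES_INT_<PROTO>, one arriving on FW_DEV_EXT against
FW_SERVICES_EXT_<PROTO>, one on FW_DEV_DMZ against FW_SERVICES_DMZ_<PROTO>."""
import shlex

# Constructed excerpt in the shape of Alberto's config from the thread.
CONFIG_TEXT = '''
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_SERVICES_EXT_TCP="http-alt ssh smtp pop3 domain ftp www"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_INT_TCP="ssh ftp smtp domain www telnet pop3 137 138 139 901 3128"
FW_SERVICES_INT_UDP="domain 137 138 139"
'''

# Constructed excerpt in the shape of the original poster's config (EXT only).
ORIGINAL_CONFIG = '''
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_SERVICES_EXT_TCP="ssh smtp pop3 domain www"
'''

# Constructed log line in the format quoted in the thread (OPT field omitted).
LOG_LINE = ("SuSE-FW-UNALLOWED-TARGET IN=eth0 OUT= "
            "MAC=00:80:ad:09:0b:38:00:48:54:62:d9:ed:08:00 "
            "SRC=172.16.0.3 DST=1.2.3.4 LEN=48 TOS=0x00 PREC=0x00 TTL=128 "
            "ID=26274 DF PROTO=TCP SPT=1908 DPT=110 WINDOW=16384 RES=0x00 SYN URGP=0")

# Constructed service table (assumption; a real tool would read /etc/services).
SERVICES = {"ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25, "domain": 53,
            "www": 80, "http": 80, "pop3": 110, "http-alt": 8080}


def parse_config(text):
    """Parse KEY="value" lines into a dict, skipping blanks and # comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = " ".join(shlex.split(value))  # shlex strips the quotes
    return cfg


def parse_log(line):
    """Split the kernel LOG format into a dict.  Everything before the first
    IN= token is the log prefix; bare flags such as DF and SYN map to True.
    Works whether or not a space separates the prefix from IN=."""
    head, sep, rest = line.partition("IN=")
    fields = {"prefix": head.strip()}
    for tok in (sep + rest).split():
        key, eq, value = tok.partition("=")
        fields[key] = value if eq else True
    return fields


def service_ports(cfg, var):
    """Resolve a FW_SERVICES_* list to a set of port numbers.  Names not in
    the constructed table are ignored rather than guessed."""
    ports = set()
    for name in cfg.get(var, "").split():
        port = int(name) if name.isdigit() else SERVICES.get(name)
        if port is not None:
            ports.add(port)
    return ports


def triage(cfg, log):
    """Report the zone the packet entered on, the variable that governs it
    under the simplified model, and whether DPT is in that variable's list."""
    zones = {cfg[dev]: zone for dev, zone in (("FW_DEV_INT", "INT"),
                                               ("FW_DEV_EXT", "EXT"),
                                               ("FW_DEV_DMZ", "DMZ"))
             if cfg.get(dev)}                      # skip unset/empty devices
    zone = zones.get(log.get("IN"))
    if zone is None:
        return {"zone": None, "variable": None, "dport": None, "allowed": False}
    var = "FW_SERVICES_%s_%s" % (zone, log["PROTO"])
    dport = int(log["DPT"])
    return {"zone": zone, "variable": var, "dport": dport,
            "allowed": dport in service_ports(cfg, var)}


if __name__ == "__main__":
    log = parse_log(LOG_LINE)
    for label, text in (("original poster", ORIGINAL_CONFIG), ("Alberto", CONFIG_TEXT)):
        print(label, triage(parse_config(text), log))
```

Run as-is it prints one line per config: the original poster's EXT-only config leaves DPT 110 unlisted for the INT zone, while Alberto's config lists pop3 in FW_SERVICES_INT_TCP, so the checker reports it allowed. Feeding a real log line and the real file to the same two parsers tells you at a glance which variable to look at first before reading the generated rules themselves.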