On Friday, 17. August 2001 12:52, egger@mlcomputing.de wrote:
On Friday, 17. August 2001 09:20, egger@mlcomputing.de wrote:
On Thursday, 16. August 2001 17:41, maf@cybereye.co.uk wrote:
Hi Christoph
On 2001.08.16 15:35:07 +0100 Christoph Egger wrote:
On Thursday, 16. August 2001 14:26, egger@mlcomputing.de wrote:
Hi!
Problem description:
---------------------------------------------------------------------------
My _test_ LAN looks like this:

192.168.2.0/24
 |
 Host1 with 192.168.2.1
 |
 Gateway 1 (eth0) with 192.168.2.91 --- Gateway 1 (eth1)
                                            |
                                         Internet
                                            |
 Gateway 2 (eth1) with SuSE 7.2 firewall --- Gateway 2 (eth0) with 10.0.1.10
 |
 Host2 with 10.0.1.21
 |
10.0.1.0/24
Between Gateway 1 (eth1) and Gateway 2 (eth1) there is an IPsec tunnel created by FreeSWAN 1.91.
I can do a ping from 192.168.2.1 to 10.0.1.10, but not to 10.0.1.21, and vice versa. It seems that gateway 2 swallows the packets.
Further, routed is somehow blocked by the firewall:

....
Kernel log: input DENY eth0 PROTO=17 10.0.1.0:520 10.0.1.255:520 L=52 S=0x00 I=0 F=0x4000 T=64 (#4)
....
Kernel log: input DENY eth1 PROTO=17 62.180.107.61:520 62.180.107.63:520 S=0x00 I=0 F=0x4000 T=64 (#5)

Shutting the firewall down, routed says:

re-installing interface eth0
re-installing interface eth1

and pinging, DNS, SMB, etc. between the two subnets work perfectly.
---------------------------------------------------------------------------
What do you think might be the problem?
I forgot to mention that the SuSE 7.2 firewall definitely causes my problem.
FreeSWAN works fine for me as long as the firewall is down. But calling "/etc/init.d/SuSEfirewall_init start" and restarting FreeSWAN (so that it does not lose its firewall rules) already causes my problem.
Sounds like you may be having some sort of masquerading problem. Have a look in your logs and see what packets the firewall drops.
Masquerading isn't activated at all.
Here are more details: I am using the 2.4.4-4GB SuSE standard kernel coming with the SuSE 7.2 distribution.
The SuSE firewall sets some values in various files in /proc/sys/net/ipv4/
echo 1 > icmp_echo_ignore_broadcasts
echo 1 > tcp_syncookies
echo 1 > ip_always_defrag
echo 0 > conf/*/accept_redirects
echo 0 > conf/*/accept_source_route
echo 1 > icmp_ignore_bogus_error_responses
echo 5 > icmp_echoreply_rate
echo 5 > icmp_destunreach_rate
echo 5 > icmp_paramprob_rate
echo 6 > icmp_timeexceed_rate
echo 20 > ipfrag_time
echo 1 > igmp_max_memberships
echo "1024 29999" > ip_local_port_range
echo 1 > conf/*/log_martians
echo 0 > conf/*/mc_forwarding
echo 1 > conf/*/rp_filter   (manually disabled by me to keep it "0")
echo 0 > conf/*/bootp_relay
echo 0 > conf/*/proxy_arp
echo 0 > conf/*/secure_redirects
echo 1 > route/flush
Is there something, which might cause my above described problem?
Hm... no answer to my problem yet. Seems that doesn't help. So here is my SuSE 7.2 firewall (version 4.9) configuration from /etc/rc.config.d/firewall.rc.config:

FW_DEV_WORLD=eth1
FW_DEV_INT=eth0
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
FW_SERVICES_EXTERNAL_TCP=""
FW_SERVICES_EXTERNAL_UDP="500"
FW_SERVICES_EXTERNAL_IP="udp 50"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INTERNAL_TCP=""
FW_SERVICES_INTERNAL_UDP="500"
FW_SERVICES_INTERNAL_IP="udp 50"
FW_TRUSTED_NETS=""
FW_SERVICES_TRUSTED_TCP=""
FW_SERVICES_TRUSTED_UDP=""
FW_SERVICES_TRUSTED_IP=""
FW_SERVICES_TRUSTED_ACL=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
FW_FORWARD_IP=""
FW_FORWARD_MASQ_TCP=""
FW_FORWARD_MASQ_UDP=""
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW=yes
FW_ALLOW_FW_TRACEROUTE=yes

All other variables are set to the default values. I hope that this is enough for someone to be able to help me.

BTW: Setting FW_AUTOPROTECT_GLOBAL_SERVICES to "no" doesn't solve my problem.

-- 
CU, Christoph
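As an added example (not part of this thread and not SuSEfirewall's own code), here is a small Python script that parses the two "input DENY" kernel log lines quoted in the thread and checks the denied destination port against the FW_SERVICES_* lists from the quoted firewall.rc.config. It reads PROTO=17 as UDP and port 520 as RIP, which is what routed speaks, and reports that 520 appears in neither FW_SERVICES_INTERNAL_UDP nor FW_SERVICES_EXTERNAL_UDP. The zone mapping (FW_DEV_INT -> INTERNAL, FW_DEV_WORLD -> EXTERNAL), the high-port rule and the port-name table are assumptions of a simplified model, not SuSEfirewall's real rule generator; the sample log lines and config values are copied from the thread.

```python
"""Added example: explain SuSEfirewall-style 'input DENY' log lines against
the FW_* variables quoted in the thread.  Not SuSEfirewall code.

Simplified model (an assumption, not the real rule generator): a packet
arriving on FW_DEV_INT / FW_DEV_WORLD / FW_DEV_DMZ is allowed only if its
destination port is listed in FW_SERVICES_<ZONE>_<PROTO>, or if it is a
high port (>= 1024) and FW_ALLOW_INCOMING_HIGHPORTS_<PROTO> is "yes".
"""
import re
from typing import Dict, Optional

# 2.4-kernel (ipchains-style) log format as quoted in the thread:
#   input DENY eth0 PROTO=17 10.0.1.0:520 10.0.1.255:520 L=52 S=0x00 ...
LOG_RE = re.compile(
    r"(?P<chain>\w+)\s+(?P<verdict>DENY|REJECT|ACCEPT)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# FW_NAME=value or FW_NAME="value with spaces" (works whether the config is
# one variable per line or all run together on one line).
CFG_RE = re.compile(r'(FW_\w+)=(?:"([^"]*)"|(\S*))')

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp", 50: "esp", 51: "ah"}
# Well-known ports that matter here: IKE (FreeSWAN) and RIP (what routed speaks).
PORT_NAMES = {500: "isakmp/IKE", 520: "rip/routed"}


def parse_log_line(line: str) -> Optional[Dict[str, object]]:
    """Extract chain, verdict, interface, protocol and endpoints; None if no match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {"chain": d["chain"], "verdict": d["verdict"], "iface": d["iface"],
            "proto": int(d["proto"]), "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"])}


def parse_fw_config(text: str) -> Dict[str, str]:
    """Collect FW_* variables into a dict with the surrounding quotes stripped."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3)).strip()
            for m in CFG_RE.finditer(text)}


def zone_for_iface(cfg: Dict[str, str], iface: str) -> Optional[str]:
    """Map an interface name to the zone the config assigns it (assumed mapping)."""
    for zone, key in (("EXTERNAL", "FW_DEV_WORLD"), ("INTERNAL", "FW_DEV_INT"),
                      ("DMZ", "FW_DEV_DMZ")):
        if cfg.get(key) == iface:
            return zone
    return None


def explain_deny(cfg: Dict[str, str], line: str) -> Dict[str, object]:
    """Classify one DENY line under the simplified model described above."""
    pkt = parse_log_line(line)
    if pkt is None:
        return {"reason": "unparseable"}
    zone = zone_for_iface(cfg, pkt["iface"])
    proto = PROTO_NAMES.get(pkt["proto"], str(pkt["proto"]))
    result = {"iface": pkt["iface"], "zone": zone, "proto": proto,
              "dport": pkt["dport"], "service": PORT_NAMES.get(pkt["dport"], "unknown")}
    if zone is None:
        result["reason"] = "iface_not_in_config"
        return result
    if proto not in ("tcp", "udp"):
        result["reason"] = "non_tcp_udp"  # governed by FW_SERVICES_<ZONE>_IP instead
        return result
    key = f"FW_SERVICES_{zone}_{proto.upper()}"
    listed = {int(p) for p in cfg.get(key, "").split() if p.isdigit()}
    high_ok = cfg.get(f"FW_ALLOW_INCOMING_HIGHPORTS_{proto.upper()}", "no") == "yes"
    result["key"] = key
    if pkt["dport"] in listed:
        result["reason"] = "listed_but_denied"    # model disagrees with the log: look elsewhere
    elif high_ok and pkt["dport"] >= 1024:
        result["reason"] = "highport_but_denied"  # same
    else:
        result["reason"] = "port_not_listed"
    return result


# Constructed sample input: the two log lines and the config values as quoted in the thread.
SAMPLE_LOG = [
    "Kernel log: input DENY eth0 PROTO=17 10.0.1.0:520 10.0.1.255:520 L=52 S=0x00 I=0 F=0x4000 T=64 (#4)",
    "Kernel log: input DENY eth1 PROTO=17 62.180.107.61:520 62.180.107.63:520 S=0x00 I=0 F=0x4000 T=64 (#5)",
]
SAMPLE_CONFIG = '''
FW_DEV_WORLD=eth1
FW_DEV_INT=eth0
FW_DEV_DMZ=""
FW_SERVICES_EXTERNAL_UDP="500"
FW_SERVICES_EXTERNAL_IP="udp 50"
FW_SERVICES_INTERNAL_UDP="500"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_ALLOW_PING_FW=yes
'''

if __name__ == "__main__":
    cfg = parse_fw_config(SAMPLE_CONFIG)
    for line in SAMPLE_LOG:
        r = explain_deny(cfg, line)
        print(f"{r['iface']} ({r['zone']}): {r['proto']}/{r['dport']} {r['service']}"
              f" -> {r['reason']} [{r.get('key')}]")
```

Run as-is it reports both lines as udp/520 (rip/routed) with reason port_not_listed, one against FW_SERVICES_INTERNAL_UDP and one against FW_SERVICES_EXTERNAL_UDP, which is the quickest way to confirm from the logs that the blocked traffic is the RIP broadcasts rather than the IPsec traffic on UDP/500.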