Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Firewall 2 blocking internal access to Web site
It's working :o)
Thanks a lot!!!

Bo)

----- Original Message -----
From: "list" <list@xxxxxxxxxxxxx>
To: "'Bo Jangeborg'" <bo@xxxxxxxxxxx>
Sent: Saturday, December 08, 2001 4:32 PM
Subject: RE: [suse-security] Firewall 2 blocking internal access to Web site


> It's supposed to do that by design. I had the same problem and that is
> what I was told. To be able to do what you want you need to allow the
> internal machines access via the firewall2-custom.rc.config script.
>
> First in firewall2.rc.config go to the last line and enable the below.
>
> #
> # 25.)
> # Do you want to load customary rules from a file?
> #
> # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
> # READ THE EXAMPLE CUSTOMARY FILE AT
> # /etc/rc.config.d/firewall2-custom.rc.config
> #
> FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
>
> Then go into firewall2-custom.rc.config and put in a line in the
> fw_custom_before_antispoofing section
>
> iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d 194.236.28.27 -j ACCEPT
>
> Then it should work properly. Let me know if this works for you.
>
> Tall0n
> -----Original Message-----
> From: Bo Jangeborg [mailto:bo@xxxxxxxxxxx]
> Sent: Saturday, December 08, 2001 9:50 AM
> To: suse-security@xxxxxxxx
> Subject: [suse-security] Firewall 2 blocking internal access to Web site
>
> I'm submitting this problem again since it still persists.
>
> I have installed Suse 7.3 and set up SuseFirewall2. With one exception
> everything works well.
> I have a small network of three Windows machines connected to a Suse 7.3
> Linux server that is connected to an ADSL modem through a network card. I
> have one public IP number for one card (eth0) that's connected to the ADSL
> modem, and for the internal network (eth1) I have the number 192.168.1.1.
>
> Masquerading from inside to the outside works fine, but when I try to
> connect to my external IP from inside I get blocked and the console on the
> server shows the following message.
>
> SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth1 OUT=
> MAC=00:01:02:24:4d:23:00:60:08:c3:6e:a2:08:00 SRC=192.168.1.2
> DST=194.236.28.27 LEN=48 TOS=0x08 PREC=0x00 TTL=64 ID=65293 PROTO=TCP
> SPT=1148 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
>
> I have a DNS on the server but I don't think that it is the problem.
> If I try to connect to 194.236.28.27 directly I get blocked in the same
> manner.
>
> When using www.softwave.se the message in the console says that it's
> blocking 194.236.28.27, so the DNS works and supplies the number that then
> gets blocked.
>
> I have upgraded to the latest Firewall2 script but I noticed no
> difference.
>
> The DNS works for all other numbers (I can get to all pages on the net
> except my own), and if I type http://192.168.1.1 in the browser it works
> whereas http://194.234.28.27 doesn't.
> So how could it be the DNS? I am no expert on this so I could be
> missing something.
>
> What do I need to change in my configuration to allow me to get to my
> own IP number from the inside? Here is my current configuration.
>
>
> FW_DEV_EXT="eth0"
> FW_DEV_INT="eth1"
> FW_DEV_DMZ=""
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="192.168.1.0/24"
> FW_PROTECT_FROM_INTERNAL="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="smtp pop3 imap ftp ftp-data www ssh domain"
> FW_SERVICES_EXT_UDP="domain" # Common: domain
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="smtp pop3 imap ftp ftp-data www ssh domain"
> FW_SERVICES_INT_UDP="domain"
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS="192.168.1.0/24"
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
> FW_SERVICE_DNS="yes"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="yes"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="yes"
> FW_FORWARD="" # Beware to use this!
> FW_FORWARD_MASQ="" # Beware to use this!
> FW_REDIRECT="192.168.1.0/24,0/0,udp,53,53"
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
> FW_KERNEL_SECURITY="no"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="yes"
> FW_ALLOW_PING_EXT="no"
> FW_ALLOW_FW_TRACEROUTE="yes"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_IGNORE_FW_BROADCAST="yes"
> FW_ALLOW_CLASS_ROUTING="no"
>
> Bo Jangeborg Softwave
>
> Bo)
>
>
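A defender's check on the custom rule suggested above, as an added example (not from the thread and not part of SuSEfirewall2): a POSIX shell function that reads a SuSE-FW ACCESS_DENIED_FOR_INT log line like the one Bo posted and prints the narrowest fw_custom_before_antispoofing rule that would admit that flow, limited to the logged protocol and port instead of all traffic from the internal net to the external address. The sample log line is constructed from the quoted one; the names `field` and `rule_for_drop` are chosen here.

```shell
# Added example, not code from the thread: turn a SuSE-FW ACCESS_DENIED_FOR_INT
# log line into the narrowest custom iptables rule that would allow the logged
# flow. It only prints the rule; it never calls iptables itself.

# Constructed sample, same fields as the log line quoted in the thread.
SAMPLE_LOG='SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth1 OUT= MAC=00:01:02:24:4d:23:00:60:08:c3:6e:a2:08:00 SRC=192.168.1.2 DST=194.236.28.27 LEN=48 TOS=0x08 PREC=0x00 TTL=64 ID=65293 PROTO=TCP SPT=1148 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)'

# field LINE KEY: value of the first KEY=value token in LINE (empty if absent).
field() (
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | sed -n '1p'
)

# rule_for_drop LINE INT_NET: print an INPUT rule accepting only the logged
# flow (inbound interface, internal net, destination, protocol, port).
# Prints nothing and returns 1 for any line that is not an ACCESS_DENIED_FOR_INT drop.
rule_for_drop() (
    line=$1; net=$2
    # The 29-character LOG prefix leaves no room for a separator, so the
    # kernel glues "IN=" straight onto it; split on the first "IN=".
    prefix=${line%%IN=*}
    prefix=${prefix% }
    case $prefix in
        *ACCESS_DENIED_FOR_INT) ;;
        *) return 1 ;;
    esac
    rest="IN=${line#*IN=}"
    in_dev=$(field "$rest" IN)
    dst=$(field "$rest" DST)
    proto=$(field "$rest" PROTO | tr 'A-Z' 'a-z')
    dpt=$(field "$rest" DPT)
    [ -n "$in_dev" ] && [ -n "$dst" ] && [ -n "$dpt" ] || return 1
    case $proto in
        tcp|udp) ;;
        *) return 1 ;;
    esac
    printf 'iptables -A INPUT -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$in_dev" "$net" "$dst" "$proto" "$dpt"
)

# Stand-alone run: the thread's internal net and the sample line.
rule_for_drop "$SAMPLE_LOG" 192.168.1.0/24
```

Paste the printed line into the fw_custom_before_antispoofing section instead of the broader rule if only the web server should be reachable from inside.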

