Mailinglist Archive: opensuse-security (465 mails)

Firewall 2 blocking internal access to Web site
I'm submitting this problem again since it still persists.

I have installed SuSE 7.3 and set up SuSEfirewall2. With one exception everything
works well.
I have a small network of three Windows machines connected to a SuSE 7.3 Linux
server that is connected to an ADSL modem through a network card. I have one
public IP number for one card (eth0) that's connected to the ADSL modem, and
for the internal network (eth1) I have the number 192.168.1.1.

Masquerading from inside to the outside works fine, but when I try to connect to
my external IP from inside I get blocked and the console on the server shows the
following message.

SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth1 OUT=
MAC=00:01:02:24:4d:23:00:60:08:c3:6e:a2:08:00 SRC=192.168.1.2
DST=194.236.28.27 LEN=48 TOS=0x08 PREC=0x00 TTL=64 ID=65293 PROTO=TCP
SPT=1148 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

I have a DNS on the server but I don't think that it is the problem.
If I try to connect to 194.236.28.27 directly I get blocked in the same manner.

When using www.softwave.se the message in the console says that it's blocking 194.236.28.27,
so the DNS works and supplies the number that then gets blocked.

I have upgraded to the latest Firewall2 script but I noticed no difference.

The DNS works for all other numbers (I can get to all pages on the net except my own), and
if I type http://192.168.1.1 into the browser it works, whereas http://194.234.28.27 doesn't.
So how could it be the DNS? I am no expert on this so I could be missing something.

What do I need to change in my configuration to allow me to get to my own IP number from
the inside? Here is my current configuration.


FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="smtp pop3 imap ftp ftp-data www ssh domain"
FW_SERVICES_EXT_UDP="domain" # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="smtp pop3 imap ftp ftp-data www ssh domain"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="192.168.1.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD="" # Beware to use this!
FW_FORWARD_MASQ="" # Beware to use this!
FW_REDIRECT="192.168.1.0/24,0/0,udp,53,53"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

Bo Jangeborg Softwave

Bo)

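An added example, not part of Bo's post or of SuSEfirewall2: a small Python parser for the SuSE-FW kernel log line quoted above, which labels a drop as a "hairpin" attempt when a host on the internal network reaches the firewall's own public address through the internal interface, the situation the post describes. The sample log lines are constructed from the quoted entry (one keeps the fused "INTIN=" form seen in the archive); the interface, network and address values (eth1, 192.168.1.0/24, 194.236.28.27) are the ones given in the post.

```python
import ipaddress
import re

# Constructed sample, modelled on the entry quoted in the post; the second line keeps
# the fused "INTIN=" form, the third is an invented drop on the external side.
SAMPLE_LOG = """\
SuSE-FW-ACCESS_DENIED_FOR_INT IN=eth1 OUT= MAC=00:01:02:24:4d:23:00:60:08:c3:6e:a2:08:00 SRC=192.168.1.2 DST=194.236.28.27 LEN=48 TOS=0x08 PREC=0x00 TTL=64 ID=65293 PROTO=TCP SPT=1148 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth1 OUT= MAC=00:01:02:24:4d:23:00:60:08:c3:6e:a2:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=48 TOS=0x08 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=1149 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
SuSE-FW-ACCESS_DENIED_FOR_EXT IN=eth0 OUT= MAC=00:01:02:24:4d:23:00:60:08:c3:6e:a2:08:00 SRC=10.9.8.7 DST=194.236.28.27 LEN=48 TOS=0x08 PREC=0x00 TTL=52 ID=2 PROTO=TCP SPT=4000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# The prefix set by FW_LOG ("--log-prefix SuSE-FW") may be fused to the first field.
PREFIX_RE = re.compile(r"(SuSE-FW-[A-Z_]+?)\s*(?=IN=)")
KV_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_fw_line(line):
    """Split one SuSE-FW kernel log line into its fields; None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rest = line[m.end():]
    fields = {"prefix": m.group(1)}
    fields.update(KV_RE.findall(rest))  # IN=, OUT=, SRC=, DST=, PROTO=, DPT=, ...
    fields["flags"] = sorted(t for t in rest.split() if t in TCP_FLAGS)
    return fields


def classify(fields, internal_dev, internal_net, external_ip):
    """'hairpin': internal host -> firewall's public address via the internal
    interface (the case in the post); 'internal': other inside drops; else 'external'."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    from_inside = fields["IN"] == internal_dev and src in ipaddress.ip_network(internal_net)
    if from_inside and dst == ipaddress.ip_address(external_ip):
        return "hairpin"
    return "internal" if from_inside else "external"


def summarise(log_text, internal_dev="eth1", internal_net="192.168.1.0/24",
              external_ip="194.236.28.27"):
    """Return (label, SRC, DST, PROTO, DPT) for every SuSE-FW line in log_text."""
    rows = []
    for line in log_text.splitlines():
        f = parse_fw_line(line)
        if f is not None:
            rows.append((classify(f, internal_dev, internal_net, external_ip),
                         f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT")))
    return rows
```

A "hairpin" row confirms that the drop is the firewall refusing the public address on the internal interface rather than a DNS fault, which is the distinction the post is trying to make.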
