Mailinglist Archive: opensuse-security (757 mails)

firewall2: routing between DMZ and INT
  • From: "Andreas Marbet" <andreas.marbet@xxxxxxxxxxx>
  • Date: Thu, 31 Jan 2002 18:41:03 +0100
  • Message-id: <E68E687297C82A40A146041E67D26B7E049FA8@xxxxxxxxxxxxxxxxxxxxxxx>
Hello all,

SuSE firewall2 on SuSE 7.3 with external, internal and DMZ interface
EXT: static (official) IP address (a.b.c.d)
DMZ: static (official) IP address (w.x.y.z) with the appropriate
subnet attached to it
INT: 192.168.1.1 (masqueraded on DEV_EXT)


Almost everything is working:
routing between the subnets as far as allowed in FW_FORWARD and
FW_FORWARD_MASQ is working properly (almost too good)
masquerading is working as well as squid in transparent mode

Now I have two problems with using the rules for the DMZ:
I'd like to allow the machines in the DMZ unrestricted access (for the
beginning) to the internet (in front of EXT). For that reason I put the
following rules in FW_FORWARD:
"DMZ-net,0/0 0/0,DMZ-net" # DMZ-net is of course written as w.x.y.0/24
Well, everything works now for the DMZ, but the DMZ can also reach the
internal hosts (192.168.1.0/24) directly and that's absolutely not what I
want. Does anybody know how I could prevent this?

The second problem is that I'd like to access the DMZ from the internal
network but without allowing the DMZ to connect to the internal LAN. How
can I tell the firewall to allow only connections from the DMZ to the
INT that have been initiated from internal? In the DMZ all internal
machines appear with their proper IPs (e.g. 192.168.1.50). Is this a
question of FW_MASQ_DEV?

Probably the two problems are of the same kind and perhaps I could do
this in firewall2-custom.rc.config? But because I'm rather a beginner, I
don't want to do something very stupid that would open my firewall. If
anybody has any advice or experience on this topic, please let me know.

Any help very welcome,

Andreas



slightly censored firewall2.rc.config:

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/16"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh domain"
FW_SERVICES_EXT_UDP="domain"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="domain ssh 3128"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh domain 3128"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD="192.168.1.0/24,DMZ"
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.100.0/24,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
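
Added example, not code from the post or from SuSEfirewall2 itself: the FORWARD rule logic the two questions above amount to, written as raw iptables rules using the interface names and 192.168.1.0/24 from the posted config. The function names, the log prefix and the DMZ_NET placeholder (w.x.y.0/24, standing for the real DMZ subnet) are my assumptions; the script only prints the rules unless run with `apply`, and it shows the rule ordering rather than how to hook into SuSEfirewall2's own chains.

```shell
#!/bin/sh
# Added example (not from the post or SuSEfirewall2): raw iptables
# FORWARD rules for the three-interface setup described above.
# Interface names and 192.168.1.0/24 come from the posted config;
# w.x.y.0/24 is a placeholder for the real DMZ subnet (override via DMZ_NET).
EXT=eth1
INT=eth0
DMZ=eth2
INT_NET=192.168.1.0/24
DMZ_NET=${DMZ_NET:-w.x.y.0/24}

# Emit the rules, in order, one per line. Order matters: the state rule
# lets replies to INT-initiated sessions come back from the DMZ, and the
# DMZ->INT DROP sits before any rule that accepts NEW connections from the DMZ.
fw_forward_rules() {
  cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $DMZ -o $INT -j LOG --log-prefix SuSE-FW-DMZ-INT
iptables -A FORWARD -i $DMZ -o $INT -j DROP
iptables -A FORWARD -i $INT -o $DMZ -s $INT_NET -d $DMZ_NET -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ -o $EXT -s $DMZ_NET -m state --state NEW -j ACCEPT
EOF
}

# Sanity check: the DMZ->INT DROP must precede the DMZ->EXT ACCEPT,
# otherwise a DMZ host could still open connections into the LAN.
check_order() {
  drop=$(fw_forward_rules | grep -n -- "-i $DMZ -o $INT -j DROP" | cut -d: -f1)
  acc=$(fw_forward_rules | grep -n -- "-i $DMZ -o $EXT " | cut -d: -f1)
  [ -n "$drop" ] && [ -n "$acc" ] && [ "$drop" -lt "$acc" ]
}

# Number of rules emitted (quick "did everything load" check).
rule_count() {
  fw_forward_rules | grep -c .
}

# Apply for real (as root, e.g. from firewall2-custom.rc.config): sh this.sh apply
apply_rules() {
  fw_forward_rules | while read -r line; do
    $line || { echo "failed: $line" >&2; return 1; }
  done
}

if [ "${1:-}" = apply ]; then
  check_order || { echo "rule order wrong, refusing to apply" >&2; exit 1; }
  apply_rules
fi
```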
