Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] SuSE 7.3 Firewall2 masquerading
  • From: Alex Levit <alex@xxxxxxxxxxx>
  • Date: Mon, 21 Jan 2002 08:14:37 -0800
  • Message-id: <200201211612.g0LGCFH25648@xxxxxxxxxxxxxxxxxxxxxxx>

You need to enable the custom ruleset by uncommenting
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
at the very bottom of /etc/rc.config.d/SuSEfirewall2.rc.config

then add the following to your first ruleset, fw_custom_before_antispoofing():

iptables -A INPUT -i eth1 -s localnet -d external IP -j ACCEPT

for example:
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d xxx.xxx.xxx.xxx -j ACCEPT


Restart firewall:
/etc/rc.d/SuSEfirewall2_final reload

and you're done.
Alex Levit

On Monday 21 January 2002 00:19, Boris Kimel wrote:
> Hello everybody,
>
> Here's a somewhat newbiesh question, but I've seen this topic discussed
> here. So, I've just moved from RedHat 7.0 to SuSE 7.3 (after an HD
> failure). This Linux box is used as a company firewall/masquerader, dns,
> www and mailserver. Under RedHat we've used ipchains with its simplest
> setup just to masquerade the internal net on a per machine basis. And,
> issuing "ipchains -L" I used to get some 10 lines concerning exactly what I
> configured.
>
> With SuSE we tried to set up SuSEfirewall2, and we did it carefully. The
> problem is that the machines from the internal net cannot access www or
> mail server through its external interface - and the corresponding DENY is
> logged clearly. We did not set the firewall protection from the internal
> net, and it is accessible internally, but the traditional www.ourdomain.ru
> (or mail.ourdomain.ru) points to the external device, which worked fine
> with ipchains under RedHat. Now we're using ipchains under SuSE too, but
> this is surely wrong (just to mention the inability to use ftp from
> inside).
>
> Should we try to reconfigure SuSEfirewall2? The listing of iptables' rules is
> so complicated that I don't think I should read it. Or just throw away
> the firewall, issue some iptables' rules through a script and forget it?
>
> Thanks in advance,
> Boris G. Kimel.
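As an added example, not code from the original post or from the SuSEfirewall2 project: a fw_custom_before_antispoofing() hook in the shape Alex describes, but admitting only the ports the internal net actually needs on the external address (www and mail, as in Boris's question) instead of a blanket ACCEPT, with a dry-run mode. The interface name, the 192.168.0.0/24 net, the external address 203.0.113.10 (a documentation address) and the port list are assumptions.

```shell
#!/bin/sh
# Added example in the style of /etc/rc.config.d/firewall2-custom.rc.config;
# not the project's own file. Set IPTABLES=echo to print rules instead of
# loading them.
IPTABLES="${IPTABLES:-iptables}"

# Rough syntax check so a typo in a net or address does not turn into a rule
# that matches far more than intended.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# Usage: allow_internal_to_external IFACE LOCALNET EXTERNAL_IP PORT...
# One ACCEPT per TCP port, from the LAN net to the external address only.
allow_internal_to_external() {
    iface="$1"; localnet="$2"; extip="$3"; shift 3
    valid_ipv4 "$localnet" || { echo "bad localnet: $localnet" >&2; return 1; }
    valid_ipv4 "$extip"    || { echo "bad external IP: $extip" >&2; return 1; }
    for port in "$@"; do
        "$IPTABLES" -A INPUT -i "$iface" -s "$localnet" -d "$extip" \
            -p tcp --dport "$port" -j ACCEPT
    done
}

# The hook SuSEfirewall2 calls when FW_CUSTOMRULES points at this file.
# eth1 = internal interface (assumed); ports: http, smtp, pop3 (assumed).
fw_custom_before_antispoofing() {
    allow_internal_to_external eth1 192.168.0.0/24 203.0.113.10 80 25 110
}

# Dry run: return the rules the hook would load, as text, without touching
# the running firewall.
render_rules() {
    ( IPTABLES=echo; fw_custom_before_antispoofing )
}
```

Run `render_rules` first to review the three rules, then let SuSEfirewall2 load the file with `/etc/rc.d/SuSEfirewall2_final reload`.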
