Mailinglist Archive: opensuse-security (757 mails)

[suse-security] WAS Help: Port Forwarding using SuSEfirewall2
  • From: Luke Loh <lloh@xxxxxxxxxx>
  • Date: Wed, 2 Jan 2002 13:29:46 +1100
  • Message-id: <C1088DE5732FD3119C4B0090274DC69EDC4BD4@xxxxxxxxxxx>
Problem solved with much thanks to Nadeem Hassan. Wasn't a port forwarding
problem - it's just that FW_MASQ_NETS needs to be set to allow the DNS
server in the DMZ to be able to talk to all port numbers or the firewall
will drop all return packets to the external querier.

Luke

-----Original Message-----
From: nhasan@xxxxxxxxx [mailto:nhasan@xxxxxxxxx]
Sent: Wednesday, January 02, 2002 1:12 PM
To: Luke Loh
Subject: Re: [suse-security] Help: Port Forwarding using SuSEfirewall2


Good. I guess you wanna post the whole thread to the list too. Someone
else may need this in the future :)

Luke Loh wrote:
>
> Nadeem
>
> Thank you for your help:) Yes, the firewall was dropping the reply packets -
> I had to explicitly set FW_MASQ_NETS to allow my DNS server to connect to
> high port numbers in order for the replies to go through:)
>
> Wish I'd thought of this first before assuming it was a pfw problem. Argh.
>
> Again, many thanks.
>
> Luke
>
> -----Original Message-----
> From: nhasan@xxxxxxxxx [mailto:nhasan@xxxxxxxxx]
> Sent: Wednesday, January 02, 2002 11:36 AM
> To: Luke Loh
> Subject: Re: [suse-security] Help: Port Forwarding using SuSEfirewall2
>
> Luke Loh wrote:
> >
> > Nadeem
> >
> > Thanks for replying. Yes, I'm using the external IP address of my firewall
> > as my DNS IP address. Doesn't seem to work. I assume then that this line is
> > correct?
> >
> > FW_FORWARD_MASQ="0/0,192.168.1.2,tcp,53 0/0,192.168.1.2,udp,53"
>
> That line looks correct to me.
>
> >
> > I don't get much in error logs, all I know is that when I try to do an
> > nslookup using my firewall's external IP address as my server (I use a
> > separate dial-up to test external-to-internal connectivity) I get a timeout.
>
> Looks like a firewall issue. Your firewall seems to be dropping the
> reply packets. Try running tcpdump on both the EXT and DMZ interfaces
> to look at whats going through.
>
> Try in one session (for EXT):
>
> # tcpdump -i eth2 host your-dialup-ip
>
> and in another session (for DMZ):
>
> # tcpdump -i eth1 host your-dialup-ip
>
> and then try to run nslookup like before. You should now see what is going
> on :)
>
> >
> > What I did try was to telnet to port 53 to see if it would forward the
> > packet.
> >
> > From /var/log/firewall:
> >
> > Jan 2 10:29:48 zeus kernel: SuSE-FW-ACCEPT-REVERSE_MASQ IN=eth2 OUT=eth1 SRC=211.28.77.195 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1075 DF PROTO=TCP SPT=3467 DPT=53 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
> >
> > Does this mean that portforwarding *has* worked and the problem might lie
> > with my DNS server? Which is odd, because it works fine internally, and once
> > it's pfwed it's already a private ip address ...
> >
> > Thanks again.
> >
> > Luke
>
> --
> Nadeem Hasan
> nhasan@xxxxxxxxx
> http://www.nadmm.com/

--
Nadeem Hasan
nhasan@xxxxxxxxx
http://www.nadmm.com/
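The diagnosis in this thread (the inbound query was forwarded to the DMZ host, but its reply back out was dropped because FW_MASQ_NETS did not cover the high ports) can be confirmed from /var/log/firewall without tcpdump by pairing each accepted forward with a dropped reply flow. The script below is an added example, not code from the thread or from SuSEfirewall2: the ACCEPT line is the one Luke posted, the DROP line is constructed for illustration, and the "SuSE-FW-DROP-DEFAULT" prefix is an assumption about the log prefix SuSEfirewall2 uses.

```python
import re

# Constructed sample log. Line 1 is the ACCEPT-REVERSE_MASQ entry quoted in the
# thread; line 2 is a constructed reply from the DMZ DNS server being dropped
# (prefix name assumed). Source port 3467 of the query becomes the reply's DPT.
SAMPLE_LOG = """\
Jan 2 10:29:48 zeus kernel: SuSE-FW-ACCEPT-REVERSE_MASQ IN=eth2 OUT=eth1 SRC=211.28.77.195 DST=192.168.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=1075 DF PROTO=TCP SPT=3467 DPT=53 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jan 2 10:29:48 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth2 SRC=192.168.1.2 DST=211.28.77.195 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=53 DPT=3467 WINDOW=5840 RES=0x00 ACK SYN URGP=0
"""

# Action prefix followed by the iptables LOG fields. "\s*" tolerates logs where
# the prefix and "IN=" are run together (as in the thread's pasted line).
LINE_RE = re.compile(r"kernel: (?P<action>SuSE-FW-[A-Z_-]+?)\s*(?P<fields>IN=.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S+)")


def parse_line(line):
    """Parse one SuSE-FW kernel log line into {'action': ..., 'IN': ..., 'SRC': ...}.
    Flag-only tokens such as DF, SYN or ACK carry no '=' and are ignored.
    Returns None for lines that are not firewall log entries."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"action": m.group("action")}
    rec.update(KV_RE.findall(m.group("fields")))
    return rec


def flow_key(rec):
    """5-tuple identifying the direction a packet travelled."""
    return (rec["PROTO"], rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])


def reverse_key(rec):
    """5-tuple of the flow this packet is a reply to (src and dst swapped)."""
    return (rec["PROTO"], rec["DST"], rec["DPT"], rec["SRC"], rec["SPT"])


def find_dropped_replies(log_text):
    """Return [(accepted_forward, dropped_reply)] pairs: inbound connections the
    firewall forwarded whose answer from the internal host it then dropped.
    Any hit points at the return path (here FW_MASQ_NETS), not the forward."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    accepted = {flow_key(r): r for r in records if r["action"].startswith("SuSE-FW-ACCEPT")}
    pairs = []
    for r in records:
        if r["action"].startswith("SuSE-FW-DROP") and reverse_key(r) in accepted:
            pairs.append((accepted[reverse_key(r)], r))
    return pairs


if __name__ == "__main__":
    for fwd, drop in find_dropped_replies(SAMPLE_LOG):
        print(f"forwarded {fwd['SRC']}:{fwd['SPT']} -> {fwd['DST']}:{fwd['DPT']} "
              f"but dropped reply {drop['SRC']}:{drop['SPT']} -> {drop['DST']}:{drop['DPT']}")
```

Run it against the real file with `find_dropped_replies(open('/var/log/firewall').read())`; an empty result after the FW_MASQ_NETS change confirms the return path is now open.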
