Mailinglist Archive: opensuse-security (685 mails)

How to give access to my DMZ from internal (SuSEfirewall2)
Dear List,

I use SuSEfirewall to give access to the internet for a few users in my
company.
Also there is a mailserver in a DMZ which is accessible by all users from
internal and the internet.
Now I like to use SuSEfirewall2, but suddenly no one can reach the
mailserver from internal as they used to do. (Everything else works fine.)

I tried several "hooks" in SuSEfirewall-custom.rc with no success.
Is there a solution, so I can use SuSEfirewall2 as I did with SuSEfirewall?
(I think there must be a way to let the internal users into the DMZ as if they
came from external?)
Like a forwarding rule in firewall2-custom.rc.config?
It all did work with SuSEfirewall(1).

Any help or hint is welcome. (desperate)

This is my SuSEfirewall2.rc:

# eth0-addr:10.0.0.100 hooked to ADSL Modem: 10.0.0.138
# eth1-addr:10.3.65.6 internal network
# eth2-addr:192.168.50.1 =DMZ, Mailserver:192.168.50.10

# external interface: the PPP link over the ADSL modem
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
# internal hosts/nets that may be masqueraded outwards, per protocol and port
FW_MASQ_NETS="10.3.0.0/16,0/0,udp,53 \
10.3.65.102/32,0/0,tcp,80 10.3.65.104/32,0/0,tcp,80 \
10.3.65.105/32,0/0,tcp,80 \
10.3.65.160/32,0/0,tcp,80 10.3.65.162/32,0/0,tcp,80 \
10.3.71.100/32,0/0,tcp,80 \
10.3.68.107/32,0/0,tcp,80 192.168.50.10/32,0/0,udp,53 \
192.168.50.10/32,0/0,tcp,1:65535"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="21 23"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS="10.0.0.138/32" #adsl modem
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
# no forwarding between zones (internal -> DMZ) is configured here
FW_FORWARD=""
# ports on the external interface that are DNATed to the DMZ mailserver
FW_FORWARD_MASQ="0/0,192.168.50.10,tcp,25 \
0/0,192.168.50.10,tcp,80 0/0,192.168.50.10,tcp,143 \
0/0,192.168.50.10,tcp,21 0/0,192.168.50.10,tcp,110"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
# END of rc.firewall
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

Thank you,

Bert Oostergetel
