It is the firewall... and it is supposed to be that way... Your internal machines should never have to go out to the internet to come back in. What you need to do is set up the lmhosts files on your local computers with the web address and internal IP number you want to link it to. Or, if you are using DHCP, you may set up an entry to tell it that www.yoursite.com is actually 10.0.0.2 instead of 44.55.66.77 (external address). It is a security feature of the firewall.

-----Original Message-----
From: Michael Stern [mailto:mhstar@gmx.at]
Sent: Friday, March 08, 2002 3:49 AM
To: Suse-Security
Subject: Re: [suse-security] SuSEfirewall2 and viewing your own internal web site.

it may also be a TCPIP/NAT issue, not necessarily the firewall.

regards,
michael

----- Original Message -----
From: "James Bliss" <bliss@attbi.com>
To: <suse-security@suse.com>
Sent: Friday, March 08, 2002 5:36 AM
Subject: Re: [suse-security] SuSEfirewall2 and viewing your own internal web site.

This has been an ongoing conversation on the SLE mailing list off and on. This is an issue with the anti-spoofing rules with the firewall2 configuration (a valid security implementation, by the way).

First off, we need a view of what the following command provides:

    grep -v '^#' /etc/rc.config.d/firewall2.rc.config

Also, I would suggest adding:

At the end of firewall2.rc.config (Section 25.):

    FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

Then in firewall2-custom.rc.config:

In the fw_custom_before_antispoofing() section add:

    iptables -A INPUT -i <external interface, such as eth0> -s <internal network range, such as 192.168.1.0/24> -d <external IP address> -j ACCEPT

This line should look like:

    iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d 1.1.1.1 -j ACCEPT

192.168.1.0 should be your internal address range with a 0 at the end.
1.1.1.1 should be the IP address of your external interface.

Then let us know what your resolution is. And we can proceed from there.
(Thanks Togan for the grep command, that is very useful).
Jim
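
An added example, not part of the original thread: a simplified first-match model of the INPUT chain, showing why the suggested ACCEPT rule only takes effect when it is evaluated before the anti-spoofing rule. The Rule class, the verdict() helper and the assumed anti-spoofing behaviour (drop anything arriving on the external interface with an internal source address) are illustrative assumptions, not SuSEfirewall2 code.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Values copied from the example rule in the message above.
EXT_IF, INT_NET, EXT_IP = "eth0", "192.168.1.0/24", "1.1.1.1"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "ACCEPT" or "DROP"
    in_if: Optional[str] = None   # None matches any interface
    src: Optional[str] = None     # CIDR; None matches any source
    dst: Optional[str] = None     # CIDR or single address; None matches any

    def matches(self, in_if: str, src: str, dst: str) -> bool:
        ip, net = ipaddress.ip_address, ipaddress.ip_network
        return ((self.in_if is None or self.in_if == in_if)
                and (self.src is None or ip(src) in net(self.src))
                and (self.dst is None or ip(dst) in net(self.dst)))

# Assumed anti-spoofing behaviour: internal sources seen on the external NIC are dropped.
ANTISPOOF = Rule("anti-spoofing", "DROP", in_if=EXT_IF, src=INT_NET)
# The rule suggested in the message, scoped to one destination address.
CUSTOM = Rule("custom-accept", "ACCEPT", in_if=EXT_IF, src=INT_NET, dst=EXT_IP)

BEFORE = [CUSTOM, ANTISPOOF]  # rule added in fw_custom_before_antispoofing()
AFTER = [ANTISPOOF, CUSTOM]   # same rule evaluated after anti-spoofing

def verdict(chain, in_if, src, dst):
    """First matching rule wins, as in an iptables chain; default policy DROP."""
    for rule in chain:
        if rule.matches(in_if, src, dst):
            return rule.action, rule.name
    return "DROP", "default-policy"

if __name__ == "__main__":
    # Constructed sample packets: (incoming interface, source, destination).
    packets = [("eth0", "192.168.1.10", "1.1.1.1"),   # internal host to external IP
               ("eth0", "192.168.1.10", "10.9.9.9"),  # internal source, other target
               ("eth0", "203.0.113.5", "1.1.1.1")]    # outside host, no allow rule here
    for pkt in packets:
        print(pkt, "before:", verdict(BEFORE, *pkt), "after:", verdict(AFTER, *pkt))
```

The ACCEPT rule matches on the claimed source address only, so it relaxes anti-spoofing for that one destination; keeping `-d` pinned to the external IP, as the message does, limits the exception.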