This has been an ongoing conversation on the SLE mailing list off and on.
This is an issue with the anti-spoofing rules with the firewall2 configuration
(a valid security implementation by the way)
First off, we need a view of what the following command provides:
grep -v ^# /etc/rc.config.d/firewall2.rc.config
Also, I would suggest adding:
At the end of firewall2.rc.config:
(Section 25.)
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"
Then in firewall2-custom.rc.config:
In the fw_custom_before_antispoofing() section add:
iptables -A INPUT -i
I'm using SuSEfirewall2 doing network address translation.
I have defined:
FW_FORWARD_MASQ="0/0,192.168.2.12,tcp,80,80"
This allows external machines to hit a test web server I have running.
Now if I define a link on a web based page or forum that points back at my firewall's external address like this (assuming 1.2.3.4 is my firewall's external address):
From any other machine in the world outside my firewall, I can click that link and see foo.jpg. But from inside my firewall from another machine, no go. I can't use the external address. I have to change the reference to http://192.168.2.12/foo.jpg (i.e., the internal address).
I'd like to know what I have to tweak in /etc/rc.config.d/firewall2.rc.config in order to allow other internal machines to use the external address to be masq-forwarded back in to the 192.168.2.12 machine?
Maybe it's not possible... But I'm hoping it is.
Sincerely, Argentium
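The following is an added example, not code from either poster: a shell sketch of what a custom-rules hook of the kind suggested in the reply could contain for the FW_FORWARD_MASQ entry above. It parses one entry in the "source,target,proto,port,targetport" shape from the thread and emits the usual hairpin ("NAT loopback") rule set: a DNAT for internal clients that address the external IP, an SNAT so the server's replies travel back through the firewall instead of going straight to the client, and a FORWARD accept placed ahead of the later rules. The names hairpin_entry, IPT, the internal network 192.168.2.0/24 and the firewall's internal address 192.168.2.1 are assumptions; only 192.168.2.12, the FW_FORWARD_MASQ entry, 1.2.3.4 and the fw_custom_before_antispoofing() hook name come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): hairpin NAT for one FW_FORWARD_MASQ entry,
# in the shape of a SuSEfirewall2 custom-rules hook. Assumed placeholders:
# internal network 192.168.2.0/24 and firewall internal address 192.168.2.1.

IPT="${IPT:-iptables}"   # set IPT=echo to dry-run and review the rules first

# hairpin_entry ENTRY EXT_IP INT_NET INT_IP
#   ENTRY is one FW_FORWARD_MASQ item: "<source>,<target>,<proto>,<port>[,<target port>]"
hairpin_entry() {
    entry=$1; ext_ip=$2; int_net=$3; int_ip=$4
    old_ifs=$IFS; IFS=,
    set -- $entry            # split the entry on commas into $1..$5
    IFS=$old_ifs
    if [ $# -lt 4 ]; then
        echo "hairpin_entry: malformed FW_FORWARD_MASQ entry: $entry" >&2
        return 1
    fi
    target=$2; proto=$3; port=$4; tport=${5:-$4}

    # 1. Internal client -> external address: rewrite the destination to the
    #    internal server before routing, just as happens for outside clients.
    $IPT -t nat -A PREROUTING -s "$int_net" -d "$ext_ip" -p "$proto" \
        --dport "$port" -j DNAT --to-destination "$target:$tport"

    # 2. The server must answer via the firewall, not directly to the client
    #    (which would not recognise the reply), so rewrite the source as well.
    #    Note: this also rewrites internal clients that address the server
    #    directly; on iptables with the conntrack match, adding
    #    "-m conntrack --ctstate DNAT" limits it to redirected connections.
    $IPT -t nat -A POSTROUTING -s "$int_net" -d "$target" -p "$proto" \
        --dport "$tport" -j SNAT --to-source "$int_ip"

    # 3. Let the redirected connection pass the filter table; placing this in
    #    the before_antispoofing hook puts it ahead of the generated rules.
    $IPT -A FORWARD -s "$int_net" -d "$target" -p "$proto" \
        --dport "$tport" -j ACCEPT
}

# Hook as it would appear in the custom rules file (assumed values marked above).
fw_custom_before_antispoofing() {
    hairpin_entry "0/0,192.168.2.12,tcp,80,80" "1.2.3.4" "192.168.2.0/24" "192.168.2.1"
}
```

Run it once with IPT=echo to inspect the three generated rules before letting the hook call iptables for real; the function refuses entries with fewer than four fields rather than emitting half a rule set.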
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here