Mailinglist Archive: opensuse-security (499 mails)

SuSEfirewall2 vs. DHCP, take 2
  • From: Alan Hadsell <ahadsell@xxxxxxxxxxxx>
  • Date: Wed, 19 Jun 2002 08:08:36 -0700
  • Message-id: <usn3jxq4r.fsf@xxxxxxxxxxxx>
Hi. I'm really ashamed to be asking this question. Read on, and
you'll see why.

I previously had a problem with my firewall, which uses SuSEfirewall2,
not working with DHCP. Erwin Lam helped me straighten that out, by
adding FW_SERVICES_EXT_UDP="bootpc" to the configuration. The
firewall was working perfectly.

Well, I had the firewall running on an old computer that wasn't good
for much else. Last night it died, and I don't have time to fix it
right now, so I went out and bought a new one. But I didn't have a
backup of its configuration (that's why I'm ashamed), so I had to
recreate it from scratch.

I included the FW_SERVICES_EXT_UDP="bootpc" this time, but it still
fails the same way it used to: It acquires the lease just fine when
the computer reboots, but once the firewall is up it can't renew the
lease.

The system is running SuSE 7.1 with all current patches, including
k_deflt-2.4.16-37.i386.rpm

I'm sure I just made some stupid mistake here, in my haste to get this
thing running. Can anybody spot it? Here's the firewall2
configuration (comments and blank lines omitted):

,----
| FW_DEV_EXT="eth1"
| FW_DEV_INT="eth0"
| FW_DEV_DMZ=""
| FW_ROUTE="yes"
| FW_MASQUERADE="yes"
| FW_MASQ_DEV="$FW_DEV_EXT"
| FW_MASQ_NETS="192.168.1.0/24"
| FW_PROTECT_FROM_INTERNAL="yes"
| FW_AUTOPROTECT_SERVICES="yes"
| FW_SERVICES_EXT_TCP=""
| FW_SERVICES_EXT_UDP="bootpc bootps domain" # Common: domain
| FW_SERVICES_EXT_IP="domain"
| FW_SERVICES_DMZ_TCP=""
| FW_SERVICES_DMZ_UDP=""
| FW_SERVICES_DMZ_IP=""
| FW_SERVICES_INT_TCP="ssh ntp"
| FW_SERVICES_INT_UDP="ntp domain"
| FW_SERVICES_INT_IP=""
| FW_TRUSTED_NETS=""
| FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
| FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
| FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
| FW_SERVICE_DNS="no"
| FW_SERVICE_DHCLIENT="yes"
| FW_SERVICE_DHCPD="no"
| FW_SERVICE_SQUID="no"
| FW_SERVICE_SAMBA="no"
| FW_FORWARD="" # Beware to use this!
| FW_FORWARD_MASQ="" # Beware to use this!
| FW_REDIRECT=""
| FW_LOG_DROP_CRIT="yes"
| FW_LOG_DROP_ALL="no"
| FW_LOG_ACCEPT_CRIT="yes"
| FW_LOG_ACCEPT_ALL="no"
| FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
| FW_KERNEL_SECURITY="yes" # Also tried this with "no", no difference
| FW_STOP_KEEP_ROUTING_STATE="no"
| FW_ALLOW_PING_FW="yes"
| FW_ALLOW_PING_DMZ="no"
| FW_ALLOW_PING_EXT="no"
| FW_ALLOW_FW_TRACEROUTE="yes"
| FW_ALLOW_FW_SOURCEQUENCH="yes"
| FW_ALLOW_FW_BROADCAST="no"
| FW_IGNORE_FW_BROADCAST="yes"
| FW_ALLOW_CLASS_ROUTING="no"
`----

Thanks for your help. I've been staring at this for hours and I can't
see the problem.

--
Alan Hadsell
If brute force doesn't work, you aren't using enough.
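The symptom in the mail above (the first lease is acquired fine, renewals fail once the firewall is up) is exactly what a dropped unicast DHCP server-to-client packet looks like, and with FW_LOG set to prefix "SuSE-FW" any such drop that gets logged lands in syslog. The script below is an added example, not part of the original mail or of SuSEfirewall2: it parses constructed iptables LOG lines and reports drops of UDP 67 -> 68 on the external device. The hostnames, addresses and the suffixes after "SuSE-FW-" are made up for the sample.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed syslog lines in the iptables LOG-target format. The first line is
# the broadcast offer of the initial lease (accepted); the second is a unicast
# renewal from the DHCP server that the firewall dropped. Not real logs.
SAMPLE_LOG = """\
Jun 19 07:55:02 fw kernel: SuSE-FW-ACCEPT IN=eth1 OUT= SRC=0.0.0.0 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 19 08:01:10 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= SRC=10.1.2.1 DST=10.1.2.57 LEN=328 PROTO=UDP SPT=67 DPT=68 LEN=308
Jun 19 08:01:11 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT= SRC=10.1.2.9 DST=10.1.2.57 LEN=60 PROTO=TCP SPT=4711 DPT=22
Jun 19 08:01:12 fw kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.1 LEN=78 PROTO=UDP SPT=137 DPT=137
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # KEY=value pairs written by the LOG target
PREFIX_RE = re.compile(r"kernel: (SuSE-FW-[A-Z-]+)")  # the --log-prefix from FW_LOG plus suffix


@dataclass
class DhcpDrop:
    timestamp: str
    iface: str
    src: str
    dst: str


def parse_line(line: str) -> Optional[dict]:
    """Split one LOG line into its fields; None if it is not a SuSE-FW line."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))  # a repeated key (LEN) keeps its last value
    fields["PREFIX"] = m.group(1)
    fields["TS"] = line[:15]               # "Mon DD HH:MM:SS" syslog timestamp
    return fields


def find_dhcp_client_drops(log_text: str, ext_dev: str = "eth1") -> List[DhcpDrop]:
    """Return dropped DHCP server->client packets (UDP 67 -> 68) arriving on ext_dev.

    A hit here on a host that is itself a DHCP client means lease renewals are
    being blocked, which matches the behaviour described in the mail.
    """
    drops = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or "DROP" not in f["PREFIX"]:
            continue
        if f.get("IN") != ext_dev or f.get("PROTO") != "UDP":
            continue
        if f.get("SPT") == "67" and f.get("DPT") == "68":
            drops.append(DhcpDrop(f["TS"], f["IN"], f["SRC"], f["DST"]))
    return drops
```

Run it against the real /var/log/messages instead of SAMPLE_LOG to see whether the renewals are actually reaching the firewall and being dropped there, or never arriving at all.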

