Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] problem with NAT / ip forwarding
  • From: Anders Johansson <andjoh@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Sat, 17 Aug 2002 14:09:49 +0200
  • Message-id: <200208171409.49823.andjoh@xxxxxxxxxxxxxxxxxxxxx>
On Saturday 17 August 2002 13.59, Roger Hayter wrote:
> What I can't understand is why the SuSE server can
> do it. I also would be very interested in an answer from an expert on
> this.

I'm not exactly an expert, but here goes

SuSEfirewall2 has a rule SuSE-FW-NO_ACCESS_INT->FWEXT, controlled by the
following in /sbin/SuSEfirewall2

################################################################
# Anti Spoofing/Circumvention protection - interface dependent #
################################################################
for DEV in $FW_DEV_INT; do
    for IP in $DEV_EXT; do
        $IPTABLES -A INPUT -j LOG ${LOG}"-NO_ACCESS_INT->FWEXT " -i $DEV -d $IP
        $IPTABLES -A INPUT -i $DEV -d $IP -j "$DROP"
    done
done

As far as I can see it's not controlled by any variable in /etc/sysconfig. If
you want to bypass it you'd either have to comment out the above, or -I INPUT
a rule that accepted the packets.

regards
Anders

--
'Deserves [death]. I daresay he does. Many that live deserve death. And some
that die deserve life. Can you give it to them? Then do not be too eager to
deal out death in judgement. For even the very wise cannot see all ends.'
--Tolkien, The Lord of the Rings
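
Added example (not part of the message above and not SuSEfirewall2 code): a small first-match model of the INPUT chain, showing why the accepting rule has to be inserted with -I rather than appended with -A. The interface names, the address 192.0.2.10 and the helper function names are assumptions; no iptables or root is needed to run it.

```shell
#!/bin/sh
# Added illustration: first-match model of the INPUT chain (no iptables, no root).
# eth1 and 192.0.2.10 are constructed sample values, not taken from the thread.
FW_DEV_INT="eth1"        # internal interface (assumed)
DEV_EXT="192.0.2.10"     # firewall's external address (assumed)
CHAIN=""                 # one rule per line: "<in-iface> <dst> <target>"
NL='
'

rule_append() { CHAIN="${CHAIN}$1 $2 $3${NL}"; }   # models iptables -A INPUT
rule_insert() { CHAIN="$1 $2 $3${NL}${CHAIN}"; }   # models iptables -I INPUT

# Same loops as the quoted SuSEfirewall2 block: LOG first, then DROP.
load_antispoof_rules() {
    CHAIN=""
    for DEV in $FW_DEV_INT; do
        for IP in $DEV_EXT; do
            rule_append "$DEV" "$IP" LOG
            rule_append "$DEV" "$IP" DROP
        done
    done
}

# Walk the chain top to bottom. LOG does not end the walk; ACCEPT and DROP do.
verdict() {   # usage: verdict <in-iface> <dst>
    while read -r dev dst target; do
        if [ "$dev" = "$1" ] && [ "$dst" = "$2" ] && [ "$target" != LOG ]; then
            echo "$target"
            return 0
        fi
    done <<EOF
$CHAIN
EOF
    echo POLICY   # nothing matched: the chain policy decides
}

load_antispoof_rules
echo "stock rules:      $(verdict eth1 192.0.2.10)"
rule_append eth1 192.0.2.10 ACCEPT      # appended after DROP: never reached
echo "after -A ACCEPT:  $(verdict eth1 192.0.2.10)"
load_antispoof_rules
rule_insert eth1 192.0.2.10 ACCEPT      # inserted at the head: matches first
echo "after -I ACCEPT:  $(verdict eth1 192.0.2.10)"
echo "external iface:   $(verdict eth0 192.0.2.10)"
```

In the -I case the packet is accepted before it reaches the LOG rule, so that traffic no longer shows up under the NO_ACCESS_INT->FWEXT log prefix.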
