Mailinglist Archive: opensuse-security (409 mails)

Re: [suse-security] SuSE-FW-NO_ACCESS_INT->FWEXT (last attempt)
As to your first statements, this is a voluntary response list. People may not
respond for several reasons. I believe the answer to your problem is to
place the following in your custom config file for the firewall:

fw_custom_before_antispoofing() {
# these rules will be loaded before any anti spoofing rules will be
# loaded. Effectively the only filter lists already effective are
# 1) allow any traffic via the loopback interface, 2) allow DHCP stuff,
# 3) allow SAMBA stuff [2 and 3 only if FW_SERVICE_... are set to "yes"]
# You can use this hook to prevent logging of uninteresting broadcast
# packets or to allow certain packet through the anti-spoofing mechanism.

#example: allow incoming multicast packets for any routing protocol
#iptables -A INPUT -j ACCEPT -d 224.0.0.0/24
# accept packets from the internal network that arrive on the internal
# interface (eth0 here: FW_DEV_INT="eth0", and the logged packet shows IN=eth0)
# and are addressed to the firewall's external IP; replace 999.999.999.999
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -d 999.999.999.999 -j ACCEPT
true
}

Note, 999.999.999.999 should be set to the IP address for your external interface.

You will also need to add this line to the end of your firewall config file:

#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

This should do the job for you. This is an intentional security measure in the
firewall to prevent spoofing of your internal addresses to your external
interface.

Jim

By the way, the 'last attempt' comment may actually get you ignored by
some members of this list.


8/1/2002 4:29:43 AM, j0nas <jonas@xxxxxxxxxx> wrote:

>I'm going to make one last attempt at getting some answers to my problem
>before I leave this list.
>Hopefully someone can help me, or at least tell me what I want done is
>impossible so I don't have
>to keep looking for a solution. Here's my problem:
>
>I'm using SuSE 8.0 with SuSEfirewall2, and on my firewall I have ports for
>ssh,smtp,http and identd
>open to the outside, and the same ports plus pop3+samba open for the
>internal network. I also have an
>extra port (not 21) opened for my ftp service.
>
>My problem is that I can access all resources from the inside using the
>internal ip-address of the firewall,
>i.e. I can view the web pages when calling http://192.168.0.1/ from any other
>machine on the internal network.
>It also works when I try to access the web server from the outside (using
>the external ip), BUT when I try
>to access the web server using the external ip (or the domain pointing to
>my firewall) nothing happens and
>I get this logged in /var/log/firewall:
>Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A000000000000000001010402)
>
>Same goes for when I try to access any of the other services from the
>inside using the external ip. How can
>I make this work?
>
>Here is my /etc/sysconfig/SuSEfirewall2 setup:
>FW_DEV_EXT="eth1"
>FW_DEV_INT="eth0"
>FW_DEV_DMZ=""
>FW_ROUTE="yes"
>
>FW_MASQUERADE="yes"
>FW_MASQ_DEV="eth1"
>FW_MASQ_NETS="192.168.0.0/24"
>
>FW_PROTECT_FROM_INTERNAL="yes"
>FW_AUTOPROTECT_SERVICES="yes"
>
>FW_SERVICES_EXT_TCP="113 8000 http smtp ssh"
>FW_SERVICES_EXT_UDP=""
>FW_SERVICES_EXT_IP=""
>FW_SERVICES_DMZ_TCP=""
>FW_SERVICES_DMZ_UDP=""
>FW_SERVICES_DMZ_IP=""
>FW_SERVICES_INT_TCP="113 139 445 8000 http pop3 pop3s smtp ssh"
>FW_SERVICES_INT_UDP="137:138"
>FW_SERVICES_INT_IP=""
>
>FW_TRUSTED_NETS="192.168.0.0/24"
>
>FW_ALLOW_INCOMING_HIGHPORTS_TCP="8000"
>FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
>
>FW_SERVICE_AUTODETECT="yes"
>FW_SERVICE_DNS="no"
>FW_SERVICE_DHCLIENT="yes"
>FW_SERVICE_DHCPD="no"
>FW_SERVICE_SQUID="no"
>FW_SERVICE_SAMBA="no"
>
>FW_FORWARD=""
>
>FW_FORWARD_MASQ=""
>
>FW_REDIRECT=""
>
>FW_LOG_DROP_CRIT="yes"
>FW_LOG_DROP_ALL="no"
>FW_LOG_ACCEPT_CRIT="yes"
>FW_LOG_ACCEPT_ALL="no"
>FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
>
>FW_KERNEL_SECURITY="yes"
>
>FW_STOP_KEEP_ROUTING_STATE="no"
>
>FW_ALLOW_PING_FW="yes"
>FW_ALLOW_PING_DMZ="no"
>FW_ALLOW_PING_EXT="no"
>
>FW_ALLOW_FW_TRACEROUTE="yes"
>
>FW_ALLOW_FW_SOURCEQUENCH="yes"
>
>FW_ALLOW_FW_BROADCAST="no"
>FW_IGNORE_FW_BROADCAST="yes"
>
>FW_ALLOW_CLASS_ROUTING="no"
>
>Any help would be appreciated, thank you!
>
>Jonas
>
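As an added example that is not part of this thread: a small Python helper that parses SuSE-FW kernel log lines like the one quoted above and tells the case discussed here (an internal host arriving on the internal interface and addressing the firewall's own external IP, which the custom rule is meant to allow) apart from any other NO_ACCESS_INT->FWEXT drop, which deserves a look before any rule is relaxed. The sample lines are constructed from the quoted entry (the second one is invented); the interface, network and external address defaults are taken from the thread.

```python
import ipaddress
import re

# Constructed sample lines modelled on the /var/log/firewall entry quoted in the
# thread; the second one is invented: a source outside the internal network.
SAMPLE_LINES = [
    "Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= "
    "MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 "
    "DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP "
    "SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Jul 27 14:26:01 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= "
    "MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=10.1.2.3 "
    "DST=213.66.148.171 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
]

_KERNEL_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-\S+) (?P<rest>.*)$")

def parse_fw_log(line):
    """Split a SuSE-FW kernel line into prefix, key=value fields and bare flags."""
    m = _KERNEL_RE.search(line)
    if not m:
        return None
    fields, flags = {}, []
    for token in m.group("rest").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value          # "OUT=" yields an empty string
        else:
            flags.append(token)          # DF, SYN, ...
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}

def classify_no_access(entry, internal_dev="eth0", internal_net="192.168.0.0/24",
                       external_ip="213.66.148.171"):
    """'internal-to-external-ip' is the case from the thread: an internal host on
    the internal device addressing the firewall's own external IP. Any other
    NO_ACCESS_INT->FWEXT drop is 'review'. Defaults are the thread's values."""
    if entry is None or entry["prefix"] != "SuSE-FW-NO_ACCESS_INT->FWEXT":
        return "other"
    f = entry["fields"]
    src = ipaddress.ip_address(f["SRC"])
    dst = ipaddress.ip_address(f["DST"])
    if (f.get("IN") == internal_dev
            and src in ipaddress.ip_network(internal_net)
            and dst == ipaddress.ip_address(external_ip)):
        return "internal-to-external-ip"
    return "review"
```

Running `classify_no_access(parse_fw_log(line))` over the firewall log shows how many of the drops are the hairpin case the thread is about and which ones have a source that does not belong on the internal interface.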



