Mailinglist Archive: opensuse-security (409 mails)

SuSE-FW-NO_ACCESS_INT->FWEXT (last attempt)
  • From: j0nas <jonas@xxxxxxxxxx>
  • Date: Thu, 01 Aug 2002 11:29:43 +0200
  • Message-id: <5.1.1.6.2.20020801112817.00bfaba0@xxxxxxxxxxx>
I'm going to make one last attempt at getting some answers to my problem before I leave this list.
Hopefully someone can help me, or at least tell me what I want done is impossible so I don't have
to keep looking for a solution. Here's my problem:

I'm using SuSE 8.0 with SuSEfirewall2, and on my firewall I have ports for ssh, smtp, http and identd
open to the outside, and the same ports plus pop3 + samba open for the internal network. I also have an
extra port (not 21) opened for my ftp service.

My problem is that I can access all resources from the inside using the internal IP address of the firewall,
i.e. I can view the web pages when calling http://192.168.0.1/ from any other machine on the internal network.
It also works when I try to access the web server from the outside (using the external IP), BUT when I try
to access the web server using the external IP (or the domain pointing to my firewall) nothing happens and
I get this logged in /var/log/firewall:
Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP SPT=3802 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A000000000000000001010402)

The same goes for when I try to access any of the other services from the inside using the external IP. How can
I make this work?

Here is my /etc/sysconfig/SuSEfirewall2 setup:
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"

FW_MASQUERADE="yes"
FW_MASQ_DEV="eth1"
FW_MASQ_NETS="192.168.0.0/24"

FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"

FW_SERVICES_EXT_TCP="113 8000 http smtp ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="113 139 445 8000 http pop3 pop3s smtp ssh"
FW_SERVICES_INT_UDP="137:138"
FW_SERVICES_INT_IP=""

FW_TRUSTED_NETS="192.168.0.0/24"

FW_ALLOW_INCOMING_HIGHPORTS_TCP="8000"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"

FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="yes"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"

FW_FORWARD=""

FW_FORWARD_MASQ=""

FW_REDIRECT=""

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

FW_KERNEL_SECURITY="yes"

FW_STOP_KEEP_ROUTING_STATE="no"

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"

FW_ALLOW_FW_TRACEROUTE="yes"

FW_ALLOW_FW_SOURCEQUENCH="yes"

FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"

FW_ALLOW_CLASS_ROUTING="no"

Any help would be appreciated, thank you!

Jonas
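An added example, not part of the original post: a small Python triage helper that parses the netfilter LOG line quoted above (prefix, key=value fields, bare flags such as DF and SYN) and checks whether the dropped packet is an internal host in the masqueraded network connecting to the firewall's external address on a port that FW_SERVICES_EXT_TCP opens. The masqueraded network, the external address 213.66.148.171 and the service list are taken from the post; the function names and the inline service-name table are my own.

```python
import ipaddress
import re

# Values taken from the posted configuration and log line.
MASQ_NETS = [ipaddress.ip_network("192.168.0.0/24")]   # FW_MASQ_NETS
EXT_ADDR = ipaddress.ip_address("213.66.148.171")      # DST of the logged packet
EXT_TCP_SERVICES = {"113", "8000", "http", "smtp", "ssh"}  # FW_SERVICES_EXT_TCP
# SuSEfirewall2 resolves names via /etc/services; a tiny inline table keeps this offline.
SERVICE_PORTS = {"http": 80, "smtp": 25, "ssh": 22, "pop3": 110, "pop3s": 995}

LOG_LINE = (  # copied verbatim from the post
    "Jul 27 14:25:22 linux kernel: SuSE-FW-NO_ACCESS_INT->FWEXT IN=eth0 OUT= "
    "MAC=00:50:8b:03:d1:60:00:c0:26:59:d9:56:08:00 SRC=192.168.0.5 DST=213.66.148.171 "
    "LEN=64 TOS=0x08 PREC=0x00 TTL=128 ID=33688 DF PROTO=TCP SPT=3802 DPT=80 "
    "WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B4010303000101080A000000000000000001010402)"
)

PREFIX_RE = re.compile(r"kernel: (SuSE-FW-\S+) (.*)$")

def parse_fw_log(line):
    """Split a SuSEfirewall2 LOG line into its prefix, key=value fields and bare flags."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    rest = re.sub(r"OPT \(\S+\)", "", rest)  # the TCP options blob has no key
    fields, flags = {}, set()
    for tok in rest.split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v          # OUT= yields an empty value, as in the log
        else:
            flags.add(tok)         # DF, SYN, ACK, ...
    return {"prefix": prefix, "fields": fields, "flags": flags}

def allowed_ext_ports():
    """Numeric TCP ports opened on the external interface."""
    return {int(s) if s.isdigit() else SERVICE_PORTS[s] for s in EXT_TCP_SERVICES}

def classify(line):
    """Verdict: is this an internal client hitting the firewall's external address?"""
    rec = parse_fw_log(line)
    if rec is None or rec["fields"].get("PROTO") != "TCP":
        return "not a TCP SuSE-FW log line"
    f = rec["fields"]
    src, dst, dport = ipaddress.ip_address(f["SRC"]), ipaddress.ip_address(f["DST"]), int(f["DPT"])
    internal = any(src in net for net in MASQ_NETS)
    if internal and dst == EXT_ADDR and "SYN" in rec["flags"] and dport in allowed_ext_ports():
        return f"internal {src} -> external address tcp/{dport}: dropped by {rec['prefix']}"
    return f"other drop: {rec['prefix']}"
```

Feeding the quoted line to classify() reports the SYN from 192.168.0.5 to the external address on tcp/80 as the INT->FWEXT drop, which distinguishes this case from unrelated drops in the same log.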
