Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] SuSEfirewall2 on 8.0 masq problem
Hi,

> I am at my wits end with this problem. Server in dmz, internal net,
> http, https, ssh, imap, etc on server accessible from the outside. The
> internal net should have access to the same services on the server as
> are available from the outside.

Maybe you have a problem here with access to the DMZ server from the
internal network via the external IP address.
http://lists.suse.com/archive/suse-security/2002-May/0415.html

> Problems: ntpdate -q outside does not work on server, ditto on firewall.
> reaching http://outside from server doesn't work. From outside, imap
> and 7777 are not reachable on server, although http https are reachable
> and imap and 7777 are configured identically. The internal net can't
> reach the server (yes I use FW_FORWARD).

No ping, nothing!? What about the logs on the firewall?

> FW_SERVICES_EXT_TCP="domain"
> FW_SERVICES_EXT_UDP="domain ntp"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP="domain ssh"
> FW_SERVICES_DMZ_UDP="domain"
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="domain ssh"
> FW_SERVICES_INT_UDP="domain"

You need access from the internet to your domain name server!?
You have an ntp server (like xntpd) on the firewall which must be reachable from
the internet only?

> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="no"
> FW_SERVICE_DNS="yes"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD="
> 192.168.2.0/24,192.168.1.1,tcp,80
> 192.168.2.0/24,192.168.1.1,tcp,443
> 192.168.2.0/24,192.168.1.1,tcp,143
> 192.168.2.0/24,192.168.1.1,tcp,25
> 192.168.2.0/24,192.168.1.1,tcp,22
> 192.168.2.0/24,192.168.1.1,tcp,7777
> 192.168.2.0/24,192.168.1.1,udp,123
> "
> FW_FORWARD_MASQ="
> 0/0,192.168.1.1,tcp,80
> 0/0,192.168.1.1,tcp,443
> 0/0,192.168.1.1,tcp,143
> 0/0,192.168.1.1,tcp,25
> 0/0,192.168.1.1,tcp,22
> 0/0,192.168.1.1,tcp,7777
> "

Uohhhh, that can't work well, I think, better is:

FW_FORWARD="\
192.168.2.0/24,192.168.1.1,tcp,80 \
192.168.2.0/24,192.168.1.1,tcp,443 \
192.168.2.0/24,192.168.1.1,tcp,143 \
192.168.2.0/24,192.168.1.1,tcp,25 \
192.168.2.0/24,192.168.1.1,tcp,22 \
192.168.2.0/24,192.168.1.1,tcp,7777 \
192.168.2.0/24,192.168.1.1,udp,123 \
"
FW_FORWARD_MASQ="\
0/0,192.168.1.1,tcp,80 \
0/0,192.168.1.1,tcp,443 \
0/0,192.168.1.1,tcp,143 \
0/0,192.168.1.1,tcp,25 \
0/0,192.168.1.1,tcp,22 \
0/0,192.168.1.1,tcp,7777 \
"

> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="yes"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
> FW_KERNEL_SECURITY="no"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="yes"
> FW_ALLOW_PING_EXT="yes"
> FW_ALLOW_FW_TRACEROUTE="yes"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_IGNORE_FW_BROADCAST="yes"
> FW_ALLOW_CLASS_ROUTING="no"
>
> On a SuSE 7.3 box with iptables, kernel, SuSEfirewall2 packages from
> SuSE 8.0 an essentially identical setup works as expected (there's no
> DNS server on that box).
>
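To make the two forwarding lists easier to review, here is a small audit script added by the editor; it is not code from the list thread or from SuSEfirewall2 itself. It parses FW_FORWARD-style entries (source,destination,protocol,port, separated by whitespace), validates each field, reports which services the FW_FORWARD_MASQ list exposes to the whole internet, and lists services that appear in one variable but not the other. The sample values are constructed from the entries in the post; the mapping of the shorthand `0/0` to `0.0.0.0/0` is an assumption made so that Python's `ipaddress` module can parse it.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values mirroring the FW_FORWARD / FW_FORWARD_MASQ entries
# quoted in the post. Entries may be separated by spaces or newlines: str.split()
# treats both as whitespace, the same way an unquoted shell expansion would.
SAMPLE_FW_FORWARD = """
192.168.2.0/24,192.168.1.1,tcp,80
192.168.2.0/24,192.168.1.1,tcp,443
192.168.2.0/24,192.168.1.1,tcp,143
192.168.2.0/24,192.168.1.1,tcp,25
192.168.2.0/24,192.168.1.1,tcp,22
192.168.2.0/24,192.168.1.1,tcp,7777
192.168.2.0/24,192.168.1.1,udp,123
"""

SAMPLE_FW_FORWARD_MASQ = """
0/0,192.168.1.1,tcp,80
0/0,192.168.1.1,tcp,443
0/0,192.168.1.1,tcp,143
0/0,192.168.1.1,tcp,25
0/0,192.168.1.1,tcp,22
0/0,192.168.1.1,tcp,7777
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class ForwardRule:
    source: ipaddress.IPv4Network
    destination: ipaddress.IPv4Address
    proto: str
    port: int


def _parse_network(text):
    # Assumption: the "0/0" shorthand used in the config means "any source";
    # the ipaddress module needs the full dotted form to parse it.
    if text == "0/0":
        text = "0.0.0.0/0"
    return ipaddress.ip_network(text, strict=False)


def parse_forward_list(value):
    """Parse one FW_FORWARD-style variable into validated rules; raise ValueError on bad entries."""
    rules = []
    for word in value.split():  # whitespace split: spaces and newlines alike
        fields = word.split(",")
        if len(fields) != 4:
            raise ValueError(f"expected 4 comma-separated fields: {word!r}")
        src, dst, proto, port = fields
        if proto not in ("tcp", "udp"):
            raise ValueError(f"protocol must be tcp or udp: {word!r}")
        port_num = int(port)
        if not 1 <= port_num <= 65535:
            raise ValueError(f"port out of range: {word!r}")
        rules.append(ForwardRule(_parse_network(src),
                                 ipaddress.ip_address(dst), proto, port_num))
    return rules


def is_valid_forward_list(value):
    """True if every entry parses and validates, False otherwise."""
    try:
        parse_forward_list(value)
        return True
    except ValueError:
        return False


def exposed_to_world(rules):
    """Return {destination: sorted (proto, port)} for rules whose source is any address."""
    exposed = {}
    for r in rules:
        if r.source == ANY:
            exposed.setdefault(str(r.destination), set()).add((r.proto, r.port))
    return {dst: sorted(ports) for dst, ports in exposed.items()}


def services_only_in(rules_a, rules_b):
    """(proto, port, destination) triples present in rules_a but absent from rules_b."""
    keys_b = {(r.proto, r.port, r.destination) for r in rules_b}
    return sorted((r.proto, r.port, str(r.destination))
                  for r in rules_a if (r.proto, r.port, r.destination) not in keys_b)


def audit(fw_forward, fw_forward_masq):
    """Summarise what the two variables allow and where they diverge."""
    internal = parse_forward_list(fw_forward)
    external = parse_forward_list(fw_forward_masq)
    return {
        "world_exposed": exposed_to_world(external),
        "internal_only": services_only_in(internal, external),
        "external_only": services_only_in(external, internal),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_FW_FORWARD, SAMPLE_FW_FORWARD_MASQ).items():
        print(f"{key}: {value}")
```

Run on the sample lists, the report shows six TCP services on 192.168.1.1 reachable from anywhere, and that udp/123 is forwarded for the internal net only; that kind of side-by-side listing is the quickest way to confirm whether two services really are "configured identically" before looking elsewhere (the service itself, the DMZ-side rules, or the firewall logs) for why one is reachable and the other is not.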


