Mailinglist Archive: opensuse-security (375 mails)

Re: [suse-security] SuSEfirewall2 on 8.0 masq problem
Hi,

I know there is a problem with Realtek 8139 cards and the 2.4 kernel:
http://sdb.suse.de/en/sdb/html/mjb_rtl8139_24.html

I am by no means a firewall expert but maybe the problem is the card and
not the configuration.

Sorry I can't be of more help.
Q

On Wed, 2002-09-04 at 06:36, Volker Kuhlmann wrote:
> I am at my wit's end with this problem. Server in dmz, internal net,
> http, https, ssh, imap, etc on server accessible from the outside. The
> internal net should have access to the same services on the server as
> are available from the outside.
>
> Problems: ntpdate -q outside does not work on server, ditto on firewall.
> reaching http://outside from server doesn't work. From outside, imap
> and 7777 are not reachable on server, although http https are reachable
> and imap and 7777 are configured identically. The internal net can't
> reach the server (yes I use FW_FORWARD).
>
> SuSE 8.0 with all updates current as of yesterday. I tried the same
> setup on 2 different machines so it's not the hardware (unless realtek
> 8139 net cards go dead on some ports only, not likely).
>
> FW_DEV_EXT="eth2"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ="eth1"
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="192.168.2.0/24 192.168.1.0/24"
> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="domain"
> FW_SERVICES_EXT_UDP="domain ntp"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP="domain ssh"
> FW_SERVICES_DMZ_UDP="domain"
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="domain ssh"
> FW_SERVICES_INT_UDP="domain"
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS=""
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
> FW_SERVICE_AUTODETECT="no"
> FW_SERVICE_DNS="yes"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
> FW_FORWARD="
> 192.168.2.0/24,192.168.1.1,tcp,80
> 192.168.2.0/24,192.168.1.1,tcp,443
> 192.168.2.0/24,192.168.1.1,tcp,143
> 192.168.2.0/24,192.168.1.1,tcp,25
> 192.168.2.0/24,192.168.1.1,tcp,22
> 192.168.2.0/24,192.168.1.1,tcp,7777
> 192.168.2.0/24,192.168.1.1,udp,123
> "
> FW_FORWARD_MASQ="
> 0/0,192.168.1.1,tcp,80
> 0/0,192.168.1.1,tcp,443
> 0/0,192.168.1.1,tcp,143
> 0/0,192.168.1.1,tcp,25
> 0/0,192.168.1.1,tcp,22
> 0/0,192.168.1.1,tcp,7777
> "
> FW_REDIRECT=""
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="yes"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
> FW_KERNEL_SECURITY="no"
> FW_STOP_KEEP_ROUTING_STATE="no"
> FW_ALLOW_PING_FW="yes"
> FW_ALLOW_PING_DMZ="yes"
> FW_ALLOW_PING_EXT="yes"
> FW_ALLOW_FW_TRACEROUTE="yes"
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> FW_ALLOW_FW_BROADCAST="no"
> FW_IGNORE_FW_BROADCAST="yes"
> FW_ALLOW_CLASS_ROUTING="no"
>
> On a SuSE 7.3 box with iptables, kernel, SuSEfirewall2 packages from
> SuSE 8.0 an essentially identical setup works as expected (there's no
> DNS server on that box).
>
> Ideas are very much appreciated. Thanks in advance,
>
> Volker
>
> If you don't want to reply to the list change my email address to
> list0570 at (sorry).
>
> --
> Volker Kuhlmann is possibly list0570 with the domain in header
> http://volker.orcon.net.nz/ Please do not CC list postings to me.
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
--
Quinton Delpeche
Internet Infrastructure
Team Leader

Tel : (011) 445 8100
Tel : (011) 445 8142 (Direct)
Fax : (011) 445 8101
Mob : (083) 445 0752

Knowledge Factory
A MEMBER OF THE PRIMEDIA GROUP

Visit our websites:
http://www.knowledgefactory.co.za/
http://www.tpz.co.za/
http://www.saptg.co.za/
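A small audit script for the FW_FORWARD / FW_FORWARD_MASQ lists quoted above, added here as an example; it is not code from the mailing-list post or from SuSEfirewall2 itself. The rule text is copied verbatim from the quoted configuration, and the four-field format (source,destination,protocol,port) and the `0/0` shorthand for "any" are taken from that message. Everything else (the parser, the `covers` check and the two cross-checks) is my own and only makes the posted lists machine-checkable: which source hosts a rule actually admits, which services appear in one list but not the other, and which FW_MASQ_NETS entries never appear as a source in FW_FORWARD. Run against the posted values it reports that udp/123 is forwarded only from inside, and that 192.168.1.0/24 is masqueraded but has no FW_FORWARD entry of its own; whether either is the cause of the reported symptoms is not something the script decides.

```python
"""Parse and cross-check SuSEfirewall2 FW_FORWARD / FW_FORWARD_MASQ lists.

Added example, not from the mailing-list post.  The rule text below is
the quoted configuration; parsing and checks are an assumption-free
reading of the four-field format shown there.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Rule lists exactly as posted: source,destination,protocol,port per line.
FW_FORWARD = """
192.168.2.0/24,192.168.1.1,tcp,80
192.168.2.0/24,192.168.1.1,tcp,443
192.168.2.0/24,192.168.1.1,tcp,143
192.168.2.0/24,192.168.1.1,tcp,25
192.168.2.0/24,192.168.1.1,tcp,22
192.168.2.0/24,192.168.1.1,tcp,7777
192.168.2.0/24,192.168.1.1,udp,123
"""

FW_FORWARD_MASQ = """
0/0,192.168.1.1,tcp,80
0/0,192.168.1.1,tcp,443
0/0,192.168.1.1,tcp,143
0/0,192.168.1.1,tcp,25
0/0,192.168.1.1,tcp,22
0/0,192.168.1.1,tcp,7777
"""

FW_MASQ_NETS = ["192.168.2.0/24", "192.168.1.0/24"]  # as posted


@dataclass(frozen=True)
class ForwardRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port: int


def parse_net(text: str) -> ipaddress.IPv4Network:
    """SuSEfirewall2 writes "any" as 0/0, which ipaddress does not accept."""
    if text == "0/0":
        return ipaddress.IPv4Network("0.0.0.0/0")
    # strict=False lets a bare host address such as 192.168.1.1 become a /32
    return ipaddress.IPv4Network(text, strict=False)


def parse_rules(text: str) -> list[ForwardRule]:
    """Parse one FW_FORWARD-style list; raise ValueError on a malformed entry."""
    rules: list[ForwardRule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        fields = line.split(",")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}: {line!r}")
        src, dst, proto, port = fields
        proto = proto.lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"line {lineno}: unsupported protocol {proto!r}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"line {lineno}: bad port {port!r}")
        rules.append(ForwardRule(parse_net(src), parse_net(dst), proto, int(port)))
    return rules


def covers(rules: Iterable[ForwardRule], src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """True if at least one rule admits src_ip -> dst_ip on proto/port."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return any(s in r.src and d in r.dst and r.proto == proto and r.port == port for r in rules)


def service_diff(forward: Iterable[ForwardRule], masq: Iterable[ForwardRule]):
    """(proto, port) pairs present in only one of the two lists."""
    f = {(r.proto, r.port) for r in forward}
    m = {(r.proto, r.port) for r in masq}
    return f - m, m - f


def masq_nets_without_forward(masq_nets: Iterable[str], forward: Iterable[ForwardRule]) -> list[str]:
    """FW_MASQ_NETS entries that no FW_FORWARD rule uses as its source."""
    fwd = list(forward)
    missing = []
    for net_text in masq_nets:
        net = parse_net(net_text)
        if not any(net == r.src or net.subnet_of(r.src) for r in fwd):
            missing.append(net_text)
    return missing


if __name__ == "__main__":
    fwd, msq = parse_rules(FW_FORWARD), parse_rules(FW_FORWARD_MASQ)
    only_fwd, only_msq = service_diff(fwd, msq)
    print("only in FW_FORWARD:", sorted(only_fwd))
    print("only in FW_FORWARD_MASQ:", sorted(only_msq))
    print("masqueraded nets with no FW_FORWARD source:", masq_nets_without_forward(FW_MASQ_NETS, fwd))
```

`covers` is the quickest way to settle "does this client even match a rule" before reading firewall logs: with the posted lists a host in 192.168.2.0/24 matches the imap entry, a host in 192.168.1.0/24 matches nothing.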