Mailinglist Archive: opensuse-security (375 mails)

SuSEfirewall2 on 8.0 masq problem
  • From: Volker Kuhlmann <hidden@xxxxxxxxxxxxxxx>
  • Date: Wed, 4 Sep 2002 16:36:19 +1200
  • Message-id: <20020904043619.GA16176@xxxxxxxxxxxxxxx>
I am at my wit's end with this problem. Server in dmz, internal net,
http, https, ssh, imap, etc on server accessible from the outside. The
internal net should have access to the same services on the server as
are available from the outside.

Problems: ntpdate -q outside does not work on server, ditto on firewall.
reaching http://outside from server doesn't work. From outside, imap
and 7777 are not reachable on server, although http https are reachable
and imap and 7777 are configured identically. The internal net can't
reach the server (yes I use FW_FORWARD).

SuSE 8.0 with all updates current as of yesterday. I tried the same
setup on 2 different machines so it's not the hardware (unless realtek
8139 net cards go dead on some ports only, not likely).

FW_DEV_EXT="eth2"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.2.0/24 192.168.1.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="domain"
FW_SERVICES_EXT_UDP="domain ntp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="domain ssh"
FW_SERVICES_DMZ_UDP="domain"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="domain ssh"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="
192.168.2.0/24,192.168.1.1,tcp,80
192.168.2.0/24,192.168.1.1,tcp,443
192.168.2.0/24,192.168.1.1,tcp,143
192.168.2.0/24,192.168.1.1,tcp,25
192.168.2.0/24,192.168.1.1,tcp,22
192.168.2.0/24,192.168.1.1,tcp,7777
192.168.2.0/24,192.168.1.1,udp,123
"
FW_FORWARD_MASQ="
0/0,192.168.1.1,tcp,80
0/0,192.168.1.1,tcp,443
0/0,192.168.1.1,tcp,143
0/0,192.168.1.1,tcp,25
0/0,192.168.1.1,tcp,22
0/0,192.168.1.1,tcp,7777
"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"

On a SuSE 7.3 box with iptables, kernel, SuSEfirewall2 packages from
SuSE 8.0 an essentially identical setup works as expected (there's no
DNS server on that box).

Ideas are very much appreciated. Thanks in advance,

Volker

If you don't want to reply to the list change my email address to
list0570 at (sorry).

--
Volker Kuhlmann is possibly list0570 with the domain in header
http://volker.orcon.net.nz/ Please do not CC list postings to me.
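An added diagnostic, not part of the original post or of SuSEfirewall2 itself: it parses FW_FORWARD_MASQ entries in the "source,dest,proto,port[,localport]" syntax the post uses, derives the DNAT rules the nat PREROUTING chain should carry, and reports which configured forwards are missing from a captured iptables-save listing, which is how to check whether the symptom (http/https forwarded, imap/7777 not) is a rule-generation problem or something else. The sample config and the iptables-save lines are constructed, and the exact DNAT rule shape is an assumption about what the script generates.

```python
import ipaddress
import re

# Constructed sample mirroring a subset of the post's FW_FORWARD_MASQ.
FW_FORWARD_MASQ = """
0/0,192.168.1.1,tcp,80
0/0,192.168.1.1,tcp,143
0/0,192.168.1.1,tcp,7777
"""

# Constructed `iptables-save -t nat` excerpt in which the imap rule is absent.
NAT_SAVE = """
-A PREROUTING -i eth2 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.1:80
-A PREROUTING -i eth2 -p tcp -m tcp --dport 7777 -j DNAT --to-destination 192.168.1.1:7777
"""

def parse_forward(text):
    """Parse 'source,dest,proto,port[,localport]' entries; reject malformed ones."""
    rules = []
    for entry in text.split():
        parts = entry.split(",")
        if len(parts) not in (4, 5):
            raise ValueError(f"malformed entry: {entry!r}")
        src, dst, proto, port = parts[:4]
        local = parts[4] if len(parts) == 5 else port
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol in {entry!r}")
        ipaddress.ip_network("0.0.0.0/0" if src == "0/0" else src, strict=False)
        ipaddress.ip_address(dst)  # DNAT target must be a single host
        if not all(p.isdigit() and 0 < int(p) < 65536 for p in (port, local)):
            raise ValueError(f"bad port in {entry!r}")
        rules.append({"src": src, "dst": dst, "proto": proto, "port": int(port), "local": int(local)})
    return rules

def expected_dnat(rules):
    """(proto, dport, 'dst:local') tuples the nat PREROUTING chain should carry (assumed shape)."""
    return {(r["proto"], r["port"], f'{r["dst"]}:{r["local"]}') for r in rules}

DNAT_RE = re.compile(r"-p (tcp|udp) .*--dport (\d+) -j DNAT --to-destination (\S+)")

def present_dnat(save_text):
    """Extract the same tuples from iptables-save style nat table lines."""
    found = set()
    for line in save_text.splitlines():
        m = DNAT_RE.search(line)
        if m:
            found.add((m.group(1), int(m.group(2)), m.group(3)))
    return found

def missing_dnat(config_text, save_text):
    """Configured forwards that have no matching DNAT rule loaded, sorted for reporting."""
    return sorted(expected_dnat(parse_forward(config_text)) - present_dnat(save_text))

if __name__ == "__main__":
    for proto, port, target in missing_dnat(FW_FORWARD_MASQ, NAT_SAVE):
        print(f"no DNAT rule for {proto}/{port} -> {target}")
```

On a live box, feed `iptables-save -t nat` output into missing_dnat instead of the constructed NAT_SAVE; an empty result means the rules are loaded and the problem lies elsewhere (routing, the server's own filter, or the service not listening).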

