dial-up from provider. I'm running inetd in its standard configuration on router.

> Why that?!

I just thought there is some socket service that I need to have listening when connecting to the web server from outside, but I actually have no deep knowledge about networking and so I try around. I surely think
ping everything outside, I cannot ping this dyn IP nor my domain (translated to correct IP) from my internal, masqueraded network.

> The external IP of your router? Then it's probably dropped by the firewall.

Sure it gets dropped. I can see a SuSE-FW-NO_ACCESS_INT->FWEXT entry in my logfile for everything I send to the dynamic IP from the internal network. As I could not find it documented anywhere in the net, I can only think it is a feature of this FW filtering. Although no protection from the internal network is turned on, the firewall is indeed protected against all the communication that accesses the IP dynamically set to the ppp0 interface. I'm not sure if it is a measure for some kind of spoofed packets that get
Pinging from router works fine.

> "lo" device is usually open, yes.

So there must be a rule that recognizes the communication to the dynamically assigned IP, going from the router, in fact as loopback and doesn't put any
Hi Steffen,
--- Steffen Dettmer
> anti-spoofing acts on source, not on destination addresses. There is nothing like "spoofing destination addresses" :)

Yes, but as I tried to explain already, it is apparently not allowed by design of SuSE FW2 for some undocumented security reasons. I'm not able to guess which.
> You may use a TCP Relay, a Port Forwarder or a transparent proxy. I would suggest a Port Forwarder.

Thanks, I will try to find something usable. Still, I think there has to be a possibility to do it with iptables of the 2.4 kernel, not using ipchains at all, but the great majority of info on the web describes ipchains or uses sophisticated, user-friendlier tools to cover up the complexity of iptables. I just hoped the SuSE80 built-in FW2 is everything I need for my configuration. I don't feel like writing packet filtering of my own from scratch to suit my needs; I want to rely on the work already done by SuSE developers. Am I wrong with this assumption?
> Add logging and see what gets dropped and adjust the rules.

As said, I see the logging, but I don't want to deactivate SuSE FW2 if I am not sure there is no easy workaround possible using just its configuration. If I write some rules of my own, flushing or rewriting what's in /sbin/SuSEfirewall, I could as well build it from the start. I strongly believe my aimed configuration is nothing unusual and there must be someone out there who already went through this crap.
> Maybe the firewall drops this still.

Trying to access the Apache using the public IP from the provider, launched at the router alone, behaves as if there were no masqueraded port forwarding at all. As I don't start the Apache on the router, the response from the browser is that it cannot connect to this host - port 80 is not open. No entry from FW2 is logged. Repeating, from the internal network, packets get dropped by FW2 and a timeout occurs. I would say the FW2 works in parts as it was designed, but promises given in its configuration comments are not fulfilled. I cannot override the defense against accessing ppp0 through its IP address from the internal network using FW_TRUSTED_NETS and I cannot do port forwarding to the internal network using reverse masquerading with FW_FORWARD_MASQ. To me, it seems like masquerading and protection of home networks for small users is working very user-friendly in a professional SuSE distribution available almost at supermarkets, but any features going outside this scope are simply ignored. I would say I've spent too much time pondering about it; instead I could better try to get Debian running, where the documentation is readily available. But by tomorrow I have to have the configuration working. Just because of this dreaded router I've lost almost weeks. The whole infrastructure including mail server, secured FTP with access to user and public webspace and knowledge base, public sites and intranet applications utilizing PHP, Python in several open-source projects, advanced configuration of the web server to the business model also using unique connections to several J2EE applications, CVS server with automatic propagating of changes, mSQL, MySQL and PostgreSQL as backend, Web Services, LDAP and even tunnels for VPN (Samba, NFS, video-conferencing, cryptography in Mandrake, RedHat and W2K), everything secured out - that was all a piece of cake compared to getting access to it from the Internet using a dynamically assigned IP from my DSL ISP through the SuSE80 Firewall2.
Either I am too dumb to understand the SuSE concepts or I was cheated by features they seemingly provide. I can achieve wonderful things in my home network, but as soon as I want to make it public, everything breaks apart. I'm a programmer, not an administrator, and I don't want to study yet more sources to get a, in my eyes, very primitive and usual networking scenario working. I planned one day to establish it with SuSE80, but now, after almost two weeks, I'm not progressing a bit. Excuse my babbling, but I am desperate.
Peter.
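As an added example (not from this thread, and not SuSEfirewall2's own rules): a script that prints, rather than applies, the plain iptables rules for a 2.4 kernel that forward port 80 on the dynamic ppp0 address to an internal Apache and that let masqueraded LAN hosts reach the server through the public address, the two things the reply above says FW_FORWARD_MASQ and FW_TRUSTED_NETS did not deliver. The interface names, subnet, public address, server address and port are constructed assumptions; on a real router the public address changes at every dial-up and would be read at link-up.

```shell
#!/bin/sh
# Added example: print iptables (2.4 kernel) rules that publish one internal
# TCP service on a dynamic ppp0 address and make it reachable from the LAN via
# that public address (hairpin NAT). Nothing is applied: review the output,
# then run it as root. All addresses and names passed in are assumptions.

forward_rules() {
    ext_if=$1    # interface holding the dynamic public IP (ppp0)
    int_if=$2    # internal, masqueraded LAN interface
    int_net=$3   # internal subnet, e.g. 192.168.1.0/24
    pub_ip=$4    # current address on ext_if (changes with every dial-up)
    server=$5    # internal host running Apache
    port=$6      # the single TCP port to publish

    # 1. Rewrite the destination of packets arriving from the Internet.
    echo "iptables -t nat -A PREROUTING -i $ext_if -p tcp --dport $port -j DNAT --to-destination $server:$port"
    # 2. Only this one service may be forwarded (least privilege); replies and
    #    related packets ride on connection tracking, whichever way they go.
    echo "iptables -A FORWARD -o $int_if -p tcp -d $server --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 3. Hairpin: LAN clients that use the public address get the same DNAT ...
    echo "iptables -t nat -A PREROUTING -i $int_if -s $int_net -d $pub_ip -p tcp --dport $port -j DNAT --to-destination $server:$port"
    #    ... and are masqueraded towards the server, so its reply comes back
    #    through the router instead of going straight to a client that expects
    #    an answer from $pub_ip (which it would reset).
    echo "iptables -t nat -A POSTROUTING -o $int_if -s $int_net -d $server -p tcp --dport $port -j MASQUERADE"
}

# Constructed sample values. On a real router pub_ip would be taken from the
# pppd ip-up hook (/etc/ppp/ip-up, where pppd passes the new local address).
forward_rules ppp0 eth0 192.168.1.0/24 203.0.113.5 192.168.1.10 80
```

The printed rules assume the FORWARD chain's policy is DROP and that masquerading of the LAN towards ppp0 is already in place, as it is on the router described above.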