Mailinglist Archive: opensuse-security (320 mails)

< Previous Next >
DMZ egress access problem
  • From: maarten van den Berg <maarten@xxxxxxx>
  • Date: Wed, 21 May 2003 19:09:04 +0200
  • Message-id: <200305211909.04281.maarten@xxxxxxx>

Hi,

I have a bit of a problem connecting from DMZ to the outside world.
I have a DMZ with real IP numbers (not masqueraded) and the corresponding
routing setup (which is working just fine). I allow port 80 and 22 to the
DMZ, which is working great too. But...
The problem is that from a DMZ host one cannot download patches; no DMZ ->
internet connection is allowed at all and I cannot find a (safe) solution.
These are my settings:

Outside net X.Y.Z.144/28
DMZ net X.Y.Z.160/28
LAN 192.168.1.0/24

My outside I/F is X.Y.Z.146. DMZ I/F is X.Y.Z.161

These are the relevant sections of SuSEfirewall I have configured

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ="eth2"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="eth0 eth2"

FW_FORWARD="0/0,X.Y.Z.160/28,tcp,80 0/0,X.Y.Z.160/28,tcp,22
X.Y.Z.160/28,0/0"

That last rule should allow access to internet, right ? But it doesn't. With
a sniffer I see packets leaving the firewall and they come back to eth0
whereafter they disappear. So probably the rule that should allow it back (I
mean the smart <established,related> rule) doesn't apply or it has a bug.

If I add this bit it works,but then I open up the entire DMZ again (evil)

0/0,X.Y.Z.160/28

And since I cannot define SOURCE portnumbers in FW_FORWARD, only DEST
portnumbers, I see no workaround. Because obviously the destination ports are
random >1024 ports. The construct 0/0,tcp,80,X.Y.Z.160/28 is not allowed
according to the docs. Or is it...? (And besides, that is not very safe
since anyone could then spoof that source port number anyway)

I can probably solve it by patching some things around inside the real
firewallscript but that is not why I'm writing this... I wonder how you are
_supposed_ to solve this in the proper way. Are my rules wrong, or do you all
disregard the FW_FORWARD line entirely and do it all from one of the hooks in
the FW_CUSTOMRULES file ?
I searched these mailarchives but a solution is not easy to find. For one,
just looking for "DMZ" obviously gives thousands of hits and more importantly
everyone seems to use a masqueraded DMZ anyway (As do the SuSE examples) so
that does not really apply to my situation.

Any insights ?

Maarten


< Previous Next >
Follow Ups