Mailinglist Archive: opensuse-security (359 mails)

Re: [suse-security] Problems with a simple Firewall2 config
  • From: Joachim.Winter@xxxxxxxxxxxxxx
  • Date: Tue, 15 Jul 2003 14:11:00 +0200
  • Message-id: <OF6C56438F.2FC8AF2D-ONC1256D64.0042C3A3@xxxxxxxxxxxxxx>

AFAIK the private network addresses are protected at the external interface.
That's why you cannot get any connection from the "external".
These addresses were blocked because they can be faked.

Best regards
Joachim Winter



"Knut Erik Hauslo" <KNUTH@xxxxxxxxxxom>
15.07.2003 13:12

To: <suse-security@xxxxxxxx>
Cc:
Subject: [suse-security] Problems with a simple Firewall2 config




Hi all,

This should be rather easy going, but I am experiencing problems. My
network looks as follows:
+-- External Net 192.168.1.0/24 --> (Eth1) SuSE 8.1 Firewall2 (Eth0) <--- Internal Net 172.19.0.0/16

On my Internal Net there's a web server, which machines on the external
net may access. Using my sniffer I can see packets going into the
internal net, but I receive nothing back, because the initiating machine
sends packets with destination port 80 TCP and source port > 1024 TCP
which I have not explicitly opened.

The other way around is working fine (accessing HTTP and FTP resources
on the external network).

The configuration file:
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_PROTECT_FROM_INTERNAL="no"
FW_LOG_DROP_CRIT="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_ALLOW_PING_FW="yes"
FW_IGNORE_FW_BROADCAST="yes"


What am I doing wrong?

Any hints are deeply appreciated.

Cheers,
Knut Erik

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
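
The filter described in the reply, applied to the forwarding rule from the posted configuration, as an added example (not part of either message and not SuSEfirewall2's own code). It assumes the external-interface filter drops RFC 1918 sources, as the reply suggests; parse_forward_masq, verdict and the sample source addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges: the "private network addresses" the reply refers to.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_forward_masq(value):
    """Split a FW_FORWARD_MASQ value into rules of
    (source net, forward-to IP, protocol, port), the field order used in the post."""
    rules = []
    for entry in value.split():
        src, dst, proto, port = entry.split(",")[:4]
        if src == "0/0":  # shorthand for "any source", as written in the post
            src = "0.0.0.0/0"
        rules.append((ipaddress.ip_network(src), ipaddress.ip_address(dst),
                      proto, int(port)))
    return rules

def verdict(src_ip, proto, dport, rules, block_private_on_ext=True):
    """Decide what happens to a packet arriving on the external interface.
    block_private_on_ext models the anti-spoofing filter described in the
    reply (an assumption about the firewall, not verified behaviour)."""
    src = ipaddress.ip_address(src_ip)
    if block_private_on_ext and any(src in net for net in RFC1918):
        return "DROP (private source on external interface)"
    for net, dst, rproto, rport in rules:
        if src in net and proto == rproto and dport == rport:
            return f"FORWARD to {dst}:{rport}"
    return "DROP (no matching forward rule)"

# Value copied from the configuration in the post.
RULES = parse_forward_masq("0/0,172.19.6.10,tcp,80")

if __name__ == "__main__":
    # Constructed sample sources: a host on the post's external net
    # (192.168.1.0/24) and a public documentation address.
    for ip in ("192.168.1.50", "203.0.113.7"):
        print(ip, "->", verdict(ip, "tcp", 80, RULES))
    print("filter off:",
          verdict("192.168.1.50", "tcp", 80, RULES, block_private_on_ext=False))
```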






