AFAIK the private network addresses are protected at the external interface.
That's why you cannot get any connection from the "external".
These addresses are blocked because they can be faked.
Kind regards,
Joachim Winter
Knut Erik Hauslo wrote:
Subject: [suse-security] Problems with a simple Firewall2 config
Hi all,

This should be rather easy going, but I am experiencing problems. My network looks as follows:

    +-- External Net 192.168.1.0/24 --> (Eth1) SuSE 8.1 Firewall2 (Eth0) <--- Internal Net 172.19.0.0/16

On my internal net there's a web server, which machines on the external net may access. Using my sniffer I can see packets going into the internal net, but I receive nothing back, because the initiating machine sends packets with destination port 80 TCP and source port > 1024 TCP, which I have not explicitly opened. The other way around is working fine (accessing HTTP and FTP resources on the external network).

The configuration file:

    FW_DEV_EXT="eth1"
    FW_DEV_INT="eth0"
    FW_ROUTE="yes"
    FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="172.19.0.0/16,0/0,tcp,20 172.19.0.0/16,0/0,tcp,21 172.19.0.0/16,0/0,tcp,80"
    FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80"
    FW_TRUSTED_NETS=""
    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    FW_PROTECT_FROM_INTERNAL="no"
    FW_LOG_DROP_CRIT="yes"
    FW_LOG_ACCEPT_CRIT="no"
    FW_LOG_DROP_ALL="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
    FW_ALLOW_PING_FW="yes"
    FW_IGNORE_FW_BROADCAST="yes"

What am I doing wrong? Any hints are deeply appreciated.

Cheers,
Knut Erik

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
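Joachim's point, traced against Knut's config, as an added illustration (this is a model written for this page, not SuSEfirewall2's own rule generator or any code from the thread): an anti-spoofing check on the external interface rejects packets whose source is an RFC 1918 address before any FW_FORWARD_MASQ rule is consulted, so clients on the 192.168.1.0/24 "external" net never reach the DNAT to 172.19.6.10:80, while a client with a public source would. The interface names and the forward rule come from the posted config; the firewall's own external address (192.168.1.1), the exact set of private ranges checked, and the verdict strings are assumptions of this model.

```python
"""Model of an RFC 1918 anti-spoofing check in front of a port-forward rule.

Added example for this thread; it does not reproduce SuSEfirewall2's real
rule set, only the ordering Joachim describes: spoof check first, forward
rules second, default drop last.
"""
import ipaddress
from dataclasses import dataclass

# Taken from the posted config.
FW_DEV_EXT = "eth1"
FW_DEV_INT = "eth0"
# FW_FORWARD_MASQ="0/0,172.19.6.10,tcp,80" -> (source net, target, proto, port)
FW_FORWARD_MASQ = [("0.0.0.0/0", "172.19.6.10", "tcp", 80)]

# Assumption: the firewall's address on the external net is not given in the post.
FW_EXT_ADDR = ipaddress.ip_address("192.168.1.1")

# Assumption: the spoof check rejects the three RFC 1918 ranges on FW_DEV_EXT.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    iif: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str
    dport: int


def is_private(addr: str) -> bool:
    """True if addr falls in one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def filter_packet(pkt: Packet, protect_ext_from_private: bool = True) -> tuple:
    """Return (verdict, reason) for a packet entering the firewall."""
    # Step 1: anti-spoofing. A private source on the external interface is
    # dropped here, so the forward rule below is never evaluated for it.
    if pkt.iif == FW_DEV_EXT and protect_ext_from_private and is_private(pkt.src):
        return "DROP", f"SuSE-FW private source {pkt.src} on {pkt.iif}"

    # Step 2: FW_FORWARD_MASQ. Packets addressed to the firewall's external
    # address that match a rule's source net, protocol and port are DNATed.
    if pkt.iif == FW_DEV_EXT and ipaddress.ip_address(pkt.dst) == FW_EXT_ADDR:
        for src_net, target, proto, port in FW_FORWARD_MASQ:
            if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(src_net)
                    and pkt.proto == proto and pkt.dport == port):
                return "ACCEPT", f"DNAT to {target}:{port}"

    # Step 3: default policy, logged because FW_LOG_DROP_ALL="yes".
    return "DROP", "SuSE-FW default drop"


def demo() -> dict:
    """Constructed packets: Knut's client, a public client, and an unrelated port."""
    knut_client = Packet("eth1", "192.168.1.50", str(FW_EXT_ADDR), "tcp", 80)
    public_client = Packet("eth1", "203.0.113.5", str(FW_EXT_ADDR), "tcp", 80)
    ssh_probe = Packet("eth1", "203.0.113.5", str(FW_EXT_ADDR), "tcp", 22)
    return {
        "knut_client_protected": filter_packet(knut_client),
        "knut_client_unprotected": filter_packet(knut_client, protect_ext_from_private=False),
        "public_client": filter_packet(public_client),
        "ssh_probe": filter_packet(ssh_probe),
    }


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:26s} {verdict:6s} {reason}")
```

The sniffer observation in the post fits this ordering: with the spoof check in place the SYN from 192.168.1.50 is dropped on eth1 and logged with the SuSE-FW prefix, and nothing is forwarded; only when the external net is treated as non-private (the `protect_ext_from_private=False` case) does the same packet reach the DNAT rule.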