Mailinglist Archive: opensuse-security (334 mails)

Re: [suse-security] SuSEfirewall2 and Reverse Masq HELP !
  • From: Thomas Schweiger <El_Don@xxxxxxxxxxxxxxx>
  • Date: Mon, 15 Sep 2003 23:25:35 +0200 (CEST)
  • Message-id: <Pine.LNX.4.56.0309152303260.2111@xxxxxxxxxxxxx>
On Mon, 15 Sep 2003, Chris de Orla wrote:

> I want to reverse masquerade on port 25 from the internet to a DMZ address.

[...]

> If I make the reverse-masq to something on the internal network, it connects
> no problem, anything on the DMZ does not and no failures in syslog.
>
> What am I missing here ?
>
> I am running SuSE 7.3 and iptables 1.2.8
>
> Below is my firewall2.rc.config :
>
> FW_DEV_EXT="eth1"
> FW_DEV_INT="eth0"
> FW_DEV_DMZ="eth2"

eth2:
Is it a private net-address? (e. g. 192.168.0.1 = yyy.yyy.yyy.yyy)

> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
>
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="xxx.xx.x.x/24"

I assume xxx.xxx.xxx.xxx is your private LAN net-address? (e. g.
192.168.1.1)

You should include yyy.yyy.yyy.yyy/aa or at least the ports the DMZ should
reach in the internet.

> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
>
> FW_SERVICES_EXT_TCP="123 25"
^^^^
You don't need this, because the service (smtpd) is not running on the
firewall.

> FW_SERVICES_EXT_UDP="123"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP="25"
^^^^
Here the same. You don't need this.

> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP="22 123 25 10000"
^^^^
And again.

> FW_SERVICES_INT_UDP="123"
> FW_SERVICES_INT_IP=""
> FW_TRUSTED_NETS="xxx.xx.x.x/24"
>
> FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
>
> FW_SERVICE_AUTODETECT="yes"
> FW_SERVICE_DNS="no"
> FW_SERVICE_DHCLIENT="no"
> FW_SERVICE_DHCPD="no"
> FW_SERVICE_SQUID="no"
> FW_SERVICE_SAMBA="no"
>
> FW_FORWARD=""

Here you have to put in the services which should be routed from LAN to
DMZ (in general packets from private network to private network or from
official IPs to official IPs which don't need NAT or DNAT)

> FW_FORWARD_MASQ="0/0,y.y.y.y,tcp,25"

This should be ok, if y.y.y.y is a private IP-address in the DMZ.


All the FW_*_* parameters are only for the case where the services are
running _ON_ the firewall.

>
> # #
> #-------------------------------------------------------------------------#
> # #
> # EXPERT OPTIONS - all others please don't change these! #
> # #
> #-------------------------------------------------------------------------#
> # #

[...]

Best regards,
Thomas Schweiger

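The following is an added example, not code from the thread or from SuSEfirewall2 itself. It takes config values in the same shape as the ones quoted above (FW_FORWARD_MASQ, FW_SERVICES_EXT_TCP, FW_DEV_EXT) and makes Thomas's two points checkable: it renders the iptables DNAT and FORWARD rules an FW_FORWARD_MASQ entry stands for (an illustration of what such an entry means, not the exact rule set SuSEfirewall2 generates), checks that the DNAT target is a private (RFC 1918) address as the DMZ host should be, and lists the FW_SERVICES_*_TCP ports that merely duplicate a DNAT'd port and therefore open a port on the firewall host for a service that lives behind it. All sample values, including the DMZ host 192.168.2.10, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2.
# Sample values below are constructed; 192.168.2.10 is a placeholder DMZ host.

# Return 0 if $1 lies in an RFC 1918 private range.
is_private() {
    case $1 in
        10.*) return 0 ;;
        192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# Render one FW_FORWARD_MASQ entry "src,dst,proto,port" as the iptables
# rules it corresponds to (illustrative; the exact rules SuSEfirewall2
# emits are not shown in the thread). $1 = entry, $2 = external device.
masq_rules() {
    entry=$1; ext=$2
    src=${entry%%,*};  rest=${entry#*,}
    dst=${rest%%,*};   rest=${rest#*,}
    proto=${rest%%,*}; port=${rest#*,}
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$ext" "$src" "$proto" "$port" "$dst" "$port"
    printf 'iptables -A FORWARD -i %s -d %s -p %s --dport %s -j ACCEPT\n' \
        "$ext" "$dst" "$proto" "$port"
}

# Print the ports in a FW_SERVICES_*_TCP value ($1) that are also the target
# port of a tcp entry in FW_FORWARD_MASQ ($2). Such a port is opened on the
# firewall host itself although the service actually lives behind it.
redundant_ports() {
    for p in $1; do
        for e in $2; do
            case $e in
                *,tcp,$p) echo "$p" ;;
            esac
        done
    done
}

# Constructed sample values in the shape of the config quoted in the thread.
FW_DEV_EXT="eth1"
FW_SERVICES_EXT_TCP="123 25"
FW_FORWARD_MASQ="0/0,192.168.2.10,tcp,25"

for e in $FW_FORWARD_MASQ; do
    dst=$(echo "$e" | cut -d, -f2)
    if is_private "$dst"; then
        echo "# DNAT target $dst is private: plausible DMZ host"
    else
        echo "# DNAT target $dst is not private: check that it really is the DMZ host"
    fi
    masq_rules "$e" "$FW_DEV_EXT"
done

for p in $(redundant_ports "$FW_SERVICES_EXT_TCP" "$FW_FORWARD_MASQ"); do
    echo "# port $p in FW_SERVICES_EXT_TCP only duplicates the DNAT entry; drop it"
done
```

Run it as a plain script; it prints the two rule lines for the sample entry, followed by a note that port 25 in FW_SERVICES_EXT_TCP is redundant, which is exactly the "you don't need this" comment above. Point `FW_SERVICES_EXT_TCP` and `FW_FORWARD_MASQ` at the values from a real `firewall2.rc.config` to repeat the check there.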