Mailinglist Archive: opensuse-security (334 mails)

SuSEfirewall2 and Reverse Masq HELP !
  • From: "Chris de Orla" <cdeorla@xxxxxxxxx>
  • Date: Mon, 15 Sep 2003 16:42:21 -0400
  • Message-id: <00a801c37bc9$dc991a10$640118ac@xxxxxxxxxxxxxx>
I want to reverse masquerade on port 25 from the internet to a DMZ address.

The problem is when I reverse masquerade to the DMZ, it appears to connect
(SuSE-FW-ACCEPT-REVERSE-MASQ) but nothing happens (there is a postfix box
running on the DMZ).

If I make the reverse-masq to something on the internal network, it connects
no problem; anything on the DMZ does not, and there are no failures in syslog.

What am I missing here?

I am running SuSE 7.3 and iptables 1.2.8.

Below is my firewall2.rc.config:

FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="eth2"

FW_ROUTE="yes"
FW_MASQUERADE="yes"

FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="xxx.xx.x.x/24"

FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"

FW_SERVICES_EXT_TCP="123 25"
FW_SERVICES_EXT_UDP="123"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="25"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="22 123 25 10000"
FW_SERVICES_INT_UDP="123"
FW_SERVICES_INT_IP=""

FW_TRUSTED_NETS="xxx.xx.x.x/24"

FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"

FW_FORWARD=""

FW_FORWARD_MASQ="0/0,y.y.y.y,tcp,25"
FW_REDIRECT=""

FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"

FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

FW_KERNEL_SECURITY="yes"

FW_STOP_KEEP_ROUTING_STATE="yes"

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_PING_INT="yes"

# END of rc.firewall

# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #

#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="yes"

#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"

#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="yes"
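
A quick way to see whether the generated ruleset actually contains the pieces an FW_FORWARD_MASQ entry needs is to check an iptables-save dump for them: the DNAT in nat/PREROUTING, a FORWARD accept from the external to the DMZ interface for the forwarded port, and a FORWARD accept for the established replies. The script below is an added example, not SuSEfirewall2 code; it assumes the rules sit in the plain PREROUTING/FORWARD chains in the form shown (SuSEfirewall2 may place them in its own chains or match differently), and the dump, the DMZ address 10.0.2.25 and the internal network 192.168.1.0/24 are constructed.

```python
# Constructed iptables-save excerpt (not output from the poster's box): the
# port 25 DNAT is present, but nothing in FORWARD lets the DNATed packets
# out towards the DMZ interface, so a connection "accepts" and then hangs.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.2.25:25
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""


def parse_iptables_save(dump):
    """Group the '-A' rule lines of an iptables-save dump by table name."""
    tables, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):            # '*nat', '*filter' start a table
            current = line[1:]
            tables.setdefault(current, [])
        elif line.startswith("-A ") and current is not None:
            tables[current].append(line)
    return tables


def _has_rule(rules, *fragments):
    """True if some rule line contains every fragment (order-independent)."""
    return any(all(f in rule for f in fragments) for rule in rules)


def check_forward_masq(dump, dmz_ip, port, ext_dev, dmz_dev):
    """Return the rules an FW_FORWARD_MASQ entry needs that the dump lacks."""
    tables = parse_iptables_save(dump)
    nat, flt = tables.get("nat", []), tables.get("filter", [])
    missing = []
    if not _has_rule(nat, "-A PREROUTING", f"-i {ext_dev}", f"--dport {port}",
                     f"-j DNAT --to-destination {dmz_ip}:{port}"):
        missing.append(f"nat PREROUTING: DNAT to {dmz_ip}:{port}")
    # '-d 10.0.2.25' also matches the '-d 10.0.2.25/32' form iptables-save prints
    if not _has_rule(flt, "-A FORWARD", f"-i {ext_dev}", f"-o {dmz_dev}",
                     f"-d {dmz_ip}", f"--dport {port}", "-j ACCEPT"):
        missing.append(f"filter FORWARD: ACCEPT {ext_dev} -> {dmz_dev} {dmz_ip}/{port}")
    if not _has_rule(flt, "-A FORWARD", "ESTABLISHED", "-j ACCEPT"):
        missing.append("filter FORWARD: ACCEPT RELATED,ESTABLISHED replies")
    return missing


if __name__ == "__main__":
    for item in check_forward_masq(SAMPLE_DUMP, "10.0.2.25", 25, "eth1", "eth2"):
        print("missing:", item)
```

Run it against `iptables-save` output from the firewall with the real DMZ address and interfaces; an empty result means the ruleset is not the problem and the DMZ host's own routing (its default route back through the firewall) is the next thing to look at.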


