
susefirewall not forwarding
Hi,



To make a long story short, I'm moving from one firewall/web
server to another. I have my new server plugged in and all set up,
masquerading for my internal network. I have port 80 forwarded from my new
firewall into my existing web server (separate box).



Everything is hunky dory from the outside, but from the inside I
cannot access either the old server or, if I disable port forwarding, the
new server by using their external address, i.e. my dyndns domain
name.



So basically what is happening is that the firewall is rejecting
requests to the external IPs from the internal network with this error:

Mar 9 21:03:32 grimlock kernel: SuSE-FW-ACCESS_DENIED_INT IN=eth1 OUT=
MAC=00:xx:xx:0f:xx:9b:00:07:95:ac:24:e4:08:00 SRC=192.168.0.15
DST=24.xxx.xxx.xxx LEN=48 TOS=0x08 PREC=0x00 TTL=128 ID=23221 DF PROTO=TCP
SPT=2131 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 OPT (020405B401010402)



What am I missing?





Here is a copy of my config file:



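# SuSEfirewall2 sysconfig dump (output of grep '^[A-Z]', so the shipped
# explanatory comments are stripped). These values are read by the
# SuSEfirewall2 script, which builds the iptables rule set from them.
FW_QUICKMODE="no"
# eth0 faces the Internet, eth1 the 192.168.0.0/24 LAN; no DMZ interface.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
# Route and masquerade the LAN out of the external device.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
# "no" leaves the firewall host itself open to the LAN; the
# FW_SERVICES_INT_* lists below are presumably only consulted when this
# is "yes" -- confirm against the SuSEfirewall2 documentation.
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
# Services on the firewall host reachable from the Internet. "80" duplicates
# "http"; cleartext imap/pop3 are exposed next to their TLS variants and ftp
# is open -- review whether each cleartext service is still needed.
FW_SERVICES_EXT_TCP="http https imap imaps pop3 pop3s smtp ssh 80 ftp"
# UDP 500 (IKE) plus IP protocols 50 (ESP) and 51 (AH): consistent with
# IPsec terminating on the firewall host.
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="51 50"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
# Accepting unsolicited connections to unprivileged ports from outside
# widens the exposed surface considerably; confirm it is still required.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
# NOTE(review): FW_FORWARD_MASQ below uses a source,dest,protocol,port tuple;
# this entry has "80" in the protocol position and no port field -- verify
# against the documented FW_FORWARD format ("0/0,0/0,tcp,80" looks intended).
FW_FORWARD="0/0,0/0,80"
# Port-forward TCP/80 arriving from anywhere to the web server on the LAN.
# NOTE(review): this DNAT presumably applies only to traffic entering on
# FW_DEV_EXT; LAN clients connecting to the external address (the
# ACCESS_DENIED_INT log with IN=eth1 above) would not be matched by it, so
# split DNS or an explicit rule for the LAN side is likely needed -- confirm.
FW_FORWARD_MASQ="0/0,192.168.0.5,tcp,80"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
# Kept on a single line: a line break inside the quoted value would put a
# newline into the --log-prefix argument handed to iptables.
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""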

grimlock:/etc/sysconfig # grep '^[A-Z]' SuSEfirewall2

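# SuSEfirewall2 sysconfig dump (output of grep '^[A-Z]', so the shipped
# explanatory comments are stripped). These values are read by the
# SuSEfirewall2 script, which builds the iptables rule set from them.
FW_QUICKMODE="no"
# eth0 faces the Internet, eth1 the 192.168.0.0/24 LAN; no DMZ interface.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
# Route and masquerade the LAN out of the external device.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
# "no" leaves the firewall host itself open to the LAN; the
# FW_SERVICES_INT_* lists below are presumably only consulted when this
# is "yes" -- confirm against the SuSEfirewall2 documentation.
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
# Services on the firewall host reachable from the Internet. "80" duplicates
# "http"; cleartext imap/pop3 are exposed next to their TLS variants and ftp
# is open -- review whether each cleartext service is still needed.
FW_SERVICES_EXT_TCP="http https imap imaps pop3 pop3s smtp ssh 80 ftp"
# UDP 500 (IKE) plus IP protocols 50 (ESP) and 51 (AH): consistent with
# IPsec terminating on the firewall host.
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="51 50"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
# Accepting unsolicited connections to unprivileged ports from outside
# widens the exposed surface considerably; confirm it is still required.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
# NOTE(review): FW_FORWARD_MASQ below uses a source,dest,protocol,port tuple;
# this entry has "80" in the protocol position and no port field -- verify
# against the documented FW_FORWARD format ("0/0,0/0,tcp,80" looks intended).
FW_FORWARD="0/0,0/0,80"
# Port-forward TCP/80 arriving from anywhere to the web server on the LAN.
# NOTE(review): this DNAT presumably applies only to traffic entering on
# FW_DEV_EXT; LAN clients connecting to the external address (the
# ACCESS_DENIED_INT log with IN=eth1 above) would not be matched by it, so
# split DNS or an explicit rule for the LAN side is likely needed -- confirm.
FW_FORWARD_MASQ="0/0,192.168.0.5,tcp,80"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
# Kept on a single line: a line break inside the quoted value would put a
# newline into the --log-prefix argument handed to iptables.
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""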

grimlock:/etc/sysconfig # grep '^[A-Z]' SuSEfirewall2

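# SuSEfirewall2 sysconfig dump (output of grep '^[A-Z]', so the shipped
# explanatory comments are stripped). These values are read by the
# SuSEfirewall2 script, which builds the iptables rule set from them.
FW_QUICKMODE="no"
# eth0 faces the Internet, eth1 the 192.168.0.0/24 LAN; no DMZ interface.
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
# Route and masquerade the LAN out of the external device.
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
# "no" leaves the firewall host itself open to the LAN; the
# FW_SERVICES_INT_* lists below are presumably only consulted when this
# is "yes" -- confirm against the SuSEfirewall2 documentation.
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
# Services on the firewall host reachable from the Internet. "80" duplicates
# "http"; cleartext imap/pop3 are exposed next to their TLS variants and ftp
# is open -- review whether each cleartext service is still needed.
FW_SERVICES_EXT_TCP="http https imap imaps pop3 pop3s smtp ssh 80 ftp"
# UDP 500 (IKE) plus IP protocols 50 (ESP) and 51 (AH): consistent with
# IPsec terminating on the firewall host.
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="51 50"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
# Accepting unsolicited connections to unprivileged ports from outside
# widens the exposed surface considerably; confirm it is still required.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
# NOTE(review): FW_FORWARD_MASQ below uses a source,dest,protocol,port tuple;
# this entry has "80" in the protocol position and no port field -- verify
# against the documented FW_FORWARD format ("0/0,0/0,tcp,80" looks intended).
FW_FORWARD="0/0,0/0,80"
# Port-forward TCP/80 arriving from anywhere to the web server on the LAN.
# NOTE(review): this DNAT presumably applies only to traffic entering on
# FW_DEV_EXT; LAN clients connecting to the external address (the
# ACCESS_DENIED_INT log with IN=eth1 above) would not be matched by it, so
# split DNS or an explicit rule for the LAN side is likely needed -- confirm.
FW_FORWARD_MASQ="0/0,192.168.0.5,tcp,80"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
# Kept on a single line: a line break inside the quoted value would put a
# newline into the --log-prefix argument handed to iptables.
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""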
