Mailinglist Archive: opensuse-security (485 mails)

Re: [suse-security] firewall help..
  • From: maarten van den Berg <maarten@xxxxxxx>
  • Date: Tue, 2 Mar 2004 17:51:52 +0100
  • Message-id: <200403021751.52090.maarten@xxxxxxx>
On Tuesday 02 March 2004 17:05, Gilmore, Eric wrote:
> Can anyone give me a clue? The basics are:
> 1 machine: SuSE 8.2
> 3 nics
> 2 internal networks (examples):
> $INTLAN1:> 192.0.0.2 $INTLAN2:> 192.0.5.2

Does LAN1 trust LAN2 and vice versa?

> 3 good ip's (examples):
> eth0> 128.0.0.1 eth0:1> 128.0.0.2 eth0:2> 128.0.0.3
>
> 2 spoofed ip's:
> $INTIF1> 192.0.5.2 $INTIF2> 192.0.48.3

If by spoofed you mean reserved, internal addresses: be aware that you're
outside the allowed range (192.168.0.0/16) (See RFC 1918)

> works:
> -connecting from the internet/external LAN to all machines via (ssh, FTP,
> HTTP)
> not:
> -connecting between $INTLAN1 & $INTLAN2

If full and mutual trust is expected / wanted:
set FW_ALLOW_CLASS_ROUTING="yes"
Hm... reading on I notice you don't use the Suse firewall filter. Why not?

> -samba connections from anywhere

Explain. From ANYwhere implies "from internet". Surely you CAN not want that.
If you mean from LAN1 <-> LAN2 then either the above class routing will fix it
(when you use AD + properly configured DNS servers) or you may need to
specify the exact share by IP number (net use * \\192....\C
If both are not options you will need to find a way to relay the Netbios
broadcast(s) over the firewall. Dunno offhand how to do that (and wouldn't
want to either).

> -afp (apple) connections from anywhere

See samba, the services are fairly similar.

Maarten

--
Yes of course I'm sure it's the red cable. I guarante[^%!/+)F#0c|'NO CARRIER
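
Added example, not part of the original mail: a small Python check of the RFC 1918 point raised in the reply, run over the example addresses quoted in the thread. It goes beyond the single range named above by testing all three RFC 1918 blocks; the function names and the 192.168.5.2 sample are constructed for illustration.

```python
import ipaddress

# The three blocks RFC 1918 reserves for private internets.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def rfc1918_block(addr):
    """Return the RFC 1918 block that contains addr, or None if there is none.

    An explicit block list is used on purpose: ipaddress's is_private
    attribute also covers other special-purpose ranges (loopback,
    link-local, ...), so it does not answer "is this RFC 1918 space?".
    """
    ip = ipaddress.ip_address(addr)
    for net in RFC1918_BLOCKS:
        if ip in net:
            return net
    return None


def outside_rfc1918(internal):
    """Names of 'internal' interfaces whose address is not RFC 1918 space."""
    return sorted(name for name, addr in internal.items()
                  if rfc1918_block(addr) is None)


# Addresses the original poster gave as examples for the internal side,
# plus one constructed address (LAB) that is genuinely private.
INTERNAL = {
    "INTLAN1": "192.0.0.2",
    "INTLAN2": "192.0.5.2",
    "INTIF2": "192.0.48.3",
    "LAB": "192.168.5.2",  # constructed sample, not from the thread
}

if __name__ == "__main__":
    for name, addr in INTERNAL.items():
        block = rfc1918_block(addr)
        print(f"{name:8} {addr:12} {block if block else 'NOT RFC 1918'}")
    print("renumber:", ", ".join(outside_rfc1918(INTERNAL)))
```

Addresses reported as NOT RFC 1918 belong to routable or otherwise assigned space, so using them internally can shadow real hosts and confuse anti-spoofing rules on the firewall.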
