Mailinglist Archive: opensuse-security (81 mails)

Statefull packet inspection in SuSEfirewall2
  • From: <pronco@xxxxxxxxxxxx>
  • Date: Fri, 17 Feb 2006 10:15:35 -0300
  • Message-id: <bnev4owB.1140182135.5619050.pronco@xxxxxxxxxxxxxxxxx>
Hi,

Is it there any way to configure stateful packet inspection rules in
SuSEfirewall2 for masquerade networks? When I configure a rule in
FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I
also have to configure a rule for responses.

Example: Incoming traffic to my web server in a DMZ with private addresses

FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"

I also need to set up the following rules in order to let responses out

FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"

This rule permits not only established sessions, but additionally it
allows my web server to establish connections to the outside world.

Don’t know why the FW_FORWARD rules are stateful as I want, but
FW_MASQ_NETS ones don’t.

Any suggestion?
Is it possible to match the SYN, ACK and FIN TCP bits with SuSEfirewall2?


Thanks in advance.
Pablo Ronco
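
The two entries from the post, rendered as the netfilter rules they stand for, as an added illustration that is not SuSEfirewall2's own code or part of the original mail. It assumes the field order `src,dst,proto,port` for both FW_FORWARD_MASQ and FW_MASQ_NETS as used above, and shows why the forwarded web traffic is stateful while the FW_MASQ_NETS entry also lets the DMZ host originate connections.

```python
"""Translate SuSEfirewall2 entries into iptables rules (added example, not
SuSEfirewall2 code). Assumed entry format: "src,dst,proto,port" with
"0/0" meaning any address; the iptables syntax itself is standard."""
from typing import Dict, List


def parse_entry(entry: str) -> Dict[str, str]:
    """Split an entry; missing trailing fields fall back to 'any'."""
    fields = entry.split(",") + ["0/0", "", ""]
    src, dst, proto, port = fields[:4]
    return {"src": src, "dst": dst or "0/0", "proto": proto, "port": port}


def _match(e: Dict[str, str]) -> str:
    """Address/protocol/port match fragment shared by the FORWARD rules."""
    frag = f"-s {e['src']} -d {e['dst']}"
    if e["proto"]:
        frag += f" -p {e['proto']}"
    if e["port"]:
        frag += f" --dport {e['port']}"
    return frag


def forward_masq_rules(entry: str) -> List[str]:
    """FW_FORWARD_MASQ: DNAT plus a FORWARD accept for NEW packets only.

    The first inbound packet creates a conntrack entry; the web server's
    replies then match ESTABLISHED, so no outbound rule is needed."""
    e = parse_entry(entry)
    return [
        f"iptables -t nat -A PREROUTING -s {e['src']} -p {e['proto']} "
        f"--dport {e['port']} -j DNAT --to-destination {e['dst']}",
        f"iptables -A FORWARD {_match(e)} -m conntrack --ctstate NEW -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


def masq_nets_rule(entry: str) -> str:
    """FW_MASQ_NETS as written in the post: a stateless FORWARD accept."""
    return f"iptables -A FORWARD {_match(parse_entry(entry))} -j ACCEPT"


def reply_only_rule(entry: str) -> str:
    """Narrower replacement: same source, but only tracked replies pass."""
    e = parse_entry(entry)
    return (f"iptables -A FORWARD -s {e['src']} -m conntrack "
            f"--ctstate ESTABLISHED,RELATED -j ACCEPT")


def is_reply_only(rule: str) -> bool:
    """True when the rule cannot pass a NEW (DMZ-originated) connection."""
    return "--ctstate ESTABLISHED,RELATED" in rule
```

Running `is_reply_only(masq_nets_rule("192.168.1.5/32,0/0,tcp,1024:65535"))` returns False, which is the over-permission the post describes; `reply_only_rule` on the same entry gives the state-restricted form.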
