Are you sure? Just tested it on my box:

FW_MASQUERADE="yes"
FW_MASQ_NETS="0/0"
--> masquerading for all internal machines

FW_MASQUERADE="yes"
FW_MASQ_NETS=""
--> no masquerading

FW_MASQUERADE="yes"
FW_MASQ_NETS="172.17.7.9/32"
--> masquerading for that particular machine only

Did you restart the firewall when testing?

Markus

Juan Luis Baptiste wrote:
I sent this email like a ago and didn't get a response, resending it as now I see some activity on the list and this is still happening on OpenSUSE 12.3:
On Tue, Mar 19, 2013 at 11:09 PM, Juan Luis Baptiste wrote:

Hi,
I'm trying to enable masquerading on a server to allow some internal hosts to access the internet. From reading the included EXAMPLES file and the documentation of SuSEfirewall2 I have set up the following variables:
FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"
But just setting FW_MASQUERADE="yes" will open up access to the internet to all of the internal network. From what I have read, this shouldn't be the correct behavior because then FW_MASQ_NETS wouldn't make much sense. For now, to be able to block access to the internet to the entire network I have to do it like this:
FW_MASQ_NETS="!0/0 192.168.10.0/24"
Then it works: access to all subnets is disallowed and then I allow the subnet I want. AFAIK this shouldn't be necessary; access to the internet shouldn't be allowed by default. Am I missing something? This is on openSUSE 12.1.
Cheers,
-- JLB
-- JLB
--
Markus Abt
Comet Computer GmbH
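To see which of the two behaviours described in this thread a given box actually shows, check the source networks on the MASQUERADE rules that are loaded, rather than the sysconfig variables alone. The script below is an added example, not part of either message or of SuSEfirewall2; the function names and the sample rule lines are constructed, and it assumes input in the format printed by `iptables -t nat -S`.

```shell
#!/bin/sh
# Added example: report which source networks a loaded nat table masquerades.
# Live use (as root):  iptables -t nat -S | masq_sources

# Constructed sample input, in `iptables -t nat -S` format.
SAMPLE_RESTRICTED='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE'
SAMPLE_OPEN='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Print "chain source out-interface" for every MASQUERADE rule on stdin.
# A rule without -s matches every source, so it is reported as 0.0.0.0/0.
masq_sources() {
    awk '
    $1 == "-A" && /-j MASQUERADE/ {
        src = "0.0.0.0/0"; out = "any"
        for (i = 3; i <= NF; i++) {
            if ($i == "-s" || $i == "--source") {
                # keep a leading "!" so negated matches stay visible
                neg = ($(i-1) == "!") ? "!" : ""
                src = neg $(i+1)
            }
            if ($i == "-o" || $i == "--out-interface") out = $(i+1)
        }
        print $2, src, out
    }'
}

# Exit status 0 if any MASQUERADE rule applies to all source addresses.
masq_unrestricted() {
    masq_sources | awk '
    $2 == "0.0.0.0/0" || $2 == "0/0" { found = 1 }
    END { exit !found }'
}
```

Run it after restarting the firewall with each FW_MASQ_NETS value under test; a line showing 0.0.0.0/0 as the source means every internal host is being masqueraded.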