Hello. I am going to set up a local network with internet-access here at home, and I have some problems getting it all to work as intended - I was hoping someone here might have any good ideas and hints to give away. ;-)

My internet-connectivity is through a dial-up ISDN-connection using an external ISDN-"modem" on the serial-port ttyS0 (using ppp0). I have been assigned an IP-range of 16 IP-addresses (should be a 28-bit subnet-mask = 255.255.255.240).

Here is how I picture the network:

      internet (dynamic IP-address on my ISP's side - mine is static!)
         |
         |
         | ppp0 = 194.215.58.49/32
   +-----------+                                  DMZ:
   |           | eth0 = 194.215.58.50/28          +------------+
   | Linux/FW  |-------------+--------------------| Win98      |
   | SuSE 6.3  |             |                    | 194.215.58.50/28
   +-----------+             |                    +------------+
                             |                    +------------+
                             |                    | NT4 server | 194.215.58.51/28
                             +--------------------| vmware     |
                             |                    +------------+
                             |                    +------------+
                             |                    | NT4 wks.   | 194.215.58.52/28
                             +--------------------| vmware     |
                                                  +------------+

The firewall should keep the following services available for access from the DMZ:

  - smtp
  - dns
  - pop3
  - imap4
  - ftp
  - ssh
  - http

...and from the internet:

  - smtp
  - pop3
  - imap4
  - ftp
  - ssh

The machines in the DMZ should be allowed full access out to the internet. (The NT-machines running under vmware are configured to use bridged networking). The computers in the DMZ are configured to use the firewall (194.215.58.50) as both DNS and default gateway.

Now, I am not really sure if I should think of the Windows98/NT machines as part of a DMZ or as part of the internal network with regards to the configuration of the SuSEFirewall v2.1. I do not want to masquerade the Windows-machines, as I will want them to access the internet with their own IP-addresses (partly because I am going to do some testing of different NT-based mailservers just for the fun of it and I want to be able to test from the Internet as well). I do not want NetBIOS broadcasts etc. (ports 137-139) from the DMZ to trigger a dialup-connection (but I _do_ want e.g. web-browsing from the DMZ to do so).

Here is the setup from the firewall-config file (comments removed to save space):

  FW_DEV_WORLD="ppp0"
  FW_DEV_INT=""
  FW_DEV_DMZ="eth0"
  FW_ROUTE="yes"
  FW_MASQUERADE="no"
  FW_MASQ_NETS=""
  FW_MASQ_DEV="$FW_DEV_WORLD"
  FW_PROTECT_FROM_INTERNAL="no"
  FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
  FW_SERVICES_EXTERNAL_TCP="smtp pop3 imap4 ftp ssh"
  FW_SERVICES_EXTERNAL_UDP=""
  FW_SERVICES_DMZ_TCP="smtp domain pop3 imap4 ftp ssh http"
  FW_SERVICES_DMZ_UDP="domain"
  FW_SERVICES_INTERNAL_TCP="smtp domain pop3 imap4 ftp ssh http"
  FW_SERVICES_INTERNAL_UDP="domain"
  FW_TRUSTED_NETS=""
  FW_SERVICES_TRUSTED_TCP=""
  FW_SERVICES_TRUSTED_UDP=""
  FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
  FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
  FW_SERVICE_DNS="yes"
  FW_SERVICE_DHCLIENT="no"
  FW_SERVICE_DHCPD="no"
  FW_FORWARD_TCP=""
  FW_FORWARD_UDP=""
  FW_REDIRECT_TCP=""
  FW_REDIRECT_UDP=""
  FW_LOG_DENY_CRIT="yes"
  FW_LOG_DENY_ALL="yes"
  FW_LOG_ACCEPT_CRIT="no"
  FW_LOG_ACCEPT_ALL="no"
  FW_KERNEL_SECURITY="yes"
  FW_STOP_KEEP_ROUTING_STATE="no"
  FW_ALLOW_PING_FW="yes"
  FW_ALLOW_PING_DMZ="yes"
  FW_ALLOW_FW_TRACEROUTE="yes"
  FW_ALLOW_FW_SOURCEQUENCH="yes"
  FW_MASQ_MODULES="autofw cuseeme ftp irc mfw portfw quake raudio user vdolive"

Now, when trying to for example do a DNS-lookup from one of the other computers, I get the following entry in the syslog (and the DNS-lookup fails):

  Apr 9 23:28:02 ratatosk kernel: Packet log: input DENY eth0 PROTO=6 194.215.58.51:1035 194.215.58.50:53 L=44 S=0x10 I=38656 F=0x4000 T=128 SYN (#70)

This happens both when testing from the vmware-machines and from the real PC with Win98 on it. The DNS-server is configured to listen to IP-addresses 127.0.0.1 and 194.215.58.50. I can ping both the firewall itself and the other computers from any of the computers in the DMZ, so I do have network-connectivity.

Here is the output from the "route -n" command:

  Kernel IP routing table
  Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
  130.67.199.0    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
  194.215.58.48   0.0.0.0         255.255.255.240 U     0      0        0 eth0
  192.168.108.0   0.0.0.0         255.255.255.0   U     0      0        0 vmnet1
  127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
  0.0.0.0         130.67.199.0    0.0.0.0         UG    0      0        0 ppp0

The "130.67.n.n" address is the IP-address of my ISP (which might change from every dialup-connection).

  ratatosk:~ # ifconfig eth0
  eth0      Link encap:Ethernet  HWaddr 00:08:C7:25:50:39
            inet addr:194.215.58.50  Bcast:194.215.58.63  Mask:255.255.255.240
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:1470 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1798 errors:0 dropped:0 overruns:0 carrier:0
            collisions:6 txqueuelen:100
            Interrupt:11 Base address:0xd800

  ratatosk:~ # ifconfig ppp0
  ppp0      Link encap:Point-to-Point Protocol
            inet addr:194.215.58.49  P-t-P:130.67.199.0  Mask:255.255.255.255
            UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
            RX packets:1212 errors:0 dropped:0 overruns:0 frame:0
            TX packets:1165 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:10

  ratatosk:~ #

Now, I do not know what the problem could be. It is probably something very basic that I _should_ know, but I just can't think of what it can be (so I am hoping that someone else might see the problem here (and perhaps also see a possible fix)). ;-)

Another thing - in the syslog I see many lines telling me the Windows-machines' broadcasts on ports 137-139 have been rejected. Is it possible to just drop these ports silently instead of filling up the logfiles?

Regards
--
Eivind Olsen <=> eivind@aminor.no <=> Hobby-BOFH

--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
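An added example (not part of the original post) for reading the kernel 2.2 / ipchains "Packet log:" lines the poster quotes: it parses the fixed field layout, separates NetBIOS noise on ports 137-139 from the DNS denial that actually needs a rule change, and counts the remaining denials per interface, protocol and destination port. The two broadcast lines in SAMPLE_LOG are constructed in the same format; only the first line is from the post.

```python
import re
from collections import Counter

# First line quoted from the post; the two NetBIOS lines are constructed samples.
SAMPLE_LOG = """\
Apr 9 23:28:02 ratatosk kernel: Packet log: input DENY eth0 PROTO=6 194.215.58.51:1035 194.215.58.50:53 L=44 S=0x10 I=38656 F=0x4000 T=128 SYN (#70)
Apr 9 23:28:05 ratatosk kernel: Packet log: input DENY eth0 PROTO=17 194.215.58.52:137 194.215.58.63:137 L=78 S=0x00 I=4711 F=0x0000 T=128 (#70)
Apr 9 23:28:06 ratatosk kernel: Packet log: input DENY eth0 PROTO=17 194.215.58.51:138 194.215.58.63:138 L=229 S=0x00 I=4712 F=0x0000 T=128 (#70)
"""

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
NETBIOS_PORTS = {137, 138, 139}   # Windows name service, datagram, session

# ipchains layout: "Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport>
# <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl> [SYN] (#<rule>)"
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) (?P<tail>.*?)\(#(?P<rule>\d+)\)"
)

def parse_packet_log(line):
    """Return the fields of one ipchains log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "chain": m.group("chain"),        # input / output / forward
        "action": m.group("action"),      # DENY / REJECT / ACCEPT
        "iface": m.group("iface"),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m.group("src"), "sport": int(m.group("sport")),
        "dst": m.group("dst"), "dport": int(m.group("dport")),
        "syn": "SYN" in m.group("tail").split(),   # TCP connection attempt
        "rule": int(m.group("rule")),
    }

def is_netbios_noise(rec):
    """Windows browser/name-service chatter: anything aimed at ports 137-139."""
    return rec["dport"] in NETBIOS_PORTS

def summarize_denies(log_text, suppress_netbios=True):
    """Count denied packets per (iface, proto, dport); NetBIOS hidden by default."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_packet_log(line)
        if rec is None or rec["action"] not in ("DENY", "REJECT"):
            continue
        if suppress_netbios and is_netbios_noise(rec):
            continue
        counts[(rec["iface"], rec["proto"], rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize_denies(SAMPLE_LOG).items():
        print(n, "denied ->", key)
```

Run against the real syslog, the summary with NetBIOS suppressed shows which service/interface pairs the firewall configuration is still blocking.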