
[suse-security] having spurious problems with routing; I think some are my ISP, but I am a newbie and hoped you might help

Here is the symptom:
  
May 19 07:19:39 redroute1 kernel: SuSE-FW-ILLEGAL-ROUTING IN=ipsec0 OUT=eth0 SRC=192.168.10.150 DST=192.168.0.47 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=147 DF PROTO=ICMP TYPE=8 CODE=0 ID=46600 SEQ=512
May 19 07:19:40 redroute1 kernel: SuSE-FW-ILLEGAL-ROUTING IN=ipsec0 OUT=eth0 SRC=192.168.10.150 DST=192.168.0.47 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=148 DF PROTO=ICMP TYPE=8 CODE=0 ID=46600 SEQ=768
  
It seems sometimes I can ping and sometimes I cannot. Most problems seem to take place on a connection after I try to connect to a drive on the right side of the connection from the left. Here is other information:
  
up-client:)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        # The destination of the first rule is the leftsubnet of conn
        # dowagiac-redoak (192.168.0.0/24); it must match the down-client
        # rule exactly, otherwise the -D below will not remove it.
         iptables -I FORWARD 1 -o ipsec0 -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
         iptables -I FORWARD 1 -i ipsec0 -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT

        ;;
down-client:)
        # connection to my client subnet going down
        # If you are doing a custom version, firewall commands go here.
         iptables -D FORWARD -o ipsec0 -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT
         iptables -D FORWARD -i ipsec0 -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT
  
   
  
config setup  
        # THIS SETTING MUST BE CORRECT or almost nothing will work;  
        #%defaultroute is okay for most simple cases.  
        interfaces=%defaultroute  
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.  
        klipsdebug=all  
        plutodebug=none  
        # Use auto= parameters in conn descriptions to control startup actions.
        plutoload=%search  
        plutostart=%search  
        # Close down old connection when new one using same ID shows up.  
        uniqueids=yes  
        #Enable NAT-Traversal  
        #nat_traversal=yes  
  
conn %default  
        authby=rsasig  
        keyingtries=1  
        ikelifetime=240m  
        keylife=20m  
        compress=yes  
        disablearrivalcheck=no  
        leftrsasigkey=%cert  
        rightrsasigkey=%cert  
  
conn dowagiac-redoak  
        left=12.47.77.50  
        leftsubnet=192.168.0.0/24  
        leftcert=redroute1cert.pem  
        right=%defaultroute  
        rightsubnet=192.168.10.0/24  
        rightcert=redroute10cert.pem  
        # To authorize this connection, but not actually start it, at startup,
        # uncomment this.
        auto=add  
        pfs=yes  
  
  
# Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany.  All rights reserved.
# 
# Author: Marc Heuse <marc@xxxxxxx>, 2002 
# Please contact me directly if you find bugs. 
# 
# If you have problems getting this tool configured, please read this file
# carefully and also take a look at
#  -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES ! 
#  -> /usr/share/doc/packages/SuSEfirewall2/FAQ ! 
#  -> /usr/share/doc/packages/SuSEfirewall2/SuSEfirewall2.conf.EXAMPLE ! 
# 
# /etc/sysconfig/SuSEfirewall2 
# 
# for use with /sbin/SuSEfirewall2 version 3.1 which is for 2.4 kernels! 
# 
# ------------------------------------------------------------------------     
# 
# PLEASE NOTE THE FOLLOWING: 
# 
# Just by configuring these settings and using the SuSEfirewall2 you are
# not secure per se! There is *no* such thing as something you install and
# are hence safe from all (security) hazards.
# 
# To ensure your security, you need also: 
# 
#   * Secure all services you are offering to untrusted networks (internet) 
#     You can do this by using software which has been designed with 
#     security in mind (like postfix, apop3d, ssh), setting these up without 
#     misconfiguration and praying, that they have got really no holes. 
#     SuSEcompartment can help in most circumstances to reduce the risk. 
#   * Do not run untrusted software. (philosophical question, can you trust 
#     SuSE or any other software distributor?) 
#   * Harden your server(s) with the harden_suse package/script 
#   * Recompile your kernel with the openwall-linux kernel patch 
#     (former secure-linux patch, from Solar Designer) www.openwall.com 
#   * Check the security of your server(s) regularly
#   * If you are using this server as a firewall/bastion host to the internet
#     for an internal network, try to run proxy services for everything and
#     disable routing on this machine.
#   * If you run DNS on the firewall: disable untrusted zone transfers and
#     either don't allow access to it from the internet or run it split-brained.
# 
# Good luck! 
# 
# Yours, 
#       SuSE Security Team 
# 
# ------------------------------------------------------------------------ 
# 
# Configuration HELP: 
# 
# If you have got any problems configuring this file, take a look at 
# /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example. 
# 
# 
# All types have to enable SuSEfirewall2 in the runlevel editor
# 
# If you are an end-user who is NOT connected to two networks (read: you have
# got a single user system and are using a dialup to the internet) you just 
# have to configure (all other settings are OK): 2) and maybe 9). 
# 
# If this server is a firewall, which should act like a proxy (no direct
# routing between both networks), or you are an end-user connected to the
# internet and to an internal network, you have to set up your proxies and
# reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
# 
# If this server is a firewall, and should do routing/masquerading between 
# the untrusted and the trusted network, you have to reconfigure (all other 
# settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13), 
# 14), 20) 
# 
# If you want to run a DMZ in either of the above three standard setups, you 
# just have to configure *additionally* 4), 9), 12), 13), 17), 19). 
# 
# If you know what you are doing, you may also change 8), 11), 15), 16) 
# and the expert options 19), 20), 21), 22) and 23) at the far end, but you 
# should NOT. 
# 
# If you use diald or ISDN autodialing, you might want to set 17). 
# 
# To get programs like traceroutes to your firewall to work is a bit tricky, 
# you have to set the following options to "yes" : 11 (UDP only), 18 and 19. 
# 
# Please note that if you use service names, that they exist in /etc/services.
# There is no service "dns", it's called "domain"; email is called "smtp" etc.
# 
# *Any* routing between interfaces except masquerading requires to set FW_ROUTE
# to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING !
# 
# If you just want to do masquerading without filtering, ignore this script 
# and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn): 
#   iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0 
#   echo 1 > /proc/sys/net/ipv4/ip_forward 
# and additionally the following lines to get at least a minimum of security:
#   iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0 
#   iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0 
# ------------------------------------------------------------------------ 
 
# 
# 1.) 
# Should the Firewall run in quickmode? 
# 
# "Quickmode" means that only the interfaces pointing to external networks
# are secured, and no others. All interfaces not in the list of FW_DEV_EXT
# are allowed full network access! Additionally, masquerading is
# automatically activated for FW_MASQ_DEV devices. And last but not least:
# all incoming connections via external interfaces are REJECTED.
# You will only need to configure 2.) and FW_MASQ_DEV in 6.) 
# Optionally, you may add entries to section 9a.) 
# 
# Choice: "yes" or "no", if not set defaults to "no" 
# 
FW_QUICKMODE="no" 
FW_DEV_EXT="ppp0 ipsec0" 
 
# 
# 3.) 
# Which is the interface that points to the internal network? 
# 
# Enter all the network devices here which are trusted. 
# If you are not connected to a trusted network (e.g. you have just a 
# dialup) leave this empty. 
# 
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or "" 
# 
FW_DEV_INT="eth0" 
 
# 
# 4.) 
# Which is the interface that points to the dmz or dialup network? 
# 
# Enter all the network devices here which point to the dmz/dialups. 
# A "dmz" is a special, separated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services, 
# e.g. WWW, Mail, etc. and hence are at risk from attacks. 
# See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example. 
# 
# Special note: You have to configure FW_FORWARD to define the services 
# which should be available to the internet and set FW_ROUTE to yes. 
# 
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or "" 
# 
FW_DEV_DMZ="" 
 
# 
# 5.) 
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ 
# 
# You need only set this to yes, if you either want to masquerade internal 
# machines or allow access to the dmz (or internal machines, but this is not 
# a good idea). This option supersedes IP_FORWARD from 
# /etc/sysconfig/network/options 
# 
# Setting this option alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD to define
# what is allowed to be forwarded!
# 
# Choice: "yes" or "no", if not set defaults to "no" 
# 
FW_ROUTE="yes" 
 
# 
# 6.) 
# Do you want to masquerade internal networks to the outside? 
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE 
# 
# "Masquerading" means that all your internal machines which use services on 
# the internet seem to come from your firewall. 
# Please note that it is more secure to communicate via proxies to the 
# internet than masquerading. This option is required for FW_MASQ_NETS and 
# FW_FORWARD_MASQ. 
# 
# Choice: "yes" or "no", if not set defaults to "no" 
# 
FW_MASQUERADE="yes" 
 
# 
# You must also define on which interface(s) to masquerade on. This is 
# normally your external device(s) to the internet. 
# Most users can leave the default below. 
# 
# e.g. "ippp0" or "$FW_DEV_EXT" 
FW_MASQ_DEV="ppp0" 
 
# 
# Which internal computers/networks are allowed to access the internet
# directly (not via proxies on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A target network, protocol and service is appended by a comma to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.
# 
FW_MASQ_NETS="192.168.0.0/24" 
 
# 
# 7.) 
# Do you want to protect the firewall from the internal network? 
# REQUIRES: FW_DEV_INT 
# 
# If you set this to "yes", internal machines may only access services on 
# the machine you explicitly allow. They will be also affected from the 
# FW_AUTOPROTECT_SERVICES option. 
# If you set this to "no", any user can connect (and attack) any service on 
# the firewall. 
# 
# Choice: "yes" or "no", if not set defaults to "yes" 
# 
# "yes" is a good choice 
FW_PROTECT_FROM_INTERNAL="no" 
# Choice: "yes" or "no", if not set defaults to "yes"
# 
FW_AUTOPROTECT_SERVICES="no" 
 
FW_SERVICES_EXT_TCP="53 rsync ssh" 
 
# 500/udp is IKE; IP protocols 50 and 51 are ESP and AH for the tunnel.
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
 
FW_SERVICES_DMZ_TCP="" 
 
FW_SERVICES_DMZ_UDP="" 
 
 
FW_SERVICES_DMZ_IP="" 
 
# 
# Common: ssh smtp domain 
FW_SERVICES_INT_TCP="" 
 
FW_SERVICES_INT_UDP="" 
 
FW_SERVICES_INT_IP="" 
 
FW_SERVICES_QUICK_TCP="" 
 
FW_SERVICES_QUICK_UDP="" 
 
FW_SERVICES_QUICK_IP="" 
 
FW_TRUSTED_NETS="192.168.10.0/24 192.168.0.0/24" 
 
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" 
 
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" 
 
FW_SERVICE_AUTODETECT="yes" 
 
FW_SERVICE_DNS="no" 
 
FW_SERVICE_DHCLIENT="yes" 
 
FW_SERVICE_DHCPD="yes" 
 
FW_SERVICE_SQUID="no" 
 
FW_SERVICE_SAMBA="yes" 
 
FW_FORWARD="192.168.0.0/24,192.168.10.0/24 192.168.10.0/24,192.168.0.0/24" 
# 
FW_FORWARD_MASQ="" 
 
FW_REDIRECT="" 
 
FW_LOG_DROP_CRIT="yes" 
 
FW_LOG_DROP_ALL="no" 
 
FW_LOG_ACCEPT_CRIT="no" 
 
FW_LOG_ACCEPT_ALL="no" 
 
FW_LOG="--log-level warning --log-tcp-options --log-ip-options --log-prefix SuSE-FW"
 
FW_KERNEL_SECURITY="YES" 
 
FW_STOP_KEEP_ROUTING_STATE="no" 
 
 
FW_ALLOW_PING_FW="yes" 
 
# 
FW_ALLOW_PING_DMZ="no" 
 
# 
FW_ALLOW_PING_EXT="no" 
 
FW_ALLOW_FW_TRACEROUTE="yes" 
 
FW_ALLOW_FW_SOURCEQUENCH="yes" 
 
FW_ALLOW_FW_BROADCAST="no" 
 
# 
FW_IGNORE_FW_BROADCAST="yes" 
 
FW_ALLOW_CLASS_ROUTING="yes" 
 
FW_CUSTOMRULES="" 
 
FW_REJECT="no" 
  
 Thank you for any help you can be.  
   
--   
Absolute Internet Services (http://www.aiserve.net)   
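An added check for the situation in this post (not part of the original message, and not code from SuSEfirewall2 or FreeS/WAN): it parses kernel LOG lines of the layout quoted above, tests each logged packet against the FW_FORWARD pairs from the posted configuration, tells you which of the up-client hook rules would actually match that packet, and compares the up-client -I rules with the down-client -D rules, since a -D only removes a rule whose match options are identical. The log lines are constructed copies of the ones in the post; the FW_FORWARD syntax ("src_net,dst_net[,proto[,port]]" per space-separated item) is an assumption from the SuSEfirewall2 comments, and the first up rule carries a deliberately mistyped destination network so the symmetry check has something to report.

```python
"""Check SuSE-FW-ILLEGAL-ROUTING log lines against the forwarding policy.

Added example; not part of the original post, SuSEfirewall2 or FreeS/WAN.
Assumptions: FW_FORWARD is a space-separated list of "src_net,dst_net[,proto[,port]]"
items, and the netfilter LOG line layout is the one quoted in the post.
"""
import ipaddress
import re

# Constructed copies of the two kernel log lines quoted in the post.
LOG_LINES = [
    "May 19 07:19:39 redroute1 kernel: SuSE-FW-ILLEGAL-ROUTING IN=ipsec0 OUT=eth0 "
    "SRC=192.168.10.150 DST=192.168.0.47 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=147 "
    "DF PROTO=ICMP TYPE=8 CODE=0 ID=46600 SEQ=512",
    "May 19 07:19:40 redroute1 kernel: SuSE-FW-ILLEGAL-ROUTING IN=ipsec0 OUT=eth0 "
    "SRC=192.168.10.150 DST=192.168.0.47 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=148 "
    "DF PROTO=ICMP TYPE=8 CODE=0 ID=46600 SEQ=768",
]

# FW_FORWARD as set in the posted SuSEfirewall2 configuration.
FW_FORWARD = "192.168.0.0/24,192.168.10.0/24 192.168.10.0/24,192.168.0.0/24"

# Constructed up-client/down-client hook rules. The first up rule carries a
# deliberately mistyped destination (192.169.x) so the symmetry check has
# something to report; a -D only removes a rule whose match is identical.
UP_RULES = [
    "iptables -I FORWARD 1 -o ipsec0 -s 192.168.10.0/24 -d 192.169.0.0/24 -j ACCEPT",
    "iptables -I FORWARD 1 -i ipsec0 -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT",
]
DOWN_RULES = [
    "iptables -D FORWARD -o ipsec0 -s 192.168.10.0/24 -d 192.168.0.0/24 -j ACCEPT",
    "iptables -D FORWARD -i ipsec0 -s 192.168.0.0/24 -d 192.168.10.0/24 -j ACCEPT",
]

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
PREFIX_RE = re.compile(r"kernel: (\S+) ")
RULE_OPTS = ("-i", "-o", "-s", "-d", "-j")


def parse_log(line):
    """Split one netfilter LOG line into the fields this check needs."""
    fields = dict(FIELD_RE.findall(line))  # the second ID= (ICMP id) overrides the IP id
    prefix = PREFIX_RE.search(line)
    return {
        "prefix": prefix.group(1) if prefix else "",
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": ipaddress.ip_address(fields["SRC"]),
        "dst": ipaddress.ip_address(fields["DST"]),
        "proto": fields.get("PROTO", ""),
    }


def forward_pairs(fw_forward):
    """Turn FW_FORWARD into (src_network, dst_network) tuples; proto/port are ignored."""
    pairs = []
    for item in fw_forward.split():
        src, dst = item.split(",")[:2]
        pairs.append((ipaddress.ip_network(src), ipaddress.ip_network(dst)))
    return pairs


def covered_by_fw_forward(pkt, fw_forward=FW_FORWARD):
    """True if some FW_FORWARD pair contains the packet's source and destination."""
    return any(pkt["src"] in s and pkt["dst"] in d for s, d in forward_pairs(fw_forward))


def parse_rule(rule):
    """Extract -i/-o/-s/-d/-j from an iptables command line; chain and position are ignored."""
    toks = rule.split()
    return {t: toks[i + 1] for i, t in enumerate(toks) if t in RULE_OPTS and i + 1 < len(toks)}


def rule_matches(rule, pkt):
    """Apply the interface and network matches of one FORWARD rule to a logged packet."""
    o = parse_rule(rule)
    if "-i" in o and o["-i"] != pkt["in"]:
        return False
    if "-o" in o and o["-o"] != pkt["out"]:
        return False
    if "-s" in o and pkt["src"] not in ipaddress.ip_network(o["-s"]):
        return False
    if "-d" in o and pkt["dst"] not in ipaddress.ip_network(o["-d"]):
        return False
    return True


def matching_rules(pkt, rules=UP_RULES):
    """The hook rules whose match options fit the logged packet."""
    return [r for r in rules if rule_matches(r, pkt)]


def updown_mismatches(up=UP_RULES, down=DOWN_RULES):
    """Rules present on one side of the up/down pair but not the other (as match dicts)."""
    up_set = {tuple(sorted(parse_rule(r).items())) for r in up}
    down_set = {tuple(sorted(parse_rule(r).items())) for r in down}
    return [dict(m) for m in sorted(up_set ^ down_set)]


def report(lines=LOG_LINES):
    """For each logged packet: is it covered by FW_FORWARD, and which hook rules match it?"""
    out = []
    for line in lines:
        pkt = parse_log(line)
        out.append({
            "flow": f"{pkt['in']}->{pkt['out']} {pkt['src']}->{pkt['dst']} {pkt['proto']}",
            "fw_forward_covers": covered_by_fw_forward(pkt),
            "hook_rules_matching": matching_rules(pkt),
        })
    return out


if __name__ == "__main__":
    for entry in report():
        print(entry)
    for m in updown_mismatches():
        print("up/down asymmetry:", m)
```

Run it as-is to see the two results for the logged flow: the ipsec0 to eth0 ping from 192.168.10.150 to 192.168.0.47 is inside the second FW_FORWARD pair, but neither hook rule matches it (the first is an -o ipsec0 rule and the packet leaves on eth0; the second wants a 192.168.0.0/24 source). Whether that explains the ILLEGAL-ROUTING entries depends on what SuSEfirewall2 itself installed in FORWARD, which `iptables -L FORWARD -v -n --line-numbers` on the box will show; the script only tells you what the posted rules and pairs say about the packet.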
