
Re: [suse-security] another 3-interface firewall problem (twoexternal, no DMZ)



Hi Again,

> 1) Is the routing ok ?
How can I check the routing ?
The SuSEfirewall-Script generates more rules than G.W. bushisms.

Print routing table:

route -n

General routing should look like this:

fb7-fg6:~ # route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
internal-ip     0.0.0.0         255.255.255.0   U     0      0        0 eth1
external-ip     0.0.0.0         255.255.255.0   U     0      0        0 eth0
dsl-ip          0.0.0.0         255.255.255.0   U     0      0        0 ppp0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         default-gw-ip   0.0.0.0         UG    0      0        0 ppp0

The default gw is the IP you get from DSL; that should be set correctly within the DSL
"dialup script" and reset within the DSL "dialout script"!

If not, add a rule within yast/network/dsl.

Sometimes that routing stuff acts very strangely -> maybe a reboot helps
sometimes to reset everything after a change.

> 2) Are there any firewall log entries ?
Nothing critical for the 'dead' interface. But I have to retry with logging
everything.

With this you get the firewall output in one file to analyse it:

grep DROP /var/log/messages > Outputfile

> 3) Are you sure you don't masq your webserver's reply packets with the wrong
> IP ? (I understand that you now have 2 external IPs)
I am completely unsure about everything!
I guess, everything should be clear by understanding the IP rules.
Is there a debugging tool for this ? -> /sbin/SuSEfirewall status
# gives debug output of iptables sets in SuSEfirewall

Try:

cat /proc/sys/net/ipv4/ip_forward

If you see a "1" you have forwarding enabled.

Testing if network is running:

unload firewall
enable forwarding
ping IP of eth0, eth1, ppp0
traceroute www.freenet.de # here we go to external and see where the route goes (e.g. here with freenet.de)!

If you get errors here there is no problem with the firewall.

The firewall should look like this:

FW_DEV_EXT="eth0 ppp0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"

Configure the services and ports as you desire!

# bad security, but for testing ...
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_KERNEL_SECURITY="yes"
# for testing set to "yes" \/\/\/\/
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="yes"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_SOURCEQUENCH="no"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="yes"
FW_REJECT="no"
# for german t-dsl:
FW_HTB_TUNE_DEV="ppp0,250"
# not optimized:
FW_HTB_TUNE_DEV=""

Philippe
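The two checks the post walks through (what the "dead" interface is actually dropping, and whether the DSL script left a default route) as an added example; this is not code from the post or from SuSEfirewall. The helper names drop_summary and default_route_dev are mine, the log and routing-table samples are constructed, and the parser assumes the kernel's netfilter LOG line format (IN=/OUT=/DPT= fields) as written by SuSEfirewall2.

```shell
#!/bin/sh
# Added example, not from the original post. Summarises SuSEfirewall2 DROP log
# lines per input interface and destination port (to see what the "dead"
# interface is actually dropping) and extracts the default-route interface
# from `route -n` output. Assumes the netfilter LOG format with IN=/DPT= fields.

drop_summary() {
    # stdin: /var/log/messages lines; stdout: "<count> <in-iface> <dport>"
    awk '/DROP/ {
        inif = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)  inif = substr($i, 4)
            if ($i ~ /^DPT=/) dpt  = substr($i, 5)
        }
        hits[inif " " dpt]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

default_route_dev() {
    # stdin: `route -n` output; prints the Iface of the 0.0.0.0/G route,
    # returns 1 when no default route is set (the DSL script did not add one)
    dev=$(awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $8; exit }')
    [ -n "$dev" ] || return 1
    printf '%s\n' "$dev"
}

# Constructed sample data (documentation addresses, not real traffic).
SAMPLE_LOG='Mar  3 10:01:02 fw kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=3456 DPT=80 SYN
Mar  3 10:01:03 fw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4000 DPT=80 SYN
Mar  3 10:01:04 fw kernel: SFW2-FWDext-DROP-DEFLT IN=eth1 OUT=eth0 SRC=192.168.0.5 DST=203.0.113.9 PROTO=UDP SPT=1025 DPT=53
Mar  3 10:01:05 fw kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=4001 DPT=80 SYN
Mar  3 10:01:06 fw sshd[123]: Accepted publickey for root from 192.168.0.5'
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.0.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         198.51.100.1    0.0.0.0         UG    0      0        0 ppp0'

# On the real box: grep DROP /var/log/messages | drop_summary ; route -n | default_route_dev
printf '%s\n' "$SAMPLE_LOG" | drop_summary
printf '%s\n' "$SAMPLE_ROUTE" | default_route_dev || echo "no default route"
```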

