
Re: [suse-security] Can't access internet with SuSE FW2



Note, I haven't been doing these things with modems/ISDNs for
quite a while so I might be totally lost here...

> which by some miracle with the option "test" works.. Now I have some more
> lines in /var/log/messages but I can't get any helpful info from it.
> Is there another place where I need to look, or is the attached info more
> readable for the experts?

What does "ifconfig -a" say when your connection (modem/ISDN) has
been opened? Check the information from the ifconfig output against
the devices configured for the firewall script. Is the gateway
setting right? Has it been configured to run the firewall scripts
after opening the line, or are they set up before that? Is the
IP address information from the ifconfig output correct compared
to the logs or settings in the firewall (see the real firewall rules
with iptables -L)?

Is the setting FW_DEV_EXT="ppp0" the device you have up
when connected - use ifconfig to check? I haven't done these
with modems/ISDNs for ages, but it sounds a bit suspicious to
have "ppp0" in the device setting and yet "ippp1" in the log...

Have you tried with (lower level) protocols such as ICMP to get
through the connection? The command "ping IP-address" is a good
choice for ICMP testing. Meaning, try to find out if any
IP traffic gets through. The options affecting this are:
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"

That would mean that pinging the firewall is OK, but its external
device is not allowed to be pinged. Traceroute (at least some
versions) uses ICMP too, so this probably lets you traceroute to the
outside network - but not to the point of your (just) external(?)

Are you connecting through the firewall or from the firewall?
I.e. is there a network attached to the ethernet card, and are you
using a host from there to try to get out through the firewall?
(Other rules may affect how you get out from the firewall, and
I think you shouldn't use it for accessing the Internet.) From the
internal hosts, check that their network settings, firewalls etc.
are correct.

The logs you have provided seem to indicate that:
> Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=193.158.141.116 DST=62.227.40.199 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=21402 PROTO=UDP SPT=53 DPT=1025 LEN=53

SPT=53: the protocol/service is probably DNS (name service). If you cannot
use DNS but other things work, you should get through the firewall by using
IP addresses (directly).

> Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=193.158.141.116 DST=62.227.40.199 LEN=113 TOS=0x00 PREC=0x00 TTL=57 ID=20899 PROTO=UDP SPT=53 DPT=1025 LEN=93

Again SPT=53, the service is likely DNS, and I would say that this means that
a DNS server is trying to reply to you. The option
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
probably affects just this? That should mean that replies to DNS
queries are allowed as UDP packets to high ports - such as the DPT=1025
above. I think you had this.

> Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=192.53.103.103 DST=62.227.40.199 LEN=76 TOS=0x00 PREC=0x00 TTL=55 ID=192 PROTO=UDP SPT=123 DPT=123 LEN=56
> Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=192.53.103.103 DST=62.227.40.199 LEN=76 TOS=0x00 PREC=0x00 TTL=55 ID=207 PROTO=UDP SPT=123 DPT=123 LEN=56

And port 123 is probably NTP (network time protocol). Here the firewall denies
the connection used to obtain the time.

> Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MA
> C= SRC=192.53.103.103 DST=62.227.40.199 LEN=76 TOS=0x00 PREC=0x00 TTL=5

The ifconfig information might help here. I think it is quite OK to replace
the real addresses so that you do not reveal too much about the target IPs
to this (open) list.

timo


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
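The reply above reads the SuSE-FW-ILLEGAL-TARGET lines by hand: SPT=53 to a high port looks like a DNS reply, SPT=123/DPT=123 looks like NTP, and the IN=ippp1 device does not match FW_DEV_EXT="ppp0". The script below is an added example, not code from the thread or from SuSEfirewall2, that does the same triage over those log lines. The log lines are the ones quoted in the thread (unwrapped); the FW_DEV_EXT value is assumed from the discussion.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# The four SuSE-FW-ILLEGAL-TARGET lines quoted in the thread, unwrapped
# (the mail client had broken them mid-field).
SAMPLE_LOG = """\
Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=193.158.141.116 DST=62.227.40.199 LEN=73 TOS=0x00 PREC=0x00 TTL=57 ID=21402 PROTO=UDP SPT=53 DPT=1025 LEN=53
Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=193.158.141.116 DST=62.227.40.199 LEN=113 TOS=0x00 PREC=0x00 TTL=57 ID=20899 PROTO=UDP SPT=53 DPT=1025 LEN=93
Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=192.53.103.103 DST=62.227.40.199 LEN=76 TOS=0x00 PREC=0x00 TTL=55 ID=192 PROTO=UDP SPT=123 DPT=123 LEN=56
Jan 11 18:44:56 tamboti kernel: SuSE-FW-ILLEGAL-TARGET IN=ippp1 OUT= MAC= SRC=192.53.103.103 DST=62.227.40.199 LEN=76 TOS=0x00 PREC=0x00 TTL=55 ID=207 PROTO=UDP SPT=123 DPT=123 LEN=56
"""

# Assumed firewall setting, taken from the value discussed in the thread.
FW_DEV_EXT = "ppp0"

LINE_RE = re.compile(r"kernel: (?P<tag>SuSE-FW-[A-Z-]+) (?P<rest>.*)$")


@dataclass
class FwEvent:
    tag: str        # e.g. SuSE-FW-ILLEGAL-TARGET
    iface_in: str   # IN= device the packet arrived on
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]


def parse_line(line: str) -> Optional[FwEvent]:
    """Parse one SuSEfirewall2 kernel log line into its key=value fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields: Dict[str, str] = {}
    for token in m.group("rest").split():
        key, _, value = token.partition("=")
        # LEN= appears twice (IP total length, then UDP length); keep the first.
        fields.setdefault(key, value)

    def port(name: str) -> Optional[int]:
        return int(fields[name]) if fields.get(name, "").isdigit() else None

    return FwEvent(
        tag=m.group("tag"),
        iface_in=fields.get("IN", ""),
        src=fields.get("SRC", ""),
        dst=fields.get("DST", ""),
        proto=fields.get("PROTO", ""),
        spt=port("SPT"),
        dpt=port("DPT"),
    )


def classify(ev: FwEvent) -> str:
    """Guess which service a blocked packet belongs to, as the mail does by hand.

    The guess rests on the source port only; any host can send from port 53
    or 123, so this is a triage hint, not proof that the packet is a reply
    to a query the firewall host actually sent.
    """
    if ev.proto == "UDP" and ev.spt == 53 and ev.dpt is not None and ev.dpt >= 1024:
        return "dns-reply"   # what FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" is meant to let in
    if ev.proto == "UDP" and ev.spt == 123 and ev.dpt == 123:
        return "ntp"
    return "other"


def interface_mismatch(ev: FwEvent, fw_dev_ext: str) -> bool:
    """True if the packet arrived on a device other than the configured FW_DEV_EXT."""
    return ev.iface_in != fw_dev_ext


def summarize(log_text: str, fw_dev_ext: str = FW_DEV_EXT) -> dict:
    """Count blocked packets per guessed service and collect unexpected IN= devices."""
    counts: Dict[str, int] = {}
    unexpected: Set[str] = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev)
        counts[kind] = counts.get(kind, 0) + 1
        if interface_mismatch(ev, fw_dev_ext):
            unexpected.add(ev.iface_in)
    return {"counts": counts, "unexpected_ifaces": unexpected}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for kind, n in report["counts"].items():
        print(f"{kind}: {n} blocked packet(s)")
    if report["unexpected_ifaces"]:
        print(f"blocked traffic arrived on {sorted(report['unexpected_ifaces'])}, "
              f"but FW_DEV_EXT is {FW_DEV_EXT!r}")
```

Run against /var/log/messages the same way (feed the file contents to summarize) to see whether the drops are all DNS and NTP replies on a device the firewall script never treated as external, which is the situation the reply suspects.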