
Re: [suse-security] SuSEfirewall2 not routing when both nics on same subnet



Hi Dave,

I'm not sure about your network setup: at which interface is the 
webserver connected? Also, shouldn't you have different subnets on 
the different interfaces?

> Internet
>    |
>    |
>   eth0 (1.1.1.1)
>    |
>    FireWall---eth1 (1.1.1.2)
>         |
>         |
>         Webserver (1.1.1.3)
>
--> I guess this should be something like:
FW: eth0:	1.1.1.1/255.255.255.0
FW: eth1:	1.1.2.1/255.255.255.0
Webserver:	1.1.2.2/255.255.255.0

Then you have an external interface with IP 1.1.1.1 and an internal 
interface with IP 1.1.2.1 which is a separate subnet.
 
> FW_DEV_EXT="eth0"
> FW_DEV_DMZ="eth1"
> FW_ROUTE="yes"
> FW_MASQUERADE="no"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="ssh"
> FW_SERVICES_EXT_UDP="ssh"
>
--> SSH is only using TCP, so you can leave this empty

> FW_SERVICES_DMZ_TCP="ssh"
>
--> Here you would need "ssh, http"

> FW_SERVICES_DMZ_UDP="ssh"
>
--> SSH is only using TCP, so you can leave this empty

> FW_SERVICES_DMZ_IP=""
> FW_TRUSTED_NETS=""
> FW_FORWARD="0/0,1.1.1.3,tcp,80"
>
--> This should then read "0/0,1.1.2.2,tcp,80"

> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
>
--> Try to increase the logging level by setting the _ALL variables to 
"yes" for testing.


Please provide more information about your setup so we can better 
understand and help you.


Cheers,
Armin

-- 
Am Hasenberg 26         office: Institut für Atmosphärenphysik
D-18209 Bad Doberan             Schloss-Straße 6
Tel. ++49-(0)38203/42137        D-18225 Kühlungsborn / GERMANY
Email: schoech@xxxxxxxxxxxx     Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/     Fax. +49-(0)38293-68-50
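A small lint script, added here as an illustration and not part of Armin's reply or of SuSEfirewall2 itself, that encodes the points made above: the two interfaces sharing one subnet, TCP-only services listed in the *_UDP variables, an FW_FORWARD target outside the DMZ subnet, and port 80 forwarded without http in FW_SERVICES_DMZ_TCP. The configuration text and interface addresses are constructed from the quoted thread and are not real hosts.

```python
import ipaddress
import re

# Constructed sample: the configuration quoted in the thread (not a real host).
ORIG_CONFIG = """
FW_DEV_EXT="eth0"
FW_DEV_DMZ="eth1"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="ssh"
FW_SERVICES_DMZ_TCP="ssh"
FW_SERVICES_DMZ_UDP="ssh"
FW_FORWARD="0/0,1.1.1.3,tcp,80"
"""
# Interface addresses from the original diagram: both sit on 1.1.1.0/24.
ORIG_IFACES = {"eth0": "1.1.1.1/24", "eth1": "1.1.1.2/24"}
# The layout the reply proposes: DMZ on its own subnet, forward re-pointed.
FIXED_CONFIG = ORIG_CONFIG.replace('EXT_UDP="ssh"', 'EXT_UDP=""') \
    .replace('DMZ_UDP="ssh"', 'DMZ_UDP=""') \
    .replace('DMZ_TCP="ssh"', 'DMZ_TCP="ssh http"') \
    .replace("1.1.1.3", "1.1.2.2")
FIXED_IFACES = {"eth0": "1.1.1.1/24", "eth1": "1.1.2.1/24"}
TCP_ONLY = {"ssh", "http", "https", "smtp"}  # never meaningful in a *_UDP list

def parse_config(text):
    """Collect FW_* shell-style assignments into a dict, quotes stripped."""
    return dict(re.findall(r'^\s*(FW_[A-Z_]+)="([^"]*)"', text, re.M))

def services(cfg, key):
    """Split a service list (space or comma separated) into service names."""
    return [s for s in re.split(r"[\s,]+", cfg.get(key, "")) if s]

def lint(cfg, ifaces):
    """Return the problems the reply points out, as human-readable strings."""
    findings = []
    ext = ipaddress.ip_interface(ifaces[cfg["FW_DEV_EXT"]]).network
    dmz = ipaddress.ip_interface(ifaces[cfg["FW_DEV_DMZ"]]).network
    if ext.overlaps(dmz):
        findings.append("ext and dmz share %s; there is nothing to route" % ext)
    for key in ("FW_SERVICES_EXT_UDP", "FW_SERVICES_DMZ_UDP"):
        for svc in services(cfg, key):
            if svc in TCP_ONLY:
                findings.append("%s lists TCP-only service %r" % (key, svc))
    for rule in cfg.get("FW_FORWARD", "").split():
        _src, dst, proto, port = rule.split(",")[:4]  # source,dest,proto,port
        if ipaddress.ip_address(dst) not in dmz:
            findings.append("FW_FORWARD target %s is outside DMZ %s" % (dst, dmz))
        if (proto, port) == ("tcp", "80") and "http" not in services(cfg, "FW_SERVICES_DMZ_TCP"):
            findings.append("port 80 forwarded but http not in FW_SERVICES_DMZ_TCP")
    return findings
```

Running `lint(parse_config(ORIG_CONFIG), ORIG_IFACES)` reports four findings for the quoted setup, and the corrected layout reports none.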
