
Re: [suse-security] How to make SuSEfirewall2 accept packets passing bridge-interface

I think the routing is set up, and with the option for keeping the routing up
when SuSEFirewall2 is unloaded I think I can access the server in the LAN.
I thought of using bridging because it's more transparent.

What variables would I have to fiddle around with in
/etc/sysconfig/SuSEFirewall2 when using another zone with "FW_ZONES"?

On Monday 21 November 2005 10:51, Ludwig Nussel wrote:
> David Huecking wrote:
> > Now I added a wireless-card for the router also acting as a wireless
> > access-point:
> > - ath0 is interface of wireless-card running in hostap-mode
> > Then I built a bridge-interface from eth0 and ath0 and gave it the former
> > IP of eth0.
> > - br0 bridge made of ath0 and eth0
> > Routing from the wired and wireless clients to the internet works like a
> > charm.
> > What does not work is bridging from physical interface eth0 to ath0 so
> > that I can reach my server attached to the LAN-switch from my wireless
> > notebook. I get logging-entries like that:
> > SFW2-FWDint-DROP-DEFLT IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=ath0
> > SRC= DST=
> >
> > Could anybody tell me what to write into /etc/sysconfig/SUSEFirewall2 or
> > in /etc/sysconfig/scripts/SuSEfirewall2-custom to accept packets crossing
> > my bridge.
> I don't have such a setup myself so I can't help you here. I
> wouldn't use bridging with the LAN though. With newer SuSEfirewall2
> you can define a new zone for the WLAN and then use normal routing
> for WLAN-Inet and WLAN-LAN. You can also abuse the DMZ rules for
> that purpose if you don't have a real DMZ.

Eat, sleep and go running,
David Hücking.

Encrypted eMail welcome! 
GnuPG/ PGP-Key: 0x57809216. Fingerprint: 
3DF2 CBE0 DFAA 4164 02C2  4E2A E005 8DF7 5780 9216
