
Re: [suse-security] Stateful packet inspection in SuSEfirewall2



pronco@xxxxxxxxxxxx wrote:
> Is it there any way to configure stateful packet inspection rules in
> SuSEfirewall2 for masquerade networks? When I configure a rule in
> FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I
> also have to configure a rule for responses.
> 
> Example: Incoming traffic to my web server in a DMZ with private addresses
> 
> FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"
> 
> I also need to set up the following rules in order to let responses out
> 
> FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"
> 
> This rule permits not only established sessions, but additionally it
> allows my web server to establish connections to the outside world.
> 
> Don't know why the FW_FORWARD rules are stateful as I want, but
> FW_MASQ_NETS ones don't.

You found a bug.

> Any suggestion?

You may take SuSEfirewall2 from FACTORY as soon as I have submitted
a package with the fix. It should work on 10.0 as well (feel free to
file a bug if not). In the meantime you could use one of the hook
functions to just insert the required rules.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
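The rule set this thread is about, written out as plain iptables commands so the difference between the two SuSEfirewall2 variables is visible. This is an added example, not code from the message or from the SuSEfirewall2 project; the host and port values are the poster's, the interface name eth0 and the hook-function usage are assumptions. The point it shows: the DNAT forward only needs a reply rule matching ESTABLISHED,RELATED, whereas the FW_MASQ_NETS workaround matches on addresses and ports alone and therefore also accepts NEW connections from the web server to the outside.

```shell
#!/bin/sh
# Added example (not from the list message or from SuSEfirewall2): the
# iptables rules behind a stateful equivalent of the poster's
# FW_FORWARD_MASQ / FW_MASQ_NETS pair. DMZ_HOST and DMZ_PORT come from
# the mail; WAN_IF is an assumed interface name.
WAN_IF="${WAN_IF:-eth0}"
DMZ_HOST="192.168.1.5"
DMZ_PORT="80"

# IPT defaults to "echo iptables" so the script can be run without root
# and without netfilter; inside a SuSEfirewall2 hook (assumed:
# fw_custom_before_denyall in /etc/sysconfig/scripts/SuSEfirewall2-custom)
# set IPT=iptables to apply the rules for real.
IPT="${IPT:-echo iptables}"

stateful_forward_rules() {
    # 1. Rewrite port 80 arriving on the WAN interface to the DMZ web server
    #    (what FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80" arranges).
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$DMZ_PORT" \
        -j DNAT --to-destination "$DMZ_HOST:$DMZ_PORT"
    # 2. Accept the NEW inbound connection in FORWARD.
    $IPT -A FORWARD -i "$WAN_IF" -p tcp -d "$DMZ_HOST" --dport "$DMZ_PORT" \
        -m state --state NEW -j ACCEPT
    # 3. Accept only the replies: ESTABLISHED,RELATED, never NEW. This is
    #    what FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535" stands in for,
    #    without letting the web server open connections outward.
    $IPT -A FORWARD -s "$DMZ_HOST" -o "$WAN_IF" -p tcp \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# The poster's workaround, for comparison: an address/port match with no
# state qualifier, so it also accepts NEW packets from the DMZ host.
broad_masq_nets_rule() {
    $IPT -A FORWARD -s "$DMZ_HOST/32" -d 0/0 -o "$WAN_IF" -p tcp \
        --dport 1024:65535 -j ACCEPT
}

# Review helper: run a rule generator and count the FORWARD rules that
# leave the DMZ host without being restricted to ESTABLISHED,RELATED.
# A stateful rule set should report 0.
unqualified_outbound_count() {
    "$@" | awk -v h="$DMZ_HOST" \
        '$0 ~ ("-s " h) && $0 !~ /--state ESTABLISHED,RELATED/ { n++ }
         END { print n + 0 }'
}

# Dry run: print the generated rules and the review count for each variant.
stateful_forward_rules
echo "unqualified outbound rules (stateful): $(unqualified_outbound_count stateful_forward_rules)"
broad_masq_nets_rule
echo "unqualified outbound rules (FW_MASQ_NETS style): $(unqualified_outbound_count broad_masq_nets_rule)"
```

Run as-is it only prints the commands; the helper reports 0 for the stateful set and 1 for the FW_MASQ_NETS-style rule, which is the exact gap the poster describes.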
