
[suse-security] Impenetrable firewall - SuSE 9.2



Greetings,
     I have a small home network of machines connected through the internal
ethernet port of my SuSE linux server (192.168.42.xxx). The external
ethernet port is connected to a LinkSys dsl modem (192.168.1.2 on the
server to 192.168.1.1 - the modem). I have a fixed IP and the domain name
asgard.org.nz to go with it - in the /etc/hosts file against the server
machine name srv too. I set up the firewall so that the local net could
access the internet - but not vice versa. All has worked very well for
months. By the way the HOSTNAME file appears to contain srv.asgard.org.nz
correctly!

     Needing to publish a small web site now, I have set up apache 2.0.55
suitably configured - which works well on the local network. However,
despite the fact that the host (called server.asgard.org.nz on the modem
port) has the same name as the Apache ServerName and I appear to have the
correct firewall settings as far as my reading of the config file and the
examples tells me -

-------
# 1
FW_QUICKMODE="no"
#2
FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
#3
FW_DEV_INT="eth-id-00:50:8b:62:08:e6"
#4
FW_DEV_DMZ=""
#5
FW_ROUTE="yes"
#6
FW_MASQUERADE="yes"
#6a
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
#7
FW_PROTECT_FROM_INTERNAL="no"
#8
FW_AUTOPROTECT_SERVICES="yes"
#9
FW_SERVICES_EXT_TCP="5801 5901 domain http https"
FW_SERVICES_EXT_UDP="domain  isakmp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP="http https 80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="ftp http https 80"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP="esp"
FW_SERVICES_INT_RPC="mountd nfs nfs_acl ftp nlockmgr status"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
#9a
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
#10
FW_TRUSTED_NETS=""
#11
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
#13
FW_FORWARD=""
#14
FW_FORWARD_MASQ=""
#15
FW_REDIRECT=""
#16
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
#17
FW_KERNEL_SECURITY="yes"
#17a
FW_ANTISPOOF="no"
#18
FW_STOP_KEEP_ROUTING_STATE="no"
#19
FW_ALLOW_PING_FW="yes"
#19a
FW_ALLOW_PING_DMZ="no"
#19b
FW_ALLOW_PING_EXT="yes"

##
# END of /etc/sysconfig/SuSEfirewall2
##

# EXPERT OPTIONS - all others please don't change these!

#20
FW_ALLOW_FW_TRACEROUTE="yes"
#21
FW_ALLOW_FW_SOURCEQUENCH="yes"
#22
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
#23
FW_ALLOW_CLASS_ROUTING="no"
#25
FW_CUSTOMRULES=""
#26
FW_REJECT="no"
#27
FW_HTB_TUNE_DEV=""
#28
FW_IPv6=""
#28a
FW_IPv6_REJECT_OUTGOING="yes"
#29
FW_IPSEC_TRUST="int"
--------------------------------

     I cannot seem to get any local browser to access the web server with
the external (srv.asgard.org.nz) IP address. I have tried external port
scanners and they seem to see no open ports at all.

    Having spent two days getting nowhere - but learning a lot, I feel I
need to humbly ask for help. It's probably something obvious to you experts
- sorry, I don't see what might be wrong.

     Help, please!

                         Keith Hopper

-- 
Sky Development
