Re: [suse-security] Impenetrable firewall - SuSE 9.2
Hi Keith. I use 9.2 pro as well.
I had a similar problem with my Speedtouch 4 port ADSL
router. I don't use SuSE Firewall, so I cannot really
comment on your FW settings you have shown, but have written
my own bash script to program IPTables packet filtering
directly. I had to open port 80 in the script to the outside.
On the Speedtouch router, I had to set up NAT, to forward
requests for port 80 directly to my ethernet card IP
address of 10.0.0.1:80. So any http requests for my website
actually get forwarded by the router to the eth0 interface
(local IP address 10.0.0.1) that Apache listens on for
connection attempts from the outside world.
To test that you have opened port 80 so it can be accessed
from the outside, you could go to http://www.grc.com, and
use the ShieldsUp security scanner. Click on the common
ports box, and this will then test your server and report
whether, amongst others, port 80 is open or not.
Once you are sure that port 80 is opened, you could have a
look at your router settings to set up NAT - Network Address
and Port Translation - usually available via a web browser
GUI, and an address like http://10.0.0.xxx.
In theory, theory and practice are the same;
in practice they are not.
On Thu, 13 Jul 2006, Keith Hopper wrote:
> To: suse-security@xxxxxxxx
> From: Keith Hopper <kh@xxxxxxxxxxxxx>
> Subject: [suse-security] Impenetrable firewall - SuSE 9.2
> I have a small home network of machines connected
> through the internal ethernet port of my SuSE linux server
> (192.168.42.xxx). The external ethernet port is connected
> to a LinkSys dsl modem (192.168.1.2 on the server to
> 192.168.1.1 - the modem). I have a fixed IP and the domain
> name asgard.org.nz to go with it - in the /etc/hosts file
> against the server machine name srv too. I set up the
> firewall so that the local net could access the internet -
> but not vice versa. All has worked very well for months.
> By the way the HOSTNAME file appears to contain
> srv.asgard.org.nz correctly!
> Needing to publish a small web site now, I have set
> up apache 2.0.55 suitably configured - which works well on
> the local network. However, despite the fact that the host
> (called server.asgard.org.nz on the modem port) has the
> same name as the Apache ServerName and I appear to have
> the correct firewall settings as far as my reading of the
> config file and the examples tells me -
> # 1
> FW_SERVICES_EXT_TCP="5801 5901 domain http https"
> FW_SERVICES_EXT_UDP="domain isakmp"
> FW_SERVICES_DMZ_TCP="http https 80"
> FW_SERVICES_INT_TCP="ftp http https 80"
> FW_SERVICES_INT_RPC="mountd nfs nfs_acl ftp nlockmgr status"
> # END of /etc/sysconfig/SuSEfirewall2
> # EXPERT OPTIONS - all others please don't change these!
> I cannot seem to get any local browser to access the web server with
> the external (srv.asgard.org.nz) IP address. I have tried external port
> scanners and they seem to see no open ports at all.
You cannot access your own IP address directly over the
internet from that same IP address - IP protocol doesn't
work like that.
If you want to access your own web server over the internet,
you will have to use a proxy browser, so it appears that the
request is coming from an external source, which it would
be. You access the proxy server, and the proxy server then
accesses your own server on your machine on your behalf,
then returns the website back to you on your machine. You
might like to try http://proxybrowsing.com/ to see if this
I use the above proxy for testing access to my own site.
(I have set up name based virtual hosting with Apache 2.2.0,
but I cannot get it to work, as all the proxy browsers I
have found only support HTTP/1.0 protocol, and name based
virtual hosting requires HTTP/1.1 for this to work.)
First you need to make sure that Apache is up and running,
and you can access it locally, from something like:
http://localhost/ or http://127.0.0.1
Once that is working OK, you need to set up your firewall so
that port 80 is open to the outside world.
Next check and make sure that NAPT is set up in your router
correctly. Any connections to your static IP address need
to be forwarded by your router to the interface that Apache
is listening on.
> Having spent two days getting nowhere - but learning a lot, I feel I
> need to humbly ask for help. It's probably something obvious to you experts
> - sorry, I don't see what might be wrong.
> Help, please!
> Keith Hopper
> Sky Development
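The layered check described in the reply (loopback first, then the LAN address Apache binds to, then the public name) can be scripted so each step reports "no TCP connection at all" separately from "connected, but the server answered an error", and so the request is a real HTTP/1.1 GET carrying a Host header, which is exactly what an HTTP/1.0-only proxy cannot send to a name-based virtual host. This is an added example, not code from the thread; the virtual-host name and the small stand-in server are constructed placeholders so it runs offline, and `check_layers` is a name chosen here.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def http_get(host, port, vhost=None, path="/", timeout=5):
    """HTTP/1.1 GET with an explicit Host header (the header an HTTP/1.0-only proxy never sends).
    Returns (status, body); status is None if the TCP connect fails, separating
    'port closed or filtered' from 'server reached but answered with an error'."""
    req = f"GET {path} HTTP/1.1\r\nHost: {vhost or host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            raw = b""
            while chunk := s.recv(4096):
                raw += chunk
    except OSError:
        return None, ""
    head, _, body = raw.partition(b"\r\n\r\n")
    fields = head.split(b"\r\n", 1)[0].split()
    status = int(fields[1]) if len(fields) > 1 and fields[1].isdigit() else None
    return status, body.decode(errors="replace")

def check_layers(port, lan_ip=None, public_host=None, vhost=None):
    """Walk the reply's checklist in order (loopback, the LAN address Apache binds to, the
    public name) and stop at the first layer that does not even connect."""
    report = {}
    for label, host in (("loopback", "127.0.0.1"), ("lan", lan_ip), ("public", public_host)):
        if host:
            report[label] = http_get(host, port, vhost=vhost)[0]
            if report[label] is None:
                break
    return report

# Constructed stand-in for Apache with one name-based virtual host, so the example runs offline.
EXPECTED_VHOST = "www.example.test"  # placeholder name, not one from the thread
class _VHostHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = self.headers.get("Host", "").split(":")[0] == EXPECTED_VHOST
        self.send_response(200 if ok else 404)
        self.end_headers()
        self.wfile.write(b"vhost ok" if ok else b"no such vhost")
    def log_message(self, *args):  # silence per-request logging
        pass

def start_test_server():
    """Serve the stand-in on an ephemeral loopback port in a daemon thread; returns the server."""
    srv = HTTPServer(("127.0.0.1", 0), _VHostHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv
```

Against a real setup, call `check_layers(80, lan_ip="10.0.0.1", public_host="your.public.name", vhost="your.vhost")` from the LAN for the first two layers; the public layer is only meaningful when run from outside, as the reply explains.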