
Re: [suse-security] Impenetrable firewall - SuSE 9.2
Hi Keith. I use 9.2 pro as well.

I had a similar problem with my Speedtouch 4 port ADSL 
router. I don't use SuSE Firewall, so I cannot really 
comment on your FW settings you have shown, but have written 
my own bash script to program IPTables packet filtering 
directly. I had to open port 80 in the script to the outside 
world.

On the Speedtouch router, I had to set up NAT, to forward 
requests for port 80 directly to my ethernet card IP 
address of 10.0.0.1:80. So any http requests for my website 
actually get forwarded by the router to the eth0 interface 
(local IP address 10.0.0.1) that Apache listens on for 
connection attempts from the outside world. 

To test that you have opened port 80 so it can be accessed 
from the outside, you could go to http://www.grc.com, and 
use the ShieldsUp security scanner. Click on the common 
ports box, and this will then test your server and report 
whether, amongst others, port 80 is open or not.

Once you are sure that port 80 is opened, you could have a 
look at your router settings to set up NAT - Network Address 
and Port Translation - usually available via a web browser 
GUI, and an address like http://10.0.0.xxx.

HTH

Keith Roberts

In theory, theory and practice are the same;
in practice they are not.

more below...

On Thu, 13 Jul 2006, Keith Hopper wrote:

> To: suse-security@xxxxxxxx
> From: Keith Hopper <kh@xxxxxxxxxxxxx>
> Subject: [suse-security] Impenetrable firewall - SuSE 9.2
> 
> Greetings,
>      I have a small home network of machines connected 
> through the internal ethernet port of my SuSE linux server 
> (192.168.42.xxx). The external ethernet port is connected 
> to a LinkSys dsl modem (192.168.1.2 on the server to 
> 192.168.1.1 - the modem). I have a fixed IP and the domain 
> name asgard.org.nz to go with it - in the /etc/hosts file 
> against the server machine name srv too. I set up the 
> firewall so that the local net could access the internet - 
> but not vice versa. All has worked very well for months. 
> By the way the HOSTNAME file appears to contain 
> srv.asgard.org.nz correctly!
> 
>      Needing to publish a small web site now, I have set 
> up apache 2.0.55 suitably configured - which works well on 
> the local network. However, despite the fact that the host 
> (called server.asgard.org.nz on the modem port) has the 
> same name as the Apache ServerName and I appear to have 
> the correct firewall settings as far as my reading of the 
> config file and the examples tells me -
> 
> -------
> # 1
> FW_QUICKMODE="no"
> #2
> FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
> #3
> FW_DEV_INT="eth-id-00:50:8b:62:08:e6"
> #4
> FW_DEV_DMZ=""
> #5
> FW_ROUTE="yes"
> #6
> FW_MASQUERADE="yes"
> #6a
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS="0/0"
> #7
> FW_PROTECT_FROM_INTERNAL="no"
> #8
> FW_AUTOPROTECT_SERVICES="yes"
> #9
> FW_SERVICES_EXT_TCP="5801 5901 domain http https"
> FW_SERVICES_EXT_UDP="domain  isakmp"
> FW_SERVICES_EXT_IP=""
> FW_SERVICES_EXT_RPC=""
> FW_SERVICES_DMZ_TCP="http https 80"
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_DMZ_RPC=""
> FW_SERVICES_INT_TCP="ftp http https 80"
> FW_SERVICES_INT_UDP=""
> FW_SERVICES_INT_IP="esp"
> FW_SERVICES_INT_RPC="mountd nfs nfs_acl ftp nlockmgr status"
> FW_SERVICES_DROP_EXT=""
> FW_SERVICES_REJECT_EXT="0/0,tcp,113"
> #9a
> FW_SERVICES_QUICK_TCP=""
> FW_SERVICES_QUICK_UDP=""
> FW_SERVICES_QUICK_IP=""
> #10
> FW_TRUSTED_NETS=""
> #11
> FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
> FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
> #13
> FW_FORWARD=""
> #14
> FW_FORWARD_MASQ=""
> #15
> FW_REDIRECT=""
> #16
> FW_LOG_DROP_CRIT="yes"
> FW_LOG_DROP_ALL="no"
> FW_LOG_ACCEPT_CRIT="yes"
> FW_LOG_ACCEPT_ALL="no"
> FW_LOG_LIMIT=""
> FW_LOG=""
> #17
> FW_KERNEL_SECURITY="yes"
> #17a
> FW_ANTISPOOF="no"
> #18
> FW_STOP_KEEP_ROUTING_STATE="no"
> #19
> FW_ALLOW_PING_FW="yes"
> #19a
> FW_ALLOW_PING_DMZ="no"
> #19b
> FW_ALLOW_PING_EXT="yes"
> 
> ##
> # END of /etc/sysconfig/SuSEfirewall2
> ##
> 
> # EXPERT OPTIONS - all others please don't change these!
> 
> #20
> FW_ALLOW_FW_TRACEROUTE="yes"
> #21
> FW_ALLOW_FW_SOURCEQUENCH="yes"
> #22
> FW_ALLOW_FW_BROADCAST="int"
> FW_IGNORE_FW_BROADCAST="no"
> #23
> FW_ALLOW_CLASS_ROUTING="no"
> #25
> FW_CUSTOMRULES=""
> #26
> FW_REJECT="no"
> #27
> FW_HTB_TUNE_DEV=""
> #28
> FW_IPv6=""
> #28a
> FW_IPv6_REJECT_OUTGOING="yes"
> #29
> FW_IPSEC_TRUST="int"
> --------------------------------
> 
>      I cannot seem to get any local browser to access the web server with
> the external (srv.asgard.org.nz) IP address. I have tried external port
> scanners and they seem to see no open ports at all.

You cannot access your own IP address directly over the 
internet from that same IP address - IP protocol doesn't 
work like that.

If you want to access your own web server over the internet, 
you will have to use a proxy browser, so it appears that the 
request is coming from an external source, which it would 
be. You access the proxy server, and the proxy server then 
accesses your own server on your machine on your behalf, 
then returns the website back to you on your machine. You 
might like to try http://proxybrowsing.com/ to see if this 
helps.

I use the above proxy for testing access to my own site.
(I have set up name based virtual hosting with Apache 2.2.0, 
but I cannot get it to work, as all the proxy browsers I 
have found only support HTTP/1.0 protocol, and name based 
virtual hosting requires HTTP/1.1 for this to work.)

First you need to make sure that Apache is up and running, 
and you can access it locally, from something like:
http://localhost/ or http://127.0.0.1

Once that is working OK, you need to set up your firewall so 
that port 80 is open to the outside world.

Next check and make sure that NAPT is set up in your router 
correctly. Any connections to your static IP address need 
to be forwarded by your router to the interface that Apache 
is listening on.

>     Having spent two days getting nowhere - but learning a lot, I feel I
> need to humbly ask for help. It's probably something obvious to you experts
> - sorry, I don't see what might be wrong.
> 
>      Help, please!
> 
>                          Keith Hopper
> 
> -- 
> Sky Development
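An added example (not the poster's bash script and not SuSEfirewall2's own code): a small Python audit of the /etc/sysconfig/SuSEfirewall2 excerpt quoted above. It resolves service names through an assumed subset of /etc/services, lists what FW_SERVICES_EXT_TCP actually opens on the external interface, and flags settings a reviewer would want confirmed (the exposed high ports and FW_ANTISPOOF="no").

```python
import re

# Assumed subset of /etc/services, enough for the names used in the thread.
SERVICES = {"ftp": 21, "domain": 53, "http": 80, "https": 443, "isakmp": 500}

# Constructed excerpt of the poster's /etc/sysconfig/SuSEfirewall2.
SAMPLE_CONFIG = """
FW_DEV_EXT="eth-id-00:90:27:a7:d3:d2"
FW_SERVICES_EXT_TCP="5801 5901 domain http https"
FW_SERVICES_EXT_UDP="domain  isakmp"
FW_ANTISPOOF="no"
"""

_ASSIGN = re.compile(r'^\s*(FW_[A-Z0-9_]+)\s*=\s*"(.*)"\s*$')

def parse_sysconfig(text):
    """Return {KEY: value} for every FW_*="..." line; comments are skipped."""
    conf = {}
    for line in text.splitlines():
        m = _ASSIGN.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def open_ports(conf, zone="EXT", proto="TCP"):
    """Ports opened by FW_SERVICES_<zone>_<proto> (numbers or service names)
    plus any names that could not be resolved."""
    ports, unknown = set(), []
    for tok in conf.get(f"FW_SERVICES_{zone}_{proto}", "").split():
        if tok.isdigit():
            ports.add(int(tok))
        elif tok in SERVICES:
            ports.add(SERVICES[tok])
        else:
            unknown.append(tok)
    return ports, unknown

def audit(conf):
    """Findings a reviewer would raise against the external zone."""
    findings = []
    tcp, unknown = open_ports(conf, "EXT", "TCP")
    if 80 in tcp:
        findings.append("80/tcp (http) is accepted on the external zone")
    for port in sorted(tcp):
        if port >= 1024:  # e.g. the VNC ports 5801/5901 in the quoted config
            findings.append(f"high port {port}/tcp exposed externally; confirm it is intended")
    if conf.get("FW_ANTISPOOF") == "no":
        findings.append("FW_ANTISPOOF=no: anti-spoofing checks are disabled")
    for name in unknown:
        findings.append(f"unknown service name {name!r}; check /etc/services")
    return findings
```

Run it against the real file with `parse_sysconfig(open("/etc/sysconfig/SuSEfirewall2").read())`; if 80/tcp is not reported as open, the firewall, not the router, is the first thing to fix.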

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here