
Re: [suse-security] Stateful packet inspection in SuSEfirewall2



Ludwig Nussel wrote:
> pronco@xxxxxxxxxxxx wrote:
>> Is it there any way to configure stateful packet inspection rules in
>> SuSEfirewall2 for masquerade networks? When I configure a rule in
>> FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I
>> also have to configure a rule for responses.
>>
>> Example: Incoming traffic to my web server in a DMZ with private addresses
>>
>> FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"
>>
>> I also need to set up the following rules in order to let responses out
>>
>> FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"
>>
>> This rule permits not only established sessions, but additionally it
>> allows my web server to establish connections to the outside world.
>>
>> Don’t know why the FW_FORWARD rules are stateful as I want, but
>> FW_MASQ_NETS ones don’t.
> 
> You found a bug.
> 
>> Any suggestion?
> 
> You may take SuSEfirewall2 from FACTORY as soon as I have submitted
> a package with the fix. It should work on 10.0 as well (feel free to
> file a bug if not). In the meantime you could use one of the hook
> functions to just insert the required rules.

Could this bug fix get into a SuSE 9.3 update?
We use here many FW_FORWARD_MASQ rules and have to maintain lots of
response rules, allowing too much!

An update to SuSE 10.0 or 10.1 is not possible, since there are still no
drivers for this proprietary hardware (won't buy FSComputers again!).

Thanks, Richard
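As an added illustration (not code from the thread or from the SuSEfirewall2 package) of what Ludwig's hook-function workaround would insert: the rules below put the over-permissive FW_MASQ_NETS workaround from the original question beside a stateful version that only lets the web server's replies out. Interface names eth0/eth1, the `IPT` dry-run wrapper and the hook file location are assumptions; the address 192.168.1.5 and port 80 come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSEfirewall2 itself.
# Assumed layout: eth0 = outside, eth1 = DMZ, web server 192.168.1.5:80.
# IPT defaults to a dry run that prints the rules; set IPT=iptables to apply
# them, e.g. from a SuSEfirewall2 custom hook (assumed to live in
# /etc/sysconfig/scripts/SuSEfirewall2-custom on the versions discussed).
EXT_IF="${EXT_IF:-eth0}"
DMZ_IF="${DMZ_IF:-eth1}"
WEB="192.168.1.5"
IPT="${IPT:-echo iptables}"

# What FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535" boils down to:
# the web server may open NEW tcp connections to any host on any
# unprivileged port, which is far more than "let the replies out".
permissive_reply_rule() {
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$WEB" \
        -p tcp --dport 1024:65535 -j ACCEPT
}

# Stateful equivalent of FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80":
# DNAT the inbound request, accept it on the way in, and accept only
# packets that belong to an already established session on the way out.
stateful_rules() {
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -p tcp --dport 80 \
        -j DNAT --to-destination "$WEB:80"
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB" \
        -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A FORWARD -i "$DMZ_IF" -o "$EXT_IF" -s "$WEB" \
        -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Returns 0 when the given rule set never grants NEW outbound connections
# from the web server (i.e. has no unconditional --dport 1024:65535 ACCEPT).
no_new_outbound() {
    ! "$1" | grep -q -- '--dport 1024:65535'
}

# Stand-alone run: print both variants for comparison.
echo "# over-permissive workaround:"; permissive_reply_rule
echo "# stateful replacement:"; stateful_rules
```

With `IPT=iptables` the same two functions apply the rules; the stateful variant drops the need for any FW_MASQ_NETS entry for the web server at all.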

