
Re: [suse-security] SuSEfirewall2, two links and routing between them



Hi Marcelo,

The only problem that I'm having is the one described in the first message;
because of this I believe that my setup is correct ("I" believe ;)) )...
Well, I'm sending my configuration below:
"
FW_QUICKMODE="no"
FW_DEV_EXT="eth0 eth1" # I have two Internet links
FW_DEV_INT="eth2" # I have a DMZ and a LAN
FW_DEV_DMZ="eth3"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24 192.168.1.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="22 80"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80 3128"
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/24 200.171.207.195"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.1.2,tcp,5000 \
                0/0,192.168.1.2,tcp,1115"
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
"

Regards,

Fabiano Felix


On Fri, 2003-10-24 at 15:09, Unidad de Soporte Técnico del Instituto
Crandon wrote: 
> Some questions about that...
> 
> * Did you enable routing between the DMZ, internal and external nets?
> * Did you allow the correct services on the DMZ interface?
> 
> In any case, if you want, send me your firewall conf file so that I can help you
> better
> 
> Greetings
> Marcelo.
> -- Original Message -- 
> From: "Fabiano Felix" <felix@xxxxxxxxxxxxx>
> To: <suse-security@xxxxxxxx>
> Sent: Friday, October 24, 2003 1:44 PM
> Subject: [suse-security] SuSEfirewall2, two links and routing between them
> 
> 
> > Hi all,
> >
> > I'm having a problem using SuSEfirewall2. I have the following
> > environment:
> > - 01 Internet link with 2Mb (ADSL);
> > - 01 Internet link with 256Kb (F. Relay);
> > - 01 DMZ;
> > - 01 LAN.
> >
> > The ADSL connection is used for Internet access. The FR is used to
> > provide a Windows Media Server, and the WM Server is in the DMZ.
> > Accessing this service from the Internet I don't have any problems, but when
> > I try to access it from the LAN, I receive the following message:
> > "
> > SuSE-FW-ACCESS_DENIED_INT IN=eth2 OUT=
> > MAC=00:06:4f:06:78:59:00:50:da:64:58:e2:08:00 SRC=192.168.0.58 DST=200.
> > 300.400.500 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18893 DF PROTO=TCP
> > SPT=2368 DPT=1115 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
> > (020405B401010402)
> > "
> > Searching the archives, I found that it is a (correct) firewall
> > protection, but I need to solve this. I was wondering whether it is possible
> > to correct this by creating a custom rule. Can someone help me?
> >
> > Regards,
> >
> > Fabiano Felix
> >
> >
> > -- 
> > Check the headers for your unsubscription address
> > For additional commands, e-mail: suse-security-help@xxxxxxxx
> > Security-related bug reports go to security@xxxxxxx, not here
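
As an added example (not from either poster and not SuSEfirewall2's own code), the script below takes the posted FW_DEV_* and FW_FORWARD values plus one SuSE-FW log line and reports which zone the packet came in on and whether any FW_FORWARD entry, in SuSEfirewall2's "source,destination,protocol,port" form, covers the flow. The log line is constructed from the posted one with the obfuscated DST replaced by 198.51.100.10, a documentation address standing in for the public address of the Frame Relay link; the LAN-to-DMZ FW_FORWARD candidate at the end is hypothetical and is only there to show what such an entry would and would not match against the logged flow.

```shell
#!/bin/sh
# Added example, not part of the post or of SuSEfirewall2: given the posted
# FW_DEV_* / FW_FORWARD values and one SuSE-FW log line, say which zone the
# packet came in on and whether any FW_FORWARD entry covers the flow.
# FW_FORWARD entries use SuSEfirewall2's "source,destination,protocol,port"
# form; "0/0" means any address.

# Values copied from the posted configuration.
FW_DEV_EXT="eth0 eth1"
FW_DEV_INT="eth2"
FW_DEV_DMZ="eth3"
FW_FORWARD=""
FW_FORWARD_MASQ="0/0,192.168.1.2,tcp,5000 0/0,192.168.1.2,tcp,1115"

# Constructed log line: the posted one, with the obfuscated DST replaced by
# 198.51.100.10 (a documentation address standing in for the public address
# of the Frame Relay link).
DENIED='SuSE-FW-ACCESS_DENIED_INT IN=eth2 OUT= MAC=00:06:4f:06:78:59:00:50:da:64:58:e2:08:00 SRC=192.168.0.58 DST=198.51.100.10 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=18893 DF PROTO=TCP SPT=2368 DPT=1115 WINDOW=64240 RES=0x00 SYN URGP=0'

ip2int() {  # dotted quad -> 32-bit integer
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

in_net() {  # in_net IP NET -> true if IP lies inside NET (a.b.c.d[/bits] or 0/0)
  case $2 in
    0/0|0.0.0.0/0) return 0 ;;
    */*) base=${2%/*}; bits=${2#*/} ;;
    *)   base=$2; bits=32 ;;
  esac
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$base") & mask )) ]
}

log_field() {  # log_field LINE KEY -> value of "KEY=" in a netfilter log line
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

zone_of() {  # zone_of IFACE -> EXT, INT, DMZ or unknown, from the FW_DEV_* lists
  for dev in $FW_DEV_EXT; do [ "$dev" = "$1" ] && { echo EXT; return; }; done
  for dev in $FW_DEV_INT; do [ "$dev" = "$1" ] && { echo INT; return; }; done
  for dev in $FW_DEV_DMZ; do [ "$dev" = "$1" ] && { echo DMZ; return; }; done
  echo unknown
}

forward_matches() {  # forward_matches SRC DST PROTO DPORT "entry entry ..." -> true if covered
  for entry in $5; do
    IFS=, read -r fsrc fdst fproto fport <<EOF
$entry
EOF
    [ -n "$fproto" ] && [ "$fproto" != "$3" ] && continue
    [ -n "$fport" ] && [ "$fport" != "$4" ] && continue
    in_net "$1" "$fsrc" && in_net "$2" "$fdst" && return 0
  done
  return 1
}

explain_denied() {  # explain_denied LINE -> "ZONE SRC DST PROTO DPORT covered|uncovered"
  in_if=$(log_field "$1" IN)
  s=$(log_field "$1" SRC); d=$(log_field "$1" DST); dp=$(log_field "$1" DPT)
  p=$(log_field "$1" PROTO | tr 'A-Z' 'a-z')
  if forward_matches "$s" "$d" "$p" "$dp" "$FW_FORWARD"; then cov=covered; else cov=uncovered; fi
  echo "$(zone_of "$in_if") $s $d $p $dp $cov"
}

explain_denied "$DENIED"
# -> INT 192.168.0.58 198.51.100.10 tcp 1115 uncovered

# Hypothetical LAN->DMZ entry: it would cover traffic aimed at the DMZ host's
# own address, but not the logged flow, whose DST is the external address
# the LAN client connected to.
CANDIDATE="192.168.0.0/24,192.168.1.0/24,tcp,1115"
forward_matches 192.168.0.58 192.168.1.2 tcp 1115 "$CANDIDATE" && echo "candidate covers LAN -> 192.168.1.2:1115"
forward_matches 192.168.0.58 198.51.100.10 tcp 1115 "$CANDIDATE" || echo "candidate does not cover the logged flow (DST is the external address)"
```

The point the last two lines make is the one to check before writing any custom rule: the denied packet entered on eth2 (the INT zone) and FW_FORWARD is empty, so nothing permits the forward, but the destination the LAN client used is the external address, not 192.168.1.2, so a plain INT-to-DMZ FW_FORWARD entry on 192.168.1.0/24 would not match this flow either; the FW_FORWARD_MASQ entries for 192.168.1.2 are what make the service reachable from the Internet side.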

