From: Hans-Peter Jansen (hpj_at_urpla.net)
Date: Tue Sep 17 2002 - 15:11:06 CDT


    Hi,

    why can't I ssh to my fw via dyndns from internal, when it works from outside?

    SuSEfirewall2 v1.7

    Sep 17 21:47:17 frwall kernel: SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth0 OUT= MAC=00:01:02:f5:e5:fb:00:01:02:f5:e6:ad:08:00 SRC=xxx.yy.zz.123 DST=xxx.yyy.zzz.145 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=29832 DF PROTO=TCP SPT=41182 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A024F8D5F0000000001030300)
    Sep 17 21:47:20 frwall kernel: SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth0 OUT= MAC=00:01:02:f5:e5:fb:00:01:02:f5:e6:ad:08:00 SRC=xxx.yy.zz.123 DST=xxx.yyy.zzz.145 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=29833 DF PROTO=TCP SPT=41182 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A024F8E8B0000000001030300)
    Sep 17 21:47:26 frwall kernel: SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth0 OUT= MAC=00:01:02:f5:e5:fb:00:01:02:f5:e6:ad:08:00 SRC=xxx.yy.zz.123 DST=xxx.yyy.zzz.145 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=29834 DF PROTO=TCP SPT=41182 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A024F90E30000000001030300)

    I think my setup is ok:

    FW_DEV_EXT="eth1 ppp0 ppp1"
    FW_DEV_INT="eth0"
    FW_DEV_DMZ=""
    FW_ROUTE="yes"

    FW_MASQUERADE="yes"
    FW_MASQ_DEV="$FW_DEV_EXT"
    FW_MASQ_NETS="xxx.yyy.zzz.0/24"

    FW_PROTECT_FROM_INTERNAL="yes"
    FW_AUTOPROTECT_SERVICES="yes"

    FW_SERVICES_EXT_TCP="ssh"
    FW_SERVICES_EXT_UDP="domain" # Common: domain
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_DMZ_TCP=""
    FW_SERVICES_DMZ_UDP=""
    FW_SERVICES_DMZ_IP=""
    FW_SERVICES_INT_TCP="ssh smtp domain www ntp nfs sunrpc 3128"
    FW_SERVICES_INT_UDP="domain nfs sunrpc 111"
    FW_SERVICES_INT_IP=""

    FW_TRUSTED_NETS="xxx.yyy.zzz.0/24"

    FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
    FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

    FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
    FW_SERVICE_DNS="no"
    FW_SERVICE_DHCLIENT="no"
    FW_SERVICE_DHCPD="no"
    FW_SERVICE_SQUID="no"
    FW_SERVICE_SAMBA="no"

    FW_FORWARD="" # Beware to use this!
    FW_FORWARD_MASQ="" # Beware to use this!
    FW_REDIRECT=""

    FW_LOG_DROP_CRIT="yes"
    FW_LOG_DROP_ALL="no"
    FW_LOG_ACCEPT_CRIT="yes"
    FW_LOG_ACCEPT_ALL="no"
    FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

    FW_KERNEL_SECURITY="yes"
    FW_STOP_KEEP_ROUTING_STATE="yes"

    FW_ALLOW_PING_FW="yes"
    FW_ALLOW_PING_DMZ="no"
    FW_ALLOW_PING_EXT="yes"

    FW_ALLOW_FW_TRACEROUTE="yes"
    FW_ALLOW_FW_SOURCEQUENCH="yes"
    FW_ALLOW_FW_BROADCAST="no"
    FW_IGNORE_FW_BROADCAST="yes"
    FW_ALLOW_CLASS_ROUTING="no"

    2nd question: is openssh-2.9p2-39 from SuSE 7.3 vulnerable?

    TIA,
    Hans-Peter

    -- 
    Check the headers for your unsubscription address
    For additional commands, e-mail: suse-security-help@suse.com
    Security-related bug reports go to security@suse.de, not here
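The dropped packets in the mail above can be checked mechanically against the posted configuration. The script below is an added example, not part of the original mail and not code from SuSEfirewall2: it re-joins the kernel log lines that the mail client wrapped, parses the netfilter LOG fields, maps the arrival interface to a zone through FW_DEV_INT/FW_DEV_EXT/FW_DEV_DMZ, resolves the service names in FW_SERVICES_*_TCP and reports whether the destination port is listed for that zone at all. The addresses used (192.0.2.x, 198.51.100.145) are constructed stand-ins for the masked ones in the post, and the interface-to-address map IFACE_ADDRS is an assumption made for illustration. On the posted lines it reports zone INT, port 22 listed for INT, a fresh SYN, and a DST that is not an address of eth0 under that assumption; so the service list alone does not explain the drop, and the destination address the dyndns name resolves to is the thing to look at next.

```python
"""Parse netfilter LOG lines as written by SuSEfirewall2 and check each
dropped packet against the FW_SERVICES_*_TCP lists of a posted config."""
import re
from ipaddress import ip_address

# Constructed sample: the drop lines from the post, wrapped the way a mail
# client wraps them (continuation lines carry no syslog timestamp).  The
# addresses are RFC 5737 stand-ins for the masked xxx.* values in the post.
SAMPLE_LOG = """\
Sep 17 21:47:17 frwall kernel: SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth0 OUT= MAC=00:01:02:f5:e
5:fb:00:01:02:f5:e6:ad:08:00 SRC=192.0.2.123 DST=198.51.100.145 LEN=60 TOS=0x10 PREC=0x
00 TTL=64 ID=29832 DF PROTO=TCP SPT=41182 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0204
05B40402080A024F8D5F0000000001030300)
Sep 17 21:47:20 frwall kernel: SuSE-FW-ACCESS_DENIED_FOR_INTIN=eth0 OUT= MAC=00:01:02:f5:e
5:fb:00:01:02:f5:e6:ad:08:00 SRC=192.0.2.123 DST=198.51.100.145 LEN=60 TOS=0x10 PREC=0x
00 TTL=64 ID=29833 DF PROTO=TCP SPT=41182 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (0204
05B40402080A024F8E8B0000000001030300)
"""

# The relevant part of the posted SuSEfirewall2 configuration.
CONFIG = {
    "FW_DEV_EXT": "eth1 ppp0 ppp1",
    "FW_DEV_INT": "eth0",
    "FW_DEV_DMZ": "",
    "FW_SERVICES_EXT_TCP": "ssh",
    "FW_SERVICES_INT_TCP": "ssh smtp domain www ntp nfs sunrpc 3128",
    "FW_SERVICES_DMZ_TCP": "",
}

# Assumed interface addresses (not in the post): internal net on eth0, the
# address the dyndns name points at on eth1.
IFACE_ADDRS = {"eth0": ["192.0.2.1"], "eth1": ["198.51.100.145"]}

# Minimal /etc/services subset covering the names used in the posted config.
SERVICE_PORTS = {"ssh": 22, "smtp": 25, "domain": 53, "www": 80, "ntp": 123,
                 "sunrpc": 111, "nfs": 2049}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF", "MF"}
SYSLOG_TS = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
FIELD = re.compile(r"(\w+)=(\S*)")


def unwrap(text):
    """Re-join wrapped log lines.  A continuation line is one without a
    syslog timestamp; the mail wrap split tokens in the middle (e.g. the MAC
    and the TCP options), so pieces are joined without a separator."""
    lines = []
    for raw in text.splitlines():
        if SYSLOG_TS.match(raw) or not lines:
            lines.append(raw)
        else:
            lines[-1] += raw
    return lines


def parse_line(line):
    """Return the LOG fields of one kernel line as a dict, or None.
    The log prefix is everything before the first 'IN=' (SuSEfirewall2's
    prefix has no trailing space, hence '..._FOR_INTIN=eth0')."""
    m = re.search(r"kernel: (?P<prefix>.*?)(?=IN=)(?P<rest>.*)$", line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip()}
    rec.update(FIELD.findall(m.group("rest")))
    rec["flags"] = {tok for tok in m.group("rest").split() if tok in TCP_FLAGS}
    return rec


def zone_of(iface, config):
    """Map an interface name to INT/EXT/DMZ via the FW_DEV_* lists."""
    for zone in ("INT", "EXT", "DMZ"):
        if iface in config.get("FW_DEV_%s" % zone, "").split():
            return zone
    return None


def allowed_tcp_ports(zone, config):
    """Resolve FW_SERVICES_<zone>_TCP (names or numbers) to a set of ports."""
    ports = set()
    for item in config.get("FW_SERVICES_%s_TCP" % zone, "").split():
        ports.add(int(item) if item.isdigit() else SERVICE_PORTS[item])
    return ports


def assess(rec, config, iface_addrs=None):
    """Classify one dropped packet: arrival zone, whether its destination
    port is listed for that zone, whether it is a new connection, and (if
    addresses are known) whether DST is an address of the arrival interface."""
    zone = zone_of(rec.get("IN", ""), config)
    dpt = int(rec["DPT"]) if rec.get("PROTO") == "TCP" and "DPT" in rec else None
    listed = zone is not None and dpt is not None and dpt in allowed_tcp_ports(zone, config)
    result = {
        "zone": zone,
        "dpt": dpt,
        "port_in_zone_list": listed,
        "new_connection": "SYN" in rec["flags"] and "ACK" not in rec["flags"],
        "dst_on_arrival_iface": None,
    }
    if iface_addrs is not None:
        local = {ip_address(a) for a in iface_addrs.get(rec.get("IN"), [])}
        result["dst_on_arrival_iface"] = ip_address(rec["DST"]) in local
    return result


def analyse(text, config, iface_addrs=None):
    """Run the whole pipeline over a wrapped log excerpt."""
    recs = (parse_line(l) for l in unwrap(text))
    return [assess(r, config, iface_addrs) for r in recs if r is not None]


if __name__ == "__main__":
    for r in analyse(SAMPLE_LOG, CONFIG, IFACE_ADDRS):
        print(r)
```

Feed it the real addresses and the real interface map from `ip addr` on the firewall, and the `dst_on_arrival_iface` column tells you directly whether the SYN from inside is aimed at the internal or the external address of the box.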