Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Harald Wallus (wallus_at_netlike-gmbh.de)
Date: Mon Oct 14 2002 - 02:50:53 CDT
Am Sonntag, 13. Oktober 2002 14:24 schrieb Michael Boettjer:
> Hi there,
> i use SuSEfirewall2 on a SuSE 7.2-Gateway.
> The Firewall has 3 Interfaces - one in direction of the internet (official
> IP), one to the inner-LAN (192.168.20.x) and one to the DMZ (192.168.70.x).
> The Computer in the DMZ (Webserver) has an internal IP-Adress
> (192.168.70.y), so i have to port-masquerade.
> The inner-LAN-Clients can reach the Webserver because i'm using the
> "FW_FORWARD"-Parameter in SuSEfirewall-Config-File. One of the entries is
> All works fine.
> But now i want to add a second Server (Mail) to the DMZ. I added the
> appropriate entry to the FW-FORWARD-Parameter. I can ping the two Servers
> from the firewall succesful.
This means, you can the both IPs on 192.168.70.0
> But from an inner-LAN-Client i can only reach the Webserver, but not the
> Mailserver. Neither a ping works still a telnet to the SMTP-Port. The
> Firewall-Logs relative to DENYs or so what is empty.
If I understand it correct: You allow ping. So you can ping your Webserver
192.168.70.10, but not your mail-Server 192.168.70.1?.
> But why?
> When i add the Mailserver to the "FW_FORWARD_MASQ"-Parameter, i can reach
> the Box from the internet without problems.
If you can reach your mail server if it's MASQ, your will masq the IP and the
May be, your default router is wrong. It must be the IP of NIC of firewall
which belongs to DMZ.
Try a traceroute from your mail server into your internal network to prove
-- Dr. Harald Wallus netlike-gmbh Am Listholze 78, D-30177 Hannover Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 1-90 Email: wallusnetlike-gmbh.de Internet: http://netlike-gmbh.de
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-helpsuse.com Security-related bug reports go to securitysuse.de, not here