[suse-security] DMZ egress access problem
From: maarten van den Berg (maartenvbvb.nl)
Date: Wed May 21 2003 - 12:09:04 CDT
I have a bit of a problem connecting from DMZ to the outside world.
I have a DMZ with real IP numbers (not masqueraded) and the corresponding
routing setup (which is working just fine). I allow ports 80 and 22 to the
DMZ, which is working great too. But...
The problem is that from a DMZ host one cannot download patches; no DMZ ->
internet connection is allowed at all and I cannot find a (safe) solution.
These are my settings:
Outside net X.Y.Z.144/28
DMZ net X.Y.Z.160/28
My outside I/F is X.Y.Z.146. DMZ I/F is X.Y.Z.161
These are the relevant sections of SuSEfirewall I have configured
That last rule should allow access to the internet, right? But it doesn't. With
a sniffer I see packets leaving the firewall and they come back to eth0
whereafter they disappear. So probably the rule that should allow it back (I
mean the smart <established,related> rule) doesn't apply or it has a bug.
If I add this bit it works, but then I open up the entire DMZ again (evil).
And since I cannot define SOURCE portnumbers in FW_FORWARD, only DEST
portnumbers, I see no workaround. Because obviously the destination ports are
random >1024 ports. The construct 0/0,tcp,80,X.Y.Z.160/28 is not allowed
according to the docs. Or is it...? (And besides, that is not very safe
since anyone could then spoof that source port number anyway)
I can probably solve it by patching some things around inside the real
firewall script, but that is not why I'm writing this... I wonder how you are
_supposed_ to solve this in the proper way. Are my rules wrong, or do you all
disregard the FW_FORWARD line entirely and do it all from one of the hooks in
the FW_CUSTOMRULES file?
I searched these mail archives but a solution is not easy to find. For one,
just looking for "DMZ" obviously gives thousands of hits and more importantly
everyone seems to use a masqueraded DMZ anyway (As do the SuSE examples) so
that does not really apply to my situation.
Any insights?
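Added example, not part of the original post and not SuSEfirewall's own code: the stateful FORWARD ruleset, written in plain iptables (the kind of thing one would put into an FW_CUSTOMRULES hook), that gives a routed, non-masqueraded DMZ the inbound 22/80 service plus restricted egress the poster is after. The interface names eth0/eth1, the 192.0.2.160/28 documentation prefix standing in for X.Y.Z.160/28, and the choice to limit egress to DNS, FTP, HTTP and HTTPS are assumptions. gen_rules only prints the commands, so the script runs without root; apply it with `gen_rules | sh`.

```shell
# Stateful FORWARD policy for a routed (non-masqueraded) DMZ.
# Added example, not SuSEfirewall code.  Assumptions: eth0 is the outside
# interface (X.Y.Z.146 in the post), eth1 the DMZ interface (X.Y.Z.161),
# and 192.0.2.160/28 stands in for the poster's X.Y.Z.160/28.

EXT_IF=eth0              # assumed outside interface
DMZ_IF=eth1              # assumed DMZ interface
DMZ_NET=192.0.2.160/28   # stand-in for X.Y.Z.160/28

# Print the ruleset instead of applying it, so this runs unprivileged.
# Apply with:  gen_rules | sh
gen_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
# FTP data connections become RELATED only if the helper is loaded (2.4 name).
modprobe ip_conntrack_ftp
# 1. Replies and related traffic of any connection already accepted, in both
#    directions.  This single rule carries the random >1024 return packets of
#    a DMZ-initiated download; no port-based rule for them is needed.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 2. Anti-spoofing: packets arriving on the DMZ wire must carry a DMZ source.
iptables -A FORWARD -i $DMZ_IF ! -s $DMZ_NET -j DROP
# 3. Services the DMZ offers to the world (only the connection-opening packet).
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_NET -p tcp -m multiport --dports 22,80 -m state --state NEW -j ACCEPT
# 4. Egress from the DMZ, limited to what patch downloads need: DNS, FTP, HTTP, HTTPS.
#    Nothing here opens the DMZ "entirely"; the return path is rule 1.
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -p udp --dport 53 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -p tcp -m multiport --dports 21,80,443 -m state --state NEW -j ACCEPT
# 5. Everything else is logged (rate-limited) and dropped by the chain policy.
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD drop: "
EOF
}

# Sanity check on the generated order: the ESTABLISHED,RELATED rule must
# precede every NEW rule, otherwise replies to DMZ-initiated connections
# never reach an ACCEPT and fall through to the DROP policy.
state_rule_first() {
    est=$(gen_rules | grep -n -- '--state ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    new=$(gen_rules | grep -n -- '--state NEW' | head -1 | cut -d: -f1)
    [ -n "$est" ] && [ -n "$new" ] && [ "$est" -lt "$new" ]
}

# Usage: print the rules, or check the ordering invariant.
#   gen_rules
#   state_rule_first && echo "state rule precedes NEW rules"
```

The point the post circles around is that with connection tracking the firewall never needs a rule matching the "random >1024" ports at all: the egress rule accepts only the packet that opens the connection (state NEW), and rule 1 lets the replies through because the kernel already knows which connection they belong to. That also removes the source-port spoofing worry, since a packet with source port 80 that belongs to no tracked connection is NEW, not ESTABLISHED, and matches none of the egress rules.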