Re: [suse-security] another 3-interface firewall problem (twoexternal, no DMZ)
From: Philippe Vogel (filiaapfreenet.de)
Date: Tue Jan 06 2004 - 15:23:29 CST
> 1) Is the routing ok?
How can I check the routing?
The SuSEfirewall-Script generates more rules than G.W. bushisms.
Print routing table:
General routing should look like this:
fb7-fg6:~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use
internal-ip 0.0.0.0 255.255.255.0 U 0 0 0 eth1
external-ip 0.0.0.0 255.255.255.0 U 0 0 0 eth0
dsl-ip 0.0.0.0 255.255.255.0 U 0 0 0 ppp0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 default-gw-ip 0.0.0.0 UG 0 0 0
The default gw is the IP you get from DSL; it should be set correctly within the DSL
"dialup script" and reset within the DSL "dialout script"!
If not, add a rule within yast/network/dsl.
Sometimes that routing stuff acts very strangely -> maybe a reboot helps
sometimes to reset everything after a change.
> 2) Are there any firewall log entries?
Nothing critical for the 'dead' interface. But I have to retry with logging.
With this you get the firewall output in one file to analyse it:
grep DROP /var/log/messages > Outputfile
> 3) Are you sure you don't masq your webserver's reply packets with the
> IP ? (I understand that you now have 2 external IPs)
I am completely unsure about everything!
I guess everything should be clear by understanding the IP rules.
Is there a debugging tool for this? -> /sbin/SuSEfirewall status
# gives debug output of iptables sets in SuSEfirewall
If you see a "1" you have forwarding enabled.
Testing whether the network is running:
ping IP of eth0, eth1, ppp0
traceroute www.freenet.de # here we go to external and see where the route
goes (e.g. here with freenet.de)!
If you get errors here, there is no problem with the firewall.
The firewall config should look like this:
configure the services and ports as you desire!
# bad security, but for testing ...
# for testing set to "yes" \/\/\/\/
# for german t-dsl:
# not optimized:
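As an added example (not code from the post or from SuSE), the grep over /var/log/messages above can be turned into a per-interface summary, so that drops piling up on one of eth0, eth1 or ppp0 point at the "dead" interface. The log lines the script writes are constructed, and the "SuSE-FW-DROP-DEFAULT" prefix is an assumption (the prefix differs between SuSEfirewall versions), which is why the filter keys on "DROP" exactly like the grep in the post.

```shell
#!/bin/sh
# Summarise firewall DROP entries from a syslog file by the interface the
# packet arrived on (IN=) and the destination port (DPT=).
# Added example, not part of the original post. Sample lines are constructed;
# the "SuSE-FW-DROP-DEFAULT" prefix is assumed and varies between versions.

# Write a constructed sample of kernel firewall log lines to the file $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan  6 15:01:02 fb7-fg6 kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=4411 DPT=80 SYN
Jan  6 15:01:05 fb7-fg6 kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.8 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=4412 DPT=80 SYN
Jan  6 15:01:09 fb7-fg6 kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC= SRC=192.0.2.5 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=4413 DPT=22 SYN
Jan  6 15:01:12 fb7-fg6 kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=ppp0 SRC=192.168.1.20 DST=198.51.100.50 LEN=60 PROTO=TCP SPT=1025 DPT=443 SYN
Jan  6 15:01:15 fb7-fg6 kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=40 PROTO=UDP SPT=53 DPT=1027
Jan  6 15:01:20 fb7-fg6 sshd[1234]: Accepted password for user from 192.168.1.20 port 2222 ssh2
EOF
}

# Count DROP lines per "IN=<iface> DPT=<port>" pair, highest count first.
# Output lines look like "<count> <iface> <port>"; "-" stands in for a
# missing interface or port (e.g. ICMP has no DPT).
drops_by_iface_port() {
    grep 'DROP' "$1" | awk '{
        in_if = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^IN=/)  in_if = substr($i, 4)
            if ($i ~ /^DPT=/) dpt   = substr($i, 5)
        }
        if (in_if == "") in_if = "-"
        count[in_if " " dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Usage on a real box: drops_by_iface_port /var/log/messages
```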