
Thread: Routing 7Firewall Problem

  1. #1

    Routing 7Firewall Problem

    Sorry for my bad English.

    1 SUSE 11.1 with 2 NICs.
    Intern services: DNS, Samba, DHCP, SSH, HTTP, FTP.
    Extern services: FTP, port forwarded.

    The firewall is configured with these services.
    The router has the correct MAC address & IP for port forwarding.
    Both NICs are in the same subnet; the problem is, the NIC & address from the extern net answers for intern.
    For example the extern NIC is 192.168.1.253 and firewalled for only use FTP. If I forward the SSH port for testing, the NIC answers.
    The intern NIC is 192.168.1.2 (& 192.168.1.3 virtual address for Apache). The router is 192.168.1.254.

    If I use it for testing in two different networks 192.168.2.x and 192.168.1.x it works properly.

    The crazy thing is, if I use for testing the intern NIC a /25 subnet (that can't access the router), the extern NIC answers for intern allowed services.

    That is a small net for our house, I don't want to use a second router. And I need access from intern & extern to this PC. And hackers can use a route over an open port.

  2. #2

    Re: Routing 7Firewall Problem

    I do not know exactly how your setup is, but having two NICs in the same network sounds strange to me. It is like having a house with two front doors opening into the same street (albeit with a different house number). How do you determine what leaves the house through one door and what through the other?
    Henk van Velden

  3. #3

    Re: Routing 7Firewall Problem

    That's the problem,
    I don't want to use a second router. That's not a business, that's a small Intel Atom with low cost energy to have a useful share point.

    The crazy thing is that the intern NIC answers to the router, but it is in a /25 subnet. The way is no proper configuration, but I think that can work normally for this special net.
    Maybe I config for the extern NIC going out rules only for FTP (& HTTP to have updates from SUSE)?

  4. #4

    Re: Routing 7Firewall Problem

    I still do not get a picture before my eyes how your network is constructed. The problem is that talking is mostly confusing and vague (that is due to the subject, not to you). Could you try to make a picture about what networks are involved and which (sub)nets you are exactly using where. I know it is not easy to do this, but you could give it a try.
    Henk van Velden

  5. #5

    Re: Routing 7Firewall Problem

    [image: network diagram, not preserved]

    The SUSE PC makes the DHCP service for the net range 192.168.1.11 - 192.168.1.99.

    I think that the SUSE firewall takes the firewall rules for the net, not for the NIC, and does a kind of NLB over the NICs in the same net.
    It's normal that a server with a lot of traffic has more than one NIC in the same net for different services; what do they do to config that?

  6. #6

    Re: Routing 7Firewall Problem

    The grey block upper left (the system you are talking about?) and (if I understand the picture correctly) the blue gateway both have connections to:
    - the network 192.168.1.0/24 (that means all IP addresses from 192.168.1.1 - 192.168.1.254)
    - the network 192.168.1.0/25 (that means all IP addresses from 192.168.1.1 - 192.168.1.126)
    This can not function. When you split a network in subnets you can not have the original network still existing.

    When you want to split 192.168.1.0/24 in two subnets, those will be 192.168.1.0/25 and 192.168.1.128/25 (each for 126 hosts).

    Another possibility would be 192.168.1.0/25 and 192.168.1.128/26 and 192.168.1.192/26 (one for 126 addresses and two for 62 addresses).
    And so forth.

    You can never have overlapping addresses!

    These are basic laws of networking which you can not bend at your will.
    Henk van Velden

  7. #7

    Re: Routing 7Firewall Problem

    If the /25 subnet has an IP 192.168.1.2 it can communicate to all addresses in that subnet address range which have at minimum the same mask, but you can't route addresses from another netmask. For example a client with 192.168.1.2/24 can communicate with a client with 192.168.1.3/16 or 192.168.1.4/8, but the router can't route another netmask than he has.

    That is a config to try out that no traffic accesses the router that's not allowed. And the SUSE PC still answers for SSH to the router if the port is forwarded at the extern NIC (192.168.1.253/24), which has a firewall rule to only access FTP.

    And I know something about subnetting (Linux LPIC 1 a & b, MS MCSE W2k3, Enterprise Admin W2k8).

    That's not the question;
    the question is what to do so that the SUSE firewall does what it has to do: access only FTP @ extern NIC and don't answer from another NIC what's not asked from the client.

  8. #8

    Re: Routing 7Firewall Problem

    We need facts. Please post the output of the following commands:

    1) ifconfig
    2) route -n
    3) cat /etc/sysconfig/SuSEfirewall2 | grep -v "^#" | grep -v "^$"

    and let us know the IP address of your router.
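The overlap Henk describes in post #6 (192.168.1.0/24 next to 192.168.1.0/25) can be checked mechanically against the `route -n` output asked for in post #8. The script below is an added example, not from any poster; it assumes POSIX sh plus awk, and the interface names eth0/eth1 and the route table are constructed to match the setup in post #1.

```shell
#!/bin/sh
# Added example (not from the thread): flag overlapping networks such as
# 192.168.1.0/24 beside 192.168.1.0/25, from two CIDR strings or from the
# "route -n" output post #8 asks for. POSIX sh + awk only.
ip2int() {                       # dotted quad -> unsigned 32-bit integer
    echo "$1" | { IFS=. read -r a b c d
                  echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}
plen2mask() {                    # prefix length -> netmask integer
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}
# Networks overlap when they agree on every bit of the shorter mask;
# masks are contiguous, so mask1 & mask2 is the shorter one.
nets_overlap() {                 # args: net1 mask1 net2 mask2 (integers)
    m=$(( $2 & $4 ))
    [ $(( $1 & m )) -eq $(( $3 & m )) ]
}
cidr_overlap() {                 # "a.b.c.d/len" form; exit 0 = overlap
    nets_overlap "$(ip2int "${1%/*}")" "$(plen2mask "${1#*/}")" \
                 "$(ip2int "${2%/*}")" "$(plen2mask "${2#*/}")"
}
# Read "route -n" on stdin; print every pair of directly connected networks
# (gateway 0.0.0.0, not lo, not the default route) that overlap on
# different interfaces. Entries are packed as dest/genmask/iface.
find_overlaps() {
    set -- $(awk '$2=="0.0.0.0" && $1!="0.0.0.0" && $NF!="lo" {print $1"/"$3"/"$NF}')
    while [ $# -gt 1 ]; do
        a=$1; shift
        for b in "$@"; do
            na=${a%%/*}; ma=${a#*/}; ma=${ma%/*}; fa=${a##*/}
            nb=${b%%/*}; mb=${b#*/}; mb=${mb%/*}; fb=${b##*/}
            [ "$fa" != "$fb" ] || continue
            nets_overlap "$(ip2int "$na")" "$(ip2int "$ma")" \
                         "$(ip2int "$nb")" "$(ip2int "$mb")" &&
                echo "OVERLAP: $na/$ma on $fa and $nb/$mb on $fb"
        done
    done
}
# Constructed sample in the shape of "route -n" for the setup in post #1:
# /24 on the external NIC (eth1), /25 on the internal NIC (eth0).
SAMPLE_ROUTES='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.1.0     0.0.0.0         255.255.255.128 U     0      0        0 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1'

printf '%s\n' "$SAMPLE_ROUTES" | find_overlaps
```

On a real box, run `route -n | sh -c '. ./check.sh; find_overlaps'` or paste the functions into a shell; a clean split such as 192.168.1.0/25 and 192.168.1.128/25 prints nothing.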

  9. #9

    Re: Routing 7Firewall Problem

    I have fixed the problem.

    I added with telnet and ifconfig @ router a virtual interface with a second net; that works.

    The problem that makes me think is that the firewall rules are for the net, not for the NIC; if two interfaces in different zones are in the same net they both take both rules. And the kind of load balancing that the NICs in one net do. I will test it in a VM with two new & clean machines and a separate net with Wireshark & nmap for study, to have clear information for future projects.

    Thanks and excuse my bad English.

  10. #10

    Re: Routing 7Firewall Problem

    If anybody is interested in the information: Sparion router (standard from provider), connect with telnet > ifconfig to get the configuration > they have a virtual interface to bridge WLAN & LAN = br0 > ifconfig br0:1 192.168.x.x; if you need more, ifconfig br0:2 192.168.x.x for another net. Do not change and save anything with the HTTP configuration and do no restart; it is not persistent, it deletes your virtual interfaces and you have to configure again.
