Help needed with SuSE Firewall msg

Hi all I need some help with the message below:

[424487.934789] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1 SRC=192.XXX.XXX.XXX DST=172.XXX.XXX.XXX LEN=83 TOS=0x00 PREC=0x00 TTL=127 ID=1164 PROTO=UDP SPT=1146 DPT=161 LEN=63

The firewall should accept a message from network 192.XXX.XXX.XXX and send it to network 172.XXX.XXX.XXX.
If I try the same thing from network 10.XXX.XXX.XXX it works… but it seems the 192 network can ping the 172 network or even use the SNMP protocol, but telnet does not go through. I wonder if this is what the firewall log is indicating.

Thanks for any help.

On Wed, 13 Jul 2011 17:36:02 +0000, ephlodur wrote:

> Hi all I need some help with the message below:
>> [424487.934789] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1
>> SRC=192.XXX.XXX.XXX DST=172.XXX.XXX.XXX LEN=83 TOS=0x00 PREC=0x00
>> TTL=127 ID=1164 PROTO=UDP SPT=1146 DPT=161 LEN=63
>
> The firewall should accept a message from network 192.XXX.XXX.XXX and send
> it to network 172.XXX.XXX.XXX. If I try the same thing from network
> 10.XXX.XXX.XXX it works… but it seems the 192 network can ping the 172
> network or even use the SNMP protocol, but telnet does not go through. I
> wonder if this is what the firewall log is indicating.
>
>
> Thanks for any help.

It sounds like the system is set up as a router, yes?

And with two IP addresses bound to the eth1 interface?

When you try to do the telnet/ping/SNMP traffic, are you doing it from
this system or from other systems on your network?

If on other systems on your network, does the routing table look OK? (It
should if ping works in both directions)

This particular log message doesn’t indicate the port, but it doesn’t
seem to be the telnet command, as telnet uses TCP, and this is a message
relating to a UDP transmission.

Have you verified that you can issue the telnet command on the same subnet
as the target machine? That’s where I’d start - remove the router from
the picture and make sure telnet is working, if it is, then start working
out from that subnet.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Thanks for your reply…

This is my setup: my SuSE box is used as a gateway/router; it will accept and forward packets that are sent to another sub-network.

the main network will be A (172.X)— B(192.Network) ----- is my suse Box
B has two network cards, eth0 and eth1. eth0 will be connected to the outside and eth1 will be connected to the local network… There are 2 different sub-networks connecting to eth1, let's say network 10.X and network 120.X; these two different networks have 2 interfaces each, one pointing to the 192.X and the other pointing to their appliance.

When telnet does not work I get this message from the firewall log:

Jul 13 15:54:50 suse-gateway-p kernel: [444140.196006] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1 SRC=192.X.X.X DST=10.X.X.X LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=5660 DF PROTO=TCP SPT=1330 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A201FB9CE0000000001030300)

On 2011-07-13 19:36, ephlodur wrote:
>
> Hi all I need some help with the message below:
>> [424487.934789] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1
>> SRC=192.XXX.XXX.XXX DST=172.XXX.XXX.XXX LEN=83 TOS=0x00 PREC=0x00
>> TTL=127 ID=1164 PROTO=UDP SPT=1146 DPT=161 LEN=63

I think it is an “accepted forward”

> The firewall should accept a message from network 192.XXX.XXX.XXX and
> send it to network 172.XXX.XXX.XXX.
> If I try the same thing from network 10.XXX.XXX.XXX it works… but it
> seems the 192 network can ping the 172 network or even use the SNMP protocol,
> but telnet does not go through. I wonder if this is what the firewall log
> is indicating.

Not telnet, destination port is 161, snmp.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-07-13 20:52, Jim Henderson wrote:

>>> [424487.934789] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1
>>> SRC=192.XXX.XXX.XXX DST=172.XXX.XXX.XXX LEN=83 TOS=0x00 PREC=0x00
>>> TTL=127 ID=1164 PROTO=UDP SPT=1146 DPT=161 LEN=63

> This particular log message doesn’t indicate the port, but it doesn’t
> seem to be the telnet command, as telnet uses TCP, and this is a message
> relating to a UDP transmission.

No?

SPT=1146 DPT=161

:-)


Cheers / Saludos,

Carlos E. R.

On 2011-07-13 22:06, ephlodur wrote:
> When telnet does not work I get this message from the firewall log:
>
>> > Jul 13 15:54:50 suse-gateway-p kernel: [444140.196006]
>> > SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1 SRC=192.X.X.X DST=10.X.X.X LEN=60
>> > TOS=0x10 PREC=0x00 TTL=63 ID=5660 DF PROTO=TCP SPT=1330 DPT=23
>> > WINDOW=5840 RES=0x00 SYN URGP=0 OPT
>> > (020405B40402080A201FB9CE0000000001030300)

It looks to me as it is accepted.


Cheers / Saludos,

Carlos E. R.

The Telnet request is never completed and times out … from the 172.X network it is accepted; there is no log in the firewall log… this is what I have observed so far…

In addition, telnet also returns with an error:

Escape character is ‘^]’.
Connection closed by foreign host.

Thanks for your help.

On 2011-07-14 00:06, ephlodur wrote:
>
> The Telnet request is never completed and times out … from the 172.X
> network it is accepted; there is no log in the firewall log… this is
> what I have observed so far…

As far as the firewall is concerned, the telnet connection is allowed
there. It can be rejected somewhere else, not routed, whatever.

That is what I can guess from the output printed, if I’m not mistaken.


Cheers / Saludos,

Carlos E. R.

On Wed, 13 Jul 2011 23:08:06 +0000, Carlos E. R. wrote:

> On 2011-07-14 00:06, ephlodur wrote:
>>
>> The Telnet request is never completed and times out … from the 172.X
>> network it is accepted; there is no log in the firewall log… this is
>> what I have observed so far…
>
> As far as the firewall is concerned, the telnet connection is allowed
> there. It can be rejected somewhere else, not routed, whatever.
>
> That is what I can guess from the output printed, if I’m not mistaken.

You’re not mistaken - the connection is being made, but the daemon is
rejecting it for some reason on the target system - and not because of a
firewall issue on the router or the target machine.

Jim

Jim Henderson

On Wed, 13 Jul 2011 21:20:08 +0000, Carlos E. R. wrote:

> On 2011-07-13 20:52, Jim Henderson wrote:
>
>>>> [424487.934789] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1
>>>> SRC=192.XXX.XXX.XXX DST=172.XXX.XXX.XXX LEN=83 TOS=0x00 PREC=0x00
>>>> TTL=127 ID=1164 PROTO=UDP SPT=1146 DPT=161 LEN=63
>
>
>> This particular log message doesn’t indicate the port, but it doesn’t
>> seem to be the telnet command, as telnet uses TCP, and this is a
>> message relating to a UDP transmission.
>
> No?
>
> SPT=1146 DPT=161
>
> :-)

Oh, duh, I missed that right after the protocol… But the proto is still
UDP and not TCP, but Telnet uses TCP, so this message doesn’t relate to a
telnet session.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C
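
The reading of these log lines worked out across the replies above (the prefix says the packet was accepted and forwarded, PROTO and DPT identify the service), as an added example that is not part of any post: a small Python parser run over the two log lines quoted in the thread. The prefix layout `SFW2-<chain>-<action>-<reason>`, the `ACTIONS` and `SERVICES` tables and the function name `parse_sfw2` are assumptions made for illustration.

```python
import re

# Constructed sample input: the two log lines quoted in the thread (addresses masked as posted).
SAMPLE_LINES = [
    "[424487.934789] SFW2-FWDint-ACC-FORW IN=eth1 OUT=eth1 SRC=192.XXX.XXX.XXX "
    "DST=172.XXX.XXX.XXX LEN=83 TOS=0x00 PREC=0x00 TTL=127 ID=1164 PROTO=UDP "
    "SPT=1146 DPT=161 LEN=63",
    "Jul 13 15:54:50 suse-gateway-p kernel: [444140.196006] SFW2-FWDint-ACC-FORW "
    "IN=eth1 OUT=eth1 SRC=192.X.X.X DST=10.X.X.X LEN=60 TOS=0x10 PREC=0x00 TTL=63 "
    "ID=5660 DF PROTO=TCP SPT=1330 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 "
    "OPT (020405B40402080A201FB9CE0000000001030300)",
]

# Assumption: the prefix is SFW2-<chain>-<action>-<reason>, read as in the thread.
ACTIONS = {"ACC": "accepted", "DROP": "dropped"}
SERVICES = {("UDP", 161): "snmp", ("TCP", 23): "telnet", ("TCP", 22): "ssh"}
TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "PSH", "URG")
PREFIX_RE = re.compile(r"\bSFW2-(\S+)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_sfw2(line):
    """Return a dict describing one SFW2 log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    parts = m.group(1).split("-")
    body = line[m.end():]
    fields = {}
    for key, value in FIELD_RE.findall(body):
        fields.setdefault(key, value)  # first LEN is the IP length, second the UDP length
    proto = fields.get("PROTO", "")
    dpt = int(fields["DPT"]) if fields.get("DPT", "").isdigit() else None
    flags = [t for t in body.split() if t in TCP_FLAGS] if proto == "TCP" else []
    return {
        "chain": parts[0],
        "action": next((ACTIONS[p] for p in parts if p in ACTIONS), "unknown"),
        "proto": proto,
        "dpt": dpt,
        "service": SERVICES.get((proto, dpt), "unknown"),
        "flags": flags,
        # A lone SYN is the first packet of a handshake: the log proves it was
        # forwarded, not that the server's reply ever came back.
        "handshake_start": flags == ["SYN"],
        "same_interface": bool(fields.get("IN")) and fields.get("IN") == fields.get("OUT"),
    }

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_sfw2(sample))
```
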

Thanks to all for your help…
I have to do a bit more debugging … sorry for putting the SNMP packet call in there…
SNMP works fine, ping works fine … just telnet does not work for now … the call is going to a Cisco router which turns it into an x25 packet call request … monitoring the Cisco router I can see that the call is coming in and I see the end system responding to the request IP.

I’m not sure if the firewall is dropping telnet connections from that sub-network.

Thanks again.

Rudolphe

Telnet works, but not from all networks…

From the outside network it also works…
but from the internal network it does not work from all stations
all the time.

thanks for your help

On Thu, 14 Jul 2011 20:06:03 +0000, ephlodur wrote:

> Telnet works, but not from all networks…
>
> From the outside network it also works… but from the internal network
> it does not work from all stations all the time.
>
> thanks for your help

You might check hosts.allow or hosts.deny to see if somehow something got
set up to disallow it. Based on the info you’ve posted so far, the
problem is with the daemon rather than the firewall.

You should also be aware, of course, that telnet is not a secure way to
provide remote access to your system. If you’re using it for a login
shell, extracting a password from the data stream is trivially easy.

If a remote shell is what you’re doing, then you should look at using ssh
instead.

Jim


Jim Henderson

Thanks Jim for all your help
I will look at hosts.allow and hosts.deny…
As for the telnet part, I do not have a choice: these
end systems have support only for telnet, more like XOT…

This is an update from an old suse 9.0 … I have done an
iptables-save I will try a restore on the new system to completely
remove the firewall as an issue…

but you are correct it does not seem like a firewall issue

thanks again

On 2011-07-15 17:06, ephlodur wrote:
> As for the telnet part, I do not have a choice: these
> end systems have support only for telnet, more like XOT…

You will be hacked sooner or later.

You should then ssh to an intermediate machine, via internet. Once there,
open a telnet session to the internal machines. Do not ever use telnet
directly over internet.


Cheers / Saludos,

Carlos E. R.