
Multi NIC Firewall Problem



tgm_its
06-Mar-2013, 13:14
Hi,

info about the server:
eth0: 10.2.24.22/24 gw 10.2.24.1 internal Zone in Firewall
eth1: 193.x.x.100/24 gw 193.x.x.254 external Zone in Firewall with ssh, http, https allowed
default route: 10.2.24.1

Everything works fine until the firewall is started. Then only connections to eth0 are possible.
If I change the default route to 193.x.x.254, only connections to eth1 (ping, ssh, http, https) are possible, but eth0 is completely down.

I have to disable the firewall and reboot the whole server to get both NICs to work again.
Even if I change eth1 to the internal Zone it does not work.

I had the same problem without the firewall. This was solved by:
net.ipv4.conf.all.rp_filter = 0
in /etc/sysctl.conf

KBOYLE
06-Mar-2013, 20:33
tgm its wrote:

>
> Hi,
>
> info about the server:
> eth0: 10.2.24.22/24 gw 10.2.24.1 internal Zone in Firewall
> eth1: 193.x.x.100/24 gw 193.x.x.254 external Zone in Firewall with
> ssh, http, https allowed
> default route: 10.2.24.1

Refer to: /etc/sysconfig/SuSEfirewall2

The firewall not only blocks certain traffic it also /permits/ certain
traffic. Without the firewall running, you should be able to access
services on the server from either the public or private network.
However, if you want to pass traffic from the private network /through/
the server to the public network you have to do two things:

1. Enable IP forwarding
2. Specify /what/ traffic is to be forwarded

Both of these functions are enabled by the firewall so the firewall has
to be running for all this to work properly.

You can enable IP forwarding using YaST Network Settings.
You can configure your firewall settings using YaST Firewall.

You can also edit /etc/sysconfig/SuSEfirewall2 directly. Make a backup
first. All the configuration settings are nicely documented in the file
and looking at the file may provide a better picture of what is
happening.

--
Kevin Boyle - Knowledge Partner

tgm_its
11-Mar-2013, 09:47
Hi,

That's not the problem I described.
I don't want to forward anything. I don't want to use the server as a router, etc.

The problem is that if I enable the firewall, one port is not responding to anything (if the default gw is 10.2.24.1 the external IF is not responding; if the default gw is 193.x.x.254 the internal IF is not responding), even if I configure both interfaces as internal zone.

Even stranger is that I have to reboot the server if I disable the firewall to get both IFs to work again.

tgm_its
11-Mar-2013, 10:10
tgm its wrote:

> You can also edit /etc/sysconfig/SuSEfirewall2 directly. Make a backup
> first. All the configuration settings are nicely documented in the file
> and looking at the file may provide a better picture of what is
> happening.

I changed the following from yes to no:

# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY="no"

now it seems to work.
Does somebody know if this option is very critical for security? (for sure it's better than no firewall at all)
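Added example (not from the thread, and not SuSEfirewall2 code): a small Python model of Linux reverse-path filtering that reproduces the symptom described above and shows the fix a practitioner would normally prefer to switching rp_filter or FW_KERNEL_SECURITY off. The explanation that fits the symptoms is that FW_KERNEL_SECURITY turns strict reverse-path filtering (net.ipv4.conf.all.rp_filter=1) back on, undoing the sysctl.conf override from the first post. With a single default route via 10.2.24.1, the kernel's reverse lookup for a packet arriving on eth1 from a remote address finds the way back via eth0, so strict mode drops it; hosts on the directly connected 193.x.x.0/24 still get through, and swapping the default route moves the dead interface to eth0. A second routing table selected by an `ip rule ... from <eth1 address>` makes that reverse lookup land on eth1 (Linux performs it with the packet's destination, the server's own address, as the lookup source, so `from` rules match), and it also sends the replies out of eth1 instead of eth0, so rp_filter can stay strict. Everything not in the thread is constructed: 192.0.2.100/24 with gateway 192.0.2.254 stands in for the redacted 193.x.x.100/24, the client 203.0.113.7 and the second internal subnet 10.2.30.0/24 are invented, and table number 100 is arbitrary.

```python
"""Model of Linux reverse-path filtering (net.ipv4.conf.*.rp_filter) on the
two-NIC server from this thread. Constructed example, not the poster's
configuration and not kernel code. 192.0.2.100/24 (gateway 192.0.2.254)
stands in for the redacted 193.x.x.100/24; 203.0.113.7 and 10.2.30.0/24
are invented; "100" is an arbitrary policy-routing table number."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

OFF, STRICT, LOOSE = 0, 1, 2  # the three values the rp_filter sysctl accepts


@dataclass
class Route:
    dst: ipaddress.IPv4Network  # 0.0.0.0/0 is the default route
    dev: str
    via: Optional[str] = None


@dataclass
class Rule:
    src: ipaddress.IPv4Network  # `ip rule add from <src> table <table>`
    table: str


class Host:
    def __init__(self):
        self.tables = {"main": []}
        self.rules = []

    def add_route(self, dst, dev, via=None, table="main"):
        self.tables.setdefault(table, []).append(
            Route(ipaddress.ip_network(dst), dev, via))

    def add_rule(self, src, table):
        self.rules.append(Rule(ipaddress.ip_network(src), table))

    def lookup(self, dst, src=None):
        """Longest-prefix match in the table picked by the first `from` rule
        matching src, else in main (what `ip route get DST from SRC` shows)."""
        table = "main"
        if src is not None:
            for rule in self.rules:
                if ipaddress.ip_address(src) in rule.src:
                    table = rule.table
                    break
        best = None
        for rt in self.tables.get(table, []):
            if ipaddress.ip_address(dst) in rt.dst and (
                    best is None or rt.dst.prefixlen > best.dst.prefixlen):
                best = rt
        return best

    def rp_filter_accepts(self, mode, iif, src, dst):
        """Reverse-path check for a packet src->dst that arrived on iif.
        Linux looks up the route back to src using the packet's destination
        (our own address) as the lookup source, so `from` rules apply here."""
        if mode == OFF:
            return True
        back = self.lookup(dst=src, src=dst)
        if back is None:        # no route back at all: dropped in both modes
            return False
        if mode == LOOSE:       # reachable through any interface is enough
            return True
        return back.dev == iif  # STRICT: must be reachable through iif


def thread_host(default="internal", policy_routing=False):
    """The server as described: one default route via one of the two gateways."""
    h = Host()
    h.add_route("10.2.24.0/24", "eth0")
    h.add_route("192.0.2.0/24", "eth1")
    if default == "internal":
        h.add_route("0.0.0.0/0", "eth0", via="10.2.24.1")
    else:
        h.add_route("0.0.0.0/0", "eth1", via="192.0.2.254")
    if policy_routing:
        # Equivalent iproute2 commands for the external interface:
        #   ip route add 192.0.2.0/24 dev eth1 table 100
        #   ip route add default via 192.0.2.254 dev eth1 table 100
        #   ip rule add from 192.0.2.100/32 table 100
        h.add_route("192.0.2.0/24", "eth1", table="100")
        h.add_route("0.0.0.0/0", "eth1", via="192.0.2.254", table="100")
        h.add_rule("192.0.2.100/32", "100")
    return h


def accepted(mode, iif, src, dst, default="internal", policy_routing=False):
    """Does a packet src->dst arriving on iif pass rp_filter on this server?"""
    return thread_host(default, policy_routing).rp_filter_accepts(mode, iif, src, dst)


def reply_dev(client, local, default="internal", policy_routing=False):
    """Interface the server's reply (local -> client) leaves on: forward lookup."""
    return thread_host(default, policy_routing).lookup(dst=client, src=local).dev


if __name__ == "__main__":
    ext = ("eth1", "203.0.113.7", "192.0.2.100")  # Internet client -> external IP
    for pr in (False, True):
        print("policy routing:" if pr else "default route only:",
              "strict", accepted(STRICT, *ext, policy_routing=pr),
              "loose", accepted(LOOSE, *ext, policy_routing=pr),
              "reply via", reply_dev("203.0.113.7", "192.0.2.100", policy_routing=pr))
    # Mirror case from the thread: default route via the external gateway kills
    # eth0 for anything beyond its own /24, while same-subnet hosts still get in.
    print("other internal subnet:", accepted(STRICT, "eth0", "10.2.30.5", "10.2.24.22", default="external"))
    print("same subnet:          ", accepted(STRICT, "eth0", "10.2.24.9", "10.2.24.22", default="external"))
```

The iproute2 commands in the comments of `thread_host()` are the real ones to apply; they are not persisted by `ip`, so they belong in a boot-time script, and on the kernels of that era `ip route flush cache` afterwards is worthwhile. rp_filter=2 (loose mode) is the middle ground if policy routing is not an option: the packets are accepted, but the replies still leave via the default route, which the model also shows.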