SuSEfirewall2: 2 subnets on same interface



KBOYLE
22-Nov-2011, 03:56
This system (Dom0) has multiple interfaces:
eth0: external
br0: internal - subnet1 (private IP connects to DomU's)
eth3: internal
- subnet2 (private IP)
- subnet3 (public IP)

SuSEfirewall2 configuration
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS= private IP subnets
FW_TRUSTED_NETS= all MY subnets
FW_FORWARD= configured appropriately including subnet2 <--> subnet3

Networking was working pretty much as expected except there was no
communication between subnet2 and subnet3. I assumed this was because
they are on the same interface and routing is -between- interfaces.

/etc/sysconfig/SuSEfirewall2 states:
> ## Type: string
> ## Default:
> #
> # 33.)
> # Bridge interfaces without IP address
> #
> # Traffic on bridge interfaces like the one used by xen appears to
> # enter and leave on the same interface. Add such interfaces here in
> # order to install special permitting rules for them.
> #
> # Format: list of interface names separated by space
> #
> # Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING
> instead
> #
> # Example:
> # FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"
> #
> FW_FORWARD_ALWAYS_INOUT_DEV=""

Since FW_FORWARD_ALLOW_BRIDGING was already set to "yes", I resolved
this routing issue by setting FW_FORWARD_ALWAYS_INOUT_DEV="eth3". But
eth3 is not really a bridge and this option is deprecated. Is there
another way to make this work, other than by assigning each subnet to
its own interface, or is this configured correctly?


--
Kevin Boyle
If you find this post helpful, please click on the star below!
------------------------------------------------------------------------
KBOYLE's Profile: http://forums.novell.com/member.php?userid=19359
View this thread: http://forums.novell.com/showthread.php?t=448535

Automatic Reply
26-Nov-2011, 17:20
KBOYLE,

It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.

Has your problem been resolved? If not, you might try one of the following options:

- Visit http://support.novell.com and search the knowledgebase and/or check all
the other self support options and support programs available.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://forums.novell.com)

Be sure to read the forum FAQ about what to expect in the way of responses:
http://forums.novell.com/faq.php

If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.

Good luck!

Your Novell Product Support Forums Team
http://forums.novell.com/

magic31
30-Nov-2011, 14:36
KBOYLE;2155496 Wrote:
> This system (Dom0) has multiple interfaces:
> eth0: external
> br0: internal - subnet1 (private IP connects to DomU's)
> eth3: internal
> - subnet2 (private IP)
> - subnet3 (public IP)
>
> SuSEfirewall2 configuration
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_NETS= private IP subnets
> FW_TRUSTED_NETS= all MY subnets
> FW_FORWARD= configured appropriately including subnet2 <--> subnet3
>
> Networking was working pretty much as expected except there was no
> communication between subnet2 and subnet3. I assumed this was because
> they are on the same interface and routing is -between- interfaces.
>
> /etc/sysconfig/SuSEfirewall2 states:
>
>
> Since FW_FORWARD_ALLOW_BRIDGING was already set to "yes", I resolved
> this routing issue by setting FW_FORWARD_ALWAYS_INOUT_DEV="eth3". But
> eth3 is not really a bridge and this option is deprecated. Is there
> another way to make this work, other than by assigning each subnet to
> its own interface, or is this configured correctly?

I haven't done this before and also don't know/think it's a wise thing
to do (place the public and private IP on one interface).

In any case, for this to work I'd think you'd also need to enable
routing within the server's network configuration (as I don't see you
mentioning that).

Again, not sure but also don't think it's a good idea what you are
trying to do on one interface.

-Willem


--
Novell Knowledge Partner (voluntary sysop)

It ain't anything like Harry Potter.. but you gotta love the magic IT
can bring to this world
------------------------------------------------------------------------
magic31's Profile: http://forums.novell.com/member.php?userid=2303
View this thread: http://forums.novell.com/showthread.php?t=448535

KBOYLE
30-Nov-2011, 17:36
magic31;2157383 Wrote:
> I haven't done this before and also don't know/think it's a wise thing
> to do (place the public and private IP on one interface).
>
> In any case, for this to work I'd think you'd also need to enable
> routing within the server's network configuration (as I don't see you
> mentioning that).
>
> Again, not sure but also don't think it's a good idea what you are
> trying to do on one interface.
>
> -Willem
Hi Willem,

This server is the firewall -and- router (FW_ROUTE="yes"). The firewall
rules determine what gets through to where.

I was more interested in learning whether routing -between subnets on
the same interface- could be enabled other than by using a deprecated
option. Other than that, it appears to be working as expected. The issue
would still be present had I used two private subnets.

I guess I'm just learning about the limitations of SuSEfirewall2. I
suspect I'll have to start working with iptables to implement additional
capabilities.

Thanks!


--
Kevin Boyle
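Added example, not code from this thread or from SuSEfirewall2: a small POSIX shell function that prints the iptables and sysctl commands needed to forward between two subnets sharing one interface, the situation the opening post worked around with the deprecated FW_FORWARD_ALWAYS_INOUT_DEV and the kind of hand-written iptables Kevin expects to need. It assumes eth3 carries both subnets, uses 10.0.2.0/24 for subnet2 and the documentation range 203.0.113.0/24 for subnet3, and the chain name hairpin_eth3 is the example's own. The mechanism it addresses: a packet routed from subnet2 to subnet3 enters and leaves on eth3, so FORWARD rules written for interface pairs such as eth3 to eth0 never match it; the rules below match `-i eth3 -o eth3` explicitly. One caveat the firewall cannot fix: both subnets sit on the same layer-2 segment, and when the kernel forwards a packet back out the interface it arrived on it by default sends the sender an ICMP redirect pointing at the destination directly. A host that honours that redirect (or just adds its own route) then bypasses the firewall, so the script also turns send_redirects off for that interface; the separation between subnet2 and subnet3 is still only as strong as the hosts' willingness to go through the router.

```shell
#!/bin/sh
# Print (do not apply) the rules that allow forwarding between two subnets
# sharing one interface. Review the output, then pipe it to sh on the firewall.
# Added example: eth3, the subnets and the chain name are assumptions.

hairpin_forward_rules() {
    iface=$1; net_a=$2; net_b=$3
    if [ -z "$iface" ] || [ -z "$net_a" ] || [ -z "$net_b" ]; then
        echo "usage: hairpin_forward_rules IFACE NET_A NET_B" >&2
        return 1
    fi
    if [ "$net_a" = "$net_b" ]; then
        echo "NET_A and NET_B must differ (same-subnet traffic never reaches FORWARD)" >&2
        return 1
    fi
    chain="hairpin_${iface}"
    cat <<EOF
# Routing must be on; FW_ROUTE="yes" should already do this, but be explicit.
sysctl -w net.ipv4.ip_forward=1
# Forwarding back out ${iface} makes the kernel send ICMP redirects to the
# sender; a host that honours one then talks to the other subnet directly.
sysctl -w net.ipv4.conf.${iface}.send_redirects=0
# A dedicated chain keeps the ${iface}->${iface} policy in one place.
iptables -N ${chain} 2>/dev/null || iptables -F ${chain}
iptables -A ${chain} -m state --state ESTABLISHED,RELATED -j ACCEPT
# Narrow these to protocol/port as FW_FORWARD would, if the sites need less.
iptables -A ${chain} -s ${net_a} -d ${net_b} -j ACCEPT
iptables -A ${chain} -s ${net_b} -d ${net_a} -j ACCEPT
iptables -A ${chain} -j LOG --log-prefix "${chain} drop: "
iptables -A ${chain} -j DROP
# Jump from FORWARD ahead of interface-pair rules, which cannot match this traffic.
iptables -D FORWARD -i ${iface} -o ${iface} -j ${chain} 2>/dev/null
iptables -I FORWARD 1 -i ${iface} -o ${iface} -j ${chain}
EOF
}

# Invocation for the thread's layout (constructed addresses):
hairpin_forward_rules eth3 10.0.2.0/24 203.0.113.0/24
```

SuSEfirewall2 rebuilds its chains on every restart, so rules added by hand like these disappear with the next reload; they have to be reapplied from a hook it runs itself (the FW_CUSTOMRULES script, where your version provides one) rather than pasted once at a shell.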

magic31
30-Nov-2011, 19:16
KBOYLE;2157479 Wrote:
> Hi Willem,
>
> This server is the firewall -and- router (FW_ROUTE="yes"). The firewall
> rules determine what gets through to where.
>
> I was more interested in learning whether routing -between subnets on
> the same interface- could be enabled other than by using a deprecated
> option. Other than that, it appears to be working as expected. The issue
> would still be present had I used two private subnets.
>
> I guess I'm just learning about the limitations of SuSEfirewall2. I
> suspect I'll have to start working with iptables to implement additional
> capabilities.
>
> Thanks!


Hey Kevin,

The routing switch I mean is in the network configuration... and I
thought unrelated to the SuSEfirewall, and something within the Linux
network stack itself. Now you mention it, it's something I need to take
a closer look at :)

Thanks for the thanks... but it's apparent you have a better clue what
you are doing here than I have. :P

Cheers,
Willem


--
Novell Knowledge Partner (voluntary sysop)