fabianmk wrote:

> I need help with Forward Service in Server Linux Enterprise SP3.

In your other post you say:
> Server Internet / Firewall: eth0 external / internet interface (Static IP

You say this is your Internet interface but you are using a private IP
address, which is not valid for the Internet. May I assume your gateway to
the Internet is through another router? If this is so, then that router
is likely providing a NAT function, so you would not need to use
masquerading on this server. Besides, to me it doesn't make much sense
to use masquerading to substitute one private IP address for another.

> eth1 internal interface (Static IP
> Workstation: Gateway needs to use
> port 7000 NET Application connection server of provider telephony card
> Gateway needs to
> use port 3389 for Remote Control Server External

OK, to simplify:
Port 3389 traffic must be directed to
Port 7000 traffic must be directed to

These packets must be forwarded from the external interface to their
respective hosts on your LAN.

I will comment on your firewall settings...

As Jens already mentioned, this does not seem to be a valid interface:
> FW_DEV_DMZ="usb0"

> # Setting this option one alone doesn't do anything. Either activate
> # masquerading with FW_MASQUERADE below if you want to masquerade
> # your internal network to the internet, or configure FW_FORWARD to
> # define what is allowed to be forwarded.
While this setting is correct, you need to make sure FW_FORWARD has the
correct settings.
> FW_ROUTE="yes"

This sets up masquerading but your Internet interface has a private IP
address. All outgoing packets will be assigned instead
of 192.168.0.n. I suspect you don't need this. All these settings
should be set to "".
> FW_MASQ_DEV="zone:ext"
> FW_MASQ_NETS="0/0"

FW_SERVICES_xxx_xxx specifies which services you want to allow access
to ON THE FIREWALL. From what you have told us, you don't want to do
that except for possibly 3050. You already said traffic on ports 3389
and 7000 is to be directed to specific hosts on the LAN.
> FW_SERVICES_EXT_TCP="3050 3389 7000"

> FW_SERVICES_EXT_UDP="3389 7000"


Do you really want to allow access to these services on your server?
> FW_CONFIGURATIONS_EXT="samba-client samba-server vnc-server
> xorg-x11-server"

Here you are saying to allow this traffic to enter your server from the
Ext interface (Internet) but these services aren't running on your
server so this is incorrect.
> FW_SERVICES_ACCEPT_EXT="0/0,tcp,3389,3389
> 0/0,udp,3389,3389
> 0/0,tcp,7000,7000
> 0/0,udp,7000,7000"


I'm not exactly sure what you are trying to do here. It looks as if you
are allowing EVERYTHING through the external interface to enter the
server. I suspect this should be changed.


FW_FORWARD determines WHAT gets forwarded. The syntax is the same as is
used for FW_FORWARD_MASQ. You are telling the firewall to forward
outgoing (only) traffic but only between two specific networks.

At the very least, this syntax is incorrect. It must be on one line or
else you have to use a line continuation character: "\"
> FW_FORWARD_MASQ="0/0,,tcp,7000
> 0/0,,udp,7000
> 0/0,,tcp,3389
> 0/0,,udp,3389"

FW_FORWARD_MASQ="0/0,,tcp,7000 \
0/0,,udp,7000 \
0/0,,tcp,3389 \
0/0,,udp,3389"
Assuming you don't use masquerading and you want to allow ALL outgoing
traffic, FW_FORWARD should look something like this:
FW_FORWARD=",0/0 \
0/0,,tcp,7000 \
0/0,,udp,7000 \
0/0,,tcp,3389 \
0/0,,udp,3389"

I have not verified your other firewall settings.

Please see /etc/sysconfig/SuSEfirewall2 for a description of what each
setting does.

Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
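As an added example, not code from the post above and not part of SuSEfirewall2 itself: a small POSIX shell script that reads FW_FORWARD and FW_FORWARD_MASQ entries in the syntax documented in /etc/sysconfig/SuSEfirewall2 and prints the iptables rules they amount to, so a config like the one discussed in this thread can be checked by eye before the firewall is reloaded. It also shows the line-continuation form for a multi-line value and rejects the ",," gap (missing forward-to address). The external interface eth0, the LAN 192.168.0.0/24, the telephony host 192.168.0.10 and the RDP host 192.168.0.20 are assumptions for the sample, and the rule translation is my reading of the documented entry syntax, not SuSEfirewall2's actual generated ruleset.

```shell
#!/bin/sh
# Added example; not code from the original post and not part of SuSEfirewall2.
# Reads FW_FORWARD / FW_FORWARD_MASQ entries and prints the iptables rules they
# stand for. Nothing here executes iptables; it only prints.
#
#   FW_FORWARD entry:      source_net,dest_net[,protocol[,dest_port]]
#   FW_FORWARD_MASQ entry: source_net,forward_to_ip,protocol,port[,redirect_port[,own_ip]]
#
# Assumed, not from the page: external interface eth0, LAN 192.168.0.0/24,
# telephony host 192.168.0.10 (port 7000), RDP host 192.168.0.20 (port 3389).

EXT_DEV="eth0"

# "0/0" is SuSEfirewall2 shorthand for any address; iptables wants 0.0.0.0/0.
expand_any() { [ "$1" = "0/0" ] && echo "0.0.0.0/0" || echo "$1"; }

# One FW_FORWARD_MASQ entry -> a DNAT rule plus the FORWARD rule that lets the
# rewritten packet through. Returns 1 (message on stderr) for a bad entry,
# e.g. the ",," gap in "0/0,,tcp,7000" where the forward-to address is missing.
fw_forward_masq_rule() {
    entry=$1
    IFS=, read -r src dst proto port rport own extra <<EOF
$entry
EOF
    case $proto in
        tcp|udp) ;;
        *) echo "FW_FORWARD_MASQ '$entry': protocol must be tcp or udp" >&2; return 1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "FW_FORWARD_MASQ '$entry': port '$port' is not a number" >&2; return 1 ;;
    esac
    if [ -z "$dst" ]; then
        echo "FW_FORWARD_MASQ '$entry': forward-to address is empty" >&2
        return 1
    fi
    rport=${rport:-$port}            # no redirect port: same port on the LAN host
    src=$(expand_any "$src")
    match="-i $EXT_DEV -s $src -p $proto --dport $port"
    [ -n "$own" ] && match="$match -d $own"   # own_ip: match only this external address
    echo "iptables -t nat -A PREROUTING $match -j DNAT --to-destination $dst:$rport"
    echo "iptables -A FORWARD -i $EXT_DEV -s $src -d $dst -p $proto --dport $rport -j ACCEPT"
}

# One FW_FORWARD entry -> a plain FORWARD accept rule (no address rewriting).
fw_forward_rule() {
    entry=$1
    IFS=, read -r src dst proto port extra <<EOF
$entry
EOF
    if [ -z "$src" ] || [ -z "$dst" ]; then
        echo "FW_FORWARD '$entry': needs source_net,dest_net" >&2
        return 1
    fi
    if [ -n "$port" ] && [ -z "$proto" ]; then
        echo "FW_FORWARD '$entry': a port needs a protocol" >&2
        return 1
    fi
    rule="iptables -A FORWARD -s $(expand_any "$src") -d $(expand_any "$dst")"
    [ -n "$proto" ] && rule="$rule -p $proto"
    [ -n "$port" ] && rule="$rule --dport $port"
    echo "$rule -j ACCEPT"
}

# Walk a whole variable value. Entries are whitespace separated, which is why a
# value spread over several lines must join them with a trailing backslash.
render_rules() {  # $1: forward|masq   $2: the variable's value
    for e in $2; do
        case $1 in
            forward) fw_forward_rule "$e" || return 1 ;;
            masq)    fw_forward_masq_rule "$e" || return 1 ;;
        esac
    done
}

# Sample config (constructed), written with line continuation so the shell
# sees a single value.
FW_FORWARD_MASQ="0/0,192.168.0.10,tcp,7000 \
0/0,192.168.0.10,udp,7000 \
0/0,192.168.0.20,tcp,3389 \
0/0,192.168.0.20,udp,3389"
FW_FORWARD="192.168.0.0/24,0/0"

render_rules masq "$FW_FORWARD_MASQ"
render_rules forward "$FW_FORWARD"
```

Run it as-is to see the eight DNAT/FORWARD rules for the sample value, or feed it your own entries; after reloading the real firewall, `iptables -t nat -L -n` and `iptables -L FORWARD -n` show what actually got installed so the two can be compared.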