Re: [SLE] SuSEfirewall2 and BIND

From: John S. Wolter (johnswolter_at_wolterworks.com)
Date: 10/17/03

    Date: Fri, 17 Oct 2003 09:17:58 -0400
    To: SuSE LINUX-help <suse-linux-e@suse.com>
    
    

    Ditto, I have the same problem. I can't get ping yahoo.com to translate
    to a valid IP address. I get a 'network unreachable' error message.
    SSH can't connect as well and the DMZ'ed server can't be pinged from
    outside the border network. Using ping on the server I can ping the
    router and internal routers.

    Where is documentation for the firewall located by its installation?
    Given the manual and information, I can read them for myself.

    As a first step I would like to return the firewall 2 settings to the
    original settings in the 8.1 distribution. Next I would then like to
    try variations from that starting point. Does anyone know how to
    easily return to the original setup? Note I have been doing updates to
    the 8.1 system each month.

    A comment about the mailing list. I noted that the reply-to address
    from the list is set to the sender's. Would it not be a better idea to
    set it to be the list?

    Marek Libra wrote:

    >Hi All,
    >
    >I use Apache, SSHD, BIND 8 and SuSEfirewall on SuSE 8.1 Pro, one network
    >card.
    >
    >When firewall is down, nslookup translates all DNS queries well (forwarders are set correctly).
    >
    >When firewall starts, no query is translated (either from local database
    >nor from forwarded server).
    >
    >In /var/log/messages there's NO record about dropping packets during
    >running nslookup.
    >
    >Please, how to set up BIND and SuSEfirewall to cooperate?
    >
    >Thank you very much.
    >
    >This is my /etc/sysconfig/SuSEfirewall2:
    >FW_QUICKMODE="no"
    >FW_DEV_EXT="eth0"
    >FW_DEV_INT=""
    >FW_DEV_DMZ=""
    >FW_ROUTE="no"
    >FW_MASQUERADE="no"
    >FW_MASQ_DEV="$FW_DEV_EXT"
    >FW_MASQ_NETS="0/0"
    >FW_PROTECT_FROM_INTERNAL="no"
    >FW_AUTOPROTECT_SERVICES="yes"
    >FW_SERVICES_EXT_TCP="domain www https ssh"
    >FW_SERVICES_EXT_UDP="domain"
    >FW_SERVICES_EXT_IP=""
    >FW_SERVICES_DMZ_TCP=""
    >FW_SERVICES_DMZ_UDP=""
    >FW_SERVICES_DMZ_IP=""
    >FW_SERVICES_INT_TCP=""
    >FW_SERVICES_INT_UDP=""
    >FW_SERVICES_INT_IP=""
    >FW_SERVICES_QUICK_TCP=""
    >FW_SERVICES_QUICK_UDP=""
    >FW_SERVICES_QUICK_IP=""
    >FW_TRUSTED_NETS=""
    >FW_ALLOW_INCOMING_HIGHPORTS_TCP="domain"
    >FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
    >FW_SERVICE_AUTODETECT="yes"
    >FW_SERVICE_DNS="yes"
    >FW_SERVICE_DHCLIENT="no"
    >FW_SERVICE_DHCPD="no"
    >FW_SERVICE_SQUID="no"
    >FW_SERVICE_SAMBA="no"
    >FW_FORWARD=""
    >FW_FORWARD_MASQ=""
    >FW_REDIRECT=""
    >FW_LOG_DROP_CRIT="yes"
    >FW_LOG_DROP_ALL="yes"
    >FW_LOG_ACCEPT_CRIT="yes"
    >FW_LOG_ACCEPT_ALL="no"
    >FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
    >FW_KERNEL_SECURITY="yes"
    >FW_STOP_KEEP_ROUTING_STATE="no"
    >FW_ALLOW_PING_FW="yes"
    >FW_ALLOW_PING_DMZ="no"
    >FW_ALLOW_PING_EXT="no"
    >FW_ALLOW_FW_TRACEROUTE="yes"
    >FW_ALLOW_FW_SOURCEQUENCH="yes"
    >FW_ALLOW_FW_BROADCAST="no"
    >FW_IGNORE_FW_BROADCAST="yes"
    >FW_ALLOW_CLASS_ROUTING="no"
    >FW_CUSTOMRULES=""
    >FW_REJECT="no"
    >
    >_______________________________________________________________
    >Marek Libra Phone:+420 776 039 948 Email: xlibra@fi.muni.cz
    >Faculty of Informatics, Masaryk University Brno, Czech Republic
    >_______________________________________________________________
    >
    >
    >

    -- 
    ------------ Wolter Works - Always Innovating -------------
    - Industry and Commerce Internet Invention
    - Internet Marketing Product Concepts & Implementation
    mailto:johnswolter@wolterworks.com
    John Wolter, President
    1531 Jones Drive
    Ann Arbor, MI 48105-1871 USA
    1-734-665-1263
    Copyright 2003 John S. Wolter
      
    Neither this information block, the typed name of the sender,
    nor anything else in this message is intended to constitute an
    electronic signature unless a specific statement to the contrary
    is included in this message.