Xmanager Forum

Firewall with masquerading

Last post: Monday, August 9, 2004 3:38 PM by Support, 11 replies

 
Saturday, July 31, 2004 3:41 AM - Chethan

Firewall with masquerading

 
Hi:
I have configured the Linux machine as told in the documentation. I have even set up the firewall as told.
I use SuSE 9. The firewall settings look like this:

FW_QUICKMODE="no"
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
#FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="http ftp telnet ssh login exec shell 1723 7100 6000:6010 512 513 514 23 22"
FW_SERVICES_EXT_UDP="177"
FW_SERVICES_EXT_IP="47"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""

FW_ALLOW_INCOMING_HIGHPORTS_TCP="1723"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"

FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""

I create a VPN connection to the Linux Box using PPTP.
After creating the VPN, it would not connect to the machine with the firewall up. If I bring the firewall down I am able to connect to the server using Xmanager, but not with the firewall. Are there any other settings I need to configure in the firewall to get this working? Any help regarding this will be appreciated.

with best regards
Chethan Channappa
Saturday, July 31, 2004 4:02 AM - Chethan

Re: Firewall with masquerading

 
In addition to this, if you could also help me with this: I want to connect to a server which is behind the firewall which I mentioned in the first mail. Is there any way I can forward the Xmanager traffic through to the server inside this firewall? Any help regarding this will be great.
with best regards
Chethan Channappa

PS: I know I have to do something with FW_FORWARD or FW_FORWARD_MASQ.
Sunday, August 1, 2004 12:15 AM - Kaeri

Re: Re: Firewall with masquerading

 
You may get some hints from FAQ in this homepage, especially FAQ #4.

Kaeri
Monday, August 2, 2004 7:25 AM - Chethan

Re: Re: Re: Firewall with masquerading

 
I tried that and it did not work.
Monday, August 2, 2004 7:27 AM - Chethan

Re: Re: Re: Firewall with masquerading

 
But here in my situation I'm inside a NATed firewall.
Monday, August 2, 2004 4:29 PM - Support

Re: Re: Re: Re: Firewall with masquerading

 
In the firewall settings, change the following:

FW_ALLOW_FW_BROADCAST="yes"

Then, restart the firewall.

Hope this helps you.

----
Technical Support
Tuesday, August 3, 2004 2:04 AM - Chethan

Re: Re: Re: Re: Re: Firewall with masquerading

 
Hi:
Thank you. I changed the setting but it did not work.
Chethan Channappa
Tuesday, August 3, 2004 3:58 PM - Support

Re: Firewall with masquerading

 
Can you see the SuSE 9.0 box in Xbrowser? If you can, UDP 177 is configured correctly and only TCP ports 6000 ~ 6010 need to be considered for correct forwarding.

Xmanager listens on TCP ports 6000 ~ 6010, and the connection from the SuSE 9.0 box to Xmanager should be allowed.

For more help, please provide us with the Xmanager log files at:

For Xmanager 1.3.9:
C:\Program Files\Xmanager1.3.9\Xmanager.log

For Xmanager 2.0:
C:\Documents and Settings\%USER%\Application Data\NetSarang\Xmanager\2\Log\*.log

And also provide the IP addresses of both eth0 and eth1.

----
Technical Support

Wednesday, August 4, 2004 2:40 AM - Chethan

Re: Re: Firewall with masquerading

 
Hi:
The configuration looks like this.

Firewall1 (eth1 external interface 129.110.65.38)
(eth0 internal interface 192.168.0.1)
|
|
hardware firewall (with NAT)
| (external interface 192.168.0.10)
| (internal interface 192.168.2.10)
Server ( to be connected for Xmanager) 192.168.2.1

I create a VPN tunnel to the firewall1 external interface. I have opened ports 6000-6010 on the firewall to let the traffic in.
I have configured the hardware firewall to let the Xmanager traffic through too, for 6000-6010 and UDP port 177. So it does auto forwarding to the server when it gets traffic on the external interface. If you can tell me how to forward the traffic at firewall1 it would be great. I really appreciate the responses I am getting from your side.

thanks a lot
Chethan

PS: I'm attaching the log files. Also, I was able to log on to Firewall1 through Xmanager 2.
Wednesday, August 4, 2004 4:31 AM - Support

Re: Re: Re: Firewall with masquerading

 
You should configure the hardware firewall as follows:

Forward: UDP 177 of 192.168.0.10 ==> UDP 177 of 192.168.2.1
Forward: TCP 6002 of 192.168.2.10 ==> TCP 6002 of 192.168.0.151

Then, run the attached XDMCP session file.

Your network configuration is very complex because two private networks are linked via a NAT firewall.

----
Technical Support
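An added example, not part of the thread or of the Xmanager product: a small Python model of the two legs of an XDMCP session as they cross the hardware firewall described above. Leg 1 is the UDP 177 query from Xmanager to the server; leg 2 is the TCP 6000+display connection the X server opens back to the client, which is why a forward towards the server alone is not enough. It uses the addresses from this thread and assumes the session file Support attached advertises the hardware firewall's inner address 192.168.2.10 as display :2.

```python
from dataclasses import dataclass, field

XDMCP_PORT = 177        # XDMCP runs over UDP 177 (FW_SERVICES_EXT_UDP="177")
X11_BASE_PORT = 6000    # X display N listens on TCP 6000 + N (the 6000:6010 range)

# Addresses from the thread; the client address is the one in Support's reply
CLIENT = "192.168.0.151"   # Xmanager PC, reached through the PPTP tunnel on firewall1
HWFW_EXT = "192.168.0.10"  # hardware firewall, external side (towards firewall1)
HWFW_INT = "192.168.2.10"  # hardware firewall, internal side (towards the server)
SERVER = "192.168.2.1"     # X server host behind the hardware firewall

@dataclass
class NatFirewall:
    """Port-forwarding table: (proto, addressed_ip, port) -> (target_ip, port)."""
    forwards: dict = field(default_factory=dict)

    def forward(self, proto, from_ip, from_port, to_ip, to_port):
        self.forwards[(proto, from_ip, from_port)] = (to_ip, to_port)

    def deliver(self, proto, dst_ip, dst_port):
        """Where a packet for dst_ip:dst_port ends up, or None if no rule matches."""
        return self.forwards.get((proto, dst_ip, dst_port))

def xdmcp_path(fw, display, query_ip=HWFW_EXT, display_ip=HWFW_INT):
    """Trace both legs of an XDMCP session through the hardware firewall.
    Leg 1: Xmanager sends the XDMCP query to query_ip on UDP 177; it must reach SERVER.
    Leg 2: the server opens TCP 6000+display back to display_ip; it must reach CLIENT.
    display_ip is the address the session file advertises as the X display (assumed)."""
    x_port = X11_BASE_PORT + display
    return {
        "xdmcp_query": fw.deliver("udp", query_ip, XDMCP_PORT) == (SERVER, XDMCP_PORT),
        "x11_reverse": fw.deliver("tcp", display_ip, x_port) == (CLIENT, x_port),
    }

def poster_setup():
    """What the poster described: UDP 177 and TCP 6000-6010 both forwarded inbound to the server."""
    fw = NatFirewall()
    fw.forward("udp", HWFW_EXT, XDMCP_PORT, SERVER, XDMCP_PORT)
    for port in range(X11_BASE_PORT, X11_BASE_PORT + 11):
        fw.forward("tcp", HWFW_EXT, port, SERVER, port)
    return fw

def support_setup():
    """What Support recommended: UDP 177 inbound to the server, TCP 6002 from the inner side back to the client."""
    fw = NatFirewall()
    fw.forward("udp", HWFW_EXT, XDMCP_PORT, SERVER, XDMCP_PORT)
    fw.forward("tcp", HWFW_INT, X11_BASE_PORT + 2, CLIENT, X11_BASE_PORT + 2)
    return fw
```

Calling `xdmcp_path(poster_setup(), display=2)` reports the UDP query reaching the server but the X11 reverse leg failing, while `support_setup()` passes both legs for display :2 only.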
Wednesday, August 4, 2004 6:58 AM - Chethan

Re: Re: Re: Re: Firewall with masquerading

 
Thanks a lot for the reply. I will try this configuration. I want to know what the attachment with the mail was.
Monday, August 9, 2004 3:38 PM - Support

Re: Re: Re: Re: Re: Firewall with masquerading

 
The attached file is an Xbrowser session file that was exported from the Xbrowser window.

You can import the file by dragging it and dropping it on the Xbrowser window. After importing the file, right-click on the session, and then click Properties to edit it.

----
Technical Support