Bug 151795

Summary: FW_FORWARD_MASQ lacks reverse rules
Product: [openSUSE] SUSE Linux 10.1
Component: Network
Version: Beta 1
Hardware: Other
OS: Other
Status: RESOLVED FIXED
Severity: Normal
Priority: P5 - None
Target Milestone: ---
Reporter: Ludwig Nussel <lnussel>
Assignee: Ludwig Nussel <lnussel>
QA Contact: E-mail List <qa-bugs>
CC: suse-beta
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Ludwig Nussel 2006-02-17 13:28:49 UTC
Date: Fri, 17 Feb 2006 10:15:35 -0300
From: pronco@conae.gov.ar
To: suse-security@suse.com
Subject: [suse-security] Stateful packet inspection in SuSEfirewall2

Hi,

Is there any way to configure stateful packet inspection rules in
SuSEfirewall2 for masqueraded networks? When I configure a rule in
FW_MASQ_NETS in order to allow traffic from the outside to the DMZ, I
also have to configure a rule for responses.

Example: Incoming traffic to my web server in a DMZ with private addresses

FW_FORWARD_MASQ="0/0,192.168.1.5,tcp,80"

I also need to set up the following rules in order to let responses out

FW_MASQ_NETS="192.168.1.5/32,0/0,tcp,1024:65535"

This rule permits not only established sessions, but additionally it
allows my web server to establish connections to the outside world.

Don't know why the FW_FORWARD rules are stateful, as I want, but the
FW_MASQ_NETS ones don't.

Any suggestion?
Is it possible to match the SYN, ACK and FIN TCP bits with SuSEfirewall2?


Thanks in advance.
Pablo Ronco

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
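The difference the report describes, as an added illustration (this is not SuSEfirewall2's own rule generator, just a sketch of the iptables rules a stateful FW_FORWARD_MASQ entry has to expand to): the forwarded connection needs a DNAT rule, a FORWARD rule that accepts NEW, and a reverse FORWARD rule limited to ESTABLISHED,RELATED so the DMZ host can answer without being allowed to originate connections. The FW_MASQ_NETS workaround from the mail is generated alongside it to show why it over-permits. Assumed for the example: the external interface is named "eth0", tuples use the four-field "source,dest,proto,port" form from the report, and iptables' state match is available. The script only prints rules and never touches the kernel.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code. Prints the iptables rules behind a
# FW_FORWARD_MASQ tuple (stateful) and a FW_MASQ_NETS tuple (the workaround).
# Assumptions: external interface "eth0", four-field tuples, iptables state match.

EXT_IF="${EXT_IF:-eth0}"

split_tuple() {
    # Split "a,b,c,d" into the globals f1..f4 (POSIX sh has no arrays).
    _old_ifs=$IFS
    IFS=','
    set -- $1
    IFS=$_old_ifs
    f1=$1; f2=$2; f3=$3; f4=$4
}

gen_forward_masq() {
    # $1 = "source_net,forward_to_ip,proto,port" (FW_FORWARD_MASQ form)
    split_tuple "$1"
    src=$f1; dst=$f2; proto=$f3; port=$f4
    # 1. rewrite the destination on the way in
    printf '%s\n' "iptables -t nat -A PREROUTING -i $EXT_IF -s $src -p $proto --dport $port -j DNAT --to-destination $dst"
    # 2. let the forwarded connection through; NEW is required here
    printf '%s\n' "iptables -A FORWARD -i $EXT_IF -s $src -d $dst -p $proto --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT"
    # 3. the reverse rule the bug is about: replies only, never NEW, so the
    #    DMZ host can answer but cannot open connections to the outside
    printf '%s\n' "iptables -A FORWARD -o $EXT_IF -s $dst -d $src -p $proto --sport $port -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

gen_masq_nets() {
    # $1 = "source_net,dest_net,proto,port" (FW_MASQ_NETS form, the workaround)
    split_tuple "$1"
    src=$f1; dst=$f2; proto=$f3; port=$f4
    printf '%s\n' "iptables -t nat -A POSTROUTING -o $EXT_IF -s $src -d $dst -p $proto --dport $port -j MASQUERADE"
    # no state match: this also accepts NEW connections from the DMZ host,
    # which is exactly the over-permission the report complains about
    printf '%s\n' "iptables -A FORWARD -o $EXT_IF -s $src -d $dst -p $proto --dport $port -j ACCEPT"
}

allows_new_connections() {
    # True (exit 0) when a FORWARD rule would also accept NEW connections,
    # i.e. it carries no state match limited to ESTABLISHED,RELATED.
    case "$1" in
        *"--state ESTABLISHED,RELATED "*) return 1 ;;
        *) return 0 ;;
    esac
}

reverse_rule() {
    # The reply-direction rule (third line) of a FW_FORWARD_MASQ expansion.
    gen_forward_masq "$1" | sed -n '3p'
}

workaround_forward_rule() {
    # The FORWARD rule (second line) of a FW_MASQ_NETS expansion.
    gen_masq_nets "$1" | sed -n '2p'
}

# Demo with the two tuples from the report
gen_forward_masq "0/0,192.168.1.5,tcp,80"
gen_masq_nets "192.168.1.5/32,0/0,tcp,1024:65535"
```

Run it and compare the two FORWARD rules leaving on eth0: the FW_FORWARD_MASQ reverse rule matches only packets conntrack already knows about, while the FW_MASQ_NETS rule has no state match at all and therefore also lets 192.168.1.5 open new connections to any port above 1023, which is the behaviour the reporter wanted to avoid.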
Comment 1 Ludwig Nussel 2006-02-20 13:40:11 UTC
fixed