Topic: SuSEfirewall2
02.09.2007, 03:05   #2
prezha
Inactive user
Gender: Male
Registered: 16.02.2007
Posts: 2
Reputation: 0
Reply: SuSEfirewall2

I'm not sure what you want to achieve here, but there are some points you should correct; see my comments below...
Quote:
Originally posted by mingazal
Port forwarding to the internal machine does not work, please help me figure it out.
suse10.2 eth0 192.168.x.x eth1 213.172.x.x

FW_DEV_INT="eth2" => FW_DEV_INT="eth-id-_mac_address_of_your_eth0__like__eth-id-00:05:5d:dd:fd:10"
FW_DEV_EXT="eth0" => FW_DEV_EXT="eth-id-_mac_address_of_your_eth1__like__eth-id-00:05:5d:dd:fd:20"

# This option overrides IP_FORWARD from
# /etc/sysconfig/network/options

FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_INT="yes"
FW_ALLOW_PING_EXT="no"

FW_SERVICES_INT_TCP="4674"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_EXT_TCP="4674"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_INT_IP=""

FW_MASQ_NETS="0/0"

FW_FORWARD_MASQ="0/0,192.168.x.144,tcp,4674,46741,213.172.x.x"
=> FW_FORWARD_MASQ="213.172.x.x,192.168.x.144,tcp,4674,46741"
FW_SERVICES_REJECT_EXT="0/0,tcp,113"

FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"

FW_LOAD_MODULES="ip_conntrack_ftp ip_nat_ftp"
FW_PROTECT_FROM_INT="yes" => be *careful* with this:
Quote:
# If you set this to "yes", internal machines may only access
# services on the firewall you explicitly allow. If you set this to
# "no", any internal user can connect (and attack) any service on
# the firewall.

FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_SERVICES_EXT_RPC=""
FW_SERVICES_EXT_IP=""
FW_FORWARD_MASQ="" => doubled: you already set it above to "0/0,192.168.x.144,tcp,4674,46741,213.172.x.x"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_ALLOW_FW_BROADCAST_EXT=""
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_IPSEC_TRUST="no"
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_DMZ=""

If you wanted to forward port 4674 on your fw to port 46741 on the internal PC, change to this:
FW_SERVICES_EXT_TCP="4674"
FW_SERVICES_EXT_UDP="4674"
FW_FORWARD_MASQ="213.172.x.y,192.168.x.144,tcp,4674,46741 213.172.x.y,192.168.x.144,udp,4674,46741"
And also, you might need this:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

Last edited by prezha; 02.09.2007 at 03:51.
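An added check, not from the thread or from SuSEfirewall2 itself, that catches the two problems prezha points at: a variable assigned twice in /etc/sysconfig/SuSEfirewall2 (the shell that sources the file keeps only the last value, so the empty second FW_FORWARD_MASQ silently wipes the forward) and a malformed FW_FORWARD_MASQ entry. It assumes the field order shown in the quoted config (source net, target IP, protocol, port, optional redirect port, optional external IP) and uses constructed sample addresses.

```python
import re

# Constructed sample modelled on the quoted post (addresses are documentation
# ranges): the variable is assigned twice and one port carries a stray space.
SAMPLE_CONFIG = """\
FW_DEV_EXT="eth1"
FW_FORWARD_MASQ="0/0,192.168.0.144,tcp,467 4,46741,203.0.113.10"
FW_SERVICES_EXT_TCP="4674"
FW_FORWARD_MASQ=""
"""

# NAME="value" or NAME=value, with an optional trailing shell comment
ASSIGN_RE = re.compile(r'^\s*(FW_[A-Z_]+)="?([^"#]*)"?\s*(?:#.*)?$')

def parse_sysconfig(text):
    """All assignments per variable in file order; the sourcing shell keeps the last."""
    seen = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            seen.setdefault(m.group(1), []).append(m.group(2).strip())
    return seen

def check_forward_masq(value):
    """Validate FW_FORWARD_MASQ entries. Assumed field order, as in the post:
    source net, target IP, proto, port[, target port[, external IP]]."""
    problems = []
    for entry in value.split():  # entries are whitespace separated
        fields = entry.split(",")
        if not 4 <= len(fields) <= 6:
            problems.append(f"{entry!r}: expected 4-6 fields, got {len(fields)}")
            continue
        if fields[2] not in ("tcp", "udp"):
            problems.append(f"{entry!r}: protocol must be tcp or udp")
        for port in fields[3:5]:
            if not port.isdigit() or not 1 <= int(port) <= 65535:
                problems.append(f"{entry!r}: bad port {port!r}")
    return problems

def lint(text):
    """Report duplicate assignments and malformed forwarding entries."""
    findings = []
    for name, values in parse_sysconfig(text).items():
        if len(values) > 1:
            findings.append(f"{name} is assigned {len(values)} times; "
                            f"the last value {values[-1]!r} wins")
        if name == "FW_FORWARD_MASQ":
            for value in values:
                findings.extend(check_forward_masq(value))
    return findings
```

Running lint() over the real config before `rcSuSEfirewall2 restart` shows both the overriding empty assignment and the "467 4" entry, which the shell would otherwise split into two separate (and broken) forwards.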