[Linux-ag] SuSEfirewall and Routing Errors

---------


From: Volkan Evrin (vevrin@yahoo.com)
Date: Sat 25 Dec 2004 - 22:00:21 EET


Hello

At the company's new site I have set up a structure that is independent of Windows. I have mostly sorted out the e-mail, Samba and Squid work, but I could not solve the firewall setup and the routing.
The layout is as follows:
Local network: 192.168.0.0/24 - eth0
Company head office: 192.168.192.0/18 - eth1 *we are connected here through a router over a tunnel link (router tunnel gre).
For Internet access we also have one real IP obtained from the ISP. "eth2"

From a machine on the local network I can see the company's remote office with ping, but I cannot reach it in any other way.

On the machine with the firewall installed, *the server with the real IP* can reach the Internet, but the machines on the local network cannot.

The firewall machine is SuSE 9.2. On it I am running the SuSEfirewall settings.

I searched Google and the like for the errors I get in /var/log/messages, but I could not find a sensible explanation anywhere.
Dec 25 21:32:28 akya kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=isp_dns LEN=65 TOS=0x10 PREC=0x00 TTL=127 ID=59761 PROTO=UDP SPT=1048 DPT=53 LEN=45
Dec 25 21:34:33 akya kernel: martian source 192.168.0.9 from 192.168.0.201, on dev eth1
Dec 25 21:34:33 akya kernel: ll header: ff:ff:ff:ff:ff:ff:00:50:0f:07:25:31:08:06
Dec 25 21:34:48 akya kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=isp_dns LEN=65 TOS=0x10 PREC=0x00 TTL=127 ID=59824 PROTO=UDP SPT=1048 DPT=53 LEN=45
Dec 25 21:34:56 akya kernel: martian source 192.168.0.255 from 192.168.0.6, on dev eth1
Dec 25 21:34:56 akya kernel: ll header: ff:ff:ff:ff:ff:ff:00:00:39:31:f4:d9:08:00
Dec 25 21:35:08 akya kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 SRC=192.168.0.6 DST=isp_dns LEN=65 TOS=0x10 PREC=0x00 TTL=127 ID=59832 PROTO=UDP SPT=1048 DPT=53 LEN=45

My SuSEfirewall settings are these:

FW_QUICKMODE="no"
FW_DEV_EXT="eth2 eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24,0/0,tcp,80
192.168.0.0/24,0/0,tcp,21"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="25 53 80 110 3128 9001"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.0.0/24,tcp 192.168.0.0/24,udp
192.168.192.0/18,tcp 192.168.192.0/18,udp
<isp_ip_network>,tcp"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_FORWARD="192.168.0.0/24,192.168.192.0/18
192.168.192.0/18,192.168.0.0/24
192.168.0.201/32,192.168.0.0/24
192.168.0.201/32,192.168.200.4/32
192.168.0.0/24,192.168.0.201
<isp_ip_sunucu>,<isp_ip_gateway>
<isp_ip_gateway>,<isp_ip_sunucu>"
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"

And the routes I wrote for the Ethernet interfaces are these:
0.0.0.0 0.0.0.0 isp_ip_gateway (via eth2)
192.168.192.0 255.255.192.0 192.169.0.201 (via eth1)

Thanks in advance to anyone who knows the SuSE structure or can help with general routing/firewall matters.

Best regards

Volkan Evrin


_______________________________________________
Linux-ag mailing list
Linux-ag@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-ag
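An added diagnostic example, not code from the post or from SuSEfirewall2 itself: it parses SFW2 drop lines like the ones quoted above and checks each against the FW_MASQ_NETS entries, which makes it visible that the logged UDP/53 forwards from eth0 to eth2 match none of the masquerade entries (only TCP 80 and 21 are listed). The sample log lines and the 198.51.100.1 address standing in for the ISP resolver are constructed.

```python
import ipaddress
import re

# Constructed sample input: the FW_MASQ_NETS value from the post, a DNS drop as
# logged in the post (DST is a documentation address) and a constructed HTTP drop.
FW_MASQ_NETS = "192.168.0.0/24,0/0,tcp,80 192.168.0.0/24,0/0,tcp,21"
SAMPLE_LOG = [
    "Dec 25 21:32:28 akya kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 "
    "SRC=192.168.0.6 DST=198.51.100.1 LEN=65 TOS=0x10 PREC=0x00 TTL=127 "
    "ID=59761 PROTO=UDP SPT=1048 DPT=53 LEN=45",
    "Dec 25 21:33:02 akya kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=eth2 "
    "SRC=192.168.0.6 DST=198.51.100.1 LEN=60 TOS=0x00 PREC=0x00 TTL=127 "
    "ID=59800 PROTO=TCP SPT=1100 DPT=80 LEN=40",
]
KV_RE = re.compile(r"(\w+)=(\S*)")

def _net(text):
    # SuSEfirewall2 writes "any network" as 0/0, which ipaddress rejects.
    return ipaddress.ip_network("0.0.0.0/0" if text in (None, "0/0") else text, strict=False)

def parse_masq_nets(value):
    """Split FW_MASQ_NETS (source[,destination[,protocol[,port]]] per entry, a
    missing field meaning 'any') into (src_net, dst_net, proto, port) tuples."""
    rules = []
    for entry in value.split():
        src, dst, proto, port = (entry.split(",") + [None] * 4)[:4]
        rules.append((_net(src), _net(dst), proto.lower() if proto else None,
                      int(port) if port else None))  # assumption: single ports only
    return rules

def parse_sfw2_line(line):
    """KEY=VALUE fields of an SFW2 log line plus its chain tag; None otherwise."""
    m = re.search(r"SFW2-(\S+)\s+(.*)", line)
    if not m:
        return None  # e.g. the "martian source" lines are not SFW2 drops
    fields = dict(KV_RE.findall(m.group(2)))  # the second LEN= (L4 header) wins
    fields["chain"] = m.group(1)
    return fields

def matching_masq_rule(fields, rules):
    """Index of the first FW_MASQ_NETS entry covering this packet, else None."""
    src, dst = ipaddress.ip_address(fields["SRC"]), ipaddress.ip_address(fields["DST"])
    proto = fields.get("PROTO", "").lower()
    dport = int(fields["DPT"]) if "DPT" in fields else None
    for i, (snet, dnet, rproto, rport) in enumerate(rules):
        if src in snet and dst in dnet and rproto in (None, proto) \
                and rport in (None, dport):
            return i
    return None  # on a FWDint-DROP line: no masquerade entry applied to it
```

Running it over a real /var/log/messages amounts to feeding each line to parse_sfw2_line and reporting the FWDint-DROP entries for which matching_masq_rule returns None.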



---------

This archive was generated by hypermail 2.1.2.