
router suse 8.1




gravity
24.11.02, 16:59
Hello,

I want to build a router with SuSE 8.1. I also found some general documentation on the net for it. Unfortunately it describes the configuration of daemons that (I think) no longer exist in 8.1 -> pppoed; instead there is an smpppd. When I start it I still can't send a ping to the net, although I have configured my T-DSL access via YaST. Since I'm quite a Linux newbie, I don't know what to do next.

Can anyone help me with this?

HangLoose
24.11.02, 17:57
Hi there

If smpppd is running, enter cinternet --start and then try a ping again.

gravity
24.11.02, 18:11
OK, that worked. Thank you.
If I now enable IP forwarding with

echo 1 > /proc/sys/net/ipv4/ip_forward

am I then already done with the router configuration?
I saw the command

iptables -t nat POSTROUTING -o ppp0 MASQUERADE

in the documentation. But it doesn't work. Is that due to
SuSE, or am I still doing something wrong?

HangLoose
24.11.02, 18:43
Hi

Besides routing, you also need masquerading for your clients?

The easiest way to get that is through a firewall. SuSE 8.1 ships SuSEfirewall2, which you can also configure with YaST.

Or you write your own script.


PS: you can also have a script generated for you here => http://www.harry.homelinux.org/modules.php?name=iptables_Generator


Regards, HangLoose
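As an added example, not from the thread, from SuSE, or from the generator linked above: the kind of "own script" HangLoose mentions, for the setup gravity describes in the post before (forwarding plus masquerading on the DSL link). The interface names are assumptions taken from the config posted later in the thread: ppp0 toward T-DSL, eth1 toward the LAN. It shows the working form of the MASQUERADE rule quoted above, which needs -A to append to the chain and -j to name the target, and it wraps NAT in a default-deny filter so that only LAN-initiated connections and their replies are forwarded. Because the filter only matches interface names with -i/-o, iptables loads these rules even before ppp0 exists; it only has to resolve an address when a hostname is given to -s or -d.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateful NAT router for the
# setup discussed above (T-DSL on ppp0, LAN on eth1, as in gravity's config).
# Prints the commands by default; applies them only with --apply, as root.
# Assumes iptables with connection tracking (-m state), i.e. a 2.4 or later kernel.

EXT=${EXT:-ppp0}   # untrusted side: the PPPoE link (assumed name)
INT=${INT:-eth1}   # trusted side: the LAN (assumed name)

# router_rules EXT INT -> prints the commands that build the ruleset, one per line
router_rules() {
    ext=$1
    int=$2
    cat <<EOF
# keep forwarding off until the filter is in place (the sysctl lives under net/ipv4)
echo 0 > /proc/sys/net/ipv4/ip_forward
# reverse-path filter: drop packets whose source would not be routed back the same way
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > "\$f"; done
iptables -F
iptables -t nat -F
iptables -X
# default deny for what reaches the router and for what crosses it
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# the router itself: loopback, replies to its own connections, and the LAN side
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $int -j ACCEPT
# private source addresses never legitimately arrive on the DSL side
iptables -A FORWARD -i $ext -s 10.0.0.0/8 -j DROP
iptables -A FORWARD -i $ext -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i $ext -s 192.168.0.0/16 -j DROP
# LAN -> internet, and only the replies back in; nothing new from the outside
iptables -A FORWARD -i $int -o $ext -j ACCEPT
iptables -A FORWARD -i $ext -o $int -m state --state ESTABLISHED,RELATED -j ACCEPT
# the rule quoted in the thread was missing -A (append) and -j (target)
iptables -t nat -A POSTROUTING -o $ext -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward
EOF
}

# router_apply -> executes the ruleset; refuses to run as a non-root user
router_apply() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "router_apply: must be run as root" >&2
        return 1
    fi
    router_rules "$EXT" "$INT" | sh -e
}

case "${1-}" in
    --apply) router_apply ;;
    *)       router_rules "$EXT" "$INT" ;;
esac
```

Run it once without arguments to read the generated rules, then with --apply as root. The unconditional "INPUT -i eth1 ACCEPT" line trusts the whole LAN, which is what FW_PROTECT_FROM_INTERNAL="no" means in SuSEfirewall2; tighten it to the ports you actually serve once the basic routing works.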

gravity
25.11.02, 20:41
Hello,

I installed SuSEfirewall and selected the masquerading option during
configuration. Under services I ticked http and http with DSL. I then
rebooted the PC, and while the services were starting it said

disabling ip_forwarding

After that the firewall initialisation didn't work anymore either, with
the error message ppp0 not found, although it recognised the DSL
connection at system start and confirmed it with done.

Before I rebooted the PC (i.e. while the firewall was active) I couldn't
send a ping to the net anymore. If that already doesn't work, then I
surely can't get to the net from a client either, can I?

Can anyone help me with this?

HangLoose
25.11.02, 22:10
Hi

Best post the script. I've never configured that thing via YaST. Which card is the DSL on?

You'll find the script at /etc/sysconfig/SuSEfirewall2


Regards, HL

gravity
26.11.02, 18:12
Hello

Here is the script /etc/sysconfig/SuSEfirewall2:

# 1.)
# Should the Firewall run in quickmode?
#
# "Quickmode" means that only the interfaces pointing to external networks
# are secured, and no others. All interfaces not in the list of FW_DEV_EXT
# are allowed full network access! Additionally, masquerading is
# automatically activated for FW_MASQ_DEV devices. and last but not least:
# all incoming connections via external interfaces are REJECTED.
# You will only need to configure 2.) and FW_MASQ_DEV in 6.)
# Optionally, you may add entries to section 9a.)
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_QUICKMODE="no"

#
# 2.)
# Which is the interface that points to the internet/untrusted networks?
#
# Enter all the network devices here which are untrusted.
#
# Choice: any number of devices, separated by a space
# e.g. "eth0", "ippp0 ippp1 eth0:1"
#
FW_DEV_EXT="ppp0"

#
# 3.)
# Which is the interface that points to the internal network?
#
# Enter all the network devices here which are trusted.
# If you are not connected to a trusted network (e.g. you have just a
# dialup) leave this empty.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_INT="eth1"

#
# 4.)
# Which is the interface that points to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, separated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services,
# e.g. WWW, Mail, etc. and hence are at risk from attacks.
# See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
#
# Special note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_DMZ=""

#
# 5.)
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
#
# You need only set this to yes, if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but this is not
# a good idea). This option supersedes IP_FORWARD from
# /etc/sysconfig/network/options
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD to define
# what is allowed to be forwarded!
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_ROUTE="yes"

#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE
#
# "Masquerading" means that all your internal machines which use services on
# the internet seem to come from your firewall.
# Please note that it is more secure to communicate via proxies to the
# internet than masquerading. This option is required for FW_MASQ_NETS and
# FW_FORWARD_MASQ.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_MASQUERADE="yes"

#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"

#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxys on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A target network, protocol and service is appended by a comma to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.
#
FW_MASQ_NETS="0/0"

#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will be also affected from the
# FW_AUTOPROTECT_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
# "yes" is a good choice
FW_PROTECT_FROM_INTERNAL="no"

#
# 8.)
# Do you want to autoprotect all running network services on the firewall?
#
# If set to "yes", all network access to TCP and UDP services on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="yes"

#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall) XXX
#
# Enter all ports or known portnames below, separated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Common: smtp domain
FW_SERVICES_EXT_TCP="http https pop3 pop3s smtp telnet"

# Common: domain
FW_SERVICES_EXT_UDP=""
# Common: domain

# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""

#
# Common: smtp domain
FW_SERVICES_DMZ_TCP=""

# Common: domain
FW_SERVICES_DMZ_UDP=""

# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""

#
# Common: ssh smtp domain
FW_SERVICES_INT_TCP=""

# Common: domain syslog
FW_SERVICES_INT_UDP=""

# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""

# 9a.)
# External services in QUICKMODE.
# This is only used for QUICKMODE (see 1.)!
# (The settings here are similar to section 9.)
# Which services ON THE FIREWALL should be accessible from either the
# internet (or other untrusted networks), i.e. the external interface(s)
# $FW_DEV_EXT
#
# Enter all ports or known portnames below, separated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_QUICK_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_QUICK_UDP.
# e.g. if a secure shell daemon on the firewall should be accessible from
# the internet:
# FW_SERVICES_QUICK_TCP="ssh"
# e.g. if the firewall should receive isakmp (IPsec) internet:
# FW_SERVICES_QUICK_UDP="isakmp"
# For IP protocols (like IPsec) you need to set
# FW_SERVICES_QUICK_IP="50"
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# QUICKMODE: TCP services open to external networks (InterNet)
# (Common: ssh smtp)
FW_SERVICES_QUICK_TCP=""

# QUICKMODE: UDP services open to external networks (InterNet)
# (Common: isakmp)
FW_SERVICES_QUICK_UDP=""

# QUICKMODE: IP protocols unconditionally open to external networks (InterNet)
# (For VPN firewall that is VPN gateway: 50)
FW_SERVICES_QUICK_IP=""

#
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesn't matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

#
# 11.)
# How is access allowed to high (unprivileged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXT_UDP ...).
# Please note that with v2.1 "yes" is not mandatory for active FTP from
# the firewall anymore.
#
# Choice: "yes", "no", "DNS", portnumber or known portname,
# if not set defaults to "no"
#
# Common: "ftp-data", better is "yes" to be sure that everything else works :-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"

# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"

#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won't work!
#
# Set services you are running to "yes", all others to "no",
# if not set defaults to "no"
# If you want to offer the below services to your DMZ as well,
# (and not just internally), set the switches below to "dmz",
# if you even want to offer to the world as well, set to "ext"
# instead of "yes" (NOT RECOMMENDED FOR SECURITY REASONS!)
#
FW_SERVICE_AUTODETECT="yes"
# Autodetect the services below when starting

# If you are running bind/named set to yes. Remember that you have to open
# port 53 (or "domain") as udp/tcp to allow incoming queries.
# Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DNS="no"

# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"

# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="no"

# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="no"

# set to "yes" if this server is running a samba server. You still have to
# open the tcp port 139 to allow remote access to SAMBA.
FW_SERVICE_SAMBA="no"

#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were assigned to
# you by your ISP. This opens a direct link to your network, so only use
# this option for access to your dmz!!!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forwarding rules, each separated by a space.
# A forwarding rule consists of 1) source IP/net and 2) destination IP
# separated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
# Optional is a protocol, separated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
# Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
#
FW_FORWARD=""
# Beware to use this!

#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP addresses!
# Hint: if FW_DEV_MASQ is set to the external interface you have to set
# FW_FORWARD from internal to DMZ for the service as well to allow access
# from internal!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, each separated by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) the IP to which
# the requests will be forwarded to (in the dmz/intern net), 3) a protocol
# (tcp/udp only!) and 4) destination port, separated by a comma (","), e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80"
#
# Optional is a port after the destination port, to redirect the request to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"
#
# Optional is a target IP address on which the masquerading decision is based.
# You have to set the optional port option to use this.
#
# Example:
# 200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202
# The class C network 200.200.200.0/24 trying to access 202.202.202.202 port
# 80 will be forwarded to the internal server 10.0.0.10 on port 81.
# Example:
# 200.200.200.0/24,10.0.0.10,tcp,80
# The class C network 200.200.200.0/24 trying to access anything which goes
# through this firewall will be forwarded to the internal server 10.0.0.10 on
# port 80
#
FW_FORWARD_MASQ=""
# Beware to use this!

#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, separated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) protocol (tcp or udp), 4) original destination port and 5) local port to
# redirect the traffic to, separated by a comma. e.g.:
# "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
# Please note that as 2) destination, you may add '!' in front of the IP/net
# to specify everything EXCEPT this IP/net.
#
FW_REDIRECT=""

#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also set the log level: the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", if not set FW_LOG_*_CRIT defaults to "yes", and
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DROP_CRIT="yes"

#
FW_LOG_DROP_ALL="no"

#
FW_LOG_ACCEPT_CRIT="yes"

#
FW_LOG_ACCEPT_ALL="no"

#
# only change/activate this if you know what you are doing!
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexceed_rate,
# ip_local_port_range, log_martians, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_KERNEL_SECURITY="yes"

#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might leave your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall2 stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choices "yes" or "no", if not set defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_EXT
#
# Choice: "yes" or "no", defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"

#
FW_ALLOW_PING_DMZ="no"

#
FW_ALLOW_PING_EXT="no"

##
# END of /etc/sysconfig/SuSEfirewall2
##

# #
#-------------------------------------------------------------------------#
# #
# EXPERT OPTIONS - all others please don't change these! #
# #
#-------------------------------------------------------------------------#
# #

#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="yes"

#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", if not set defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them however ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_ALLOW_FW_BROADCAST="no"

#
FW_IGNORE_FW_BROADCAST="yes"

#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need to set up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"

#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/SuSEfirewall2-custom
#
#FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom"
FW_CUSTOMRULES=""

#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
FW_REJECT="no"

The network card on the DSL side is eth0.

HangLoose
26.11.02, 18:39
Hi

Change the following:

FW_SERVICES_EXT_TCP="http https pop3 pop3s smtp telnet" => FW_SERVICES_EXT_TCP=""

Here you only enter services that run on the firewall machine and that should be reachable from the internet. So this can stay empty for now. telnet definitely has to go.

FW_ALLOW_PING_EXT="no" enter yes here => FW_ALLOW_PING_EXT="yes"

Then you can also ping from the LAN.

Don't forget to restart the firewall:

SuSEfirewall2 stop
SuSEfirewall2 start


Regards, HL
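As an added example, not from the thread or from SuSE, here is a small check for the kind of review HangLoose just did by hand: it reads a /etc/sysconfig/SuSEfirewall2 file and reports services listed for the external interface that carry cleartext logins (telnet in particular), plus the settings the file's own comments in sections 6.), 7.) and 8.) warn about. The built-in sample is a constructed excerpt of the config gravity posted above; the variable names and semantics are the ones in that file, everything else (function names, messages) is this example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from SuSE: a small lint for
# /etc/sysconfig/SuSEfirewall2 that reports what HangLoose objects to above
# (cleartext services on the external interface, telnet in particular) and what
# the file's own comments in 6.), 7.) and 8.) warn about.
# Usage: sh fwlint.sh [CONFIG]; with no argument it lints a constructed excerpt
# of the config posted above.

# fw_get VAR FILE -> value of VAR="..."; commented-out lines are ignored, last one wins
fw_get() {
    sed -n "s/^[[:space:]]*$1=\"\([^\"]*\)\".*/\1/p" "$2" | tail -n 1
}

# fw_lint FILE -> prints one finding per line; returns 1 if there was any finding
fw_lint() {
    file=$1
    found=0
    # 9.) is for services ON THE FIREWALL that the internet may reach;
    # cleartext logins and mail pickup should not be among them
    for svc in $(fw_get FW_SERVICES_EXT_TCP "$file"); do
        case $svc in
            telnet|23|ftp|21|pop3|110)
                echo "FW_SERVICES_EXT_TCP: cleartext service '$svc' is open on FW_DEV_EXT"
                found=1 ;;
        esac
    done
    # 7.) defaults to "yes"; "no" lets any LAN user connect to every service on the firewall
    v=$(fw_get FW_PROTECT_FROM_INTERNAL "$file")
    if [ -n "$v" ] && [ "$v" != yes ]; then
        echo "FW_PROTECT_FROM_INTERNAL=\"$v\": every LAN host may reach all firewall services"
        found=1
    fi
    # 8.) defaults to "yes"; "no" leaves listening services unfiltered unless listed in 9.)
    if [ "$(fw_get FW_AUTOPROTECT_SERVICES "$file")" = no ]; then
        echo "FW_AUTOPROTECT_SERVICES=\"no\": running services are not filtered"
        found=1
    fi
    # 6.) masquerading REQUIRES FW_ROUTE and an internal (or dmz) device
    if [ "$(fw_get FW_MASQUERADE "$file")" = yes ]; then
        if [ "$(fw_get FW_ROUTE "$file")" != yes ]; then
            echo "FW_MASQUERADE=\"yes\" but FW_ROUTE is not \"yes\""
            found=1
        fi
        if [ -z "$(fw_get FW_DEV_INT "$file")$(fw_get FW_DEV_DMZ "$file")" ]; then
            echo "FW_MASQUERADE=\"yes\" but neither FW_DEV_INT nor FW_DEV_DMZ is set"
            found=1
        fi
    fi
    return $found
}

# fw_sample EXT_TCP PROTECT -> temp file holding a constructed excerpt of the posted
# config, with the two values the thread discusses filled in from the arguments
fw_sample() {
    f=$(mktemp) || return 1
    cat >"$f" <<EOF
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="\$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="$2"
FW_AUTOPROTECT_SERVICES="yes"
# Common: smtp domain
FW_SERVICES_EXT_TCP="$1"
FW_SERVICES_EXT_UDP=""
#FW_CUSTOMRULES="/etc/sysconfig/SuSEfirewall2-custom"
FW_CUSTOMRULES=""
EOF
    echo "$f"
}

if [ $# -ge 1 ]; then
    fw_lint "$1"
else
    f=$(fw_sample "http https pop3 pop3s smtp telnet" no)
    fw_lint "$f"
    rm -f "$f"
fi
```

On the posted values it reports pop3 and telnet on the external interface and FW_PROTECT_FROM_INTERNAL="no"; with HangLoose's change to FW_SERVICES_EXT_TCP="" and the file's own recommendation of "yes" for section 7.) it reports nothing and exits 0, so it can sit in front of "SuSEfirewall2 start" in a script.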

gravity
26.11.02, 19:08
I made the changes. But I can't start the firewall afterwards.
The error that is output:

iptables v1.2.7a: host/network 'ppp0' not found

But when I type ifconfig I can see ppp0!?
Could it now also be due to iptables?
The documentation says there has to be a file
/sbin/iptables. I don't have it, although
I have installed the iptables package.

HangLoose
26.11.02, 20:48
Hi

When you start the firewall, your internet connection has to be up, otherwise there is no ppp0 yet, imho ;)


Besides, there were quite often problems with the firewall on SuSE 8.1. Have you done an online update?

Regards, HL

robin22
27.11.02, 15:28
Hello,

I have the same problem as

gravity.

I also went through everything the way you described.
I also had the problem that ppp0 could not be found,
but after the update it worked.

However, it still doesn't work, at least not properly, because:

When I type in e.g. heise.de it can't find the server, but if I
type in heise's IP (193.99.144.71) it works. So I guess
it's a DNS problem.

Can you tell me how to solve this?

Regards

robin

HangLoose
27.11.02, 15:31
Hi

Have you entered your provider's nameservers? You have to do that on the router and on the clients.

Either directly in /etc/resolv.conf or via YaST => network cards.


Regards, HangLoose

robin22
27.11.02, 15:38
Oh man! :ugly:

Thanks a lot!

I hadn't entered a DNS server on the client.


robin

HangLoose
27.11.02, 15:45
;)

Harry
27.11.02, 16:06
Originally posted by HangLoose
hi

When you start the firewall, your internet connection has to be up, otherwise there is no ppp0 yet, imho ;)
Nope - iptables doesn't care at all whether an internet connection exists or whether the device for which rules are being set up already exists. The rules can be activated at any time.
Pretty brilliant, this iptables stuff, isn't it? :D

PS: Under kernel < 2.4.x with ipchains, or waaaay back with ipfwadm, that wasn't possible yet ;)

Harry

gravity
27.11.02, 16:15
Hi,

Hard to believe, but this is my first post in the forum about the Linux router...
The firewall isn't running 100% perfectly yet, but I'll manage that somehow.

special thx to: hanglose

HangLoose
27.11.02, 16:31
Hi

@gravity


special thx to: hanglose


I must insist on the second o ;)

@harry


Pretty brilliant, this iptables stuff, isn't it? :D


Yep, if you understand it :D. I should have put that imho in bold, or better still => keep out of things I have no idea about :D


Regards, HangLoose ;)

gravity
27.11.02, 16:34
I do have one very last question after all:

Is there a logfile somewhere that logs the URLs I have visited?

HangLoose
27.11.02, 16:38
Hi

You'll find the URLs in your browser cache.

Your firewall's logfile is at /var/log/messages


Regards, HL

Tshunsh
28.11.02, 13:41
@Harry
@HangLoose

Hello folks!
I have had similar problems with SuSEfirewall2 on 8.1.
After the update and the tips SuSE provides, the firewall actually works properly.
What I'm out of ideas on, and this is annoying and expensive in the long run (I use ISDN): why does the internet connection have to be up for SuSEfirewall2 to start?
With SuSE 7.3 and SuSEfirewall2 everything worked great!
I'm grateful for any tip.

HangLoose
28.11.02, 14:53
Hi



What I'm out of ideas on, and this is annoying and expensive in the long run (I use ISDN): why does the internet connection have to be up for SuSEfirewall2 to start?

Well, according to Harry that no longer has to be the case with iptables, and therefore not with SuSEfirewall2 either. And I believe Harry almost everything ;)

Your problem might be that your SuSEfirewall is possibly started by the ip-up script. But you can also add SuSEfirewall to the appropriate runlevel with the runlevel editor; then the fw is started already at boot time.


Regards, HL

Tshunsh
28.11.02, 22:32
That is exactly the problem!
At startup it complains that ippp0 is not present.
After that nothing works anymore, the firewall blocks everything.
I have to stop the firewall, establish the internet connection, start the firewall.
I have already searched the internet; many people have a similar problem, but only with ISDN.
DSL seems to work.

Regards

HangLoose
28.11.02, 22:49
Hi

I don't remember exactly anymore how that was with SuSE, let alone with ISDN. But with DSL it was imho the case that starting the firewall is already *built into* the script /etc/ppp/options/ip-up.

So try taking the firewall out of your runlevel and then establishing an inet connection. Normally the firewall should be started once the connection is up.


Regards, HL

Tshunsh
29.11.02, 23:18
Hi!
That's not the point at all! Of course the firewall works in the ip-up script.
What I've been trying to find out the whole time is what the firewall doesn't like about ippp0 at system start and complains about.

Regards

HangLoose
29.11.02, 23:43
Hi there

Have you done an online update yet?

Tshunsh
04.12.02, 20:36
Hello everyone!
I took some time to finally get the problem under control.
Honestly, I just can't make sense of this.
After the automatic (online) update with YaST2 the firewall matter takes a different turn.
At boot there are no more complaints about the ippp0 interface, and everything seems normal. But from the machine itself (router/server) I can't get to the internet anymore; everything is blocked by the firewall. From the internal network (Linux and Windows workstations), on the other hand, everything works.
I'm posting my SuSEfirewall2 config, I hope it helps...

FW_QUICKMODE="no"
FW_DEV_EXT="ippp0"
FW_DEV_INT="eth0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="no"
FW_SERVICES_EXT_TCP="21 22 25 79 53 110 ssh"
FW_SERVICES_EXT_UDP="22 25 110 53 123 161 33434:33524"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="ssh 21 22 53 137 138 139"
FW_SERVICES_INT_UDP="53 137 138 139"
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="no"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"

Regards, Tshunsh

Cisanius
04.12.02, 21:26
Hi there ...

Try setting

FW_STOP_KEEP_ROUTING_STATE="no" --> FW_STOP_KEEP_ROUTING_STATE="yes" --- that way the ippp0 interface keeps being recognised ... maybe it helps.

Regards
Cisanius

Tshunsh
04.12.02, 22:19
Hi

Already tried -> no success

Regards

HangLoose
04.12.02, 22:23
Hi

Well, your firewall looks good, it can't be that. How do you start the firewall? Through the ip-up script or via the runlevel?


Regards, HL

Tshunsh
04.12.02, 22:33
Hi!
The firewall is started in runlevel 3, after network initialisation.
I haven't tried the ip-up script yet, but manually (without the firewall at boot)
with SuSEfirewall start and stop => that works!

Regards, Tshunsh