SuSEfirewall2: 2 subnets on same interface

This system (Dom0) has multiple interfaces:
eth0: external
br0: internal - subnet1 (private IP, connects to the DomUs)
eth3: internal

  • subnet2 (private IP)
  • subnet3 (public IP)

SuSEfirewall2 configuration
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS= private IP subnets
FW_TRUSTED_NETS= all MY subnets
FW_FORWARD= configured appropriately including subnet2 <-> subnet3

Networking was working pretty much as expected except there was no
communication between subnet2 and subnet3. I assumed this was because
they are on the same interface and routing is -between- interfaces.

/etc/sysconfig/SuSEfirewall2 states:

    Type: string
    Default:

    33.)
    Bridge interfaces without IP address

    Traffic on bridge interfaces like the one used by xen appears to
    enter and leave on the same interface. Add such interfaces here in
    order to install special permitting rules for them.

    Format: list of interface names separated by space

    Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING
    instead

    Example:
    FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0"

    FW_FORWARD_ALWAYS_INOUT_DEV=""

Since FW_FORWARD_ALLOW_BRIDGING was already set to "yes", I resolved
this routing issue by setting FW_FORWARD_ALWAYS_INOUT_DEV="eth3". But
eth3 is not really a bridge and this option is deprecated. Is there
another way to make this work, other than by assigning each subnet to
its own interface, or is this configured correctly?


Kevin Boyle
If you find this post helpful, please click on the star below!

KBOYLE’s Profile: http://forums.novell.com/member.php?userid=19359
View this thread: http://forums.novell.com/showthread.php?t=448535
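To make the "routing is between interfaces" observation concrete, here is a small added model of the Linux FORWARD chain (example code written for this thread, not part of the original post and not SuSEfirewall2's own code). It walks a constructed set of iptables-style FORWARD rules first-match, and shows that a NEW flow from subnet2 to subnet3, which enters and leaves on eth3, falls through to the catch-all DROP unless an `-i eth3 -o eth3` permit of the kind FW_FORWARD_ALWAYS_INOUT_DEV is documented to install is present, and that nothing is forwarded at all while net.ipv4.ip_forward is 0. The rule texts, the interface-to-prefix mapping and the addresses are assumptions made up for the example; the exact rules SuSEfirewall2 generates are not taken from the page.

```python
"""Toy model of the Linux FORWARD chain for the same-interface routing case.

Constructed example for the thread above; the rules below only resemble
iptables-save output and are NOT what SuSEfirewall2 actually generates.
Prefixes are RFC 1918 / RFC 5737 placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass

# Interface <-> subnet layout from the thread, with placeholder prefixes.
SUBNET1 = ipaddress.ip_network("192.168.1.0/24")   # br0, private (DomUs)
SUBNET2 = ipaddress.ip_network("192.168.2.0/24")   # eth3, private
SUBNET3 = ipaddress.ip_network("203.0.113.0/24")   # eth3, public (TEST-NET-3)

# Constructed rules for a purely inter-interface FW_FORWARD setup:
# every permit names a different -i and -o device, then a catch-all DROP.
INTER_IFACE_RULES = """\
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i br0 -o eth3 -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
-A FORWARD -i eth3 -o br0 -s 192.168.2.0/24 -d 192.168.1.0/24 -j ACCEPT
-A FORWARD -i br0 -o eth0 -s 192.168.1.0/24 -j ACCEPT
-A FORWARD -j DROP
"""


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src: str
    dst: str
    new: bool = True  # True = first packet of a flow (conntrack state NEW)


_OPT = re.compile(r"(-i|-o|-s|-d|--state|-j)\s+(\S+)")


def parse_rule(line):
    """Turn one '-A FORWARD ...' line into a dict of matchers plus target."""
    opts = dict(_OPT.findall(line))
    if "-j" not in opts:
        raise ValueError(f"rule without target: {line!r}")
    return opts


def rule_matches(rule, pkt):
    """Apply the subset of iptables matchers the toy model understands."""
    if "-i" in rule and rule["-i"] != pkt.in_iface:
        return False
    if "-o" in rule and rule["-o"] != pkt.out_iface:
        return False
    if "-s" in rule and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule["-s"]):
        return False
    if "-d" in rule and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule["-d"]):
        return False
    if "--state" in rule:
        states = set(rule["--state"].split(","))
        if pkt.new and "NEW" not in states:
            return False
        if not pkt.new and not (states & {"ESTABLISHED", "RELATED"}):
            return False
    return True


def forward_verdict(rules_text, pkt, ip_forward=1):
    """First-match walk of the FORWARD chain; DROP if nothing matches."""
    if not ip_forward:
        # With net.ipv4.ip_forward=0 the kernel never consults FORWARD at all.
        return "NOT_FORWARDED"
    for line in rules_text.splitlines():
        if not line.startswith("-A FORWARD"):
            continue
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return rule["-j"]
    return "DROP"


def add_hairpin_permit(rules_text, iface):
    """Insert an 'in and out on the same device' permit (assumed form of what
    FW_FORWARD_ALWAYS_INOUT_DEV installs) ahead of the trailing catch-all DROP."""
    lines = rules_text.splitlines()
    lines.insert(len(lines) - 1, f"-A FORWARD -i {iface} -o {iface} -j ACCEPT")
    return "\n".join(lines) + "\n"


def subnet1_to_subnet2(rules_text, ip_forward=1):
    """NEW flow br0 -> eth3: the ordinary between-interfaces case."""
    return forward_verdict(rules_text, Packet("br0", "eth3", "192.168.1.5", "192.168.2.10"), ip_forward)


def subnet2_to_subnet3(rules_text, ip_forward=1):
    """NEW flow subnet2 -> subnet3: both live on eth3, so in_iface == out_iface."""
    return forward_verdict(rules_text, Packet("eth3", "eth3", "192.168.2.10", "203.0.113.10"), ip_forward)


if __name__ == "__main__":
    hairpin = add_hairpin_permit(INTER_IFACE_RULES, "eth3")
    print("subnet1->subnet2, inter-iface rules:", subnet1_to_subnet2(INTER_IFACE_RULES))
    print("subnet2->subnet3, inter-iface rules:", subnet2_to_subnet3(INTER_IFACE_RULES))
    print("subnet2->subnet3, with hairpin permit:", subnet2_to_subnet3(hairpin))
    print("subnet2->subnet3, ip_forward=0:", subnet2_to_subnet3(hairpin, ip_forward=0))
```

On a real host the same check is done by reading `/proc/sys/net/ipv4/ip_forward` and looking through `iptables-save` output for a FORWARD permit whose `-i` and `-o` name the same device; the model above just makes the first-match reasoning explicit.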


KBOYLE;2155496 Wrote:

> This system (Dom0) has multiple interfaces:
> eth0: external
> br0: internal - subnet1 (private IP, connects to the DomUs)
> eth3: internal
>
>   • subnet2 (private IP)
>   • subnet3 (public IP)
>
> SuSEfirewall2 configuration
> FW_ROUTE="yes"
> FW_MASQUERADE="yes"
> FW_MASQ_NETS= private IP subnets
> FW_TRUSTED_NETS= all MY subnets
> FW_FORWARD= configured appropriately including subnet2 <-> subnet3
>
> Networking was working pretty much as expected except there was no
> communication between subnet2 and subnet3. I assumed this was because
> they are on the same interface and routing is -between- interfaces.
>
> /etc/sysconfig/SuSEfirewall2 states:
>
> Since FW_FORWARD_ALLOW_BRIDGING was already set to "yes", I resolved
> this routing issue by setting FW_FORWARD_ALWAYS_INOUT_DEV="eth3". But
> eth3 is not really a bridge and this option is deprecated. Is there
> another way to make this work, other than by assigning each subnet to
> its own interface, or is this configured correctly?

I haven’t done this before and also don’t know/think it’s a wise thing
to do (place the public and private IP on one interface).

In any case, for this to work I'd think you'd also need to enable
routing within the server's network configuration (as I don't see you
mentioning that).

Again, not sure but also don’t think it’s a good idea what you are
trying to do on one interface.

-Willem


Novell Knowledge Partner (voluntary sysop)

It ain’t anything like Harry Potter… but you gotta love the magic IT
can bring to this world

magic31’s Profile: http://forums.novell.com/member.php?userid=2303
View this thread: http://forums.novell.com/showthread.php?t=448535

magic31;2157383 Wrote:

> I haven't done this before and also don't know/think it's a wise thing
> to do (place the public and private IP on one interface).
>
> In any case, for this to work I'd think you'd also need to enable
> routing within the server's network configuration (as I don't see you
> mentioning that).
>
> Again, not sure but also don't think it's a good idea what you are
> trying to do on one interface.
>
> -Willem

Hi Willem,

This server is the firewall -and- router (FW_ROUTE=“yes”). The firewall
rules determine what gets through to where.

I was more interested in learning whether routing -between subnets on
the same interface- could be enabled other than by using a deprecated
option. Other than that, it appears to be working as expected. The issue
would still be present had I used two private subnets.

I guess I’m just learning about the limitations of SuSEfirewall2. I
suspect I’ll have to start working with iptables to implement additional
capabilities.

Thanks!


Kevin Boyle

KBOYLE;2157479 Wrote:

> Hi Willem,
>
> This server is the firewall -and- router (FW_ROUTE="yes"). The firewall
> rules determine what gets through to where.
>
> I was more interested in learning whether routing -between subnets on
> the same interface- could be enabled other than by using a deprecated
> option. Other than that, it appears to be working as expected. The issue
> would still be present had I used two private subnets.
>
> I guess I'm just learning about the limitations of SuSEfirewall2. I
> suspect I'll have to start working with iptables to implement additional
> capabilities.
>
> Thanks!

Hey Kevin,

The routing switch I mean is in the network configuration... and I
thought unrelated to the SuSEfirewall, and something within the Linux
network stack itself. Now you mention it, it's something I need to take
a closer look at :)

Thanks for the thanks... but it's apparent you have a better clue what
you are doing here than I have. :P

Cheers,
Willem
