Mailinglist Archive: opensuse (4570 mails)
Re: [SLE] SuSE 10.0 masquerade changes?
- From: "Peter A. Taylor" <murmur@xxxxxxx>
- Date: Wed, 16 Nov 2005 17:12:38 +0000 (UTC)
- Message-id: <200511161111.40545.murmur@xxxxxxx>
On Tuesday 15 November 2005 19:36, Darryl Gregorash wrote:
>
> I'm even more confused:
> >Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0
> >SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127
> > ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53
>
> This is a DNS lookup from "isis" that was just dropped, yet you say your
> wife is able to resolve hostnames.
"isis" runs Windows XP Home Edition. Perhaps it caches recently used domain
name data? It also has a modem, which she can't use when I'm online.
> Maybe someone else will spot something, but I cannot immediately see any
> problem. Perhaps posting the output of "iptables -L -n" will help (and
> you will have to run that as root).
Thanks. I did this under 8.2, 9.3, and 10.0. The full output from 10.0
follows, but first, here is the "diff" between 9.3 and 10.0:
"diff" between output from SuSE 9.3 and 10.0, online, "iptables -L -n" (9.3
is "<", 10.0 is ">"):
34,36c34
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,RELATED,ESTABLISHED
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
< LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDext-DROP-DEFLT '
---
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDext-DROP-DEFLT '
52,54c50
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,RELATED,ESTABLISHED
< ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
< LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDint-DROP-DEFLT '
---
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDint-DROP-DEFLT '
74c70
< LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix
`SFW2-INext-DROP-DEFLT '
---
> LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg
3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-INext-DROP-DEFLT '
Under SuSE 8.2, I used the "personal" firewall, and things are so different
that I don't know where to begin in comparing them.
Output from SuSE 10.0, online, "iptables -L -n":
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED
input_int all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
flags:0x06/0x02 TCPMSS clamp to PMTU
forward_int all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state
NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR '
Chain forward_ext (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 5
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDext-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDext-DROP-DEFLT-INV
'
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 5
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix
`SFW2-FWDint-DROP-DEFLT '
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT-INV
'
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain input_ext (1 references)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 PKTTYPE =
broadcast
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 18
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state
RELATED,ESTABLISHED icmp type 5
reject_func tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
state NEW
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT
'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min
burst 5 state INVALID LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 reject-with
tcp-reset
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with
icmp-proto-unreachable
Thanks,
Peter Taylor
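Added example (not part of Peter's mail, nor SuSEfirewall2's own code): a small Python checker that ties the dropped-packet log line quoted above to the chain that logged it and asks whether that chain has any ACCEPT rule admitting NEW connections of that protocol before its default DROP. The diff above shows what 9.3's forward_int and forward_ext chains had and 10.0's lack, namely `ACCEPT all ... state NEW,RELATED,ESTABLISHED`; without it, the UDP/53 lookup from 192.168.2.20 forwarded from eth0 to modem0 reaches only the LOG and DROP rules. The sample listings are constructed from the mail (wrapped lines rejoined, most ICMP rules omitted); the 9.3 chain is a reconstruction from the diff, and the mapping from log prefix to chain is done by locating the LOG rule that carries that prefix, which is an assumption about how the listing and the log line relate rather than anything the firewall tool guarantees.

```python
import re

# Constructed sample input, derived from the mail: the FORWARD and forward_int
# chains of the 10.0 listing with wrapped lines rejoined and most ICMP rules
# omitted. Rule text and prefixes are as `iptables -L -n` prints them.
LISTING_10_0 = """\
Chain FORWARD (policy DROP)
target     prot opt source               destination
forward_int  all  --  0.0.0.0/0            0.0.0.0/0
forward_ext  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED icmp type 0
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
LOG        udp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

# Constructed reconstruction of the 9.3 forward_int chain from the "<" lines of the diff.
LISTING_9_3 = """\
Chain forward_int (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           limit: avg 3/min burst 5 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SFW2-FWDint-DROP-DEFLT '
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""

# The kernel log line quoted in the mail (rejoined onto one line).
SFW2_LOG = ("Nov 15 09:05:49 athena kernel: SFW2-FWDint-DROP-DEFLT IN=eth0 OUT=modem0 "
            "SRC=192.168.2.20 DST=64.243.71.82 LEN=73 TOS=0x00 PREC=0x00 TTL=127 "
            "ID=33119 PROTO=UDP SPT=1027 DPT=53 LEN=53")


def parse_listing(text):
    """Parse `iptables -L -n` output into {chain_name: [rule, ...]}.
    Each rule keeps target, prot, source, destination and the free-form match text."""
    chains, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.match(r"Chain (\S+) \((.*)\)", line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        if current is None or line.startswith("target "):
            continue  # column header line
        parts = line.split(None, 5)  # target prot opt source destination [matches]
        chains[current].append({
            "target": parts[0], "prot": parts[1], "src": parts[3], "dst": parts[4],
            "extra": parts[5] if len(parts) > 5 else "",
        })
    return chains


def parse_sfw2_log(line):
    """Extract the SFW2 log prefix and the KEY=VALUE fields from a kernel log line.
    The first LEN is the IP total length; the second (UDP length) is not kept."""
    m = re.search(r"kernel: (SFW2-\S+)\s+(.*)", line)
    if not m:
        return None
    fields = {"PREFIX": m.group(1)}
    for key, value in re.findall(r"(\w+)=(\S+)", m.group(2)):
        fields.setdefault(key, value)
    return fields


def chain_for_prefix(chains, prefix):
    """Return the chain whose LOG rule carries this prefix (assumption: prefixes are unique per chain)."""
    for name, rules in chains.items():
        for rule in rules:
            if rule["target"] == "LOG" and f"prefix `{prefix} '" in rule["extra"]:
                return name
    return None


def accepts_new(rules, proto):
    """True if, before the chain's unconditional DROP, some ACCEPT rule for 'all' or
    this protocol has no state match or a state list that includes NEW."""
    for rule in rules:
        if rule["target"] == "DROP" and rule["prot"] == "all" and not rule["extra"]:
            return False  # reached the default drop; nothing below it matters
        if rule["target"] != "ACCEPT" or rule["prot"] not in ("all", proto):
            continue
        m = re.search(r"\bstate (\S+)", rule["extra"])
        if m is None or "NEW" in m.group(1).split(","):
            return True
    return False


def diagnose(log_line, listing):
    """Map a dropped-packet log line to the chain that logged it and report whether
    that chain could ever have accepted a NEW packet of that protocol."""
    fields = parse_sfw2_log(log_line) or {}
    chains = parse_listing(listing)
    chain = chain_for_prefix(chains, fields.get("PREFIX", ""))
    proto = fields.get("PROTO", "").lower()
    return {
        "chain": chain, "proto": proto, "dport": fields.get("DPT"),
        "in": fields.get("IN"), "out": fields.get("OUT"),
        "accepts_new": chain is not None and accepts_new(chains[chain], proto),
    }


if __name__ == "__main__":
    for label, listing in (("SuSE 10.0", LISTING_10_0), ("SuSE 9.3", LISTING_9_3)):
        print(label, diagnose(SFW2_LOG, listing))
```

Run against the two listings, the 10.0 result reports chain forward_int with accepts_new False (the UDP/53 packet can only hit LOG and DROP there), while the reconstructed 9.3 chain reports True because of its `state NEW,RELATED,ESTABLISHED` ACCEPT. The same check applies to any SFW2-prefixed drop line, so it can be run over a day's kernel log to see which chains are dropping traffic the ruleset never offered a path for.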