My Firewall2-custom.rc.config will not load. What am I doing wrong?
Any Dumb User Friendly Answers are appreciated
 
###Firewall2-custom.rc.config###

# Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany. All rights reserved.

#

# Authors: Marc Heuse <marc@suse.de>,

# Volker Kuhlmann <kuhlmav@elec.canterbury.ac.nz>

#

# /etc/rc.config.d/firewall-custom.rc.config

#

# ------------------------------------------------------------------------

#

# This file is for SuSEfirewall >= v4.0 and is an example for using

# the hooks which are supplied since v4.0 to load customized ipchains rules.

#

# THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE ! SO READ CAREFULLY !

# IT IS USEFUL TO CROSS-READ /sbin/SuSEfirewall TO SEE HOW HOOKS WORK !

#

# ------------------------------------------------------------------------

fw_custom_before_antispoofing() {
    # Hook: runs before SuSEfirewall installs its anti-spoofing rules.
    # At that point the only filter rules already in effect are:
    #   1) any traffic via the loopback interface is allowed,
    #   2) DHCP traffic is allowed, 3) SAMBA traffic is allowed
    #   [2 and 3 only when the matching FW_SERVICE_... settings are "yes"].
    # Typical use: keep uninteresting broadcast packets out of the log, or
    # let specific packets pass the anti-spoofing mechanism.
    #
    # Example (ipchains syntax): allow incoming multicast for any routing
    # protocol:
    #   ipchains -I input -j ACCEPT -d 224.0.0.0/24
    #
    # No custom rules here; just return success.
    :
}

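fw_custom_before_port_handling() { # could also be named "after_antispoofing()"
    # Hook: runs after the anti-spoofing and ICMP handling, but before
    # SuSEfirewall sets any IP-protocol or TCP/UDP port allow/protection
    # rules. Use it to allow/deny protocols or ports ahead of the rules
    # SuSEfirewall generates.
    #
    # NOTE(review): the file header describes ipchains hooks (SuSEfirewall
    # >= v4.0), while every rule below calls iptables — confirm that the
    # firewall script sourcing this file is the iptables-based one.
    #
    # External (untrusted) interface, kept in one place so the rules below
    # do not each carry a hard-coded "eth0".
    local ext_if=eth0

    # Always drop backorifice/netbus trojan connect requests.
    iptables -A INPUT -j DROP -p tcp --destination-port 31337
    iptables -A INPUT -j DROP -p udp --destination-port 31337
    iptables -A INPUT -j DROP -p tcp --destination-port 12345:12346
    iptables -A INPUT -j DROP -p udp --destination-port 12345:12346

    # Syn-flood protection: SYN packets arriving on the external interface
    # go through a user chain that lets 1/s (burst 4) RETURN and drops the
    # rest. "-N" fails when the chain survives from an earlier run, so in
    # that case flush it instead of appending a second copy of the rules.
    iptables -N syn-flood 2>/dev/null || iptables -F syn-flood
    iptables -A INPUT -i "$ext_if" -p tcp --syn -j syn-flood
    iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    iptables -A syn-flood -j DROP

    # Make sure NEW tcp connections are SYN packets.
    iptables -A INPUT -i "$ext_if" -p tcp ! --syn -m state --state NEW -j DROP

    # Fragments: log them, then drop them.
    iptables -A INPUT -i "$ext_if" -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
    iptables -A INPUT -i "$ext_if" -f -j DROP

    # Anti-spoofing: packets arriving on the external interface must not
    # claim a source address in any of these ranges.
    # Class A / B / C private networks.
    iptables -A INPUT -i "$ext_if" -s 10.0.0.0/8 -j DROP
    iptables -A INPUT -i "$ext_if" -s 172.16.0.0/12 -j DROP
    iptables -A INPUT -i "$ext_if" -s 192.168.0.0/16 -j DROP
    # Class D multicast; never valid as a source address.
    iptables -A INPUT -i "$ext_if" -s 224.0.0.0/4 -j DROP
    # Class E reserved block is 240.0.0.0/4 (240.0.0.0 - 255.255.255.255);
    # a /5 mask would stop at 247.255.255.255 and leave 248.0.0.0/5 open.
    iptables -A INPUT -i "$ext_if" -s 240.0.0.0/4 -j DROP

    # Furtive port scanner: forwarded packets with only RST set (of
    # SYN,ACK,FIN,RST) are accepted at 1/s; anything above the limit falls
    # through to the rules that follow.
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT

    # Ping of death: forwarded echo requests are accepted at 1/s; the rest
    # fall through to the rules that follow.
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Refuse packets from the outside addressed to the loopback network.
    # Written as the network address 127.0.0.0/8; with "127.0.0.1/8" the
    # host bits were masked off by iptables anyway.
    iptables -A INPUT -i "$ext_if" -d 127.0.0.0/8 -j DROP

    # All local (loopback) traffic is allowed.
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # AUTH/ident server: reject probes with a tcp reset rather than
    # dropping them silently.
    iptables -A INPUT -i "$ext_if" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    true
}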

fw_custom_before_masq() { # could also be named "after_port_handling()"
    # Hook: runs after the IP protocol and TCP/UDP port handling, but
    # before any IP forwarding (routing) and masquerading is set up.
    # NOTE: reverse masquerading is done directly after
    # fw_custom_before_port_handling, i.e. before this hook runs.
    # No custom rules here; just return success.
    :
}

fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
    # Hook: runs after IP forwarding and masquerading, but before
    # SuSEfirewall adds its logging and deny-all section.
    # Use it to keep annoying packets out of the log.
    #
    # Example: drop talk requests (udp 517-518) from anywhere before the
    # logging section sees them.
    local talk_ports=517:518
    iptables -A INPUT -j DROP -p udp --destination-port "$talk_ports"
    true
}