The Tuesday 2008-03-11 at 08:52 +0100, Ludwig Nussel wrote:
> Carlos E. R. wrote:
>> Maybe the trick is to define "FW_SERVICES_ACCEPT_EXT" and undefine any other "accept" rule. That is not documented if so!
>
> FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP etc are processed first. So if those install rules that accept packets that are also matched by FW_SERVICES_ACCEPT_EXT the latter rules will never be hit.

I use FW_TRUSTED_NETS. Like this:

FW_TRUSTED_NETS=" ....
    192.168.1.11,tcp,ssh \
    192.168.1.33,tcp,ssh \
    ....

etc

I think that you should document this in the comments of FW_SERVICES_ACCEPT_EXT in the /etc/sysconfig/SuSEfirewall2 file. There is no way we could know that, not being iptables experts. Especially as this is not the behaviour we got from using the custom rules file, which this new token replaces.

-- 
Cheers,
Carlos E. R.
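
Added example, not part of the original thread and not SuSEfirewall2's own code: a small first-match model of the ordering Ludwig describes, which reports FW_SERVICES_ACCEPT_EXT entries that an earlier accept rule already covers. It assumes entries in the net,protocol,port form shown above; the helper names, the PORTS table and the sample values are constructed for illustration.

```python
import ipaddress

PORTS = {"ssh": 22, "http": 80}  # minimal name table for this example only

def _net(text):
    # "0/0" is the usual shorthand for "any source"; ipaddress needs it spelled out
    return ipaddress.ip_network("0.0.0.0/0" if text == "0/0" else text, strict=False)

def _port(text):
    return PORTS[text] if text in PORTS else int(text)

def build_rules(ext_tcp, accept_ext):
    """Return accept rules in processing order: EXT_TCP first, ACCEPT_EXT after."""
    rules = [("FW_SERVICES_EXT_TCP", _net("0/0"), "tcp", _port(s))
             for s in ext_tcp.split()]
    for entry in accept_ext.split():
        net, proto, dport = entry.split(",")[:3]
        rules.append(("FW_SERVICES_ACCEPT_EXT", _net(net), proto, _port(dport)))
    return rules

def first_match(rules, src, proto, dport):
    """Name of the variable whose rule accepts the packet, or None."""
    addr = ipaddress.ip_address(src)
    for origin, net, rproto, rport in rules:
        if addr in net and proto == rproto and dport == rport:
            return origin
    return None

def shadowed(rules):
    """ACCEPT_EXT rules that an earlier rule already covers completely."""
    dead = []
    for i, (origin, net, proto, port) in enumerate(rules):
        if origin != "FW_SERVICES_ACCEPT_EXT":
            continue
        for _, enet, eproto, eport in rules[:i]:
            if (proto, port) == (eproto, eport) and net.subnet_of(enet):
                dead.append((str(net), proto, port))
                break
    return dead

# Constructed sample values, not taken from the mail.
RULES = build_rules("ssh", "192.168.1.0/24,tcp,ssh 192.168.1.0/24,tcp,80")

if __name__ == "__main__":
    print(first_match(RULES, "192.168.1.11", "tcp", 22))
    print(shadowed(RULES))
```

An entry listed by shadowed() is one whose packets are all accepted earlier, so any restriction attached to it never takes effect.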