SuSEfirewall2 - first ALPHA - openSUSE Security

SuSEfirewall2 - first ALPHA

marc＠suse.de

1 Mar 2001 1 Mar '01

23:40

For the desperate: SuSEfirewall2 v0.3 is available for testing from www.suse.de/~marc It installs without problem with a SuSEfirewall(1) installation, the only variable shared is the START_FW variable (well, with the result that both firewall will try to start when booting ;-) please note: due my current network probs at home I could not make real tests. so everyone who can check features, and if possible send me a fix for something which is not working - that would be great!! Q: What changed from SuSEfirewall(1) to SuSEfirewall2 A: Many things. Most important: it uses iptables (which is especially for 2.4 kernels) instead of ipchains. Visible changes: New commandline option "debug" which prints out the iptables commands, great to print the rules, and them modify them for you liking! Added the new options: FW_ALLOW_CLASS_ROUTING - allow routing between interfaces of the same class, e.g. two internal networks FW_ALLOW_FW_BROADCAST - allow broadcast packets to reach the firewall FW_ALLOW_PING_EXT - allow the internal/dmz to ping the internet FW_SERVICE_AUTODETECT - autodetect START_{NAMED,SMB,DHCPD} and DHCLIENT Renamed some variables, removed some, changed syntax (small changes) All forward,masquerading,trust definitions can now be very global or very fine-grained as you need it The logging looks different - hell this is iptables :-( It takes a bit longer to create the complex ruleset :-( Invisible changes: A packet has to traverse much less rules, so packet processing is faster Stateful packet checking is present now (thanks to the 2.4 kernel) More intelligent ICMP filtering and identd rejection Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

Show replies by date

Joop Boonen

3 Mar 3 Mar

22:58

New subject: [suse-security] SuSEfirewall2 - first ALPHA

Dear Marc, I hope it's ok that i sent this mail to the firewall mailing list. I see the following in /etc/init.d/setup status Chain forward_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 20 1120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 12 1008 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 75 4120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 75 4120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 The forward from the internet to my internal network is clearly dropped. I think there is something wrong with the line before the drop line. (direction, source destination witched). I didn't really have time to look into this. But i wanted to let you know that everything seems to work perfectly except this part. I think if the line would be: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED It would already work, but it wouldn't be secure. I'm sorry for not be able to give you the answer right now. I will try later. Regards, Joop Boonen. I have attached the rc.firewall file and the status and the iptables -L file. Marc Heuse wrote:

...

For the desperate:

SuSEfirewall2 v0.3 is available for testing from www.suse.de/~marc It installs without problem with a SuSEfirewall(1) installation, the only variable shared is the START_FW variable (well, with the result that both firewall will try to start when booting ;-)

please note: due my current network probs at home I could not make real tests. so everyone who can check features, and if possible send me a fix for something which is not working - that would be great!!

Q: What changed from SuSEfirewall(1) to SuSEfirewall2 A: Many things. Most important: it uses iptables (which is especially for 2.4 kernels) instead of ipchains. Visible changes: New commandline option "debug" which prints out the iptables commands, great to print the rules, and them modify them for you liking! Added the new options: FW_ALLOW_CLASS_ROUTING - allow routing between interfaces of the same class, e.g. two internal networks FW_ALLOW_FW_BROADCAST - allow broadcast packets to reach the firewall FW_ALLOW_PING_EXT - allow the internal/dmz to ping the internet FW_SERVICE_AUTODETECT - autodetect START_{NAMED,SMB,DHCPD} and DHCLIENT Renamed some variables, removed some, changed syntax (small changes) All forward,masquerading,trust definitions can now be very global or very fine-grained as you need it The logging looks different - hell this is iptables :-( It takes a bit longer to create the complex ruleset :-( Invisible changes: A packet has to traverse much less rules, so packet processing is faster Stateful packet checking is present now (thanks to the 2.4 kernel) More intelligent ICMP filtering and identd rejection

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

# Copyright (c) 2001 SuSE GmbH Nuernberg, Germany. All rights reserved. # # Author: Marc Heuse , 2001 # Please contact me directly if you find bugs. # # If you have problems getting this tool configures, please read this file # carefuly and take also a look into # -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES ! # # /etc/rc.config.d/firewall2.rc.config # # for use with /sbin/SuSEfirewall2 version 0.3 which is for 2.4 kernels! # # ------------------------------------------------------------------------ # # PLEASE NOTE THE FOLLOWING: # # Just by configuring these settings and using the SuSEfirewall you are # not secure per se! There is *not* such a thing you install and hence you # are safed from all (security) hazards. # # To ensure your security, you need also: # # * Secure all services you are offering to untrusted networks (internet) # You can do this by using software which has been designed with # security in mind (like postfix, apop3d, ssh), setting these up without # misconfiguration and praying, that they have got really no holes. # SuSEcompartment can help in most circumstances to reduce the risk. # * Do not run untrusted software. (philosophical question, can you trust # SuSE or any other software distributor?) # * Harden your server(s) with the harden_suse package/script # * Recompile your kernel with the openwall-linux kernel patch # (former secure-linux patch, from Solar Designer) www.openwall.com # * Check the security of your server(s) regulary # * If you are using this server as a firewall/bastion host to the internet # for an internal network, try to run proxy services for everything and # disable routing on this machine. # * If you run DNS on the firewall: disable untrusted zone transfers and # either don't allow access to it from the internet or run it split-brained. # # Good luck! # # Yours, # SuSE Security Team # # ------------------------------------------------------------------------ # # Configuration HELP: # # If you have got any problems configuring this file, take a look at # /usr/share/doc/packages/SuSEfirewall/EXAMPLES for an example. # # # All types have to set START_FW in /etc/rc.config to "yes" ;-) # # If you are a end-user who is NOT connected to two networks (read: you have # got a single user system and are using a dialup to the internet) you just # have to configure (all other settings are OK): 2) and maybe 9). # # If this server is a firewall, which should act like a proxy (no direct # routing between both networks), or you are an end-user connected to the # internet and to an internal network, you have to setup your proxys and # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14) # # If this server is a firewall, and should do routing/masquerading between # the untrusted and the trusted network, you have to reconfigure (all other # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13), # 14), 20) # # If you want to run a DMZ in either of the above three standard setups, you # just have to configure *additionally* 4), 9), 12), 13), 17), 19). # # If you know what you are doing, you may also change 8), 11), 15), 16) # and the expert options 19), 20), 21), 22) and 23) at the far end, but you # should NOT. # # If you use diald or ISDN autodialing, you might want to set 17). # # To get programs like traceroutes to your firewall to work is a bit tricky, # you have to set the following options to "yes" : 11 (UDP only), 18 and 19. # # Please note that if you use service names, that they exist in /etc/services. # There is no service "dns", it's called "domain"; email is called "smtp" etc. # # *Any* routing between interfaces except masquerading requires to set FW_ROUTE # to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING ! # # If you just want to do masquerading without filtering, ignore this script # and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn): # iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0 # echo 1 > /proc/sys/net/ipv4/ip_forward # and additionally the following lines to get at least a minimum of security: # iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0 # iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0 # ------------------------------------------------------------------------ # # 1.) # Should the Firewall be started? # # This setting is done in /etc/rc.config (START_FW="yes") # # 2.) # Which is the interface that points to the internet/untrusted networks? # # Enter all the network devices here which are untrusted. # # Choice: any number of devices, seperated by a space # e.g. "eth0", "ippp0 ippp1 eth0:1" # FW_DEV_EXT="eth0" # # 3.) # Which is the interface that points to the internal network? # # Enter all the network devices here which are trusted. # If you are not connected to a trusted network (e.g. you have just a # dialup) leave this empty. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1 eth1:1" or "" # FW_DEV_INT="eth1" # # 4.) # Which is the interface that points to the dmz or dialup network? # # Enter all the network devices here which point to the dmz/dialups. # A "dmz" is a special, seperated network, which is only connected to the # firewall, and should be reachable from the internet to provide services, # e.g. WWW, Mail, etc. and hence are at risk from attacks. # See /usr/share/doc/packages/SuSEfirewall/EXAMPLES for an example. # # Special note: You have to configure FW_FORWARD to define the services # which should be available to the internet and set FW_ROUTE to yes. # # Choice: leave empty or any number of devices, seperated by a space # e.g. "tr0", "eth0 eth1 eth1:1" or "" # FW_DEV_DMZ="" # # 5.) # Should routing between the internet, dmz and internal network be activated? # REQUIRES: FW_DEV_INT or FW_DEV_DMZ # # You need only set this to yes, if you either want to masquerade internal # machines or allow access to the dmz (or internal machines, but this is not # a good idea). This option supersedes IP_FORWARD from /etc/rc.config! # # Setting this option one alone doesn't do anything. Either activate # massquerading with FW_MASQUERADE below if you want to masquerade your # internal network to the internet, or configure FW_FORWARD to define # what is allowed to be forwarded! # # Choice: "yes" or "no", defaults to "no" # FW_ROUTE="yes" # # 6.) # Do you want to masquerade internal networks to the outside? # REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE # # "Masquerading" means that all your internal machines which use services on # the internet seem to come from your firewall. # Please note that it is more secure to communicate via proxies to the # internet than masquerading. This option is required for FW_MASQ_NETS and # FW_FORWARD_MASQ. # # Choice: "yes" or "no", defaults to "no" # FW_MASQUERADE="yes" # # You must also define on which interface(s) to masquerade on. This is # normally your external device(s) to the internet. # Most users can leave the default below. # FW_MASQ_DEV="$FW_DEV_EXT" # # Which internal computers/networks are allowed to access the internet # directly (not via proxys on the firewall)? # Only these networks will be allowed access and will be masqueraded! # # Choice: leave empty or any number of hosts/networks seperated by a space. # Every host/network may get a list of allowed services, otherwise everything # is allowed. A target network, protocol and service is appended by a comma to # the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with # unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0tcp,21" allows # the 10.0.1.0 network to use www/ftp to the internet. # "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too. # Set this variable to "0/0" to allow unrestricted access to the internet. # FW_MASQ_NETS="192.168.2.0/23" # # 7.) # Do you want to protect the firewall from the internal network? # REQUIRES: FW_DEV_INT # # If you set this to "yes", internal machines may only access services on # the machine you explicitly allow. They will be also affected from the # FW_AUTOPROTECT_SERVICES option. # If you set this to "no", any user can connect (and attack) any service on # the firewall. # # Choice: "yes" or "no", defaults to "yes" # FW_PROTECT_FROM_INTERNAL="no" # # 8.) # Do you want to autoprotect all running network services on the firewall? # # If set to "yes", all network access to services TCP and UDP on this machine # will be prevented (except to those which you explicitly allow, see below: # FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP}) # # Choice: "yes" or "no", defaults to "yes" # FW_AUTOPROTECT_SERVICES="yes" # # 9.) # Which services ON THE FIREWALL should be accessible from either the internet # (or other untrusted networks), the dmz or internal (trusted networks)? # (see no.13 & 14 if you want to route traffic through the firewall) XXX # # Enter all ports or known portnames below, seperated by a space. # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP. # e.g. if a webserver on the firewall should be accessible from the internet: # FW_SERVICES_EXT_TCP="www" # e.g. if the firewall should receive syslog messages from the dmz: # FW_SERVICES_DMZ_UDP="syslog" # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols) # # Choice: leave empty or any number of ports, known portnames (from # /etc/services) and port ranges seperated by a space. Port ranges are # written like this: allow port 1 to 10 -> "1:10" # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514" # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2") # FW_SERVICES_EXT_TCP="ssh smtp http https ntp ftp 2064 3064" FW_SERVICES_EXT_UDP="domain ntp" FW_SERVICES_EXT_IP="" # FW_SERVICES_DMZ_TCP="" # Common: smtp domain FW_SERVICES_DMZ_UDP="" # Common: domain syslog FW_SERVICES_DMZ_IP="" # For VPN/Routing which END at the firewall!! # FW_SERVICES_INT_TCP="" # Common: ssh smtp domain FW_SERVICES_INT_UDP="" # Common: domain syslog FW_SERVICES_INT_IP="" # For VPN/Routing which END at the firewall!! # # 10.) # Which services should be accessible from trusted hosts/nets? # # Define trusted hosts/networks (doesnt matter if they are internal or # external) and the TCP and/or UDP services they are allowed to use. # # Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or # networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16" # Optional, enter a protocol after a comman, e.g. "1.1.1.1,icmp" # Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22" # FW_TRUSTED_NETS="" # # 11.) # How is access allowed to high (unpriviliged [above 1023]) ports? # # You may either allow everyone from anyport access to your highports ("yes"), # disallow anyone ("no"), anyone who comes from a defined port (portnumber or # known portname) [note that this is easy to circumvent!], or just your # defined nameservers ("DNS"). # Note that if you want to use normal (active) ftp, you have to set the TCP # option to ftp-data. If you use passive ftp, you don't need that. # Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root # from a firewall using this script (well, you can if you include range # 600:1023 in FW_SERVICES_EXT_UDP ...). # # Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no" # if not set # FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" # # 12.) # Are you running some of the services below? # They need special attention - otherwise they won´t work! # # Set services you are running to "yes", all others to "no", defaults to "no" # FW_SERVICE_AUTODETECT="no" FW_SERVICE_DNS="no" # (or "domain") set to allow incoming queries. # also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes" FW_SERVICE_DHCLIENT="yes" # you have to set this to "yes" ! FW_SERVICE_DHCPD="no" FW_SERVICE_SAMBA="no" # or server. As a server, you still have to set # FW_SERVICES_{EXT,DMZ,INT}_TCP="139" # Everyone may send you udp 137/138 packets if set # to yes! (samba on the firewall is not a good idea!) # # 13.) # Which services accessed from the internet should be allowed to the # dmz (or internal network - if it is not masqueraded)? # REQUIRES: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must have valid, non-private, IP addresses which were assigned to # you by your ISP. This opens a direct link to your network, so only use # this option for access to your dmz!!!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forwarding rules, seperated each by a space. # A forwarding rule consists of 1) source IP/net and 2) destination IP # seperated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24" # Optional is a protocol, seperated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp" # Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514" # FW_FORWARD="" # Beware to use this! # # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? # REQUIRES: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must be in a masqueraded segment and may not have public IP addesses! # Hint: if FW_DEV_MASQ is set to the external interface you have to set # FW_FORWARD from internal to DMZ for the service as well to allow access # from internal! # # Please note that this should *not* be used for security reasons! You are # opening a hole to your precious internal network. If e.g. the webserver there # is compromised - your full internal network is compromised!! # # Choice: leave empty (good choice!) or use the following explained syntax # of forward masquerade rules, seperated each by a space. # A forward masquerade rule consists of 1) source IP/net, 2) destination IP # (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port, # seperated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80" # Optional is a port after the destination port, to redirect the request to # a different destination port on the destination IP, e.g. # "4.0.0.0/8,1.1.1.1,tcp,80,81" # FW_FORWARD_MASQ="" # Beware to use this! # # 15.) # Which accesses to services should be redirected to a localport on the # firewall machine? # # This can be used to force all internal users to surf via your squid proxy, # or transparently redirect incoming webtraffic to a secure webserver. # # Choice: leave empty or use the following explained syntax of redirecting # rules, seperated by a space. # A redirecting rule consists of 1) source IP/net, 2) destination IP/net, # 3) original destination port and 4) local port to redirect the traffic to, # seperated by a colon. e.g. "10.0.0.0/8,0/0,80,3128 0/0,172.20.1.1,80,8080" # FW_REDIRECT="" # # 16.) # Which logging level should be enforced? # You can define to log packets which were accepted or denied. # You can also the set log level, the critical stuff or everything. # Note that logging *_ALL is only for debugging purpose ... # # Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes", # FW_LOG_*_ALL defaults to "no" # FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" # # only change/activate this if you know what you are doing! #FW_LOG=""--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" # # 17.) # Do you want to enable additional kernel TCP/IP security features? # If set to yes, some obscure kernel options are set. # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate, # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate, # ip_local_port_range, log_martians, mc_forwarding, mc_forwarding, # rp_filter, routing flush) # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it # if everything still works. (It should!) ;-) # # Choice: "yes" or "no", defaults to "yes" # FW_KERNEL_SECURITY="yes" # # 18.) # Keep the routing set on, if the firewall rules are unloaded? # REQUIRES: FW_ROUTE # # If you are using diald, or automatic dialing via ISDN, if packets need # to be sent to the internet, you need to turn this on. The script will then # not turn off routing and masquerading when stopped. # You *might* also need this if you have got a DMZ. # Please note that this is *insecure*! If you unload the rules, but are still # connected, you might your internal network open to attacks! # The better solution is to remove "/sbin/SuSEfirewall stop" or # "/sbin/init.d/firewall stop" from the ip-down script! # # # Choices "yes" or "no", defaults to "no" # FW_STOP_KEEP_ROUTING_STATE="no" # # 19.) # Allow (or don't) ICMP echo pings on either the firewall or the dmz from # the internet? The internet option is for allowing the DMZ and the internal # network to ping the internet. # REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_INTERNET # # Choice: "yes" or "no", defaults to "no" if not set # FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" ## # END of rc.firewall ## # # #-------------------------------------------------------------------------# # # # EXPERT OPTIONS - all others please don't change these! # # # #-------------------------------------------------------------------------# # # # # 20.) # Allow (or don't) ICMP time-to-live-exceeded to be send from your firewall. # This is used for traceroutes to your firewall (or traceroute like tools). # # Please note that the unix traceroute only works if you say "yes" to # FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say # additionally "yes" to FW_ALLOW_PING_FW # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_FW_TRACEROUTE="yes" # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Choice: "yes" or "no", defaults to "yes" # FW_ALLOW_FW_SOURCEQUENCH="yes" # # 22.) # Allow IP Broadcasts? # # If set to yes, the firewall will not filter broadcasts by default. # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast # option is used. # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_FW_BROADCAST="no" # # 23.) # Allow same class routing per default? # REQUIRES: FW_ROUTE # # Do you want to allow routing between interfaces of the same class # (e.g. between all internet interfaces, or all internal network interfaces) # be default (so without the need setting up FW_FORWARD definitions)? # # Choice: "yes" or "no", defaults to "no" # FW_ALLOW_CLASS_ROUTING="no" # # 25.) # Do you want to load customary rules from a file? # # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall-custom.rc.config # #FW_CUSTOMRULES="/etc/rc.config.d/firewall-custom.rc.config" Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT udp -- anywhere 255.255.255.255 state ESTABLISHED udp spt:bootps dpt:bootpc LOG all -- loopback/8 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING' LOG all -- anywhere loopback/8 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING' DROP all -- loopback/8 anywhere DROP all -- anywhere loopback/8 LOG all -- world-citizen.penguinpowered.com anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING' DROP all -- world-citizen.penguinpowered.com anywhere LOG all -- b73240.upc-b.chello.nl anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING' DROP all -- b73240.upc-b.chello.nl anywhere input_ext all -- anywhere b73240.upc-b.chello.nl input_int all -- anywhere world-citizen.penguinpowered.com LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-UNALLOWED-TARGET' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere forward_ext all -- anywhere anywhere forward_int all -- anywhere anywhere LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-UNALLOWED-ROUTING' DROP all -- anywhere anywhere Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere LOG icmp -- anywhere anywhere icmp time-exceeded LOG level warning tcp-options ip-options prefix `SuSE-FW-TRACEROUTE-ATTEMPT' ACCEPT icmp -- anywhere anywhere icmp time-exceeded ACCEPT icmp -- anywhere anywhere icmp port-unreachable ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed ACCEPT icmp -- anywhere anywhere icmp network-prohibited ACCEPT icmp -- anywhere anywhere icmp host-prohibited ACCEPT icmp -- anywhere anywhere icmp communication-prohibited DROP icmp -- anywhere anywhere icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state NEW TOS match Minimize-Delay icmp echo-request ACCEPT icmp -- anywhere anywhere TOS match Minimize-Delay icmp echo-reply ACCEPT icmp -- anywhere anywhere TOS match Maximize-Reliability ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Minimize-Delay tcp spt:ssh ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Minimize-Delay tcp dpt:ssh ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Maximize-Throughput tcp spt:ftp-data ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Maximize-Throughput tcp spt:http ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Maximize-Throughput tcp spt:http ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Maximize-Throughput tcp dpt:http ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Minimize-Delay tcp spt:domain ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Minimize-Delay udp dpt:domain ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Maximize-Reliability udp dpt:snmp ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED TOS match Maximize-Reliability udp dpt:snmptrap ACCEPT udp -- anywhere anywhere TOS match Maximize-Reliability udp dpt:syslog ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-OUTPUT-ERROR' Chain forward_dmz (0 references) target prot opt source destination LOG all -- b73192.upc-b.chello.nl/26 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- b73192.upc-b.chello.nl/26 anywhere LOG all -- 192.168.2.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- 192.168.2.0/24 anywhere LOG all -- anywhere world-citizen.penguinpowered.comLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION' DROP all -- anywhere world-citizen.penguinpowered.com LOG all -- anywhere b73240.upc-b.chello.nlLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION' DROP all -- anywhere b73240.upc-b.chello.nl ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT all -- 192.168.2.0/23 anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT' DROP all -- anywhere anywhere Chain forward_ext (1 references) target prot opt source destination LOG all -- 192.168.2.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- 192.168.2.0/24 anywhere LOG all -- 192.168.2.0/23 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- 192.168.2.0/23 anywhere LOG all -- anywhere world-citizen.penguinpowered.comLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION' DROP all -- anywhere world-citizen.penguinpowered.com ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT all -- 192.168.2.0/23 anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT' DROP all -- anywhere anywhere Chain forward_int (1 references) target prot opt source destination LOG all -- b73192.upc-b.chello.nl/26 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- b73192.upc-b.chello.nl/26 anywhere LOG all -- anywhere b73240.upc-b.chello.nlLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION' DROP all -- anywhere b73240.upc-b.chello.nl ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT all -- 192.168.2.0/23 anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT' DROP all -- anywhere anywhere Chain input_dmz (0 references) target prot opt source destination LOG all -- b73192.upc-b.chello.nl/26 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- b73192.upc-b.chello.nl/26 anywhere LOG all -- 192.168.2.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- 192.168.2.0/24 anywhere ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply LOG icmp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP' DROP icmp -- anywhere anywhere LOG tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-REJECT' REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset LOG tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:nntp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:nntp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:2064 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:2064 flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:3064 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:3064 flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535 ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN DROP udp -- anywhere anywhere udp dpt:fsp DROP udp -- anywhere anywhere udp dpt:smtp DROP udp -- anywhere anywhere udp dpt:http DROP udp -- anywhere anywhere udp dpt:nntp DROP udp -- anywhere anywhere udp dpt:ntp DROP udp -- anywhere anywhere udp dpt:https DROP udp -- anywhere anywhere udp dpt:printer DROP udp -- anywhere anywhere udp dpt:2064 DROP udp -- anywhere anywhere udp dpt:3064 ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED udp dpts:1024:65535 LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT' DROP all -- anywhere anywhere Chain input_ext (1 references) target prot opt source destination LOG all -- 192.168.2.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- 192.168.2.0/24 anywhere LOG all -- 192.168.2.0/23 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- 192.168.2.0/23 anywhere LOG icmp -- b73192.upc-b.chello.nl/26 anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT-SOURCEQUENCH' ACCEPT icmp -- b73192.upc-b.chello.nl/26 anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply LOG icmp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP' DROP icmp -- anywhere anywhere LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh LOG tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:smtp LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http LOG tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:https LOG tcp -- anywhere anywhere tcp dpt:ntp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ntp LOG tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ftp LOG tcp -- anywhere anywhere tcp dpt:2064 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:2064 LOG tcp -- anywhere anywhere tcp dpt:3064 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:3064 LOG tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-REJECT' REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset LOG tcp -- anywhere anywhere tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535 ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:domain ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:ntp DROP udp -- anywhere anywhere udp dpt:fsp DROP udp -- anywhere anywhere udp dpt:smtp DROP udp -- anywhere anywhere udp dpt:http DROP udp -- anywhere anywhere udp dpt:nntp DROP udp -- anywhere anywhere udp dpt:ntp DROP udp -- anywhere anywhere udp dpt:https DROP udp -- anywhere anywhere udp dpt:printer ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED udp dpts:1024:65535 ACCEPT udp -- anywhere anywhere state ESTABLISHED udp dpts:61000:65095 LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT' DROP all -- anywhere anywhere Chain input_int (1 references) target prot opt source destination LOG all -- b73192.upc-b.chello.nl/26 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF' DROP all -- b73192.upc-b.chello.nl/26 anywhere ACCEPT all -- anywhere anywhere ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply LOG icmp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP' DROP icmp -- anywhere anywhere LOG tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-REJECT' REJECT tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN reject-with tcp-reset LOG tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:nntp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:nntp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:2064 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:2064 flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:3064 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:3064 flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:nntp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:nntp flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:https flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP' DROP tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG tcp -- anywhere anywhere tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT' ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535 ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN DROP udp -- anywhere anywhere udp dpt:fsp DROP udp -- anywhere anywhere udp dpt:ssh DROP udp -- anywhere anywhere udp dpt:smtp DROP udp -- anywhere anywhere udp dpt:domain DROP udp -- anywhere anywhere udp dpt:domain DROP udp -- anywhere anywhere udp dpt:http DROP udp -- anywhere anywhere udp dpt:nntp DROP udp -- anywhere anywhere udp dpt:ntp DROP udp -- anywhere anywhere udp dpt:ntp DROP udp -- anywhere anywhere udp dpt:https DROP udp -- anywhere anywhere udp dpt:printer DROP udp -- anywhere anywhere udp dpt:2064 DROP udp -- anywhere anywhere udp dpt:3064 ACCEPT udp -- anywhere anywhere state RELATED,ESTABLISHED udp dpts:1024:65535 LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT' DROP all -- anywhere anywhere Checking the status of the Firewall: Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 195 160K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT udp -- * * 0.0.0.0/0 255.255.255.255 state ESTABLISHED udp spt:67 dpt:68 0 0 LOG all -- * * 127.0.0.0/8 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING' 0 0 LOG all -- * * 0.0.0.0/0 127.0.0.0/8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING' 0 0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 0 0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 0 0 LOG all -- * * 192.168.2.1 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING' 0 0 DROP all -- * * 192.168.2.1 0.0.0.0/0 0 0 LOG all -- * * 212.83.73.240 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING' 0 0 DROP all -- * * 212.83.73.240 0.0.0.0/0 707 167K input_ext all -- eth0 * 0.0.0.0/0 212.83.73.240 8948 575K input_int all -- eth1 * 0.0.0.0/0 192.168.2.1 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-UNALLOWED-TARGET' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- eth1 eth1 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- eth0 eth0 0.0.0.0/0 0.0.0.0/0 107 6248 forward_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0 144 11256 forward_int all -- eth1 * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-UNALLOWED-ROUTING' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 195 160K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 LOG flags 6 level 4 prefix `SuSE-FW-TRACEROUTE-ATTEMPT' 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11 2 241 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 9 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 10 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 13 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW TOS match 0x10 icmp type 8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 TOS match 0x10 icmp type 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 TOS match 0x04 6989 2443K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x10 tcp spt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x10 tcp dpt:22 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x08 tcp spt:20 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x08 tcp spt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x08 tcp spt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x08 tcp dpt:80 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x10 tcp spt:53 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x10 udp dpt:53 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x04 udp dpt:161 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED TOS match 0x04 udp dpt:162 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 TOS match 0x04 udp dpt:514 1189 488K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-OUTPUT-ERROR' Chain forward_dmz (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 212.83.73.192/26 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 212.83.73.192/26 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 0 0 LOG all -- * * 0.0.0.0/0 212.83.73.240 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 212.83.73.240 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain forward_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 20 1120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 12 1008 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 75 4120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 75 4120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain forward_int (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 212.83.73.192/26 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 212.83.73.192/26 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 212.83.73.240 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 212.83.73.240 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 144 11256 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain input_dmz (0 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 212.83.73.192/26 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 212.83.73.192/26 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP' 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-REJECT' 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x0216/0x022 reject-with tcp-reset 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2064 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2064 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3064 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3064 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpts:600:65535 flags:!0x0216/0x022 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpt:20 flags:!0x0216/0x022 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:119 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:515 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2064 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3064 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED udp dpts:1024:65535 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain input_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG icmp -- * * 212.83.73.192/26 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT-SOURCEQUENCH' 0 0 ACCEPT icmp -- * * 212.83.73.192/26 0.0.0.0/0 icmp type 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 2 168 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP' 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:25 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:80 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:443 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:123 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:123 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:21 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2064 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:2064 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3064 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:3064 1 44 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-REJECT' 1 44 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x0216/0x022 reject-with tcp-reset 3 144 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 390 112K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpts:600:65535 flags:!0x0216/0x022 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpt:20 flags:!0x0216/0x022 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:53 2 152 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpt:123 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:119 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:515 306 54533 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED udp dpts:1024:65535 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED udp dpts:61000:65095 6 324 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 6 324 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain input_int (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 212.83.73.192/26 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 212.83.73.192/26 0.0.0.0/0 8948 575K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP' 0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-REJECT' 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x0216/0x022 reject-with tcp-reset 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2064 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:2064 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3064 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:3064 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:119 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-DROP' 0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:515 flags:0x0216/0x022 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:0x0216/0x022 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED tcp dpts:1024:65535 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpts:600:65535 flags:!0x0216/0x022 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpt:20 flags:!0x0216/0x022 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:21 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:22 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:25 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:119 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:515 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2064 0 0 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3064 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED udp dpts:1024:65535 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain PREROUTING (policy ACCEPT 215 packets, 15323 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 253 packets, 27052 bytes) pkts bytes target prot opt in out source destination 27 2028 MASQUERADE all -- * eth0 192.168.2.0/23 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 253 packets, 27052 bytes) pkts bytes target prot opt in out source destination

Joop Boonen

23:11

New subject: [suse-security] SuSEfirewall2 - first ALPHA

I'm sorry i forgot to mention what the problem is. When i want o set-up a masqueraded connection it doesn't work. But ping (icmp) does work. I get ping replies from servers in the internet. When i do a tcpdump and when i look in the logging than i see that the return traffic is dropped at eth0 (my external interface). Except for this problem i didn't experience any other problems. Regards, Joop Boonen. Joop Boonen wrote:

...

Dear Marc,

I hope it's ok that i sent this mail to the firewall mailing list.

I see the following in /etc/init.d/setup status

Chain forward_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 20 1120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 12 1008 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 75 4120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 75 4120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

The forward from the internet to my internal network is clearly dropped.

I think there is something wrong with the line before the drop line. (direction, source destination witched). I didn't really have time to look into this. But i wanted to let you know that everything seems to work perfectly except this part.

I think if the line would be: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED It would already work, but it wouldn't be secure.

I'm sorry for not be able to give you the answer right now. I will try later.

Regards,

Joop Boonen.

I have attached the rc.firewall file and the status and the iptables -L file.

Marc Heuse wrote:

...
For the desperate:

SuSEfirewall2 v0.3 is available for testing from www.suse.de/~marc It installs without problem with a SuSEfirewall(1) installation, the only variable shared is the START_FW variable (well, with the result that both firewall will try to start when booting ;-)

please note: due my current network probs at home I could not make real tests. so everyone who can check features, and if possible send me a fix for something which is not working - that would be great!!

Q: What changed from SuSEfirewall(1) to SuSEfirewall2 A: Many things. Most important: it uses iptables (which is especially for 2.4 kernels) instead of ipchains. Visible changes: New commandline option "debug" which prints out the iptables commands, great to print the rules, and them modify them for you liking! Added the new options: FW_ALLOW_CLASS_ROUTING - allow routing between interfaces of the same class, e.g. two internal networks FW_ALLOW_FW_BROADCAST - allow broadcast packets to reach the firewall FW_ALLOW_PING_EXT - allow the internal/dmz to ping the internet FW_SERVICE_AUTODETECT - autodetect START_{NAMED,SMB,DHCPD} and DHCLIENT Renamed some variables, removed some, changed syntax (small changes) All forward,masquerading,trust definitions can now be very global or very fine-grained as you need it The logging looks different - hell this is iptables :-( It takes a bit longer to create the complex ruleset :-( Invisible changes: A packet has to traverse much less rules, so packet processing is faster Stateful packet checking is present now (thanks to the 2.4 kernel) More intelligent ICMP filtering and identd rejection

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

------------------------------------------------------------------------ Name: firewall2.rc.config firewall2.rc.config Type: Plain Text (text/plain) Encoding: quoted-printable

Name: iptabels2.txt iptabels2.txt Type: Plain Text (text/plain) Encoding: 7bit

Name: status.txt status.txt Type: Plain Text (text/plain) Encoding: 7bit

Part 1.5Type: Plain Text (text/plain)

marc＠suse.de

4 Mar 4 Mar

09:10

New subject: [suse-security] SuSEfirewall2 - first ALPHA

Hi Joop, thanks for testing and reporting! I will try to fix this today or the next days and provide an update. Greets, Marc

...

I'm sorry i forgot to mention what the problem is.

When i want o set-up a masqueraded connection it doesn't work. But ping (icmp) does work. I get ping replies from servers in the internet.

When i do a tcpdump and when i look in the logging than i see that the return traffic is dropped at eth0 (my external interface).

Except for this problem i didn't experience any other problems.

Regards,

Joop Boonen.

Joop Boonen wrote:

...
Dear Marc,

I hope it's ok that i sent this mail to the firewall mailing list.

I see the following in /etc/init.d/setup status

Chain forward_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 20 1120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 12 1008 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 75 4120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 75 4120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

The forward from the internet to my internal network is clearly dropped.

I think there is something wrong with the line before the drop line. (direction, source destination witched). I didn't really have time to look into this. But i wanted to let you know that everything seems to work perfectly except this part.

I think if the line would be: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED It would already work, but it wouldn't be secure.

I'm sorry for not be able to give you the answer right now. I will try later.

Regards,

Joop Boonen.

I have attached the rc.firewall file and the status and the iptables -L file.

Marc Heuse wrote:

...
For the desperate:

SuSEfirewall2 v0.3 is available for testing from www.suse.de/~marc It installs without problem with a SuSEfirewall(1) installation, the only variable shared is the START_FW variable (well, with the result that both firewall will try to start when booting ;-)

please note: due my current network probs at home I could not make real tests. so everyone who can check features, and if possible send me a fix for something which is not working - that would be great!!

Q: What changed from SuSEfirewall(1) to SuSEfirewall2 A: Many things. Most important: it uses iptables (which is especially for 2.4 kernels) instead of ipchains. Visible changes: New commandline option "debug" which prints out the iptables commands, great to print the rules, and them modify them for you liking! Added the new options: FW_ALLOW_CLASS_ROUTING - allow routing between interfaces of the same class, e.g. two internal networks FW_ALLOW_FW_BROADCAST - allow broadcast packets to reach the firewall FW_ALLOW_PING_EXT - allow the internal/dmz to ping the internet FW_SERVICE_AUTODETECT - autodetect START_{NAMED,SMB,DHCPD} and DHCLIENT Renamed some variables, removed some, changed syntax (small changes) All forward,masquerading,trust definitions can now be very global or very fine-grained as you need it The logging looks different - hell this is iptables :-( It takes a bit longer to create the complex ruleset :-( Invisible changes: A packet has to traverse much less rules, so packet processing is faster Stateful packet checking is present now (thanks to the 2.4 kernel) More intelligent ICMP filtering and identd rejection

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

------------------------------------------------------------------------ Name: firewall2.rc.config firewall2.rc.config Type: Plain Text (text/plain) Encoding: quoted-printable

Name: iptabels2.txt iptabels2.txt Type: Plain Text (text/plain) Encoding: 7bit

Name: status.txt status.txt Type: Plain Text (text/plain) Encoding: 7bit

Part 1.5Type: Plain Text (text/plain)

-- Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

Joop Boonen

10:48

New subject: [suse-security] SuSEfirewall2 - first ALPHA

Dear Marc, I've fixed the problem. I've added the diff. I don't know if this is a good solution (security?), but it works. Regards, Joop Boonen. Marc Heuse wrote:

...

Hi Joop,

thanks for testing and reporting! I will try to fix this today or the next days and provide an update.

Greets, Marc

...
I'm sorry i forgot to mention what the problem is.

When i want o set-up a masqueraded connection it doesn't work. But ping (icmp) does work. I get ping replies from servers in the internet.

When i do a tcpdump and when i look in the logging than i see that the return traffic is dropped at eth0 (my external interface).

Except for this problem i didn't experience any other problems.

Regards,

Joop Boonen.

Joop Boonen wrote:

...
Dear Marc,

I hope it's ok that i sent this mail to the firewall mailing list.

I see the following in /etc/init.d/setup status

Chain forward_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 20 1120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 12 1008 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 75 4120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 75 4120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

The forward from the internet to my internal network is clearly dropped.

I think there is something wrong with the line before the drop line. (direction, source destination witched). I didn't really have time to look into this. But i wanted to let you know that everything seems to work perfectly except this part.

I think if the line would be: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED It would already work, but it wouldn't be secure.

I'm sorry for not be able to give you the answer right now. I will try later.

Regards,

Joop Boonen.

I have attached the rc.firewall file and the status and the iptables -L file.

Marc Heuse wrote:

...
For the desperate:

SuSEfirewall2 v0.3 is available for testing from www.suse.de/~marc It installs without problem with a SuSEfirewall(1) installation, the only variable shared is the START_FW variable (well, with the result that both firewall will try to start when booting ;-)

please note: due my current network probs at home I could not make real tests. so everyone who can check features, and if possible send me a fix for something which is not working - that would be great!!

Q: What changed from SuSEfirewall(1) to SuSEfirewall2 A: Many things. Most important: it uses iptables (which is especially for 2.4 kernels) instead of ipchains. Visible changes: New commandline option "debug" which prints out the iptables commands, great to print the rules, and them modify them for you liking! Added the new options: FW_ALLOW_CLASS_ROUTING - allow routing between interfaces of the same class, e.g. two internal networks FW_ALLOW_FW_BROADCAST - allow broadcast packets to reach the firewall FW_ALLOW_PING_EXT - allow the internal/dmz to ping the internet FW_SERVICE_AUTODETECT - autodetect START_{NAMED,SMB,DHCPD} and DHCLIENT Renamed some variables, removed some, changed syntax (small changes) All forward,masquerading,trust definitions can now be very global or very fine-grained as you need it The logging looks different - hell this is iptables :-( It takes a bit longer to create the complex ruleset :-( Invisible changes: A packet has to traverse much less rules, so packet processing is faster Stateful packet checking is present now (thanks to the 2.4 kernel) More intelligent ICMP filtering and identd rejection

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

------------------------------------------------------------------------ Name: firewall2.rc.config firewall2.rc.config Type: Plain Text (text/plain) Encoding: quoted-printable

Name: iptabels2.txt iptabels2.txt Type: Plain Text (text/plain) Encoding: 7bit

Name: status.txt status.txt Type: Plain Text (text/plain) Encoding: 7bit

Part 1.5Type: Plain Text (text/plain)

--

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

--- /sbin/SuSEfirewall2-dist Sun Mar 4 10:38:41 2001 +++ /sbin/SuSEfirewall2 Sun Mar 4 11:28:07 2001 @@ -1111,6 +1111,8 @@ test -z "$PORT" || PORT="--dport $PORT" for DEV in $FW_MASQ_DEV; do for CHAIN in forward_ext forward_dmz forward_int; do + $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT-MASQ -d $NET1 $NET2 $PROTO $PORT -i $DEV + $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -d $NET1 $NET2 $PROTO $PORT -i $DEV $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT-MASQ -s $NET1 $NET2 $PROTO $PORT -o $DEV $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $NET1 $NET2 $PROTO $PORT -o $DEV done

Joop Boonen

11:05

New subject: [suse-security] SuSEfirewall2 - first ALPHA

Dear Marc, I improved the script a bit. I only don't know about the dmz as i don't have a dmz (So i don't know if it works or worked). Regards, Joop Boonen. Joop Boonen wrote:

...

Dear Marc,

I've fixed the problem. I've added the diff.

I don't know if this is a good solution (security?), but it works.

Regards,

Joop Boonen.

Marc Heuse wrote:

...
Hi Joop,

thanks for testing and reporting! I will try to fix this today or the next days and provide an update.

Greets, Marc

...
I'm sorry i forgot to mention what the problem is.

When i want o set-up a masqueraded connection it doesn't work. But ping (icmp) does work. I get ping replies from servers in the internet.

When i do a tcpdump and when i look in the logging than i see that the return traffic is dropped at eth0 (my external interface).

Except for this problem i didn't experience any other problems.

Regards,

Joop Boonen.

Joop Boonen wrote:

...
Dear Marc,

I hope it's ok that i sent this mail to the firewall mailing list.

I see the following in /etc/init.d/setup status

Chain forward_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 20 1120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 12 1008 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 75 4120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 75 4120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

The forward from the internet to my internal network is clearly dropped.

I think there is something wrong with the line before the drop line. (direction, source destination witched). I didn't really have time to look into this. But i wanted to let you know that everything seems to work perfectly except this part.

I think if the line would be: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED It would already work, but it wouldn't be secure.

I'm sorry for not be able to give you the answer right now. I will try later.

Regards,

Joop Boonen.

I have attached the rc.firewall file and the status and the iptables -L file.

Marc Heuse wrote:

...
For the desperate:

SuSEfirewall2 v0.3 is available for testing from www.suse.de/~marc It installs without problem with a SuSEfirewall(1) installation, the only variable shared is the START_FW variable (well, with the result that both firewall will try to start when booting ;-)

please note: due my current network probs at home I could not make real tests. so everyone who can check features, and if possible send me a fix for something which is not working - that would be great!!

Q: What changed from SuSEfirewall(1) to SuSEfirewall2 A: Many things. Most important: it uses iptables (which is especially for 2.4 kernels) instead of ipchains. Visible changes: New commandline option "debug" which prints out the iptables commands, great to print the rules, and them modify them for you liking! Added the new options: FW_ALLOW_CLASS_ROUTING - allow routing between interfaces of the same class, e.g. two internal networks FW_ALLOW_FW_BROADCAST - allow broadcast packets to reach the firewall FW_ALLOW_PING_EXT - allow the internal/dmz to ping the internet FW_SERVICE_AUTODETECT - autodetect START_{NAMED,SMB,DHCPD} and DHCLIENT Renamed some variables, removed some, changed syntax (small changes) All forward,masquerading,trust definitions can now be very global or very fine-grained as you need it The logging looks different - hell this is iptables :-( It takes a bit longer to create the complex ruleset :-( Invisible changes: A packet has to traverse much less rules, so packet processing is faster Stateful packet checking is present now (thanks to the 2.4 kernel) More intelligent ICMP filtering and identd rejection

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

------------------------------------------------------------------------ Name: firewall2.rc.config firewall2.rc.config Type: Plain Text (text/plain) Encoding: quoted-printable

Name: iptabels2.txt iptabels2.txt Type: Plain Text (text/plain) Encoding: 7bit

Name: status.txt status.txt Type: Plain Text (text/plain) Encoding: 7bit

Part 1.5Type: Plain Text (text/plain)

--

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

------------------------------------------------------------------------ Name: SuSEfirewall2.diff SuSEfirewall2.diff Type: Plain Text (text/plain) Encoding: 7bit

Part 1.3Type: Plain Text (text/plain)

--- /sbin/SuSEfirewall2-dist Sun Mar 4 10:38:41 2001 +++ /sbin/SuSEfirewall2 Sun Mar 4 11:56:46 2001 @@ -1110,10 +1110,14 @@ test -z "$PROTO" || PROTO="-p $PROTO" test -z "$PORT" || PORT="--dport $PORT" for DEV in $FW_MASQ_DEV; do - for CHAIN in forward_ext forward_dmz forward_int; do + for CHAIN in forward_ext forward_dmz; do + $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT-MASQ -d $NET1 $NET2 $PROTO $PORT -i $DEV + $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -d $NET1 $NET2 $PROTO $PORT -i $DEV + done + for CHAIN in forward_dmz forward_int; do $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT-MASQ -s $NET1 $NET2 $PROTO $PORT -o $DEV $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $NET1 $NET2 $PROTO $PORT -o $DEV - done + done test -z "$PROTO" && \ $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $NET1 $NET2 $PROTO $PORT -o $DEV test -z "$PROTO" || \

marc＠suse.de

6 Mar 6 Mar

19:54

New subject: [suse-security] SuSEfirewall2 - first ALPHA

Hi Joop! thanks for the diffs! I'm pretty busy currently, I hope I'll have a revised version online until friday/weeking and fix your stuff and other things people reported. thanks you all! Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

Joop Boonen

4 Mar 4 Mar

11:08

New subject: [suse-security] SuSEfirewall2 - first ALPHA

Dear Marc, I improved the script a bit. I only don't know about the dmz as i don't have a dmz (So i don't know if it works or worked). Regards, Joop Boonen. Joop Boonen wrote:

...

Dear Marc,

I've fixed the problem. I've added the diff.

I don't know if this is a good solution (security?), but it works.

Regards,

Joop Boonen.

Marc Heuse wrote:

...
Hi Joop,

thanks for testing and reporting! I will try to fix this today or the next days and provide an update.

Greets, Marc

...
I'm sorry i forgot to mention what the problem is.

When i want o set-up a masqueraded connection it doesn't work. But ping (icmp) does work. I get ping replies from servers in the internet.

When i do a tcpdump and when i look in the logging than i see that the return traffic is dropped at eth0 (my external interface).

Except for this problem i didn't experience any other problems.

Regards,

Joop Boonen.

Joop Boonen wrote:

...
Dear Marc,

I hope it's ok that i sent this mail to the firewall mailing list.

I see the following in /etc/init.d/setup status

Chain forward_ext (1 references) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 192.168.2.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/24 0.0.0.0/0 0 0 LOG all -- * * 192.168.2.0/23 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF' 0 0 DROP all -- * * 192.168.2.0/23 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 192.168.2.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION' 0 0 DROP all -- * * 0.0.0.0/0 192.168.2.1 20 1120 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3 12 1008 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0 0 0 ACCEPT all -- * eth0 192.168.2.0/23 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 75 4120 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT' 75 4120 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

The forward from the internet to my internal network is clearly dropped.

I think there is something wrong with the line before the drop line. (direction, source destination witched). I didn't really have time to look into this. But i wanted to let you know that everything seems to work perfectly except this part.

I think if the line would be: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED It would already work, but it wouldn't be secure.

I'm sorry for not be able to give you the answer right now. I will try later.

Regards,

Joop Boonen.

I have attached the rc.firewall file and the status and the iptables -L file.

Marc Heuse wrote:

...
For the desperate:

SuSEfirewall2 v0.3 is available for testing from www.suse.de/~marc It installs without problem with a SuSEfirewall(1) installation, the only variable shared is the START_FW variable (well, with the result that both firewall will try to start when booting ;-)

please note: due my current network probs at home I could not make real tests. so everyone who can check features, and if possible send me a fix for something which is not working - that would be great!!

Q: What changed from SuSEfirewall(1) to SuSEfirewall2 A: Many things. Most important: it uses iptables (which is especially for 2.4 kernels) instead of ipchains. Visible changes: New commandline option "debug" which prints out the iptables commands, great to print the rules, and them modify them for you liking! Added the new options: FW_ALLOW_CLASS_ROUTING - allow routing between interfaces of the same class, e.g. two internal networks FW_ALLOW_FW_BROADCAST - allow broadcast packets to reach the firewall FW_ALLOW_PING_EXT - allow the internal/dmz to ping the internet FW_SERVICE_AUTODETECT - autodetect START_{NAMED,SMB,DHCPD} and DHCLIENT Renamed some variables, removed some, changed syntax (small changes) All forward,masquerading,trust definitions can now be very global or very fine-grained as you need it The logging looks different - hell this is iptables :-( It takes a bit longer to create the complex ruleset :-( Invisible changes: A packet has to traverse much less rules, so packet processing is faster Stateful packet checking is present now (thanks to the 2.4 kernel) More intelligent ICMP filtering and identd rejection

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

------------------------------------------------------------------------ Name: firewall2.rc.config firewall2.rc.config Type: Plain Text (text/plain) Encoding: quoted-printable

Name: iptabels2.txt iptabels2.txt Type: Plain Text (text/plain) Encoding: 7bit

Name: status.txt status.txt Type: Plain Text (text/plain) Encoding: 7bit

Part 1.5Type: Plain Text (text/plain)

--

Greets, Marc -- Marc Heuse, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg E@mail: marc@suse.de Function: Security Research and Advisory PGP: "lynx -source http://www.suse.de/~marc/marc.pgp | pgp -fka" Key fingerprint = B5 07 B6 4E 9C EF 27 EE 16 D9 70 D4 87 B5 63 6C Private: http://www.suse.de/~marc SuSE: http://www.suse.de/security

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

------------------------------------------------------------------------ Name: SuSEfirewall2.diff SuSEfirewall2.diff Type: Plain Text (text/plain) Encoding: 7bit

Part 1.3Type: Plain Text (text/plain)

--- /sbin/SuSEfirewall2-dist Sun Mar 4 10:38:41 2001 +++ /sbin/SuSEfirewall2 Sun Mar 4 12:02:55 2001 @@ -1110,10 +1110,14 @@ test -z "$PROTO" || PROTO="-p $PROTO" test -z "$PORT" || PORT="--dport $PORT" for DEV in $FW_MASQ_DEV; do - for CHAIN in forward_ext forward_dmz forward_int; do + for CHAIN in forward_ext forward_dmz; do + $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT-MASQ -d $NET1 $NET2 $PROTO $PORT -i $DEV + $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -d $NET1 $NET2 $PROTO $PORT -i $DEV + done + for CHAIN in forward_dmz forward_int; do $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT-MASQ -s $NET1 $NET2 $PROTO $PORT -o $DEV $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -s $NET1 $NET2 $PROTO $PORT -o $DEV - done + done test -z "$PROTO" && \ $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $NET1 $NET2 $PROTO $PORT -o $DEV test -z "$PROTO" || \

Steffen Dettmer

5 Mar 5 Mar

10:32

New subject: [suse-security] SuSEfirewall2 - first ALPHA

* Joop Boonen wrote on Sun, Mar 04, 2001 at 12:08 +0100:

...

I improved the script a bit.

I haven't read the entire script. I just want to make some general comments.

...

@@ -1110,10 +1110,14 @@ test -z "$PROTO" || PROTO="-p $PROTO"

I think this will not work if $PROTO contains more than one proto. Did you checked that? Otherwise you will build "-p tcp udp" or similar, and the ipchains/iptables command will fail (I guess at least...). If I see a line 1110 it's quite a large script! That requires a useful design, otherwise it would be difficult to understand. That could have some functions to add an abstract layer and so on.

...

test -z "$PORT" || PORT="--dport $PORT" for DEV in $FW_MASQ_DEV; do - for CHAIN in forward_ext forward_dmz forward_int; do

I thing a little comment would not bad here, it's something cryptic following; especially in security it's very nessecary to optimize not for speed nor size but for readability.

...

+ for CHAIN in forward_ext forward_dmz; do + $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}-ACCEPT-MASQ -d $NET1 $NET2 $PROTO $PORT -i $DEV

$LAA tells me i.e. nothing, but may it's explained before that patch. I don't understand how you check if this iptables command was successful or not. Of course it's very important to check that. Please notice, that a messages to console via echo ist NOT sufficient here. You will have to use at least syslog (logger), or sent a mail directly (which is not always the best), but you cannot assume that somebody reads console messages. The output of iptables (in case of error) gets lost, too. Maybe you should write that in some logfile. Linebreaks are missing (standard displays have a linewidth of 80 characters).

...

+ $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -d $NET1 $NET2 $PROTO $PORT -i $DEV + done [...] test -z "$PROTO" && \ $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $NET1 $NET2 $PROTO $PORT -o $DEV test -z "$PROTO" || \

This is a "if-then-else" type thing? Then please write if-then-else, that's a lot more intuitive to understand. Did you checked the contents of the variables ($NET1, $PORT and so on)? What happens, if they include a "*"? The shell would expand that to the directory contents. Imagine, a user uses wildcard star for proto (and means all), and it gets expanded to root-directory files. Finally iptables fails when trying to block "etc" and "sbin", the user may or may not notice, and nothing gets blocked. For instance. At least you should quote the parameters: #install NAT rule for net1-->net2 "$IPTABLES" -A POSTROUTING \ --jump MASQUERADE \ --table nat \ --source "$NET1" "$NET2" \ "$PROTO" \ "$PORT" \ --out-interface "$DEV" #example error handler check_iptables $? Useing long options improved readability. Another hint: use not iptables directly, use a function. This function is declared in the script and acts as wrapper. The function evalutates results, checks for errors, keeps track of error messages. My firewall script has such a wrapper that counts rules and errors, and log a sum to syslog: Mar 5 10:12:58 dx S98firewall.std[1943]: Firewall set up successfully. Total number of rules: 97 Well, you flagged your script as ALPHA, so you might have changed the things already; I just wanted to give some comments. I would not call an own script that works with SuSE "SuSEFirewall", since this suggests me it's _from_ SuSE, not _for_ SuSE. But others may see this in a different way of course. I hope I'm not completly wrong ;) - Just some thoughts... Maybe the list could comment this. oki, Steffen -- Dieses Schreiben wurde maschinell erstellt, es trägt daher weder Unterschrift noch Siegel.

Joop Boonen

17:46

New subject: [suse-security] SuSEfirewall2 - first ALPHA

Read all, This the whole script. Joop. Steffen Dettmer wrote:

...

* Joop Boonen wrote on Sun, Mar 04, 2001 at 12:08 +0100:

...
I improved the script a bit.

I haven't read the entire script. I just want to make some general comments.

...
@@ -1110,10 +1110,14 @@ test -z "$PROTO" || PROTO="-p $PROTO"

I think this will not work if $PROTO contains more than one proto. Did you checked that? Otherwise you will build "-p tcp udp" or similar, and the ipchains/iptables command will fail (I guess at least...).

If I see a line 1110 it's quite a large script! That requires a useful design, otherwise it would be difficult to understand. That could have some functions to add an abstract layer and so on.

...
test -z "$PORT" || PORT="--dport $PORT" for DEV in $FW_MASQ_DEV; do - for CHAIN in forward_ext forward_dmz forward_int; do

es trägt daher weder Unterschrift noch Siegel.

...

--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com

8458

Age (days ago)

8463

Last active (days ago)

List overview

Download

9 comments

3 participants

participants (3)

Joop Boonen
marc＠suse.de
Steffen Dettmer