Hi all,
Getting messages like:
linux kernel: SuSE-FW-UNALLOWED-TARGETIN=ippp0 OUT= MAC= SRC=192.33.4.12 DST=212.xxx.xxx.xxx LEN=289 TOS=0x00 PREC=0x00 TTL=232 ID=48708 DF PROTO=UDP SPT=53 DPT=1024 LEN=269
System is SuSE7.3, SuSEfirewall2, running with eth0 internal, and ippp0 for the Internet. Running named with standard config (caching only), dhcpd, samba. Winclients logon OK, though it takes a long time (server is dialing out). In firewall config I set FW_STOP_KEEP_ROUTING_STATE="yes", I put highports open, using dynip patch, but above messages only seem to disappear when I restart firewall with line open. As soon as line is down, and up again, things go wrong (other IP address from ISP). I also set lcp-restart 2 in options.ippp0. I don't know where to look now, could anybody give a hint?
Hi Leen, On 2002.03.17 21:51 Leen de Braal wrote:
> Hi all, Getting messages like:
> linux kernel: SuSE-FW-UNALLOWED-TARGETIN=ippp0 OUT= MAC= SRC=192.33.4.12 DST=212.xxx.xxx.xxx LEN=289 TOS=0x00 PREC=0x00 TTL=232 ID=48708 DF PROTO=UDP SPT=53 DPT=1024 LEN=269
This means that a UDP packet arrived on interface ippp0, from host 192.33.4.12:53 (c.root-servers.net) for host 212.xxx.xxx.xxx:1024. This looks like a reply from a nameserver to your machine... maybe to an old ip-address?
> System is SuSE7.3, SuSEfirewall2, running with eth0 internal, and ippp0 for the Internet. Running named with standard config (caching only), dhcpd, samba. Winclients logon OK, though it takes a long time (server is dialing out). In firewall config I set FW_STOP_KEEP_ROUTING_STATE="yes", I put highports open, using dynip patch, but above messages only seem to disappear when I
> restart firewall with line open. As soon as line is down, and up again, things go wrong (other IP address from ISP). I also set lcp-restart 2 in options.ippp0. I don't know where to look now, could anybody give a hint?
Try restarting the firewall automagically then - have a close look at /etc/ppp/ip-up and find somewhere suitable to do a restart... HTH, Maf.
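As an added example (not code from the thread or from SuSEfirewall2), a small Python parser for the SuSE-FW kernel-log format quoted above, with a triage rule that applies Maf's reading of the line: UDP from source port 53 is a nameserver answer, and whether its DST is the address ippp0 holds right now separates a harmless reply to an old lease from a legitimate reply the firewall is dropping. The sample log lines and the 203.0.113.x / 198.51.100.x addresses are constructed.

```python
import re
from typing import Dict, Optional

# Constructed sample lines in the SuSEfirewall2 kernel-log format quoted in the
# thread; 203.0.113.x and 198.51.100.x are documentation addresses, not real hosts.
SAMPLE_LOG = """\
kernel: SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=192.33.4.12 DST=203.0.113.7 LEN=289 TOS=0x00 PREC=0x00 TTL=232 ID=48708 DF PROTO=UDP SPT=53 DPT=1024 LEN=269
kernel: SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=192.33.4.12 DST=203.0.113.9 LEN=120 TOS=0x00 PREC=0x00 TTL=232 ID=48711 DF PROTO=UDP SPT=53 DPT=1025 LEN=100
kernel: SuSE-FW-UNALLOWED-TARGET IN=ippp0 OUT= MAC= SRC=198.51.100.5 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=TCP SPT=4444 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The archive squashes the space before IN= in places ("...TARGETIN=ippp0"),
# so the header pattern accepts both spellings.
HEADER_RE = re.compile(r"SuSE-FW-(\S+?)\s*(?=IN=)")
INT_FIELDS = {"LEN", "LEN2", "TTL", "ID", "SPT", "DPT"}


def parse_fw_log(line: str) -> Optional[Dict[str, object]]:
    """Split one SuSE-FW kernel message into KEY=value fields (None if the line
    is not one).  The second LEN= (UDP/TCP length) becomes LEN2; bare tokens
    such as DF or SYN are collected under 'flags'."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    entry: Dict[str, object] = {"rule": m.group(1), "flags": []}
    for tok in line[m.end():].split():
        if "=" not in tok:
            entry["flags"].append(tok)
            continue
        key, val = tok.split("=", 1)
        if key == "LEN" and "LEN" in entry:
            key = "LEN2"
        entry[key] = int(val) if key in INT_FIELDS and val else val
    return entry


def classify(entry: Dict[str, object], current_ip: str) -> str:
    """Explain a drop on the dial-up interface.  UDP from source port 53 is a
    DNS answer: sent to the address ippp0 holds now, a legitimate reply is
    being lost (rules still bound to the old address); sent anywhere else,
    it answers a query from an earlier lease and is harmless."""
    if entry.get("PROTO") == "UDP" and entry.get("SPT") == 53:
        if entry.get("DST") == current_ip:
            return "dns-reply-dropped"
        return "dns-reply-stale-address"
    return "unsolicited"


if __name__ == "__main__":
    for e in filter(None, map(parse_fw_log, SAMPLE_LOG.splitlines())):
        print(e["SRC"], "->", e["DST"], classify(e, "203.0.113.9"))
```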
* Maf . King wrote on Sun, Mar 17, 2002 at 23:59 +0000:
> restart firewall with line open. As soon as line is down, and up again, things go wrong (other IP address from ISP).
> Try restarting the firewall automagically then - have a close look at /etc/ppp/ip-up and find somewhere suitable to do a restart...
I don't recommend that! Please don't use your external IP for filtering, even though this works when you have just a single IP, but use the device name (ppp0) instead. I think such setups are much more straightforward and easier to understand.
When restarting the firewall, there are two possibilities: the system is too wide open during restart, which results in a race condition with an unprotected system, or it's too closed, which results in a race condition with wrongly dropped or rejected packets. So start the firewall as early as possible and don't change it automatically.
oki,
Steffen
-- 
This message was generated by machine; it therefore bears neither signature nor seal.
Hi Steffen,
I want to point at another thing. It depends on the default target of every table/chain whether the system is opened during restart. SuSEFirewall's default targets are dropped.
Ciao ;-)
Robert Rottscholl - DE
Steffen Dettmer wrote:
> * Maf . King wrote on Sun, Mar 17, 2002 at 23:59 +0000:
> > restart firewall with line open. As soon as line is down, and up again, things go wrong (other IP address from ISP).
> > Try restarting the firewall automagically then - have a close look at /etc/ppp/ip-up and find somewhere suitable to do a restart...
> I don't recommend that! Please don't use your external IP for filtering, even though this works when you have just a single IP, but use the device name (ppp0) instead. I think such setups are much more straightforward and easier to understand.
> When restarting the firewall, there are two possibilities: the system is too wide open during restart, which results in a race condition with an unprotected system, or it's too closed, which results in a race condition with wrongly dropped or rejected packets. So start the firewall as early as possible and don't change it automatically.
> oki,
> Steffen
* Robert Rottscholl wrote on Mon, Mar 18, 2002 at 12:26 +0100:
> Steffen Dettmer wrote: [...firewall restart races...]
> > condition with an unprotected system, or it's too closed, which results in a race condition with wrongly dropped or rejected packets.
> I want to point at another thing. It depends on the default target of every table/chain whether the system is opened during restart.
Yes, of course you are correct, but I think it's the same thing I told?
> SuSEFirewall's default targets are dropped.
So this would result in an unwanted packet drop. With UDP DNS packets, this can lead to a longer "block", since many applications block when resolving, and it may happen that the second, non-firewalled packet gets lost on the wire... Well, you know :)
oki,
Steffen
-- 
This message was generated by machine; it therefore bears neither signature nor seal.