Mailinglist Archive: opensuse-security (670 mails)
[Re: [suse-security] Stopping firewall2 takes long time]
- From: David D'Hauwe <David.DHauwe@xxxxxxxxxxx>
- Date: Thu, 22 Nov 2001 19:39:34 +0100
- Message-id: <3BFD4666.2090906@xxxxxxxxxxx>
Thanks for the help, I found that the rmmod caused the delay because not all modules are loaded. For the moment I removed this from the script, it doesn't make any difference when shutting down the machine.
John Tricley wrote:
When I just issue SuSEfirewall2 stop, this takes a long time,
meanwhile I can still do dns lookups without any problem even when the
firewall has stopped.
So you need to look for an error somewhere. I suggest you run the script
with a "sh -x" to see exactly what is causing the delay.
David
The output says the following modules are not loaded:
ipt_MASQUERADE
ipt_MARK
ipt_MIRROR
ipt_REDIRECT
ipt_limit
ipt_mac
ipt_mark
ipt_multiport
ipt_owner
ipt_tcpmss
ipt_tos
ipt_unclean
ip_queue
ip_queue
This is the 'stop' function
function reset_rules() {
    echo -n "SuSEfirewall2: clearing rules now ..."
    test "$FW_STOP_KEEP_ROUTING_STATE" = "yes" || (
        echo 0 > /proc/sys/net/ipv4/ip_forward
    ) > /dev/null 2>&1
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -F
    $IPTABLES -t mangle -X
    ( rmmod ipt_TCPMSS ipt_TOS ipt_MASQUERADE ipt_LOG ipt_state \
        ipt_MARK ipt_MIRROR ipt_REDIRECT ipt_limit ipt_mac ipt_mark \
        ipt_multiport ipt_owner ipt_tcpmss ipt_tos ipt_unclean ip_queue \
        ip_nat_ftp ip_conntrack_ftp ipt_REJECT iptable_mangle iptable_nat \
        iptable_filter ip_queue ip_conntrack iptable_filter ip_tables
    ) > /dev/null 2> /dev/null
    echo " done"
}
--
David D'Hauwe
Lange Boomgaardstraat 86
B-9000 Gent
David.DHauwe@xxxxxxxxxxx
+32(0)497/58.95.80
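
An added example, not part of the original post or of SuSEfirewall2: instead of calling rmmod on the whole fixed list and discarding its errors, filter the list against the kernel's module table first and report any unload that fails. The function names, the PROC_MODULES override and the sample module table are assumptions made for this sketch.

```shell
# Constructed sample of a module table; only the first column (name) is read.
sample_proc_modules() {
cat <<'EOF'
ipt_LOG 3136 2
ipt_state 608 4
iptable_filter 1728 1
ip_conntrack 12684 1 [ipt_state]
ip_tables 10432 4 [ipt_LOG ipt_state iptable_filter]
EOF
}

# loaded_subset MODULES_FILE name...
# Prints, one per line and in the order given, each candidate whose name is
# in the first column of MODULES_FILE. Repeated candidates are printed once.
loaded_subset() {
    modfile=$1; shift
    seen=" "
    for m in "$@"; do
        case "$seen" in *" $m "*) continue ;; esac
        seen="$seen$m "
        if awk -v want="$m" '$1 == want { found = 1 } END { exit !found }' "$modfile"; then
            printf '%s\n' "$m"
        fi
    done
}

# unload_loaded name...
# Runs rmmod only on candidates that are loaded, keeps the caller's order
# (dependent modules first, ip_tables last) and reports failures on stderr
# rather than sending them to /dev/null. Returns the number of failures.
unload_loaded() {
    failed=0
    for m in $(loaded_subset "${PROC_MODULES:-/proc/modules}" "$@"); do
        if ! rmmod "$m"; then
            echo "could not unload $m" >&2
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage inside a stop function (needs root):
#   unload_loaded ipt_TCPMSS ipt_TOS ipt_MASQUERADE ipt_LOG ipt_state ... ip_tables
```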