I looked at my firewall using iptables and wondered if I was being protected. It seems that the first statement accepts all protocols from anywhere to anywhere. So are most of the statements left in the INPUT chain meaningless? I have made 2 changes manually to the firewall. One to allow port 6881 traffic and to prevent 6881 resets by middlemen on a connection. When I delete the first line my browser stops working. I had been forced to use a untainted kernel and so apparmor does not load. Is that why this is behaving weirdly? Does apparmor with its kernel patches add another chain/table to the SuSEfirewall2? Doesn't "ACCEPT" stop processing of rules in a given chain? root:~> root:~>iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED input_ext all -- anywhere anywhere input_ext all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET ' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING ' Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' Chain forward_ext (0 references) target prot opt source destination Chain input_ext (2 references) target prot opt source destination DROP all -- anywhere anywhere PKTTYPE = broadcast ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp echo-request DROP tcp -- anywhere anywhere tcp dpt:6881 flags:RST/RST ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:111 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:111 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:20 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:20 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:21 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:21 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:2401 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:2401 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:80 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:80 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:6881 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:6881 reject_func tcp -- anywhere anywhere tcp dpt:113 state NEW LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' DROP all -- anywhere anywhere PKTTYPE = multicast LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV ' DROP all -- anywhere anywhere Chain reject_func (1 references) target prot opt source destination REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable root:~> --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org