On Sun, Apr 22, 2001 at 10:31:13AM -0400, Rick Green wrote:
On Sun, 22 Apr 2001, Konstantin (Kastus) Shchuka wrote:
Another host is trying to connect to a service on your host. Your host is not running that service, so it's attempting to tell the requestor politely to go away. ICMP 3 is the way to do this. However, your ipchains ruleset is preventing the outgoing ICMP 3 message from being sent, and it's writing this message to the log to let you know.
I'm using SuSEfirewall, it generates rules automatically. There is only one place which deals with icmp, it's FW_KERNEL_SECURITY="yes". Is it correct?

A few months ago, I posed this same question on the suse-security list, and marc told me to simply set FW_ALLOW_FW_TRACEROUTE="yes", and SuSEfirewall would handle it.
OK, I managed to fine-tune the rules.

First thing, I uncommented the line

    FW_CUSTOMRULES="/etc/rc.config.d/firewall-custom.rc.config"

in /etc/rc.config.d/firewall.rc.config

Second, I added the following two lines to the file /etc/rc.config.d/firewall-custom.rc.config in section fw_custom_before_antispoofing():

    ipchains -I output -j ACCEPT -p icmp -d 198.144.192.2 3 --icmp-type 3
    ipchains -I output -j ACCEPT -p icmp -d 198.144.192.4 3 --icmp-type 3

where 198.144.192.2 and 198.144.192.4 are my DNS servers.

Thanks again to Rick for pointing me in the right direction.

-Kastus
-- Rick Green
"I have the heart of a little child, and the brain of a genius. ... and I keep them in a jar under my bed"
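To make concrete what the "ICMP 3" message in Rick's explanation carries, and what the two custom output rules in Kastus's follow-up let through, here is an added Python example. It is not code from the thread, from SuSEfirewall or from ipchains. It builds a constructed type 3 / code 3 (port unreachable) reply that a host at 192.0.2.10 (an assumed local address) would send back to 198.144.192.2 after a UDP datagram from port 53 arrived on a closed port, decodes that reply to show the quoted original datagram, and models the allow decision the rules express. The model assumes my reading of ipchains ICMP matching, in which the "port" after -d is the ICMP code and --icmp-type sets the type, so "-d 198.144.192.2 3 --icmp-type 3" matches type 3, code 3 only; the local address, the port numbers and the payload bytes are assumptions.

```python
import socket
import struct

# Added example, not code from the thread, SuSEfirewall or ipchains.
ICMP_DEST_UNREACH = 3           # the "ICMP 3" of the thread
UNREACH_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    13: "communication administratively prohibited",
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum shared by IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header without options, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(offending: bytes) -> bytes:
    """ICMP type 3 / code 3 as a host sends it for a closed UDP port:
    8-byte ICMP header followed by the offending datagram's IP header plus
    its first 8 bytes of transport header (RFC 792)."""
    ihl = (offending[0] & 0x0F) * 4
    body = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0) + offending[:ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_unreachable(icmp: bytes) -> dict:
    """Decode a type-3 message and report which datagram it complains about."""
    itype, code, _csum, _unused = struct.unpack("!BBHI", icmp[:8])
    if itype != ICMP_DEST_UNREACH:
        raise ValueError("not a destination-unreachable message (type %d)" % itype)
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    fields = struct.unpack("!BBHHHBBH4s4s", inner[:20])
    proto, src, dst = fields[6], fields[8], fields[9]
    info = {
        "code": code,
        "meaning": UNREACH_CODES.get(code, "unknown code %d" % code),
        "orig_src": socket.inet_ntoa(src),
        "orig_dst": socket.inet_ntoa(dst),
        "orig_proto": proto,
    }
    # TCP (6) and UDP (17) both start with source and destination port,
    # which is all the 8 quoted transport bytes are guaranteed to contain.
    if proto in (6, 17) and len(inner) >= ihl + 4:
        info["orig_sport"], info["orig_dport"] = struct.unpack("!HH", inner[ihl:ihl + 4])
    return info


def outbound_icmp_allowed(dst: str, icmp: bytes, dns_servers) -> bool:
    """Model of the two custom output rules: an outgoing ICMP packet passes
    only if it is type 3, code 3 and addressed to one of the listed DNS servers
    (assumed reading of ipchains' '-d addr code' together with --icmp-type)."""
    return icmp[0] == ICMP_DEST_UNREACH and icmp[1] == 3 and dst in set(dns_servers)


# Constructed scenario (everything except the DNS server addresses is assumed):
# 198.144.192.2 sends a UDP datagram from port 53 to port 41234 on our host
# 192.0.2.10, where nothing is listening, so our host answers with ICMP 3/3.
OUR_HOST = "192.0.2.10"
DNS_SERVERS = ["198.144.192.2", "198.144.192.4"]
udp_segment = struct.pack("!HHHH", 53, 41234, 12, 0) + b"\xde\xad\xbe\xef"
offending = build_ipv4_header(DNS_SERVERS[0], OUR_HOST, 17, len(udp_segment)) + udp_segment
reply = build_port_unreachable(offending)

if __name__ == "__main__":
    print(parse_unreachable(reply))
    for target in (DNS_SERVERS[0], "203.0.113.9"):
        print(target, "allowed" if outbound_icmp_allowed(target, reply, DNS_SERVERS) else "dropped")
```

The decoded message names the original source, destination, protocol and ports, which is why a log entry about a blocked outgoing ICMP 3 can be traced back to the datagram that provoked it. Allowing only type 3 to the two DNS servers, as the custom rules do, is a narrower exception than opening outbound ICMP generally; a practitioner who wants to confirm the rule is doing what it should can compare the decoded original source against the allowed list before widening it.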