Mailinglist Archive: opensuse (3506 mails)

Re: [SLE] Firewall zones (not fixed after all)
  • From: Darryl Gregorash <raven@xxxxxxxxxxxxx>
  • Date: Sat, 30 Sep 2006 09:21:59 +0000 (UTC)
  • Message-id: <451E3733.1060504@xxxxxxxxxxxxx>
On 29/09/06 17:32, Paul Abrahams wrote:
>On Friday 29 September 2006 5:23 pm, Darryl Gregorash wrote:
>
>
>>If it is possible, please set FW_TRUSTED_NETS to just 192.168.0.0/24,
>>restart the firewall, and then run:
>>
>>iptables-save
>>
>>The results of this should tell us what is going on. This should work
>>without having to specify a bunch of protocol/port options.
>>
>
>Here you are:
>
><snip>
>-A INPUT -i eth0 -j input_ext
><snip>
>-A input_ext -m pkttype --pkt-type broadcast -j DROP
>

OK, those are the first two rules in the input chains. After some icmp
stuff comes:

>-A input_ext -s 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state
> --state NEW -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options
> --log-ip-options
>-A input_ext -s 192.168.0.0/255.255.255.0 -m state --state
> NEW,RELATED,ESTABLISHED -j ACCEPT
Windows uses broadcasts extensively in its file sharing, so refusing all
broadcasts is the reason why a Windows client cannot see the shares (as
you mentioned in your next post). I believe if you set
FW_ALLOW_FW_BROADCAST_EXT="137" in /etc/sysconfig/SuSEfirewall2, things
should work again. Sorry I didn't catch this earlier, but I never even
thought to ask you if you were denying broadcasts -- I just assumed that
if you were using Samba, you must be allowing port 137 broadcasts.
Please see the firewall config file for a discussion of how this
variable works.

>Hope this helps. Did you want me to try a Samba access from some other
>machine?
>
>Paul
>
>
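The ordering problem Darryl points out (a blanket `--pkt-type broadcast -j DROP` sitting at the top of `input_ext`, ahead of the trusted-net `ACCEPT`, so NetBIOS name-service broadcasts from the LAN are dropped before the trusted-net rule is ever reached) can be spotted mechanically in `iptables-save` output. The script below is an added example and not part of the original thread or of SuSEfirewall2; the two sample dumps are constructed for it, the `input_ext` lines follow the ones quoted in the post, and the extra `ACCEPT` for UDP 137 broadcasts in the second dump is an assumption about what SuSEfirewall2 emits when `FW_ALLOW_FW_BROADCAST_EXT="137"` is set, not a rule copied from the page.

```python
"""Check iptables-save output for the SuSEfirewall2 ordering issue from the thread:
a blanket broadcast DROP in input_ext that precedes the trusted-net ACCEPT, and
whether a UDP 137 (NetBIOS-NS) broadcast exception exists ahead of that DROP."""
import shlex

# Constructed "before" dump: input_ext rules follow those quoted in the post.
SAMPLE_BEFORE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -s 192.168.0.0/255.255.255.0 -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options --log-ip-options
-A input_ext -s 192.168.0.0/255.255.255.0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A input_ext -j DROP
COMMIT
"""

# Constructed "after" dump: assumed shape of the rule SuSEfirewall2 adds for
# FW_ALLOW_FW_BROADCAST_EXT="137"; placed ahead of the blanket broadcast DROP.
SAMPLE_AFTER_PORT137 = SAMPLE_BEFORE.replace(
    "-A input_ext -m pkttype --pkt-type broadcast -j DROP\n",
    "-A input_ext -p udp -m pkttype --pkt-type broadcast -m udp --dport 137 -j ACCEPT\n"
    "-A input_ext -m pkttype --pkt-type broadcast -j DROP\n",
)


def parse_rules(dump):
    """Return [(chain, tokens)] for every '-A' line, preserving order."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)  # keeps the quoted --log-prefix value as one token
        rules.append((tokens[1], tokens[2:]))
    return rules


def _has(tokens, *seq):
    """True if `seq` occurs as a contiguous run inside `tokens`."""
    n = len(seq)
    return any(tuple(tokens[i:i + n]) == seq for i in range(len(tokens) - n + 1))


def _chain(rules, chain):
    return [toks for ch, toks in rules if ch == chain]


def broadcast_dropped_before_trusted(rules, chain="input_ext",
                                     trusted="192.168.0.0/255.255.255.0"):
    """Return (drop_pos, accept_pos) within `chain` when an unqualified
    broadcast DROP precedes the ACCEPT for `trusted`; None otherwise."""
    drop_pos = accept_pos = None
    for pos, toks in enumerate(_chain(rules, chain)):
        if (drop_pos is None and _has(toks, "--pkt-type", "broadcast")
                and _has(toks, "-j", "DROP") and "-s" not in toks):
            drop_pos = pos
        if (accept_pos is None and _has(toks, "-s", trusted)
                and _has(toks, "-j", "ACCEPT")):
            accept_pos = pos
    if drop_pos is not None and accept_pos is not None and drop_pos < accept_pos:
        return drop_pos, accept_pos
    return None


def udp_broadcast_allowed(rules, port, chain="input_ext"):
    """True if an ACCEPT for UDP broadcasts to `port` appears before the first
    unqualified broadcast DROP in `chain` (or there is no such DROP at all)."""
    drop_pos = accept_pos = None
    for pos, toks in enumerate(_chain(rules, chain)):
        if (drop_pos is None and _has(toks, "--pkt-type", "broadcast")
                and _has(toks, "-j", "DROP") and "-s" not in toks):
            drop_pos = pos
        if (accept_pos is None and _has(toks, "--pkt-type", "broadcast")
                and _has(toks, "-p", "udp") and _has(toks, "--dport", str(port))
                and _has(toks, "-j", "ACCEPT")):
            accept_pos = pos
    return accept_pos is not None and (drop_pos is None or accept_pos < drop_pos)


if __name__ == "__main__":
    for label, dump in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER_PORT137)):
        rules = parse_rules(dump)
        print(label, "broadcast DROP before trusted ACCEPT:",
              broadcast_dropped_before_trusted(rules))
        print(label, "UDP 137 broadcasts reach ACCEPT:", udp_broadcast_allowed(rules, 137))
```

Run it against a real `iptables-save` dump by reading the file into `parse_rules`; the `_has` helper matches contiguous option/value pairs so that `-j DROP` in a `--log-prefix` string or a `--dport` range is not mistaken for the rule's target.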

