https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c2

Alien A <alien.www@gmx.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO                    |NEW
   InfoProvider    |alien.www@gmx.com           |

--- Comment #2 from Alien A <alien.www@gmx.com> 2013-09-27 13:38:23 UTC ---
First I was trying to do it with FW_SERVICES_ACCEPT_EXT.

Then I decided to make my own rules and place them in SuSEfirewall2-custom (in fw_custom_before_port_handling()). But often the flooder was able to bypass it. My debug showed that it was accepted by the default "--ctstate ESTABLISHED -j ACCEPT" rule.

For now I found a workaround: delete that rule and add my own with an exception:

iptables -D INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED ! --ctorigdstport 5060:5061 -j ACCEPT

It works, but I think it would be nice to have option(s) in /etc/sysconfig/SuSEfirewall2 to change or disable that "--ctstate ESTABLISHED -j ACCEPT".

By default, any "established" traffic gets accepted without any further flood control. That can affect any service, not only SIP.

I'll attach my whole SuSEfirewall2-custom file.
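The following is an added example of a SuSEfirewall2-custom fragment built around the workaround in comment #2; it is not the reporter's attached file and not SuSEfirewall2's own code. It assumes the fw_custom_before_port_handling() hook runs after the blanket ESTABLISHED accept has been inserted into INPUT (as the reporter's -D/-A pair implies), and the SIP_PORTS, SIP_LIMIT, SIP_BURST and IPTABLES variables, the rate thresholds and the log prefix are all constructed here. Setting IPTABLES=echo prints the rules instead of applying them, which is how the fragment can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the bug reporter's SuSEfirewall2-custom attachment.
# Variables below are assumptions made for this example.
SIP_PORTS="${SIP_PORTS:-5060:5061}"   # ports kept out of the blanket ESTABLISHED accept
SIP_LIMIT="${SIP_LIMIT:-50/second}"   # assumed per-source rate considered normal
SIP_BURST="${SIP_BURST:-100}"         # assumed burst allowance before limiting kicks in
IPTABLES="${IPTABLES:-iptables}"      # set IPTABLES=echo to preview the rules without root

fw_custom_before_port_handling() {
    # 1. Remove the unconditional ESTABLISHED accept. Once the first packet has
    #    created a conntrack entry, every later packet of the flood matches it
    #    and never reaches the per-service rules. The -D is allowed to fail
    #    (rule already gone on a second run).
    $IPTABLES -D INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT 2>/dev/null || true

    # 2. Re-add it with the SIP ports excluded, so SIP packets fall through to
    #    the rate limit below even when they belong to a known "connection".
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED \
        ! --ctorigdstport "$SIP_PORTS" -j ACCEPT

    # 3. Per-source rate limit for SIP over UDP and TCP. Traffic within the
    #    limit is accepted; the excess is logged (itself rate limited, so the
    #    log cannot be flooded) and dropped.
    for proto in udp tcp; do
        $IPTABLES -A INPUT -p "$proto" --dport "$SIP_PORTS" \
            -m hashlimit --hashlimit-name "sip_$proto" --hashlimit-mode srcip \
            --hashlimit-upto "$SIP_LIMIT" --hashlimit-burst "$SIP_BURST" -j ACCEPT
        $IPTABLES -A INPUT -p "$proto" --dport "$SIP_PORTS" \
            -m limit --limit 5/minute -j LOG --log-prefix "SIP_FLOOD "
        $IPTABLES -A INPUT -p "$proto" --dport "$SIP_PORTS" -j DROP
    done
    true
}
```

Because the hook both deletes and re-adds the ESTABLISHED rule, it stays correct if SuSEfirewall2 is reloaded; the hashlimit table is keyed per source address, so one flooding host does not starve legitimate SIP peers.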