https://bugzilla.novell.com/show_bug.cgi?id=839292
https://bugzilla.novell.com/show_bug.cgi?id=839292#c0

Summary: default behavior of iptables rules generator creates security hole
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86
OS/Version: openSUSE 12.3
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: alien.www@gmx.com
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=556542)
 --> (http://bugzilla.novell.com/attachment.cgi?id=556542)
real life flood

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0

By default, the /usr/sbin/SuSEfirewall2 script installs the unconfigurable rule "-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT" (in function allow_basic_established). I'm running a SIP server and have a connection rate limit in my FW setup, but I can't place anything before that default accepting rule or change it. This leads to a situation when a SIP flood gets accepted (and eats all of my bandwidth) since it is considered "established" (has packets in both directions). See example log.

Reproducible: Always

Steps to Reproduce:
1. set up a SIP server
2. place any connection rate limit rules in SuseFirewall
3. register-flood your server from outside

Actual Results:
SIP flood passes through SuseFirewall

Expected Results:
SIP traffic should hit my rate limiting rule
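A constructed model of first-match iptables evaluation, added here as an illustration and not taken from the bug report or from SuSEfirewall2, showing why the rule order matters: with the unconditional ESTABLISHED accept ahead of a hashlimit-style per-source limit, every packet of a UDP REGISTER flood after the first reply is accepted, while with the limit evaluated first only the burst plus the refill rate gets through. The source address, the 20 packets/s limit with a burst of 50, and the 1000-packet flood are constructed, and conntrack and hashlimit are approximated (a flow counts as ESTABLISHED once the server has answered it).

```python
from collections import defaultdict

SIP_PORT = 5060
COST_MT = 1000  # one packet costs 1000 millitokens; integer math keeps counts exact

def run_chain(rules, packets):
    """First-match evaluation of INPUT rules with policy DROP, as SuSEfirewall2 sets it.
    rules: list of (matcher(pkt, ctx) -> bool, verdict). Returns the ACCEPT count."""
    ctx = {"replied": set(), "buckets": defaultdict(lambda: [None, 0])}
    accepted = 0
    for pkt in packets:
        verdict = next((action for match, action in rules if match(pkt, ctx)), "DROP")
        if verdict == "ACCEPT":
            accepted += 1
            ctx["replied"].add(pkt["src"])  # server answers, conntrack now sees both directions
    return accepted

def established(pkt, ctx):
    """-m conntrack --ctstate ESTABLISHED: the flow has traffic in both directions."""
    return pkt["src"] in ctx["replied"]

def sip_above_rate(rate_pps, burst):
    """hashlimit-style per-source token bucket acting like --hashlimit-above: True once a
    source exceeds `burst` packets plus `rate_pps` packets/second to the SIP port."""
    burst_mt = burst * COST_MT
    def matcher(pkt, ctx):
        if pkt["dport"] != SIP_PORT:
            return False
        bucket = ctx["buckets"][pkt["src"]]  # [last_ms, millitokens]
        last, tokens = bucket
        # rate_pps packets/s refills exactly rate_pps millitokens per millisecond
        tokens = burst_mt if last is None else min(burst_mt, tokens + (pkt["t_ms"] - last) * rate_pps)
        bucket[0] = pkt["t_ms"]
        if tokens < COST_MT:
            bucket[1] = tokens
            return True  # over the limit: the DROP rule matches
        bucket[1] = tokens - COST_MT
        return False
    return matcher

def accept_sip(pkt, ctx):
    return pkt["dport"] == SIP_PORT  # the opened SIP service port

# Constructed flood: 1000 REGISTERs from one source, one per millisecond.
FLOOD = [{"src": "203.0.113.7", "dport": SIP_PORT, "t_ms": i} for i in range(1000)]
LIMIT = (20, 50)  # 20 packets/s sustained, burst of 50
# Order SuSEfirewall2 generates: the ESTABLISHED accept precedes the user's limit.
SUSEFIREWALL2_ORDER = [(established, "ACCEPT"), (sip_above_rate(*LIMIT), "DROP"), (accept_sip, "ACCEPT")]
# Order the reporter asks for: the limit is evaluated before anything is accepted.
FIXED_ORDER = [(sip_above_rate(*LIMIT), "DROP"), (established, "ACCEPT"), (accept_sip, "ACCEPT")]
```

Running `run_chain` over `FLOOD` with both orders gives 1000 accepted packets for the SuSEfirewall2 order and 69 (the burst of 50 plus roughly 20/s of refill over one second) when the limit comes first.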