https://bugzilla.novell.com/show_bug.cgi?id=272516

Summary: SuSEfirewall2 unexpected default FW_SERVICES_REJECT_EXT configuration
Product: SUSE Linux 10.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
AssignedTo: security-team@suse.de
ReportedBy: s.handgraaf@xs4all.nl
QAContact: qa@suse.de

SUSE has a state-of-the-art firewall built around the purpose of only cooperating with outside traffic when needed by the user. Except on one point: the handling of ident traffic on port 113. By default the firewall is configured to ignore any need and just answer the outside traffic with a reject.

Configuration /etc/sysconfig/SuSEfirewall2 :

FW_SERVICES_REJECT_EXT="0/0,tcp,113"

IMHO a firewall should not be configured in this conflicting way. A firewall is implemented for security. Security is based on protecting the user's interests. My main point is that a system should not be configured to answer requests to non-existing services unless the user explicitly needs this by a confirmation.

My suggestions are as follows:

a) remove the rule to reject so all requests from outside are dropped by default;
b) only configure the firewall to reject instead of drop traffic when the user confirms this;
c) configure the firewall to drop by default but reject traffic when it can be expected this was triggered from inside when the user confirms it wants this behaviour, otherwise drop all traffic.
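
A check an administrator could run to see which ports a SuSEfirewall2 configuration answers with a REJECT, given as an added example that is not part of the bug report or of SuSEfirewall2. The entry format (space-separated `net,proto,port`) is assumed from the single value the report quotes; the function names and the sample file are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report or of SuSEfirewall2.
# Assumption: the variable holds space-separated "net,proto,port" entries,
# the shape of the one value quoted in the report.

# Print one "net proto port" line per entry of the last uncommented
# FW_SERVICES_REJECT_EXT assignment in the given sysconfig file.
list_reject_ext() {
    awk '
        /^[[:space:]]*FW_SERVICES_REJECT_EXT=/ {
            last = $0
            sub(/^[^=]*=/, "", last)   # drop the variable name
            gsub(/"/, "", last)        # drop the surrounding quotes
        }
        END {
            n = split(last, entries, " ")
            for (i = 1; i <= n; i++) {
                m = split(entries[i], f, ",")
                printf "%s %s %s\n", f[1], (m > 1 ? f[2] : "any"), (m > 2 ? f[3] : "any")
            }
        }' "$1"
}

# Exit status 0 when no REJECT entries are configured, 1 otherwise.
reject_ext_is_empty() {
    [ -z "$(list_reject_ext "$1")" ]
}

# Constructed sample file: a commented-out line, then the default from the report.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
EOF

list_reject_ext "$sample" | while read -r net proto port; do
    echo "REJECT answer sent to $net for $proto port $port"
done
```

On a real system, pass /etc/sysconfig/SuSEfirewall2 instead of the sample file.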