[Bug 857036] New: external firewall rules seem infunctional
https://bugzilla.novell.com/show_bug.cgi?id=857036
https://bugzilla.novell.com/show_bug.cgi?id=857036#c0

           Summary: external firewall rules seem infunctional
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Platform: i686
        OS/Version: openSUSE 13.1
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: estellnb@elstel.org
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0

After configuring enp0s3 as external zone I had a look at my iptables; they start like the following:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Isn't that fully non-functional if it accepts anything from anywhere just as the first rule?

It would also be worth considering ensuring some protection level by default and not using any interface as a DMZ by default, as a couple of services are running by default: postfix, avahi-daemon, cups and init on ::631.

Reproducible: Always

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=857036

Xiyuan Liu <xyliu@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xyliu@suse.com
         AssignedTo|bnc-team-screening@forge.pr |varkoly@suse.com
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=857036

Peter Varkoly <varkoly@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|varkoly@suse.com            |meissner@suse.com
https://bugzilla.novell.com/show_bug.cgi?id=857036#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |estellnb@elstel.org

--- Comment #1 from Marcus Meissner <meissner@suse.com> 2014-01-07 15:49:46 UTC ---
Looks like the firewall is not enabled.

systemctl status SuSEfirewall2
https://bugzilla.novell.com/show_bug.cgi?id=857036#c2

Elmar Stellnberger <estellnb@elstel.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|estellnb@elstel.org         |

--- Comment #2 from Elmar Stellnberger <estellnb@elstel.org> 2014-01-09 11:15:57 UTC ---
# systemctl status SuSEfirewall2
SuSEfirewall2.service - SuSEfirewall2 phase 2
   Loaded: loaded (/usr/lib/systemd/system/SuSEfirewall2.service; enabled)
   Active: active (exited) since Do 2014-01-09 12:01:52 CET; 14min ago
  Process: 1409 ExecStart=/usr/sbin/SuSEfirewall2 boot_setup (code=exited, status=0/SUCCESS)
 Main PID: 1409 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/SuSEfirewall2.service

Jan 09 12:01:47 linux-ipv7 systemd[1]: Starting SuSEfirewall2 phase 2...
Jan 09 12:01:47 linux-ipv7 SuSEfirewall2[1434]: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Jan 09 12:01:52 linux-ipv7 SuSEfirewall2[1511]: Firewall rules successfully set
Jan 09 12:01:52 linux-ipv7 systemd[1]: Started SuSEfirewall2 phase 2.
https://bugzilla.novell.com/show_bug.cgi?id=857036#c3

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
       InfoProvider|                            |estellnb@elstel.org

--- Comment #3 from Marcus Meissner <meissner@suse.com> 2014-01-09 13:52:37 UTC ---
And "SuSEfirewall2 status" please.

Also attach /etc/sysconfig/SuSEfirewall2 (prune private information if any).
https://bugzilla.novell.com/show_bug.cgi?id=857036#c4

--- Comment #4 from Elmar Stellnberger <estellnb@elstel.org> 2014-01-09 14:24:17 UTC ---
Created an attachment (id=573859)
 --> (http://bugzilla.novell.com/attachment.cgi?id=573859)
/etc/sysconfig/SuSEfirewall2

AFAICR I didn't do much more than enable the firewall for the given interface.
https://bugzilla.novell.com/show_bug.cgi?id=857036

Elmar Stellnberger <estellnb@elstel.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
       InfoProvider|estellnb@elstel.org         |
https://bugzilla.novell.com/show_bug.cgi?id=857036#c5

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2014-01-09 14:29:25 UTC ---
Can you run "SuSEfirewall2 status" too?
https://bugzilla.novell.com/show_bug.cgi?id=857036#c6

--- Comment #6 from Elmar Stellnberger <estellnb@elstel.org> 2014-01-09 15:11:38 UTC ---
Created an attachment (id=573871)
 --> (http://bugzilla.novell.com/attachment.cgi?id=573871)
SuSEfirewall2 status (output of)
https://bugzilla.novell.com/show_bug.cgi?id=857036#c7

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #7 from Marcus Meissner <meissner@suse.com> 2014-01-09 15:23:15 UTC ---
OK, looks all fine.

ACCEPT     all  --  anywhere             anywhere

This line from comment 0 is only for "lo", the loopback device. "SuSEfirewall2 status" has it at:

   30  1500 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Looking through the packet counters, there is quite some stuff DROPped in the input_ext chain at the end, so I think the firewall is live and filtering.

=> Use "iptables -L -v" instead of just -L to also see the interfaces.
https://bugzilla.novell.com/show_bug.cgi?id=857036#c8

--- Comment #8 from Elmar Stellnberger <estellnb@elstel.org> 2014-01-09 15:27:06 UTC ---
OK; thanks for the info and for investigating the issue.
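The misreading in comment 0 and the resolution in comment 7 (list with -v so the in/out interface columns appear) can be turned into a small audit. The script below is an added example and is not code from this bug report or from SuSEfirewall2. It parses a constructed "iptables -L INPUT -v -n" listing: the counters are made up, the "lo" line mirrors the one quoted in comment 7, and the third ACCEPT line is a hypothetical wildcard rule that the reporter's machine did not have, inserted so that the audit has something to flag. Only ACCEPT rules with no interface, address or match-extension restriction at all are reported as unrestricted; the loopback-only ACCEPT that looked alarming without -v is classified as harmless.

```python
"""Audit an `iptables -L INPUT -v -n` listing for ACCEPT rules that really are unrestricted.

Without -v, iptables hides the in/out interface columns, so a rule that only
accepts traffic on the loopback device prints as "ACCEPT all -- anywhere anywhere".
This parses the verbose, numeric listing and separates loopback-only ACCEPTs
from ACCEPTs that carry no interface, address or match restriction.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of `iptables -L INPUT -v -n`. Counters are made up;
# the `lo` line mirrors the one quoted in comment 7 of the bug. The third ACCEPT line
# is a hypothetical wildcard rule (the reporter's box did not have one) so the audit
# has something to flag.
SAMPLE_LISTING = """\
Chain INPUT (policy DROP 120 packets, 9000 bytes)
 pkts bytes target     prot opt in     out     source               destination
   30  1500 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
  800 64000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
 4000  300K input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}


def _counter(token: str) -> int:
    """iptables abbreviates large counters, e.g. 300K or 12M."""
    if token and token[-1] in _SUFFIX:
        return int(float(token[:-1]) * _SUFFIX[token[-1]])
    return int(token)


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str = ""  # match extensions printed after the destination column, if any

    def loopback_only(self) -> bool:
        return self.in_if == "lo"

    def unrestricted_accept(self) -> bool:
        """ACCEPT with no interface, address or match restriction at all."""
        return (
            self.target == "ACCEPT"
            and self.in_if == "*"
            and self.source == "0.0.0.0/0"
            and self.destination == "0.0.0.0/0"
            and not self.extra
        )


def parse_listing(text: str) -> Tuple[Optional[str], List[Rule]]:
    """Return (chain policy, rules) for one chain of `iptables -L -v -n` output."""
    policy = None
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            m = re.search(r"\(policy (\w+)", line)
            policy = m.group(1) if m else None
            continue
        if line.startswith("pkts "):
            continue  # column header
        parts = line.split(None, 9)  # at most 10 fields; match extensions stay in parts[9]
        if len(parts) < 9:
            raise ValueError(f"unexpected rule line: {line!r}")
        rules.append(Rule(
            pkts=_counter(parts[0]),
            nbytes=_counter(parts[1]),
            target=parts[2],
            prot=parts[3],
            in_if=parts[5],  # parts[4] is the opt column ("--")
            out_if=parts[6],
            source=parts[7],
            destination=parts[8],
            extra=parts[9] if len(parts) > 9 else "",
        ))
    return policy, rules


def audit_input_chain(text: str) -> dict:
    """Summarise what a reader of the plain `-L` output would have missed."""
    policy, rules = parse_listing(text)
    return {
        "policy": policy,
        "loopback_accepts": [r for r in rules if r.target == "ACCEPT" and r.loopback_only()],
        "unrestricted_accepts": [r for r in rules if r.unrestricted_accept()],
        "rules": rules,
    }


if __name__ == "__main__":
    result = audit_input_chain(SAMPLE_LISTING)
    print("policy:", result["policy"])
    for r in result["loopback_accepts"]:
        print("loopback-only ACCEPT (harmless):", r)
    for r in result["unrestricted_accepts"]:
        print("UNRESTRICTED ACCEPT, investigate:", r)
```

On a live system the same check runs on `iptables -L INPUT -v -n` piped into parse_listing; `iptables -S INPUT` is an alternative that always prints the interface match ("-i lo") regardless of verbosity. For the IPv6 ruleset repeat the audit on ip6tables output, where the wildcard address is "::/0" rather than "0.0.0.0/0".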
participants (1)
-
bugzilla_noreply@novell.com