February 2001 - openSUSE Security - openSUSE Mailing Lists

RE: [suse-security] Re: InterScan eManager Content Management Notification!
by Raffy 26 Feb '01

26 Feb '01

> (Q: is it possible to configure Amavis to send info about the virus > detected to the recipient person? Currently it only tells that a > "virus have been found" and includes original mail's headers but it > doesn't tell which virus was found; this last info is sent only to the > postmaster or virusalert's mail address you have defined but not to > the recipient or sender address). You probably can. Check the file scanmails (/usr/sbin/scanmails) In the section: ################### send a mail back to sender ###################### the email which is going to the sender is defined. Now you say that the postmaster gets the information. Just copy that part of his email into the above mentioned part and it should work. Or did I misunderstand you? Raffy

3 3

Spoofed mail. What to do ?
by omicron 26 Feb '01

26 Feb '01

hi i recently got a mail which i *suspect* must have been spoofed (i think, from my classmates) but i can't say it beyond doubt. The info i garnered from the mail, including my email address itself (incase u have noticed,i got an MX recently), the contents of it are rather suspicious. But unfortunately the headers are quite ordinary, and it came from a webmail account, so i cant get any ident, finger , nothing on it. Is there any way , i can legitimately check whether the email was spoofed or not ? regards omicron -- ****** An optimist sees light at the end of every tunnel. A pessimist fears it might be of an incoming train. omicron(a)omicron.dyndns.org omicron.symonds.net C O G I T O E R G O S U M ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3 2

Blocked Mail (in reply to Roman Drahtmuellers mail)
by Leithner Wolfgang 26 Feb '01

26 Feb '01

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear list! I'm awfully sorry for this to happen, but obviously my VirusWall loathes not to run on a real OS. Quite frankly I can't imagine how this happened. I know Roman would NEVER use something *@"§ as a VBS script. Again, I'm very sorry, but that's one thing I guess I have to live with :( cu Wolfgang Leithner GROHE GmbH Leiter EDV KS/A Beichlg. 6 EMail: wolfgang.leithner(a)grohe.at A-1100 Wien Mobil:+43-(0)676-499 12 38 Tel.: +43-(0)1-680 60-18 Fax: +43-(0)1-689 87 47 __________________________________________________________ _ ASCII Ribbon | / \ against | >> Möge der Tux mit Dir sein! << \_/ HTML | >> May the Tux be with You! << / \ in postings | __________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com> iQA/AwUBOppSowzasNYM4aYGEQKo7wCfaLYJrSosqmDuKJqbMGWmPSfzrV8AniTF hbexGU3WkCYpNtsvRZdy+9FY =I7Ls -----END PGP SIGNATURE-----

2 1

Blocked Mail (in reply to Roman Drahtmuellers mail)
by Leithner Wolfgang 26 Feb '01

26 Feb '01

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Dear list! I'm awfully sorry for this to happen, but obviously my VirusWall loathes not to run on a real OS. Quite frankly I can't imagine how this happened. I know Roman would NEVER use something *@"§ as a VBS script. Again, I'm very sorry, but that's one thing I guess I have to live with :( cu Wolfgang Leithner GROHE GmbH Leiter EDV KS/A Beichlg. 6 EMail: wolfgang.leithner(a)grohe.at A-1100 Wien Mobil:+43-(0)676-499 12 38 Tel.: +43-(0)1-680 60-18 Fax: +43-(0)1-689 87 47 __________________________________________________________ _ ASCII Ribbon | / \ against | >> Möge der Tux mit Dir sein! << \_/ HTML | >> May the Tux be with You! << / \ in postings | __________________________________________________________ -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com> iQA/AwUBOppSowzasNYM4aYGEQKo7wCfaLYJrSosqmDuKJqbMGWmPSfzrV8AniTF hbexGU3WkCYpNtsvRZdy+9FY =I7Ls -----END PGP SIGNATURE-----

1 0

Re: [suse-security] openssh
by Nix 26 Feb '01

26 Feb '01

At 05:28 PM 25/02/2001, you wrote: >hi > i'm using openssh , and i want to know how i can login to a remote >computer from mine ( which has a dialup connection -- dynamic ip, but with a >dyndns.org hostname) without being asked for a password. i used ssh-keygen to >generate both dsa & rsa keys and i put the pub keys in the remote computer's >~/.ssh/authorized_keys2 & ~/.ssh/authorized_keys, but it still is asking for >a password. What have i done wrong ? Also, make sure the the authorized_keys file has the permissions 700 or ssh will ignore it... Cheers --- Nix - nix(a)susesecurity.com http://www.susesecurity.com

1 0

Fw: [suse-security] SuSE 7.1 - firewall
by mathias rockel 26 Feb '01

26 Feb '01

Hi! I was wonring too... I changed the time the firewall is starte by renaming the start-script in /etc/init.d/rc3.d to a number higher than the network start-script, it then did not show the error messages that no devices were found, but still at the end reported that SuSEfirewall_init and the other two failed to complete. interestingly, this seems to be caused only by the ippp0 device, because after I removed the network card from the pc (to test something else), it told me that all three scripts had failed two times each ! strange. mats ----- Original Message ----- From: "Ernst Koch" <ernst.koch(a)gmx.de> To: <> Sent: Monday, February 26, 2001 12:11 PM Subject: Re: [suse-security] SuSE 7.1 - firewall > >On the installation we have the following problem: > >the first time the firewall script runs the Network is not up so > >we only get an error message. > > > > > >Can someone tell me if this is normal or how I can fix this. > > I have got the same problem. How can I start the firewall *after* the > network (ippp0) was started? > > Regards > Ernst > > -- > Sent through GMX FreeMail - http://www.gmx.net > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: suse-security-unsubscribe(a)suse.com > For additional commands, e-mail: suse-security-help(a)suse.com >

1 0

Firewall and Problems with allowing UDP 17000:17050, allways reject by the last rule
by rene marhold 25 Feb '01

25 Feb '01

Hi, i´ve there some problems by allowing UDP PACKETS outgoing an Firewall The Problem-Zones are bold masked to find them easyer (my friend wants to play halflife, but his firewall is allways blocking with following message: Packet log: output REJECT eth1 PROTO=17 212.186.xx.xx:62445 194.183.128.54:27019 L=37 S=0x00 I=5296 F=0x0000 T=127 (#29) #!/bin/sh echo "Starting firewalling... " # ---------------------------------------------------------------------------- # Some definitions for easy maintenance. # EDIT THESE TO SUIT YOUR SYSTEM AND ISP. EXTERNAL_INTERFACE="eth1" # Internet connected interface LOOPBACK_INTERFACE="lo" # or your local naming convention LOCAL_INTERFACE_1="eth0" # internal LAN interface IPADDR="212.186.xx.xx" # your IP address LOCALNET_1="10.10.10.0/24" # whatever private range you use EXTERN_1="212.17.XX:XX" # extern 1 # Simon ANYWHERE="any/0" # match any IP address NAMESERVER_1="any/0" # everyone must have at least one LOOPBACK="127.0.0.0/8" # reserved loopback address range CLASS_A="10.0.0.0/8" # class A private networks CLASS_B="172.16.0.0/12" # class B private networks CLASS_C="192.168.0.0/16" # class C private networks CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses BROADCAST_SRC="0.0.0.0" # broadcast source address BROADCAST_DEST="255.255.255.255" # broadcast destination address PRIVPORTS="0:1023" # well known, privileged port range UNPRIVPORTS="1024:65535" # unprivileged port range # ---------------------------------------------------------------------------- HALFLIFE="17000:17050" # HALFLIFE port range NFS_PORT="2049" # (TCP/UDP) NFS SOCKS_PORT="1080" # (TCP) Socks # X Windows port allocation begins at 6000 and increments to 6063 # for each additional server running. XWINDOW_PORTS="6000:6063" # (TCP) X windows # traceroute usually uses -S 32769:65535 -D 33434:33523 TRACEROUTE_SRC_PORTS="32769:65535" TRACEROUTE_DEST_PORTS="33434:33523" # The SSH client starts at 1023 and works down to 513 for each # additional simultaneous connection originating from a privileged port. # Clients can optionally be configured to use only unprivileged ports. SSH_LOCAL_PORTS="1022:65535" # port range for local clients SSH_REMOTE_PORTS="513:65535" # port range for remote clients # ---------------------------------------------------------------------------- # Default policy is DENY # Explicitly accept desired INCOMING & OUTGOING connections # Remove all existing rules belonging to this filter ipchains -F # Set the default policy of the filter to deny. ipchains -P input DENY ipchains -P output REJECT ipchains -P forward DENY # set masquerade timeout to 10 hours for tcp connections ipchains -M -S 36000 0 0 # ---------------------------------------------------------------------------- # Enable IP Forwarding, if it isn't already echo 1 > /proc/sys/net/ipv4/ip_forward # Enable TCP SYN Cookie Protection echo 1 > /proc/sys/net/ipv4/tcp_syncookies # Enable always defragging Protection echo 1 > /proc/sys/net/ipv4/ip_always_defrag # Enable broadcast echo Protection echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts # Enable bad error message Protection echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses # Enable IP spoofing protection # turn on Source Address Verification for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f done # Disable ICMP Redirect Acceptance for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f done for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f done # Disable Source Routed Packets for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do echo 0 > $f done # Log Spoofed Packets, Source Routed Packets, Redirect Packets for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 1 > $f done # These modules are necessary to masquerade their respective services. /sbin/modprobe ip_masq_ftp # ---------------------------------------------------------------------------- # LOOPBACK # Unlimited traffic on the loopback interface. ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT # ---------------------------------------------------------------------------- # Unlimited traffic within the local network. # All internal machines have access to the fireall machine. ipchains -A input -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT ipchains -A output -i $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT # All internal access extern ip adresses ipchains -A input -i $EXTERNAL_INTERFACE -s $EXTERN_1 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -d $EXTERN_1 -j ACCEPT # ---------------------------------------------------------------------------- # Masquerade internal traffic. # All internal traffic is masqueraded externally. ipchains -A forward -i $EXTERNAL_INTERFACE -s $LOCALNET_1 -j MASQ # ---------------------------------------------------------------------------- # Network Ghouls # Deny access to jerks # -------------------- # /etc/rc.d/rc.firewall.blocked contains a list of # ipchains -A input -i $EXTERNAL_INTERFACE -s address -j DENY # rules to block from any access. # Refuse any connection from problem sites if [ -f /etc/rc.d/rc.firewall.blocked ]; then . /etc/rc.d/rc.firewall.blocked fi # ---------------------------------------------------------------------------- # SPOOFING & BAD ADDRESSES # Refuse spoofed packets. # Ignore blatantly illegal source addresses. # Protect yourself from sending to bad addresses. # Refuse incoming packets pretending to be from the external address. ipchains -A input -s $IPADDR -j DENY -l # Refuse incoming packets claiming to be from a Class A, B or C private network ipchains -A input -s $CLASS_A -j DENY ipchains -A input -s $CLASS_B -j DENY ipchains -A input -s $CLASS_C -j DENY # Refuse broadcast address SOURCE packets ipchains -A input -s $BROADCAST_DEST -j DENY -l ipchains -A input -d $BROADCAST_SRC -j DENY -l # Refuse Class D multicast addresses # Multicast is illegal as a source address. # Multicast uses UDP. ipchains -A input -s $CLASS_D_MULTICAST -j DENY # Refuse Class E reserved IP addresses ipchains -A input -s $CLASS_E_RESERVED_NET -j DENY -l # Refuse special addresses defined as reserved by the IANA. # Note: The remaining reserved addresses are not included. # Filtering them causes problems as reserved blocks are # being allocated more often now. # Note: this list includes the loopback, multicast, & reserved addresses. # 0.*.*.* - Can't be blocked for DHCP users. # 127.*.*.* - LoopBack # 169.254.*.* - Link Local Networks # 192.0.2.* - TEST-NET # 224-255.*.*.* - Classes D & E, plus unallocated. ipchains -A input -s 0.0.0.0/8 -j DENY -l ipchains -A input -s 127.0.0.0/8 -j DENY -l ipchains -A input -s 169.254.0.0/16 -j DENY -l ipchains -A input -s 192.0.2.0/24 -j DENY -l ipchains -A input -s 224.0.0.0/3 -j DENY -l # ---------------------------------------------------------------------------- # NOTE: # The symbolic names used in /etc/services for the port numbers vary by # supplier. Using them is less error prone and more meaningful, though. # ---------------------------------------------------------------------------- # TCP UNPRIVILEGED PORTS # Avoid ports subject to protocol & system administration problems. # NFS: establishing a TCP connection ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $NFS_PORT -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $NFS_PORT -j REJECT # Xwindows: establishing a connection ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $XWINDOW_PORTS -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $XWINDOW_PORTS -j REJECT # SOCKS: establishing a connection ipchains -A input -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $SOCKS_PORT -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -p tcp --syn \ --destination-port $SOCKS_PORT -j REJECT # ---------------------------------------------------------------------------- # UDP UNPRIVILEGED PORTS # Avoid ports subject to protocol & system administration problems. ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ --destination-port $NFS_PORT -j DENY -l # UDP INCOMING TRACEROUTE # traceroute usually uses -S 32769:65535 -D 33434:33523 ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ --source-port $TRACEROUTE_SRC_PORTS \ --destination-port $TRACEROUTE_DEST_PORTS -j DENY -l # ALLOWED CONNECTIONS # MIXED TRAFFIC (TCP/UDP) # ------------------------------------------------------------------ # DNS client (53) # --------------- ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $NAMESERVER_1 53 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $NAMESERVER_1 53 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # HALFLIFE client (17000:17050) # ---------------- ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $ANYWHERE $HALFLIFE -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $ANYWHERE $HALFLIFE \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -d $ANYWHERE $HALFLIFE -j ACCEPT # UDP TRAFFIC # TCP TRAFFIC # ------------------------------------------------------------------ # FTP client (21) # --------------- # outgoing request ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 21 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 21 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # PORT mode data channel ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ --source-port 20 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR $UNPRIVPORTS \ --destination-port 20 -j ACCEPT # PASSIVE mode data channel creation ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port $UNPRIVPORTS -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port $UNPRIVPORTS \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # SSH server (22) # --------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ --source-port $SSH_REMOTE_PORTS \ -d $IPADDR 22 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 22 \ --destination-port $SSH_REMOTE_PORTS -j ACCEPT # SSH client (22) # --------------- ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $SSH_LOCAL_PORTS \ --destination-port 22 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 22 \ -d $IPADDR $SSH_LOCAL_PORTS -j ACCEPT # ------------------------------------------------------------------ # SMTP server (25) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 25 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 25 \ --destination-port $UNPRIVPORTS -j ACCEPT # SMTP client (25) # ---------------- ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ -d $SMTP_SERVER 25 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $SMTP_SERVER 25 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # WHOIS client (43) # ----------------- ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 43 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 43 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # HTTP client (80) # ---------------- ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 80 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 80 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # HTTP server (80) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 80 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 80 \ --destination-port $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # POP server (110) # ---------------- ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ -s 212.17.77.232 $UNPRIVPORTS \ -d $IPADDR 110 -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! --syn \ -s $IPADDR 110 \ -d 212.17.77.232 $UNPRIVPORTS -j ACCEPT # POP client (110) # ---------------- ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 110 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 110 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # AUTH server (113) # ----------------- # Reject, rather than deny, the incoming auth port. (NET-3-HOWTO) ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \ --source-port $UNPRIVPORTS \ -d $IPADDR 113 -j REJECT # AUTH client (113) # ----------------- ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 113 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 113 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ------------------------------------------------------------------ # HTTPS client (443) # ------------------ ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \ -s $IPADDR $UNPRIVPORTS \ --destination-port 443 -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! --syn \ --source-port 443 \ -d $IPADDR $UNPRIVPORTS -j ACCEPT # ---------------------------------------------------------------------------- # UDP accept only on selected ports # --------------------------------- # ------------------------------------------------------------------ # OUTGOING TRACEROUTE # ------------------- ipchains -A output -i $EXTERNAL_INTERFACE -p udp \ -s $IPADDR $TRACEROUTE_SRC_PORTS \ --destination-port $TRACEROUTE_DEST_PORTS -j ACCEPT -l # ---------------------------------------------------------------------------- # ICMP # To prevent denial of service attacks based on ICMP bombs, filter # incoming Redirect (5) and outgoing Destination Unreachable (3). # Note, however, disabling Destination Unreachable (3) is not # advisable, as it is used to negotiate packet fragment size. # For bi-directional ping. # Message Types: Echo_Reply (0), Echo_Request (8) # To prevent attacks, limit the src addresses to your ISP range. # # For outgoing traceroute. # Message Types: INCOMING Dest_Unreachable (3), Time_Exceeded (11) # default UDP base: 33434 to base+nhops-1 # # For incoming traceroute. # Message Types: OUTGOING Dest_Unreachable (3), Time_Exceeded (11) # To block this, deny OUTGOING 3 and 11 # 0: echo-reply (pong) # 3: destination-unreachable, port-unreachable, fragmentation-needed, etc. # 4: source-quench # 5: redirect # 8: echo-request (ping) # 11: time-exceeded # 12: parameter-problem ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type echo-reply \ -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type destination-unreachable \ -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type source-quench \ -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type time-exceeded \ -d $IPADDR -j ACCEPT ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type parameter-problem \ -d $IPADDR -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR fragmentation-needed -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR source-quench -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR echo-request -j ACCEPT ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \ -s $IPADDR parameter-problem -j ACCEPT # ---------------------------------------------------------------------------- # Enable logging for selected denied packets ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -d $IPADDR $PRIVPORTS -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p udp \ -d $IPADDR $UNPRIVPORTS -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type 5 -j DENY -l ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \ --icmp-type 13:255 -j DENY -l ipchains -A output -i $EXTERNAL_INTERFACE -j REJECT -l # ---------------------------------------------------------------------------- echo "done" exit 0

3 3

SuSE 7.1 - firewall
by Christian Hernmarck 25 Feb '01

25 Feb '01

Hi there A customer had bought the new SuSE Linux. I saw there were lots of changes... e.g. the fiewall script "SuSEfirewall". It runs three times. On the installation we have the following problem: the first time the firewall script runs the Network is not up so we only get an error message. Can someone tell me if this is normal or how I can fix this. Since I didn't get the subscription-update until now - I don't have anything here to make experiments or to read... Thanx for any hint. Christian

1 0

nessus & suse
by kleindoofi 24 Feb '01

24 Feb '01

hi, following the competent advice of a listmember i got the nessus tarballs. however nessus-libraies do not compile even after installing flex, bison, glibdev and glibtk as advised in faq. error reads: ---snip--- libtool: install: `libpcap-nessus.la' is not a valid libtool archive Try `libtool --help --mode=install' for more information. make[1]: *** [install-libpcap-nessus.la] Error 1 make[1]: Leaving directory `/home/mini/zips/nessus-libraries/libpcap-nessus' make: *** [install] Error 2 --snip-- any ideas about this ? tia dan

3 2

German Office...
by Roman Drahtmueller 24 Feb '01

24 Feb '01

Hi there, There has been an explosion in the Nürnberg office building at about 1:30 MET. Some load control panel in the electric power central of the building blew up so that we are out of electricity now. Nobody was injured, and the fire fighters were there before anything more serious has happened. The more "critical" parts (transformer) of the power system survived it, so that we don't expect a long lasting failure, but it might take more than just a few hours 'till we are online again. They're already working on it. Until then, www.suse.de, ftp.suse.de as well as the mail exchangers for all suse.de email addresses are offline. The mailing lists are also concerned, whereas the .com addresses should work, generally. It looks messy... Roman. -- - - | Roman Drahtmüller <draht(a)suse.de> // "Caution: Cape does | SuSE GmbH - Security Phone: // not enable user to fly." | Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) | - -

3 2