here's a bit of a step-by-step description on how to keep nimda
and codered from filling your apache logs.
- SuSE 7.2 Professional
- iptables 1.2.3
- linux kernel 2.4.13-pre5
1. install kernel sources for a kernel >> 2.4.9; running 2.4.13-pre5 here, works fine so far
2. get the sources for iptables 1.2.3 from
3. unpack sources somewhere
4. export KERNEL_DIR=$(where you put the kernel tree)
5. cd into unpacked iptables sources, there's a subdirectory
named patch-o-matic there
6. apply wanted patches by running ./runme $(name.of.patch)patch
for this you'll want the string patch
You can also apply other patches, like the irc-conntrack patch
7. now there's a little bug in this patch...
here's a diff:
--- linux/net/ipv4/netfilter/ipt_string.c~ Sun Oct 21
+++ linux/net/ipv4/netfilter/ipt_string.c Sun Oct 21
@@ -62,7 +62,7 @@
sk = skip[haystack[right_end - i]];
sh = shift[i];
- right_end = max(int, right_end - i + sk,
right_end + sh);
+ right_end = max(right_end - i + sk, right_end +
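Review bot: the `+` line of this hunk is cut off after `right_end +`, so the patch as pasted has no second argument and no closing `);` for the statement and cannot be applied; the replacement should read in full as the original line did with `right_end + sh` as the second operand. Whether dropping the `int` type argument is right also depends on which `max()` is in scope: kernels from 2.4.10 on define `max(type, x, y)` in include/linux/kernel.h with the type as first argument, so the `-` line is the form that compiles there unless ipt_string.c carries its own two-argument macro. Check the macro definition in the tree being patched before applying this.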
8. now, make config/menuconfig/xconfig... as usual. You can
import your running kernel's config first.
9. enable the experimental stuff
10. go to networking options->netfilter, there's an option there
to enable string matching; set that to M
11. compile and install kernel as usual; remember to uncomment
the export INSTALL_PATH=/boot in the main makefile.
12. now build an rpm file for the new iptables stuff by installing
the source rpm which comes with suse, then edit the spec file,
put the iptables source in /usr/src/packages/SOURCE and rebuild.
13. now there are some small changes to the firewall config
a) uncomment the last line in
b) edit that file, I got the following stuff in mine:
for forbidden_string in root.exe cmd.exe .ida; do
    iptables -I input_ext -p tcp --dport http -m string \
        --string "$forbidden_string" -m state \
        --state ESTABLISHED -j REJECT --reject-with tcp-reset
done
put that in the last subfunction defined in the custom rc file.
c) change the FW_LOG setting in firewall2.rc.config from reading
-log-level warning to -log-level kernel.warning
14. last: some small changes to /sbin/SuSEfirewall2
search in the script for the parts where the modules are loaded
and unloaded; be sure to add ipt_string (and the other new
modules you created by patching the kernel and enabling them in
make config) to the modules loading/unloading code there.
15. if you try now to access (from outside, of course) one of the
nimda or codered URLs, all you get is a 'connection reset by
peer', and the request doesn't show in the apache log files.
btw, no guarantees, and the usual YMMV :)
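Added example, not the author's code and not the kernel's ipt_string.c: the textbook Boyer-Moore search that the loop in the step-7 diff is built on, written with the same skip[]/shift[]/right_end structure so the max() statement can be read in context, plus a hypothetical request_blocked() helper that gives the verdict of the step-13b rules for a constructed HTTP request line. Only the three strings from step 13b are taken from the post; every name and sample input here is constructed.

```c
#include <string.h>
#define ALPHABET 256
#define MAX_NEEDLE 64

/* skip[]: bad-character slide that realigns haystack byte c with its rightmost
 * occurrence in the needle (a full needle length if c never occurs). */
static void build_skip(const unsigned char *p, int m, int skip[ALPHABET])
{
    for (int c = 0; c < ALPHABET; c++) skip[c] = m;
    for (int i = 0; i < m - 1; i++) skip[p[i]] = m - 1 - i;
}
/* shift[]: good-suffix slide after i bytes matched from the right; the smallest
 * s that realigns that suffix with an earlier occurrence or the needle's start. */
static void build_shift(const unsigned char *p, int m, int shift[MAX_NEEDLE])
{
    for (int i = 0; i < m; i++) {
        int s, k;
        for (s = 1; s < m; s++) {
            for (k = 0; k < i && m - 1 - k - s >= 0 && p[m - 1 - k - s] == p[m - 1 - k]; k++);
            if (k == i || m - 1 - k - s < 0) break;
        }
        shift[i] = s;
    }
}
/* Boyer-Moore search over a payload; returns the match offset or -1. The last
 * statement is the one the step-7 diff touches: take the larger slide, so
 * right_end never moves backwards and the scan always terminates. */
int bm_search(const unsigned char *hay, int hlen, const unsigned char *p, int m)
{
    int skip[ALPHABET], shift[MAX_NEEDLE];
    if (m <= 0 || m > MAX_NEEDLE || m > hlen) return -1;
    build_skip(p, m, skip); build_shift(p, m, shift);
    for (int right_end = m - 1, i; right_end < hlen;) {
        for (i = 0; i < m && hay[right_end - i] == p[m - 1 - i]; i++);
        if (i == m) return right_end - m + 1;
        int sk = skip[hay[right_end - i]], sh = shift[i];
        right_end = (right_end - i + sk > right_end + sh) ? right_end - i + sk : right_end + sh;
    }
    return -1;
}
/* Verdict of the step-13b rule set (hypothetical helper): 1 = REJECT with tcp-reset, 0 = pass. */
int request_blocked(const char *payload)
{
    static const char *const bad[] = { "root.exe", "cmd.exe", ".ida" };
    for (size_t n = 0; n < sizeof bad / sizeof *bad; n++)
        if (bm_search((const unsigned char *)payload, (int)strlen(payload),
                      (const unsigned char *)bad[n], (int)strlen(bad[n])) >= 0)
            return 1;
    return 0;
}
```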
I have basically a suse samba server setup. Eth0 is for the internet
connection (cable). Eth1 is my internal network. I use eth1 for my samba
server. When I have the shares/drive letters mapped, whatever, I'll go to
access them and that computer will just lock up or time out for about 1
minute, then it will resume operation normally. I have approx. 5 computers
on the suse server, and they all do this, from windows xp to windows 98se. I
am using set up addresses of 192.168.0.x, where x is greater than 2. My
question is: have I, or is there something I've set up wrong to cause this
pause to occur? It's becoming very annoying and frustrating. I'm using kernel
2.4.18-64GB-SMP with a dual processor setup. If anyone has any ideas please
let me know. Every package installed is the original version from the suse
install cdroms (no updates done).
Anything come to mind? btw, I've replaced the switch with a new netgear one,
and all the network cards are startech ST100 Realtek 8139 chipsets on 100Tx.
I've searched the last 2 days for a solution, but found nothing. So I
try it here.
I've set up a "normal" HomeLAN with a Linux Gateway (SuSE 8.1) and
several Windows Clients.
The Linux Box has the following ethernet devices:
eth0 -- 192.168.0.1/24 -- connected to LAN
eth1 -- 192.168.1.100/24 -- connected to DSL Modem
The software I use is (all shipped with SuSE):
First, the connection from the gateway and the clients (over
masquerading) to the internet works fine and fast. I can dial in and
Ok, now my problem.
To dial in or out I connect to the gateway using PuTTY as ssh client.
(I have configured the firewall to accept ssh --> FW_SERVICES_INT_TCP="ssh")
The connect works, so I can start the dialin with #> cinternet --start
Now it happens... After a few seconds my PuTTY session doesn't react
to my input and after some more time I get a popup telling me:
"Software caused connection abort".
Then I have to wait till the dialin process has finished. Then I can
start a new PuTTY session to the gateway.
I think it must be the firewall that disconnects me, because if I
restart the firewall without dialing in, my PuTTY session just hangs for about
2 seconds. But if I am dialed in (so my ppp interface is up) and I
restart the firewall, the "connection abort" error occurs again.
Thanks for your help.
Hi there SuSErs...
Well I must be doing something really wrong because everything that I do with SuSEFirewall2 is just not working!
I have a small network with 5 PCs (all Win9X) and a Linux box (Currently SuSE 7.3) acting as a server. The server is a DHCP server and a Samba server for the entire network. So far everything is working perfect!!! Users log on the network, logon script executes etc....
Then a new task came up: let's input the internet into the network.
Configured a 56Kbps modem on the server with YAST. Managed to get my account set up and running. Made a test connection and netscape works great on the server as well as e-mail (pop3).
I tried configuring SuSEfirewall to manage all incoming requests from the PCs of the network. The firewall warned me about masquerading etc. so I downloaded the latest version of SuSEfirewall2 from the internet and installed it.
Since I only need direct masquerading to be done (no proxies are currently working on the net) I made all the necessary changes as outlined in the examples supplied with the software. Since I needed to have Samba to keep working on the network, I opened (among others) 139 port for samba to work.
Double checked all the changes that I have made and ran rcSuSEfirewall2 to see what happens. Strangely enough, when wvdial executes it tells me that DNS is not functioning properly since www.suse.com cannot be found (or something like that, please forgive me, I am away from the Linux station now).
Further on, when I open mIRC or other similar programs (winmx etc) from a station, I look at the activity in IPtraf (I check this to see what happens) and I see no connections being created whatsoever.... mIRC prompts me that there was an error trying to find the host....
I have made no changes to the Win9X PCs.
Is there something that I am forgetting to do?? I understand that it is impossible for all of you to react to this since I have no output of the SuSEfirewall.conf file published in this message.... I understand.
Can someone please send me their configuration file so I can see what you have done, on a system that currently is working fine?? In addition, is there something that I have to do regarding route or routing??
What about the Win9X PCs?? Is there something that I have to do there??
I thank you so very much for all your help in advance!!!! I have been killing myself trying to figure this one out for about 2 weeks now and managed nothing more than thin air!!!!!
On Mon, Dec 30, 2002 at 08:16:18PM -0600, Fernando Valderrabano Reyes wrote:
> > Replacing 0/0 with your internal net (the one on eth1) might help.
> I've changed the 0/0 to 10.100.1.0/24 (my internal network is from
> 10.100.1.0 to 10.100.1.255)
> the following error comes:
> /sbin/SuSEfirewall2: line 696: test: 10.100.1.0/24: integer expression
> iptables v1.2.7a: Maximum prefix length 29 for --log-prefix
> Try `iptables -h' or 'iptables --help' for more information.
> Warning: FW_SERVICE_DNS defined, but no DNS server found running!
Are you running an older version of the susefirewall2 rpm? IIRC there
was a problem that has been corrected by an update.
> also, I don't know why it says I don't have any dns server running (named
> is running).
No idea right now, maybe the firewall is started before bind?
Joerg Mayer <jmayer(a)loplof.de>
I found out that "pro" means "instead of" (as in proconsul). Now I know
what proactive means.
I have a IPTables firewall and a automatically generated html log-file of my
DROP chain via fwlogwatch.
For a long time these logs have been bloated with incoming requests at port 4665
(edonkey). I wonder why there are so many retries...
Now I have to decide between two possibilities:
1. Instead of DROPping with my own (logging) drop chain, only DROP without
2. REJECT the requests instead of DROPping.
Maybe the second variant preserves me from thousands of requests within an
hour, but on the other hand I would have outed myself with that, and the edonkey
scanners (or whatever the source of the requests will be) are so tricky as to
try all other ports to connect...
Does anyone have any advice?
Microsoft is not the answer, it's the question
And the answer is no.
I'm using the SuSEfirewall2 for firewalling and NAT, I have two interfaces
(INT & EXT), where the external is eth0 and the internal is eth1.
Everything seems to work fine but I can't see anything in the external
interface from the external one (that means I can't access the webpages I
This is my config:
FW_SERVICES_EXT_TCP="www smtp domain ftp ssh https pop3"
FW_SERVICES_INT_TCP="ssh smtp domain ftp pop3 http https imap"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_FORWARD="" # Beware to use this!
FW_FORWARD_MASQ="" # Beware to use this!
Is there anything wrong?
Fernando Valderrábano Reyes
FROM Computer Systems.
"UNIXMEXICO la comunidad *nix en todo México!"
I have suse 7.3 and have 2 network cards for
setting up NAT and routing, where one card is for the internal
network and the other is for the external network.
I have a problem with that, because when I assign an
IP as the default gateway for one card it is
automatically written for the other card too, and if I remove
it, the IP for the default gateway of the other card is
removed as well. In other words the default gateway IPs of the
2 network cards depend on each other, but in
windows 2000 I don't have this problem: the default gateway
IPs of the two net cards are independent of
each other and I can assign different IPs as the default
gateway for the two network cards on the same machine, for
example one card may have an IP for the default gateway
and the other card on the same machine has no IP
for the default gateway.
I don't know, is it a bug in suse 7.3 or is it supposed to be that way?
What can I do about this problem?
PS: I configured the 2 network cards in the control center
"The KDE Project today released a security advisory affecting all versions
of KDE 2 and KDE 3. The advisory is the culmination of the security audit
which delayed the release of KDE 3.1 until January. While no exploits are
currently known, the KDE Project strongly encourages all KDE users to
upgrade to KDE 3.0.5a, which was also announced today, or to apply the
patches provided for KDE 2.2.2. Due to the year-end Holidays, few binary
packages are available at this time. Please check the KDE 3.0.5a information
page and your vendor's website periodically for available packages. Note
that some vendors are expected to incorporate the security improvements into
new builds of KDE 3.0.5."
So, any chance to get update packages for any suse distribution _below_ 8.1?
Unsolicited sending of advertising e-mail to private individuals violates §1
UWG and §823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any
commercial use of the transmitted personal data, as well as passing it on to
third parties, is expressly prohibited!