I looked at my firewall using iptables and wondered if I was being
protected.
It seems that the first statement accepts all protocols from anywhere to
anywhere. So are most of the statements left in the INPUT chain
meaningless? I have made two changes manually to the firewall: one to
allow port 6881 traffic and one to prevent 6881 resets by middlemen on a
connection. When I delete the first line my browser stops working. I
had been forced to use an untainted kernel and so AppArmor does not
load. Is that why this is behaving weirdly? Does AppArmor with its
kernel patches add another chain/table to the SuSEfirewall2? Doesn't
"ACCEPT" stop processing of rules in a given chain?
root:~>
root:~>iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target prot opt source destination

Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
DROP tcp -- anywhere anywhere tcp dpt:6881 flags:RST/RST
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:111 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:111
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:20 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:20
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:21 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:21
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:2401 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:2401
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:80 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:80
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:6881 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:6881
reject_func tcp -- anywhere anywhere tcp dpt:113 state NEW
LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
root:~>
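The question above hinges on whether the first `ACCEPT all -- anywhere anywhere` rule is really unconditional. Plain `iptables -L` does not print interface matches, so a rule such as `-A INPUT -i lo -j ACCEPT` shows up exactly like that; `iptables -L -v -n` or `iptables-save` shows the interface. The following is an added example, not code from the post or from SuSEfirewall2: it simulates the kernel's rule walk (first matching terminating target wins, LOG continues, a user chain returns to its caller when nothing in it terminates) over a constructed subset of the rules above, and it assumes the first rule carries a hidden `-i lo` match.

```python
TERMINAL = {"ACCEPT", "DROP", "REJECT"}
OPTS = {"-i": "iface", "-p": "proto", "--dport": "dport", "--state": "state"}
# Constructed subset of the post's rules in iptables-save form. The "-i lo" on
# the first rule is assumed: plain `iptables -L` hides interface matches.
RULES = """
:INPUT DROP
:input_ext -
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A input_ext -p tcp --dport 80 -j LOG
-A input_ext -p tcp --dport 80 -j ACCEPT
-A input_ext -j DROP
"""
# The same rule set if the first rule really were unconditional.
RULES_AS_LISTED = RULES.replace("-i lo -j ACCEPT", "-j ACCEPT")

def parse_rules(text):
    """Parse the iptables-save subset above into {chain: {policy, rules}}."""
    chains = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0].startswith(":"):                  # ":CHAIN POLICY" header
            chains[tok[0][1:]] = {"policy": tok[1], "rules": []}
            continue
        rule = {"match": {}, "target": None}
        for opt, arg in zip(tok[2::2], tok[3::2]):  # option/argument pairs
            if opt == "-j":
                rule["target"] = arg
            elif opt in OPTS:                       # "-m state" is skipped
                rule["match"][OPTS[opt]] = arg
        chains[tok[1]]["rules"].append(rule)
    return chains

def matches(rule, pkt):
    """Every match of the rule applies (a comma-separated list is any-of)."""
    return all(str(pkt[k]) in want.split(",") for k, want in rule["match"].items())

def verdict(chains, pkt, chain="INPUT"):
    """Terminating target for pkt; None means a user chain fell through."""
    for rule in (r for r in chains[chain]["rules"] if matches(r, pkt)):
        target = rule["target"]
        if target in TERMINAL:                      # ACCEPT/DROP/REJECT end the walk
            return target
        if target != "LOG":                         # LOG continues; else it is a jump
            sub = verdict(chains, pkt, target)
            if sub:
                return sub
    policy = chains[chain]["policy"]
    return None if policy == "-" else policy
```

With the `-i lo` match only loopback traffic hits the first rule and a new SSH connection from eth0 is dropped by input_ext; with the rule as it is listed, everything is accepted by rule one and the rest of INPUT never runs.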
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse-security+help(a)opensuse.org