Here's the dump, hope it helps. Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere input_ext all -- anywhere anywhere input_ext all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET ' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING ' Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' Chain forward_ext (0 references) target prot opt source destination Chain input_ext (2 references) target prot opt source destination ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp echo-request LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:domain flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:domain LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:http LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:https LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:imap flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:imap LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:imaps flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:imaps LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:pop3 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:pop3s flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:pop3s LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:smtp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ACCEPT udp -- anywhere anywhere udp dpt:domain LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' DROP all -- anywhere anywhere Chain reject_func (0 references) target prot opt source destination REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable Boyan Tabakov wrote:
On 9.2.2007 16:50:38 Dos Wizard wrote:
But this isn't what exactly I was waiting for ... okay after my usual tradition of custom compiling tarball kernels I have ended with a 2.6.20 SuSE 10.1 pretty running okay and optimized for the CPU model the box uses, so voila a fast and stable system.
Now assigning the NIC to the external zone (it is, there's no NAT behind that box) and activating firewall all open ports from outside to inside they do work! All ports from inside to outside are kept blocked, so DNS fails for example, until someone tells me what file to edit manually and add the required from inside ports to be opened as well.
The following is an lsmod list, hoping something isn't missing. When I activate firewall additional modules do load, but this won't solve the problem.
Hi, What is the output of:
# iptables -t filter --list
with your firewall running?
SuSE firewall does not normally block any outgoing traffic. Are outgoing connections ok if no firewall is started?
Yes outgoing connections are okay with a stopped firewall. --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org