On Thursday 29 Nov 2012 16:29:24 Marcus Meissner wrote:
I have not fully looked up the details.
/etc/sysconfig/scripts/SuSEfirewall2-custom
fw_custom_after_chain_creation() {
fw_custom_before_port_handling() {
fw_custom_before_masq() { # could also be named "after_port_handling()"
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
fw_custom_after_finished() {
So I suspect before and up to fw_custom_before_masq(), depending on what you want to achieve in PREROUTING.
Actually I want to make sure that access to certain ports on a public IP address is always blocked. (There are two public IP addresses on the same device.)

In fact, after studying the SuSEfirewall2 script and thinking about this a bit more, I placed the rules in fw_custom_before_denyall (this box is still on 11.4, so fw_custom_after_finished is not implemented). This would seem to be the best way to guarantee that ports on this IP address cannot be opened accidentally elsewhere when the rules are built.

It seems to work. :-)

Paul

--
Paul Reeves
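One way to write such a hook and check its effect, as an added example that is not part of the original message and not the poster's actual rules. Assumptions: the address (RFC 5737 documentation range), the port list, the choice of inserting at the head of INPUT, and the helper verify_block_first are all hypothetical.

```shell
# Constructed values: documentation address and an example port list.
BLOCK_IP="${BLOCK_IP:-203.0.113.10}"
BLOCK_TCP_PORTS="${BLOCK_TCP_PORTS:-22 3306}"
IPTABLES="${IPTABLES:-iptables}"   # set to "echo iptables" for a dry run

# Hook name taken from the list in the message above.
fw_custom_before_denyall() {
    for port in $BLOCK_TCP_PORTS; do
        # Reject anything that is not a plain port number before touching the rules.
        case "$port" in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
        # -I INPUT 1 puts the DROP ahead of every rule already in INPUT,
        # including jumps to chains where an ACCEPT may have been added.
        # This covers locally delivered traffic only, not FORWARD or NAT.
        $IPTABLES -I INPUT 1 -d "$BLOCK_IP" -p tcp --dport "$port" -j DROP || return 1
    done
    true
}

# Hypothetical check: reads `iptables -S INPUT` output on stdin and succeeds
# only if each configured port has a DROP rule for BLOCK_IP that appears
# before the first INPUT rule with any other target.
verify_block_first() {
    rules=$(cat)
    for port in $BLOCK_TCP_PORTS; do
        printf '%s\n' "$rules" | awk -v ip="$BLOCK_IP" -v port="$port" '
            $1 != "-A" { next }            # skip the policy line (-P INPUT ...)
            index($0, "-d " ip "/32 ") && index($0, "--dport " port " ") && / -j DROP$/ { found = 1; exit }
            !/ -j DROP$/ { exit }          # a non-DROP rule came first
            END { exit(found ? 0 : 1) }' || return 1
    done
}
```

After the firewall has been restarted, `iptables -S INPUT | verify_block_first` returns non-zero if any of the listed ports is no longer dropped ahead of the other INPUT rules.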