Hi Carlos,
Let me try to give you a hint, though I'm not an expert on SuSEfirewall2.
On Friday, 14 April 2006 17:06, Carlos E. R. wrote:
> What causes this error in the firewall?
> Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
The log tells you that your client (SRC=192.168.1.12, SPT=6881) somehow sends invalid answers (ACK) to a machine on the internet (DST=85.85.72.60, DPT=4712, tcp).
Why ERROR, not DROP? As far as I can see, SuSEfirewall2 doesn't block any outgoing connections; your machine may connect anywhere.
In /sbin/SuSEfirewall2 there is exactly one place that produces this ERROR log (lines 1104-1105, suse 9.3):

    $iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
    $iptables -A OUTPUT -j LOG ${LOG}"-OUT-ERROR "

A packet which is not in NEW,ESTABLISHED,RELATED must be invalid somehow; it's not handled by the first line but by the second. But it doesn't seem to be dropped afterwards, only logged as ERROR! The immediately following three lines say:

    # we want to let locally generated packets out since our task is not
    # to protect the world from us, but protect us from the world ;)
    # policy is ACCEPT
    $iptables -A OUTPUT -j ACCEPT
So your problem probably has nothing to do with the firewall itself but the client or something in between (invalid packets).
> Why am I denied outgoing access to some ports now and then?
The "now and then" confirms the suspicion (client problem).
Apart from this, your last paragraph shows an essential misunderstanding:
> port 6881 is allowed entry in the config:
> FW_SERVICES_EXT_TCP="6881:6889"
This has _nothing_ to do with the above.
/etc/sysconfig/SuSEfirewall2 says:

    # 9.)
    # Which TCP services _on the firewall_ should be accessible from
    # untrusted networks?

In other words: with FW_SERVICES_EXT_TCP you allow _incoming_ connections to your net/host; the internet is allowed to connect to your machine on ports 6881 - 6889 tcp. Maybe that's not what you want.
Bye, Joe
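The reasoning in Joe's reply (direction from the IN=/OUT= fields, the TCP flags as bare tokens, and the OUTPUT chain's LOG-then-ACCEPT meaning OUT-ERROR is logged but not dropped) can be turned into a small log classifier. This is an added example, not code from the thread or from SuSEfirewall2. The first sample line is the one Carlos posted; the two incoming lines, their MAC/source addresses and the INext-DROP-DEFLT / INext-ACC-TCP prefixes are constructed here as assumptions to exercise the other verdicts. The "logged-only" verdict for OUT-ERROR is taken from the OUTPUT rules quoted in the mail, not from a general rule about all SFW2 versions.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The LOG target writes "<prefix> key=value key=value BARE-TOKEN ...".
LOG_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+)\s+(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}

# Constructed sample log. Line 1 is the OUT-ERROR line from the mail; lines 2 and 3
# are assumed (made-up) incoming entries so the drop/accept paths are exercised too.
SAMPLE_LOG = """\
Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:05:02 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.1.12 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=1 DF PROTO=TCP SPT=3290 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 14 17:05:09 nimrodel kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=192.168.1.12 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2 DF PROTO=TCP SPT=51000 DPT=6881 WINDOW=65535 RES=0x00 SYN URGP=0
"""


@dataclass
class Entry:
    prefix: str
    fields: dict   # key=value pairs such as SRC, DST, SPT, DPT, PROTO
    tokens: set    # bare tokens such as DF, SYN, ACK

    @property
    def tcp_flags(self) -> set:
        return self.tokens & TCP_FLAGS

    @property
    def direction(self) -> str:
        # Locally generated packets have an empty IN= and a set OUT=;
        # packets arriving from the wire have the reverse.
        if self.fields.get("IN", "") == "" and self.fields.get("OUT", ""):
            return "out"
        if self.fields.get("IN", "") and self.fields.get("OUT", "") == "":
            return "in"
        return "forward"


def parse_line(line: str):
    """Parse one SFW2 kernel log line; return None for lines that are not SFW2 logs."""
    m = LOG_RE.search(line)
    if not m:
        return None
    fields, tokens = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            tokens.add(tok)
    return Entry(m.group("prefix"), fields, tokens)


def parse_log(text: str):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def verdict(entry: Entry) -> str:
    """What happened to the packet, derived from the log prefix.

    OUT-ERROR is special: per the OUTPUT chain quoted in the mail, the LOG rule
    is followed by an unconditional ACCEPT, so the packet is logged, not dropped.
    The packet reached that LOG rule only because conntrack saw it as neither
    NEW nor ESTABLISHED nor RELATED (for the sample line: a bare ACK with no
    matching connection, i.e. a stray answer from the client).
    """
    p = entry.prefix
    if p == "SFW2-OUT-ERROR":
        return "logged-only"
    if "-DROP" in p:
        return "dropped"
    if "-REJECT" in p:
        return "rejected"
    if "-ACC" in p:
        return "accepted"
    return "unknown"


def summarize(entries) -> dict:
    """Count verdicts; a large 'logged-only' share points at the client, not the firewall."""
    return dict(Counter(verdict(e) for e in entries))


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        f = e.fields
        print(f"{e.direction:7} {verdict(e):12} {f['SRC']}:{f.get('SPT', '-')} -> "
              f"{f['DST']}:{f.get('DPT', '-')} flags={sorted(e.tcp_flags)}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Feeding the classifier the real /var/log/messages makes Joe's point checkable: if every OUT-ERROR line has ACK (or FIN/RST) without SYN and the same local port, the packets are late answers to connections the firewall no longer tracks, and nothing outgoing was actually blocked.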