Boyan Tabakov wrote:
On 9.11.2006 23:07, Wade Grant wrote:
I know that SuSefirewall uses iptables, but for example I want to make an entry for

iptables -I INPUT -s 172.16.0.0/32 -j DROP

Basically I want to drop any connections from the 172.16.0.0-172.16.255.255 network coming to a sendmail server. With the Yast and SuSefirewall scripts managing the iptables, where will I put my entry in and how do I make iptables read the new entry? I tried issuing the above from the command line but I don't know how Suse likes to restart to read the new entry. Help would be appreciated.
By the way - your rule is incorrect for what you want to do. You should specify netmask /16 and not /32. /32 means 'host' and not entire subnet.
Therefore you should tell the unknowing what that means ...

0.0.0.0/0          - all IPs 0.0.0.0 - 255.255.255.255
123.0.0.0/8        - all IPs 123.0.0.0 - 123.255.255.255
123.123.0.0/16     - all IPs 123.123.0.0 - 123.123.255.255
123.123.123.0/24   - the whole subnet 123.123.123.0 - 123.123.123.255
123.123.123.123/32 - only the host with IP 123.123.123.123

a.b.c.d/x means: address range = 32-x bits of the subnet.

If there is a half subnet (some use this for routing the limited number of real IPs): 123.123.123.x = IP of one of the half subnet's clients (255.255.255.128 = subnet mask), therefore 123.123.123.0/25 is the whole subnet 123.123.123.0 - 123.123.123.127 and 123.123.123.128/25 is the second subnet 123.123.123.128 - 123.123.123.255. You can do this further on (these are only some examples)!

There are two/three possible positions of clients: internet (dev_ext), intranet (dev_int) and the server's unprotected side (dev_dmz). Where your clients belong you must know. I think you mean external clients (whoohaa the bad client numbers), so place them in /etc/sysconfig/scripts/SuSEfirewall2-custom. Put them here:

fw_custom_before_antispoofing

Don't overwrite the { or } signs, otherwise it won't work! Don't forget to activate this in /etc/sysconfig/SuSEfirewall2 (don't overwrite the ' signs here, otherwise it won't work!)!

To restart, it has proven best to do:

/etc/init.d/SuSEfirewall2 stop && /etc/init.d/SuSEfirewall2 start

instead of:

/etc/init.d/SuSEfirewall2 restart

A simple restart sometimes doesn't work from my experience (some chains still remain)!

Regards
Philippe

P.S.: HTH! Nice that the lists now work again (I always get strange ideas if there is no mail for a while on this list)!

--
This message is digitally signed and contains neither seal nor signature! Unsolicited sending of advertising e-mail to private individuals violates §1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, Az: 16 O 201/98).
Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
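A small check of the netmask point raised in this thread, as an added example that is not part of any of the posts: it computes the address range a CIDR prefix covers and tests whether a given address falls inside it, so the /32 versus /16 difference can be verified before a rule goes into SuSEfirewall2-custom. Plain POSIX sh arithmetic only; no iptables is needed to run it.

```shell
#!/bin/sh
# Added example (not from the thread): show why 172.16.0.0/32 matches one
# host while 172.16.0.0/16 covers 172.16.0.0-172.16.255.255 as intended.

# ip_to_int a.b.c.d -> 32-bit integer
ip_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip <integer> -> a.b.c.d
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range a.b.c.d/x -> "first last" of the covered range.
# A prefix length of x leaves 32-x host bits, as the message explains.
cidr_range() {
    net=${1%/*}; bits=${1#*/}
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    first=$(( $(ip_to_int "$net") & mask ))
    last=$(( first | (~mask & 0xFFFFFFFF) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# cidr_contains a.b.c.d/x h.h.h.h -> exit 0 if the host lies in the prefix
cidr_contains() {
    set -- $(cidr_range "$1") "$2"
    h=$(ip_to_int "$3")
    [ "$h" -ge "$(ip_to_int "$1")" ] && [ "$h" -le "$(ip_to_int "$2")" ]
}

# Demonstration: the prefixes from the thread, then the rule from the
# question against a constructed sample client address.
for pfx in 172.16.0.0/32 172.16.0.0/16 123.123.123.0/25 123.123.123.128/25; do
    echo "$pfx covers $(cidr_range "$pfx")"
done
for pfx in 172.16.0.0/32 172.16.0.0/16; do
    if cidr_contains "$pfx" 172.16.45.7; then
        echo "172.16.45.7 is matched by -s $pfx"
    else
        echo "172.16.45.7 is NOT matched by -s $pfx"
    fi
done
```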