Susefirewall2 fills my logs with reports of dropped packets as a stupid windows network monitor tries to talk SNMP.
I've asked them to stop, but often "fixing the internet" is not the easiest way to resolve problems.

The SLES9 version of Susefirewall2 lacks the parameter:

  FW_SERVICES_DROP_EXT="0/0,tcp,161"  # Packets to silently reject without log message.

So as I've done so often, I upgraded the SLES9 RPM.

  rpm -Fvh SuSEfirewall2-3.3-18.noarch.rpm

Pulled a copy of /etc/sysconfig/Susefirewall2 across from my 9.3 workstation and customised it.
Rebooted and it seems to work fine. I'll give it a week and upgrade all the production boxes.

Just wanted to share that (and see if anyone knew why not...)

michaelj

--
Michael James                                   michael.james@csiro.au
System Administrator                            voice: 02 6246 5040
CSIRO Bioinformatics Facility                   fax:   02 6246 5166

No matter how much you pay for software, you always get less than you hoped.
Unless you pay nothing, then you get more.
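The mechanism behind the silent drop is rule ordering: a DROP that sits ahead of the firewall's logging rule produces no log line, whereas the default path logs first and drops afterwards. The following added example (my own code, not SuSEfirewall2's) turns FW_SERVICES_DROP_EXT-style entries into raw iptables commands inserted at the head of the chain. It assumes the "net,proto,port" entry layout shown above and that several entries are separated by whitespace (that multi-entry form is my assumption, not something the post shows); the chain and interface names are illustrative defaults. Since SNMP normally runs over udp/161 rather than tcp, the sample string includes both protocols.

```python
"""Translate SuSEfirewall2-style FW_SERVICES_DROP_EXT entries into raw
iptables commands.  Added example, not SuSEfirewall2's own code: it assumes
the entry format "net,proto[,dport]" with several entries separated by
whitespace (the multi-entry form is an assumption)."""

import ipaddress
import shlex
from typing import List, Optional


def parse_drop_ext(value: str) -> List[dict]:
    """Parse 'net,proto[,dport]' entries into dicts, validating each field."""
    entries = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) not in (2, 3):
            raise ValueError(f"bad entry {item!r}: expected net,proto[,dport]")
        net, proto = parts[0], parts[1].lower()
        dport: Optional[str] = parts[2] if len(parts) == 3 else None
        # "0/0" is the config file's shorthand for "any source"; normalise it,
        # and let ipaddress reject anything else that is not a valid network.
        if net == "0/0":
            net_norm = "0.0.0.0/0"
        else:
            net_norm = str(ipaddress.ip_network(net, strict=False))
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r} in {item!r}")
        if dport is not None and not (dport.isdigit() and 0 < int(dport) < 65536):
            raise ValueError(f"bad port {dport!r} in {item!r}")
        entries.append({"net": net_norm, "proto": proto, "dport": dport})
    return entries


def drop_rules(value: str, chain: str = "INPUT", iface: str = "eth0") -> List[str]:
    """Emit one silent DROP per entry.  The rules are *inserted* (-I) at the
    top of the chain so they are evaluated before any LOG rule; the same rule
    appended (-A) after the LOG rule would still produce the log line."""
    rules = []
    for e in parse_drop_ext(value):
        args = ["iptables", "-I", chain, "-i", iface,
                "-s", e["net"], "-p", e["proto"]]
        if e["dport"]:
            args += ["--dport", e["dport"]]
        args += ["-j", "DROP"]
        rules.append(shlex.join(args))   # shell-safe, copy-pasteable command
    return rules


if __name__ == "__main__":
    # Constructed sample: the entry from the thread plus the UDP form SNMP
    # actually uses, and a documentation-range network (RFC 5737).
    for rule in drop_rules("0/0,tcp,161 0/0,udp,161 192.0.2.0/24,udp,161"):
        print(rule)
```

The functions only build the command strings; nothing is applied to the running firewall, so the output can be reviewed before it is used.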
On Thursday 27 July 2006 16:50, Michael James wrote:
> Susefirewall2 fills my logs with reports of dropped packets as a stupid windows network monitor tries to talk SNMP.
> I've asked them to stop, but often "fixing the internet" is not the easiest way to resolve problems.
> The SLES9 version of Susefirewall2 lacks the parameter:
>   FW_SERVICES_DROP_EXT="0/0,tcp,161"  # Packets to silently reject without log message.
> So as I've done so often, I upgraded the SLES9 RPM.
>   rpm -Fvh SuSEfirewall2-3.3-18.noarch.rpm
> Pulled a copy of /etc/sysconfig/Susefirewall2 across from my 9.3 workstation and customised it. Rebooted and it seems to work fine. I'll give it a week and upgrade all the production boxes.
> Just wanted to share that (and see if anyone knew why not...) michaelj
SLES9 is an enterprise class server, but SuseFirewall is a user class firewall tool.

Rip it out and install Shorewall. It is vastly more powerful, dramatically easier to use, better documented, and full of features.

--
_____________________________________
John Andersen
On Thu, Jul 27, 2006 at 05:02:09PM -0800, John Andersen wrote:
> On Thursday 27 July 2006 16:50, Michael James wrote:
> > Susefirewall2 fills my logs with reports of dropped packets as a stupid windows network monitor tries to talk SNMP.
> > I've asked them to stop, but often "fixing the internet" is not the easiest way to resolve problems.
> > The SLES9 version of Susefirewall2 lacks the parameter:
> >   FW_SERVICES_DROP_EXT="0/0,tcp,161"  # Packets to silently reject without log message.
> > So as I've done so often, I upgraded the SLES9 RPM.
> >   rpm -Fvh SuSEfirewall2-3.3-18.noarch.rpm
> > Pulled a copy of /etc/sysconfig/Susefirewall2 across from my 9.3 workstation and customised it. Rebooted and it seems to work fine. I'll give it a week and upgrade all the production boxes.
> > Just wanted to share that (and see if anyone knew why not...) michaelj
>
> SLES9 is an enterprise class server, but SuseFirewall is a user class firewall tool.
Susefirewall is not a user class firewall tool, sorry.

While the upgrade method (using 9.3 package) above is not supported, it will work fine.

Ciao, Marcus
On Thursday 27 July 2006 21:58, Marcus Meissner wrote:
> On Thu, Jul 27, 2006 at 05:02:09PM -0800, John Andersen wrote:
> > On Thursday 27 July 2006 16:50, Michael James wrote:
> > > Susefirewall2 fills my logs with reports of dropped packets as a stupid windows network monitor tries to talk SNMP.
> > > I've asked them to stop, but often "fixing the internet" is not the easiest way to resolve problems.
> > > The SLES9 version of Susefirewall2 lacks the parameter:
> > >   FW_SERVICES_DROP_EXT="0/0,tcp,161"  # Packets to silently reject without log message.
> > > So as I've done so often, I upgraded the SLES9 RPM.
> > >   rpm -Fvh SuSEfirewall2-3.3-18.noarch.rpm
> > > Pulled a copy of /etc/sysconfig/Susefirewall2 across from my 9.3 workstation and customised it. Rebooted and it seems to work fine. I'll give it a week and upgrade all the production boxes.
> > > Just wanted to share that (and see if anyone knew why not...) michaelj
> >
> > SLES9 is an enterprise class server, but SuseFirewall is a user class firewall tool.
>
> Susefirewall is not a user class firewall tool, sorry.
Oops, didn't mean to offend...

But it is missing too many features for production use in large shops in MY opinion, and configuration is sort of mysterious.
Those features it does have are sort of hard to figure out, but I do use it for workstations.

--
_____________________________________
John Andersen
On Sat, 29 Jul 2006 10:18 am, John Andersen wrote:
> > > SLES9 is an enterprise class server, but SuseFirewall is a user class firewall tool.
> >
> > Susefirewall is not a user class firewall tool, sorry.
>
> Oops, didn't mean to offend...
>
> But it is missing too many features for production use in large shops in MY opinion, and configuration is sort of mysterious.
> Those features it does have are sort of hard to figure out, but I do use it for workstations.
Largely I'm happy with Susefirewall2 (at least the 9.3 version). A couple of things though:

How to get it to log to /var/log/firewall instead of /var/log/messages? /var/log/mess gets much too messy.

And I tried to get rate limiting on SSH connections working to cut the brute force SSH scanning, but this didn't work within Susefirewall2.

#
# /etc/sysconfig/Susefirewall2-custom
#
#########################################################################
# Rate limit brute force SSH attacks, rules by Andrew Pollock           #
#                                                                       #
# http://blog.andrew.net.au/2005/02/17#ipt_recent_and_ssh_attacks      #
#-----------------------------------------------------------------------#

# First whitelist a few hosts
iptables -N SSH_WHITELIST
iptables -A SSH_WHITELIST -s susejam.cbf.csiro.au -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s bookreading.net -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s alianet.alia.org.au -m recent --remove --name SSH -j ACCEPT
iptables -A SSH_WHITELIST -s flat.alia.org.au -m recent --remove --name SSH -j ACCEPT

# Then implement the "recent" based filter
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 300 --hitcount 6 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 3600 --hitcount 36 --rttl --name SSH -j DROP

--
Michael James                                   michael.james@csiro.au
System Administrator                            voice: 02 6246 5040
CSIRO Bioinformatics Facility                   fax:   02 6246 5166

No matter how much you pay for software, you always get less than you hoped.
Unless you pay nothing, then you get more.
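The rule set above is easier to reason about when the "recent" match is walked step by step, so here is an added offline model of those four INPUT rules (my own code, not the poster's script and not the kernel module). Its semantics follow the iptables "recent" match: --set records a hit for the source, --remove deletes the source's entry, and --update --seconds S --hitcount N matches when at least N hits fall inside the last S seconds and, on a match, records one more hit, which is what keeps a retrying address tripped. Two things the model deliberately leaves out: --rttl, and the fact that the module remembers only a bounded number of hits per address (the ip_pkt_list_tot module parameter, default 20), which on kernels of that era also bounds the --hitcount a rule may ask for; that cap is worth checking when a rule with --hitcount 36 does not behave as expected. The addresses and timings are constructed sample traffic (RFC 5737 documentation ranges). One thing the model does show that the rule listing alone does not: because each matching --update rule adds its own hit, the DROP threshold is reached after far fewer than 36 connection attempts.

```python
"""Offline model of the ipt_recent SSH rate-limit rules posted above.
Added example, not the poster's script and not the kernel module: it walks
the four INPUT rules for each NEW connection so the thresholds can be
reasoned about.  Simplified on purpose: --rttl and the per-address stamp
cap (ip_pkt_list_tot) are not modelled."""

from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

LOG_WINDOW, LOG_HITS = 300, 6        # --seconds 300  --hitcount 6  -> ULOG
DROP_WINDOW, DROP_HITS = 3600, 36    # --seconds 3600 --hitcount 36 -> DROP


class RecentList:
    """One 'recent' list (--name SSH): source address -> hit timestamps."""

    def __init__(self) -> None:
        self.stamps: Dict[str, List[int]] = defaultdict(list)

    def set(self, src: str, now: int) -> None:
        """-m recent --set: always matches and records a hit."""
        self.stamps[src].append(now)

    def remove(self, src: str) -> bool:
        """-m recent --remove: matches if src is listed, and deletes the entry."""
        return self.stamps.pop(src, None) is not None

    def update(self, src: str, now: int, seconds: int, hitcount: int) -> bool:
        """-m recent --update --seconds S --hitcount N: matches if src has at
        least N hits within the last S seconds; a match records one more hit."""
        hits = self.stamps.get(src)
        if hits is None:
            return False
        if sum(1 for t in hits if now - t <= seconds) >= hitcount:
            hits.append(now)   # keeps a busy address tripped while it retries
            return True
        return False


def new_ssh_connection(lst: RecentList, whitelist: FrozenSet[str],
                       src: str, now: int) -> str:
    """Apply the posted rules, in order, to one NEW packet for tcp/22."""
    lst.set(src, now)                                   # rule 1: --set
    if src in whitelist and lst.remove(src):            # rule 2: SSH_WHITELIST
        return "ACCEPT"                                 #   --remove ... -j ACCEPT
    verdict = "PASS"          # no terminal verdict yet: rest of INPUT decides
    if lst.update(src, now, LOG_WINDOW, LOG_HITS):      # rule 3: -j ULOG
        verdict = "LOGGED"    # ULOG is non-terminating, evaluation continues
    if lst.update(src, now, DROP_WINDOW, DROP_HITS):    # rule 4: -j DROP
        return "DROP"
    return verdict


def simulate(attempts: List[Tuple[int, str]],
             whitelist: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the verdict for each (time, source) NEW connection, in order."""
    lst = RecentList()
    return [new_ssh_connection(lst, whitelist, src, t) for t, src in attempts]


# Constructed sample traffic (documentation addresses, not real hosts):
# one source retrying every 10 s, and a whitelisted admin host doing the same.
SCANNER = [(10 * i, "203.0.113.9") for i in range(25)]
ADMIN = [(10 * i, "198.51.100.7") for i in range(25)]

if __name__ == "__main__":
    for i, v in enumerate(simulate(SCANNER)):
        print(f"scanner attempt {i + 1:2d} at t={10 * i:3d}s -> {v}")
    print("admin verdicts:", set(simulate(ADMIN, frozenset({"198.51.100.7"}))))
```

With the constructed scanner traffic the first five attempts pass untouched, attempts 6 to 20 are logged, and from attempt 21 onwards the source is dropped; a whitelisted host is accepted every time and never accumulates an entry in the list.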
participants (3)
- John Andersen
- Marcus Meissner
- Michael James