[opensuse-security] Re: [suse-security] iptables SuSEfirewall2
On 9.11.2006 23:07, Wade Grant wrote:
I know that SuSefirewall uses iptables but for example I want to make an entry for:
iptables -I INPUT -s 172.16.0.0/32 -j DROP
Basically I want to drop any connections from the 172.16.0.0-172.16.255.255 network coming to a sendmail server. With the Yast and SuSefirewall scripts managing the iptables where will I put my entry in and how do I make iptables read the new entry? I tried issuing the above from the command line but I don't know how Suse likes to restart to read the new entry. Help would be appreciated.
By the way - your rule is incorrect for what you want to do. You should specify netmask /16 and not /32. /32 means 'host' and not entire subnet. -- Blade hails you... Heart once bold Now turned to stone Perfection my messenger from hell --Nightwish
Boyan Tabakov wrote:
On 9.11.2006 23:07, Wade Grant wrote:
I know that SuSefirewall uses iptables but for example I want to make an entry for:
iptables -I INPUT -s 172.16.0.0/32 -j DROP
Basically I want to drop any connections from the 172.16.0.0-172.16.255.255 network coming to a sendmail server. With the Yast and SuSefirewall scripts managing the iptables where will I put my entry in and how do I make iptables read the new entry? I tried issuing the above from the command line but I don't know how Suse likes to restart to read the new entry. Help would be appreciated.
By the way - your rule is incorrect for what you want to do. You should specify netmask /16 and not /32. /32 means 'host' and not entire subnet.
Therefore you should tell the unknowing what that means ...
0.0.0.0/0 - all IPs 0.0.0.0 - 255.255.255.255
123.0.0.0/8 - all IPs 123.0.0.0 - 123.255.255.255
123.123.0.0/16 - all IPs 123.123.0.0 - 123.123.255.255
123.123.123.0/24 - the whole subnet 123.123.123.0 - 123.123.123.255
123.123.123.123/32 - only the host with IP 123.123.123.123
a.b.c.d/x means: address range = 32-x bits of the subnet.
If there is a half subnet (some use this for routing the limited number of real IPs): 123.123.123.x = IP of one of the half subnet's clients (255.255.255.128 = subnet mask), therefore 123.123.123.0/25 is the whole subnet 123.123.123.0 - 123.123.123.127 and 123.123.123.128/25 is the second subnet 123.123.123.128 - 123.123.123.255. You can do this further on (these are only some examples)!
There are two/three possible positions of clients: internet (dev_ext), intranet (dev_int) and the server's unprotected side (dev_dmz). Where your clients belong you must know. I think you mean external clients (whoohaa the bad client numbers), so place them in /etc/sysconfig/scripts/SuSEfirewall2-custom. Put them here: fw_custom_before_antispoofing. Don't overwrite the { or } signs otherwise it won't work! Don't forget to activate this in /etc/sysconfig/SuSEfirewall2 (don't overwrite the ' signs here otherwise it won't work!)!
To restart it has shown to do so:
/etc/init.d/SuSEfirewall2 stop && /etc/init.d/SuSEfirewall2 start
instead of:
/etc/init.d/SuSEfirewall2 restart
A simple restart sometimes doesn't work from my experience (some chains still remain)!
Regards
Philippe
P.S.: HTH! Nice that the lists now will work again (I always get strange ideas if there is no mail for a while in this list)!
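As an added example (not code from the thread and not part of SuSEfirewall2), the following POSIX shell script puts Boyan's and Philippe's netmask point into something you can run, and shows the shape of the custom hook Philippe names. The first part computes the first and last address a prefix covers, so you can see that 172.16.0.0/32 is one host while 172.16.0.0/16 is the whole 172.16.0.0-172.16.255.255 range. The second part is a constructed fw_custom_before_antispoofing function as it would sit in /etc/sysconfig/scripts/SuSEfirewall2-custom; the variable names IPTABLES and BLOCKED_NET are my own, and the function refuses a prefix whose host bits are set, because iptables masks the address silently and the rule would then not read as it behaves.

```shell
#!/bin/sh
# Added example, not from the list thread or from SuSEfirewall2 itself.
# Part 1: which addresses does a CIDR prefix cover (the /16 vs /32 point)?
# Part 2: constructed shape of the custom hook fw_custom_before_antispoofing,
# with the ruleset command behind $IPTABLES so it can be exercised without
# touching a live firewall (IPTABLES="echo iptables" just prints the rule).

# Dotted quad -> 32-bit integer, using shell arithmetic only.
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_range a.b.c.d/x prints "first last": the lowest and highest address
# the prefix matches. The host part is 32-x bits wide, so /32 is one host,
# /16 is 65536 addresses and /0 is every IPv4 address.
cidr_range() {
    ip=${1%/*}
    bits=${1#*/}
    n=$(ip_to_int "$ip")
    mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
    first=$(( n & mask ))
    last=$(( first | (0xffffffff ^ mask) ))
    echo "$(int_to_ip "$first") $(int_to_ip "$last")"
}

# Constructed content for /etc/sysconfig/scripts/SuSEfirewall2-custom.
# BLOCKED_NET is the thread's example network with the corrected /16 mask;
# both variable names are assumptions of this example, not SuSEfirewall2's.
IPTABLES=${IPTABLES:-iptables}
BLOCKED_NET=172.16.0.0/16

fw_custom_before_antispoofing() {
    # iptables masks the address for you, so 172.16.5.9/16 silently means
    # all of 172.16.0.0/16; insist on the network address so the rule in the
    # file reads exactly as it behaves.
    set -- $(cidr_range "$BLOCKED_NET")
    if [ "$1" != "${BLOCKED_NET%/*}" ]; then
        echo "refusing $BLOCKED_NET: its network address is $1" >&2
        return 1
    fi
    $IPTABLES -I INPUT -s "$BLOCKED_NET" -j DROP
}

# Stand-alone run: print the ranges for the prefixes discussed in the thread.
for p in 172.16.0.0/32 172.16.0.0/16 123.123.123.128/25 0.0.0.0/0; do
    echo "$p -> $(cidr_range "$p")"
done
```

To use the hook for real, the function body goes into the existing fw_custom_before_antispoofing function of the custom file (keeping its braces, as Philippe says), and the custom file has to be enabled in /etc/sysconfig/SuSEfirewall2 via FW_CUSTOMRULES. For loading the rule afterwards, Carlos's remark later in the thread applies: running SuSEfirewall2 with no parameters reloads the rules, which avoids the moment with no filtering that Ludwig points out a stop followed by a start creates.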
Philippe Vogel wrote:
To restart it has shown to do so:
/etc/init.d/SuSEfirewall2 stop && /etc/init.d/SuSEfirewall2 start
That opens your machine to the world for a moment as stopping the firewall removes all filter rules and sets the policy to accept.
instead of:
/etc/init.d/SuSEfirewall2 restart
A simple restart sometimes doesn't work from my experience (some chains still remain)!
Huh? Please open a bug report if that's reproducible.
cu
Ludwig
-- Ludwig Nussel, SUSE LINUX Products GmbH, Development, http://www.suse.de/
Ludwig Nussel wrote:
Philippe Vogel wrote:
To restart it has shown to do so:
/etc/init.d/SuSEfirewall2 stop && /etc/init.d/SuSEfirewall2 start
That opens your machine to the world for a moment as stopping the firewall removes all filter rules and sets the policy to accept.
Only for a small amount of time and with a secure system it is not a problem. Mention: A secure system only opens a limited amount of ports. A system not opening ports doesn't need a firewall and is as secure as the user of this system. Not using a virus scanner is not a risk if you know what you do and you use a "non victimizable" OS (don't answer to this as this is a kind of philosophy for some persons)!
instead of:
/etc/init.d/SuSEfirewall2 restart
A simple restart sometimes doesn't work from my experience (some chains still remain)!
Huh? Please open a bug report if that's reproducible.
cu Ludwig
This is reproducible, but not in all cases SuSEfirewall2 shows this behaviour.
The next thing in mind is that all DMZ-chains get initialized without having a DMZ, so I customized the script a bit without the DMZ-chains (without unnecessary chains, and there are a lot even remaining, the script runs faster). Another thing would be customizable QoS-chains which I always edit for some services not listed there.
Regards
Philippe
Mention: A secure system only opens a limited amount of ports. A system not opening ports doesn't need a firewall and is as secure as the user of this system.
Wrong. Because of: ICMP, IGMP, ARP, ...
Bye, Thomas
-- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing
"Never underestimate what a shower can give to you."
Philippe Vogel wrote:
instead of:
/etc/init.d/SuSEfirewall2 restart
A simple restart sometimes doesn't work from my experience (some chains still remain)!
Huh? Please open a bug report if that's reproducible.
This is reproducible, but not in all cases SuSEfirewall2 shows this behaviour.
The next thing in mind is that all DMZ-chains get initialized without having a DMZ, so I customized the script a bit without the DMZ-chains (without unnecessary chains, and there are a lot even remaining, the script runs faster).
Which version of SuSEfirewall2 are you talking about?
Another thing would be customizable QoS-chains which I always edit for some services not listed there.
Patches welcome.
cu
Ludwig
-- Ludwig Nussel, SUSE LINUX Products GmbH, Development, http://www.suse.de/
The Monday 2006-11-13 at 09:32 +0100, Ludwig Nussel wrote:
Philippe Vogel wrote:
To restart it has shown to do so:
/etc/init.d/SuSEfirewall2 stop && /etc/init.d/SuSEfirewall2 start
That opens your machine to the world for a moment as stopping the firewall removes all filter rules and sets the policy to accept.
I understand that running "SuSEfirewall2" with no parameters reloads the rules fine.
Cheers,
Carlos E. R.
participants (5)
- Boyan Tabakov
- Carlos E. R.
- Ludwig Nussel
- Philippe Vogel
- Thomas Biege