[opensuse-security] SuSEfirewall2- how can/does it work?
I looked at my firewall using iptables and wondered if I was being protected. It seems that the first statement accepts all protocols from anywhere to anywhere. So are most of the statements left in the INPUT chain meaningless? I have made 2 changes manually to the firewall. One to allow port 6881 traffic and to prevent 6881 resets by middlemen on a connection. When I delete the first line my browser stops working. I had been forced to use an untainted kernel and so apparmor does not load. Is that why this is behaving weirdly? Does apparmor with its kernel patches add another chain/table to the SuSEfirewall2? Doesn't "ACCEPT" stop processing of rules in a given chain?

root:~> iptables -L
Chain INPUT (policy DROP)
target      prot opt source      destination
ACCEPT      all  --  anywhere    anywhere
ACCEPT      all  --  anywhere    anywhere    state RELATED,ESTABLISHED
input_ext   all  --  anywhere    anywhere
input_ext   all  --  anywhere    anywhere
LOG         all  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP        all  --  anywhere    anywhere

Chain FORWARD (policy DROP)
target      prot opt source      destination
LOG         all  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target      prot opt source      destination
ACCEPT      all  --  anywhere    anywhere
ACCEPT      all  --  anywhere    anywhere    state NEW,RELATED,ESTABLISHED
LOG         all  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target      prot opt source      destination

Chain input_ext (2 references)
target      prot opt source      destination
DROP        all  --  anywhere    anywhere    PKTTYPE = broadcast
ACCEPT      icmp --  anywhere    anywhere    icmp source-quench
ACCEPT      icmp --  anywhere    anywhere    icmp echo-request
DROP        tcp  --  anywhere    anywhere    tcp dpt:6881 flags:RST/RST
ACCEPT      all  --  anywhere    anywhere    state RELATED,ESTABLISHED
LOG         tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:111 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT      tcp  --  anywhere    anywhere    tcp dpt:111
LOG         tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:20 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT      tcp  --  anywhere    anywhere    tcp dpt:20
LOG         tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:21 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT      tcp  --  anywhere    anywhere    tcp dpt:21
LOG         tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:2401 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT      tcp  --  anywhere    anywhere    tcp dpt:2401
LOG         tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:80 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT      tcp  --  anywhere    anywhere    tcp dpt:80
LOG         tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp dpt:6881 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT      tcp  --  anywhere    anywhere    tcp dpt:6881
reject_func tcp  --  anywhere    anywhere    tcp dpt:113 state NEW
LOG         all  --  anywhere    anywhere    limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP        all  --  anywhere    anywhere    PKTTYPE = multicast
LOG         tcp  --  anywhere    anywhere    limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG         icmp --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG         udp  --  anywhere    anywhere    limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG         all  --  anywhere    anywhere    limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP        all  --  anywhere    anywhere

Chain reject_func (1 references)
target      prot opt source      destination
REJECT      tcp  --  anywhere    anywhere    reject-with tcp-reset
REJECT      udp  --  anywhere    anywhere    reject-with icmp-port-unreachable
REJECT      all  --  anywhere    anywhere    reject-with icmp-proto-unreachable
root:~>

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Saturday, 29 March 2008, Don Harter wrote:
I looked at my firewall using iptables and wondered if I was being protected. It seems that the first statement accepts all protocols from anywhere to anywhere. [...]
root:~> iptables -L [...]
Try "iptables -vL" and you will see.

HTH
Jan
--
I know that you believe you understand what you think I said, but I am not sure you realize that what you heard is not what I meant.
Yes. Thank you. Someone else pointed that out to me. The first statement refers to lo (localhost). When I turned that off, X Windows couldn't talk to my localhost. I had a computer lockup on me, and just before that I was getting "possible SYN flooding" messages. I had my 6881 port statements in the wrong place. It seems that SuSEfirewall2 automatically checks for SYN flooding for each port opened.

Jan Ritzerfeld wrote:
On Saturday, 29 March 2008, Don Harter wrote:
I looked at my firewall using iptables and wondered if I was being protected. It seems that the first statement accepts all protocols from anywhere to anywhere. [...]
root:~> iptables -L [...]
Try "iptables -vL" and you will see.
HTH Jan
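An added illustration of the point the thread settles on, not code from either poster: a toy model of iptables first-match traversal over a simplified copy of the INPUT, input_ext and reject_func chains listed above. The `in lo` match on the first INPUT rule is the detail that `iptables -L` hides and `iptables -vL` shows; the interface name `eth0`, the packet fields and the reduced rule subset are constructed assumptions.

```python
# Added example, not from the thread: a toy model of iptables first-match
# traversal over a simplified copy of the SuSEfirewall2 chains in the post.
# The "in" match on the first INPUT rule is what "iptables -L" hides and
# "iptables -vL" shows; "eth0" and the rule subset are constructed here.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}
CHAINS = {  # (match, target) rules; a key missing from match means "any"
    "INPUT": [
        ({"in": "lo"}, "ACCEPT"),             # -L prints "all anywhere anywhere"
        ({"state": "ESTABLISHED"}, "ACCEPT"),
        ({"in": "eth0"}, "input_ext"),        # jump into the user chain
        ({}, "LOG"),                          # SFW2-IN-ILL-TARGET, non-terminating
        ({}, "DROP"),
    ],
    "input_ext": [
        ({"proto": "tcp", "dport": 6881, "flags": "RST"}, "DROP"),
        ({"state": "ESTABLISHED"}, "ACCEPT"),
        ({"proto": "tcp", "dport": 80, "flags": "SYN"}, "LOG"),   # SFW2-INext-ACC-TCP
        ({"proto": "tcp", "dport": 80}, "ACCEPT"),
        ({"proto": "tcp", "dport": 6881, "flags": "SYN"}, "LOG"),
        ({"proto": "tcp", "dport": 6881}, "ACCEPT"),
        ({"proto": "tcp", "dport": 113, "state": "NEW"}, "reject_func"),
        ({"proto": "tcp", "flags": "SYN"}, "LOG"),                # SFW2-INext-DROP-DEFLT
    ],
    "reject_func": [
        ({"proto": "tcp"}, "REJECT"),         # reject-with tcp-reset
        ({}, "REJECT"),
    ],
}
POLICY = {"INPUT": "DROP"}

def matches(match, pkt):
    return all(pkt.get(k) == v for k, v in match.items())

def traverse(chain, pkt, log):
    """Walk one chain in order; return a terminating verdict or None."""
    for match, target in CHAINS[chain]:
        if not matches(match, pkt):
            continue
        if target in TERMINATING:
            return target                    # first terminating match wins
        if target == "LOG":
            log.append(chain)                # LOG never ends traversal
            continue
        v = traverse(target, pkt, log)       # user chain; no hit means RETURN
        if v:
            return v
    return None

def verdict(pkt):
    log = []                                 # returns (final verdict, LOG hits)
    return traverse("INPUT", pkt, log) or POLICY["INPUT"], len(log)
```

A packet arriving on lo is accepted by the first rule alone, while a new SYN to port 22 from eth0 is logged once in input_ext, falls back into INPUT, is logged again under SFW2-IN-ILL-TARGET and only then hits the final DROP.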