Greetings,

Is there a way to block an ip-address completely with SuSEFirewall?

--
Chadley Wilson
Production Line Superintendent
Pinnacle Micro
Manufacturers of Proline Computers
====================================
Exercise freedom, Use LINUX
=====================================

Hi,

Chadley Wilson wrote:
> Greetings,
> Is there a way to block an ip-address completely with SuSEFirewall?

It is possible but not that easy. You can add custom iptables rules in a separate file and call it from the SuSE Firewall; look out for /etc/sysconfig/scripts/SuSEfirewall2-custom.

Alternatively, you could use your own firewall script instead of SuSE FW. In order to build the rules, you could use e.g. fwbuilder (http://www.fwbuilder.org) and add the rules to your script.

My experience is that SuSE FW is just fine to have a generic protection but if you need a more granular configuration, a custom iptables rule set is the better way to go.

Regards
Reto

Chadley Wilson wrote:
> Greetings,
> Is there a way to block an ip-address completely with SuSEFirewall?

Yes, specify the IP address in the custom rules for SuSEFirewall2. The diff below results from copying /etc/sysconfig/scripts/SuSEFirewall2-custom to /root/local-rules and then adding the DROP/LOG lines for the specified address. The changes go into the "anti-spoof" element of the custom rules. This example drops all IP traffic to/from 192.168.1.192/32. Yours, C. E. Brooks /ceb\ *** /etc/sysconfig/scripts/SuSEfirewall2-custom Sat Mar 19 14:26:56 2005 --- /root/local-rules Mon Aug 22 18:28:34 2005 *************** *** 25,30 **** --- 25,36 ---- #example: allow incoming multicast packets for any routing protocol #iptables -A INPUT -j ACCEPT -d 224.0.0.0/24 + iptables -A INPUT -j LOG --src 192.168.1.192 --log-prefix "DROP-AS-INSRC " + iptables -A INPUT -j DROP --src 192.168.1.192 + + iptables -A OUTPUT -j LOG --dst 192.168.1.192 --log-prefix "DROP-AS-OUTDST " + iptables -A OUTPUT -j DROP --dst 192.168.1.192 + true }
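
Review bot: The added rules cover only the INPUT and OUTPUT chains, so on a host that routes or masquerades for other machines, packets to or from 192.168.1.192 that traverse the FORWARD chain are not dropped. If the box forwards traffic, add the same LOG/DROP pair with -A FORWARD, once for --src 192.168.1.192 and once for --dst 192.168.1.192. The two LOG rules are also unthrottled, so every packet from the blocked address writes a log line; adding a match such as -m limit --limit 3/minute (rate chosen here only as an example) to the LOG lines keeps a noisy host from filling the logs. Because the rules are appended with -A, they only take effect if nothing earlier in the chain has already accepted the packet, so confirm their position with iptables -L INPUT -n --line-numbers after the firewall is reloaded.
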
participants (3)
- Chadley Wilson
- Charles E. Brooks
- Reto Inversini