I am trying to understand SuSEfirewall2, and am a little confused by the rules it has generated. In the sample below, eth0 is internal and has address 203.8.195.164, eth1 is external and has address 61.62.63.64.

Confusion #1:
-------------

My understanding of the INPUT queue is that only packets routed locally will pass through the queue. So why base decisions on the target IP address? Why not replace:

    iptables -A INPUT -j input_ext -i eth1 -d 61.62.63.64
    iptables -A INPUT -j input_int -i eth0 -d 203.8.195.164

with

    iptables -A INPUT -j input_ext -i eth1
    iptables -A INPUT -j input_int -i eth0

Confusion #2:
-------------

Since a local network packet addressed to either eth0 or eth1 will route to the firewall machine, is this line sufficient to prevent access?

    iptables -A INPUT -j LOG --log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW-ACCESS_DENIED_FOR_INT -i eth0 -d 61.62.63.64
    iptables -A INPUT -i eth0 -d 61.62.63.64 -j DROP

I would have expected a matching '-i eth0 -d 203.8.195.164' to cover all possible target addresses of the server.

Any clarifications would be appreciated....

Thanks,
Philip Warner.
------------ debug output -----------

iptables -A INPUT -j ACCEPT -i lo
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED -p udp --sport 67 -d 255.255.255.255/32 --dport 68
iptables -A INPUT -j LOG --log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW-DROP-ANTI-SPOOFING -s 127.0.0.0/8
iptables -A INPUT -j LOG --log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW-DROP-ANTI-SPOOFING -d 127.0.0.0/8
iptables -A INPUT -j DROP -s 127.0.0.0/8
iptables -A INPUT -j DROP -d 127.0.0.0/8
iptables -A INPUT -j LOG --log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW-DROP-ANTI-SPOOFING -s 203.8.195.164
iptables -A INPUT -j DROP -s 203.8.195.164
iptables -A INPUT -j LOG --log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW-DROP-ANTI-SPOOFING -s 61.62.63.64
iptables -A INPUT -j DROP -s 61.62.63.64
<Confusing1>
iptables -A INPUT -j input_ext -i eth1 -d 61.62.63.64
iptables -A INPUT -j input_int -i eth0 -d 203.8.195.164
</Confusing1>
iptables -A INPUT -j DROP -i eth1 -d 61.62.63.255
iptables -A INPUT -j DROP -i eth1 -d 255.255.255.255
iptables -A INPUT -j DROP -i eth0 -d 203.8.195.255
iptables -A INPUT -j DROP -i eth0 -d 255.255.255.255
<Confusing2>
iptables -A INPUT -j LOG --log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW-ACCESS_DENIED_FOR_INT -i eth0 -d 61.62.63.64
iptables -A INPUT -i eth0 -d 61.62.63.64 -j DROP
</Confusing2>
iptables -A INPUT -j LOG --log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW-UNALLOWED-TARGET
iptables -A INPUT -j DROP

----------------------------------------------------------------
Philip Warner
Albatross Consulting Pty. Ltd.
(A.B.N. 75 008 659 498)
Tel: (+61) 0500 83 82 81
Fax: (+61) 0500 83 82 82
Http://www.rhyme.com.au
PGP key available upon request, and from pgp5.ai.mit.edu:11371
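As an added illustration (my own Python, not SuSEfirewall2 code and not part of the original post), the following transcribes the INPUT chain from the debug output above and walks it in order for a few constructed packets, so the effect of the -d matches in the Confusing1 rules can be seen: an external packet addressed to the internal IP never reaches input_ext and instead falls through to the SuSE-FW-UNALLOWED-TARGET log and drop. It ignores ports and connection state, so the DHCP rule is left out, and a jump to a user chain is reported as the verdict.

```python
from ipaddress import ip_address, ip_network

# Constructed transcription of the INPUT chain from the debug output:
# (in_interface, src, dst, target, log_prefix); None means "any". DHCP rule omitted.
RULES = [
    ("lo",   None,            None,              "ACCEPT",    None),
    (None,   "127.0.0.0/8",   None,              "LOG",       "SuSE-FW-DROP-ANTI-SPOOFING"),
    (None,   None,            "127.0.0.0/8",     "LOG",       "SuSE-FW-DROP-ANTI-SPOOFING"),
    (None,   "127.0.0.0/8",   None,              "DROP",      None),
    (None,   None,            "127.0.0.0/8",     "DROP",      None),
    (None,   "203.8.195.164", None,              "LOG",       "SuSE-FW-DROP-ANTI-SPOOFING"),
    (None,   "203.8.195.164", None,              "DROP",      None),
    (None,   "61.62.63.64",   None,              "LOG",       "SuSE-FW-DROP-ANTI-SPOOFING"),
    (None,   "61.62.63.64",   None,              "DROP",      None),
    ("eth1", None,            "61.62.63.64",     "input_ext", None),  # <Confusing1>
    ("eth0", None,            "203.8.195.164",   "input_int", None),  # </Confusing1>
    ("eth1", None,            "61.62.63.255",    "DROP",      None),
    ("eth1", None,            "255.255.255.255", "DROP",      None),
    ("eth0", None,            "203.8.195.255",   "DROP",      None),
    ("eth0", None,            "255.255.255.255", "DROP",      None),
    ("eth0", None,            "61.62.63.64",     "LOG",       "SuSE-FW-ACCESS_DENIED_FOR_INT"),  # <Confusing2>
    ("eth0", None,            "61.62.63.64",     "DROP",      None),  # </Confusing2>
    (None,   None,            None,              "LOG",       "SuSE-FW-UNALLOWED-TARGET"),
    (None,   None,            None,              "DROP",      None),
]

def matches(rule, iface, src, dst):
    """True when the packet satisfies every match the rule specifies."""
    r_if, r_src, r_dst, _, _ = rule
    if r_if is not None and r_if != iface:
        return False
    if r_src is not None and ip_address(src) not in ip_network(r_src):
        return False
    return r_dst is None or ip_address(dst) in ip_network(r_dst)

def walk_input(iface, src, dst):
    """Walk the chain top to bottom: LOG keeps going, any other target ends the walk."""
    logs = []
    for rule in RULES:
        if not matches(rule, iface, src, dst):
            continue
        target, prefix = rule[3], rule[4]
        if target == "LOG":
            logs.append(prefix)
            continue
        return target, logs          # (verdict or user-chain jump, log prefixes hit)
    return "POLICY", logs            # chain policy; unreachable with the final catch-all DROP

if __name__ == "__main__":
    for pkt in [("eth0", "203.8.195.10", "61.62.63.64"), ("eth1", "198.51.100.7", "203.8.195.164")]:
        print(pkt, "->", walk_input(*pkt))
```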
participants (1)
-
Philip Warner