SuSEFirewall 2 / SuSE 8.1 accepting packets it should not

Hi Uli,

> > checking my logs today I found that my firewall accepts some (not all!) packets to TCP high ports, although I thought I had them all closed. The firewall script is the latest update for 8.1, the system is SuSE 8.1 with all current patches installed. Any ideas?
>
> Maybe the packets in your log are answer packets to a connection your computer initiated. Guess your computer initiates an ftp connection to some computer in the internet. The destination port is the port 21 of the ftp server, and the source port is e.g. port 1234 of your computer.

No, I definitely did not use FTP or any other protocol which would listen on the ports where these packets were accepted (the ports are the Kazaa / eDonkey ports).

> So the answer packet from the ftp server has source port 21, and the destination port is the port 1234 of your computer. Do you want the firewall to drop this packet?

The source port of the packets is no well-known port, so most likely this is a Kazaa or eDonkey client which did not recognize that the dynamic IP was re-issued to my computer when it was in use before for file sharing. So I definitely want the firewall to drop ALL these packets, not only some of them (each second packet, as it seems...)

Bye,
Jürgen

Hi Jürgen!

> So I definitely want the firewall to drop ALL these packets, not only some of them (each second packet, as it seems...)

I'm not using SuSE 8.1, so can't really help you with your problem, but now that you mention it:

Oct 23 19:58:03 akira kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405AC010303030101080A000000000000000001010402)
Oct 23 19:58:03 akira kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405AC010303030101080A000000000000000001010402)

The above looks to me like *one* packet, which only gets logged twice (same ID). Maybe the new SuSE-FW2 logs the packet first like it *would* accept it, but passes it on further down the chain until it is finally dropped by the default rule. Could there be a bug in the new firewall script? Marc or anyone?

Regards,
Andy

--
Andreas J. Mueller email: <andy@muelli.net>
PGP RSA Public Key ID 0x3D41D941
FP: ED261973D51D3D20 C840B0542E69F602
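An added example, not part of the original thread and not SuSEfirewall2 code: one way to check a kernel log for the pattern discussed above, where a single packet shows up under more than one SuSE-FW-* log prefix. It groups lines by timestamp, interface, addresses, IP ID, protocol and ports; the function names are hypothetical, the first two sample lines are the ones quoted in the thread (OPT field omitted) and the third is constructed.

```python
import re
from collections import defaultdict

# Lines 1-2: quoted in the thread (OPT field omitted). Line 3: constructed sample.
SAMPLE = """\
Oct 23 19:58:03 akira kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0
Oct 23 19:58:03 akira kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0
Oct 23 19:58:09 akira kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=80.134.29.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=4711 DF PROTO=TCP SPT=1045 DPT=1214 WINDOW=8192 RES=0x00 SYN URGP=0
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: "
                  r"(?P<prefix>SuSE-FW-[A-Z-]+) (?P<fields>.*)$")
# Heuristic packet identity: the 16-bit IP ID alone can repeat, so it is
# combined with the timestamp, interface, addresses, protocol and ports.
KEY_FIELDS = ("IN", "SRC", "DST", "ID", "PROTO", "SPT", "DPT")


def parse(line):
    """Return (packet_key, log_prefix) for a SuSE-FW log line, else None."""
    m = LINE.match(line)
    if not m:
        return None
    # KEY=value pairs; bare flags such as DF or SYN carry no '=' and are skipped.
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group("fields")))
    key = (m.group("ts"),) + tuple(fields.get(k, "") for k in KEY_FIELDS)
    return key, m.group("prefix")


def group_by_packet(text):
    """Map each packet key to the log prefixes it appeared under, in order."""
    packets = defaultdict(list)
    for line in text.splitlines():
        parsed = parse(line)
        if parsed:
            packets[parsed[0]].append(parsed[1])
    return dict(packets)


def multiply_logged(text):
    """Packets that were logged under more than one distinct prefix."""
    return {k: v for k, v in group_by_packet(text).items() if len(set(v)) > 1}


if __name__ == "__main__":
    for key, prefixes in multiply_logged(SAMPLE).items():
        print("ID=%s %s:%s -> %s:%s logged as %s"
              % (key[4], key[2], key[6], key[3], key[7], " then ".join(prefixes)))
```

A packet reported here was matched by at least two logging rules; the log alone does not say which verdict applied, so the rule order in the loaded ruleset still has to be read to see where the packet actually ended up.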