Re: [suse-security] Blocking a domain with SuseFirewall2
Also, if you have set up FW_SERVICES_EXT_TCP="80" this expressly allows all connections, and so will be a conflicting rule. You need to take port 80 out of that string and create a trust rule in: -

# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesnt matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

In other rules you can use ! to make an exception, can anyone confirm if that will work in this rule?

--
Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself. -- Mark Twain
On Monday, 30 August 2004 09:42, b@rry.co.za wrote:
Also, if you have set up FW_SERVICES_EXT_TCP="80"
this expressly allows all connections, and so will be a conflicting rule. You need to take port 80 out of that string and create a trust rule in: -
No, you need not. If you insert a rule into "fw_custom_before_antispoofing", as was recently suggested by Phillippe Wiede, that rule will be executed before anything else. "DROP" is a terminating target, so the connection attempt will be dropped, whichever other rules you may have.

Best regards,
Johannes
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesnt matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
# Please note that a trusted host/net is *not* allowed to ping the firewall
# until you set it to allow also icmp!
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, seperated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""
In other rules you can use ! to make an exception, can anyone confirm if that will work in this rule?
--
Reader, suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself. -- Mark Twain
--
Dipl.-Vw. Johannes Becker
Alfred-Weber-Institut für Wirtschaftswissenschaften der Universität Heidelberg
Lehrstuhl für Statistik
Hauptstraße 126
D-69117 Heidelberg
Phone: +49-(0)6221-54 2931
Fax: +49-(0)6221-54 3589
E-mail: Johannes.Becker@urz.uni-heidelberg.de
WWW: http://wss.uni-hd.de
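Added example, not from this thread and not SuSEfirewall2's own code: a custom hook of the kind Johannes describes, which appends a terminating DROP for a blocked source before the normal service rules are built, so that a later FW_SERVICES_EXT_TCP="80" accept never sees the connection. Assumptions: the hook lives in the file SuSEfirewall2 loads through its FW_CUSTOMRULES setting (commonly /etc/sysconfig/scripts/SuSEfirewall2-custom), the source addresses 192.0.2.10 and 198.51.100.0/24 are constructed documentation values, and the function names block_rule_args and dry_run_rules are helpers invented for this example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the SuSEfirewall2 project).
# Assumed to be sourced by SuSEfirewall2 as its custom-rules hook file, e.g.
# /etc/sysconfig/scripts/SuSEfirewall2-custom (path is an assumption).

# Space-separated hosts/networks to drop on port 80. Constructed sample values;
# use addresses or CIDR prefixes here: iptables resolves a hostname only once,
# when the rule is inserted, so a "domain" block must be expressed by address.
BLOCKED_SRC="${BLOCKED_SRC:-192.0.2.10 198.51.100.0/24}"

# Firewall binary. Set IPTABLES=echo to print rules instead of installing them.
IPTABLES="${IPTABLES:-iptables}"

# Helper (invented for this example): the iptables arguments for one source.
# $1 = source host or network, $2 = destination TCP port.
block_rule_args() {
    printf '%s' "-A INPUT -s $1 -p tcp --dport $2 -j DROP"
}

# SuSEfirewall2 calls this hook before its antispoofing and service rules.
# DROP is a terminating target, so once a packet matches here no later
# ACCEPT (such as the one generated from FW_SERVICES_EXT_TCP) is consulted.
fw_custom_before_antispoofing() {
    for src in $BLOCKED_SRC; do
        # Word-splitting of the generated arguments is intended.
        $IPTABLES $(block_rule_args "$src" 80)
    done
    true
}

# Helper (invented for this example): run the hook in a subshell with
# IPTABLES=echo, returning the rules it would install, one per line.
dry_run_rules() {
    ( IPTABLES=echo; fw_custom_before_antispoofing )
}

# Stand-alone use: sh SuSEfirewall2-custom --dry-run
if [ "${1:-}" = "--dry-run" ]; then
    dry_run_rules
fi
```

After a restart of the firewall, `iptables -L INPUT -n --line-numbers` shows whether the DROP entries sit above the ACCEPT for port 80; if they do, the conflict b@rry describes with FW_SERVICES_EXT_TCP does not arise and port 80 can stay in that string. Because matching stops at the first terminating target, the same ordering argument holds for any other rule SuSEfirewall2 adds later.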