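My Firewall2-custom.rc.config will not load. What am I doing wrong? Any Dumb User Friendly Answers are appreciated ###Firewall2-custom.rc.config###
# Copyright (c) 1999,2000 SuSE GmbH Nuernberg, Germany. All rights reserved.
#
# Authors: Marc Heuse <marc@suse.de>,
#          Volker Kuhlmann <kuhlmav@elec.canterbury.ac.nz>
#
# /etc/rc.config.d/firewall-custom.rc.config
#
# ------------------------------------------------------------------------
#
# This file is for SuSEfirewall >= v4.0 and is an example for using
# the hooks which are supplied since v4.0 to load customized ipchains rules.
#
# NOTE(review): the header above is the SuSEfirewall v4 (ipchains) hook
# template, but every rule in this file is an iptables command.  The two
# rule sets are not interchangeable (presumably the ipchains and iptables
# kernel modules cannot both be active), so if the script that sources this
# file is the ipchains-based /sbin/SuSEfirewall, every rule here fails and
# the file appears "not to load".  Confirm which firewall script sources
# this file and where it expects it (SuSEfirewall2 is the iptables-based
# variant and reads its hooks from its own custom file) before debugging
# individual rules.
#
# THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE ! SO READ CAREFULLY !
# IT IS USEFUL TO CROSS-READ /sbin/SuSEfirewall TO SEE HOW HOOKS WORK !
#
# Every hook ends with "true" so that the function returns exit status 0
# even when its last iptables call failed; otherwise the calling script may
# treat the hook as failed.
#
# ------------------------------------------------------------------------

fw_custom_before_antispoofing() {
    # Loaded before any anti-spoofing rules.  The only filters already in
    # effect at this point are: 1) allow any traffic via the loopback
    # interface, 2) allow DHCP, 3) allow SAMBA [2 and 3 only if the
    # FW_SERVICE_... variables are set to "yes"].
    # Use this hook to avoid logging uninteresting broadcast packets or to
    # let certain packets through the anti-spoofing mechanism.
    #
    # Example: allow incoming multicast packets for any routing protocol
    #ipchains -I input -j ACCEPT -d 224.0.0.0/24
    true
}

fw_custom_before_port_handling() {
    # Could also be named "after_antispoofing()".  Loaded after the
    # anti-spoofing and ICMP handling, but before any IP protocol or
    # TCP/UDP port allow/protection rules are set.  Use it to allow/deny
    # certain IP protocols or ports before the SuSEfirewall generated rules
    # are hit.

    ## Always drop BackOrifice/NetBus trojan connect requests.
    # (The template's example also logged them; no LOG rule is present here,
    # so these are silently dropped.)
    iptables -A INPUT -p tcp --destination-port 31337 -j DROP
    iptables -A INPUT -p udp --destination-port 31337 -j DROP
    iptables -A INPUT -p tcp --destination-port 12345:12346 -j DROP
    iptables -A INPUT -p udp --destination-port 12345:12346 -j DROP

    ## SYN-flood protection.
    # Create the user chain idempotently: on a reload the chain already
    # exists, a bare "iptables -N syn-flood" fails, and the "-A" rules below
    # would be appended a second time.  Flush the existing chain instead so
    # it is rebuilt clean on every run.
    iptables -N syn-flood 2>/dev/null || iptables -F syn-flood
    iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
    # CAUTION: this limit is global for ALL new inbound TCP connections on
    # eth0 (1/s, burst 4), not per source host.  Anything beyond that rate
    # is dropped, including legitimate clients; raise the limit to match the
    # connection rate this host is expected to serve.
    iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
    iptables -A syn-flood -j DROP

    ## Make sure NEW tcp connections are SYN packets.
    iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

    ## Fragments: log and drop every non-first fragment arriving on eth0.
    iptables -A INPUT -i eth0 -f -j LOG --log-prefix "IPTABLES FRAGMENTS: "
    iptables -A INPUT -i eth0 -f -j DROP

    ## Anti-spoofing on the external interface.
    # These rules assume eth0 is the Internet-facing interface.  If eth0
    # actually carries a private LAN (10/8, 172.16/12 or 192.168/16), the
    # first three rules drop all of that LAN's traffic -- check this first
    # if "nothing works" after the file loads.
    # Refuse packets claiming to be from a Class A private network.
    iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
    # Refuse packets claiming to be from a Class B private network.
    iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
    # Refuse packets claiming to be from a Class C private network.
    iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
    # Refuse Class D multicast addresses.  Multicast is illegal as a source
    # address.
    iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
    # Refuse Class E reserved IP addresses.  Class E is 240.0.0.0/4
    # (240.0.0.0 - 255.255.255.255); the earlier /5 only covered 240-247.
    iptables -A INPUT -i eth0 -s 240.0.0.0/4 -j DROP

    ## Rate-limited ACCEPT rules for routed traffic.
    # NOTE: both rules sit in the FORWARD chain, so they do not affect
    # traffic addressed to this host, and neither of them drops anything:
    # packets above the limit simply fall through to whatever rules follow.
    # On their own they are not a port-scan or ping-flood defence.
    # "Furtive port scanner": RST-only packets (SYN,ACK,FIN,RST == RST).
    iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
    # "Ping of death": echo-requests, at most 1/s.
    iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

    # Refuse packets that arrive on eth0 but claim a loopback destination.
    iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

    ## All you can eat local traffic.
    # (Per the hook description above, SuSEfirewall already allows loopback
    # before any hook runs; this is a harmless duplicate.)
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ## AUTH server: reject ident probes with a TCP reset rather than a silent
    # drop, so the probing server gets an immediate answer instead of a
    # timeout.
    iptables -A INPUT -i eth0 -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    true
}

fw_custom_before_masq() {
    # Could also be named "after_port_handling()".  Loaded after the IP
    # protocol and TCP/UDP port handling, but before any IP forwarding
    # (routing) or masquerading is done.
    # NOTE: reverse masquerading is done directly after
    # fw_custom_before_port_handling !!!!
    # Nothing is added in this hook.
    true
}

fw_custom_before_denyall() {
    # Could also be named "after_forwardmasq()".  Loaded after IP forwarding
    # and masquerading, but before SuSEfirewall sets its logging and
    # deny-all section.  Use it to keep annoying packets out of the logs.
    # Example: prevent logging of talk requests from anywhere.
    iptables -A INPUT -p udp --destination-port 517:518 -j DROP
    true
}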
Shonne Beavers