What causes this error in the firewall?
Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:03:57 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53548 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:04:17 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53840 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:04:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=54228 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Why am I denied outgoing access to some ports now and then? These seem to be triggered by BitTorrent downloading the RC1, but I also get some to port 80. At the moment, dozens like the log entry above.
port 6881 is allowed entry in the config:
FW_SERVICES_EXT_TCP="6881:6889"
-- Cheers, Carlos Robinson
2006/4/14, Carlos E. R.:
Apr 14 17:04:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=54228 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Why am I denied outgoing access to some ports now and then? These seem to be triggered by BitTorrent downloading the RC1, but I also get some to port 80. At the moment, dozens like the log entry above.
port 6881 is allowed entry in the config:
FW_SERVICES_EXT_TCP="6881:6889"
Carlos,
Just a thought, but check your firewall's rules for outgoing packets. The rule you said before is defined as follows:
FW_SERVICES_EXT_TCP Which TCP services _on the firewall_ should be accessible from untrusted networks.
So this rule seems to be used to allow or deny external sites accessing the local computer.
Greetings,
-- Camaleón
The Friday 2006-04-14 at 17:33 +0200, Camaleón wrote:
Just a thought, but check your firewall's rules for outgoing packets. The rule you said before is defined as follows:
As far as I know, as I didn't write the firewall script, none. I only use the configuration... This is SuSEfirewall2, you know.
FW_SERVICES_EXT_TCP Which TCP services _on the firewall_ should be accessible from untrusted networks.
So this rule seems to be used to allow or deny external sites accessing the local computer.
I know. So that's why I ask why the heck is it denying _some_ outgoing packets. Not really denying, but saying it is an error. What error?
(google points to hundreds of questions, no answers)
-- Cheers, Carlos Robinson
Hi Carlos,
let me try to give you a hint though I'm not an expert on SuSEfirewall2.
On Freitag, 14. April 2006 17:06 Carlos E. R. wrote:
What causes this error in the firewall?
Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
The log tells you that your client (SRC=192.168.1.12, SPT=6881) sends somehow invalid answers (ACK) to a machine on the internet (DST=85.85.72.60, DPT=4712, tcp).
Why ERROR, not DROP? As far as I can see SuSEfirewall2 doesn't block any outgoing connections - your machine may connect wherever.
In /sbin/SuSEfirewall2 is exactly one place that produces this ERROR log (lines 1104-1105, suse 9.3):
  $iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
  $iptables -A OUTPUT -j LOG ${LOG}"-OUT-ERROR "
A packet which is not in NEW,ESTABLISHED,RELATED must be invalid somehow; it's not handled by the first line but the second. But it doesn't seem to be dropped afterwards, only logged as ERROR! The immediately next three lines say:
  # we want to let locally generated packets out since our task is not
  # to protect the world from us, but protect us from the world ;)
  # policy is ACCEPT
  $iptables -A OUTPUT -j ACCEPT
So your problem probably has nothing to do with the firewall itself but the client or something in between (invalid packets).
Why am I denied outgoing access to some ports now and then?
The "now and then" confirms the suspicion (client problem).
Apart from this your last paragraph shows some essential misunderstanding:
port 6881 is allowed entry in the config:
FW_SERVICES_EXT_TCP="6881:6889"
This has _nothing_ to do with the above.
/etc/sysconfig/SuSEfirewall2 says:
  # 9.)
  # Which TCP services _on the firewall_ should be accessible from
  # untrusted networks?
In other words: with FW_SERVICES_EXT_TCP you allow _incoming_ connections to your net/host, the internet is allowed to connect to your machine on ports 6881 - 6889 tcp. Maybe that's not what you want.
Bye, Joe
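To make Joe's reading of the OUTPUT chain checkable against the log itself, here is an added example (not code from the thread or from SuSEfirewall2) that parses netfilter LOG-target lines of the kind quoted above, pulls out the TCP flags that the state match would have seen, and groups the SFW2-OUT-ERROR hits by 4-tuple so the repeat interval becomes visible. The four sample lines are the ones from the original post; the function names, the flow-summary layout and the one-line explanation strings are this example's own design. The explanation is deliberately limited to what the flags support: a bare ACK can only match ESTABLISHED, so if it fell through to the LOG rule, conntrack no longer held (or would not accept) an entry for that connection.

```python
"""Parse SuSEfirewall2 / netfilter LOG-target kernel lines and group repeated
SFW2-OUT-ERROR hits by TCP flow.

Added example for the thread above; not part of SuSEfirewall2. The sample
lines below are copied from the original post, everything else (function
names, summary format, explanation strings) is assumed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# The four log lines quoted in the original post.
SAMPLE_LOG = """\
Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:03:57 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53548 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:04:17 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53840 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
Apr 14 17:04:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=54228 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
"""

# "Mon DD HH:MM:SS host kernel: SFW2-<TAG> key=value ... bare-flags ..."
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<tag>SFW2-[A-Z-]+)\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S*)")          # IN= has an empty value on OUTPUT logs
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "ECE", "CWR"}


def parse_line(line):
    """Return the LOG target's fields as a dict, or None for a non-SFW2 line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    tokens = m["rest"].split()
    rec = {"ts": m["ts"], "host": m["host"], "tag": m["tag"]}
    rec.update(KV_RE.findall(m["rest"]))
    # Tokens without '=' are the IP DF bit and the TCP flag names.
    rec["df"] = "DF" in tokens
    rec["flags"] = sorted(t for t in tokens if t in TCP_FLAGS)
    return rec


def explain_out_error(rec):
    """Say, from the logged flags only, why '-m state --state NEW,ESTABLISHED,RELATED'
    did not match, i.e. why the packet reached the LOG rule Joe quotes."""
    if rec["tag"] != "SFW2-OUT-ERROR":
        return "not an OUT-ERROR entry"
    if rec.get("PROTO") != "TCP":
        return f"{rec.get('PROTO')} packet that conntrack classified INVALID"
    flags = set(rec["flags"])
    if flags == {"ACK"}:
        # No SYN, so it cannot be NEW; it can only match ESTABLISHED, and it did not.
        return ("bare ACK with no SYN: conntrack held no matching ESTABLISHED entry "
                "for this connection (expired, torn down or out of window)")
    if "RST" in flags or "FIN" in flags:
        return "connection teardown segment for a connection conntrack no longer tracks"
    return f"flags {sorted(flags)} not accepted by conntrack for this connection"


def summarize_flows(log_text):
    """Group OUT-ERROR lines by (SRC, SPT, DST, DPT) and report hit count and the
    seconds between consecutive hits; a fixed spacing points at a retrying socket."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["tag"] == "SFW2-OUT-ERROR":
            key = (rec["SRC"], int(rec["SPT"]), rec["DST"], int(rec["DPT"]))
            # syslog timestamps carry no year; differences within a day still work
            flows[key].append(datetime.strptime(rec["ts"], "%b %d %H:%M:%S"))
    summary = {}
    for key, times in flows.items():
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        summary[key] = {"hits": len(times), "gaps_s": gaps}
    return summary


if __name__ == "__main__":
    for flow, info in summarize_flows(SAMPLE_LOG).items():
        print(flow, info)
    first = parse_line(SAMPLE_LOG.splitlines()[0])
    print(first["flags"], "->", explain_out_error(first))
```

Run against the four lines above, the parser reports a single flow 192.168.1.12:6881 -> 85.85.72.60:4712 with four hits spaced exactly 20 seconds apart and only the ACK flag set, which is what one would expect from a socket on the client retrying after the kernel's conntrack entry for that connection was gone; the firewall still accepts the packet because of the unconditional ACCEPT that follows the LOG rule.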
The Saturday 2006-04-15 at 00:49 +0200, Joe Knall wrote:
let me try to give you a hint though I'm not an expert on SuSEfirewall2.
Ok :-)
On Freitag, 14. April 2006 17:06 Carlos E. R. wrote:
What causes this error in the firewall?
Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.168.1.12 DST=85.85.72.60 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK URGP=0
The log tells you that your client (SRC=192.168.1.12, SPT=6881) sends somehow invalid answers (ACK) to a machine on the internet (DST=85.85.72.60, DPT=4712, tcp).
Ah. That is starting to make some sense.
Why ERROR, not DROP? As far as I can see SuSEfirewall2 doesn't block any outgoing connections - your machine may connect wherever.
In /sbin/SuSEfirewall2 is exactly one place that produces this ERROR log (lines 1104-1105, suse 9.3):
  $iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
  $iptables -A OUTPUT -j LOG ${LOG}"-OUT-ERROR "
A packet which is not in NEW,ESTABLISHED,RELATED must be invalid somehow; it's not handled by the first line but the second. But it doesn't seem to be dropped afterwards, only logged as ERROR! The immediately next three lines say:
  # we want to let locally generated packets out since our task is not
  # to protect the world from us, but protect us from the world ;)
  # policy is ACCEPT
  $iptables -A OUTPUT -j ACCEPT
So your problem probably has nothing to do with the firewall itself but the client or something in between (invalid packets).
Well, it logged about a dozen or more of such to the same machine; the error is occasional, but when it happens, it is repeatable. It is not related to only one client, because previously I saw it when browsing with Mozilla, now and then, and now I see it with BitTorrent-4.0.2-3.1, but many. It may be related to something wrong deep somewhere in the kernel or glibc or who knows.
Apart from this your last paragraph shows some essential misunderstanding:
port 6881 is allowed entry in the config:
FW_SERVICES_EXT_TCP="6881:6889"
This has _nothing_ to do with the above.
I know, I know. I only added the reference to that for completeness, just in case.
-- Cheers, Carlos Robinson