[opensuse-security] Howto restrict number of sshd sessions per minute
Hi ListMates, I'm trying to resolve a problem with Susefirewall2 that I've had for some time and I'm hoping to get a resolution if possible. I'm trying this on a Dell Server T110 using opensuse linux 11.2 - uname: Linux bunyip 2.6.31.12-0.2-desktop #1 SMP PREEMPT 2010-03-16 21:25:39 +0100 i686 i686 i386 GNU/Linux. I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more. I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"). If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch and firewall those culprits BUT I would still like to know why the above code doesn't seem to work. Have I forgotten to edit something else? Any help would be much appreciated. If it helps, below is the result of the iptables -L - maybe someone can spot something here? Again much thanks for any help in this area. bunyip:/etc/sysconfig # iptables -L Chain INPUT (policy DROP) target prot opt source destination DROP all -- 60.210.8.234 anywhere DROP all -- 59.151.119.180 anywhere DROP all -- 61.160.249.80 anywhere DROP all -- 118.45.235.157 anywhere DROP all -- 210.51.191.232 anywhere DROP all -- pd95b8832.dip0.t-ipconnect.de anywhere DROP all -- 218.75.79.18 anywhere ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state ESTABLISHED ACCEPT icmp -- anywhere anywhere state RELATED input_ext all -- anywhere anywhere input_ext all -- anywhere anywhere LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET ' DROP all -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING ' Chain OUTPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR ' Chain forward_ext (0 references) target prot opt source destination Chain input_ext (2 references) target prot opt source destination DROP all -- anywhere anywhere PKTTYPE = broadcast ACCEPT icmp -- anywhere anywhere icmp source-quench ACCEPT icmp -- anywhere anywhere icmp echo-request ACCEPT udp -- anywhere anywhere udp spt:netbios-ns state RELATED ACCEPT gre -- anywhere anywhere LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ndmp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ndmp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:scp-config flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:scp-config LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:pptp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:pptp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp-data flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp-data LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ni-ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ni-ftp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:http flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:http LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:https flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:https LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:smtp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:smtp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:urd flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:urd LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ftp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ftp LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpts:30000:30100 ACCEPT udp -- anywhere anywhere udp dpt:http ACCEPT udp -- anywhere anywhere udp dpt:https LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG level warning tcp-options ip-options prefix `SFW2-INext-DROPr ' DROP tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: ssh side: source ACCEPT tcp -- anywhere anywhere tcp dpt:ssh DROP all -- anywhere anywhere PKTTYPE = multicast DROP all -- anywhere anywhere PKTTYPE = broadcast LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' LOG udp -- anywhere anywhere limit: avg 3/min burst 5 state NEW LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT ' DROP all -- anywhere anywhere Chain reject_func (0 references) target prot opt source destination REJECT tcp -- anywhere anywhere reject-with tcp-reset REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable bunyip:/etc/sysconfig # -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Otto Rodusek wrote:
I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more.
I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh").
If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch [...] bunyip:/etc/sysconfig # iptables -L
"SuSEfirewall2 status" output is more useful in such cases
Chain INPUT (policy DROP) [...] LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Remove ssh from FW_SERVICES_ACCEPT_EXT and FW_CONFIGURATIONS_EXT cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Ludwig Nussel wrote:
Otto Rodusek wrote:
I'm trying to restrict the number of sshd login attempts to only 5 per minute and no more.
I've read the docs and have modified /etc/sysconfig/SuSEfirewall2 (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22") to (FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh").
If I check my logs I can still see that MANY sshd login attempts still happen within the 60 seconds. I have installed a perl program to catch [...] bunyip:/etc/sysconfig # iptables -L
"SuSEfirewall2 status" output is more useful in such cases
Chain INPUT (policy DROP) [...] LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP ' ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Remove ssh from FW_SERVICES_ACCEPT_EXT and FW_CONFIGURATIONS_EXT
cu Ludwig
Hi Ludwig, Ok, tried all the suggestions and cleaned out SuSEfirewall2 as per above but I still get the following in my logs: Jun 10 03:08:28 bunyip sshd[7626]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:29 bunyip sshd[7629]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:30 bunyip sshd[7631]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:31 bunyip sshd[7633]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:32 bunyip sshd[7635]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:33 bunyip sshd[7637]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:34 bunyip sshd[7639]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:35 bunyip sshd[7641]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:36 bunyip sshd[7643]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:38 bunyip sshd[7645]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:39 bunyip sshd[7647]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:40 bunyip sshd[7649]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:41 bunyip sshd[7651]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:42 bunyip sshd[7653]: Invalid user oracle from 218.8.82.99 Jun 10 03:08:43 bunyip sshd[7656]: Invalid user test from 218.8.82.99 Obviously the line FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" isn't doing what it's supposed to do? Any other ideas I can try? Here is the output from SuSEfirewall2 -status if it will help!!?? Again thanks for all the suggestions and help! Best regards. otto. PS: Here is the output from SuSEfirewall2 -status if it will help!!?? bunyip:/etc/sysconfig # SuSEfirewall2 status ### iptables filter ### Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 DROP all -- * * 118.217.217.47 0.0.0.0/0 0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 2791K 376M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED 8066 1084K input_ext all -- eth0 * 0.0.0.0/0 0.0.0.0/0 0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' Chain OUTPUT (policy ACCEPT 1 packets, 40 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 2633K 972M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED 1 40 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR ' Chain forward_ext (0 references) pkts bytes target prot opt in out source destination Chain input_ext (2 references) pkts bytes target prot opt in out source destination 7156 954K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 state RELATED 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 18 864 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:10001 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 74 3552 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10001 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:1723 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:20 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:47 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:47 8 412 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 9 476 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 38 2060 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 44 2444 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:465 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 1 48 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 1 48 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 3 144 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 3 144 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 45 2160 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:21 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 46 2208 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:30000:30100 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:80 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:443 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG flags 6 level 4 prefix `SFW2-INext-DROPr ' 3 180 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source 20 1180 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC ' 20 1180 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW recent: SET name: ssh side: source 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 628 113K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast 0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 48 3744 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 82 6396 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 Chain reject_func (0 references) pkts bytes target prot opt in out source destination 0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset 0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable ### iptables raw ### Chain PREROUTING (policy ACCEPT 11M packets, 1549M bytes) pkts bytes target prot opt in out source destination 0 0 NOTRACK all -- lo * 0.0.0.0/0 0.0.0.0/0 Chain OUTPUT (policy ACCEPT 10M packets, 5702M bytes) pkts bytes target prot opt in out source destination 0 0 NOTRACK all -- * lo 0.0.0.0/0 0.0.0.0/0 ### ip6tables filter ### Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all lo * ::/0 ::/0 0 0 ACCEPT all * * ::/0 ::/0 state ESTABLISHED 0 0 ACCEPT icmpv6 * * ::/0 ::/0 state RELATED 0 0 input_ext all eth0 * ::/0 ::/0 0 0 input_ext all * * ::/0 ::/0 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET ' 0 0 DROP all * * ::/0 ::/0 Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING ' Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all * lo ::/0 ::/0 0 0 ACCEPT icmpv6 * * ::/0 ::/0 0 0 ACCEPT all * * ::/0 ::/0 state NEW,RELATED,ESTABLISHED 0 0 LOG all * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-OUT-ERROR ' Chain forward_ext (0 references) pkts bytes target prot opt in out source destination Chain input_ext (2 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 128 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 133 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 134 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 135 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 136 0 0 ACCEPT icmpv6 * * ::/0 ::/0 ipv6-icmp type 137 0 0 ACCEPT udp * * ::/0 ::/0 udp spt:137 state RELATED 0 0 ACCEPT 47 * * ::/0 ::/0 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:10000 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:10000 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:10001 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:10001 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:1723 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:1723 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:20 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:20 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:47 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:47 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:80 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:80 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:443 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:443 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:25 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:25 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:465 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:465 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:139 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:139 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:445 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:445 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:21 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:21 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpts:30000:30100 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpts:30000:30100 0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:80 0 0 ACCEPT udp * * ::/0 ::/0 udp dpt:443 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp dpt:22 state NEW recent: CHECK seconds: 60 hit_count: 5 name: ssh side: source LOG flags 6 level 4 prefix `SFW2-INext-DROPr ' 0 0 DROP tcp * * ::/0 ::/0 tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 5 TTL-Match name: ssh side: source 0 0 LOG tcp * * ::/0 ::/0 tcp dpt:22 state NEW limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-ACC ' 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22 state NEW recent: SET name: ssh side: source 0 0 ACCEPT tcp * * ::/0 ::/0 tcp dpt:22 0 0 LOG tcp * * ::/0 ::/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 0 0 LOG icmpv6 * * ::/0 ::/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 0 0 LOG udp * * ::/0 ::/0 limit: avg 3/min burst 5 state NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT ' 0 0 DROP all * * ::/0 ::/0 Chain reject_func (0 references) pkts bytes target prot opt in out source destination 0 0 REJECT tcp * * ::/0 ::/0 reject-with tcp-reset 0 0 REJECT udp * * ::/0 ::/0 reject-with icmp6-port-unreachable 0 0 REJECT all * * ::/0 ::/0 reject-with icmp6-addr-unreachable 0 0 DROP all * * ::/0 ::/0 ### ip6tables mangle ### Chain PREROUTING (policy ACCEPT 138 packets, 13384 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 138 packets, 13384 bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 150 packets, 14360 bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 150 packets, 14360 bytes) pkts bytes target prot opt in out source destination ### ip6tables raw ### Chain PREROUTING (policy ACCEPT 138 packets, 13384 bytes) pkts bytes target prot opt in out source destination 0 0 NOTRACK all lo * ::/0 ::/0 Chain OUTPUT (policy ACCEPT 150 packets, 14360 bytes) pkts bytes target prot opt in out source destination 0 0 NOTRACK all * lo ::/0 ::/0 -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010-06-10 15:45, Otto Rodusek wrote:
Ok, tried all the suggestions and cleaned out SuSEfirewall2 as per above but I still get the following in my logs:
Jun 10 03:08:28 bunyip sshd[7626]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:29 bunyip sshd[7629]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:30 bunyip sshd[7631]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Obviously the line FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" isn't doing what it's supposed to do? Any other ideas I can try?
You have to increase "blockseconds" to more than 60 seconds. You have one attempt per minute, so they avoid the rule... - -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkwRQvoACgkQU92UU+smfQV+BACdGZndcm8sbdwJxOmOV7ExPjDh +fMAn3RrV+HNEoWmIiYwgufG0QGbHSBo =Tdkz -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Quoting Carlos E. R. (robin.listas@telefonica.net):
On 2010-06-10 15:45, Otto Rodusek wrote:
Ok, tried all the suggestions and cleaned out SuSEfirewall2 as per above but I still get the following in my logs:
Jun 10 03:08:28 bunyip sshd[7626]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:29 bunyip sshd[7629]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:30 bunyip sshd[7631]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Obviously the line FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" isn't doing what it's supposed to do? Any other ideas I can try?
You have to increase "blockseconds" to more than 60 seconds. You have one attempt per minute, so they avoid the rule...
Hm, I'd read that as one per second, not one per minute... Susan -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Susan Dittmar wrote:
Quoting Carlos E. R. (robin.listas@telefonica.net):
On 2010-06-10 15:45, Otto Rodusek wrote:
Ok, tried all the suggestions and cleaned out SuSEfirewall2 as per above but I still get the following in my logs:
Jun 10 03:08:28 bunyip sshd[7626]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:29 bunyip sshd[7629]: User root from 218.8.82.99 not allowed because not listed in AllowUsers Jun 10 03:08:30 bunyip sshd[7631]: User root from 218.8.82.99 not allowed because not listed in AllowUsers
Obviously the line FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" isn't doing what it's supposed to do? Any other ideas I can try?
You have to increase "blockseconds" to more than 60 seconds. You have one attempt per minute, so they avoid the rule...
Hm, I'd read that as one per second, not one per minute...
Susan
Hi, Its actually 5 hits per 60 seconds or 12 seconds between invalid hits. Best regards. otto. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
*chuckle* I should have been more precise. I read *the log file* as one ssh attept per second, not one per minute as Carlos wrote. Susan -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 2010-06-14 11:33, Susan Dittmar wrote:
*chuckle*
I should have been more precise. I read *the log file* as one ssh attept per second, not one per minute as Carlos wrote.
Yes, that's right. I misread the log. About the problem, I believe the ssh port must be opened by another rule; my understanding is that any other rule opening the ssh port takes precedence over the "FW_SERVICES_ACCEPT_*" one. Perhaps grepping for ssh in the file would find the culprit. - -- Cheers / Saludos, Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/ iEYEARECAAYFAkwWiWsACgkQU92UU+smfQXdeACgjl2UHVusgsWUMd9nkvPuV+p+ gAwAnAiuB72nYabrLZTZlJqH85ZLpF5L =DQwb -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2010-06-14 11:33, Susan Dittmar wrote:
*chuckle*
I should have been more precise. I read *the log file* as one ssh attept per second, not one per minute as Carlos wrote.
Yes, that's right. I misread the log.
About the problem, I believe the ssh port must be opened by another rule; my understanding is that any other rule opening the ssh port takes precedence over the "FW_SERVICES_ACCEPT_*" one. Perhaps grepping for ssh in the file would find the culprit.
- -- Cheers / Saludos,
Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAkwWiWsACgkQU92UU+smfQXdeACgjl2UHVusgsWUMd9nkvPuV+p+ gAwAnAiuB72nYabrLZTZlJqH85ZLpF5L =DQwb -----END PGP SIGNATURE-----
Hi Carlos, Yep, I did all the checks and mods that others recommended. The only reference to ssh or port 22 (/etc/sysconfig/SuSEfirewall2) is the following line: FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" so I'm pretty sure I got any precedence rules eliminated. So I still can't get iptables to play properly. Trying to restrict the number of ssh attempts per minute just doesn't seem to work with iptables. Oh well, hopefully I'll get this answered/solved some day...*sigh* !! Thanks to all who helped. Best regards. Otto. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Otto Rodusek wrote:
so I'm pretty sure I got any precedence rules eliminated. So I still can't get iptables to play properly. Trying to restrict the number of ssh attempts per minute just doesn't seem to work with iptables. Oh well, hopefully I'll get this answered/solved some day...*sigh* !!
And you have issued a "SuSEfirewall2 start" after all the changes ? Togan -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Togan Muftuoglu wrote:
Otto Rodusek wrote:
so I'm pretty sure I got any precedence rules eliminated. So I still can't get iptables to play properly. Trying to restrict the number of ssh attempts per minute just doesn't seem to work with iptables. Oh well, hopefully I'll get this answered/solved some day...*sigh* !!
And you have issued a "SuSEfirewall2 start" after all the changes ?
Togan
Hi Togan, Most assuredly - I did/do restart the firewall after every mod!! Thanks for your feedback. Best regards. Otto. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Carlos E. R. wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 2010-06-14 11:33, Susan Dittmar wrote:
*chuckle*
I should have been more precise. I read *the log file* as one ssh attept per second, not one per minute as Carlos wrote.
Yes, that's right. I misread the log.
About the problem, I believe the ssh port must be opened by another rule; my understanding is that any other rule opening the ssh port takes precedence over the "FW_SERVICES_ACCEPT_*" one. Perhaps grepping for ssh in the file would find the culprit.
- -- Cheers / Saludos,
Carlos E. R. (from 11.2 x86_64 "Emerald" GM (Elessar)) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/
iEYEARECAAYFAkwWiWsACgkQU92UU+smfQXdeACgjl2UHVusgsWUMd9nkvPuV+p+ gAwAnAiuB72nYabrLZTZlJqH85ZLpF5L =DQwb -----END PGP SIGNATURE-----
Hi Carlos, Yep, I did all the checks and mods that others recommended. The only reference to ssh or port 22 (/etc/sysconfig/SuSEfirewall2) is the following line: FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" so I'm pretty sure I got any precedence rules eliminated. So I still can't get iptables to play properly. Trying to restrict the number of ssh attempts per minute just doesn't seem to work with iptables. Oh well, hopefully I'll get this answered/solved some day...*sigh* !! Thanks to all who helped. Best regards. Otto. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Otto Rodusek wrote:
Yep, I did all the checks and mods that others recommended. The only reference to ssh or port 22 (/etc/sysconfig/SuSEfirewall2) is the following line:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"
so I'm pretty sure I got any precedence rules eliminated. So I still can't get iptables to play properly. Trying to restrict the number of ssh attempts per minute just doesn't seem to work with iptables. Oh well, hopefully I'll get this answered/solved some day...*sigh* !!
Works fine here on 11.2 $ while netcat -w 1 myhost 22 < /dev/null ; do :; done SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 $ Sometimes it helps to use e.g. 'watch' to see which rules trigger: $ watch -d sudo iptables -vnL input_ext Also try startig from scratch¹ and only modify FW_SERVICES_ACCEPT_EXT. cu Ludwig [1] cp /var/adm/fillup-templates/sysconfig.SuSEfirewall2 /etc/sysconfig/SuSEfirewall2 -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.de/ SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Ludwig Nussel wrote:
Otto Rodusek wrote:
Yep, I did all the checks and mods that others recommended. The only reference to ssh or port 22 (/etc/sysconfig/SuSEfirewall2) is the following line:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh"
so I'm pretty sure I got any precedence rules eliminated. So I still can't get iptables to play properly. Trying to restrict the number of ssh attempts per minute just doesn't seem to work with iptables. Oh well, hopefully I'll get this answered/solved some day...*sigh* !!
Works fine here on 11.2
$ while netcat -w 1 myhost 22 < /dev/null ; do :; done SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 SSH-2.0-OpenSSH_5.2 $
Sometimes it helps to use e.g. 'watch' to see which rules trigger: $ watch -d sudo iptables -vnL input_ext
Also try startig from scratch¹ and only modify FW_SERVICES_ACCEPT_EXT.
cu Ludwig
[1] cp /var/adm/fillup-templates/sysconfig.SuSEfirewall2 /etc/sysconfig/SuSEfirewall2
Hi Ludwig, Ok, this generated some interesting results. $ while netcat -w 1 myhost 22 < /dev/null ; do :; done SSH-2.0-OpenSSH_5.2 (607 lines of same as above)!!!!! $ So unlike yours, mine generated 607 lines before it stopped!! I then ran: bunyip:/var/log # watch -d sudo iptables -vnL input_ext Every 2.0s: sudo iptables -vnL input_ext Tue Jun 15 22:37:26 2010 Chain input_ext (2 references) pkts bytes target prot opt in out source destination 5608 749K DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4 0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:137 state RELATED 0 0 ACCEPT 47 -- * * 0.0.0.0/0 0.0.0.0/0 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:10000 flags :0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 6 288 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:10001 flags :0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 24 1152 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:10001 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:1723 flags: 0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:20 flags:0x 17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:47 flags:0x 17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:47 2 108 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:80 flags:0x 17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 2 108 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 9 476 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:443 flags:0 x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 9 476 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:25 flags:0x 17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:465 flags:0 x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:465 2 96 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:139 flags:0 x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 2 96 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 4 224 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:445 flags:0 x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 6 494 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:445 15 720 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpt:21 flags:0x 17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 15 720 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp dpts:30000:3010 0 flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-ACC-TCP ' 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:30000:30100 Not sure if any of the above helps to isolate the issue. In fact, I did try to gen a new /etc/sysconfig/SuSEfirewall2 when all this started and the only line with reference to port 22 and or ssh was: FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" Again, thanks for all your feedback and help. Best regards. Otto. -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
On Tue, Jun 15, 2010 at 10:40:22PM +0800, Otto Rodusek wrote:
/etc/sysconfig/SuSEfirewall2
Can you perhaps attach this file for review? And which device is your network card? One suspicion would be you have the external network card on the INTernal interface. Ciao, Marcus -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
Marcus Meissner wrote:
On Tue, Jun 15, 2010 at 10:40:22PM +0800, Otto Rodusek wrote:
/etc/sysconfig/SuSEfirewall2
Can you perhaps attach this file for review? And which device is your network card?
One suspicion would be you have the external network card on the INTernal interface.
Ciao, Marcus
Hi Marcus, I have a single ethernet card - eth0 - and I have defined it as "external" in yast2 firewall. Attached here is the listing of /etc/sysconfig/SuSEfirewall2. I'm going to feel like an idiot if you find something obvious!!! Much thanks for your help and advice. Best regards. Otto. ================================================================= # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany. All rights reserved. # Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany. All rights reserved. # Copyright (c) 2005-2008 SUSE LINUX Products GmbH Nuernberg, Germany. All rights reserved. # # Author: Marc Heuse, 2002 # Ludwig Nussel, 2004-2008 # # /etc/sysconfig/SuSEfirewall2 # # for use with /sbin/SuSEfirewall2 version 3.6 # # ------------------------------------------------------------------------ # # PLEASE NOTE THE FOLLOWING: # # Just by configuring these settings and using the SuSEfirewall2 you # are not secure per se! There is *not* such a thing you install and # hence you are saved from all (security) hazards. # # To ensure your security, you need also: # # * Secure all services you are offering to untrusted networks # (internet) You can do this by using software which has been # designed with security in mind (like postfix, vsftpd, ssh), # setting these up without misconfiguration and praying, that # they have got really no holes. Apparmor can help in # most circumstances to reduce the risk. # * Do not run untrusted software. (philosophical question, can # you trust SuSE or any other software distributor?) # * Check the security of your server(s) regulary # * If you are using this server as a firewall/bastion host to the # internet for an internal network, try to run proxy services # for everything and disable routing on this machine. # * If you run DNS on the firewall: disable untrusted zone # transfers and either don't allow access to it from the # internet or run it split-brained. # # Good luck! # # Yours, # SuSE Security Team # # ------------------------------------------------------------------------ # # Configuration HELP: # # If you have got any problems configuring this file, take a look at # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES or use YaST # # # If you are an end-user who is NOT connected to two networks (read: # you have got a single user system and are using a dialup to the # internet) you just have to configure (all other settings are OK): # 2) and maybe 9). # # If this server is a firewall, which should act like a proxy (no direct # routing between both networks), or you are an end-user connected to the # internet and to an internal network, you have to setup your proxys and # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14) # # If this server is a firewall, and should do routing/masquerading between # the untrusted and the trusted network, you have to reconfigure (all other # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13), # 14) # # If you want to run a DMZ in either of the above three standard setups, you # just have to configure *additionally* 4), 9), 12), 13), 18) # # Please note that if you use service names, they have to exist in # /etc/services. There is for example no service "dns", it's called # "domain"; email is called "smtp" etc. # # ------------------------------------------------------------------------ ## Path: Network/Firewall/SuSEfirewall2 ## Description: SuSEfirewall2 configuration ## Type: string ## Default: any # # 2.) # Which are the interfaces that point to the internet/untrusted # networks? # # Enter all untrusted network devices here # # Format: space separated list of interface or configuration names # # The special keyword "any" means that packets arriving on interfaces not # explicitly configured as int, ext or dmz will be considered external. Note: # this setting only works for packets destined for the local machine. If you # want forwarding or masquerading you still have to add the external interfaces # individually. "any" can be mixed with other interface names. # # Examples: "ippp0 ippp1", "any dsl0" # # Note: alias interfaces (like eth0:1) are ignored # FW_DEV_EXT="eth0 ppp0" ## Type: string # # 3.) # Which are the interfaces that point to the internal network? # # Enter all trusted network interfaces here. If you are not # connected to a trusted network (e.g. you have just a dialup) leave # this empty. # # Format: space separated list of interface or configuration names # # Examples: "tr0", "eth0 eth1" # FW_DEV_INT="" ## Type: string # # 4.) # Which are the interfaces that point to the dmz or dialup network? # # Enter all the network devices here which point to the dmz/dialups. # A "dmz" is a special, seperated network, which is only connected # to the firewall, and should be reachable from the internet to # provide services, e.g. WWW, Mail, etc. and hence is at risk from # attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an # example. # # Note: You have to configure FW_FORWARD to define the services # which should be available to the internet and set FW_ROUTE to yes. # # Format: space separated list of interface or configuration names # # Examples: "tr0", "eth0 eth1" # FW_DEV_DMZ="" ## Type: yesno ## Default: no # # 5.) # Should routing between the internet, dmz and internal network be # activated? # # Set this to "yes" if you either want to masquerade internal # machines or allow access to the dmz (or internal machines, but # this is not a good idea). # # This option overrides IP_FORWARD from # /etc/sysconfig/network/options # # Setting this option one alone doesn't do anything. Either activate # masquerading with FW_MASQUERADE below if you want to masquerade # your internal network to the internet, or configure FW_FORWARD to # define what is allowed to be forwarded. You also need to define # internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ. # # defaults to "no" if not set # FW_ROUTE="no" ## Type: yesno ## Default: no # # 6.) # Do you want to masquerade internal networks to the outside? # # Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV # # "Masquerading" means that all your internal machines which use # services on the internet seem to come from your firewall. Please # note that it is more secure to communicate via proxies to the # internet than to use masquerading. # # This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ. # # defaults to "no" if not set # FW_MASQUERADE="no" ## Type: string ## Default: zone:ext # # 6a.) # You also have to define on which interfaces to masquerade on. # Those are usually the same as the external interfaces. Most users # can leave the default. # # The special string "zone:" concatenated with the name of a zone # means to take all interfaces in the specified zone. # # Old version of SuSEfirewall2 used a shell variable ($FW_DEV_EXT) # here. That method is deprecated as it breaks auto detection of # interfaces. Please use zone:ext instead. # # Examples: "ippp0", "zone:ext" # FW_MASQ_DEV="zone:ext" ## Type: string ## Default: 0/0 # # Which internal computers/networks are allowed to access the # internet via masquerading (not via proxys on the firewall)? # # Format: space separated list of # <source network>[,<destination network>,<protocol>[,port[:port]] # # If the protocol is icmp then port is interpreted as icmp type # # Examples: - "0/0" unrestricted access to the internet # - "10.0.0.0/8" allows the whole 10.0.0.0 network with # unrestricted access. # - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows # the 10.0.1.0 network to use www/ftp to the internet. - # - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the # 10.0.1.0/24 network is allowed to access unprivileged # ports whereas 10.0.2.0/24 is granted unrestricted # access. # - "0/0,!10.0.0.0/8" unrestricted access to the internet # with the exception of 10.0.0.8 which will not be # masqueraded. # FW_MASQ_NETS="0/0" ## Type: string ## Default: 0/0 # # Which computers/networks to exclude from masquerading. # # Note that this only affects the POSTROUTING chain of the nat # table. Ie the forwarding rules installed by FW_MASQ_NETS do not # include the listed exceptions. # *** Since you may use FW_NOMASQ_NETS together with IPsec make sure # that the policy database is loaded even when the tunnel is not up # yet. Otherwise packets to the listed networks will be forwarded to # the internet unencrypted! *** # # Format: space separated list of # <source network>[,<destination network>,<protocol>[,port[:port]] # # If the protocol is icmp then port is interpreted as icmp type # # Examples: - "0/0,10.0.0.0/8" do not masquerade packets from # anywhere to the 10.0.0.0/8 network # FW_NOMASQ_NETS="" ## Type: list(yes,no,notrack) ## Default: no # # 7.) # Do you want to protect the firewall from the internal network? # Requires: FW_DEV_INT # # If you set this to "yes", internal machines may only access # services on the firewall you explicitly allow. If you set this to # "no", any internal user can connect (and attack) any service on # the firewall. # # The value "notrack" acts similar to "no" but additionally # connection tracking is switched off for interfaces in the zone. # This is useful to gain better performance on high speed # interfaces. # # defaults to "yes" if not set # # see also FW_REJECT_INT # FW_PROTECT_FROM_INT="no" ## Type: string # # 9.) # Which TCP services _on the firewall_ should be accessible from # untrusted networks? # # Format: space separated list of ports, port ranges or well known # service names (see /etc/services) # # Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_TCP="10000 10001 1723 20 47" ## Type: string # # Which UDP services _on the firewall_ should be accessible from # untrusted networks? # # Format: space separated list of ports, port ranges or well known # service names (see /etc/services) # # Example: "53", "syslog" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_UDP="" ## Type: string # # Which IP services _on the firewall_ should be accessible from # untrusted networks? # # Usually for VPN/Routing services that END at the firewall like # IPsec, GRE, PPTP or OSPF # # Format: space separated list of ports, port ranges or well known # protocol names (see /etc/protocols) # # Example: "esp" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_IP="gre" ## Type: string # # Which RPC services _on the firewall_ should be accessible from # untrusted networks? # # Port numbers of RPC services are dynamically assigned by the # portmapper. Therefore "rpcinfo -p localhost" has to be used to # automatically determine the currently assigned port for the # services specified here. # # USE WITH CAUTION! # regular users can register rpc services and therefore may be able # to have SuSEfirewall2 open arbitrary ports # # Example: "mountd nfs" # # Note: this setting has precedence over FW_SERVICES_ACCEPT_* # FW_SERVICES_EXT_RPC="" ## Type: string # # Which services _on the firewall_ should be accessible from # untrusted networks? # # Packages can drop a configuration file that specifies all required # ports into /etc/sysconfig/SuSEfirewall2.d/services. That is handy for # services that require multiple ports or protocols. Enter the space # separated list of configuration files you want to load. # # The content of those files is merged into # FW_SERVICES_$zone_$protocol, ie has precedence over # FW_SERVICES_ACCEPT_* # # Example: "samba-server nfs-server" #FW_CONFIGURATIONS_EXT="apache2 apache2-ssl postfix samba-client samba-server sshd vsftpd" FW_CONFIGURATIONS_EXT="apache2 apache2-ssl postfix samba-client samba-server vsftpd" ## Type: string # # see comments for FW_SERVICES_EXT_TCP FW_SERVICES_DMZ_TCP="" ## Type: string # # see comments for FW_SERVICES_EXT_UDP FW_SERVICES_DMZ_UDP="" ## Type: string # # see comments for FW_SERVICES_EXT_IP FW_SERVICES_DMZ_IP="" ## Type: string # # see comments for FW_SERVICES_EXT_RPC FW_SERVICES_DMZ_RPC="" ## Type: string # # see comments for FW_CONFIGURATIONS_EXT #FW_CONFIGURATIONS_DMZ="sshd" FW_CONFIGURATIONS_DMZ="" ## Type: string # # see comments for FW_SERVICES_EXT_TCP FW_SERVICES_INT_TCP="" ## Type: string # # see comments for FW_SERVICES_EXT_UDP FW_SERVICES_INT_UDP="" ## Type: string # # see comments for FW_SERVICES_EXT_IP FW_SERVICES_INT_IP="" ## Type: string # # see comments for FW_SERVICES_EXT_RPC FW_SERVICES_INT_RPC="" ## Type: string # # see comments for FW_CONFIGURATIONS_EXT #FW_CONFIGURATIONS_INT="sshd" FW_CONFIGURATIONS_INT="" ## Type: string # # Packets to silently drop without log message # # Format: space separated list of net,protocol[,port][,sport] # Example: "0/0,tcp,445 0/0,udp,4662" # # The special value _rpc_ is recognized as protocol and means that dport is # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for # details. # FW_SERVICES_DROP_EXT="" ## Type: string # # see FW_SERVICES_DROP_EXT FW_SERVICES_DROP_DMZ="" ## Type: string # # see FW_SERVICES_DROP_EXT FW_SERVICES_DROP_INT="" ## Type: string ## Default: # # Packets to silently reject without log message. Common usage is # TCP port 113 which if dropped would cause long timeouts when # sending mail or connecting to IRC servers. # # Format: space separated list of net,protocol[,dport][,sport] # Example: "0/0,tcp,113" # # The special value _rpc_ is recognized as protocol and means that dport is # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for # details. # FW_SERVICES_REJECT_EXT="" ## Type: string # # see FW_SERVICES_REJECT_EXT FW_SERVICES_REJECT_DMZ="" ## Type: string # # see FW_SERVICES_REJECT_EXT FW_SERVICES_REJECT_INT="" ## Type: string ## Default: # # Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP} # and more specific than FW_TRUSTED_NETS # # Format: space separated list of net,protocol[,dport[,sport[,flags]]] # Example: "0/0,tcp,22" # # Supported flags are # hitcount=NUMBER : ipt_recent --hitcount parameter # blockseconds=NUMBER : ipt_recent --seconds parameter # recentname=NAME : ipt_recent --name parameter # Example: # Allow max three ssh connects per minute from the same IP address: # "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh" # # The special value _rpc_ is recognized as protocol and means that dport is # interpreted as rpc service name. See FW_SERVICES_EXT_RPC for # details. # # Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP # take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same # port with both options. # # Note2: the iptables recent module may not be available for ipv6. To # avoid an error message use 0.0.0.0/0 instead of 0/0. This will # install the rule for ipv4 only. # #FW_SERVICES_ACCEPT_EXT="0/0,tcp,22" # # Modofied by otto 7/jun2010 FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=5,blockseconds=60,recentname=ssh" ## Type: string # # see FW_SERVICES_ACCEPT_EXT FW_SERVICES_ACCEPT_DMZ="" ## Type: string # # see FW_SERVICES_ACCEPT_EXT FW_SERVICES_ACCEPT_INT="" ## Type: string ## Default: # # Services to allow that are considered RELATED by the connection tracking # engine. # # Format: space separated list of net,protocol[,sport[,dport]] # # Example: # Allow samba broadcast replies marked as related by # nf_conntrack_netbios_ns from a certain network: # "192.168.1.0/24,udp,137" # # See also FW_LOAD_MODULES # FW_SERVICES_ACCEPT_RELATED_EXT="" ## Type: string # # see FW_SERVICES_ACCEPT_RELATED_EXT FW_SERVICES_ACCEPT_RELATED_DMZ="" ## Type: string # # see FW_SERVICES_ACCEPT_RELATED_EXT FW_SERVICES_ACCEPT_RELATED_INT="" ## Type: string # # 10.) # Which services should be accessible from 'trusted' hosts or nets? # # Define trusted hosts or networks (doesn't matter whether they are internal or # external) and the services (tcp,udp,icmp) they are allowed to use. This can # be used instead of FW_SERVICES_* for further access restriction. Please note # that this is no replacement for authentication since IP addresses can be # spoofed. Also note that trusted hosts/nets are not allowed to ping the # firewall until you also permit icmp. # # Format: space separated list of network[,protocol[,port]] # in case of icmp, port means the icmp type # # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22" # FW_TRUSTED_NETS="" ## Type: string ## Default: # # 11.) # Specify which ports are allowed to access unprivileged ports (>1023) # # Format: yes, no or space separated list of ports # # You may either allow everyone from anyport access to your highports ("yes"), # disallow anyone ("no"), anyone who comes from a defined port (portnumber or # known portname). Note that this is easy to circumvent! The best choice is to # keep this option unset or set to 'no' # # defaults to "no" if not set (good choice) # # Note: Use of this variable is deprecated and it will likely be # removed in the future. If you think it should be kept please # report your use case at # http://forge.novell.com/modules/xfmod/project/?susefirewall2 # FW_ALLOW_INCOMING_HIGHPORTS_TCP="" ## Type: string ## Default: # # See FW_ALLOW_INCOMING_HIGHPORTS_TCP # # defaults to "no" if not set (good choice) # # Note: Use of this variable is deprecated and it will likely be # removed in the future. If you think it should be kept please # report your use case at # http://forge.novell.com/modules/xfmod/project/?susefirewall2 # # If you use this variable to enable browsing samba/windows shares # you most likely have misconfigured your firewall. You should # either put the utilized interface into the internal zone or use # e.g. FW_SERVICES_ACCEPT_RELATED_EXT # FW_ALLOW_INCOMING_HIGHPORTS_UDP="" ## Type: string # # 13.) # Which services or networks are allowed to be routed through the # firewall, no matter which zone they are in? # Requires: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must have valid, non-private, IP addresses which were # assigned to you by your ISP. This opens a direct link to the # specified network, so please think twice befor using this option! # # Format: space separated list of # <source network>,<destination network>[,protocol[,port[,flags]]] # # If the protocol is icmp then port is interpreted as icmp type # # The only flag currently supported is 'ipsec' which means to only # match packets that originate from an IPsec tunnel # # Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any # service on the host 2.2.2.2 # - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16 # to access any service in the network 4.4.4.4/24 # - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages # from 5.5.5.5 to 6.6.6.6 # - "0/0,0/0,udp,514" always permit udp port 514 to pass # the firewall # - "192.168.1.0/24,10.10.0.0/16,,,ipsec \ # 10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic # from 192.168.1.0/24 to 10.10.0.0/16 and vice versa # provided that both networks are connected via an # IPsec tunnel. # - "fd76:9dbb:91a3:1::/64,fd76:9dbb:91a3:4::/64,tcp,ssh" # allow ssh from one IPv6 network to another # FW_FORWARD="" ## Type: string # # 13a.) # # same as FW_FORWARD but packages are rejected instead of accepted # # Requires: FW_ROUTE # FW_FORWARD_REJECT="" ## Type: string # # 13b.) # # same as FW_FORWARD but packages are dropped instead of accepted # # Requires: FW_ROUTE # FW_FORWARD_DROP="" ## Type: string # # 14.) # Which services accessed from the internet should be allowed to masqueraded # servers (on the internal network or dmz)? # Requires: FW_ROUTE # # With this option you may allow access to e.g. your mailserver. The # machines must be in a masqueraded segment and may not have public # IP addesses! Hint: if FW_DEV_MASQ is set to the external interface # you have to set FW_FORWARD from internal to DMZ for the service as # well to allow access from internal! # # Please note that this should *not* be used for security reasons! # You are opening a hole to your precious internal network. If e.g. # the webserver there is compromised - your full internal network is # compromised! # # Format: space separated list of # <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]] # # Protocol must be either tcp or udp # # Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on # port 80 coming from the 4.0.0.0/8 network to the # internal server 10.10.0.10 # - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on # port 80 coming from the 4.0.0.0/8 network to the # internal server 10.10.0.10 on port 81 # - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202" # the network 200.200.200.0/24 trying to access the # address 202.202.202.202 on port 80 will be forwarded # to the internal server 10.0.0.10 on port 81 # # Note: du to inconsitent iptables behaviour only port numbers are possible but # no service names (https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=273) # FW_FORWARD_MASQ="" ## Type: string # # 15.) # Which accesses to services should be redirected to a local port on # the firewall machine? # # This option can be used to force all internal users to surf via # your squid proxy, or transparently redirect incoming webtraffic to # a secure webserver. # # Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]] # Where protocol is either tcp or udp. dport is the original # destination port and lport the port on the local machine to # redirect the traffic to # # An exclamation mark in front of source or destination network # means everything EXCEPT the specified network # # Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080" # # Note: contrary to previous SuSEfirewall2 versions it is no longer necessary # to additionally open the local port FW_REDIRECT="" ## Type: yesno ## Default: yes # # 16.) # Which kind of packets should be logged? # # When set to "yes", packages that got dropped and are considered # 'critical' will be logged. Such packets include for example # spoofed packets, tcp connection requests and certain icmp types. # # defaults to "yes" if not set # FW_LOG_DROP_CRIT="yes" ## Type: yesno ## Default: no # # whether all dropped packets should be logged # # Note: for broadcasts to be logged you also need to set # FW_IGNORE_FW_BROADCAST_* to 'no' # # defaults to "no" if not set # FW_LOG_DROP_ALL="no" ## Type: yesno ## Default: yes # # When set to "yes", packages that got accepted and are considered # 'critical' will be logged. Such packets include for example tcp # connection requests, rpc connection requests, access to high # udp/tcp port and forwarded pakets. # # defaults to "yes" if not set # FW_LOG_ACCEPT_CRIT="yes" ## Type: yesno ## Default: no # # whether all accepted packets should be logged # # Note: setting this to 'yes' causes _LOTS_ of log entries and may # fill your disk quickly. It also disables FW_LOG_LIMIT # # defaults to "no" if not set # FW_LOG_ACCEPT_ALL="no" ## Type: string # # How many packets per time unit get logged for each logging rule. # When empty a default of 3/minute is used to prevent port scans # flooding your log files. For desktop usage it's a good idea to # have the limit, if you are using logfile analysis tools however # you might want to disable it. # # Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL # to 'yes' disables this option as well. # # Format: a digit and suffix /second, /minute, /hour or /day FW_LOG_LIMIT="" ## Type: string # # iptables logging option. Must end with --log-prefix and some prefix # characters # # You may specify an alternative logging target by starting the # string with "-j ". E.g. "-j ULOG --ulog-prefix SFW2" # # Note that ULOG doesn't work with IPv6 # # only change this if you know what you are doing! FW_LOG="" ## Type: yesno ## Default: yes # # 17.) # Do you want to enable additional kernel TCP/IP security features? # If set to yes, some obscure kernel options are set. # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate, # icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate, # ip_local_port_range, log_martians, rp_filter, routing flush, # bootp_relay, proxy_arp, secure_redirects, accept_source_route # icmp_echo_ignore_broadcasts, ipfrag_time) # # Tip: Set this to "no" until you have verified that you have got a # configuration which works for you. Then set this to "yes" and keep it # if everything still works. (It should!) ;-) # # Choice: "yes" or "no", if not set defaults to "yes" # FW_KERNEL_SECURITY="yes" ## Type: yesno ## Default: no # # 18.) # Keep the routing set on, if the firewall rules are unloaded? # REQUIRES: FW_ROUTE # # Choices "yes" or "no", if not set defaults to "no" # FW_STOP_KEEP_ROUTING_STATE="no" ## Type: yesno ## Default: yes # # 19.) # Allow the firewall to reply to icmp echo requests # # defaults to "no" if not set # FW_ALLOW_PING_FW="yes" ## Type: yesno ## Default: no # # 19a.) # Allow hosts in the dmz to be pinged from hosts in other zones even # if neither FW_FORWARD nor FW_MASQUERADE is set # # Requires: FW_ROUTE # # defaults to "no" if not set # FW_ALLOW_PING_DMZ="no" ## Type: yesno ## Default: no # # 19b.) # Allow hosts in the external zone to be pinged from hosts in other # zones even if neither FW_FORWARD nor FW_MASQUERADE is set # # Requires: FW_ROUTE # # defaults to "no" if not set # FW_ALLOW_PING_EXT="no" ## Type: yesno ## Default: yes # # 21.) # Allow ICMP sourcequench from your ISP? # # If set to yes, the firewall will notice when connection is choking, however # this opens yourself to a denial of service attack. Choose your poison. # # Defaults to "yes" if not set # FW_ALLOW_FW_SOURCEQUENCH="" ## Type: string(yes,no) # # 22.) # Allow IP Broadcasts? # # Whether the firewall allows broadcasts packets. # Broadcasts are used for e.g. for Netbios/Samba, RIP, OSPF and Games. # # If you want to drop broadcasts however ignore the annoying log entries, set # FW_IGNORE_FW_BROADCAST_* to yes. # # Note that if you allow specifc ports here it just means that broadcast # packets for that port are not dropped. You still need to set # FW_SERVICES_*_UDP to actually allow regular unicast packets to # reach the applications. # # Format: either # - "yes" or "no" # - list of udp destination ports # # Examples: - "631 137" allow broadcast packets on port 631 and 137 # to enter the machine but drop any other broadcasts # - "yes" do not install any extra drop rules for # broadcast packets. They'll be treated just as unicast # packets in this case. # - "no" drop all broadcast packets before other filtering # rules # # defaults to "no" if not set # FW_ALLOW_FW_BROADCAST_EXT="no" ## Type: string # # see comments for FW_ALLOW_FW_BROADCAST_EXT FW_ALLOW_FW_BROADCAST_INT="no" ## Type: string # # see comments for FW_ALLOW_FW_BROADCAST_EXT FW_ALLOW_FW_BROADCAST_DMZ="no" ## Type: string(yes,no) # # Suppress logging of dropped broadcast packets. Useful if you don't allow # broadcasts on a LAN interface. # # This setting only affects packets that are not allowed according # to FW_ALLOW_FW_BROADCAST_* # # Format: either # - "yes" or "no" # - list of udp destination ports # # Examples: - "631 137" silently drop broadcast packets on port 631 and 137 # - "yes" do not log dropped broadcast packets # - "no" log all dropped broadcast packets # # # defaults to "no" if not set FW_IGNORE_FW_BROADCAST_EXT="yes" ## Type: string # # see comments for FW_IGNORE_FW_BROADCAST_EXT FW_IGNORE_FW_BROADCAST_INT="no" ## Type: string # # see comments for FW_IGNORE_FW_BROADCAST_EXT FW_IGNORE_FW_BROADCAST_DMZ="no" ## Type: list(yes,no,int,ext,dmz,) ## Default: no # # 23.) # Specifies whether routing between interfaces of the same zone should be allowed # Requires: FW_ROUTE="yes" # # Set this to allow routing between interfaces in the same zone, # e.g. between all internet interfaces, or all internal network # interfaces. # # Caution: Keep in mind that "yes" affects all zones. ie even if you # need inter-zone routing only in the internal zone setting this # parameter to "yes" would allow routing between all external # interfaces as well. It's better to use # FW_ALLOW_CLASS_ROUTING="int" in this case. # # Choice: "yes", "no", or space separate list of zone names # # Defaults to "no" if not set # FW_ALLOW_CLASS_ROUTING="" ## Type: string # # 25.) # Do you want to load customary rules from a file? # # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS! # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom # #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" FW_CUSTOMRULES="" ## Type: yesno ## Default: no # # 26.) # Do you want to REJECT packets instead of DROPing? # # DROPing (which is the default) will make portscans and attacks much # slower, as no replies to the packets will be sent. REJECTing means, that # for every illegal packet, a connection reject packet is sent to the # sender. # # Choice: "yes" or "no", if not set defaults to "no" # # Defaults to "no" if not set # # You may override this value on a per zone basis by using a zone # specific variable, e.g. FW_REJECT_DMZ="yes" # FW_REJECT="" ## Type: yesno ## Default: no # # see FW_REJECT for description # # default config file setting is "yes" assuming that slowing down # portscans is not strictly required in the internal zone even if # you protect yourself from the internal zone # FW_REJECT_INT="yes" ## Type: string # # 27.) # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket) # for more information about HTB see http://www.lartc.org # # If your download collapses while you have a parallel upload, # this parameter might be an option for you. It manages your # upload stream and reserves bandwidth for special packets like # TCP ACK packets or interactive SSH. # It's a list of devices and maximum bandwidth in kbit. # For example, the german TDSL account, provides 128kbit/s upstream # and 768kbit/s downstream. We can only tune the upstream. # # Example: # If you want to tune a 128kbit/s upstream DSL device like german TDSL set # the following values: # FW_HTB_TUNE_DEV="dsl0,125" # where dsl0 is your pppoe device and 125 stands for 125kbit/s upstream # # you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll # get a better performance if you keep the value a few percent under your # real maximum upload bandwidth, to prevent the DSL modem from queuing traffic in # it's own buffers because queing is done by us now. # So for a 256kbit upstream # FW_HTB_TUNE_DEV="dsl0,250" # might be a better value than "dsl0,256". There is no perfect value for a # special kind of modem. The perfect value depends on what kind of traffic you # have on your line but 5% under your maximum upstream might be a good start. # Everthing else is special fine tuning. # If you want to know more about the technical background, # http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/ # is a good start # FW_HTB_TUNE_DEV="" ## Type: list(no,drop,reject) ## Default: drop # # 28.) # What to do with IPv6 Packets? # # On older kernels ip6tables was not stateful so it's not possible to implement # the same features as for IPv4 on such machines. For these there are three # choices: # # - no: do not set any IPv6 rules at all. Your Host will allow any IPv6 # traffic unless you setup your own rules. # # - drop: drop all IPv6 packets. # # - reject: reject all IPv6 packets. This is the default if stateful matching is # not available. # # Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6 # Adresses. See FW_IPv6_REJECT_OUTGOING to avoid this. # # Leave empty to automatically detect whether your kernel supports stateful matching. # FW_IPv6="" ## Type: yesno ## Default: yes # # 28a.) # Reject outgoing IPv6 Packets? # # Set to yes to avoid timeouts because of dropped IPv6 Packets. This Option # does only make sense with FW_IPv6 != no # # Defaults to "yes" if not set # FW_IPv6_REJECT_OUTGOING="" ## Type: list(yes,no,int,ext,dmz,) ## Default: no # # 29.) # Trust level of IPsec packets. # # You do not need to change this if you do not intend to run # services that should only be available trough an IPsec tunnel. # # The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz' # are the respective zones. 'yes' is the same as 'int. 'no' means that IPsec # packets belong to the same zone as the interface they arrive on. # # Note: you still need to explicitely allow IPsec traffic. # Example: # FW_IPSEC_TRUST="int" # FW_SERVICES_EXT_IP="esp" # FW_SERVICES_EXT_UDP="isakmp" # FW_PROTECT_FROM_INT="no" # # Defaults to "no" if not set # FW_IPSEC_TRUST="no" ## Type: string ## Default: # # 30.) # Define additional firewall zones # # The built-in zones INT, EXT and DMZ must not be listed here. Names # of additional zones must only contain lowercase ascii characters. # To define rules for the additional zone, take the approriate # variable for a built-in zone and substitute INT/EXT/DMZ with the # name of the additional zone. # # Example: # FW_ZONES="wlan" # FW_DEV_wlan="wlan0" # FW_SERVICES_wlan_TCP="80" # FW_ALLOW_FW_BROADCAST_wlan="yes" # FW_ZONES="" ## Type: string(no,auto) ## Default: # # Set default firewall zone # # Format: 'auto', 'no' or name of zone. # # When set to 'no' no firewall rules will be installed for unknown # or unconfigured interfaces. That means traffic on such interfaces # hits the default drop rules. # # When left empty or when set to 'auto' the zone that has the # interface string 'any' configured is used for all unconfigured # interfaces (see FW_DEV_EXT). If no 'any' string was found the # external zone is used. # # When a default zone is defined a catch all rule redirects traffic # from interfaces that were not present at the time SuSEfirewall2 # was run to the default zone. Normally SuSEfirewall2 needs to be # run if new interfaces appear to avoid such unknown interfaces. # # Default to 'auto' if not set # FW_ZONE_DEFAULT="" ## Type: list(yes,no,auto,) ## Default: # # 31.) # Whether to use iptables-batch # # iptables-batch commits all rules in an almost atomic way similar # to iptables-restore. This avoids excessive iptables calls and race # conditions. # # Choice: # - yes: use iptables-batch if available and warn if it isn't # - no: don't use iptables-batch # - auto: use iptables-batch if available, silently fall back to # iptables if it isn't # # Defaults to "auto" if not set # FW_USE_IPTABLES_BATCH="" ## Type: string ## Default: # # 32.) # Which additional kernel modules to load at startup # # Example: # FW_LOAD_MODULES="nf_conntrack_netbios_ns" # # See also FW_SERVICES_ACCEPT_RELATED_EXT # FW_LOAD_MODULES="nf_conntrack_netbios_ns" ## Type: string ## Default: # # 33.) # Bridge interfaces without IP address # # Traffic on bridge interfaces like the one used by xen appears to # enter and leave on the same interface. Add such interfaces here in # order to install special permitting rules for them. # # Format: list of interface names separated by space # # Note: this option is deprecated, use FW_FORWARD_ALLOW_BRIDGING instead # # Example: # FW_FORWARD_ALWAYS_INOUT_DEV="xenbr0" # FW_FORWARD_ALWAYS_INOUT_DEV="" ## Type: string ## Default: # # Whether traffic that is only bridged but not routed should be # allowed. Such packets appear to pass though the forward chain so # normally they would be dropped. # # Note: it is not possible to configure SuSEfirewall2 as bridging # firewall. This option merely controls whether SuSEfirewall2 should # try to not interfere with bridges. # # Choice: # - yes: always install a rule to allow bridge traffic # - no: don't install a rule to allow bridge traffic # - auto: install rule only if there are bridge interfaces # # Defaults to "auto" if not set # FW_FORWARD_ALLOW_BRIDGING="" ## Type: yesno ## Default: yes # # Write status information to /var/run/SuSEfirewall2/status for use # by e.g. graphical user interfaces. Can safely be disabled on # servers. # # Defaults to "yes" if not set # FW_WRITE_STATUS="" ## Type: yesno ## Default: yes # # Allow dynamic configuration overrides in # /var/run/SuSEfirewall2/override for use by e.g. graphical user # interfaces. Can safely be disabled on servers. # # Defaults to "yes" if not set # FW_RUNTIME_OVERRIDE="" ## Type: yesno ## Default: yes # # Install NOTRACK target for interface lo in the raw table. Doing so # speeds up packet processing on the loopback interface. This breaks # certain firewall setups that need to e.g. redirect outgoing # packets via custom rules on the local machine. # # Defaults to "yes" if not set # FW_LO_NOTRACK="" -- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-security+help@opensuse.org
participants (7)
-
Carlos E. R. -
Carlos E. R. -
Ludwig Nussel -
Marcus Meissner -
Otto Rodusek -
Susan Dittmar -
Togan Muftuoglu