I am trying to restrict ports below 1024 on my internal network interface. In /etc/sysconfig SuSEfirewall my configuration says:

  FW_MASQ_NETS="192.168.100.0/24,0.0,tcp,1024:65535"

When I restart SuSEfirewall the logs show:

  rcSuSEfirewall2 restart
  Starting Firewall Initialization (phase 2 of 3)
  iptables v1.2.9: invalid TCP port/service `65535' specified
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.2.9: invalid TCP port/service `65535' specified
  Try `iptables -h' or 'iptables --help' for more information.
  iptables v1.2.9: invalid TCP port/service `65535' specified

This happens with any port or port range I choose. I tried also

  FW_MASQ_NETS="192.168.100.0/24,tcp,1024:65535"

as described in the SuSE examples. In this case SuSEfirewall complains:

  The protocol with FW_MASQ_NETS must be tcp, udp or empty-> 192.168.100.0/24,tcp,1024:65535

Thanks for any advice!

Best wishes
Enrique

--
Dirk Enrique Seiffert
CaribeNet S.A. - Cartagena - Colombia
www.caribenet.com
On Fri, 14 Jan 2005, Dirk Enrique Seiffert wrote:
> I am trying to restrict ports below 1024 on my internal network interface. In /etc/sysconfig SuSEfirewall my configuration says:
>
> FW_MASQ_NETS="192.168.100.0/24,0.0,tcp,1024:65535"
shouldn't this be "0/0"

and this would masquerade ports 1024:65535 only, would it? does this make sense?

in the code I see:

  $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $NET1 $NET2 $PROTO $PORT -o $DEV --to-ports 61000-65095

might be a problem too
> When I restart SuSEfirewall the logs show:
>
> rcSuSEfirewall2 restart
> Starting Firewall Initialization (phase 2 of 3)
> iptables v1.2.9: invalid TCP port/service `65535' specified
> Try `iptables -h' or 'iptables --help' for more information.
> iptables v1.2.9: invalid TCP port/service `65535' specified
> Try `iptables -h' or 'iptables --help' for more information.
> iptables v1.2.9: invalid TCP port/service `65535' specified
>
> This happens with any port or port range I choose. I tried also FW_MASQ_NETS="192.168.100.0/24,tcp,1024:65535" as described in the SuSE examples. In this case SuSEfirewall complains:
>
> The protocol with FW_MASQ_NETS must be tcp, udp or empty-> 192.168.100.0/24,tcp,1024:65535
from looking into the script I would suggest the doc is wrong.

--
BINGO: conveniently integrate economically sound technology
--- Engelbert Gruber -------+
SSG Fintl,Gruber,Lassnig / A6170 Zirl Innweg 5b / Tel. ++43-5238-93535 ---+
On Sat 15 Jan 2005 12:28, engelbert.gruber@ssg.co.at wrote:
> FW_MASQ_NETS="192.168.100.0/24,0.0,tcp,1024:65535"
>
> shouldn't this be "0/0"

Sorry about such a stupid error, you are absolutely right!

  FW_MASQ_NETS="192.168.100.0/24,0/0,tcp,1024:65535"

works as desired.
> and this would masquerade ports 1024:65535 only, would it? does this make sense?
>
> in the code I see:
>
> $IPTABLES -A POSTROUTING -j MASQUERADE -t nat -s $NET1 $NET2 $PROTO $PORT -o $DEV --to-ports 61000-65095
>
> might be a problem too
>
> > When I restart SuSEfirewall the logs show:
> >
> > rcSuSEfirewall2 restart
> > Starting Firewall Initialization (phase 2 of 3)
> > iptables v1.2.9: invalid TCP port/service `65535' specified
> > Try `iptables -h' or 'iptables --help' for more information.
> > iptables v1.2.9: invalid TCP port/service `65535' specified
> > Try `iptables -h' or 'iptables --help' for more information.
> > iptables v1.2.9: invalid TCP port/service `65535' specified
> >
> > This happens with any port or port range I choose. I tried also FW_MASQ_NETS="192.168.100.0/24,tcp,1024:65535" as described in the SuSE examples. In this case SuSEfirewall complains:
> >
> > The protocol with FW_MASQ_NETS must be tcp, udp or empty-> 192.168.100.0/24,tcp,1024:65535
>
> from looking into the script I would suggest the doc is wrong.
Yes, there are two mistakes in the examples: the one discussed here, and a second example that says "10.0.1.0/24,0/0tcp,21", obviously with a comma missing before tcp.

  # Choice: leave empty or any number of hosts/networks seperated by a space.
  # Every host/network may get a list of allowed services, otherwise everything
  # is allowed. A target network, protocol and service is appended by a comma to
  # the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
  # unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0tcp,21" allows
  # the 10.0.1.0 network to use www/ftp to the internet.
  # "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
  # Set this variable to "0/0" to allow unrestricted access to the internet.

Thanks a lot
Enrique
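As an added example that is not part of the thread and not SuSEfirewall2's own code: a small POSIX shell checker that parses one FW_MASQ_NETS entry the way the thread indicates the script does (positional fields: source net, target net, protocol, port), prints the POSTROUTING rule it would generate instead of running it, and rejects the three malformed forms discussed above ("0.0" as target net, the three-field form the comment block documents, and "0/0tcp" with the missing comma). The interface name eth0, the requirement that a target network be written as a/b, and the -d/-p/--dport expansion of $NET2 $PROTO $PORT are assumptions of this example, not taken from the SuSEfirewall2 script.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2's own code: parse one FW_MASQ_NETS entry
# (NET[,TARGET_NET[,PROTO,PORT]]) and print the POSTROUTING rule it would
# produce. Field positions follow the thread's error message (field 3 is the
# protocol); the -d/-p/--dport expansions and the eth0 default are assumptions.

# Accept "a.b.c.d" or "net/bits"; reject "0.0" (not a network) and "0/0tcp".
is_net() {
    case $1 in
        ''|*[!0-9./]*) return 1 ;;   # empty, or stray characters such as "0/0tcp"
        */*/*)         return 1 ;;
        */*)           return 0 ;;   # CIDR form: 0/0, 10.0.1.0/24
        *.*.*.*)       return 0 ;;   # plain dotted-quad host
        *)             return 1 ;;   # "0.0" lands here
    esac
}

# Accept a single port or a low:high range within 1..65535.
is_port() {
    case $1 in
        ''|*[!0-9:]*|*:*:*) return 1 ;;
    esac
    lo=${1%%:*}
    hi=${1##*:}
    [ -n "$lo" ] && [ -n "$hi" ] &&
        [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] &&
        [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# masq_rule ENTRY [DEV]: print the rule on stdout, or an error on stderr
# and return 1.
masq_rule() {
    entry=$1
    dev=${2:-eth0}                  # assumed outgoing interface
    old_ifs=$IFS
    IFS=,
    set -f                          # no globbing while splitting on commas
    set -- $entry
    set +f
    IFS=$old_ifs
    net1=$1 net2=$2 proto=$3 port=$4
    if [ $# -gt 4 ]; then
        echo "error: too many fields -> $entry" >&2
        return 1
    fi
    case $proto in
        tcp|udp|'') ;;
        *) echo "error: protocol must be tcp, udp or empty -> $entry" >&2
           return 1 ;;
    esac
    if ! is_net "$net1"; then
        echo "error: bad source network '$net1' -> $entry" >&2
        return 1
    fi
    if [ -n "$net2" ] && ! is_net "$net2"; then
        echo "error: target network must be a/b (e.g. 0/0), got '$net2' -> $entry" >&2
        return 1
    fi
    if [ -n "$port" ]; then
        if [ -z "$proto" ]; then
            echo "error: a port needs a protocol -> $entry" >&2
            return 1
        fi
        if ! is_port "$port"; then
            echo "error: bad port or range '$port' -> $entry" >&2
            return 1
        fi
    fi
    rule="iptables -t nat -A POSTROUTING -s $net1"
    [ -n "$net2" ]  && rule="$rule -d $net2"
    [ -n "$proto" ] && rule="$rule -p $proto"
    [ -n "$port" ]  && rule="$rule --dport $port"
    echo "$rule -o $dev -j MASQUERADE --to-ports 61000-65095"
}

# Check a whole FW_MASQ_NETS value (space-separated entries); returns 1 if
# any entry is rejected.
check_all() {
    status=0
    for e in $1; do
        masq_rule "$e" || status=1
    done
    return $status
}

# Constructed sample: the working entry plus the two broken ones from the thread.
if check_all '192.168.100.0/24,0/0,tcp,1024:65535 10.0.1.0/24,0/0tcp,21 192.168.100.0/24,tcp,1024:65535'; then
    echo "all entries OK"
else
    echo "some entries were rejected"
fi
```

Run it as `sh check_masq.sh`: the first entry prints the rule, the other two print the same kind of complaint the thread shows, so a typo in FW_MASQ_NETS is caught before the firewall is restarted with a half-loaded ruleset.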