SuSEfirewall2 no external ports open up
hello list,

i have a problem with my firewall on my 9.1: if i allow some ports in /etc/sysconfig/SuSEfirewall2, for example

FW_SERVICES_EXT_TCP = "8080"

and restart the firewall i can see no rules in iptables -L INPUT or input_ext that accept this port and requests are being blocked on that port. i did set up the same system on a different location and everything is working fine there... i can see all necessary rules in the input_ext chain. if i manually add a rule on my machine for that port it works fine, but why aren't the rules set up correctly if i enter everything in /etc/sysconfig/SuSEfirewall2? i don't get it... has anybody a clue what to do here?

TIA and best regards
luk
On Tuesday, 16 November 2004 15:38, dadirtyluk wrote:
FW_SERVICES_EXT_TCP = "8080"
and restart the firewall i can see no rules in iptables -L INPUT or input_ext that accept this port and requests are being blocked on that port.
check if FW_QUICKMODE="yes". if so, you have to add the open ports to FW_SERVICES_QUICK_TCP instead of FW_SERVICES_TCP. likewise goes for _UDP and _IP, of course.

bye, MH
hi there.
check if FW_QUICKMODE="yes". if so, you have to add the open ports to FW_SERVICES_QUICK_TCP instead of FW_SERVICES_TCP. likewise goes for _UDP and _IP of course.
FW_QUICKMODE='no'

maybe i test if it works in quickmode later on...

greetz
luk
On Tuesday, 16 November 2004 16:11, dadirtyluk wrote:
hi there.
check if FW_QUICKMODE="yes". if so, you have to add the open ports to FW_SERVICES_QUICK_TCP instead of FW_SERVICES_TCP. likewise goes for _UDP and _IP of course.
FW_QUICKMODE='no'
maybe i test if it works in quickmode later on...
and all three SuSEfirewall services are active? chkconfig|grep SuSEfirewall should look like this:

celebrimbor:~ # chkconfig |grep SuSEfirewall2
SuSEfirewall2_final 35
SuSEfirewall2_init 35
SuSEfirewall2_setup 35

or "on" instead of the "35".

bye, MH
hello, i checked the hints you posted and here's the output:
and all three SuSEfirewall services are active?
chkconfig|grep SuSEfirewall should look like this:

celebrimbor:~ # chkconfig |grep SuSEfirewall2
SuSEfirewall2_final 35
SuSEfirewall2_init 35
SuSEfirewall2_setup 35
everything is 'on' and "grep -Ev ^\(#\|$\) /etc/sysconfig/SuSEfirewall2" gives:

FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.1.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="smtp domain 4662 113"
FW_SERVICES_EXT_UDP="domain 4666" # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP="ssh ftp smtp domain swat netbios-ssn imaps www 4080"
FW_SERVICES_INT_UDP="domain netbios-ssn"
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD="" # Beware to use this!
FW_FORWARD_MASQ="" # Beware to use this!
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_ANTISPOOF="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="int"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING="yes"
FW_IPSEC_TRUST="no"
FW_IPSEC_MARK=""
FW_LOG=""

hope that helps helping me :P
luk
On Tuesday, 16 November 2004 17:23, dadirtyluk wrote:
hello,
chkconfig|grep SuSEfirewall should look like this:
everything is 'on'
well, with
FW_PROTECT_FROM_INTERNAL="no"
you can leave these empty:
FW_SERVICES_INT_TCP="ssh ftp smtp domain swat netbios-ssn imaps www 4080"
FW_SERVICES_INT_UDP="domain netbios-ssn"
looks good to me. send the output of a "iptables -L -n" and the content of /var/log/boot.msg please.

bye, MH
heya,
well, with
FW_PROTECT_FROM_INTERNAL="no"
you can leave these empty:
FW_SERVICES_INT_TCP="ssh ftp smtp domain swat netbios-ssn imaps www 4080"
FW_SERVICES_INT_UDP="domain netbios-ssn"
yeah i know... just set it to no as i lost my will to fight ;)
looks good to me. send the output of a "iptables -L -n" and the content of /var/log/boot.msg please.
i checked the iptables of chain INPUT and input_ext extensively for a rule that even mentions the given ports but there wasn't a single thing... what do you expect from boot.msg? i can see every part of the firewall initialisation being run and exit with 0... that should be ok IMHO...

greetz
luk
On Tuesday, 16 November 2004 18.01, dadirtyluk wrote:
heya,
well, with
FW_PROTECT_FROM_INTERNAL="no"
you can leave these empty:
FW_SERVICES_INT_TCP="ssh ftp smtp domain swat netbios-ssn imaps www 4080"
FW_SERVICES_INT_UDP="domain netbios-ssn"
yeah i know... just set it to no as i lost my will to fight ;)
looks good to me. send the output of a "iptables -L -n" and the content of /var/log/boot.msg please.
i checked the iptables of chain INPUT and input_ext extensively for a rule that even mentions the given ports but there wasn't a single thing...
Could it be that you have REJECT_ALL_INCOMING_CONNECTIONS set in /etc/sysconfig/personal-firewall ?
i checked the iptables of chain INPUT and input_ext extensively for a rule that even mentions the given ports but there wasn't a single thing...
Could it be that you have REJECT_ALL_INCOMING_CONNECTIONS set in /etc/sysconfig/personal-firewall ?
thx a lot dude, i checked that and after setting it from 'modem' to 'no' all needed rules were applied! didn't know i had to look into personal-firewall if i use firewall2. thx again, c ya
luk

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
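The thread ends with two configuration traps that both leave /etc/sysconfig/SuSEfirewall2 looking correct while no EXT rules appear in iptables: FW_QUICKMODE="yes" with the ports listed only in FW_SERVICES_EXT_* rather than FW_SERVICES_QUICK_*, and REJECT_ALL_INCOMING_CONNECTIONS in /etc/sysconfig/personal-firewall set to something other than "no". The script below is an added example, not code from the thread or from SuSEfirewall2; it reads both files the way the firewall scripts do (plain shell-style NAME="value" assignments, last assignment wins) and prints a WARN line for each trap it finds. The variable names are the real ones from the thread; the sample files it writes are constructed to reproduce luk's situation and are not his real configuration.

```shell
#!/bin/sh
# Added example: pre-flight check for the two SuSEfirewall2 traps from the
# thread. Not part of SuSEfirewall2; constructed sample configs below.

# read_var FILE NAME: print the value of NAME in a sysconfig file with the
# surrounding quotes stripped (trailing "# comment" ignored). If NAME is
# assigned more than once, the last assignment wins, as when the file is
# sourced by the shell. Prints nothing when NAME is unset.
read_var() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*\$/\1/p" "$1" | tail -n 1
}

# check_fw_config SUSEFW_FILE PERSONAL_FW_FILE
# Prints one WARN line per trap and returns 1; prints OK and returns 0 if
# neither trap applies.
check_fw_config() {
    fw=$1
    pfw=$2
    rc=0
    quick=$(read_var "$fw" FW_QUICKMODE)
    # Trap 1 (MH's first hint): in quick mode only the _QUICK_ lists are
    # opened, so ports that sit only in the EXT lists never get a rule.
    for proto in TCP UDP IP; do
        ext=$(read_var "$fw" "FW_SERVICES_EXT_$proto")
        q=$(read_var "$fw" "FW_SERVICES_QUICK_$proto")
        if [ "$quick" = yes ] && [ -n "$ext" ] && [ -z "$q" ]; then
            echo "WARN: FW_QUICKMODE=yes but FW_SERVICES_EXT_$proto=\"$ext\" is only in the EXT list and FW_SERVICES_QUICK_$proto is empty"
            rc=1
        fi
    done
    # Trap 2 (Anders' hint, confirmed by luk): personal-firewall left in
    # "modem" mode meant SuSEfirewall2 built none of the EXT accept rules.
    if [ -f "$pfw" ]; then
        rej=$(read_var "$pfw" REJECT_ALL_INCOMING_CONNECTIONS)
        if [ -n "$rej" ] && [ "$rej" != no ]; then
            echo "WARN: $pfw sets REJECT_ALL_INCOMING_CONNECTIONS=\"$rej\"; set it to \"no\" before expecting FW_SERVICES_EXT_* rules to appear"
            rc=1
        fi
    fi
    [ "$rc" -eq 0 ] && echo OK
    return "$rc"
}

# make_samples: write constructed sample files (not luk's real ones) into a
# temp dir that reproduces the thread's situation, and print the dir name.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/SuSEfirewall2" <<'EOF'
# constructed sample, modelled on the grep output posted in the thread
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth1"
FW_SERVICES_EXT_TCP="smtp domain 4662 113"
FW_SERVICES_EXT_UDP="domain 4666" # Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
EOF
    cat > "$dir/personal-firewall" <<'EOF'
# constructed sample: the setting luk found on his box
REJECT_ALL_INCOMING_CONNECTIONS="modem"
EOF
    echo "$dir"
}

# Demo against the constructed samples; on a real 9.1 box run instead:
#   check_fw_config /etc/sysconfig/SuSEfirewall2 /etc/sysconfig/personal-firewall
demo_dir=$(make_samples)
check_fw_config "$demo_dir/SuSEfirewall2" "$demo_dir/personal-firewall" || :
rm -rf "$demo_dir"
```

Run it before restarting the firewall; if it prints OK and the ports still do not show up in input_ext, the problem is somewhere other than these two settings and the "iptables -L -n" plus /var/log/boot.msg that MH asked for are the next thing to look at.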
no, no... 8080 was just a number that came into my head as an example. no listed port is working...
luk

-----Original Message-----
From: Anders Johansson [mailto:andjoh@rydsbo.net]
Sent: Sunday, 17 October 2004 17:48
To: suse-security@suse.com
Subject: Re: AW: [suse-security] SuSEfirewall2 no external ports open up

On Tuesday, 16 November 2004 17.23, dadirtyluk wrote:
FW_SERVICES_EXT_TCP="smtp domain 4662 113"
I don't see 8080 here. Are these the services that aren't opened even though they are listed here?
On Tuesday, 16 November 2004 15.38, dadirtyluk wrote:
hello list,
i have a problem with my firewall on my 9.1: if i allow some ports in /etc/sysconfig/SuSEfirewall2, for example
FW_SERVICES_EXT_TCP = "8080"
and restart the firewall i can see no rules in iptables -L INPUT or input_ext that accept this port and requests are being blocked on that port.
i did set up the same system on a different location and everything is working fine there...i can see all necessary rules in the input_ext chain.
if i manually add a rule on my machine for that port it works fine, but why aren't the rules set up correctly if i enter everything in /etc/sysconfig/SuSEfirewall2?
i don't get it... has anybody a clue what to do here?
If you post the output of "grep -Ev ^\(#\|$\) /etc/sysconfig/SuSEfirewall2" perhaps someone could see what's wrong
participants (3)
-
Anders Johansson
-
dadirtyluk
-
Mathias Homann