reject outgoing packages...
Hello List,

one of my firewalls (SuSEfirewall2 including openvpn tunnel) is giving the following error message on start/restart:

"Starting Firewall Initialization (phase 2 of 3) It's not possible to reject outgoing packets. Expect Timeouts."

This seems funny to me, because I did not configure anything to reject outgoing packages. I have the following setup - what did I miss? Thanks a lot!

[eth2 is outside, eth1 is inside, tun0 is openvpn-tunnel]

-----------------------------------------
FW_QUICKMODE="no"
FW_DEV_EXT="eth2"
FW_DEV_INT="eth1 tun0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP="<our vpn-port>"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="22 80 8080"
FW_SERVICES_INT_UDP="53"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD="<here are the routing directives for the vpn-connected lans>"
FW_LOG_DROP_CRIT="no"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="no"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
----------------------------------

(I have added lots of custom rules, which are tested and do work, and the error appears independent of these rules, so I left that out.)

Thanks a lot!!

--
Kind regards
Markus Feilner
---------------------------
Please note our new address details! Thank you.
---------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4
93047 Regensburg
phone +49 941 9465243
fax +49 941 9465244
mobile +49 170 3027092
mail mfeilner@feilner-it.net
web http://www.feilner-it.net
Markus Feilner wrote:
one of my firewalls (SuSEfirewall2 including openvpn tunnel) is giving the following error message on start/restart: "Starting Firewall Initialization (phase 2 of 3) It's not possible to reject outgoing packets. Expect Timeouts." This seems funny to me, because I did not configure anything to reject outgoing packages.

That message is printed if your kernel/ip6tables does not support the REJECT target. It only affects IPv6.
[...] FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
Are you sure that is actually needed?

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
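A read-only check for the condition Ludwig describes, added here as an example (it is not SuSEfirewall2's own code, which the thread does not show): it looks for the REJECT target in the target list the kernel exports under /proc for ip6_tables. The /proc paths and the exact wording of the verdicts are assumptions; the listing path is a parameter so the function can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example (not from SuSEfirewall2 or either poster): a read-only check of
# whether the running kernel offers the netfilter REJECT target for IPv6.
# It reads the x_tables target listing exported under /proc; the path is a
# parameter so the function can be run against a constructed file.
# Assumed real paths: /proc/net/ip6_tables_targets (IPv6),
# /proc/net/ip_tables_targets (IPv4).

# reject_target_supported <targets-file>
# Exit 0 if a line reading exactly "REJECT" is present, 1 if it is absent,
# 2 if the listing cannot be read (ip6_tables not loaded, or no netfilter).
reject_target_supported() {
    targets_file=$1
    [ -r "$targets_file" ] || return 2
    grep -qx 'REJECT' "$targets_file"
}

# report_reject_support <family> <targets-file>
# Prints a one-line verdict and returns the same code as reject_target_supported.
# Without REJECT the firewall can only DROP, so a blocked outgoing connection
# gets no ICMP error back and the application waits for its own timeout: that
# is what the "Expect Timeouts" wording in the SuSEfirewall2 message refers to.
report_reject_support() {
    family=$1
    targets_file=$2
    reject_target_supported "$targets_file" && rc=0 || rc=$?
    case $rc in
        0) echo "$family: REJECT target available, blocked packets will be rejected" ;;
        1) echo "$family: no REJECT target, blocked packets are silently dropped (expect timeouts)" ;;
        *) echo "$family: cannot read $targets_file, netfilter tables not loaded" ;;
    esac
    return "$rc"
}

# Stand-alone run against the live kernel listings (read-only, no rules touched).
if [ "${1:-}" = "--live" ]; then
    report_reject_support IPv4 /proc/net/ip_tables_targets
    report_reject_support IPv6 /proc/net/ip6_tables_targets
fi
```

Run it with `--live` on the firewall host; an IPv6 verdict of "no REJECT target" is the situation that produces the warning while IPv4 rules keep working.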
On Tuesday, 15 February 2005 12:41, Ludwig Nussel wrote:
Markus Feilner wrote:
one of my firewalls (SuSEfirewall2 including openvpn tunnel) is giving the following error message on start/restart: "Starting Firewall Initialization (phase 2 of 3) It's not possible to reject outgoing packets. Expect Timeouts." This seems funny to me, because I did not configure anything to reject outgoing packages.

That message is printed if your kernel/ip6tables does not support the REJECT target. It only affects IPv6.

Ok, so no need to worry, thanks!
[...] FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
Are you sure that is actually needed?
cu Ludwig
Unfortunately yes... automatic updates of closed-source software. :-(

--
Kind regards
Markus Feilner