On 2023-04-28 20:52, Per Jessen wrote:
Carlos E. R. wrote:
On 2023-04-28 19:19, Per Jessen wrote:
Carlos E. R. wrote:
The issue is - if it is a default, it is in the migration script and that would be weird.
Try running "iptables --list -n" and maybe grep for 'icmp'
I see I forgot to mention that I run the query in a computer that is still running SuSEfirewall2.
I did expect that, otherwise it would have been useless :-)
Telcontar:~ # iptables --list -n | grep -i icmp
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            owner GID match 1011 reject-with icmp-port-unreachable
That is an odd one, I don't think I have ever seen anything like that.
I think I remember where that one may come from, but I do not remember it was icmp.
No, it's for all protocols, the grep hits on the reject-with reason.
This was used on acroread. That program ran with that GID, and thus had its network connections denied. No talking back home.
Weird sh**t .... :-)
That was my concoction with help and ideas from here, very probably. Normally I write a comment saying where, but I don't see it now. I see a "SuSEfirewall2-custom~" dated 2008 with that code. Another one dated 2005 has this section:
#Cer 2051225 - from an email in suse-security
# Blocking ssh attacks
iptables -A INPUT -p tcp --syn --dport 22 -m recent --name sshattack --set
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SSH attack: '
iptables -A INPUT -p tcp --dport 22 --syn -m recent --name sshattack --update --seconds 60 --hitcount 6 -j REJECT
Ah, found where I got the trick for acrobat:

] Date: Sun, 17 Apr 2005 18:52:27 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] In order to block that traffic you could make the acroread executable
] SGID 'acro' and then block all traffic coming from group 'acro'.
] Iptables has an option for doing this by using the --gid-owner option.
] Of course that works only with a local firewall.

] Date: Mon, 18 Apr 2005 15:56:26 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] Carl A. Schreiber wrote:
]> I'd like to learn more about this, would you mind to give an example
]> for such a rule?
]
] I did it with the following rule:
] iptables -A OUTPUT -m owner --gid-owner talker -j REJECT
]
] Then I set /usr/bin/netcat to be owned by group 'talker' and to mode
] 2755 (SGID). After that I could not connect anywhere with netcat. Once I
] chmodded netcat back to 755 it worked again.
[snip]
.5 was oldrouter.valinor .6 is one of the switches, don't know which. .29 I don't remember, it is not in the DNS, but seeing the syslog reference it had to be a router or access point. Not active anymore.
It is beginning to sound like you have a lot of old baggage to get rid of.
You don't say :-D
That is more stuff that you have added. It looks to me as if you accept type 4 (weird, "source quench"?) and type 8 (ping request).
See above. I just wrote a plain normal SuSEfirewall option.
Oh sure, I understand that, but it is nonetheless why you have ended up with something utterly unmaintainable. In my opinion, of course.
Look at it this way. I just wanted to trust the machine at 192.168.1.5 for syslog and icmp. I simply told the firewall script in the approved manner to do it. How it did that is not my business. And why icmp? Because it was probably spamming the log, and probably some feature of the router or switch or whatever it was did not work unless I allowed that packet to pass. Of course, I can purge machine 192.168.1.5 now because it no longer exists and I have forgotten what machine it was.

--
Cheers / Saludos,

Carlos E. R.
(from 15.4 x86_64 at Telcontar)
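The grep pitfall and the owner-GID rule discussed in this thread, as an added example that is not part of any message above: a small Python parser for `iptables --list -n` output that separates rules whose protocol column really is icmp from rules that a plain `grep -i icmp` only hits because of their `reject-with icmp-port-unreachable` reason, and lists rules that filter by the owning process's group. The sample output is constructed (modelled on the two lines quoted earlier); the chain placement and the udp/514 syslog rule are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `iptables --list -n`, chain headers kept.
# The owner match is only valid in OUTPUT, so that rule is assumed to live there.
SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
ACCEPT     udp  --  192.168.1.5          0.0.0.0/0            udp dpt:514

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            owner GID match 1011 reject-with icmp-port-unreachable
"""

@dataclass
class Rule:
    chain: str
    target: str
    proto: str
    source: str
    dest: str
    extra: str   # match options after the five fixed columns

def parse_list_output(text):
    """Parse `iptables --list -n` text into Rule objects, tracking the chain."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        if not line.strip() or line.startswith("target"):
            continue  # blank line or column header
        parts = line.split(None, 5)
        target, proto, _opt, src, dst = parts[:5]
        extra = parts[5].strip() if len(parts) > 5 else ""
        rules.append(Rule(chain, target, proto, src, dst, extra))
    return rules

def icmp_rules(rules):
    """Rules that actually match the ICMP protocol (the `prot` column)."""
    return [r for r in rules if r.proto == "icmp"]

def icmp_false_positives(rules):
    """Rules a naive `grep -i icmp` hits only via the reject-with reason."""
    return [r for r in rules if r.proto != "icmp" and "icmp" in r.extra.lower()]

def owner_gid_rules(rules):
    """(chain, gid, target) for rules filtering by the owning process's group."""
    found = re.compile(r"owner GID match (\d+)")
    return [(r.chain, int(m.group(1)), r.target)
            for r in rules if (m := found.search(r.extra))]
```

Feed it the real output of `iptables --list -n` (root) instead of SAMPLE to audit an old SuSEfirewall2 ruleset; a GID reported by owner_gid_rules can then be checked against `getent group` and the SGID binaries that carry it.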