The 03.06.15 at 14:18, Anders Johansson wrote:
If the packet rejected is part of an ongoing conversation, it should not matter if I close every port on the firewall, because it is a response, and thus will get in.
Not necessarily. You would have to allow packets of state ESTABLISHED, otherwise everything would be blocked.
Well, I hope the susefirewall script takes care of that for me - I'm not capable of doing it meself ;-)
I'll try to set up ethereal or something to try to capture DNS conversations. Now, I wonder how to fire up ethereal (or something else) automatically when the network goes up - perhaps tcpdump would be better [...]
Let us know what you find out. I've suspected for a while that there is something subtly wrong in the SuSEfirewall, but I've never suffered enough from it to muster up the energy to research it :)
Gotcha! :-) At least, I think I have captured some (after booting). My firewall log says:

Jun 15 23:26:18 nimrodel kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= SRC=192.36.148.17 DST=81.41.200.185 LEN=122 TOS=0x00 PREC=0x00 TTL=39 ID=46511 DF PROTO=UDP SPT=53 DPT=1024 LEN=102

(repeated 13 times, in one second)

Now, let's see what I have captured. [...] Nothing :-( The first capture occurs at 23:26:20.414464, two seconds later. tcpdump didn't see a thing :-(

23:26:20.414464 < ip 138: rns.arl.army.mil.domain > 185.Red-81-41-200.pooles.rima-tde.net.1024: [udp sum ok] 24957*- q: AAAA? A.ROOT-SERVERS.NET. 0/1/0 ns: ROOT-SERVERS.NET. SOA A.ROOT-SERVERS.NET. nstld.verisign-grs.com. 2003050200 14400 7200 1209600 3600000 (94) (DF) (ttl 40, id 0, len 122)

I guess the firewall is impeding it... no, tcpdump is starting one second too late:

Jun 15 23:26:19 nimrodel ip-up.local: --> Up ppp0 /dev/ttyS1 115200 L: 81.41.200.185 R: 80.58.197.104 Par:

Ok, I'll change my script a bit, and we'll see what happens tomorrow (I cannot start tcpdump manually because the interface ppp0 doesn't exist till I connect). I'll put a five-second delay before the stuff sending/receiving mail etc.

--
Cheers,
Carlos Robinson
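The diagnosis in the message above rests on two things: reading the netfilter LOG line (which of the two LEN= values is the IP length and which the UDP length, why SPT=53 marks the packet as a DNS reply) and comparing its syslog timestamp against the link-up event and the first tcpdump timestamp. The following Python script is an added example, not code from the thread or from SuSEfirewall; it parses the three lines quoted above (embedded as constructed sample input; the year is absent from classic syslog and is not needed), labels the rejected packet, and computes how far the capture trailed the event. The key names and the "dns-reply" label are this example's own choices.

```python
import re

# Constructed sample input: the three timestamped lines quoted in the thread.
FIREWALL_LINE = ("Jun 15 23:26:18 nimrodel kernel: SuSE-FW-ILLEGAL-TARGET IN=ppp0 OUT= MAC= "
                 "SRC=192.36.148.17 DST=81.41.200.185 LEN=122 TOS=0x00 PREC=0x00 TTL=39 "
                 "ID=46511 DF PROTO=UDP SPT=53 DPT=1024 LEN=102")
IPUP_LINE = ("Jun 15 23:26:19 nimrodel ip-up.local: --> Up ppp0 /dev/ttyS1 115200 "
             "L: 81.41.200.185 R: 80.58.197.104 Par:")
FIRST_CAPTURE_TS = "23:26:20.414464"   # first timestamp tcpdump printed

# Classic syslog header: "Mon DD HH:MM:SS host program: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")


def parse_syslog(line):
    """Split a syslog line into header fields and the message text."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line: %r" % line)
    return m.groupdict()


def parse_netfilter(msg):
    """Parse a netfilter LOG message: a rule prefix, then KEY=VALUE tokens and bare flags.

    LEN appears twice (IP total length, then the transport-layer length after
    PROTO=), so a repeated key is stored as KEY_<PROTO> instead of overwriting.
    Keys with no value (OUT=, MAC=) are kept as empty strings."""
    tokens = msg.split()
    rec = {"prefix": tokens[0], "flags": []}
    for tok in tokens[1:]:
        if "=" not in tok:
            rec["flags"].append(tok)          # bare flag such as DF
            continue
        key, val = tok.split("=", 1)
        if key in rec:
            key = "%s_%s" % (key, rec.get("PROTO", "L4"))
        rec[key] = val
    return rec


def classify(rec):
    """Label the rejected packet from its transport fields (labels are this example's own)."""
    if rec.get("PROTO") == "UDP" and rec.get("SPT") == "53":
        # A UDP packet from a resolver's port 53 is a DNS answer; it is only logged as
        # an illegal target if connection tracking has no matching outgoing query.
        return "dns-reply"
    if rec.get("PROTO") == "UDP" and rec.get("DPT") == "53":
        return "dns-query"
    return "other"


def seconds_of_day(ts):
    """'23:26:20.414464' or '23:26:18' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def capture_gap(firewall_line, ipup_line, first_capture_ts):
    """Seconds by which the first captured packet trails the rejection and the link-up event."""
    fw = seconds_of_day(parse_syslog(firewall_line)["time"])
    up = seconds_of_day(parse_syslog(ipup_line)["time"])
    cap = seconds_of_day(first_capture_ts)
    return {"after_reject": round(cap - fw, 6), "after_link_up": round(cap - up, 6)}


if __name__ == "__main__":
    rec = parse_netfilter(parse_syslog(FIREWALL_LINE)["msg"])
    print(rec["prefix"], rec["SRC"], "->", rec["DST"], rec["PROTO"],
          rec["SPT"], rec["DPT"], "ip_len", rec["LEN"], "udp_len", rec["LEN_UDP"], classify(rec))
    print(capture_gap(FIREWALL_LINE, IPUP_LINE, FIRST_CAPTURE_TS))
```

Run over the sample, the parser shows the rejected packets are DNS answers from a root server reply chain (SPT=53 to the unprivileged port 1024), which is consistent with the ESTABLISHED-state discussion earlier in the thread: a reply the firewall has no state for is treated as unsolicited. The gap function confirms the timing argument in the message: the first capture lands 2.414464 s after the rejection and 1.414464 s after ppp0 came up, so any capture started from ip-up misses the first burst.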