On Friday, 2023-04-28 at 18:29 +0200, Per Jessen wrote:
Carlos E. R. wrote:
I don't understand what the next block is. Do I really need it?
<icmp-block name="this-and-that"/>
I presume it was migrated from your SFW2 setup, so I guess you needed it previously.
I never wrote those. They must be default rules.
Maybe check one of your other machines still using SFW2. You ought to see a long list of rules targeting those icmps.
Oh, I have the file of this machine intact.
Isengard:/etc/firewalld/zones # grep -i address-unreachable /etc/sysconfig/SuSEfirewall2
Isengard:/etc/firewalld/zones #
The reference is not there, it has to be some default.
That is not a safe way to determine it. The issue is - if it is a default, it is in the migration script and that would be weird.
Try running "iptables --list -n" and maybe grep for 'icmp'
Telcontar:~ # iptables --list -n | grep -i icmp
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
REJECT all -- 0.0.0.0/0 0.0.0.0/0 owner GID match 1011 reject-with icmp-port-unreachable
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.6 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.29 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.16 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INext-DROP-DEFLT "
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.5 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.6 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.29 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.15 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
ACCEPT icmp -- 192.168.1.16 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix "SFW2-INint-DROP-DEFLT "
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
Telcontar:~ #
For comparison, from my opensuse mirror:
jensen:~ # iptables --list -n| grep icmp
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 2/sec burst 5
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0
-- 
Cheers,
Carlos E. R.
(from openSUSE 15.4 x86_64 at Telcontar)
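
Added example, not part of the original message: a way to automate the comparison discussed above, listing the icmp-block names in a firewalld zone file and reporting which of them have no ICMP-typed rule in an `iptables --list -n` listing from the old setup. The zone XML, the trimmed listing and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a zone file shaped like the one discussed in the thread.
ZONE_XML = """<zone>
  <icmp-block name="address-unreachable"/>
  <icmp-block name="echo-request"/>
</zone>"""

# Constructed sample: a few lines in the shape of the iptables output above.
IPTABLES_OUT = """\
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
ACCEPT icmp -- 192.168.1.1 0.0.0.0/0 ctstate NEW,RELATED,ESTABLISHED
REJECT udp -- 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
"""

# Subset of IPv4 ICMP type numbers, keyed to firewalld icmptype names.
ICMP_V4 = {0: "echo-reply", 3: "destination-unreachable", 4: "source-quench",
           8: "echo-request", 11: "time-exceeded"}

def zone_icmp_blocks(zone_xml):
    """Names of all <icmp-block> entries in a firewalld zone file."""
    return [e.get("name") for e in ET.fromstring(zone_xml).iter("icmp-block")]

def icmp_rules(listing):
    """Parse listing lines whose protocol column is icmp into dicts."""
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 5 or f[1] != "icmp":
            continue  # skips rules that only mention icmp in reject-with
        m = re.search(r"icmptype (\d+)", line)
        # No icmptype match means the rule applies to every ICMP type.
        kind = ICMP_V4.get(int(m.group(1)), int(m.group(1))) if m else "any"
        rules.append({"target": f[0], "source": f[3], "type": kind})
    return rules

def blocks_without_rule(zone_xml, listing):
    """icmp-block names that no typed ICMP rule in the listing refers to."""
    seen = {r["type"] for r in icmp_rules(listing)}
    return [n for n in zone_icmp_blocks(zone_xml) if n not in seen]
```

`iptables --list -n` shows IPv4 rules only; ICMPv6 rules are listed by `ip6tables`, so a name reported here may still have a counterpart there.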