Carlos E. R. wrote:
Ah, found where I got the trick for acrobat:
] Date: Sun, 17 Apr 2005 18:52:27 +0200
] From: nordi
] To: suse-security@
] Subject: Re: [suse-security] How to block Acroread 7 with SuSE FW2?
]
] In order to block that traffic you could make the acroread executable
] SGID 'acro' and then block all traffic coming from group 'acro'.
] Iptables has an option for doing this by using the --gid-owner option.
] Of course that works only with a local firewall.
Interesting. Well, thanks for the explanation, at least you can get rid of that now.
Oh sure, I understand that, but it is nonetheless why you have ended up with something utterly unmaintainable. In my opinion, of course.
Look at it this way.
I just wanted to trust machine at 192.168.1.5 for syslog and icmp. I simply told the firewall script in the approved manner to do it. How it did do it, is not my business.
Of course - the question is _why_ you chose to be so restrictive with traffic between your _own_ machines. I too restrict certain (groups of) machines, e.g. unknown wifi devices, but I would never go to the level of restricting individual internal machines.
And why icmp? Because it was probably spamming the log, and probably some feature of the router or switch or whatever it was did not work unless I allowed that packet to pass.
I think I would have chosen a different method to stop something spamming a logfile, but never mind - the issue is that your solution from 1725 has been turned into a jungle of rules in 2023. Time to reassess. I suggest you just accept all icmp, for ipv4 you can even skip the ping-flood protection. After 24 hours, check your logs to see if any have been filled up.

--
Per Jessen, Zürich (16.4°C)
Member, openSUSE Heroes (2016 - present)
We're hiring - https://en.opensuse.org/openSUSE:Heroes
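The group-based egress trick from the quoted 2005 post, written out as an added example (not code from anyone in this thread): a dedicated group, the binary made setgid to it, and an iptables owner-match rule on OUTPUT, with a rate-limited LOG rule in front so the admin can see what the program tried to reach. The binary path and the DRY_RUN switch are assumptions; the group name 'acro' comes from the thread.

```bash
#!/bin/sh
# Added example, not from the thread. Confine one program's network egress by
# group, as suggested in the quoted post. Assumes a local netfilter firewall
# and root. DRY_RUN=1 prints the commands instead of executing them, so the
# change can be reviewed before it touches a live firewall.
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a dedicated group and make the binary setgid to it, so every process
# started from it (and every socket it opens) carries that gid.
# Caveat: the kernel ignores setgid on scripts, so this must be applied to the
# real ELF binary, not to a shell-script launcher.
setgid_binary() {
    bin=$1; grp=$2
    run groupadd --system "$grp"
    run chgrp "$grp" "$bin"
    run chmod g+s "$bin"
}

# Reject locally generated traffic from that group. The owner match only works
# on the machine that runs the program (OUTPUT chain), which is why the quoted
# post says it needs a local firewall. Inserting REJECT first and LOG second
# at position 1 leaves the chain ordered LOG, then REJECT.
block_group_egress() {
    grp=$1
    run iptables -I OUTPUT 1 -m owner --gid-owner "$grp" \
        -j REJECT --reject-with icmp-admin-prohibited
    run iptables -I OUTPUT 1 -m owner --gid-owner "$grp" \
        -m limit --limit 5/min -j LOG --log-prefix "egress-$grp: "
}

# Usage (as root): DRY_RUN=1 main /path/to/acroread acro   # review first
#                  main /path/to/acroread acro             # then apply
main() {
    setgid_binary "${1:-/usr/bin/acroread}" "${2:-acro}"
    block_group_egress "${2:-acro}"
}
```

Afterwards `iptables -S OUTPUT` shows the two rules at the top of the chain, and the LOG entries in the kernel log tell you whether the program keeps trying to phone home.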