SuSE firewall 2 and whois

newer
connecting via cable modem

older
Can't logon with Gnome

yep＠osterbo-net.dk

16 Jan 2004 16 Jan '04

16:02

What is needed to fix in connection with SuSEfirewall to get whois working ?? Johan

Show replies by date

yep＠osterbo-net.dk

16 Jan 16 Jan

22:06

New subject: [SLE] SuSE firewall 2 and whois

Fredag 16 januar 2004 17:02 skrev yep@osterbo-net.dk:

...

What is needed to fix in connection with SuSEfirewall to get whois working ??

Johan

btw example entry from /var/log/messages Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

Dylan

22:18

New subject: [SLE] SuSE firewall 2 and whois

On Friday 16 January 2004 22:06 pm, yep@osterbo-net.dk wrote:

...

Fredag 16 januar 2004 17:02 skrev yep@osterbo-net.dk:

...
What is needed to fix in connection with SuSEfirewall to get whois working ??

Johan

btw example entry from /var/log/messages

Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

You need to open the appropriate port (43). In Yast>security and users>firewall go to the services page and choose Expert. Dylan -- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin

yep＠osterbo-net.dk

22:42

New subject: [SLE] SuSE firewall 2 and whois

Fredag 16 januar 2004 23:18 skrev Dylan:

...

On Friday 16 January 2004 22:06 pm, yep@osterbo-net.dk wrote:

...
Fredag 16 januar 2004 17:02 skrev yep@osterbo-net.dk:

...
What is needed to fix in connection with SuSEfirewall to get whois working ??

Johan

btw example entry from /var/log/messages

Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

You need to open the appropriate port (43). In Yast>security and users>firewall go to the services page and choose Expert.

Dylan

Yes ... and did change that with the in the Susefirewall2 settings in the / etc/sysconfig menu in YAST. I think the problem is connected to the use of IPV6 and no assignment of interface (the part of the line I look at ...... IN= "nothing" SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 Johan

...

-- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin

Togan Muftuoglu

22:44

New subject: [SLE] SuSE firewall 2 and whois

* Dylan; on 16 Jan, 2004 wrote:

...

On Friday 16 January 2004 22:06 pm, yep@osterbo-net.dk wrote:

...
FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

You need to open the appropriate port (43). In Yast>security and users>firewall go to the services page and choose Expert.

NO not needed as it is established and related remember going from pc -->internet -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.

Togan Muftuoglu

22:43

New subject: [SLE] SuSE firewall 2 and whois

* yep@osterbo-net.dk; on 16 Jan, 2004 wrote:

...

Fredag 16 januar 2004 17:02 skrev yep@osterbo-net.dk:

...
What is needed to fix in connection with SuSEfirewall to get whois working ??

Johan

btw example entry from /var/log/messages

Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

According to the SuSEfirewall2 this is normal # Drop all until IPv6 is really supported test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB " $IP6TABLES -A INPUT -j "$DROP" test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB " $IP6TABLES -A OUTPUT -j "$DROP" So this is normal -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.

yep＠osterbo-net.dk

23:13

New subject: [SLE] SuSE firewall 2 and whois

Fredag 16 januar 2004 23:43 skrev Togan Muftuoglu:

...

* yep@osterbo-net.dk; on 16 Jan, 2004 wrote:

...
Fredag 16 januar 2004 17:02 skrev yep@osterbo-net.dk:

...
What is needed to fix in connection with SuSEfirewall to get whois working ??

Johan

btw example entry from /var/log/messages

Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

According to the SuSEfirewall2 this is normal

# Drop all until IPv6 is really supported

test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB " $IP6TABLES -A INPUT -j "$DROP" test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB " $IP6TABLES -A OUTPUT -j "$DROP"

Ah SuSE is doing a little "we know what" is best for you" ..... Looks like there should be a couple more "boxes" for some selection/ de-selection in Yast in that area (hint you to you SuSE-guys - meaning that you can always bring the options to the table just have them selected as a standard then people can change to something non-standard) Now if I "hash" (#) those lines out or ... change the drop to an accept the whois should work again (and the PROHIB to ALLOW). My problem as a network-n00b is .... do I open up for a lot of $hit or just ipv6 services in general ...... Johan

...

So this is normal --

Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.

Dylan

23:19

New subject: [SLE] SuSE firewall 2 and whois

On Friday 16 January 2004 23:13 pm, yep@osterbo-net.dk wrote:

...

Fredag 16 januar 2004 23:43 skrev Togan Muftuoglu:

...
* yep@osterbo-net.dk; on 16 Jan, 2004 wrote:

...
Fredag 16 januar 2004 17:02 skrev yep@osterbo-net.dk:

...
What is needed to fix in connection with SuSEfirewall to get whois working ??

Johan

btw example entry from /var/log/messages

Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

According to the SuSEfirewall2 this is normal

# Drop all until IPv6 is really supported

test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB " $IP6TABLES -A INPUT -j "$DROP" test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB " $IP6TABLES -A OUTPUT -j "$DROP"

Ah SuSE is doing a little "we know what" is best for you" ..... Looks like there should be a couple more "boxes" for some selection/ de-selection in Yast in that area (hint you to you SuSE-guys - meaning that you can always bring the options to the table just have them selected as a standard then people can change to something non-standard)

Now if I "hash" (#) those lines out or ... change the drop to an accept the whois should work again (and the PROHIB to ALLOW).

My problem as a network-n00b is .... do I open up for a lot of $hit or just ipv6 services in general ......

Are you sure you need ipv6 at all? Are you running or connected to an ipv6 network? Since you describe yourself as a network "n00b" I'd guess not. And I certainly wouldn't want to be fiddling in the SuSEFirewall2 script without being sure what I was doing. Dylan

...

Johan

...
So this is normal --

Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.

-- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin

yep＠osterbo-net.dk

23:39

New subject: [SLE] SuSE firewall 2 and whois

Lørdag 17 januar 2004 00:19 skrev Dylan:

...

On Friday 16 January 2004 23:13 pm, yep@osterbo-net.dk wrote:

...
Fredag 16 januar 2004 23:43 skrev Togan Muftuoglu:

...
* yep@osterbo-net.dk; on 16 Jan, 2004 wrote:

...
Fredag 16 januar 2004 17:02 skrev yep@osterbo-net.dk:

...
What is needed to fix in connection with SuSEfirewall to get whois working ??

Johan

btw example entry from /var/log/messages

Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TC P SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)

According to the SuSEfirewall2 this is normal

# Drop all until IPv6 is really supported

test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB " $IP6TABLES -A INPUT -j "$DROP" test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB " $IP6TABLES -A OUTPUT -j "$DROP"

Ah SuSE is doing a little "we know what" is best for you" ..... Looks like there should be a couple more "boxes" for some selection/ de-selection in Yast in that area (hint you to you SuSE-guys - meaning that you can always bring the options to the table just have them selected as a standard then people can change to something non-standard)

Now if I "hash" (#) those lines out or ... change the drop to an accept the whois should work again (and the PROHIB to ALLOW).

My problem as a network-n00b is .... do I open up for a lot of $hit or just ipv6 services in general ......

Are you sure you need ipv6 at all? Are you running or connected to an ipv6 network? Since you describe yourself as a network "n00b" I'd guess not. And I certainly wouldn't want to be fiddling in the SuSEFirewall2 script without being sure what I was doing.

Dylan

No ... but the thing is I want whois running and according to the output of the firewall something has to change. My question again is where can I change it in YAST if at all (running SuSE 9.0 PRO btw). Or would I get of easier of the hook if I only used the FW_quick options ?? Johan

...

...
Johan

...
So this is normal --

Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.

-- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin

Togan Muftuoglu

17 Jan 17 Jan

07:18

New subject: [SLE] SuSE firewall 2 and whois

* yep@osterbo-net.dk; on 17 Jan, 2004 wrote:

...

No ... but the thing is I want whois running and according to the output of the firewall something has to change. My question again is where can I change it in YAST if at all (running SuSE 9.0 PRO btw).

Or would I get of easier of the hook if I only used the FW_quick options ??

set 43 for FW_SERVICES_EXT_TCP -- Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.

yep＠osterbo-net.dk

12:58

New subject: [SLE] SuSE firewall 2 and whois

Lørdag 17 januar 2004 08:18 skrev Togan Muftuoglu:

...

* yep@osterbo-net.dk; on 17 Jan, 2004 wrote:

...
No ... but the thing is I want whois running and according to the output of the firewall something has to change. My question again is where can I change it in YAST if at all (running SuSE 9.0 PRO btw).

Or would I get of easier of the hook if I only used the FW_quick options ??

set 43 for FW_SERVICES_EXT_TCP

I actually did .... but I think my problems stems from the confusion of the different zones. (And maybee the complexity rises with my router put into the equation) But with the router as only "defense" whois works nicely allthough port 43 is filtered there. Johan

...

--

Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.

7411

Age (days ago)

7412

Last active (days ago)

List overview

Download

10 comments

3 participants

participants (3)

Dylan
Togan Muftuoglu
yep＠osterbo-net.dk