What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
On Friday 16 January 2004 17:02, yep@osterbo-net.dk wrote:
What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
btw example entry from /var/log/messages
Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
On Friday 16 January 2004 22:06 pm, yep@osterbo-net.dk wrote:
On Friday 16 January 2004 17:02, yep@osterbo-net.dk wrote:
What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
btw example entry from /var/log/messages
Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
You need to open the appropriate port (43). In Yast>security and users>firewall go to the services page and choose Expert.
Dylan
-- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
On Friday 16 January 2004 23:18, Dylan wrote:
On Friday 16 January 2004 22:06 pm, yep@osterbo-net.dk wrote:
On Friday 16 January 2004 17:02, yep@osterbo-net.dk wrote:
What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
btw example entry from /var/log/messages
Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
You need to open the appropriate port (43). In Yast>security and users>firewall go to the services page and choose Expert.
Dylan
Yes ... and did change that with the in the Susefirewall2 settings in the /etc/sysconfig menu in YAST. I think the problem is connected to the use of IPV6 and no assignment of interface (the part of the line I look at ...... IN= "nothing")
SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0
Johan
-- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
* Dylan;
On Friday 16 January 2004 22:06 pm, yep@osterbo-net.dk wrote:
FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
You need to open the appropriate port (43). In Yast>security and users>firewall go to the services page and choose Expert.
NO not needed as it is established and related remember going from pc -->internet
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.
* yep@osterbo-net.dk;
On Friday 16 January 2004 17:02, yep@osterbo-net.dk wrote:
What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
btw example entry from /var/log/messages
Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
According to the SuSEfirewall2 this is normal
# Drop all until IPv6 is really supported
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB "
$IP6TABLES -A INPUT -j "$DROP"
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB "
$IP6TABLES -A OUTPUT -j "$DROP"
So this is normal
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.
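Added example (not part of any post in this thread, and not SuSEfirewall2 code): a small Python parser for the log line quoted above, showing what its prefix and fields say about the dropped packet. The function names are illustrative, and the sample is the thread's own line with `PROTO=TC P` joined to `PROTO=TCP`.

```python
import ipaddress
import re

# Log line from the thread; "PROTO=TC P" (a line-wrap artifact) joined to TCP.
SAMPLE = (
    "Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 "
    "SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f "
    "DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 "
    "FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 "
    "OPT (020405A00402080A06BD8B110000000001030300)"
)

LINE_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-\S+)\s+(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_fw_line(line):
    """Split a SuSEfirewall2/netfilter LOG line into prefix, fields and TCP flags."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not a SuSEfirewall2 log entry
    fields, flags = {}, set()
    for token in m.group("rest").split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value  # "IN=" is kept as an empty string
        elif token in TCP_FLAGS:
            flags.add(token)
    return {"prefix": m.group("prefix"), "fields": fields, "flags": flags}

def explain(entry):
    """Describe which rule logged the packet and what kind of packet it was."""
    f = entry["fields"]
    src = ipaddress.ip_address(f["SRC"])
    dst = ipaddress.ip_address(f["DST"])
    return {
        "rule": entry["prefix"],
        # Empty IN= with OUT= set: a locally generated packet (OUTPUT chain).
        "locally_generated": f.get("IN") == "" and bool(f.get("OUT")),
        "ip_version": dst.version,
        "src_link_local": src.is_link_local,  # fe80::/10 source address
        "new_connection": entry["flags"] == {"SYN"},
        "service": (f["PROTO"].lower(), int(f["DPT"])),
        # The prefix names the blanket IPv6 rule, not a per-port rule.
        "blanket_ipv6_drop": entry["prefix"].endswith("IPv6_PROHIB"),
    }

if __name__ == "__main__":
    for key, value in explain(parse_fw_line(SAMPLE)).items():
        print(f"{key:18} {value}")
```

For the thread's line this reports an outbound IPv6 SYN to TCP port 43, sent from a link-local source address and logged by the catch-all IPv6 rule shown in the script excerpt.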
On Friday 16 January 2004 23:43, Togan Muftuoglu wrote:
* yep@osterbo-net.dk; on 16 Jan, 2004 wrote:
On Friday 16 January 2004 17:02, yep@osterbo-net.dk wrote:
What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
btw example entry from /var/log/messages
Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
According to the SuSEfirewall2 this is normal
# Drop all until IPv6 is really supported
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB "
$IP6TABLES -A INPUT -j "$DROP"
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB "
$IP6TABLES -A OUTPUT -j "$DROP"
Ah SuSE is doing a little "we know what" is best for you" ..... Looks like there should be a couple more "boxes" for some selection/ de-selection in Yast in that area (hint you to you SuSE-guys - meaning that you can always bring the options to the table just have them selected as a standard then people can change to something non-standard)
Now if I "hash" (#) those lines out or ... change the drop to an accept the whois should work again (and the PROHIB to ALLOW).
My problem as a network-n00b is .... do I open up for a lot of $hit or just ipv6 services in general ......
Johan
So this is normal
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.
On Friday 16 January 2004 23:13 pm, yep@osterbo-net.dk wrote:
On Friday 16 January 2004 23:43, Togan Muftuoglu wrote:
* yep@osterbo-net.dk; on 16 Jan, 2004 wrote:
On Friday 16 January 2004 17:02, yep@osterbo-net.dk wrote:
What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
btw example entry from /var/log/messages
Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
According to the SuSEfirewall2 this is normal
# Drop all until IPv6 is really supported
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB "
$IP6TABLES -A INPUT -j "$DROP"
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB "
$IP6TABLES -A OUTPUT -j "$DROP"
Ah SuSE is doing a little "we know what" is best for you" ..... Looks like there should be a couple more "boxes" for some selection/ de-selection in Yast in that area (hint you to you SuSE-guys - meaning that you can always bring the options to the table just have them selected as a standard then people can change to something non-standard)
Now if I "hash" (#) those lines out or ... change the drop to an accept the whois should work again (and the PROHIB to ALLOW).
My problem as a network-n00b is .... do I open up for a lot of $hit or just ipv6 services in general ......
Are you sure you need ipv6 at all? Are you running or connected to an ipv6 network? Since you describe yourself as a network "n00b" I'd guess not. And I certainly wouldn't want to be fiddling in the SuSEFirewall2 script without being sure what I was doing.
Dylan
Johan
So this is normal
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.
-- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
On Saturday 17 January 2004 00:19, Dylan wrote:
On Friday 16 January 2004 23:13 pm, yep@osterbo-net.dk wrote:
On Friday 16 January 2004 23:43, Togan Muftuoglu wrote:
* yep@osterbo-net.dk; on 16 Jan, 2004 wrote:
On Friday 16 January 2004 17:02, yep@osterbo-net.dk wrote:
What is needed to fix in connection with SuSEfirewall to get whois working ??
Johan
btw example entry from /var/log/messages
Jan 16 21:29:57 Beast kernel: SuSE-FW-OUT-IPv6_PROHIB IN= OUT=eth0 SRC=fe80:0000:0000:0000:02e0:18ff:fe98:2c0f DST=2001:0610:0240:0000:0193:0000:0000:0202 LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=23463 DPT=43 WINDOW=5760 RES=0x00 SYN URGP=0 OPT (020405A00402080A06BD8B110000000001030300)
According to the SuSEfirewall2 this is normal
# Drop all until IPv6 is really supported
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A INPUT -j LOG ${LOG}"-IN-IPv6_PROHIB "
$IP6TABLES -A INPUT -j "$DROP"
test -z "$LDC" -o -z "$LDA" && $IP6TABLES -A OUTPUT -j LOG ${LOG}"-OUT-IPv6_PROHIB "
$IP6TABLES -A OUTPUT -j "$DROP"
Ah SuSE is doing a little "we know what" is best for you" ..... Looks like there should be a couple more "boxes" for some selection/ de-selection in Yast in that area (hint you to you SuSE-guys - meaning that you can always bring the options to the table just have them selected as a standard then people can change to something non-standard)
Now if I "hash" (#) those lines out or ... change the drop to an accept the whois should work again (and the PROHIB to ALLOW).
My problem as a network-n00b is .... do I open up for a lot of $hit or just ipv6 services in general ......
Are you sure you need ipv6 at all? Are you running or connected to an ipv6 network? Since you describe yourself as a network "n00b" I'd guess not. And I certainly wouldn't want to be fiddling in the SuSEFirewall2 script without being sure what I was doing.
Dylan
No ... but the thing is I want whois running and according to the output of the firewall something has to change. My question again is where can I change it in YAST if at all (running SuSE 9.0 PRO btw).
Or would I get of easier of the hook if I only used the FW_quick options ??
Johan
Johan
So this is normal
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.
-- "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." -Benjamin Franklin
* yep@osterbo-net.dk;
No ... but the thing is I want whois running and according to the output of the firewall something has to change. My question again is where can I change it in YAST if at all (running SuSE 9.0 PRO btw).
Or would I get of easier of the hook if I only used the FW_quick options ??
set 43 for FW_SERVICES_EXT_TCP
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.
On Saturday 17 January 2004 08:18, Togan Muftuoglu wrote:
* yep@osterbo-net.dk; on 17 Jan, 2004 wrote:
No ... but the thing is I want whois running and according to the output of the firewall something has to change. My question again is where can I change it in YAST if at all (running SuSE 9.0 PRO btw).
Or would I get of easier of the hook if I only used the FW_quick options ??
set 43 for FW_SERVICES_EXT_TCP
I actually did .... but I think my problem stems from the confusion of the different zones. (And maybe the complexity rises with my router put into the equation) But with the router as only "defense" whois works nicely although port 43 is filtered there.
Johan
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer Please reply to the list; http://susefaq.sf.net Please don't CC me.
participants (3)
- Dylan
- Togan Muftuoglu
- yep@osterbo-net.dk