SuSE Firewall accepting and dropping same packets?
In my firewall logs (/var/log/messages), generated by SuSEfirewall2 in SuSE 8.1 I will get two identical lines, both time stamped the same second and everything, except the first one is ACCEPT, and the second one is DENY. Has anyone seen this and know what causes this, or how to fix it? The packets in question should be denied. I don't have anything complex set up on the firewall (i.e. no masq, routing, dmz, etc. are set up). I don't understand how two similar packets (if not the same packets) are being both accepted and denied, this shouldn't be.

Thanks,
-Jeric

--
JericAtSbcglobalDotNetwork
4:02am up 17 days, 19:51, 7 users, load average: 0.07, 0.05, 0.01

The 02.12.08 at 04:03, Jeric wrote:
> In my firewall logs (/var/log/messages), generated by SuSEfirewall2 in SuSE 8.1 I will get two identical lines, both time stamped the same second and everything, except the first one is ACCEPT, and the second one is DENY. Has anyone seen this and know what causes this, or how to fix it? The packets in question should be denied. I don't have anything complex set up on the firewall (i.e. no masq, routing, dmz, etc. are set up). I don't understand how two similar packets (if not the same packets) are being both accepted and denied, this shouldn't be.

Yes, I mentioned that the other day. I'm thinking that it could be the same packet, allowed entry, and then dropped because there is no handler for it (no daemon listening).

Dec 8 20:27:56 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=193.152.137.135 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=48243 DF PROTO=TCP SPT=37021 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 8 20:27:56 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=193.152.137.135 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=48243 DF PROTO=TCP SPT=37021 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)

--
Cheers,
Carlos Robinson

On Sun, 2002-12-08 at 19:14, Carlos E. R. wrote:
> Yes, I mentioned that the other day. I'm thinking that it could be the same packet, allowed entry, and then dropped because there is no handler for it (no daemon listening).
>
> Dec 8 20:27:56 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=193.152.137.135 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=48243 DF PROTO=TCP SPT=37021 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
> Dec 8 20:27:56 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=193.152.137.135 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=48243 DF PROTO=TCP SPT=37021 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)

Oops, I missed the original post on that thread. After seeing the original question that you posted with the firewall logs, that's pretty much exactly how mine are. However, if a packet gets past the SuSE firewall script and is dropped due to the port being closed, is that not handled by ippl? I noticed that some dropped packets have the "SuSE-FW" prefix, while others have the "ippl" prefix. So, in our case, ippl is not recording the passed package, but SuSE firewall script still has it. This is kind of bugging me, since I am wondering if I have to ditch the SuSE Firewall2 script altogether (because it is being flaky and unreliable, so it seems), and create an IPTables set of rules on my own (big pain to do so, too, I'd rather amend the SuSE Firewall one).

Any further info on this much appreciated.

-Jeric

--
JericAtSbcglobalDotNetwork
9:13pm up 18 days, 13:01, 7 users, load average: 3.08, 3.15, 3.16

The 02.12.08 at 21:20, Jeric wrote:
> not recording the passed package, but SuSE firewall script still has it. This is kind of bugging me, since I am wondering if I have to ditch the SuSE Firewall2 script altogether (because it is being flaky and unreliable, so it seems), and create an IPTables set of rules on my own (big pain to do so, too, I'd rather amend the SuSE Firewall one).

I think it is just lack of information on our part :-)

> Any further info on this much appreciated.

There was mention of a susefirewall howto here in the list, but I still have not read it.

--
Cheers,
Carlos.

On Monday 09 December 2002 20:13, Carlos E. R. wrote:
> The 02.12.08 at 21:20, Jeric wrote:
>> not recording the passed package, but SuSE firewall script still has it. This is kind of bugging me, since I am wondering if I have to ditch the SuSE Firewall2 script altogether (because it is being flaky and unreliable, so it seems), and create an IPTables set of rules on my own (big pain to do so, too, I'd rather amend the SuSE Firewall one).
>
> I think it is just lack of information on our part :-)
>
>> Any further info on this much appreciated.
>
> There was mention of a susefirewall howto here in the list, but I still have not read it.

http://susefaq.sourceforge.net/articles/firewall/fw_manual.html

--
Pam R: <Yet another cute tag line>
Linux StepbyStep: http://www.linux-sxs.org/stepbystep.html

participants (3)
- Carlos E. R.
- Jeric
- Pam R
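
As an added example (not part of any post in this thread), this Python script finds packets that SuSEfirewall2 logged under both an ACCEPT and a DROP prefix, by grouping log lines on timestamp, host, interface, addresses, protocol, ports and IP ID. The sample log is constructed from the two lines quoted in the thread plus one made-up entry, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two lines quoted in the thread plus one
# made-up, unrelated drop so the pairing has something to reject.
SAMPLE_LOG = """\
Dec 8 20:27:56 nimrodel kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=193.152.137.135 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=48243 DF PROTO=TCP SPT=37021 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 8 20:27:56 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=193.152.43.8 DST=193.152.137.135 LEN=44 TOS=0x00 PREC=0x00 TTL=252 ID=48243 DF PROTO=TCP SPT=37021 DPT=5327 WINDOW=8760 RES=0x00 SYN URGP=0 OPT (020405B4)
Dec 8 20:28:10 nimrodel kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=192.0.2.7 DST=193.152.137.135 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1201 PROTO=TCP SPT=4001 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, "kernel:", the SuSE-FW-* log prefix, then the packet fields
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+kernel:\s+"
    r"(?P<prefix>SuSE-FW-\S+)\s+(?P<rest>.*)$")

# Fields that together identify one packet within a given second
KEY_FIELDS = ("IN", "SRC", "DST", "PROTO", "SPT", "DPT", "ID")


def parse_line(line):
    """Return timestamp, host, prefix and KEY=value fields, or None if not a SuSE-FW line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Bare flags such as DF or SYN carry no "=" and are skipped
    fields = dict(tok.split("=", 1) for tok in m["rest"].split() if "=" in tok)
    return {"ts": m["ts"], "host": m["host"], "prefix": m["prefix"], "fields": fields}


def find_double_logged(log_text):
    """Map packet key -> list of prefixes, for packets logged as both ACCEPT and DROP."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            key = (rec["ts"], rec["host"]) + tuple(rec["fields"].get(k) for k in KEY_FIELDS)
            seen[key].append(rec["prefix"])
    return {k: p for k, p in seen.items()
            if any("ACCEPT" in x for x in p) and any("DROP" in x for x in p)}


if __name__ == "__main__":
    for key, prefixes in find_double_logged(SAMPLE_LOG).items():
        print(" ".join(str(k) for k in key), "->", ", ".join(prefixes))
```

Matching on the IP ID as well as addresses and ports separates one packet logged twice from a retransmitted SYN, which would normally carry a different ID.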