RE: SuSE Firewall: Disabling Kernel Security Options
Thanks Dave,

What about the other stuff it spurts out like: ll: header <ethernet addr> etc? Is that in the same place? (I don't want to remove something that was there before the firewall changes).

Is this kernel security stuff merely related to logging? (The guide says you should get the firewall working first before enabling it).

Tim Harrell

-----Original Message-----
From: Dave Jones [mailto:davej@suse.de]
Sent: Thursday, August 23, 2001 5:23 PM
To: Harrell, Tim
Cc: 'SuseLinux'
Subject: Re: SuSE Firewall: Disabling Kernel Security Options
On Thu, 23 Aug 2001, Harrell, Tim wrote:
> I'm no longer running any kind of firewall at all so why am I still getting these martian messages? Has it patched the kernel somehow?
No, it's a sysctl you can change at any time without needing to rebuild the kernel.

    cat /proc/sys/net/ipv4/conf/*/log_martians

and you'll get some '1's if it's enabled.

    for f in /proc/sys/net/ipv4/conf/*/log_martians; do echo 0 > "$f"; done

and the messages will be suppressed.
regards,
Dave.
--
| Dave Jones. http://www.suse.de/~davej
| SuSE Labs
On Thu, 23 Aug 2001, Harrell, Tim wrote:
> What about the other stuff it spurts out like: ll: header <ethernet addr> etc? Is that in the same place? (I don't want to remove something that was there before the firewall changes).
*shrug* not sure about that one. Never seen it get printed.
> Is this kernel security stuff merely related to logging? (The guide says you should get the firewall working first before enabling it).
The martian stuff is just logging, well not strictly true.. the packets also get dropped as they are unroutable. Martians are reserved IP addresses, i.e. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, and a few other ranges. Packets from these addresses should never be seen on the internet, and should be reserved to LANs.

Not sure what the other stuff we've bundled under 'kernel security' is, as I'm not too familiar with our firewall package. I should take a day out to take a look at it sometime. There are a few other options in /proc/sys related to such things; I imagine it's just controlling those. Not all of these are related to logging; some of them can reduce the possibility of IP-spoofed packets getting through etc.

regards,
Dave.

--
| Dave Jones. http://www.suse.de/~davej
| SuSE Labs
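An added example, not part of the thread or of SuSE's firewall package: shell functions that audit and set log_martians per interface. They rely on the kernel's documented rule that martians are logged on an interface when either conf/all or the interface's own entry is non-zero; the SYSCTL_ROOT variable and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit and set log_martians for every interface.
# SYSCTL_ROOT is an assumption of this example so the functions can be
# pointed at a scratch copy of the tree; on a live system it is /proc/sys.
SYSCTL_ROOT="${SYSCTL_ROOT:-/proc/sys}"

conf_dir() { printf '%s/net/ipv4/conf' "$SYSCTL_ROOT"; }

# Print "<interface> <own value> <effective value>" for every entry.
# Logging is effective on an interface when conf/all OR the interface's
# own log_martians is non-zero, so a 0 on eth0 alone does not silence it.
martian_report() {
    all=$(cat "$(conf_dir)/all/log_martians")
    for f in "$(conf_dir)"/*/log_martians; do
        iface=$(basename "$(dirname "$f")")
        own=$(cat "$f")
        if [ "$all" -ne 0 ] || [ "$own" -ne 0 ]; then eff=1; else eff=0; fi
        printf '%s %s %s\n' "$iface" "$own" "$eff"
    done
}

# Write VALUE (0 or 1) to every log_martians file, one redirect per file:
# a redirect whose glob matches several files is rejected by bash as
# ambiguous, so the loop is needed.
set_log_martians() {
    case "$1" in 0|1) ;; *) echo "usage: set_log_martians 0|1" >&2; return 2 ;; esac
    for f in "$(conf_dir)"/*/log_martians; do
        printf '%s\n' "$1" > "$f" || return 1
    done
}

# Number of entries on which martian packets are still being logged.
martian_logging_count() {
    martian_report | awk '$3 == 1 { n++ } END { print n + 0 }'
}
```

On a live system set_log_martians needs root, and the values revert at reboot unless they are also set in the system's sysctl configuration.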