[opensuse] A firewall rejection I don't understand.
I get quite a number of these in my firewall log:

<0.4> 2013-04-10 01:41:09 Telcontar kernel - - - [1145683.188480] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=40362 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=54990 PROTO=UDP SPT=24645 DPT=53 LEN=44 ]
<0.4> 2013-04-19 23:35:57 Telcontar kernel - - - [1528647.700090] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=93 TOS=0x00 PREC=0xC0 TTL=255 ID=48789 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.250 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=51914 PROTO=UDP SPT=22413 DPT=53 LEN=45 ]

It is coming from my router to my desktop, but what is it about?

--
Cheers,
Carlos E. R.

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 20/04/13 20:27, Carlos E. R. wrote:
I get quite a number of these in my firewall log:
<0.4> 2013-04-10 01:41:09 Telcontar kernel - - - [1145683.188480] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=40362 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=54990 PROTO=UDP SPT=24645 DPT=53 LEN=44 ]
<0.4> 2013-04-19 23:35:57 Telcontar kernel - - - [1528647.700090] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=93 TOS=0x00 PREC=0xC0 TTL=255 ID=48789 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.250 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=51914 PROTO=UDP SPT=22413 DPT=53 LEN=45 ]
It is coming from my router to my desktop, but what is it about?
ICMP type 3 code 0 == Network unreachable error.
On Saturday, 2013-04-20 at 20:33 -0300, Cristian Rodríguez wrote:
On 20/04/13 20:27, Carlos E. R. wrote:
I get quite a number of these in my firewall log:
<0.4> 2013-04-10 01:41:09 Telcontar kernel - - - [1145683.188480] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=40362 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=54990 PROTO=UDP SPT=24645 DPT=53 LEN=44 ]
<0.4> 2013-04-19 23:35:57 Telcontar kernel - - - [1528647.700090] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=93 TOS=0x00 PREC=0xC0 TTL=255 ID=48789 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.250 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=51914 PROTO=UDP SPT=22413 DPT=53 LEN=45 ]
It is coming from my router to my desktop, but what is it about?
ICMP type 3 code 0 == Network unreachable error.
Ok, so the router is telling me that the network was unreachable, perhaps when attempting to send the package in brackets, the one to "80.58.61.250"? If that is information the router is sending me, should not those packages be allowed? If so, how?

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Sun, 21 Apr 2013 02:35:08 +0200 (CEST) "Carlos E. R." <robin.listas@telefonica.net> wrote:
If that is an information the router is sending me, should not those packages be allowed? If so, how?
More likely the other side DST=80.58.61.250 tells you that for ICMP, while it has no problems with UDP.

--
Regards, Rajko.
On Saturday, 2013-04-20 at 19:44 -0500, Rajko wrote:
On Sun, 21 Apr 2013 02:35:08 +0200 (CEST) "Carlos E. R." <> wrote:
If that is an information the router is sending me, should not those packages be allowed? If so, how?
More likely the other side DST=80.58.61.250 tells you that for ICMP, while it has no problems with UDP.
But the package that goes to that machine is not ICMP. It is this one:

[SRC=192.168.1.14 DST=80.58.61.250 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=51914 PROTO=UDP SPT=22413 DPT=53 LEN=45 ]

It goes to the port 53, the DNS port.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Carlos E. R. wrote:
On Saturday, 2013-04-20 at 19:44 -0500, Rajko wrote:
On Sun, 21 Apr 2013 02:35:08 +0200 (CEST) "Carlos E. R." <> wrote:
If that is an information the router is sending me, should not those packages be allowed? If so, how?
More likely the other side DST=80.58.61.250 tells you that for ICMP, while it has no problems with UDP.
But the package that goes to that machine is not ICMP. It is this one:
[SRC=192.168.1.14 DST=80.58.61.250 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=51914 PROTO=UDP SPT=22413 DPT=53 LEN=45 ]
It goes to the port 53, the DNS port.
It is your desktop [192.168.1.14] trying to reach 80.58.61.250:53 and your router [192.168.1.1] saying the network can't be reached or that port 53 isn't open.

--
Per Jessen, Zürich (9.4°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
On Sunday, 2013-04-21 at 16:06 +0200, Per Jessen wrote:
Carlos E. R. wrote:
It is your desktop [192.168.1.14] trying to reach 80.58.61.250:53 and your router [192.168.1.1] saying the network can't be reached or that port 53 isn't open.
Yes, that is what I'm understanding. But why does the openSUSE firewall reject that information? I expect that some process in my system is interested in that information. Should I open my firewall for it, and then, how?

That IP is in fact the IP of my ISP DNS (I just found out), so the port 53 is open (I verified). It is possible that they fail now and then.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
Carlos E. R. wrote:
But why does the openSUSE firewall reject that information? I expect that some process in my system is interested in that information. Should I open my firewall for it, and then, how?
I don't know what the situation is with SuSEfirewall, but some people block all ICMP, thinking it will protect them from attacks. But in the process they block legitimate ICMP messages which they should be allowing, if they're to use the Internet properly. For example, if you're on the wrong route to a host, a router may generate an ICMP redirect, advising of the proper route. But if all ICMP is blocked, then your computer will not see that and keep trying until it times out.
On Sunday, 2013-04-21 at 11:13 -0400, James Knott wrote:
Carlos E. R. wrote:
But why does the openSUSE firewall reject that information? I expect that some process in my system is interested in that information. Should I open my firewall for it, and then, how?
I don't know what the situation is with SuSEfirewall, but some people block all ICMP, thinking it will protect them from attacks. But in the process they block legitimate ICMP messages which they should be allowing, if they're to use the Internet properly. For example, if you're on the wrong route to a host, a router may generate an ICMP redirect, advising of the proper route. But if all ICMP is blocked, then your computer will not see that and keep trying until it times out.
I had these settings:

FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""

I have added:

FW_TRUSTED_NETS="192.168.1.1,icmp"

And I'll see what happens...

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 04/21/2013 05:30 PM, Carlos E. R. wrote:
I had these settings:
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
I have added:
FW_TRUSTED_NETS="192.168.1.1,icmp"
If that does not work, can you try

FW_LOG_LIMIT="no"
On Sunday, 2013-04-21 at 17:30 +0200, Carlos E. R. wrote:
I have added:
FW_TRUSTED_NETS="192.168.1.1,icmp"
And I'll see what happens...
Does not work.

<0.4> 2013-04-21 23:27:21 Telcontar kernel - - - [1615129.084655] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=22728 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.250 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=2736 PROTO=UDP SPT=7861 DPT=53 LEN=44 ]

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 04/21/2013 11:32 PM, Carlos E. R. wrote:
On Sunday, 2013-04-21 at 17:30 +0200, Carlos E. R. wrote:
I have added:
FW_TRUSTED_NETS="192.168.1.1,icmp"
And I'll see what happens...
Does not work.
<0.4> 2013-04-21 23:27:21 Telcontar kernel - - - [1615129.084655] SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=22728 PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.250 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=2736 PROTO=UDP SPT=7861 DPT=53 LEN=44 ]
Did you try

FW_LOG_LIMIT="no"
On Monday, 2013-04-22 at 00:49 +0200, Togan Muftuoglu wrote:
On 04/21/2013 11:32 PM, Carlos E. R. wrote:
Did you try
FW_LOG_LIMIT="no"
The logging is not a problem, the firewall log is only 2.5 MB, and the first entry dates from 2011 :-)

What worries me is that the packet gets rejected, and what effect it may have on networking.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 04/22/2013 01:00 AM, Carlos E. R. wrote:
On Monday, 2013-04-22 at 00:49 +0200, Togan Muftuoglu wrote:
On 04/21/2013 11:32 PM, Carlos E. R. wrote:
Did you try
FW_LOG_LIMIT="no"
The logging is not a problem, the firewall log is only 2.5 MB, and the first entry dates from 2011 :-)
What worries me is that the packet gets rejected, and what effect it may have on networking.
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.

So setting it to "no" may help to identify the issue
On 2013-04-22 02:45, Togan Muftuoglu wrote:
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
So setting it to "no" may help to identify the issue
Ok, I'm convinced. But it breaks:

Telcontar:~ # SuSEfirewall2
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth1
SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
iptables-batch v1.4.12.1: bad rate "NO"'
Try `iptables-batch -h' or 'iptables-batch --help' for more information.
SuSEfirewall2: Error: iptables-batch failed, re-running using iptables
iptables v1.4.12.1: bad rate "NO"'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.12.1: bad rate "NO"'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.12.1: bad rate "NO"'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.12.1: bad rate "NO"'
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.4.12.1: bad rate "NO"'
Try `iptables -h' or 'iptables --help' for more information.
ip6tables-batch v1.4.12.1: bad rate "NO"'
Try `ip6tables-batch -h' or 'ip6tables-batch --help' for more information.
SuSEfirewall2: Error: ip6tables-batch failed, re-running using ip6tables
ip6tables v1.4.12.1: bad rate "NO"'
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.12.1: bad rate "NO"'
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.12.1: bad rate "NO"'
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.12.1: bad rate "NO"'
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.12.1: bad rate "NO"'
Try `ip6tables -h' or 'ip6tables --help' for more information.
SuSEfirewall2: Firewall rules successfully set

--
Cheers / Saludos,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 04/22/2013 02:59 AM, Carlos E. R. wrote:
On 2013-04-22 02:45, Togan Muftuoglu wrote:
# How many packets per time unit get logged for each logging rule.
# When empty a default of 3/minute is used to prevent port scans
# flooding your log files. For desktop usage it's a good idea to
# have the limit, if you are using logfile analysis tools however
# you might want to disable it.
So setting it to "no" may help to identify the issue
Ok, I'm convinced. But it breaks:
Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL to 'yes' disables this option as well.

It should be in lower case
iptables v1.4.12.1: bad rate "NO"'
Are you sure you did put it in lower case?
On Monday, 2013-04-22 at 03:24 +0200, Togan Muftuoglu wrote:
iptables v1.4.12.1: bad rate "NO"'
Are you sure you did put it in lower case?
Certainly not, I used uppercase; I did not remember that case was important here.

Ok, the change is done. We'll see what happens.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 04/21/2013 12:13 PM, James Knott wrote:
Carlos E. R. wrote:
But why does the openSUSE firewall reject that information? I expect that some process in my system is interested in that information. Should I open my firewall for it, and then, how?
I don't know what the situation is with SuSEfirewall, but some people block all ICMP, thinking it will protect them from attacks. But in the process they block legitimate ICMP messages which they should be allowing, if they're to use the Internet properly. For example, if you're on the wrong route to a host, a router may generate an ICMP redirect, advising of the proper route. But if all ICMP is blocked, then your computer will not see that and keep trying until it times out.
Yes, also the following icmp types must never be blocked; if SUSEfirewall does not implicitly create rules always allowing them, then it is absolutely retarded and you should not use it.

- icmp fragmentation-needed
- icmp time-exceeded
On 04/21/2013 05:43 PM, Cristian Rodríguez wrote:
Yes, also the following icmp types must never be blocked; if SUSEfirewall does not implicitly create rules always allowing them, then it is absolutely retarded and you should not use it.

In SuSEfirewall2 safe_icmp_replies and safe_icmp_replies6 define what are allowed
- icmp fragmentation-needed
That one is missing
- icmp time-exceeded
It is there

Carlos, maybe better to bugzilla the icmp fragmentation-needed
Togan Muftuoglu wrote:
On 04/21/2013 05:43 PM, Cristian Rodríguez wrote:
Yes, also the following icmp types must never be blocked; if SUSEfirewall does not implicitly create rules always allowing them, then it is absolutely retarded and you should not use it.

In SuSEfirewall2 safe_icmp_replies and safe_icmp_replies6 define what are allowed

- icmp fragmentation-needed

That one is missing

- icmp time-exceeded

It is there
Carlos, maybe better to bugzilla the icmp fragmentation-needed
Hmmm.... I just checked my 11.4 firewall and none of that is there.
On 21/04/13 14:29, Togan Muftuoglu wrote:
On 04/21/2013 05:43 PM, Cristian Rodríguez wrote:
Yes, also the following icmp types must never be blocked; if SUSEfirewall does not implicitly create rules always allowing them, then it is absolutely retarded and you should not use it.

In SuSEfirewall2 safe_icmp_replies and safe_icmp_replies6 define what are allowed
- icmp fragmentation-needed
That one is missing
- icmp time-exceeded
It is there
Carlos, maybe better to bugzilla the icmp fragmentation-needed
Huh. if it is *really* not there, then SUSEfirewall will break Path MTU discovery ...(!?!?)
On 04/21/2013 07:41 PM, Cristian Rodríguez wrote:
Huh. if it is *really* not there, then SUSEfirewall will break Path MTU discovery ...(!?!?)
Unless I can't see it, it is not there, and I am looking at the git version

git describe --tags HEAD
openSUSE-12.2-9-gd103128

Regarding path mtu this is what is there

# MSS stuff needs this?
if [ "$FW_ROUTE" = yes ]; then
    $IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
On 21/04/13 15:01, Togan Muftuoglu wrote:
$IPTABLES -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi
Ok, that's a different approach to the problem.
On Sun, Apr 21, 2013 at 02:41:37PM -0300, Cristian Rodríguez wrote:
On 21/04/13 14:29, Togan Muftuoglu wrote:
On 04/21/2013 05:43 PM, Cristian Rodríguez wrote:
Yes, also the following icmp types must never be blocked; if SUSEfirewall does not implicitly create rules always allowing them, then it is absolutely retarded and you should not use it.

In SuSEfirewall2 safe_icmp_replies and safe_icmp_replies6 define what are allowed
- icmp fragmentation-needed
That one is missing
- icmp time-exceeded
It is there
Carlos, maybe better to bugzilla the icmp fragmentation-needed
Huh. if it is *really* not there, then SUSEfirewall will break Path MTU discovery ...(!?!?)
The ICMP related match should take care of it.

Ciao, Marcus
On Sunday, 2013-04-21 at 19:29 +0200, Togan Muftuoglu wrote:
On 04/21/2013 05:43 PM, Cristian Rodríguez wrote:
Yes, also the following icmp types must never be blocked; if SUSEfirewall does not implicitly create rules always allowing them, then it is absolutely retarded and you should not use it.

In SuSEfirewall2 safe_icmp_replies and safe_icmp_replies6 define what are allowed
- icmp fragmentation-needed
That one is missing
- icmp time-exceeded
It is there
Carlos, maybe better to bugzilla the icmp fragmentation-needed
Sorry people, I got lost in the way :-)

I don't know what settings you are checking; those are not variables in the "/etc/sysconfig/SuSEfirewall2" file, and thus I have no idea what I should report.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 04/21/2013 08:01 PM, Carlos E. R. wrote:
On Sunday, 2013-04-21 at 19:29 +0200, Togan Muftuoglu wrote:
On 04/21/2013 05:43 PM, Cristian Rodríguez wrote:
Yes, also the following icmp types must never be blocked; if SUSEfirewall does not implicitly create rules always allowing them, then it is absolutely retarded and you should not use it.

In SuSEfirewall2 safe_icmp_replies and safe_icmp_replies6 define what are allowed
- icmp fragmentation-needed
That one is missing
- icmp time-exceeded
It is there
Carlos, maybe better to bugzilla the icmp fragmentation-needed
Sorry people, I got lost in the way :-)
I don't know what settings you are checking, those are not variables in the "/etc/sysconfig/SuSEfirewall2" file, and thus I have no idea what I should report.
They are not settings but the predefined icmp types in the SuSEfirewall2,

grep safe_icmp SuSEfirewall2
On Sunday, 2013-04-21 at 20:11 +0200, Togan Muftuoglu wrote:
They are not settings but the predefined icmp types in the SuSEfirewall2,
grep safe_icmp SuSEfirewall2
Telcontar:~ # grep safe_icmp SuSEfirewall2
grep: SuSEfirewall2: No such file or directory
Telcontar:~ #

Anyway, I can not report anything: a bug in 12.1 will be ignored.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On 04/21/2013 08:19 PM, Carlos E. R. wrote:
On Sunday, 2013-04-21 at 20:11 +0200, Togan Muftuoglu wrote:
They are not settings but the predefined icmp types in the SuSEfirewall2,
grep safe_icmp SuSEfirewall2
Telcontar:~ # grep safe_icmp SuSEfirewall2
grep: SuSEfirewall2: No such file or directory
Telcontar:~ #
Sorry, I was running the grep in the git source directory; you want to grep in the /sbin/SuSEfirewall2, but the safest is

sudo which SuSEfirewall2 | xargs grep safe_icmp
Anyway, I can not report anything: a bug in 12.1 will be ignored.
The problem exists in the git version of SuSEFirewall2 so I do not think openSUSE version is important here

git://gitorious.org/opensuse/susefirewall2.git
On Sunday, 2013-04-21 at 21:10 +0200, Togan Muftuoglu wrote:
On 04/21/2013 08:19 PM, Carlos E. R. wrote:
Telcontar:~ # grep safe_icmp SuSEfirewall2
grep: SuSEfirewall2: No such file or directory
Telcontar:~ #
Sorry, I was running the grep in the git source directory; you want to grep in the /sbin/SuSEfirewall2, but the safest is
sudo which SuSEfirewall2 | xargs grep safe_icmp
Telcontar:~ # which SuSEfirewall2 | xargs grep safe_icmp
safe_icmp_replies="echo-reply destination-unreachable time-exceeded parameter-problem timestamp-reply address-mask-reply protocol-unreachable redirect"
safe_icmpv6_replies="echo-reply destination-unreachable packet-too-big time-exceeded parameter-problem"
    for itype in $stateless_icmpv6_types $safe_icmpv6_replies; do
    # local icmp_types="$safe_icmp_replies"
    # icmp_types="$safe_icmpv6_replies"
    for itype in $safe_icmp_replies; do
    for itype in $safe_icmpv6_replies; do
Telcontar:~ #
Anyway, I can not report anything: a bug in 12.1 will be ignored.
The problem exists in the git version of SuSEFirewall2 so I do not think openSUSE version is important here
Possibly, but Bugzillas reported against 12.1 will not be investigated because it goes out of maintenance in two months, IIRC. Please remember that two months _before_ the official demise of 11.4, a lot of bugs were routinely closed (the decision to do so was posted here), without even reading many of them.

Thus, sorry, I'm not going to waste time reporting a bug that will not be investigated at all.

I have, in fact, reported bugs on 12.3 which got no response yet. I don't see much incentive to reporting even on recent versions... :-(

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Sun, Apr 21, 2013 at 09:40:30PM +0200, Carlos E. R. wrote:
On Sunday, 2013-04-21 at 21:10 +0200, Togan Muftuoglu wrote:
On 04/21/2013 08:19 PM, Carlos E. R. wrote:
Telcontar:~ # grep safe_icmp SuSEfirewall2
grep: SuSEfirewall2: No such file or directory
Telcontar:~ #
Sorry, I was running the grep in the git source directory; you want to grep in the /sbin/SuSEfirewall2, but the safest is
sudo which SuSEfirewall2 | xargs grep safe_icmp
Telcontar:~ # which SuSEfirewall2 | xargs grep safe_icmp
safe_icmp_replies="echo-reply destination-unreachable time-exceeded parameter-problem timestamp-reply address-mask-reply protocol-unreachable redirect"
safe_icmpv6_replies="echo-reply destination-unreachable packet-too-big time-exceeded parameter-problem"
    for itype in $stateless_icmpv6_types $safe_icmpv6_replies; do
    # local icmp_types="$safe_icmp_replies"
    # icmp_types="$safe_icmpv6_replies"
    for itype in $safe_icmp_replies; do
    for itype in $safe_icmpv6_replies; do
Telcontar:~ #
Anyway, I can not report anything: a bug in 12.1 will be ignored.
The problem exists in the git version of SuSEFirewall2 so I do not think openSUSE version is important here
Possibly, but Bugzillas reported against 12.1 will not be investigated because it goes out of maintenance in two months, IIRC. Please remember that two months _before_ the official demise of 11.4, a lot of bugs were routinely closed (the decision to do so was posted here), without even reading many of them.
Thus, sorry, I'm not going to waste time reporting a bug that will not be investigated at all.
I have, in fact, reported bugs on 12.3 which got no response yet. I don't see much incentive to reporting even on recent versions... :-(
That probably depends on the assignee, but should not stop you.

BTW this block is also active for ICMP handling and if the DNS query was timely before, it should be arriving via related:

# need to accept icmp RELATED packets (bnc#382004)
$LAA $IPTABLES -A INPUT ${LOG}"-IN-ACC-REL " -p icmp -m conntrack --ctstate RELATED
$IPTABLES -A INPUT -j "$ACCEPT" -p icmp -m conntrack --ctstate RELATED
$LAA $IP6TABLES -A INPUT ${LOG}"-IN-ACC-REL " -p icmpv6 -m conntrack --ctstate RELATED
$IP6TABLES -A INPUT -j "$ACCEPT" -p icmpv6 -m conntrack --ctstate RELATED

This btw goes for the other routing related ICMP types that people missed by direct greps.

Ciao, Marcus
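As an added illustration of two points made in this thread (Per Jessen's reading of the log line, where the desktop's UDP query to port 53 is quoted inside the router's ICMP "network unreachable", and Marcus's remark that such an error is only accepted via the RELATED rule when the original query was recent), the following Python script is example code written for this page; it is not SuSEfirewall2 code and not from any list participant. It parses SFW2 log lines of the kind quoted above (the sample line is a copy of the first one in the thread), names the ICMP type 3 code, and models the conntrack lookup behind `-m conntrack --ctstate RELATED`: the error counts as RELATED only while the quoted UDP flow is still in the conntrack table. The 30-second timeout is an assumption matching the Linux default for unreplied UDP entries (nf_conntrack_udp_timeout); the ConntrackModel class, the function names and the timing values are constructed for the example.

```python
"""Decode SuSEfirewall2 (SFW2) log lines that record a dropped ICMP error and
model why conntrack marks such an error RELATED only while the original flow
is still in its table.  Added example for this thread: not SuSEfirewall2 code
and not code from any list participant."""
import re
from dataclasses import dataclass

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {
    0: "network unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

# Assumption: Linux default lifetime of an unreplied UDP conntrack entry
# (sysctl net.netfilter.nf_conntrack_udp_timeout); check the live value on a real box.
UDP_UNREPLIED_TIMEOUT = 30.0

_KV = re.compile(r"(\w+)=(\S*)")
_PREFIX = re.compile(r"(SFW2-\S+)")
# The kernel uptime "[1145683.188480]" is bracketed too, so anchor on SRC=.
_INNER = re.compile(r"\[\s*(SRC=[^\]]*)\]")


@dataclass
class IcmpErrorLog:
    rule: str    # SFW2 log prefix, e.g. SFW2-INext-DROP-DEFLT
    outer: dict  # header of the dropped ICMP packet (router -> desktop)
    inner: dict  # header of the original packet quoted inside the ICMP payload


def parse_sfw2_line(line: str) -> IcmpErrorLog:
    """Split an SFW2 log line into its outer and inner KEY=VALUE headers."""
    prefix = _PREFIX.search(line)
    m_inner = _INNER.search(line)
    outer_text = line[: m_inner.start()] if m_inner else line
    inner_text = m_inner.group(1) if m_inner else ""
    # The inner header lists LEN twice (IP total length, then UDP length);
    # dict() keeps the last one, which is not needed here.
    return IcmpErrorLog(rule=prefix.group(1) if prefix else "",
                        outer=dict(_KV.findall(outer_text)),
                        inner=dict(_KV.findall(inner_text)))


def describe(entry: IcmpErrorLog) -> str:
    """Human-readable meaning of the dropped packet."""
    o, i = entry.outer, entry.inner
    if o.get("PROTO") != "ICMP" or o.get("TYPE") != "3":
        return f"{entry.rule}: {o.get('PROTO')} packet from {o.get('SRC')} (not a type 3 error)"
    code = ICMP_UNREACH_CODES.get(int(o.get("CODE", -1)), "unknown code")
    return (f"{entry.rule}: {o['SRC']} says '{code}' for "
            f"{i.get('PROTO')} {i.get('SRC')}:{i.get('SPT')} -> {i.get('DST')}:{i.get('DPT')}")


def flow_key(inner: dict):
    """Conntrack-style tuple for the packet quoted inside an ICMP error."""
    try:
        return (inner["PROTO"], inner["SRC"], int(inner["SPT"]), inner["DST"], int(inner["DPT"]))
    except (KeyError, ValueError):
        return None  # no L4 ports in the quoted header: nothing to relate to


class ConntrackModel:
    """Minimal model of the lookup behind '-m conntrack --ctstate RELATED' (constructed)."""

    def __init__(self, udp_timeout: float = UDP_UNREPLIED_TIMEOUT):
        self.udp_timeout = udp_timeout
        self.flows = {}  # (proto, src, sport, dst, dport) -> time of last packet seen

    def outbound(self, proto, src, sport, dst, dport, now: float):
        self.flows[(proto, src, sport, dst, dport)] = now

    def ctstate(self, entry: IcmpErrorLog, now: float) -> str:
        key = flow_key(entry.inner)
        seen = self.flows.get(key) if key else None
        if seen is not None and now - seen <= self.udp_timeout:
            return "RELATED"  # matched by the IN-ACC-REL accept rule
        return "INVALID"      # no live flow to relate to: falls through to the DROP-DEFLT rule


SAMPLE_LINE = (  # copy of the first log line quoted in this thread
    "<0.4> 2013-04-10 01:41:09 Telcontar kernel - - - [1145683.188480] "
    "SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:21:85:16:2d:0b:00:30:da:70:d7:ea:08:00 "
    "SRC=192.168.1.1 DST=192.168.1.14 LEN=92 TOS=0x00 PREC=0xC0 TTL=255 ID=40362 "
    "PROTO=ICMP TYPE=3 CODE=0 [SRC=192.168.1.14 DST=80.58.61.254 LEN=64 TOS=0x00 "
    "PREC=0x00 TTL=64 ID=54990 PROTO=UDP SPT=24645 DPT=53 LEN=44 ]"
)


def demo(query_age: float) -> str:
    """ctstate the ICMP error gets if the DNS query left query_age seconds before it."""
    entry = parse_sfw2_line(SAMPLE_LINE)
    ct = ConntrackModel()
    ct.outbound("UDP", "192.168.1.14", 24645, "80.58.61.254", 53, now=100.0)
    return ct.ctstate(entry, now=100.0 + query_age)


if __name__ == "__main__":
    print(describe(parse_sfw2_line(SAMPLE_LINE)))
    for age in (2.0, 90.0):
        print(f"DNS query sent {age:.0f}s before the error -> {demo(age)}")
```

Run as a script it prints the decoded line ("192.168.1.1 says 'network unreachable' for UDP 192.168.1.14:24645 -> 80.58.61.254:53"), RELATED for an error arriving 2 seconds after the query and INVALID for one arriving 90 seconds later, which is the case the DROP-DEFLT rule logs. Feeding `parse_sfw2_line` the other lines from the thread, or lines from your own log, works the same way; only ICMP type 3 gets a code name here, other types are reported as-is.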
On Sunday, 2013-04-21 at 22:38 +0200, Marcus Meissner wrote:
On Sun, Apr 21, 2013 at 09:40:30PM +0200, Carlos E. R. wrote:
Thus, sorry, I'm not going to waste time reporting a bug that will not be investigated at all.
I have, in fact, reported bugs on 12.3 which got no response yet. I don't see much incentive to reporting even on recent versions... :-(
That probably depends on the assignee, but should not stop you.
Ok, I'll trust you. Reported.

<https://bugzilla.novell.com/show_bug.cgi?id=816400>
Bug 816400 - SuSEfirewall2 rejects ICMP packets it should accept.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
On Sunday, 2013-04-21 at 23:16 +0200, Carlos E. R. wrote:
On Sunday, 2013-04-21 at 22:38 +0200, Marcus Meissner wrote:
Thus, sorry, I'm not going to waste time reporting a bug that will not be investigated at all.
I have, in fact, reported bugs on 12.3 which got no response yet. I don't see much incentive to reporting even on recent versions... :-(
That probably depends on the assignee, but should not stop you.
Ok, I'll trust you. Reported.
<https://bugzilla.novell.com/show_bug.cgi?id=816400>
Bug 816400 - SuSEfirewall2 rejects ICMP packets it should accept.
I'll write here a summary of that Bugzilla, for those interested.

My system is using a local named server. It is configured thus:

forwarders { 192.168.1.1; };
forward first;

which means that it first asks the router for dns queries, and then the router asks the DNS servers of my ISP, which are assigned dynamically to my ISP when it connects. The DNS server inside my openSUSE server knows nothing about those DNS servers the router is querying.

When my ADSL link goes down, and my computer asks the router, this one can not resolve, and it is then when it sends those ICMP packages back to the computer with that information, which can not be tracked to any prior packet and are then rejected in the firewall.

Marcus dedicated too much time to investigate this. It appears that it is harmless, and there is no need to dedicate more time to it. I'm happy with the resolution. Anybody wanting to read more details, they are in the bugzilla.

As to the other things that people in this thread said might be broken, they are outside my understanding, so it is up to them to investigate further if they think it is interesting enough.

Thanks a lot to everybody, especially to Marcus for his time.

--
Cheers,
Carlos E. R.
(from 12.1 x86_64 "Asparagus" at Telcontar)
participants (8)
- Carlos E. R.
- Carlos E. R.
- Cristian Rodríguez
- James Knott
- Marcus Meissner
- Per Jessen
- Rajko
- Togan Muftuoglu