https://bugzilla.novell.com/show_bug.cgi?id=344648#c2
Lukas Ocilka changed:
What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |NEEDINFO
Info Provider |        |lnussel@novell.com
--- Comment #2 from Lukas Ocilka 2007-11-30 08:20:17 MST ---
Hmm, I'll check how it is possible to add custom rules of this level.
There are already some custom rules, but you can't modify or add
iptables -A INPUT -m state --state INVALID -j DROP
On the other hand, does it mean that all INVALID packets are dropped by
default?
See /etc/sysconfig/SuSEfirewall2
## Type: yesno
## Default: no
#
# 26.)
# Do you want to REJECT packets instead of DROPing?
#
# DROPing (which is the default) will make portscans and attacks much
# slower, as no replies to the packets will be sent. REJECTing means, that
# for every illegal packet, a connection reject packet is sent to the
# sender.
#
# Choice: "yes" or "no", if not set defaults to "no"
#
# Defaults to "no" if not set
#
FW_REJECT=""
So, they're actually dropped by default.
My current iptables:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
input_int all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
DROP all -- 0.0.0.0/0 0.0.0.0/0
Packets that are not accepted are dropped (and logged).
Ludwig: is there some way we can do the requested '--state INVALID -j DROP' at
the beginning of the iptables rules?
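Added example, not part of the bug report or of SuSEfirewall2: a POSIX sh check that reads `iptables -L INPUT -n` style output (the format quoted in the comment) and reports whether a `state INVALID -j DROP` rule sits ahead of the first ACCEPT rule. The sample listing is constructed from the chain shown above; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the INPUT chain for an
# early "-m state --state INVALID -j DROP" rule. Input is the text of
# `iptables -L INPUT -n`; rule positions are counted after the two header
# lines, matching the numbering `iptables -I INPUT <n>` uses.

# Constructed sample: the INPUT chain listed in the bug comment (no INVALID rule).
SAMPLE_INPUT='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
input_int all -- 0.0.0.0/0 0.0.0.0/0
input_ext all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '\''
DROP all -- 0.0.0.0/0 0.0.0.0/0'

# Position (1-based) of the first "DROP ... state INVALID" rule, 0 if absent.
invalid_drop_position() {
    awk 'NR > 2 { n++; if ($1 == "DROP" && $0 ~ /state INVALID/) { pos = n; exit } }
         END { print pos + 0 }'
}

# Position (1-based) of the first ACCEPT rule, 0 if there is none.
first_accept_position() {
    awk 'NR > 2 { n++; if ($1 == "ACCEPT") { pos = n; exit } }
         END { print pos + 0 }'
}

# Exit 0 when INVALID packets are dropped before anything is accepted,
# otherwise print the rule that would close the gap and exit 1.
check_invalid_drop() {
    listing=$(cat)
    drop=$(printf '%s\n' "$listing" | invalid_drop_position)
    accept=$(printf '%s\n' "$listing" | first_accept_position)
    if [ "$drop" -gt 0 ] && { [ "$accept" -eq 0 ] || [ "$drop" -lt "$accept" ]; }; then
        echo "ok: INVALID packets dropped at rule $drop, before the first ACCEPT"
        return 0
    fi
    echo "missing: no 'state INVALID -j DROP' rule ahead of the first ACCEPT (rule $accept)"
    echo "suggested rule: iptables -I INPUT 1 -m state --state INVALID -j DROP"
    return 1
}

# Run the audit against the constructed sample (reports the gap from the bug).
printf '%s\n' "$SAMPLE_INPUT" | check_invalid_drop || :
```

On a live system, replace the sample with `iptables -L INPUT -n | check_invalid_drop`; the check only reads the listing and changes nothing.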