Hello,
here is the output of iptables; unfortunately all I see there is a jumble of characters.
iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
input_ext  0    --  anywhere             anywhere
input_ext  0    --  anywhere             anywhere
LOG        0    --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       0    --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        0    --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        0    --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (2 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:netbios-dgm
well... port 137, port 138
ACCEPT     udp  --  anywhere             anywhere            PKTTYPE = broadcast udp dpt:ntp
DROP       0    --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp > source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5801 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5801
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:5901 flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:5901
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
port 445
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
port 139
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere            udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ntp
hmmm
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
LOG        0    --  anywhere             anywhere            limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP       0    --  anywhere             anywhere            PKTTYPE = multicast
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        0    --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       0    --  anywhere             anywhere

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     0    --  anywhere             anywhere            reject-with icmp-proto-unreachable

Regards, Sebastian
Oh... one of the 4 ports is "useless"... but Samba doesn't use more than that... hmm, some of them twice (input chain, forward chain...)... I'm wondering... is the machine connected directly to the Internet??
If not... it makes more sense to do the firewalling "towards the outside"... internally it isn't necessary then! At least in my networks there is a relatively restrictive firewall towards the outside... inside there is NOTHING... a matter of opinion...
Regards, Fred
PS: where does the firewall log??? /var/log/localmessages or /var/log/messages or...??
It actually says in there (in the log) where and why things get stuck... though with a lot of clutter around it....
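To make the "where and why" readable despite the clutter Fred mentions, here is an added example (not from the thread or from SuSEfirewall2) that parses netfilter LOG lines with the SFW2-* prefixes seen in the listing above and reports which of the Samba ports (udp 137/138, tcp 139/445) the firewall dropped traffic for. The sample log lines, the host name fs1 and the addresses are constructed; on a real SUSE box you would feed it /var/log/messages.

```python
import re
from collections import Counter

# Constructed sample lines in the netfilter LOG format that SuSEfirewall2
# writes via syslog ("kernel:"). Not taken from the thread.
SAMPLE_LOG = """\
Jan 10 12:00:01 fs1 kernel: SFW2-INext-ACC-TCP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 10 12:00:02 fs1 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=2 DF PROTO=TCP SPT=49152 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:03 fs1 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Jan 10 12:00:04 fs1 kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=4 DF PROTO=TCP SPT=49153 DPT=139 WINDOW=8192 RES=0x00 SYN URGP=0
Jan 10 12:00:05 fs1 kernel: SFW2-INext-DROP-DEFLT-INV IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.9 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=5 PROTO=TCP SPT=1234 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
"""

# Samba/CIFS ports as they appear in the iptables listing in the thread.
SAMBA_PORTS = {("UDP", 137), ("UDP", 138), ("TCP", 139), ("TCP", 445)}

# The SFW2 prefix is followed by the usual KEY=VALUE fields of the LOG target.
LINE_RE = re.compile(r"kernel: (?P<prefix>SFW2-\S+) (?P<fields>.*)$")


def parse_sfw2_line(line):
    """Return prefix, SRC, PROTO and DPT of one SFW2 log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Flags without '=' (DF, SYN, RST) are skipped; a repeated LEN= is harmless.
    kv = dict(tok.split("=", 1) for tok in m.group("fields").split() if "=" in tok)
    dpt = int(kv["DPT"]) if kv.get("DPT", "").isdigit() else None
    return {"prefix": m.group("prefix"), "src": kv.get("SRC"),
            "proto": kv.get("PROTO"), "dpt": dpt}


def dropped_by_port(lines):
    """Count dropped packets per (proto, dport); only -DROP- prefixes count."""
    counts = Counter()
    for line in lines:
        rec = parse_sfw2_line(line)
        if rec and "-DROP-" in rec["prefix"] and rec["dpt"] is not None:
            counts[(rec["proto"], rec["dpt"])] += 1
    return counts


def blocked_samba_ports(lines):
    """Samba ports the firewall dropped traffic for, sorted."""
    return sorted(p for p in dropped_by_port(lines) if p in SAMBA_PORTS)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (proto, port), n in sorted(dropped_by_port(lines).items()):
        print(f"{proto}/{port}: {n} dropped")
    print("Samba ports still blocked:", blocked_samba_ports(lines))
```

Run against the real file with `python3 sfw2log.py < /var/log/messages` after replacing SAMPLE_LOG with `sys.stdin.read()`; the ACC-TCP lines are deliberately ignored so that only the blocking rules show up.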
I have since opened the ports and it works. Since the internal network is an open university network, I'd better keep the firewall. Now the only thing missing is access to one of the shares from outside; the others work, but one is being stubborn, but that can wait.
Regards, Sebastian
--
To unsubscribe from the list, send a mail to: opensuse-de+unsubscribe@opensuse.org
To get a list of all available commands, send a mail to: opensuse-de+help@opensuse.org