Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] Help needed for configuring firewall with YAST
  • From: Stefan Suurmeijer <stefan@xxxxxxxxxxxx>
  • Date: Sun, 6 Aug 2000 15:14:14 +0200 (CEST)
  • Message-id: <Pine.LNX.4.21.0008061444100.6675-100000@xxxxxxxxxxxxxxxxxxxx>
On Sun, 6 Aug 2000, Franky GOETHALS wrote:

> Stefan Suurmeijer wrote:
> >
> > On Sat, 5 Aug 2000, Franky GOETHALS wrote:
> >
> > > Hello all,
> > >
> > > Since a while I've remarked the following lines in my firewall-log:
> > >
> > > Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to
> > > 195.130.132.18
> > > Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17
> > > 195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)
> > > Jul 18 21:40:11 penguin dhcpcd[109]: DHCP_ACK received from (195.130.132.18)
> > >
> > > Can anyone help me? It appears to be in the
> Stefan,
>
> The value of this variable is already 'yes'.
>
> Any other ideas ?
>
> Tnx already,
>
> Franky.
>

Well, if that value is set to yes, theoretically all traffic coming from
system x port 67 to your port 68 should be allowed (see
/sbin/SuSEfirewall). If it isn't, you probably defined another rule
somewhere specifically denying these connections from this system. To say
anything meaningful, I'd have to take a look at either your
firewall.rc.config or your ipchains -L output. What you could do is take a
look at your ipchains -L|grep DENY output and see if there's a rule
blocking udp connections from the dhcp server.
If you really want control over the rules generated, you should use a
custom made script instead of SuSEfirewall, adding only those rules you
need.


>
> > > 'critical' messages for the firewall.
> > >
> >
> > What it's telling you is that host 195.130.132.18 is sending a udp
> > (PROTO=17) package to host 213.224.69.28 with bootp information (port 67 &
> > 68) and that package is being denied. If you use the standard Suse
> > firewall configuration script (/etc/rc.config.d/firewall.rc.config) you
> > should have:
> >
> > FW_SERVICE_DHCLIENT="no" # if you use dhclient to get an ip address
> > # you have to set this to "yes" !
> >
> > set to yes, or manually add a rule for accepting bootp packages
> >
> > > I would like to allow these requests through my firewall, but I didn't
> > > succeed. I'm trying to configure it with YAST & FW_- variables in the
> > > configuration-file.
> > >
>


Stefan




==========================================
Stefan Suurmeijer
Network Specialist
University of Groningen
tel: (+31) 50 363 3423
fax: (+31) 50 363 7272
E-mail (business): s.m.suurmeijer@xxxxxxxxxx
E-mail (private): stefan@xxxxxxxxxxxx
==========================================

Quis custodiet ipsos custodes? (Who'll watch the watchmen?) - Unknown
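
Added example, not part of the original mail: a small parser for the ipchains "Packet log" lines quoted in the thread. It picks out denied DHCP server replies (UDP 67 -> 68) and reports the trailing (#N) field, which is the number of the rule in that chain that logged the packet and so shows which rule to inspect. The function names are hypothetical, the wrapped log lines from the mail are joined, and the last two sample lines are constructed.

```python
import re

# Layout of an ipchains kernel log entry:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<port> <dst>:<port> ... (#<rule>)
PACKET_LOG = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
    r".*?(?:\(#(?P<rule>\d+)\))?\s*$"
)

def parse_packet_log(line):
    """Return the fields of one packet log line as a dict, or None for other lines."""
    m = PACKET_LOG.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    # Older 2.2 kernels do not append the rule number.
    rec["rule"] = int(rec["rule"]) if rec["rule"] else None
    return rec

def denied_dhcp_replies(lines):
    """List (server, client, chain, rule) for blocked DHCP replies: UDP, port 67 to 68."""
    hits = []
    for line in lines:
        rec = parse_packet_log(line)
        if (rec and rec["action"] in ("DENY", "REJECT") and rec["proto"] == 17
                and rec["sport"] == 67 and rec["dport"] == 68):
            hits.append((rec["src"], rec["dst"], rec["chain"], rec["rule"]))
    return hits

SAMPLE = [
    # First two lines are from the thread (unwrapped); the rest are constructed.
    "Jul 18 21:40:11 penguin dhcpcd[109]: sending DHCP_REQUEST for 213.224.69.28 to 195.130.132.18",
    "Jul 18 21:40:11 penguin kernel: Packet log: input DENY eth0 PROTO=17 "
    "195.130.132.18:67 213.224.69.28:68 L=330 S=0x00 I=60193 F=0x4000 T=252 (#127)",
    "Jul 18 21:41:02 penguin kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.0.2.7:40112 213.224.69.28:23 L=44 S=0x00 I=5121 F=0x0000 T=52 (#130)",
    "Jul 18 21:42:30 penguin kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.9:67 213.224.69.28:68 L=328 S=0x00 I=77 F=0x0000 T=60",
]

if __name__ == "__main__":
    for server, client, chain, rule in denied_dhcp_replies(SAMPLE):
        where = f"rule #{rule}" if rule is not None else "rule number not logged"
        print(f"DHCP reply {server} -> {client} blocked in chain '{chain}' ({where})")
```

For the line from the thread this reports rule 127 of the input chain, which is the entry to look for in the ipchains -L output.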




