Mailinglist Archive: opensuse-security (757 mails)

SuSEfirewall 5.1 and open ports
  • From: Togan Muftuoglu <toganm@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Thu, 24 Jan 2002 16:34:49 +0200
  • Message-id: <20020124163449.B2981@xxxxxxxxxxxx>

While going over the last things for the DMZ server I found a part which
I do not understand: there are a couple of hardcoded areas like line 841 in
SuSEFirewall 5.1.
I have only enabled www and https and allowed ping for external, and for
trusted IPs I have enabled ssh. Why these hardcoded lines are necessary I
do not understand. If it was 1024:65535 it would have made more sense
to me, as these are safer (relative to 600:65534).

# This sucks, we need this rule so we can receive data ... hello stealth scan
for i in $DEV_INT $DEV_DMZ $DEV_WORLD; do
    $IPCHAINS -A input -j "$ACCEPT" -p tcp -d $i 600:65535 '!' -y $LAA
done

and here, why is the ftp-data port hardcoded?

for i in $DEV_INT $DEV_DMZ $DEV_WORLD; do
    $IPCHAINS -A input -j "$ACCEPT" -p tcp -d $i 20 '!' -y $LAA
done

I know I can change these entries, but rather than doing them blindly I
would like to understand the reasoning.


Togan Muftuoglu
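As an added illustration (not part of this post, and not SuSEfirewall's own code), a small Python model of how the two quoted ipchains rules match a TCP packet. In ipchains, `-y` matches a segment with SYN set and ACK/FIN clear, so `'!' -y` matches every other segment; the packets below are constructed, and the model assumes the packet is addressed to one of the firewall's own interfaces (the `-d $i` part).

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class TcpPacket:
    dst_port: int
    syn: bool  # True = a connection request (SYN set, ACK and FIN clear), i.e. what -y matches


@dataclass(frozen=True)
class PortRule:
    low: int
    high: int
    not_syn: bool  # the '!' -y qualifier: accept only segments that are NOT connection requests

    def matches(self, pkt: TcpPacket) -> bool:
        in_range = self.low <= pkt.dst_port <= self.high
        flag_ok = (not pkt.syn) if self.not_syn else True
        return in_range and flag_ok


# The two rules quoted from SuSEfirewall 5.1, modelled as the chain would see them.
HIGH_PORT_RULE = PortRule(600, 65535, not_syn=True)  # -d $i 600:65535 '!' -y
FTP_DATA_RULE = PortRule(20, 20, not_syn=True)       # -d $i 20 '!' -y
RULES = (HIGH_PORT_RULE, FTP_DATA_RULE)

# The narrower range the poster suggests instead, for comparison.
ALT_RULE = PortRule(1024, 65535, not_syn=True)


def accepted_by(rules: Sequence[PortRule], pkt: TcpPacket) -> Optional[PortRule]:
    """First-match evaluation, as an ipchains chain does; None means no rule here accepts it."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    return None


def replies_accepted(rule: PortRule, local_port: int) -> bool:
    """Would the reply segments (never SYN-only) of an outgoing connection that used
    local_port as its source port pass this rule?  ipchains keeps no connection
    state, so such replies are accepted only if a rule like these admits them."""
    return rule.matches(TcpPacket(dst_port=local_port, syn=False))
```

The same mechanics also explain the "hello stealth scan" comment: a probe that is not a connection request (for example an ACK-only segment) to any port in the range passes the rule, which is the trade-off of admitting reply traffic without connection tracking.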
