Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] pers.firewall- rulechains get longer and longer
On Wednesday 16 January 2002 14:13, Ekki Plicht wrote:
> Hi list,
> as a newbie to Linux I decided to use SuSE personal-firewall for simplicity
> reasons.
> Works fine on a T-DSL line with dial-on-demand.

Good decision, and congrats on the setup.

> To learn how the fw works I looked at the output of iptables -L.
> Now, after some days I looked again and found that the "forward" rules get
> longer and longer. I am not sure, but my guess is that for each dial-up a
> new line is added.
>
> The line is:
> Chain FORWARD (policy ACCEPT)
> target     prot opt source       destination
> TCPMSS     tcp  --  anywhere     anywhere      tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> TCPMSS     tcp  --  anywhere     anywhere      tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
> and on and on, 40 lines at last count.
>
> Does anybody know the reason for this?
> Has this something to do with how the script for the pers. fw is invoked at
> each dial-up?

I use a very similar setup, with additional rules added by my ip-up.local
script. I've not used the FORWARD rule yet, and haven't got 'masq' enabled,
so I've not seen this problem yet.

What I'd suggest is you put in a rule on ip-down.local, to empty the FORWARD
rule with 'iptables -F FORWARD', or just delete the rule that is added on
each dial up.

Rob
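
An added example of the two hooks Rob describes (not the original poster's setup and not SuSE's own personal-firewall script): an ip-up.local that appends the TCPMSS clamp only if it is not already in FORWARD, and an ip-down.local that removes every copy of it. It assumes pppd runs both hooks (normally under /etc/ppp/) on each dial-up and hang-up, and that the rule added on every dial-up is the `iptables -L` line shown above, whose command form is `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`. The `IPTABLES` variable and the two function names are this example's own. One caveat: the `iptables -C` rule check used here did not exist in 2002-era iptables (it arrived in 1.4.11); on an older version you would grep `iptables -S FORWARD` instead, or rely on the ip-down cleanup alone.

```shell
#!/bin/sh
# Added example, not the original poster's setup or SuSE's firewall script.
# Assumption: pppd runs ip-up.local / ip-down.local on every dial-up and
# hang-up, and each run of the firewall script appends the same TCPMSS rule
# to FORWARD, so the chain grows by one line per dial-up.
#
# Fix: (1) only append the rule if it is not already present, and
#      (2) on ip-down, delete every copy an older script may have left.
# The rule text is the command form of the `iptables -L` line
#   "tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU".

IPTABLES=${IPTABLES:-/usr/sbin/iptables}   # overridable, e.g. for a dry run
RULE="-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"

# ip-up: add the MSS clamp once. `iptables -C` (check) needs iptables
# 1.4.11 or later; on older versions grep `iptables -S FORWARD` instead.
add_mss_clamp() {
    if $IPTABLES -C FORWARD $RULE 2>/dev/null; then
        return 0          # already in the chain, nothing to do
    fi
    $IPTABLES -A FORWARD $RULE
}

# ip-down: remove the clamp. `-D` deletes only the first matching rule,
# so loop until no copy is left. This is narrower than `iptables -F FORWARD`,
# which would also wipe any unrelated FORWARD rules.
del_mss_clamp() {
    while $IPTABLES -D FORWARD $RULE 2>/dev/null; do
        :
    done
    return 0
}

# Install this one file as both ip-up.local and ip-down.local (or symlink
# it); the hook name decides which action runs. Under any other name the
# script only defines the functions.
case $(basename "$0") in
    ip-up.local)   add_mss_clamp ;;
    ip-down.local) del_mss_clamp ;;
esac
```

The ip-down cleanup is also what repairs a chain that has already grown: run `del_mss_clamp` once by hand and the forty copies go away, after which the idempotent add keeps it at one.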
