* Chris FitzGerald; on 08 Nov, 2002 wrote:
Hi all,
I have my firewall up and running thanks to the firewall2.pdf I found in
Thanks! All the replies coming in are bringing enlightenment to my Linux
Experience ;)
Only a shame I discovered it so late (after I set up a win"shit"2000 domain)
lol
thanks again
----- Original Message -----
From: "Togan Muftuoglu"
Glad that it helped you
1. Is it safe to change the startup sequence like that for security
reasons ?
No, as with the first run of SuSEConfig things will change to their default.
2. If the script is parsed and doesn't find the servers, are the ports
then open or are they closed out of security and do they stay closed ?
3. Can I safely put SuSEfirewall2_final to S99 ?
No, based on the above.
Here is what is happening
Phase One
# /etc/init.d/SuSEfirewall2_init
#
### BEGIN INIT INFO
# Provides: SuSEfirewall2_init
# Required-Start: serial
# Required-Stop: $network
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: SuSEfirewall2 phase 1
# Description: SuSEfirewall2_init does some basic setup and is the
#              phase 1 of 3 of the SuSEfirewall initialization
When this phase starts, it will call SuSEfirewall2 with the parameter "close"; you can have a look at the firewall2.pdf, page 3, Technical Background of SuSEfirewall2.
After that, the second phase starts once the related services mentioned in the "Required start" section have been activated, as shown below:
### BEGIN INIT INFO
# Provides: SuSEfirewall2_setup
# Required-Start: SuSEfirewall2_init network $local_fs route dhclient
# Required-Stop: $local_fs
# Default-Start: 3 4 5
# Default-Stop: 0 1 2 6
# Short-Description: SuSEfirewall2 phase 2
# Description: SuSEfirewall2_setup does some basic setup and is the
#              phase 2 of 3 of the SuSEfirewall initialization.
At this stage SuSEfirewall is called with the "start" parameter, /etc/sysconfig/SuSEfirewall2 is parsed, and the rules are applied. Now you have better protection for the services running at this stage.
Finally, the last phase starts after the "Required services have started"; as you can see below, this stage should start after squid (just to note, since you have mentioned it).
# /etc/init.d/SuSEfirewall2_final
#
### BEGIN INIT INFO
# Provides: SuSEfirewall2_final
# Required-Start: SuSEfirewall2_setup $remote_fs rpc named sshd inetd
#                 dhcp nscd nessusd wpmd squid ipsec
# Required-Stop: SuSEfirewall2_setup
# Default-Start: 3 4 5
# Default-Stop:
# Short-Description: SuSEfirewall2 phase 3
So this is the intended way of the SuSEfirewall2. If there are warnings during the second phase, you can ignore the warnings, since at the end (meaning after the final stage) it should work as it is designed and configured.
On the other hand you may have manually adjusted the start sequence of some services and that may be causing problems.
To have some idea regarding the services, have a look at http://dinamizm.ath.cx/services.html; it might give you clues if you have changed the order of services manually.
HTH
--
Togan Muftuoglu Unofficial SuSE FAQ Maintainer http://dinamizm.ath.cx
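
Added example (not part of the original thread, and not SuSE's own tooling): a small Python check that parses the Provides/Required-Start lines of the three headers quoted above and reports where a given start order breaks them. The two boot orders are constructed, and skipping dependencies that are absent from the order is an assumption of this sketch.

```python
import re

# Provides/Required-Start lines copied from the three headers quoted above.
HEADERS = """\
### BEGIN INIT INFO
# Provides: SuSEfirewall2_init
# Required-Start: serial
### BEGIN INIT INFO
# Provides: SuSEfirewall2_setup
# Required-Start: SuSEfirewall2_init network $local_fs route dhclient
### BEGIN INIT INFO
# Provides: SuSEfirewall2_final
# Required-Start: SuSEfirewall2_setup $remote_fs rpc named sshd inetd
#                 dhcp nscd nessusd wpmd squid ipsec
"""

def parse_required_start(text):
    """Map each Provides name to its Required-Start list, joining continuation lines."""
    deps, name, key = {}, None, None
    for line in text.splitlines():
        m = re.match(r"#\s*([A-Za-z-]+):\s*(.*)", line)
        if m:
            key, value = m.group(1), m.group(2)
            if key == "Provides":
                name = value.strip()
                deps[name] = []
            elif key == "Required-Start" and name:
                deps[name] += value.split()
        elif key == "Required-Start" and name and re.match(r"#\s{2,}\S", line):
            deps[name] += line.lstrip("#").split()  # continuation of the list
        else:
            key = None
    return deps

def order_violations(order, deps):
    """Return (script, dependency) pairs where the dependency starts after the script."""
    pos = {name: i for i, name in enumerate(order)}
    # Assumption: a dependency missing from `order` (not installed) is skipped.
    return [(s, d) for s in order for d in deps.get(s, [])
            if d in pos and pos[d] > pos[s]]

DEPS = parse_required_start(HEADERS)
# Constructed boot orders: the intended one, and one with phase 3 moved early.
INTENDED = ["SuSEfirewall2_init", "network", "SuSEfirewall2_setup",
            "sshd", "squid", "SuSEfirewall2_final"]
EDITED = ["SuSEfirewall2_init", "network", "SuSEfirewall2_setup",
          "SuSEfirewall2_final", "sshd", "squid"]
for label, order in (("intended", INTENDED), ("edited", EDITED)):
    print(label, order_violations(order, DEPS))
```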