Mailinglist Archive: opensuse-security (88 mails)

Re: [suse-security] Firewall denying outgoing connections?
  • From: Joe Knall <joe.knall@xxxxxxx>
  • Date: Sat, 15 Apr 2006 00:49:41 +0200
  • Message-id: <200604150049.41624.joe.knall@xxxxxxx>
Hi Carlos,

let me try to give you a hint, though I'm not an expert on SuSEfirewall2.

On Friday, 14 April 2006 17:06, Carlos E. R. wrote:
> What causes this error in the firewall?
> Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0
> SRC= DST= LEN=40 TOS=0x08 PREC=0x00 TTL=64
> ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 RES=0x00 ACK
> URGP=0

The log tells you that your client (SRC=, SPT=6881) sends answers (ACK)
that are somehow invalid to a machine on the internet
(DST=, DPT=4712, tcp).

Why ERROR, not DROP?
As far as I can see, SuSEfirewall2 doesn't block any outgoing connections
- your machine may connect wherever.

In /sbin/SuSEfirewall2 there is exactly one place that produces this ERROR log
(lines 1104-1105, SuSE 9.3):
$iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED
$iptables -A OUTPUT -j LOG ${LOG}"-OUT-ERROR "

A packet which is not in NEW,ESTABLISHED,RELATED must be invalid
somehow; it is not handled by the first line but by the second. But it
doesn't seem to be dropped afterwards, only logged as ERROR!
The lines immediately after say:
# we want to let locally generated packets out since our task is not
# to protect the world from us, but protect us from the world ;)
# policy is ACCEPT
$iptables -A OUTPUT -j ACCEPT

So your problem probably has nothing to do with the firewall itself but
with the client or something in between (invalid packets).

> Why am I denied outgoing access to some ports now and then?
The "now and then" confirms the suspicion (client problem).

Apart from this your last paragraph shows some essential

> port 6881 is allowed entry in the config:
> FW_SERVICES_EXT_TCP="6881:6889"

This has _nothing_ to do with the above.

/etc/sysconfig/SuSEfirewall2 says:
# 9.)
# Which TCP services _on the firewall_ should be accessible from
# untrusted networks?

In other words: with FW_SERVICES_EXT_TCP you allow _incoming_
connections to your net/host; the internet is allowed to connect to
your machine on ports 6881 - 6889 tcp. Maybe that's not what you want.

Bye, Joe
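To make Joe's reading of the OUTPUT chain concrete, here is an added example in Python; it is not code from the mail or from SuSEfirewall2. It models the three OUTPUT rules quoted above with iptables semantics (LOG is a non-terminating target, so a packet that is logged still reaches the final ACCEPT), puts a hypothetical log-then-DROP variant next to it for comparison, and parses SFW2 log lines so that SFW2-OUT-ERROR entries can be counted per local port and peer. The first sample line is Carlos's own (with the addresses already stripped in the archive); the other two sample lines, the prefix SFW2-INext-DROP-DEFLT used in one of them, and the function names are constructed for the example.

```python
import re
from collections import Counter

# The three OUTPUT rules quoted from /sbin/SuSEfirewall2 (SuSE 9.3), modelled as
# (set of conntrack states the rule matches, target).  An empty set matches all.
SFW2_OUTPUT_CHAIN = [
    ({"NEW", "ESTABLISHED", "RELATED"}, "ACCEPT"),  # -m state --state NEW,ESTABLISHED,RELATED
    (set(), "LOG"),                                 # -j LOG "SFW2-OUT-ERROR "; LOG never terminates
    (set(), "ACCEPT"),                              # "policy is ACCEPT": everything else leaves too
]

# Hypothetical hardened variant for comparison, NOT what SuSEfirewall2 ships:
# log the packet, then drop it instead of letting it out.
DROP_INVALID_CHAIN = [
    ({"NEW", "ESTABLISHED", "RELATED"}, "ACCEPT"),
    (set(), "LOG"),
    (set(), "DROP"),
]


def walk_chain(chain, state):
    """Traverse `chain` for a locally generated packet whose conntrack state is
    `state` and return (was_logged, verdict).  Mirrors iptables semantics: the
    first matching terminating target decides; LOG only records and falls through."""
    logged = False
    for states, target in chain:
        if states and state not in states:
            continue
        if target == "LOG":
            logged = True
            continue
        return logged, target
    return logged, "CHAIN-POLICY"  # fell off the end: the chain's own policy applies


_PREFIX_RE = re.compile(r"(SFW2-\S+)\s*(.*)")


def parse_sfw2(line):
    """Parse one SFW2 kernel log line into a dict of fields.
    KEY=value tokens map to their value (an empty value, e.g. 'SRC=' with the
    address stripped, maps to ''); bare flags such as DF, ACK, SYN map to True.
    Returns None for lines that carry no SFW2 prefix."""
    m = _PREFIX_RE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": m.group(1)}
    for tok in m.group(2).split():
        key, eq, val = tok.partition("=")
        fields[key] = val if eq else True
    return fields


def out_error_summary(lines):
    """Count SFW2-OUT-ERROR entries per (SPT, DST, DPT).  One local port showing
    up against several peers points at that client, not at the firewall."""
    counts = Counter()
    for line in lines:
        f = parse_sfw2(line)
        if f and f["PREFIX"] == "SFW2-OUT-ERROR":
            counts[(f.get("SPT", ""), f.get("DST", ""), f.get("DPT", ""))] += 1
    return counts


# Sample input.  Line 1 is Carlos's line as quoted in the mail; lines 2 and 3 are
# constructed for this example (RFC 5737 documentation addresses).
SAMPLE_LOG_LINES = [
    "Apr 14 17:03:37 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC= DST= LEN=40 "
    "TOS=0x08 PREC=0x00 TTL=64 ID=53126 DF PROTO=TCP SPT=6881 DPT=4712 WINDOW=32767 "
    "RES=0x00 ACK URGP=0",
    "Apr 14 17:03:52 nimrodel kernel: SFW2-OUT-ERROR IN= OUT=eth0 SRC=192.0.2.10 "
    "DST=198.51.100.7 LEN=40 TOS=0x08 PREC=0x00 TTL=64 ID=53140 DF PROTO=TCP SPT=6881 "
    "DPT=51413 WINDOW=32767 RES=0x00 ACK URGP=0",
    "Apr 14 17:04:01 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=203.0.113.5 "
    "DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2245 DF PROTO=TCP SPT=3321 "
    "DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for state in ("NEW", "ESTABLISHED", "RELATED", "INVALID"):
        print(f"{state:12} SFW2: {walk_chain(SFW2_OUTPUT_CHAIN, state)}"
              f"   log-then-drop: {walk_chain(DROP_INVALID_CHAIN, state)}")
    for (spt, dst, dpt), n in out_error_summary(SAMPLE_LOG_LINES).items():
        print(f"OUT-ERROR x{n}: SPT={spt} -> DST={dst or '?'} DPT={dpt}")
```

Running it shows the point of the mail: an INVALID packet comes out of the quoted chain as (logged, "ACCEPT"), so the ERROR line is a record, not a denial, while only the hypothetical variant would turn it into (logged, "DROP"). The summary groups the OUT-ERROR entries by the local source port, which is how to tell whether one client keeps producing them.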
