Hans wrote regarding 'Re: [SLE] SuSEfirewall2 misbehaving' on Fri, Aug 20 at 07:21:
Thanks Danny,
I had to modify it slightly, iptables didn't seem to like REJECT (weird?). I
Doh. The REJECT target is an extension now, rather than being built in like I remember from ipchains/ipfw. If you throw a "/sbin/modprobe ipt_REJECT" in there somewhere (or otherwise make that module load at boot, like in /etc/modules.conf or something) REJECT oughtta work.

I think DROP is probably just fine on that, though. If you're blocking internal access and external access, you might stick another rule on the end there (just before the last rule) to REJECT stuff with an internal source, just so you're not waiting for a timeout. I prefer DROP on external interfaces so it slows down port scanners, but internally I usually REJECT so the connecting application can return immediately. :)

I'm glad it worked for you, anyway.

--Danny
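The rule order Danny describes (load ipt_REJECT first, REJECT internal sources just before the final DROP, DROP on the external interface), as an added example that is not part of the thread and not SuSEfirewall2's own script. Interface names, the LAN subnet and the open SSH port are assumptions; the script prints the commands for review and only runs them with --apply.

```shell
#!/bin/sh
# Constructed example: emit the INPUT chain in the order discussed above.
# Assumed names (not from the thread): LAN_IF=eth1, WAN_IF=eth0, LAN_NET=192.168.1.0/24.
LAN_IF=${LAN_IF:-eth1}
WAN_IF=${WAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Print (do not run) the commands, so the ordering can be checked first.
firewall_rules() {
    # REJECT is a target extension module: load it before any -j REJECT rule,
    # otherwise iptables refuses the rule (the symptom Hans hit).
    echo "/sbin/modprobe ipt_REJECT"
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    # Internal sources: answer at once (TCP RST, then ICMP unreachable for the
    # rest) so LAN clients fail immediately instead of waiting for a timeout.
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp -j REJECT --reject-with tcp-reset"
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -j REJECT"
    # External interface: drop silently so a port scanner has to wait.
    echo "iptables -A INPUT -i $WAN_IF -j DROP"
    # Catch-all last rule; the internal REJECT rules sit just above it.
    echo "iptables -A INPUT -j DROP"
}

# Position (1-based) of the first emitted command matching a pattern.
rule_index() {
    firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# Applying needs root and a real iptables; do it only when asked.
if [ "${1:-}" = "--apply" ]; then
    firewall_rules | sh -e
else
    firewall_rules
fi
```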