Hi Darryl,
So far as I can interpret, the rules should be allowing the dhcp
protocols (and when I first set up the dhcp server on this machine, it
all worked fine with the firewall running. I didn't think I'd changed
anything). That said, I've not worked with iptables before (this config
is basically what's come out of Yast). So, if I may, I'll take you up on
your implied offer to look at my configuration files (btw, did you
want to see the config of my dhcpclient, or server? Perhaps it's
sufficient to know that the dhcp server is such that all works properly
when the firewall is shut down):
# egrep "^[^#]" /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="eth-id-00:01:6c:a7:4c:1c"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP="domain ipp microsoft-ds netbios-dgm netbios-ns netbios-ssn ssh bootpc bootps"
FW_SERVICES_EXT_UDP="bootpc bootps domain netbios-ns ntp"
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_SERVICES_DMZ_TCP="ipp ssh"
FW_SERVICES_DMZ_UDP="bootpc bootps"
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_REJECT_EXT="0/0,tcp,113"
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="netbios-ns ntp"
FW_ALLOW_FW_BROADCAST_INT=""
FW_ALLOW_FW_BROADCAST_DMZ=""
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
Chain forward_ext (0 references)
target prot opt source destination
Chain input_ext (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:ntp
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:domain flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ipp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-dgm flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-dgm
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ns flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ns
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:bootpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:bootpc
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp dpt:bootps flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
LOG tcp -- anywhere anywhere tcp dpt:ident state NEW limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-REJECT '
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere udp dpt:ntp
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere
Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
# egrep "^[^#]" /etc/sysconfig/network/dhcp
DHCLIENT_BIN=""
DHCLIENT_DEBUG="no"
DHCLIENT_SET_HOSTNAME="no"
DHCLIENT_MODIFY_RESOLV_CONF="no"
DHCLIENT_SET_DEFAULT_ROUTE="yes"
DHCLIENT_MODIFY_NTP_CONF="no"
DHCLIENT_MODIFY_NIS_CONF="yes"
DHCLIENT_SET_DOMAINNAME="yes"
DHCLIENT_KEEP_SEARCHLIST="yes"
DHCLIENT_LEASE_TIME=""
DHCLIENT_TIMEOUT="999999"
DHCLIENT_REBOOT_TIMEOUT=""
DHCLIENT_HOSTNAME_OPTION="AUTO"
DHCLIENT_CLIENT_ID=""
DHCLIENT_VENDOR_CLASS_ID=""
DHCLIENT_RELEASE_BEFORE_QUIT="no"
DHCLIENT_SCRIPT_EXE=""
DHCLIENT_UDP_CHECKSUM="yes"
DHCLIENT_ADDITIONAL_OPTIONS=""
DHCLIENT_SLEEP="0"
DHCLIENT_WAIT_AT_BOOT="5"
DHCLIENT_MODIFY_SMB_CONF="yes"
--- Darryl Gregorash
Root control to Major Tom... Oops, sorry, getting distracted.

On 11/11/2005 01:20 PM, Simon Roberts wrote:
> I have a somewhat odd situation with the SuSE resident firewall (and/or perhaps the Yast tool that configures it).
> I run a few servers on my system, including DHCP, DNS, Samba. I configured the firewall to allow access to these, and for a while all was well. Recently, however, DHCP "just stopped." I traced the problem to the firewall blocking the DHCP port. I've tried restarting the firewall, and a number of other ways to kick it from Yast, but the only way my DHCP works right now is if I turn the firewall off.
> Any suggestions? Should I resort to manual (file-based) configuration, and if so, where do I start finding out how to do that?

You should not need to dispense with DHCP; where do you need the DHCP service available, the internal network, or the DMZ? Wherever it is needed, ensure you open port 67 for INPUT on that interface; I cannot recall if it is TCP or UDP, so make sure to open both protocols. These are the variables that may need to be set in the firewall configuration:
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
and
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
If you are still having problems, please post the outputs of the following:
iptables -L
cat /etc/sysconfig/SuSEfirewall2 | egrep "^[^#]"
cat /etc/sysconfig/network/dhcp | egrep "^[^#]"
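An added check, not part of the thread: in the input_ext chain quoted above, the unconditional DROP of broadcast packets (the rule SuSEfirewall2 builds from the FW_ALLOW_FW_BROADCAST_EXT and FW_IGNORE_FW_BROADCAST_EXT settings) is evaluated before the ACCEPT for udp dpt:bootps, and a DHCP client with no lease yet sends its DISCOVER as a broadcast, so rule order is the thing to inspect. The script below, with two chains constructed from that listing, reports whether the ordering keeps a broadcast DHCP request from reaching the server; rule_pos, dhcp_broadcast_verdict and both sample chains are this example's own names, and the "fixed" chain assumes bootps were added to FW_ALLOW_FW_BROADCAST_EXT in the same way netbios-ns and ntp already are.

```shell
#!/bin/sh
# Added diagnostic, not part of the thread: given an `iptables -L input_ext`
# listing, report whether a blanket broadcast DROP is evaluated before the
# DHCP-server ACCEPT (udp dpt:bootps). A client without a lease sends its
# DISCOVER to 255.255.255.255, so rule order decides whether it is seen.
# Constructed sample, condensed from the thread's listing (wrapped rule
# lines re-joined, as iptables prints them).
SAMPLE_CHAIN='Chain input_ext (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:netbios-ns
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:ntp
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT udp -- anywhere anywhere udp dpt:bootps
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning
DROP all -- anywhere anywhere'

# Constructed "after" sample: the shape SuSEfirewall2 emits for entries in
# FW_ALLOW_FW_BROADCAST_EXT (compare its netbios-ns/ntp rules), assuming
# bootps were added there, so a broadcast ACCEPT precedes the broadcast DROP.
FIXED_CHAIN='Chain input_ext (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:ntp
ACCEPT udp -- anywhere anywhere PKTTYPE = broadcast udp dpt:bootps
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT udp -- anywhere anywhere udp dpt:bootps
DROP all -- anywhere anywhere'
# rule_pos LISTING REGEX: 1-based position of the first rule matching REGEX
# (chain/column header lines are not counted); prints 0 if none matches.
rule_pos() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        /^Chain / || /^target / { next }
        { n++ }
        $0 ~ pat { print n; found = 1; exit }
        END { if (!found) print 0 }'
}

# dhcp_broadcast_verdict LISTING: "missing" (no bootps ACCEPT at all),
# "blocked" (a broadcast DROP precedes it) or "reachable".
dhcp_broadcast_verdict() {
    drop=$(rule_pos "$1" '^DROP .*PKTTYPE = broadcast$')
    acc=$(rule_pos "$1" '^ACCEPT udp .*dpt:bootps$')
    if [ "$acc" -eq 0 ]; then echo missing
    elif [ "$drop" -ne 0 ] && [ "$drop" -lt "$acc" ]; then echo blocked
    else echo reachable
    fi
}

echo "sample: $(dhcp_broadcast_verdict "$SAMPLE_CHAIN")"  # blocked
echo "fixed:  $(dhcp_broadcast_verdict "$FIXED_CHAIN")"   # reachable
# Live host: dhcp_broadcast_verdict "$(iptables -L input_ext)"
```

The live invocation needs the names form of the listing (no -n), since the match keys on dpt:bootps rather than dpt:67.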