
Topic: Samba and firewall settings without effect

  1. #1
    linuxnoob
    Joined
    Nov 2004
    Posts
    229

    Samba and firewall settings without effect

    Hello, dear Linux pros.

    I set up a file server with Suse 9.2, and now I have the problem that when I want to connect to the Samba server from a Windows box, I get the message that I don't have permission.

    If I turn the firewall off, though, it works. I have now handled the whole thing according to this thread,
    but without success.

    My impression is that I can configure whatever I want, the firewall simply ignores it.

    smb.conf
    Code:
    # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE
    # Date: 2004-10-05
    [global]
    	workgroup = msheimnetz
    	printing = cups
    	printcap name = cups
    	printcap cache time = 750
    	cups options = raw
    	printer admin = @ntadmin, root, administrator
    	username map = /etc/samba/smbusers
    	map to guest = Bad User
    	include = /etc/samba/dhcp.conf
    	logon path = \\%L\profiles\.msprofile
    	logon home = \\%L\%U\.9xprofile
    	logon drive = P:
    	security = user
    	encrypt passwords = yes
    	ldap idmap suffix = ou=Idmap
    	ldap machine suffix = ou=Computers
    	load printers = no
    	ldap suffix = dc=example,dc=com
    ## Share disabled by YaST
    # [homes]
    #	comment = Home Directories
    #	valid users = %S
    #	browseable = no
    #	read only = no
    #	inherit acls = yes
    
    ## Share disabled by YaST
    # [profiles]
    #	comment = Network Profiles Service
    #	path = %H
    #	read only = no
    #	store dos attributes = yes
    #	create mask = 0600
    #	directory mask = 0700
    
    ## Share disabled by YaST
    # [users]
    #	comment = All users
    #	path = /home
    #	read only = no
    #	inherit acls = yes
    #	veto files = /aquota.user/groups/shares/
    ## Share disabled by YaST
    # [groups]
    #	comment = All groups
    #	path = /home/groups
    #	read only = no
    #	inherit acls = yes
    ## Share disabled by YaST
    # [pdf]
    #	comment = PDF creator
    #	path = /var/tmp
    #	printable = yes
    #	print command = /usr/bin/smbprngenpdf -J '%J' -c %c -s %s -u '%u' -z %z
    #	create mask = 0600
    ## Share disabled by YaST
    # [printers]
    #	comment = All Printers
    #	path = /var/tmp
    #	printable = yes
    #	create mask = 0600
    #	browseable = no
    ## Share disabled by YaST
    # [print$]
    #	comment = Printer Drivers
    #	path = /var/lib/samba/drivers
    #	write list = @ntadmin root
    #	force group = ntadmin
    #	create mask = 0664
    #	directory mask = 0775
    
    [data2]
    	comment = Filme
    	path = /data2/
    	writeable = yes
    
    [data3]
    	comment = Filme, Musik, Programme, Spiele
    	path = /data3/
    	writeable = yes
    
    [overnet]
    	comment = aktuelles
    	path = /data3/overnet/incoming/
    	writeable = yes
    Maybe you have an idea or a solution.

    I would also like to post the firewall settings for you, but I don't know where to find the .conf for that.
    My root server:
    2x Dual Core AMD Opteron(tm) Processor 280 with Suse 9.3, 4 GB RAM, 300 GB storage.
    PHP Version 4.3.10-18 MySQL Version 4.0.24 Confixx v. s4y

  2. #2
    linuxnoob
    Joined
    Nov 2004
    Posts
    229
    Can't anyone help me?

  3. #3
    Registered user ThorstenHirsch
    Joined
    Nov 2002
    Posts
    6,556
    Yes, you still have to tell the firewall to open the port (139 or 445, please check again!) for Windows file sharing, i.e. Samba. It might also be called "File Server" or something like that.
    Our friend... the computer!
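Added example, not part of the thread: a small Python checker of my own that reads the FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP lines of a SuSEfirewall2 config and reports whether the ports a Windows client needs on a Samba server (TCP 139 and 445, UDP 137 and 138) are actually opened, expanding port ranges such as "20:24" and resolving service names through a constructed subset of /etc/services. It also flags an empty FW_DEV_INT, because then the LAN interface sits in the external zone and only the FW_SERVICES_EXT_* lists apply to it. The embedded config is a constructed excerpt using the values posted further down in this thread; it is not the full file.

```python
import re
import shlex

# Constructed subset of /etc/services covering the names used in the thread's
# config. A real checker would read /etc/services instead (assumption here).
SERVICE_PORTS = {
    "http": 80, "ssh": 22,
    "netbios-ns": 137, "netbios-dgm": 138, "netbios-ssn": 139, "microsoft-ds": 445,
}

# What a Windows client needs to reach on a Samba server: NetBIOS name and
# datagram service over UDP, NetBIOS session and direct-hosted SMB over TCP.
SAMBA_PORTS = {"tcp": {139, 445}, "udp": {137, 138}}


def parse_sysconfig(text):
    """Parse KEY="value" lines of a /etc/sysconfig style file into a dict."""
    values = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if not m:
            continue
        name, raw = m.groups()
        parts = shlex.split(raw)          # drops the surrounding quotes
        values[name] = parts[0] if parts else ""
    return values


def expand_ports(spec):
    """Expand a FW_SERVICES_* value such as 'ssh 20:24 netbios-ns' into port numbers."""
    ports = set()
    for tok in spec.split():
        if ":" in tok:                    # port range, e.g. "20:24"
            lo, hi = tok.split(":", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif tok.isdigit():
            ports.add(int(tok))
        elif tok in SERVICE_PORTS:
            ports.add(SERVICE_PORTS[tok])
        else:
            raise ValueError(f"unknown service name {tok!r}; extend SERVICE_PORTS")
    return ports


def check_samba_access(config_text):
    """Return (missing ports per protocol, human-readable findings) for the external zone."""
    cfg = parse_sysconfig(config_text)
    findings = []
    if not cfg.get("FW_DEV_INT"):
        findings.append("FW_DEV_INT is empty, so the LAN interface is in the external "
                        "zone and only FW_SERVICES_EXT_* applies to it")
    missing = {}
    for proto in ("tcp", "udp"):
        key = f"FW_SERVICES_EXT_{proto.upper()}"
        gap = sorted(SAMBA_PORTS[proto] - expand_ports(cfg.get(key, "")))
        if gap:
            missing[proto] = gap
            findings.append(f"{key} does not open {proto} ports {gap}")
    return missing, findings


# Constructed excerpt mirroring the values posted in this thread.
THREAD_CONFIG = '''
FW_DEV_EXT="eth-id-00:c1:26:0e:fa:4c"
FW_DEV_INT=""
FW_PROTECT_FROM_INTERNAL="no"
FW_SERVICES_EXT_TCP="http microsoft-ds netbios-dgm netbios-ns netbios-ssn ssh 20:24"
FW_SERVICES_EXT_UDP="20:24"
'''

# The same excerpt with the NetBIOS UDP services added to the external zone.
FIXED_CONFIG = THREAD_CONFIG.replace('FW_SERVICES_EXT_UDP="20:24"',
                                     'FW_SERVICES_EXT_UDP="netbios-ns netbios-dgm 20:24"')

if __name__ == "__main__":
    for label, text in (("as posted", THREAD_CONFIG), ("with UDP 137/138", FIXED_CONFIG)):
        missing, findings = check_samba_access(text)
        print(f"{label}: missing={missing}")
        for finding in findings:
            print("  -", finding)
```

Run against the posted values, the checker reports that TCP 139/445 are covered (netbios-ssn and microsoft-ds are in the TCP list) but UDP 137/138 are not, since the UDP list only contains 20:24; the browse and name-resolution traffic a Windows client sends first is therefore still filtered. The FW_DEV_INT finding is the other thing to look at: the config's own comments say that with FW_PROTECT_FROM_INTERNAL="no" machines on an internal interface may reach any service on the firewall, so putting the LAN NIC there instead of in FW_DEV_EXT is the usual arrangement for a file server on a trusted LAN.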

  4. #4
    linuxnoob
    Joined
    Nov 2004
    Posts
    229
    Quote Originally Posted by ThorstenHirsch
    Yes, you still have to tell the firewall to open the port (139 or 445, please check again!) for Windows file sharing, i.e. Samba. It might also be called "File Server" or something like that.

    I did open the ports via YaST, both UDP and TCP.
    That is exactly the trouble: I can configure whatever I want, the firewall simply doesn't apply it; it seems to have a mind of its own.

    How can I still get the firewall to accept it?

    Here is the SuSEfirewall2.conf:
    Code:
    # Copyright (c) 2000-2002 SuSE GmbH Nuernberg, Germany.  All rights reserved.
    # Copyright (c) 2003,2004 SuSE Linux AG Nuernberg, Germany.  All rights reserved.
    #
    # Author: Marc Heuse, 2002
    #
    # If you have problems getting this tool configured, please read this file
    # carefully and take also a look into
    #  -> /usr/share/doc/packages/SuSEfirewall2/EXAMPLES !
    #  -> /usr/share/doc/packages/SuSEfirewall2/FAQ !
    #
    # /etc/sysconfig/SuSEfirewall2
    #
    # for use with /sbin/SuSEfirewall2 version 3.2
    #
    # ------------------------------------------------------------------------     #
    # PLEASE NOTE THE FOLLOWING:
    #
    # Just by configuring these settings and using the SuSEfirewall2 you are
    # not secure per se! There is *no* such thing you install and hence you
    # are safe from all (security) hazards.
    #
    # To ensure your security, you need also:
    #
    #   * Secure all services you are offering to untrusted networks (internet)
    #     You can do this by using software which has been designed with
    #     security in mind (like postfix, apop3d, ssh), setting these up without
    #     misconfiguration and praying, that they have got really no holes.
    #     SuSEcompartment can help in most circumstances to reduce the risk.
    #   * Do not run untrusted software. (philosophical question, can you trust
    #     SuSE or any other software distributor?)
    #   * Harden your server(s) with the harden_suse package/script
    #   * Recompile your kernel with the openwall-linux kernel patch
    #     (former secure-linux patch, from Solar Designer) www.openwall.com
    #   * Check the security of your server(s) regularly
    #   * If you are using this server as a firewall/bastion host to the internet
    #     for an internal network, try to run proxy services for everything and
    #     disable routing on this machine.
    #   * If you run DNS on the firewall: disable untrusted zone transfers and
    #     either don't allow access to it from the internet or run it split-brained.
    #
    # Good luck!
    #
    # Yours,
    #	SuSE Security Team
    #
    # ------------------------------------------------------------------------
    #
    # Configuration HELP:
    #
    # If you have got any problems configuring this file, take a look at
    # /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
    #
    #
    # All types have to set enable SuSEfirewall2 in the runlevel editor
    #
    # If you are a end-user who is NOT connected to two networks (read: you have
    # got a single user system and are using a dialup to the internet) you just
    # have to configure (all other settings are OK): 2) and maybe 9).
    #
    # If this server is a firewall, which should act like a proxy (no direct
    # routing between both networks), or you are an end-user connected to the
    # internet and to an internal network, you have to setup your proxys and
    # reconfigure (all other settings are OK): 2), 3), 9) and maybe 7), 11), 14)
    #
    # If this server is a firewall, and should do routing/masquerading between
    # the untrusted and the trusted network, you have to reconfigure (all other
    # settings are OK): 2), 3), 5), 6), 9), and maybe 7), 10), 11), 12), 13),
    # 14), 20)
    #
    # If you want to run a DMZ in either of the above three standard setups, you
    # just have to configure *additionally* 4), 9), 12), 13), 17), 19).
    #
    # If you know what you are doing, you may also change 8), 11), 15), 16)
    # and the expert options 19), 20), 21), 22) and 23) at the far end, but you
    # should NOT.
    #
    # If you use diald or ISDN autodialing, you might want to set 17).
    #
    # To get programs like traceroutes to your firewall to work is a bit tricky,
    # you have to set the following options to "yes" : 11 (UDP only), 18 and 19.
    #
    # Please note that if you use service names, that they exist in /etc/services.
    # There is no service "dns", it's called "domain"; email is called "smtp" etc.
    #
    # *Any* routing between interfaces except masquerading requires to set FW_ROUTE
    # to "yes" and use FW_FORWARD or FW_ALLOW_CLASS_ROUTING !
    #
    # If you just want to do masquerading without filtering, ignore this script
    # and run this line (exchange "ippp0" "ppp0" if you use a modem, not isdn):
    #   iptables -A POSTROUTING -t nat -j MASQUERADE -o ippp0
    #   echo 1 > /proc/sys/net/ipv4/ip_forward
    # and additionally the following lines to get at least a minimum of security:
    #   iptables -A INPUT -j DROP -m state --state NEW,INVALID -i ippp0
    #   iptables -A FORWARD -j DROP -m state --state NEW,INVALID -i ippp0
    # ------------------------------------------------------------------------
    
    ## Path:	Network/Firewall/SuSEfirewall2
    ## Description:	SuSEfirewall2 configuration
    ## Type:	yesno
    ## Default:	no
    ## ServiceRestart: SuSEfirewall2_setup
    #
    # 1.)
    # Should the Firewall run in quickmode?
    #
    # "Quickmode" means that only the interfaces pointing to external
    # networks are secured, and no other. all interfaces not in the list
    # of FW_DEV_EXT are allowed full network access! Additionally,
    # masquerading is automatically activated for FW_MASQ_DEV devices.
    # and last but not least: all incoming connection via external
    # interfaces are REJECTED. You will only need to configure 2.) and
    # FW_MASQ_DEV in 6.) Optionally, you may add entries to section 9a.)
    #
    # defaults to "no" if not set
    #
    FW_QUICKMODE="no"
    
    ## Type:	string
    ## Default:	any
    #
    # 2.)
    # Which are the interfaces that point to the internet/untrusted
    # networks?
    #
    # Enter all untrusted network devices here
    #
    # Format: space separated list of interface or configuration names
    #
    # The special keyword "auto" means to use the device of the default
    # route. "auto" cannot be mixed with other interface names.
    #
    # The special keyword "any" means that packets arriving on interfaces not
    # explicitly configured as int, ext or dmz will be considered external. Note:
    # this setting only works for packets destined for the local machine. If you
    # want forwarding or masquerading you still have to add the external interfaces
    # individually. "any" can be mixed with other interface names.
    #
    # Examples: "eth-id-00:e0:4c:9f:61:9a", "ippp0 ippp1", "auto", "any ppp0"
    #
    # Note: alias interfaces (like eth0:1) are ignored
    #
    FW_DEV_EXT="eth-id-00:c1:26:0e:fa:4c"
    
    ## Type:	string
    #
    # 3.)
    # Which are the interfaces that point to the internal network?
    #
    # Enter all trusted network interfaces here. If you are not
    # connected to a trusted network (e.g. you have just a dialup) leave
    # this empty.
    #
    # Format: space separated list of interface or configuration names
    #
    # Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
    #
    FW_DEV_INT=""
    
    ## Type:	string
    #
    # 4.)
    # Which are the interfaces that point to the dmz or dialup network?
    #
    # Enter all the network devices here which point to the dmz/dialups.
    # A "dmz" is a special, separated network, which is only connected
    # to the firewall, and should be reachable from the internet to
    # provide services, e.g. WWW, Mail, etc. and hence is at risk from
    # attacks. See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an
    # example.
    #
    # Note: You have to configure FW_FORWARD to define the services
    # which should be available to the internet and set FW_ROUTE to yes.
    #
    # Format: space separated list of interface or configuration names
    #
    # Examples: "eth-id-00:e0:4c:9f:61:9a", "tr0", "eth0 eth1"
    #
    FW_DEV_DMZ=""
    
    ## Type:	yesno
    ## Default:	no
    #
    # 5.)
    # Should routing between the internet, dmz and internal network be
    # activated?
    #
    # Set this to "yes" if you either want to masquerade internal
    # machines or allow access to the dmz (or internal machines, but
    # this is not a good idea).
    # 
    # This option overrides IP_FORWARD from
    # /etc/sysconfig/network/options
    #
    # Setting this option one alone doesn't do anything. Either activate
    # masquerading with FW_MASQUERADE below if you want to masquerade
    # your internal network to the internet, or configure FW_FORWARD to
    # define what is allowed to be forwarded. You also need to define
    # internal or dmz interfaces in FW_DEV_INT or FW_DEV_DMZ.
    #
    # defaults to "no" if not set
    #
    FW_ROUTE="no"
    
    ## Type:	yesno
    ## Default:	no
    #
    # 6.)
    # Do you want to masquerade internal networks to the outside?
    #
    # Requires: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE, FW_MASQ_DEV
    #
    # "Masquerading" means that all your internal machines which use
    # services on the internet seem to come from your firewall. Please
    # note that it is more secure to communicate via proxies to the
    # internet than to use masquerading.
    # 
    # This option is required for FW_MASQ_NETS and FW_FORWARD_MASQ.
    #
    # defaults to "no" if not set
    #
    FW_MASQUERADE="no"
    
    ## Type:	string
    ## Default:     $FW_DEV_EXT
    #
    # 6a.)
    # You must also define on which interfaces to masquerade on. Those
    # are usually the same as the external interfaces. Most users can
    # leave the default.
    #
    # Examples: "ippp0", "$FW_DEV_EXT"
    #
    FW_MASQ_DEV="$FW_DEV_EXT"
    
    ## Type:	string
    ## Default:	0/0
    #
    # Which internal computers/networks are allowed to access the
    # internet via masquerading (not via proxys on the firewall)?
    #
    # Format: space separated list of
    #  <source network>[,<destination network>,<protocol>[,port[:port]]
    #  
    #  If the protocol is icmp then port is interpreted as icmp type
    #
    # Examples: - "0/0" unrestricted access to the internet
    #           - "10.0.0.0/8" allows the whole 10.0.0.0 network with
    #             unrestricted access.
    #           - "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
    #             the 10.0.1.0 network to use www/ftp to the internet. -
    #           - "10.0.1.0/24,0/0,tcp,1024:65535 10.0.2.0/24" the
    #             10.0.1.0/24 network is allowed to access unprivileged
    #             ports whereas 10.0.2.0/24 is granted unrestricted
    #             access.
    #           
    FW_MASQ_NETS=""
    
    ## Type:	yesno
    ## Default:	no
    #
    # 7.)
    # Do you want to protect the firewall from the internal network?
    # Requires: FW_DEV_INT
    #
    # If you set this to "yes", internal machines may only access services on
    # the firewall you explicitly allow. They will be also affected from the
    # FW_AUTOPROTECT_SERVICES option. If you set this to "no", any
    # internal user can connect (and attack) any service on the
    # firewall.
    #
    # defaults to "yes" if not set
    # 
    FW_PROTECT_FROM_INTERNAL="no"
    
    ## Type:	yesno
    ## Default:	no
    #
    # 8.)
    # Do you want to create explicit drop rules for all running network
    # services on the firewall?
    #
    # If set to "yes", all network access to services TCP and UDP on this machine
    # will be explicitly prevented (except to those which you
    # explicitly allow, see below: FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
    #
    # defaults to "yes" if not set
    #
    FW_AUTOPROTECT_SERVICES="no"
    
    ## Type:	string
    #
    # 9.)
    # Which TCP services _on the firewall_ should be accessible from
    # untrusted networks?
    #
    # Enter all ports or known portnames below, separated by a space.
    # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
    # UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
    # e.g. if a webserver on the firewall should be accessible from the internet:
    # FW_SERVICES_EXT_TCP="www"
    # e.g. if the firewall should receive syslog messages from the dmz:
    # FW_SERVICES_DMZ_UDP="syslog"
    # For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
    # FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
    #
    # Format: space separated list of ports, port ranges or well known
    #         service names (see /etc/services)
    #
    # Examples: "ssh", "123 514", "3200:3299", "ftp 22 telnet 512:514"
    #
    FW_SERVICES_EXT_TCP="http microsoft-ds netbios-dgm netbios-ns netbios-ssn ssh 20:24"
    
    ## Type:	string
    #
    # Which UDP services _on the firewall_ should be accessible from
    # untrusted networks?
    #
    # see comments for FW_SERVICES_EXT_TCP
    #
    # Example: "53"
    #
    FW_SERVICES_EXT_UDP="20:24"
    
    ## Type:	string
    # 
    # Which UDP services _on the firewall_ should be accessible from
    # untrusted networks?
    #
    # Usually for VPN/Routing which END at the firewall
    #
    # Example: "esp"
    #
    FW_SERVICES_EXT_IP=""
    
    ## Type:        string
    #
    # Which RPC services _on the firewall_ should be accessible from
    # untrusted networks?
    #
    # Port numbers of RPC services are dynamically assigned by the
    # portmapper. Therefore "rpcinfo -p localhost" has to be used to
    # automatically determine the currently assigned port for the
    # services specified here.
    #
    # USE WITH CAUTION!
    # regular users can register rpc services and therefore could have
    # SuSEfirewall2 open arbitrary ports
    #
    # Example: "mountd nfs"
    FW_SERVICES_EXT_RPC=""
    
    ## Type:	string
    #
    # see comments for FW_SERVICES_EXT_TCP
    FW_SERVICES_DMZ_TCP=""
    
    ## Type:	string
    #
    # see comments for FW_SERVICES_EXT_UDP
    FW_SERVICES_DMZ_UDP=""
    
    ## Type:	string
    #
    # see comments for FW_SERVICES_EXT_IP
    FW_SERVICES_DMZ_IP=""
    
    ## Type:        string
    #
    # see comments for FW_SERVICES_EXT_RPC
    FW_SERVICES_DMZ_RPC=""
    
    ## Type:	string
    #
    # see comments for FW_SERVICES_EXT_TCP
    FW_SERVICES_INT_TCP=""
    
    ## Type:	string
    #
    # see comments for FW_SERVICES_EXT_UDP
    FW_SERVICES_INT_UDP=""
    
    ## Type:	string
    #
    # see comments for FW_SERVICES_EXT_IP
    FW_SERVICES_INT_IP=""
    
    ## Type:        string
    #
    # see comments for FW_SERVICES_EXT_RPC
    FW_SERVICES_INT_RPC=""
    
    ## Type: string
    #
    # Packets to silently drop without log message
    #
    # Format: space separated list of net,protocol[,port]
    # Example: "0/0,tcp,445 0/0,udp,4662"
    #
    FW_SERVICES_DROP_EXT=""
    
    ## Type: string
    ## Default: 0/0,tcp,113
    #
    # Packets to silently reject without log message. Common usage is
    # TCP port 113 which if dropped would cause long timeouts when
    # sending mail or connecting to IRC servers.
    #
    # Format: space separated list of net,protocol[,port]
    # Example: "0/0,tcp,113"
    #
    FW_SERVICES_REJECT_EXT="0/0,tcp,113"
    
    ## Type:	string
    #
    # WARNING: Quickmode is DEPRECATED and will be removed in the future!
    # 
    # 9a.)
    # External services in QUICKMODE.
    # This is only used for QUICKMODE (see 1.)!
    # (The settings here are similar to section 9.)
    # Which services ON THE FIREWALL should be accessible from either the 
    # internet (or other untrusted networks), i.e. the external interface(s)
    # $FW_DEV_EXT
    #
    # Enter all ports or known portnames below, separated by a space.
    # TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_QUICK_TCP, and
    # UDP services (e.g. syslog) must be set in FW_SERVICES_QUICK_UDP.
    # e.g. if a secure shell daemon on the firewall should be accessible from
    # the internet: 
    # FW_SERVICES_QUICK_TCP="ssh"
    # e.g. if the firewall should receive isakmp (IPsec) internet:
    # FW_SERVICES_QUICK_UDP="isakmp"
    # For IP protocols (like IPsec) you need to set
    # FW_SERVICES_QUICK_IP="50"
    #
    # Choice: leave empty or any number of ports, known portnames (from
    # /etc/services) and port ranges separated by a space. Port ranges are
    # written like this: allow port 1 to 10 -> "1:10"
    # e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
    # For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
    #
    # QUICKMODE: TCP services open to external networks (InterNet)
    # (Common: ssh smtp)
    FW_SERVICES_QUICK_TCP=""
    
    ## Type:	string
    # QUICKMODE: UDP services open to external networks (InterNet)
    # (Common: isakmp)
    FW_SERVICES_QUICK_UDP=""
    
    ## Type:	string
    # QUICKMODE: IP protocols unconditionally open to external networks (InterNet)
    # (For VPN firewall that is VPN gateway: 50)
    FW_SERVICES_QUICK_IP=""
    
    ## Type:	string
    #
    # 10.)
    # Which services should be accessible from 'trusted' hosts or nets?
    #
    # Define trusted hosts or networks (doesn't matter whether they are internal or
    # external) and the services (tcp,udp,icmp) they are allowed to use. This can
    # be used instead of FW_SERVICES_* for further access restriction. Please note
    # that this is no replacement for authentication since IP addresses can be
    # spoofed. Also note that trusted hosts/nets are not allowed to ping the
    # firewall until you also permit icmp.
    #
    # Format: space separated list of network[,protocol[,port]]
    # in case of icmp, port means the icmp type
    #
    # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
    #
    FW_TRUSTED_NETS=""
    
    ## Type:	string
    ## Default:
    #
    # 11.)
    # Specify which ports are allowed to access unprivileged ports (>1023)
    #
    # Format: yes, no or space separated list of ports
    #
    # You may either allow everyone from anyport access to your highports ("yes"),
    # disallow anyone ("no"), anyone who comes from a defined port (portnumber or
    # known portname). Note that this is easy to circumvent! The best choice is to
    # keep this option unset or set to 'no'
    #
    # defaults to "no" if not set (good choice)
    #
    FW_ALLOW_INCOMING_HIGHPORTS_TCP=""
    
    ## Type:	string
    ## Default:
    #
    # See FW_ALLOW_INCOMING_HIGHPORTS_TCP
    #
    # defaults to "no" if not set (good choice)
    FW_ALLOW_INCOMING_HIGHPORTS_UDP=""
    
    ## Type:	string
    #
    # 13.)
    # Which services or networks are allowed to be routed through the
    # firewall, no matter which zone they are in?
    # Requires: FW_ROUTE
    #
    # With this option you may allow access to e.g. your mailserver. The
    # machines must have valid, non-private, IP addresses which were
    # assigned to you by your ISP. This opens a direct link to the
    # specified network, so please think twice before using this option!
    #
    # Format: space separated list of
    #    <source network>,<destination network>[,protocol[,port[,flags]]]
    #
    #  If the protocol is icmp then port is interpreted as icmp type
    #
    #  The only flag currently supported is 'ipsec' which means to only
    #  match packets that originate from an IPsec tunnel
    #
    # Examples: - "1.1.1.1,2.2.2.2" allow the host 1.1.1.1 to access any
    #             service on the host 2.2.2.2
    #           - "3.3.3.3/16,4.4.4.4/24" allow the network 3.3.3.3/16
    #             to access any service in the network 4.4.4.4/24
    #           - "5.5.5.5,6.6.6.6,igmp" allow routing of IGMP messages
    #              from 5.5.5.5 to 6.6.6.6
    #           - "0/0,0/0,udp,514" always permit udp port 514 to pass
    #             the firewall
    #           - "192.168.1.0/24,10.10.0.0/16,,,ipsec \
    #              10.10.0.0/16,192.168.1.0/24,,,ipsec" permit traffic
    #              from 192.168.1.0/24 to 10.10.0.0/16 and vice versa
    #              provided that both networks are connected via an
    #              IPsec tunnel.
    FW_FORWARD=""
    
    ## Type:	string
    #
    # 14.)
    # Which services accessed from the internet should be allowed to masqueraded
    # servers (on the internal network or dmz)?
    # Requires: FW_ROUTE
    #
    # With this option you may allow access to e.g. your mailserver. The
    # machines must be in a masqueraded segment and may not have public
    # IP addresses! Hint: if FW_DEV_MASQ is set to the external interface
    # you have to set FW_FORWARD from internal to DMZ for the service as
    # well to allow access from internal!
    #
    # Please note that this should *not* be used for security reasons!
    # You are opening a hole to your precious internal network. If e.g.
    # the webserver there is compromised - your full internal network is
    # compromised!
    #
    # Format: space separated list of
    #    <source network>,<ip to forward to>,<protocol>,<port>[,redirect port,[destination ip]]
    #
    #  Protocol must be either tcp or udp
    #
    # Examples: - "4.0.0.0/8,10.0.0.10,tcp,80" forward all tcp request on
    #             port 80 coming from the 4.0.0.0/8 network to the
    #             internal server 1.1.1.1
    #           - "4.0.0.0/8,10.0.0.10,tcp,80,81" forward all tcp request on
    #             port 80 coming from the 4.0.0.0/8 network to the
    #             internal server 1.1.1.1 on port 81
    #           - "200.200.200.0/24,10.0.0.10,tcp,80,81,202.202.202.202"
    #             the network 200.200.200.0/24 trying to access the
    #             address 202.202.202.202 on port 80 will be forwarded
    #             to the internal server 10.0.0.10 on port 81
    #
    FW_FORWARD_MASQ=""
    
    ## Type:	string
    #
    # 15.)
    # Which accesses to services should be redirected to a local port on
    # the firewall machine?
    #
    # This option can be used to force all internal users to surf via
    # your squid proxy, or transparently redirect incoming webtraffic to
    # a secure webserver.
    # 
    # Format: list of <source network>[,<destination network>,<protocol>[,dport[:lport]]
    # Where protocol is either tcp or udp. dport is the original
    # destination port and lport the port on the local machine to
    # redirect the traffic to
    #
    # An exclamation mark in front of source or destination network
    # means everything EXCEPT the specified network
    #
    # Example: "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
    #
    # Please note that you still have to open the local port in
    # FW_SERVICES_* or FW_TRUSTED_NETS to actually permit access
    FW_REDIRECT=""
    
    ## Type:	yesno
    ## Default:	yes
    #
    # 16.)
    # Which kind of packets should be logged?
    #
    # When set to "yes", packets that got dropped and are considered
    # 'critical' will be logged. Such packets include for example
    # spoofed packets, tcp connection requests and certain icmp types.
    #
    # defaults to "yes" if not set
    #
    FW_LOG_DROP_CRIT="yes"
    
    ## Type:	yesno
    ## Default:	no
    #
    # whether all dropped packets should be logged
    #
    # Note: for broadcasts to be logged you also need to set
    # FW_IGNORE_BROADCAST_* to 'no'
    #
    # defaults to "no" if not set
    #
    FW_LOG_DROP_ALL="no"
    
    ## Type:	yesno
    ## Default:	yes
    #
    # When set to "yes", packets that got accepted and are considered
    # 'critical' will be logged. Such packets include for example tcp
    # connection requests, rpc connection requests, access to high
    # udp/tcp port and forwarded packets.
    #
    # defaults to "yes" if not set
    #
    FW_LOG_ACCEPT_CRIT="yes"
    
    ## Type:	yesno
    ## Default:	no
    #
    # whether all accepted packets should be logged
    #
    # Note: setting this to 'yes' causes _LOTS_ of log entries and may
    # fill your disk quickly. It also disables FW_LOG_LIMIT
    #
    # defaults to "no" if not set
    #
    FW_LOG_ACCEPT_ALL="no"
    
    ## Type:	string
    #
    # How many packets per time unit get logged for each logging rule.
    # When empty a default of 3/minute is used to prevent port scans
    # flooding your log files. For desktop usage it's a good idea to
    # have the limit, if you are using logfile analysis tools however
    # you might want to disable it.
    #
    # Set to 'no' to disable the rate limit. Setting FW_LOG_ACCEPT_ALL
    # to 'yes' disables this option as well.
    # 
    # Format: a digit and suffix /second, /minute, /hour or /day
    FW_LOG_LIMIT=""
    
    ## Type:	string
    #
    # iptables logging option. Must end with --log-prefix and some prefix
    # characters
    #
    # only change this if you know what you are doing!
    FW_LOG=""
    
    ## Type:	yesno
    ## Default:	yes
    #
    # 17.)
    # Do you want to enable additional kernel TCP/IP security features?
    # If set to yes, some obscure kernel options are set.
    # (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
    #  icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexeed_rate,
    #  ip_local_port_range, log_martians, mc_forwarding, mc_forwarding,
    #  rp_filter, routing flush)
    # Tip: Set this to "no" until you have verified that you have got a
    # configuration which works for you. Then set this to "yes" and keep it
    # if everything still works. (It should!) ;-)
    #
    # Warning: do not set FW_KERNEL_SECURITY and FW_ANTISPOOF to "no" at the same
    # time, otherwise you won't have any spoof protection!
    #
    # Choice: "yes" or "no", if not set defaults to "yes"
    #
    FW_KERNEL_SECURITY="yes"
    
    ## Type:	yesno
    ## Default:	no
    #
    # 17a.)
    #
    # Setup anti-spoofing rules?
    # Anti-Spoofing rules shouldn't be necessary with rp_filter set. They only
    # cause headaches with dynamic interfaces.
    #
    # Warning: do not set FW_KERNEL_SECURITY and FW_ANTISPOOF to "no" at the same
    # time, otherwise you won't have any spoof protection!
    #
    FW_ANTISPOOF="no"
    
    ## Type:	yesno
    ## Default:	no
    #
    # 18.)
    # Keep the routing set on, if the firewall rules are unloaded?
    # REQUIRES: FW_ROUTE
    #
    # If you are using diald, or automatic dialing via ISDN, if packets need
    # to be sent to the internet, you need to turn this on. The script will then
    # not turn off routing and masquerading when stopped.
    # You *might* also need this if you have got a DMZ.
    # Please note that this is *insecure*! If you unload the rules, but are still
    # connected, you might leave your internal network open to attacks!
    # The better solution is to remove "/sbin/SuSEfirewall2 stop" or
    # "/sbin/init.d/firewall stop" from the ip-down script!
    #
    #
    # Choices "yes" or "no", if not set defaults to "no"
    #
    FW_STOP_KEEP_ROUTING_STATE="no"
    
    ## Type:	yesno
    ## Default:	yes
    #
    # 19.)
    # Allow the firewall to reply to icmp echo requests
    #
    # defaults to "no" if not set
    #
    FW_ALLOW_PING_FW="yes"
    
    ## Type:	yesno
    ## Default:	no
    #
    # 19a.)
    # Allow hosts in the dmz to be pinged by internal and external hosts
    # REQUIRES: FW_ROUTE
    #
    # defaults to "no" if not set
    #
    FW_ALLOW_PING_DMZ="no"
    
    ## Type:	yesno
    ## Default:	no
    #
    # 19b.)
    # Allow external hosts to be pinged from internal or dmz hosts
    # REQUIRES: FW_ROUTE
    #
    # defaults to "no" if not set
    #
    FW_ALLOW_PING_EXT="no"
    
    ##
    # END of /etc/sysconfig/SuSEfirewall2
    ##
    
    #                                                                         #
    #-------------------------------------------------------------------------#
    #                                                                         #
    # EXPERT OPTIONS - all others please don't change these!                  #
    #                                                                         #
    #-------------------------------------------------------------------------#
    #                                                                         #
    
    ## Type:	yesno
    ## Default:	yes
    #
    # 20.)
    # Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
    # This is used for traceroutes (or traceroute like tools) through your
    # firewall.
    #
    # Please note that setting this option is not sufficient if your firewall is
    # the destination of the traceroute. The Un*x traceroute only works if you also
    # open about 100 UDP ports starting from 33434. Windows(TM) traceroute needs
    # FW_ALLOW_PING_FW set to "yes"
    #
    # defaults to "no" if not set
    #
    FW_ALLOW_FW_TRACEROUTE="yes"
    
    ## Type:	yesno
    ## Default:	yes
    #
    # 21.)
    # Allow ICMP sourcequench from your ISP?
    #
    # If set to yes, the firewall will notice when connection is choking, however
    # this opens yourself to a denial of service attack. Choose your poison.
    #
    # defaults to "yes" if not set
    #
    FW_ALLOW_FW_SOURCEQUENCH="yes"
    
    ## Type:	string(yes,no,int,ext,dmz)
    ## Default:	int
    #
    # 22.)
    # Allow IP Broadcasts?
    #
    # If set to yes, the firewall will not filter broadcasts by default.
    # This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
    # option is used.
    # If you do not want to allow them but want to suppress the annoying log entries,
    # set FW_IGNORE_FW_BROADCAST to yes.
    #
    # Format: "yes" or "no", any combination of "int", "ext" and "dmz" and/or list
    #         of udp ports
    #
    # Example: "int 631"
    #
    # defaults to "no" if not set
    #
    FW_ALLOW_FW_BROADCAST="int"
    
    ## Type:	string(yes,no,int,ext,dmz)
    ## Default:	ext
    #
    # set to yes to suppress log messages for dropped broadcast packets
    #
    FW_IGNORE_FW_BROADCAST="no"
    
    ## Type:	yesno
    ## Default:	no
    #
    # 23.)
    # Allow same class routing per default?
    # REQUIRES: FW_ROUTE
    #
    # Do you want to allow routing between interfaces of the same class
    # (e.g. between all internet interfaces, or all internal network interfaces)
    # by default (i.e. without the need to set up FW_FORWARD definitions)?
    #
    # Choice: "yes" or "no", if not set defaults to "no"
    #
    FW_ALLOW_CLASS_ROUTING="no"
    
    ## Type:	string
    #
    # 25.)
    # Do you want to load customary rules from a file?
    #
    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    #
    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    FW_CUSTOMRULES=""
    
    ## Type:	yesno
    ## Default:	no
    #
    # 26.)
    # Do you want to REJECT packets instead of DROPing?
    #
    # DROPing (which is the default) will make portscans and attacks much
    # slower, as no replies to the packets will be sent. REJECTing means, that
    # for every illegal packet, a connection reject packet is sent to the
    # sender.
    #
    # Choice: "yes" or "no", if not set defaults to "no"
    #
    FW_REJECT="no"
    
    ## Type:	string
    #
    # 27.)
    # Tuning your upstream a little bit via HTB (Hierarchical Token Bucket)
    # for more information about HTB see http://www.lartc.org
    #
    # If your download collapses while you have a parallel upload,
    # this parameter might be an option for you. It manages your
    # upload stream and reserves bandwidth for special packets like
    # TCP ACK packets or interactive SSH.
    # It's a list of devices and maximum bandwidth in kbit.
    # For example, the german TDSL account, provides 128kbit/s upstream
    # and 768kbit/s downstream. We can only tune the upstream.
    #
    # Example:
    # If you want to tune a 128kbit/s upstream DSL device like german TDSL set
    # the following values:
    # FW_HTB_TUNE_DEV="ppp0,125"
    # where ppp0 is your pppoe device and 125 stands for 125kbit/s upstream
    #
    # you might wonder why 125kbit/s and not 128kbit/s. Well practically you'll
    # get a better performance if you keep the value a few percent under your
    # real maximum upload bandwidth, to prevent the DSL modem from queueing traffic in
    # its own buffers, because queueing is done by us now.
    # So for a 256kbit upstream
    #   FW_HTB_TUNE_DEV="ppp0,250"
    # might be a better value than "ppp0,256". There is no perfect value for a
    # special kind of modem. The perfect value depends on what kind of traffic you
    # have on your line but 5% under your maximum upstream might be a good start.
    # Everything else is special fine tuning.
    # If you want to know more about the technical background,
    # http://tldp.org/HOWTO/ADSL-Bandwidth-Management-HOWTO/
    # is a good start
    #
    FW_HTB_TUNE_DEV=""
    
    ## Type:	list(no,drop,reject)
    ## Default:	drop
    #
    # 28.)
    # What to do with IPv6 Packets?
    #
    # ip6tables is currently not stateful so it's not possible to implement the
    # same features as for IPv4. We currently offer three choices:
    # 
    # - no: do not set any IPv6 rules at all. Your Host will allow any IPv6
    #   traffic unless you setup your own rules.
    #
    # - drop: drop all IPv6 packets. This is the default.
    #
    # - reject: reject all IPv6 packets
    #
    # Disallowing IPv6 packets may lead to long timeouts when connecting to IPv6
    # addresses. See FW_IPv6_REJECT_OUTGOING to avoid this.
    #
    FW_IPv6=""
    
    ## Type:	yesno
    ## Default:	yes
    #
    # 28a.)
    # Reject outgoing IPv6 Packets?
    #
    # Set to yes to avoid timeouts because of dropped IPv6 packets. This option
    # only makes sense with FW_IPv6 != no
    #
    FW_IPv6_REJECT_OUTGOING="yes"
    
    ## Type:	list(yes,no,int,ext,dmz)
    ## Default:	no
    #
    # 29.)
    # Trust level of IPsec packets.
    #
    # The value specifies how much IPsec packets are trusted. 'int', 'ext' or 'dmz'
    # are the respective zones. 'yes' is the same as 'int'. 'no' means that IPsec
    # packets belong to the same zone as the interface they arrive on.
    #
    # Note: you still need to explicitly allow IPsec traffic.
    # Example:
    #   FW_IPSEC_TRUST="int"
    #   FW_SERVICES_INT_IP="esp"
    #   FW_SERVICES_EXT_UDP="isakmp"
    #   FW_PROTECT_FROM_INTERNAL="no"
    #
    FW_IPSEC_TRUST="no"
    Last edited by TheLastOne (02.09.05 at 12:58)
    My root server:
    2x Dual Core AMD Opteron(tm) Processor 280 with Suse 9.3, 4GB RAM, 300GB storage.
    PHP Version 4.3.10-18 MySQL Version 4.0.24 Confixx v. s4y

  5. #5
    linuxnoob
    Registered since
    Nov 2004
    Posts
    229
    Here is also the output of iptables -L

    Code:
    linux:~ # iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     tcp  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     udp  --  anywhere             anywhere            state RELATED,ESTABLISHED
    input_ext  all  --  anywhere             anywhere
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
    DROP       all  --  anywhere             anywhere
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp time-exceeded LOG level warning tcp-options ip-options prefix `SFW2-OUT-TRACERT-ATTEMPT '
    ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            icmp port-unreachable
    ACCEPT     icmp --  anywhere             anywhere            icmp fragmentation-needed
    ACCEPT     icmp --  anywhere             anywhere            icmp network-prohibited
    ACCEPT     icmp --  anywhere             anywhere            icmp host-prohibited
    ACCEPT     icmp --  anywhere             anywhere            icmp communication-prohibited
    DROP       icmp --  anywhere             anywhere            icmp destination-unreachable
    ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '
    
    Chain forward_dmz (0 references)
    target     prot opt source               destination
    
    Chain forward_ext (0 references)
    target     prot opt source               destination
    
    Chain forward_int (0 references)
    target     prot opt source               destination
    
    Chain input_dmz (0 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT-INV '
    DROP       all  --  anywhere             anywhere            state INVALID
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-ICMP-CRIT '
    LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INdmz-DROP-DEFLT '
    DROP       all  --  anywhere             anywhere
    
    Chain input_ext (1 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
    ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
    DROP       all  --  anywhere             anywhere            state INVALID
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:microsoft-ds flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-dgm flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-ns flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp dpts:ftp-data:24 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-ACC-TCP '
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:24
    reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
    ACCEPT     udp  --  anywhere             anywhere            udp dpts:ftp-data:24
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-ICMP-CRIT '
    LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
    DROP       all  --  anywhere             anywhere
    
    Chain input_int (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
    ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
    ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
    LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT-INV '
    DROP       all  --  anywhere             anywhere            state INVALID
    LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp source-quench LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp redirect LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp echo-request LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp timestamp-request LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp address-mask-request LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
    LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 icmp type 2 LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-ICMP-CRIT '
    LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INint-DROP-DEFLT '
    DROP       all  --  anywhere             anywhere
    
    Chain reject_func (1 references)
    target     prot opt source               destination
    REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
    REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable
    linux:~ #
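In the listing above, input_ext ACCEPTs Samba's TCP ports (netbios-ssn, microsoft-ds) but has no UDP ACCEPT for netbios-ns or netbios-dgm and drops broadcasts, while input_int (which would accept everything) has 0 references. The checker below is an added example, not code from this thread or from SuSEfirewall2: it parses `iptables -L` output and reports, for each zone chain actually reached from INPUT, which Samba ports lack an ACCEPT rule and whether broadcasts are dropped. The sample text is constructed by abridging the posted output.

```python
import re

# Constructed sample, abridged from the iptables -L output posted above.
SAMPLE_IPTABLES_L = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
input_ext  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-dgm
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ns
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere            udp dpts:ftp-data:24
DROP       all  --  anywhere             anywhere

Chain input_int (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
"""

# Ports Samba needs, spelled as iptables -L prints them (names from /etc/services).
SAMBA_PORTS = [
    ("udp", "netbios-ns"),    # 137/udp  NetBIOS name service
    ("udp", "netbios-dgm"),   # 138/udp  NetBIOS datagram (browsing)
    ("tcp", "netbios-ssn"),   # 139/tcp  NetBIOS session
    ("tcp", "microsoft-ds"),  # 445/tcp  SMB over TCP
]

def parse_chains(text):
    """Return {chain: [(target, proto, match_text), ...]} from iptables -L output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.strip() and not line.startswith("target") and current:
            parts = line.split(None, 5)  # target prot opt source destination [matches]
            chains[current].append((parts[0], parts[1], parts[5] if len(parts) > 5 else ""))
    return chains

def referenced_input_chains(chains):
    """Zone chains (input_ext/int/dmz) that INPUT actually jumps to; the others are dead."""
    return [t for t, _, _ in chains.get("INPUT", []) if t.startswith("input_")]

def accepts_port(rules, proto, svc):
    """True if the chain ACCEPTs proto/svc, or ACCEPTs everything unconditionally
    (an 'ACCEPT all' with no match text, as input_int does in the posted output)."""
    return any(t == "ACCEPT" and ((p == "all" and not m) or
                                  (p == proto and f"dpt:{svc}" in m.split()))
               for t, p, m in rules)

def audit_samba(text):
    """Per zone chain reached from INPUT: Samba ports lacking ACCEPT, and broadcast drops."""
    chains = parse_chains(text)
    report = {}
    for chain in referenced_input_chains(chains):
        rules = chains[chain]
        report[chain] = {
            "missing": [f"{p}/{s}" for p, s in SAMBA_PORTS if not accepts_port(rules, p, s)],
            "drops_broadcast": any(t == "DROP" and "PKTTYPE = broadcast" in m
                                   for t, _, m in rules),
        }
    return report
```

Note that `iptables -L` without `-v` hides the interface match, so the first `ACCEPT all` in INPUT (normally the loopback rule) cannot be told apart from a real accept-everything rule here; use `iptables -L -v -n` for a full audit.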
