Where does the info leak through?

Peace-on-earth
30.09.02, 17:37
I now have SuSEfirewall2 running on my SuSE 7.3 server. When I run a test on the Internet (e.g. Shields Up!!), the following info still leaks through:

User Name
Computer's Name
Workgroup

Where can this info be getting through? Only three ports are open: FTP, HTTP, POP3. And all high ports. Is there a trick to hide this info as well?

Harry
30.09.02, 20:40
Hello,

You are most likely additionally reachable through your firewall on ports 137/udp or 137/tcp. The data looks pretty clearly like a NetBIOS name service response, and behind it is either a Windows machine or a Samba server that is reachable from the Internet.

Definitely check your firewall configuration.

Harry

Peace-on-earth
02.10.02, 16:41
Originally posted by Harry
Hello,

You are most likely additionally reachable through your firewall on ports 137/udp or 137/tcp. The data looks pretty clearly like a NetBIOS name service response, and behind it is either a Windows machine or a Samba server that is reachable from the Internet.

Definitely check your firewall configuration.

Harry

OK, I have Samba running on the Linux server. But actually I only open the following services to the outside in SuSEfirewall2:
www ftp pop3 20000 ssh smtp

On top of that, I did of course answer "yes" to the question whether Samba is running. Could it be that this also opens the ports to the outside? That would be pretty dumb, almost a bug, wouldn't it? Or are there applications where you have to access it from outside?

pudding
02.10.02, 16:48
bug or feature, either way you should definitely make Samba available on the LAN interface only.

pudding

Peace-on-earth
02.10.02, 17:02
Well, port 139 is definitely not reachable on my machine. How can I close specific ports with SuSEfirewall2? I'd know how to open them.

HangLoose
02.10.02, 17:09
hi

with SuSEfirewall, IMHO everything you haven't opened is actually closed.

Regards HangLoose

pudding
02.10.02, 17:09
well, I have no clue about SuSE FW2,
since firstly Debian runs here and secondly I write my FW scripts myself.

maybe I or someone else can help if you post your FW script

pudding

Peace-on-earth
02.10.02, 17:18
Well, you asked for it. Maybe someone will spot an option. I admit I don't know my way around very well. I'm glad the firewall runs this well at all.

# 1.)
# Should the Firewall be started?
#
# This setting is done in /etc/rc.config (START_FW2="yes")

#
# 2.)
# Which is the interface that points to the internet/untrusted networks?
#
# Enter all the network devices here which are untrusted.
#
# Choice: any number of devices, separated by a space
# e.g. "eth0", "ippp0 ippp1 eth0:1"
#
FW_DEV_EXT="ppp0"

#
# 3.)
# Which is the interface that points to the internal network?
#
# Enter all the network devices here which are trusted.
# If you are not connected to a trusted network (e.g. you have just a
# dialup) leave this empty.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_INT="eth1"

#
# 4.)
# Which is the interface that points to the dmz or dialup network?
#
# Enter all the network devices here which point to the dmz/dialups.
# A "dmz" is a special, separated network, which is only connected to the
# firewall, and should be reachable from the internet to provide services,
# e.g. WWW, Mail, etc. and hence are at risk from attacks.
# See /usr/share/doc/packages/SuSEfirewall2/EXAMPLES for an example.
#
# Special note: You have to configure FW_FORWARD to define the services
# which should be available to the internet and set FW_ROUTE to yes.
#
# Choice: leave empty or any number of devices, separated by a space
# e.g. "tr0", "eth0 eth1 eth1:1" or ""
#
FW_DEV_DMZ=""

#
# 5.)
# Should routing between the internet, dmz and internal network be activated?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ
#
# You need only set this to yes, if you either want to masquerade internal
# machines or allow access to the dmz (or internal machines, but this is not
# a good idea). This option supersedes IP_FORWARD from /etc/rc.config!
#
# Setting this option one alone doesn't do anything. Either activate
# masquerading with FW_MASQUERADE below if you want to masquerade your
# internal network to the internet, or configure FW_FORWARD to define
# what is allowed to be forwarded!
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ROUTE="yes"

#
# 6.)
# Do you want to masquerade internal networks to the outside?
# REQUIRES: FW_DEV_INT or FW_DEV_DMZ, FW_ROUTE
#
# "Masquerading" means that all your internal machines which use services on
# the internet seem to come from your firewall.
# Please note that it is more secure to communicate via proxies to the
# internet than masquerading. This option is required for FW_MASQ_NETS and
# FW_FORWARD_MASQ.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_MASQUERADE="yes"
#
# You must also define on which interface(s) to masquerade on. This is
# normally your external device(s) to the internet.
# Most users can leave the default below.
#
# e.g. "ippp0" or "$FW_DEV_EXT"
FW_MASQ_DEV="$FW_DEV_EXT"
#
# Which internal computers/networks are allowed to access the internet
# directly (not via proxys on the firewall)?
# Only these networks will be allowed access and will be masqueraded!
#
# Choice: leave empty or any number of hosts/networks separated by a space.
# Every host/network may get a list of allowed services, otherwise everything
# is allowed. A target network, protocol and service is appended by a comma to
# the host/network. e.g. "10.0.0.0/8" allows the whole 10.0.0.0 network with
# unrestricted access. "10.0.1.0/24,0/0,tcp,80 10.0.1.0/24,0/0,tcp,21" allows
# the 10.0.1.0 network to use www/ftp to the internet.
# "10.0.1.0/24,tcp,1024:65535 10.0.2.0/24" is OK too.
# Set this variable to "0/0" to allow unrestricted access to the internet.
#
FW_MASQ_NETS="192.168.100.0/24"

#
# 7.)
# Do you want to protect the firewall from the internal network?
# REQUIRES: FW_DEV_INT
#
# If you set this to "yes", internal machines may only access services on
# the machine you explicitly allow. They will be also affected from the
# FW_AUTOPROTECT_SERVICES option.
# If you set this to "no", any user can connect (and attack) any service on
# the firewall.
#
# Choice: "yes" or "no", defaults to "yes"
#
# "yes" is a good choice
FW_PROTECT_FROM_INTERNAL="yes"

#
# 8.)
# Do you want to autoprotect all running network services on the firewall?
#
# If set to "yes", all network access to services TCP and UDP on this machine
# will be prevented (except to those which you explicitly allow, see below:
# FW_SERVICES_{EXT,DMZ,INT}_{TCP,UDP})
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_AUTOPROTECT_SERVICES="yes"

#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall) XXX
#
# Enter all ports or known portnames below, separated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges separated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Common: smtp domain
FW_SERVICES_EXT_TCP="www ftp pop3 20000 ssh smtp"
# Common: domain
FW_SERVICES_EXT_UDP="" # Common: domain
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""
#
# Common: smtp domain
FW_SERVICES_DMZ_TCP=""
# Common: domain
FW_SERVICES_DMZ_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="ssh smtp pop3 netbios-ssn http 20000"
# Common: domain syslog
FW_SERVICES_INT_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""

#
# 10.)
# Which services should be accessible from trusted hosts/nets?
#
# Define trusted hosts/networks (doesn't matter if they are internal or
# external) and the TCP and/or UDP services they are allowed to use.
#
# Choice: leave FW_TRUSTED_NETS empty or any number of computers and/or
# networks, separated by a space. e.g. "172.20.1.1 172.20.0.0/16"
# Optional, enter a protocol after a comma, e.g. "1.1.1.1,icmp"
# Optional, enter a port after a protocol, e.g. "2.2.2.2,tcp,22"
#
FW_TRUSTED_NETS=""

#
# 11.)
# How is access allowed to high (unprivileged [above 1023]) ports?
#
# You may either allow everyone from anyport access to your highports ("yes"),
# disallow anyone ("no"), anyone who comes from a defined port (portnumber or
# known portname) [note that this is easy to circumvent!], or just your
# defined nameservers ("DNS").
# Note that if you want to use normal (active) ftp, you have to set the TCP
# option to ftp-data. If you use passive ftp, you don't need that.
# Note that you can't use rpc requests (e.g. rpcinfo, showmount) as root
# from a firewall using this script (well, you can if you include range
# 600:1023 in FW_SERVICES_EXT_UDP ...).
#
# Choice: "yes", "no", "DNS", portnumber or known portname, defaults to "no"
# if not set
#
# Common: "ftp-data", better is "yes" to be sure that everything else works :-(
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
# Common: "DNS" or "domain ntp", better is "yes" to be sure ...
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"

#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won't work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
#
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
#
# If you are running bind/named set to yes. Remember that you have to open
# port 53 (or "domain") as udp/tcp to allow incoming queries.
# Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DNS="no"
#
# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"
#
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="no"
#
# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="no"
#
# set to "yes" if this server is running a samba server. You still have to open
# the tcp port 139 to allow remote access to SAMBA.
FW_SERVICE_SAMBA="yes"

#
# 13.)
# Which services accessed from the internet should be allowed to the
# dmz (or internal network - if it is not masqueraded)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must have valid, non-private, IP addresses which were assigned to
# you by your ISP. This opens a direct link to your network, so only use
# this option for access to your dmz!!!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forwarding rules, each separated by a space.
# A forwarding rule consists of 1) source IP/net and 2) destination IP
# separated by a comma. e.g. "1.1.1.1,2.2.2.2 3.3.3.3/16,4.4.4.4/24"
# Optional is a protocol, separated by a comma, e.g. "5.5.5.5,6.6.6.6,igmp"
# Optional is a port after the protocol with a comma, e.g. "0/0,0/0,udp,514"
#
FW_FORWARD="" # Beware to use this!

#
# 14.)
# Which services accessed from the internet should be allowed to masqueraded
# servers (on the internal network or dmz)?
# REQUIRES: FW_ROUTE
#
# With this option you may allow access to e.g. your mailserver. The
# machines must be in a masqueraded segment and may not have public IP addresses!
# Hint: if FW_DEV_MASQ is set to the external interface you have to set
# FW_FORWARD from internal to DMZ for the service as well to allow access
# from internal!
#
# Please note that this should *not* be used for security reasons! You are
# opening a hole to your precious internal network. If e.g. the webserver there
# is compromised - your full internal network is compromised!!
#
# Choice: leave empty (good choice!) or use the following explained syntax
# of forward masquerade rules, each separated by a space.
# A forward masquerade rule consists of 1) source IP/net, 2) destination IP
# (dmz/intern), 3) a protocol (tcp/udp only!) and 4) destination port,
# separated by a comma (","), e.g. "4.0.0.0/8,1.1.1.1,tcp,80"
# Optional is a port after the destination port, to redirect the request to
# a different destination port on the destination IP, e.g.
# "4.0.0.0/8,1.1.1.1,tcp,80,81"
#
FW_FORWARD_MASQ="" # Beware to use this!

#
# 15.)
# Which accesses to services should be redirected to a localport on the
# firewall machine?
#
# This can be used to force all internal users to surf via your squid proxy,
# or transparently redirect incoming webtraffic to a secure webserver.
#
# Choice: leave empty or use the following explained syntax of redirecting
# rules, separated by a space.
# A redirecting rule consists of 1) source IP/net, 2) destination IP/net,
# 3) protocol (tcp or udp), 4) original destination port and 5) local port to
# redirect the traffic to, separated by a comma. e.g.:
# "10.0.0.0/8,0/0,tcp,80,3128 0/0,172.20.1.1,tcp,80,8080"
#
FW_REDIRECT=""

#
# 16.)
# Which logging level should be enforced?
# You can define to log packets which were accepted or denied.
# You can also set the log level, the critical stuff or everything.
# Note that logging *_ALL is only for debugging purpose ...
#
# Choice: "yes" or "no", FW_LOG_*_CRIT defaults to "yes",
# FW_LOG_*_ALL defaults to "no"
#
FW_LOG_DROP_CRIT="yes"
#
FW_LOG_DROP_ALL="no"
#
FW_LOG_ACCEPT_CRIT="yes"
#
FW_LOG_ACCEPT_ALL="no"
#
# only change/activate this if you know what you are doing!
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"

#
# 17.)
# Do you want to enable additional kernel TCP/IP security features?
# If set to yes, some obscure kernel options are set.
# (icmp_ignore_bogus_error_responses, icmp_echoreply_rate,
# icmp_destunreach_rate, icmp_paramprob_rate, icmp_timeexceed_rate,
# ip_local_port_range, log_martians, mc_forwarding,
# rp_filter, routing flush)
# Tip: Set this to "no" until you have verified that you have got a
# configuration which works for you. Then set this to "yes" and keep it
# if everything still works. (It should!) ;-)
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_KERNEL_SECURITY="yes"

#
# 18.)
# Keep the routing set on, if the firewall rules are unloaded?
# REQUIRES: FW_ROUTE
#
# If you are using diald, or automatic dialing via ISDN, if packets need
# to be sent to the internet, you need to turn this on. The script will then
# not turn off routing and masquerading when stopped.
# You *might* also need this if you have got a DMZ.
# Please note that this is *insecure*! If you unload the rules, but are still
# connected, you might leave your internal network open to attacks!
# The better solution is to remove "/sbin/SuSEfirewall2 stop" or
# "/sbin/init.d/firewall stop" from the ip-down script!
#
#
# Choice: "yes" or "no", defaults to "no"
#
FW_STOP_KEEP_ROUTING_STATE="no"

#
# 19.)
# Allow (or don't) ICMP echo pings on either the firewall or the dmz from
# the internet? The internet option is for allowing the DMZ and the internal
# network to ping the internet.
# REQUIRES: FW_ROUTE for FW_ALLOW_PING_DMZ and FW_ALLOW_PING_INTERNET
#
# Choice: "yes" or "no", defaults to "no" if not set
#
FW_ALLOW_PING_FW="yes"
#
FW_ALLOW_PING_DMZ="no"
#
FW_ALLOW_PING_EXT="no"

##
# END of rc.firewall
##

#
#-------------------------------------------------------------------------#
#
#      EXPERT OPTIONS - all others please don't change these!
#
#-------------------------------------------------------------------------#
#

#
# 20.)
# Allow (or don't) ICMP time-to-live-exceeded to be sent from your firewall.
# This is used for traceroutes to your firewall (or traceroute like tools).
#
# Please note that the unix traceroute only works if you say "yes" to
# FW_ALLOW_INCOMING_HIGHPORTS_UDP, and windows traceroutes only if you say
# additionally "yes" to FW_ALLOW_PING_FW
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_TRACEROUTE="yes"

#
# 21.)
# Allow ICMP sourcequench from your ISP?
#
# If set to yes, the firewall will notice when connection is choking, however
# this opens yourself to a denial of service attack. Choose your poison.
#
# Choice: "yes" or "no", defaults to "yes"
#
FW_ALLOW_FW_SOURCEQUENCH="yes"

#
# 22.)
# Allow/Ignore IP Broadcasts?
#
# If set to yes, the firewall will not filter broadcasts by default.
# This is needed e.g. for Netbios/Samba, RIP, OSPF where the broadcast
# option is used.
# If you do not want to allow them but want to ignore the annoying log entries,
# set FW_IGNORE_FW_BROADCAST to yes.
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_FW_BROADCAST="no"
#
FW_IGNORE_FW_BROADCAST="yes"

#
# 23.)
# Allow same class routing per default?
# REQUIRES: FW_ROUTE
#
# Do you want to allow routing between interfaces of the same class
# (e.g. between all internet interfaces, or all internal network interfaces)
# by default (so without the need of setting up FW_FORWARD definitions)?
#
# Choice: "yes" or "no", defaults to "no"
#
FW_ALLOW_CLASS_ROUTING="no"

#
# 25.)
# Do you want to load customary rules from a file?
#
# This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
# READ THE EXAMPLE CUSTOMARY FILE AT /etc/rc.config.d/firewall2-custom.rc.config
#
#FW_CUSTOMRULES="/etc/rc.config.d/firewall2-custom.rc.config"

pudding
02.10.02, 17:30
hmm, nothing to spot at a quick glance - looks ok at first sight
did you scan on ppp0?

pudding

HangLoose
02.10.02, 17:33
hi

I see it the same way. what do you actually *do* over port 20000? could something be leaking there?

Peace-on-earth
02.10.02, 17:36
I scanned my ports at https://grc.com/x/ne.dll?bh0bkyd2. That website gets e.g. the workgroup from somewhere.
So it should be ppp0 that is being scanned.
Just scanned again. Yes, ppp0 is being scanned.

Peace-on-earth
02.10.02, 17:39
Originally posted by HangLoose
hi

I see it the same way. what do you actually *do* over port 20000? could something be leaking there?

I don't think anything gets through there. That's the mtG-capriserver. With it I can use the server's ISDN card from e.g. Fritz applications. That makes sense for me when I'm in a hotel, for instance: I can dial in via my 0800 number, fetch mail from the server, or fax through it as well. In other words, I don't leave anything behind for the phone at the hotel. Otherwise that would kill you.

Jinto
02.10.02, 17:42
Post your iptables -Ln here

Peace-on-earth
02.10.02, 17:47
Originally posted by Jinto
Post your iptables -Ln here



iptables: Table does not exist (do you need to insmod?)
:ugly: :confused:

Jinto
02.10.02, 17:49
Sorry:
iptables -L -n

HangLoose
02.10.02, 17:51
Originally posted by Peace-on-earth
I don't think anything gets through there. That's the mtG-capriserver. With it I can use the server's ISDN card from e.g. Fritz applications. That makes sense for me when I'm in a hotel, for instance: I can dial in via my 0800 number, fetch mail from the server, or fax through it as well. In other words, I don't leave anything behind for the phone at the hotel. Otherwise that would kill you.

that's a nice thing :).

otherwise, apart from the ping from outside to your firewall being allowed, everything is configured identically to mine. at least at first glance. I have to go out now. but I can compare it more closely with mine tonight.

Regards HangLoose

Peace-on-earth
02.10.02, 17:57
Originally posted by Jinto
Sorry:
iptables -L -n

Um, :rolleyes: maybe a dumb newbie question: I do everything from my Windows machine via PuTTY (ssh). 'iptables -L -n' outputs so much that I can't even copy it. At least the first part is missing. How can I stop the information flying past?

Peace-on-earth
02.10.02, 17:59
Originally posted by HangLoose
that's a nice thing :).

otherwise, apart from the ping from outside to your firewall being allowed, everything is configured identically to mine. at least at first glance. I have to go out now. but I can compare it more closely with mine tonight.

Regards HangLoose

Nice that you're all helping me, or want to help! A big thank you to everyone!

Jinto
02.10.02, 18:02
Scroll up :D
If that isn't enough, just enlarge the buffer (setting in PuTTY), or redirect the output, e.g.:
iptables -L -n > FILENAME

Then open the file FILENAME with an editor of your choice.

HTH

HangLoose
02.10.02, 18:02
iptables -L -n | grep <= edit: rubbish, of course that has to be more

Peace-on-earth
02.10.02, 18:06
Again something this long:


Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpts:137:138
LOG all -- 127.0.0.0/8 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING'
LOG all -- 0.0.0.0/0 127.0.0.0/8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING'
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 127.0.0.0/8
LOG all -- 192.168.100.1 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING'
DROP all -- 192.168.100.1 0.0.0.0/0
LOG all -- 217.230.85.1 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOFING'
DROP all -- 217.230.85.1 0.0.0.0/0
input_ext all -- 0.0.0.0/0 217.230.85.1
input_int all -- 0.0.0.0/0 192.168.100.1
DROP all -- 0.0.0.0/0 192.168.100.255
DROP all -- 0.0.0.0/0 255.255.255.255
LOG all -- 0.0.0.0/0 217.230.85.1 LOG flags 6 level 4 prefix `SuSE-FW-ACCESS_DENIED_FOR_INT'
DROP all -- 0.0.0.0/0 217.230.85.1
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-UNALLOWED-TARGET'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
forward_ext all -- 0.0.0.0/0 0.0.0.0/0
forward_int all -- 0.0.0.0/0 0.0.0.0/0
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-UNALLOWED-ROUTING'
DROP all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-FORWARD-ERROR'

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 LOG flags 6 level 4 prefix `SuSE-FW-TRACEROUTE-ATTEMPT'
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 9
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 10
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 13
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-OUTPUT-ERROR'

Chain forward_dmz (0 references)
target prot opt source destination
LOG all -- 217.230.85.1 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 217.230.85.1 0.0.0.0/0
LOG all -- 192.168.100.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 192.168.100.0/24 0.0.0.0/0
LOG all -- 0.0.0.0/0 192.168.100.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION'
DROP all -- 0.0.0.0/0 192.168.100.1
LOG all -- 0.0.0.0/0 217.230.85.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION'
DROP all -- 0.0.0.0/0 217.230.85.1
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT all -- 192.168.100.0/24 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 192.168.100.0/24 state RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG udp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT-INVALID'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain forward_ext (1 references)
target prot opt source destination
LOG all -- 192.168.100.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 192.168.100.0/24 0.0.0.0/0
LOG all -- 192.168.100.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 192.168.100.0/24 0.0.0.0/0
LOG all -- 0.0.0.0/0 192.168.100.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION'
DROP all -- 0.0.0.0/0 192.168.100.1
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT all -- 192.168.100.0/24 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 192.168.100.0/24 state RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG udp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT-INVALID'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain forward_int (1 references)
target prot opt source destination
LOG all -- 217.230.85.1 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 217.230.85.1 0.0.0.0/0
LOG all -- 0.0.0.0/0 217.230.85.1 LOG flags 6 level 4 prefix `SuSE-FW-DROP-CIRCUMVENTION'
DROP all -- 0.0.0.0/0 217.230.85.1
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT all -- 192.168.100.0/24 0.0.0.0/0 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 192.168.100.0/24 state RELATED,ESTABLISHED
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG udp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT-INVALID'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain input_dmz (0 references)
target prot opt source destination
LOG all -- 217.230.85.1 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 217.230.85.1 0.0.0.0/0
LOG all -- 192.168.100.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 192.168.100.0/24 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 2 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x16/0x02 reject-with tcp-reset
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:37 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:37 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:79 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:79 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20011 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20011 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpts:600:65535 flags:!0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpt:20 flags:!0x16/0x02
ACCEPT udp -- 194.25.2.129 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp spt:53 dpts:1024:65535
ACCEPT udp -- 217.5.100.129 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp spt:53 dpts:1024:65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:23
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:25
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:37
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:37
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:79
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:517
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:518
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20011
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG udp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT-INVALID'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain input_ext (1 references)
target prot opt source destination
LOG all -- 192.168.100.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 192.168.100.0/24 0.0.0.0/0
LOG all -- 192.168.100.0/24 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 192.168.100.0/24 0.0.0.0/0
LOG icmp -- 217.230.85.1 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT-SOURCEQUENCH'
ACCEPT icmp -- 217.230.85.1 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 2 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:80
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:21
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:110
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:20000
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:25
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x16/0x02 reject-with tcp-reset
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:37 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:37 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:79 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:79 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20011 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20011 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpts:600:65535 flags:!0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpt:20 flags:!0x16/0x02
ACCEPT udp -- 194.25.2.129 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp spt:53 dpts:1024:65535
ACCEPT udp -- 217.5.100.129 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp spt:53 dpts:1024:65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:23
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:25
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:37
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:37
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:79
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:517
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:518
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20011
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED udp dpts:61000:65095
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG udp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT-INVALID'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain input_int (1 references)
target prot opt source destination
LOG all -- 217.230.85.1 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ANTI-SPOOF'
DROP all -- 217.230.85.1 0.0.0.0/0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 12
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 14
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED icmp type 18
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 2 LOG flags 6 level 4 prefix `SuSE-FW-DROP-ICMP-CRIT'
DROP icmp -- 0.0.0.0/0 0.0.0.0/0
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:22
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:25
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:110
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:139
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:80
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20000 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:20000
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 flags:0x16/0x02 reject-with tcp-reset
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:37 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:37 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:79 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:79 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:513 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20011 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20011 flags:0x16/0x02
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1024:65535 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-ACCEPT'
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpts:1024:65535
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpts:600:65535 flags:!0x16/0x02
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED tcp dpt:20 flags:!0x16/0x02
ACCEPT udp -- 194.25.2.129 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp spt:53 dpts:1024:65535
ACCEPT udp -- 217.5.100.129 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp spt:53 dpts:1024:65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:21
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:22
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:23
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:25
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:37
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:37
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:79
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:123
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:138
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:139
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:513
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:517
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:518
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20000
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:20011
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 5 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 13 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 17 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG udp -- 0.0.0.0/0 0.0.0.0/0 LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT'
LOG all -- 0.0.0.0/0 0.0.0.0/0 state INVALID LOG flags 6 level 4 prefix `SuSE-FW-DROP-DEFAULT-INVALID'
DROP all -- 0.0.0.0/0 0.0.0.0/0

Harry
02.10.02, 18:40
Hi,


Originally posted by Peace-on-earth
Another long one:


Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpts:137:138

That much is already enough to see that NetBIOS Name Service and NetBIOS Datagram Service are allowed in over UDP on your box.
And that is exactly where the info gets through. I'll have a look at the script further up in a moment ... I only just got in.

Harry

Harry
02.10.02, 18:47
Hello again,

rewrite your config in sections 9 and 12 as follows:

Originally posted by Peace-on-earth
#
# 9.)
# Which services ON THE FIREWALL should be accessible from either the internet
# (or other untrusted networks), the dmz or internal (trusted networks)?
# (see no.13 & 14 if you want to route traffic through the firewall) XXX
#
# Enter all ports or known portnames below, seperated by a space.
# TCP services (e.g. SMTP, WWW) must be set in FW_SERVICES_*_TCP, and
# UDP services (e.g. syslog) must be set in FW_SERVICES_*_UDP.
# e.g. if a webserver on the firewall should be accessible from the internet:
# FW_SERVICES_EXT_TCP="www"
# e.g. if the firewall should receive syslog messages from the dmz:
# FW_SERVICES_DMZ_UDP="syslog"
# For IP protocols (like GRE for PPTP, or OSPF for routing) you need to set
# FW_SERVICES_*_IP with the protocol name or number (see /etc/protocols)
#
# Choice: leave empty or any number of ports, known portnames (from
# /etc/services) and port ranges seperated by a space. Port ranges are
# written like this: allow port 1 to 10 -> "1:10"
# e.g. "", "smtp", "123 514", "3200:3299", "ftp 22 telnet 512:514"
# For FW_SERVICES_*_IP enter the protocol name (like "igmp") or number ("2")
#
# Common: smtp domain
FW_SERVICES_EXT_TCP="www ftp pop3 20000 ssh smtp"
# Common: domain
FW_SERVICES_EXT_UDP="" # Common: domain
# For VPN/Routing which END at the firewall!!
FW_SERVICES_EXT_IP=""
#
# Common: smtp domain
FW_SERVICES_DMZ_TCP=""
# Common: domain
FW_SERVICES_DMZ_UDP=""
# For VPN/Routing which END at the firewall!!
FW_SERVICES_DMZ_IP=""
#
# Common: ssh smtp domain
FW_SERVICES_INT_TCP="ssh smtp pop3 netbios-ns netbios-dgm netbios-ssn http 20000"
# Common: domain syslog
FW_SERVICES_INT_UDP="netbios-ns netbios-dgm netbios-ssn"
# For VPN/Routing which END at the firewall!!
FW_SERVICES_INT_IP=""

...

#
# 12.)
# Are you running some of the services below?
# They need special attention - otherwise they won´t work!
#
# Set services you are running to "yes", all others to "no", defaults to "no"
#
FW_SERVICE_AUTODETECT="yes" # Autodetect the services below when starting
#
# If you are running bind/named set to yes. Remember that you have to open
# port 53 (or "domain") as udp/tcp to allow incoming queries.
# Also FW_ALLOW_INCOMING_HIGHPORTS_UDP needs to be "yes"
FW_SERVICE_DNS="no"
#
# if you use dhclient to get an ip address you have to set this to "yes" !
FW_SERVICE_DHCLIENT="no"
#
# set to "yes" if this server is a DHCP server
FW_SERVICE_DHCPD="no"
#
# set to "yes" if this server is running squid. You still have to open the
# tcp port 3128 to allow remote access to the squid proxy service.
FW_SERVICE_SQUID="no"
#
# set to "yes" if this server is running a samba server. You still have to open
# the tcp port 139 to allow remote access to SAMBA.
FW_SERVICE_SAMBA="no"

Then do an "rcSuSEfirewall reload", scan again and please post the result.

Harry

Peace-on-earth
02.10.02, 19:30
Well, that tip wasn't bad at all. However, when I now restart the firewall I get the following message:
server:~ # SuSEfirewall2 start
Warning: detected START_SMB=yes in /etc/rc.config, enabling FW_SERVICE_SMB!
You still have to allow tcp port 139 on internal, dmz and/or external.

The firewall starts anyway. But the ports are opened up again and the info leaks through.
If I now "switch" to START_SMB=no in /etc/rc.config, there is no error message when the firewall starts. The ports are no longer opened either, and no info gets through. The way it should be. Only now, of course, Samba no longer starts at boot. If I see this correctly, I now need some other way to start Samba, right? That's actually pretty dumb.

Harry
02.10.02, 19:41
Hello,

ouch ... what on earth is SFW2 doing there?
Just checked it on 8.0 ... same behaviour there.

You can now take the following measures to solve this:
1. In /sbin/SuSEfirewall2 search for the entry "FW_SERVICE_SAMBA=yes" and set it to "no".
or
2. In /etc/smb.conf set the following parameters:


[global]
interfaces = <LAN-Interface>
bind interfaces only = Yes


Both solutions are unfortunately only suboptimal ... surely SFW2 can somehow be configured to do this automatically. :eek:

Harry

Peace-on-earth
02.10.02, 19:51
Originally posted by Harry
Hello,

ouch ... what on earth is SFW2 doing there?
Just checked it on 8.0 ... same behaviour there.

You can now take the following measures to solve this:
1. In /sbin/SuSEfirewall2 search for the entry "FW_SERVICE_SAMBA=yes" and set it to "no".
or
2. In /etc/smb.conf set the following parameters:


[global]
interfaces = <LAN-Interface>
bind interfaces only = Yes


Both solutions are unfortunately only suboptimal ... surely SFW2 can somehow be configured to do this automatically. :eek:

Harry

What happens with solution 2? Why is it only 'suboptimal'?

Harry
02.10.02, 19:54
With solution 2 you tell your Samba that it should kindly offer its service only on the LAN interface and not on the external Internet interface. There is then no NetBIOS service to the outside any more, but your IP stack is still reachable from outside on ports 137/udp and 138/udp.

Harry

Jinto
02.10.02, 19:55
IMHO Samba should always be configured as in solution 2 (unless you want to share it over the Internet).

@Peace-on-earth
This tells Samba to use only the local network interface. Access via any other interface is no longer possible after that. IMHO all services should be configured this way; it also saves some trouble with wrong packet filter rules.

HangLoose
02.10.02, 19:59
hi

one way to close this security hole can be found here

http://www.robidu.de/linux/news/index.html#sicherheitsloch

there you'll find a modified firewall script for download.


Regards HangLoose

Peace-on-earth
02.10.02, 20:36
So, I have now closed the security hole as instructed. The error message still appears when the firewall starts. No information is given away any more, but how can I be sure that ports 137 and 138 are no longer open? There must be a command to check that.
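Added example, not code from the thread or from SuSEfirewall2: a small Python audit that answers Harry's diagnosis above (the ACCEPT for udp 137:138 at the top of INPUT) and the last question (how to check that 137 and 138 are really closed). It parses an `iptables -L -n` dump in the layout posted in this thread and walks the chains with iptables' first-match semantics, treating LOG as non-terminating, following jumps into user chains such as input_ext, and ignoring rules that only match ESTABLISHED traffic or non-SYN segments, to report the verdict for a fresh inbound packet to udp/137, udp/138 and tcp/139. The two dumps inside it are constructed, modelled on the posted output; the function names are mine.

```python
"""Audit an ``iptables -L -n`` dump: verdict for fresh inbound NetBIOS packets.
Added example (not from the thread or SuSEfirewall2); sample dumps are constructed."""
import re
from dataclasses import dataclass, field
from typing import Optional

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")   # target prot opt src dst extra
DPT_RE = re.compile(r"\bdpts?:(\d+)(?::(\d+))?")
STATE_RE = re.compile(r"\bstate (\S+)")
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

@dataclass
class Rule:
    target: str
    proto: str
    dport: Optional[tuple] = None   # (lo, hi) destination port range, None = any port
    states: Optional[set] = None    # conntrack states the rule matches, None = any
    not_syn: bool = False           # "flags:!0x16/0x02" matches only non-SYN segments

    def matches_new(self, proto: str, port: int) -> bool:
        # Does the rule match a brand-new inbound packet (state NEW, SYN for tcp)?
        if self.proto not in ("all", proto):
            return False
        if self.dport and not (self.dport[0] <= port <= self.dport[1]):
            return False
        if self.states is not None and "NEW" not in self.states:
            return False
        return not self.not_syn

@dataclass
class Chain:
    name: str
    policy: Optional[str]           # built-in chains carry a policy, user chains do not
    rules: list = field(default_factory=list)

def parse_dump(text: str) -> dict:
    """Parse the dump into {chain name: Chain}; raises on a line it cannot read."""
    chains, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("target "):   # blank line or column header
            continue
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        m = RULE_RE.match(line)
        if not m or current is None:
            raise ValueError(f"unparsed line: {line!r}")
        target, proto, extra = m.groups()
        dm, sm = DPT_RE.search(extra), STATE_RE.search(extra)
        dport = (int(dm.group(1)), int(dm.group(2) or dm.group(1))) if dm else None
        states = set(sm.group(1).split(",")) if sm else None
        current.rules.append(Rule(target, proto, dport, states, "flags:!" in extra))
    return chains

def verdict(chains: dict, chain_name: str, proto: str, port: int) -> Optional[str]:
    """First-match walk: ACCEPT/DROP/REJECT, else the chain policy (None for user chains)."""
    chain = chains[chain_name]
    for rule in chain.rules:
        if not rule.matches_new(proto, port):
            continue
        if rule.target in TERMINATING:
            return rule.target
        if rule.target in chains:   # jump into a user-defined chain; None means it fell through
            sub = verdict(chains, rule.target, proto, port)
            if sub is not None:
                return sub
        # LOG and a user chain that fell through are non-terminating: keep walking
    return chain.policy

def audit_netbios(dump: str) -> dict:
    """INPUT-chain verdict for udp/137, udp/138 and tcp/139, e.g. {'udp/137': 'DROP', ...}."""
    chains = parse_dump(dump)
    return {f"{p}/{n}": verdict(chains, "INPUT", p, n) for p, n in (("udp", 137), ("udp", 138), ("tcp", 139))}

# Constructed dump in the shape of the thread's output; the ACCEPT for udp 137:138 in INPUT is the leak.
LEAKY_DUMP = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED udp dpts:137:138
input_ext  all  --  0.0.0.0/0            0.0.0.0/0

Chain input_ext (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED tcp dpt:80
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137
DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 flags:0x16/0x02 LOG flags 6 level 4 prefix `SuSE-FW-DROP'
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:139 flags:0x16/0x02
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state ESTABLISHED tcp dpts:600:65535 flags:!0x16/0x02
DROP       all  --  0.0.0.0/0            0.0.0.0/0
"""
# The same ruleset after the fix: the offending INPUT rule is gone.
FIXED_DUMP = "\n".join(l for l in LEAKY_DUMP.splitlines() if "dpts:137:138" not in l)
if __name__ == "__main__":
    for label, dump in (("before", LEAKY_DUMP), ("after", FIXED_DUMP)):
        print(label, audit_netbios(dump))
```

On the server itself, `iptables -L -n > dump.txt` produces the input this expects. Two caveats: `iptables -L -n` without `-v` hides the in/out interface column, so a rule like the `ACCEPT all -- 0.0.0.0/0 0.0.0.0/0` at the top of the posted INPUT chain (normally the loopback rule) would be reported as accepting everything; use `-v` output and extend the column handling if that matters. And, as Harry says above, `bind interfaces only` in smb.conf only changes what nmbd answers, not what the packet filter lets through, so the filter verdict is the thing to verify; a scan from outside, like the one this thread started with, confirms it end to end.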