
[suse-security] Bug in SuSEfirewall2 when blocking a range of ports with custom rules ?

Hello,

I just blocked a range of ports via firewall2-custom.rc.config, just as 
an example:

for target in DROP; do
    for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
        iptables -A $chain -j $target -p tcp --dport 4000:6000
    done
done

The section used is fw_custom_before_port_handling. The iptables syntax 
seems to be okay, but if I do this and connect to the ISP, SuSEfirewall2 
seems to block every incoming connection, so the connections seem to be 
"dead", though establishing the connection is okay.

When blocking a single port e.g. with

iptables -A $chain -j $target -p tcp --dport 4001

it works fine and no problems occur.

So, is there a known problem when blocking a whole range of ports with 
the "X:Y" syntax of iptables and SuSEfirewall2? The version used is 
SuSEfirewall2 2.1.

Thanx
Malte
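
Added example (not part of Malte's post or of SuSEfirewall2 itself). A rule like `-p tcp --dport 4000:6000 -j DROP` matches every TCP packet whose destination port is in that range, including the reply packets of connections the firewall host (or a host behind it) opened itself, whose local source port may well fall into 4000:6000. Placed before the port handling, such a rule therefore kills exactly those connections while the handshake on a port outside the range still works, which is a plausible explanation for the symptom above, not a fact stated on the page. The script below applies the same six-chain port-range DROP but limits the match to connection initiations, either with --syn or with the state match; the chain names are taken from the post, DRY_RUN and the ipt wrapper are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the same TCP port-range
# DROP as the question, but restricts the match to connection initiations
# (--syn), so reply packets of connections the host or a DMZ/internal host
# opened itself, whose destination port can fall in the range, are not dropped.
# DRY_RUN=1 prints the commands instead of calling iptables (assumed helper).

INPUT_CHAINS="input_ext input_dmz input_int"
FORWARD_CHAINS="forward_int forward_ext forward_dmz"

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# block_range LOW HIGH: DROP new TCP connections to ports LOW:HIGH
# on all six SuSEfirewall2 chains named in the question.
block_range() {
    low=$1
    high=$2
    for chain in $INPUT_CHAINS $FORWARD_CHAINS; do
        # --syn matches SYN-only packets, i.e. the first packet of a new
        # connection; established flows and their replies are not touched.
        ipt -A "$chain" -p tcp --syn --dport "$low:$high" -j DROP
    done
}

# block_range_stateful LOW HIGH: same effect using connection tracking
# (requires the state match / ip_conntrack on the kernel in use).
block_range_stateful() {
    low=$1
    high=$2
    for chain in $INPUT_CHAINS $FORWARD_CHAINS; do
        ipt -A "$chain" -m state --state NEW -p tcp --dport "$low:$high" -j DROP
    done
}

# Usage (dry run, prints the six rules):  DRY_RUN=1 block_range 4000 6000
```

Run it with DRY_RUN=1 first to inspect the generated rules; without DRY_RUN the functions call iptables directly, so they belong in the same custom-rules section the post uses.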


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here