
Re: [opensuse-security] Re: [suse-security] iptables SuSEfirewall2

Boyan Tabakov schrieb:
> On 9.11.2006 23:07, Wade Grant wrote:
>> I know that SuSefirewall uses iptables but for example I want to make an
>> entry for
>> iptables -I INPUT -s -j DROP
>> Basically I want to drop any connections from the
>> network coming to a sendmail server.
>> With the Yast and SuSefirewall scripts managing the iptables
>> where will I put my entry in and how do I make iptables read the new
>> entry?
>> I tried issuing the above from the command line but I don't know how
>> Suse likes to restart to read the new entry.
>> Help would be appreciated.
> By the way - your rule is incorrect for what you want to do. You should
> specify netmask /16 and not /32. /32 means 'host' and not entire subnet.
Therefore you should tell the unknowing what that means ...
- all IPs
- all IPs
- all IPs
- the whole subnet 123.123.1230
- only the host with IP

a.b.c.d/x means:

address range = 32-x bits of the subnet.

If there is a half subnet (some use this for routing the limited
number of real IP's):

123.123.123.x = IP of one of the half subnet's clients
( = subnetmask)
therefore is the whole subnet -
and is the second subnet -

You can do this further on (these are only some examples)!

There are two/three possible positions of clients:

internet (dev_ext), intranet (dev_int) and the servers unprotected
side (dev_dmz).
You must know where your clients belong.

I think you mean external clients (whoohaa, the bad client numbers), so
place them in /etc/sysconfig/scripts/SuSEfirewall2-custom.
Put them here:


Don't overwrite the { or }-signs otherwise it won't work!

Don't forget to activate this in /etc/sysconfig/SuSEfirewall2 (don't
overwrite the ' -signs here otherwise it won't work!)!

To restart, it has proven best to do:

/etc/init.d/SuSEfirewall2 stop && /etc/init.d/SuSEfirewall2 start

instead of:

/etc/init.d/SuSEfirewall2 restart

A simple restart sometimes doesn't work in my experience (some
chains still remain)!



P.S.: HTH! Nice that the lists now will work again (I always get
strange ideas if there is no mail for a while in this list)!

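An added example, not from the thread or from SuSEfirewall2: the a.b.c.d/x arithmetic the reply describes (top x bits fixed, 32-x bits of address range), plus the masked comparison the kernel applies for an iptables `-s` match. It shows why the /32 rule in the original question drops one host only, why /16 covers the whole 123.123.0.0 network, and how a /25 "half subnet" splits 123.123.123.0/24 in two. The 123.123.123.x addresses are placeholders as in the thread.

```python
# Added example (not the project's or the thread author's code): CIDR math
# in plain integers, mirroring the netmask test iptables uses for "-s".
# 123.123.123.x is a placeholder network, as in the mailing-list reply.

def ip_to_int(ip: str) -> int:
    """Pack a dotted quad into a 32-bit integer, rejecting malformed input."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_range(cidr: str):
    """Return (network, broadcast, netmask, address_count) for a.b.c.d/x.
    The prefix fixes the top x bits; the remaining 32-x host bits are the
    address range inside the subnet. A bare address means /32 (one host),
    which is also what iptables assumes when no prefix is given."""
    addr, _, prefix = cidr.partition("/")
    x = int(prefix) if prefix else 32
    if not 0 <= x <= 32:
        raise ValueError(f"bad prefix length: /{x}")
    host_bits = 32 - x
    mask = (0xFFFFFFFF << host_bits) & 0xFFFFFFFF
    network = ip_to_int(addr) & mask            # host bits cleared
    broadcast = network | ((1 << host_bits) - 1)  # host bits set
    return int_to_ip(network), int_to_ip(broadcast), int_to_ip(mask), 1 << host_bits

def matches(src_ip: str, cidr: str) -> bool:
    """The test the kernel applies for '-s cidr': mask the packet's source
    address with the rule's netmask and compare it to the rule's network."""
    network, _, netmask, _ = cidr_range(cidr)
    return ip_to_int(src_ip) & ip_to_int(netmask) == ip_to_int(network)

if __name__ == "__main__":
    for rule in ("123.123.123.7/32", "123.123.123.7/16",
                 "123.123.123.7/25", "123.123.123.200/25"):
        print(rule, "->", cidr_range(rule))
    # A /32 rule drops one host only; /16 covers every 123.123.*.* source.
    print(matches("123.123.45.6", "123.123.123.7/32"))  # False
    print(matches("123.123.45.6", "123.123.123.7/16"))  # True
```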
