
Re: [opensuse-security] Re: [suse-security] iptables SuSEfirewall2



Boyan Tabakov wrote:
> On 9.11.2006 23:07, Wade Grant wrote:
>> I know that SuSefirewall uses iptables but for example I want to make an
>> entry for
>> iptables -I INPUT -s 172.16.0.0/32 -j DROP
>> Basically I want to drop any connections from the
>> 172.16.0.0-172.16.255.255 network coming to a sendmail server.
>> With the Yast and SuSefirewall scripts managing the iptables
>> where will I put my entry in and how do I make iptables read the new
>> entry?
>> I tried issuing the above from the command line but I don't know how
>> Suse likes to restart to read the new entry.
>> Help would be appreciated.
>
> By the way - your rule is incorrect for what you want to do. You should
> specify netmask /16 and not /32. /32 means 'host' and not entire subnet.
>
Therefore you should tell those who don't know what that means ...

0.0.0.0/0 - all IP's 0.0.0.0 - 255.255.255.255
123.0.0.0/8 - all IP's 123.0.0.0 - 123.255.255.255
123.123.0.0/16 - all IP's 123.123.0.0 - 123.123.255.255
123.123.123.0/24 - the whole subnet 123.123.123.0 - 123.123.123.255
123.123.123.123/32 - only the host with IP 123.123.123.123

a.b.c.d/x means:

address range = 32-x bits of the subnet.

If there is a half subnet (some use this for routing the limited
number of real IP's):

123.123.123.x = IP of one of the half subnet's clients
(255.255.255.128 = subnet mask)
therefore 123.123.123.0/25 is the whole subnet 123.123.123.0 -
123.123.123.127
and 123.123.123.128/25 is the second subnet 123.123.123.128 -
123.123.123.255

You can do this further on (these are only some examples)!

There are two/three possible positions of clients:

internet (dev_ext), intranet (dev_int) and the servers' unprotected
side (dev_dmz).
You must know where your clients belong.

I think you mean external clients (whoohaa the bad client numbers), so
place them in /etc/sysconfig/scripts/SuSEfirewall2-custom.
put them here:

fw_custom_before_antispoofing

Don't overwrite the { or }-signs otherwise it won't work!

Don't forget to activate this in /etc/sysconfig/SuSEfirewall2 (don't
overwrite the ' -signs here otherwise it won't work!)!

To restart, it has proven better to do this:

/etc/init.d/SuSEfirewall2 stop && /etc/init.d/SuSEfirewall2 start

instead of:

/etc/init.d/SuSEfirewall2 restart

A simple restart sometimes doesn't work from my experience (some
chains still remain)!

Regards

Philippe

P.S.: HTH! Nice that the lists now will work again (I always get
strange ideas if there is no mail for a while in this list)!

--
This message is digitally signed and contains neither seal nor
signature!

Sending unsolicited advertising e-mail to private individuals violates
§1 UWG and 823 I BGB (decision of the LG Berlin of 2.8.1998, case no.
16 O 201/98). Any commercial use of the transmitted personal data, or
passing it on to third parties, is expressly prohibited!

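Added example, not code from the thread or from SuSEfirewall2: a small POSIX shell helper that expands a.b.c.d/x into the first and last address it covers (the /32 vs /16 point above, including the /25 half-subnet case) and emits the matching DROP line for the custom hook. The function names `cidr_range` and `drop_rule` are my own.

```shell
#!/bin/sh
# Added example (not from the thread): expand a.b.c.d/x into the first and
# last address it covers, so a /32 typed where /16 was meant is caught
# before the rule lands in fw_custom_before_antispoofing.
ALL=4294967295   # 0xFFFFFFFF as a decimal literal for portable sh arithmetic

ip_to_int() {
    # "a.b.c.d" -> 32-bit integer
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int_to_ip() {
    # 32-bit integer -> "a.b.c.d"
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

cidr_range() {
    # Print "first-last" for a.b.c.d/x. Host bits of the address are
    # cleared, so 172.16.5.9/16 still yields 172.16.0.0-172.16.255.255.
    ip=${1%/*}; bits=${1#*/}
    case $bits in
        ''|*[!0-9]*) echo "bad prefix length: $1" >&2; return 1 ;;
    esac
    [ "$bits" -le 32 ] || { echo "bad prefix length: $1" >&2; return 1; }
    n=$(ip_to_int "$ip")
    if [ "$bits" -eq 0 ]; then
        mask=0
    else
        mask=$(( (ALL << (32 - bits)) & ALL ))
    fi
    first=$(( n & mask ))
    last=$(( first | (~mask & ALL) ))
    echo "$(int_to_ip "$first")-$(int_to_ip "$last")"
}

drop_rule() {
    # Emit the iptables line for a network, with the covered range as a
    # comment, ready to paste into the custom hook function.
    range=$(cidr_range "$1") || return 1
    echo "iptables -I INPUT -s $1 -j DROP   # blocks $range"
}
```

Run `drop_rule 172.16.0.0/16` and compare the printed range with what you intended before copying the line into the hook.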