
Re: [opensuse-security] SuSefirewall - protect sshd






The Tuesday 2008-03-11 at 08:52 +0100, Ludwig Nussel wrote:

> Carlos E. R. wrote:
> > Maybe the trick is to define "FW_SERVICES_ACCEPT_EXT" and undefine any
> > other "accept" rule. That is not documented if so!
>
> FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP etc. are processed first. So if those
> install rules that accept packets that are also matched by
> FW_SERVICES_ACCEPT_EXT the latter rules will never be hit.

I use FW_TRUSTED_NETS. Like this:

FW_TRUSTED_NETS=" ....
        192.168.1.11,tcp,ssh        \
        192.168.1.33,tcp,ssh        \
.... etc


I think that you should document this in the comments of FW_SERVICES_ACCEPT_EXT in the /etc/sysconfig/SuSEfirewall2 file. There is no way we could know that, not being iptables experts.

Especially as this is not the behaviour we got from using the custom rules file, which this new token replaces.


-- Cheers,
       Carlos E. R.
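The ordering pitfall Ludwig describes (a service opened in FW_SERVICES_EXT_TCP is accepted before any FW_SERVICES_ACCEPT_EXT restriction on the same service is reached) can be caught before the firewall is reloaded. The shell check below is an added example, not part of the thread or of SuSEfirewall2; the config fragments it reads are constructed samples, and it assumes the three-field "net,proto,port" rule form shown above:

```shell
#!/bin/sh
# Constructed sample of a /etc/sysconfig/SuSEfirewall2 fragment (not a real host's file).
# FW_SERVICES_EXT_TCP opens ssh to the whole external zone, so the
# FW_SERVICES_ACCEPT_EXT restriction to two hosts is never hit.
SAMPLE_CONFIG='
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_ACCEPT_EXT="192.168.1.11,tcp,ssh 192.168.1.33,tcp,ssh"
'

# Constructed corrected fragment: ssh is not opened globally, and the
# per-host permission is expressed with FW_TRUSTED_NETS as in the thread.
FIXED_CONFIG='
FW_SERVICES_EXT_TCP=""
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS="192.168.1.11,tcp,ssh 192.168.1.33,tcp,ssh"
'

# shadowed_services CONFIG_TEXT
# Prints, one per line, each service listed in FW_SERVICES_EXT_TCP that also
# appears as the port of a tcp rule in FW_SERVICES_ACCEPT_EXT. Any such service
# is accepted globally, so the restricting rule is dead. Prints nothing if the
# configuration is consistent.
shadowed_services() {
    # Evaluate the sysconfig text in a subshell so the caller's environment
    # is untouched; sysconfig files are plain shell variable assignments.
    (
        eval "$1"
        for svc in $FW_SERVICES_EXT_TCP; do
            for rule in $FW_SERVICES_ACCEPT_EXT; do
                port=${rule##*,}            # last field: port or service name
                rest=${rule%,*}             # net,proto
                proto=${rest##*,}           # middle field: protocol
                if [ "$proto" = tcp ] && [ "$port" = "$svc" ]; then
                    echo "$svc"
                    break                   # report each service once
                fi
            done
        done
    )
}

# Usage: run the check against both samples.
echo "sample config, shadowed: $(shadowed_services "$SAMPLE_CONFIG")"
echo "fixed config, shadowed:  $(shadowed_services "$FIXED_CONFIG")"
```

In practice the first argument would be the contents of the real /etc/sysconfig/SuSEfirewall2, e.g. `shadowed_services "$(cat /etc/sysconfig/SuSEfirewall2)"`.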