
[suse-security] SuSEFirewall 2 / SuSE 8.1 accepting packets it should not



Hi List,

Checking my logs today, I found that my firewall accepts some (not all!) 
packets to TCP high ports, although I thought I had them all closed. 
The firewall script is the latest update for 8.1, the system is SuSE 
8.1 with all current patches installed. Any ideas?

Here is my firewall configuration:

FW_DEV_EXT="ppp0 ippp0"
FW_DEV_INT="eth0 ippp1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/16"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""	# Common: domain
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"  # <<<<< !!!!!
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"	# Autodetect the services below when starting
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="yes"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""		# Beware to use this!
FW_FORWARD_MASQ=""		# Beware to use this!
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="yes"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="yes"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="yes"
FW_IGNORE_FW_BROADCAST="no"
FW_ALLOW_CLASS_ROUTING="yes"
FW_QUICKMODE="no"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_CUSTOMRULES=""
FW_REJECT="no"

Here is an excerpt from the logs:

Oct 23 19:58:03 akira kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405AC010303030101080A000000000000000001010402)
Oct 23 19:58:03 akira kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405AC010303030101080A000000000000000001010402)
Oct 23 19:58:05 akira kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63258 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405AC010303030101080A000000000000000001010402)
Oct 23 19:58:05 akira kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63258 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405AC010303030101080A000000000000000001010402)
Oct 23 19:58:11 akira kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=217.0.221.1 DST=80.134.29.51 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=48006 DF PROTO=TCP SPT=4351 DPT=4662 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)
Oct 23 19:58:11 akira kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=217.0.221.1 DST=80.134.29.51 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=48006 DF PROTO=TCP SPT=4351 DPT=4662 WINDOW=32767 RES=0x00 SYN URGP=0 OPT (020405AC0103030001010402)

Bye,

        Jürgen
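A check a reader can run on an excerpt like the one in the post above (example code added to this thread, not part of the original message and not SuSEfirewall2's own tooling): a small Python parser for iptables LOG lines carrying the SuSE-FW-* prefixes. It lists accepted inbound TCP SYNs arriving on the external devices for ports 1024 and above, which is exactly what FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" is meant to prevent, and it separately reports any packet identity (SRC, SPT, DST, DPT, PROTO, ID) that appears under more than one prefix, as every packet in the excerpt does. The sample input reuses three lines quoted above plus one constructed line on the internal interface; the external device set mirrors FW_DEV_EXT from the posted configuration, and the 1024 boundary is an assumption about what "high port" means here.

```python
import re
from collections import defaultdict

# Sample input: three lines taken from the post (OPT field dropped for brevity)
# plus one constructed line on the internal interface eth0 (not from the post).
SAMPLE_LOG = """\
Oct 23 19:58:03 akira kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0
Oct 23 19:58:03 akira kernel: SuSE-FW-DROP-DEFAULT IN=ppp0 OUT= MAC= SRC=217.82.120.186 DST=80.134.29.51 LEN=64 TOS=0x00 PREC=0x00 TTL=124 ID=63058 DF PROTO=TCP SPT=3822 DPT=4662 WINDOW=44032 RES=0x00 SYN URGP=0
Oct 23 19:58:11 akira kernel: SuSE-FW-ACCEPT IN=ppp0 OUT= MAC= SRC=217.0.221.1 DST=80.134.29.51 LEN=52 TOS=0x00 PREC=0x00 TTL=124 ID=48006 DF PROTO=TCP SPT=4351 DPT=4662 WINDOW=32767 RES=0x00 SYN URGP=0
Oct 23 19:58:20 akira kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC= SRC=192.168.1.5 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0
"""

# External devices, mirroring FW_DEV_EXT="ppp0 ippp0" from the posted config.
EXT_DEVS = {"ppp0", "ippp0"}

# Matches the log prefix and everything after it; the rest is "KEY=value" tokens
# interleaved with bare flag tokens such as DF, SYN, ACK.
LINE_RE = re.compile(r"kernel: (?P<prefix>SuSE-FW-[A-Z-]+) (?P<fields>.*)$")


def parse_line(line):
    """Return a dict of fields for one SuSE-FW log line, or None for unrelated lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value          # e.g. IN=ppp0, DPT=4662, OUT= (empty)
        else:
            rec["flags"].add(tok)     # e.g. DF, SYN, ACK
    return rec


def packet_key(rec):
    """Identity of one packet: enough to match the same datagram across prefixes."""
    return tuple(rec.get(k) for k in ("SRC", "SPT", "DST", "DPT", "PROTO", "ID"))


def accepted_high_port_syns(text, ext_devs=EXT_DEVS, high_port=1024):
    """(SRC, DPT) for accepted inbound connection attempts (SYN without ACK)
    that arrived on an external device for a port >= high_port."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != "SuSE-FW-ACCEPT":
            continue
        if rec.get("IN") not in ext_devs or rec.get("PROTO") != "TCP":
            continue
        new_conn = "SYN" in rec["flags"] and "ACK" not in rec["flags"]
        if new_conn and int(rec.get("DPT", 0)) >= high_port:
            hits.append((rec["SRC"], rec["DPT"]))
    return hits


def double_logged_packets(text):
    """Packet identities seen under more than one prefix, e.g. both
    SuSE-FW-ACCEPT and SuSE-FW-DROP-DEFAULT, with the sorted prefix list."""
    seen = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            seen[packet_key(rec)].add(rec["prefix"])
    return {key: sorted(prefixes) for key, prefixes in seen.items() if len(prefixes) > 1}


if __name__ == "__main__":
    for src, dpt in accepted_high_port_syns(SAMPLE_LOG):
        print(f"accepted external SYN to high port {dpt} from {src}")
    for key, prefixes in double_logged_packets(SAMPLE_LOG).items():
        print(f"packet {key} logged as {' and '.join(prefixes)}")
```

Run it against the real /var/log/messages by reading the file into the text argument instead of SAMPLE_LOG; because the parser keys on SRC/SPT/DST/DPT/PROTO/ID rather than on the timestamp, it pairs the ACCEPT and DROP-DEFAULT lines even when they are logged in the same second.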


