[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] suse-security list



-----BEGIN PGP SIGNED MESSAGE-----

Hi Chris!

> What you should definitly do is open port 5678 on FW_SERVICES_EXT_TCP,
> otherwise the firewall won't allow clients to connect. And you can get rid
> of port 80 on EXT because you use the other port for it.

> FW_SERVICES_EXT_TCP="25 53 5678"

That's not necessary for SuSE-FW2 (at least in 8.0), because the
forwarding code will create the needed ACCEPT rules independently of
the settings in FW_SERVICES_EXT_TCP.  However, if the destination host
is itself not masqueraded, e.g., not listed in FW_MASQ_NETS, the reply
packets won't get back through the firewall.  I found that out while
setting up a Windows web server that should only accept incoming
connections on port 80 and have no other Internet access.

Regards, Andy

- --
Andreas J. Mueller                            email: <andy@xxxxxxxxxx>
PGP RSA Public Key ID 0x3D41D941 FP: ED261973D51D3D20 C840B0542E69F602
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (MingW32)

iQC9AwUBPbgj8PobN5o9QdlBAQES7AU/XglTmJHdo+Ca8v0hzsD8cUsIuc/3nEBI
9RJJgaA6JCqxg3d8ONxgxwA4sSJ9tzYzNBboCQDvFtWNo2ABFfPnW0h6+0lyD9F+
ZkZ5a97jXZMM8b85XVkeezxI9JFXABrf6TEYdO2stkF+gknvc4LGZ6mcrrGYgTwo
UO1EarVvV28uk2cyZa8G6X21NR8vPHTAogK4OqWBfexnzWjTaxXNzyY+94fHHNpA
=2Oq3
-----END PGP SIGNATURE-----


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here