#1
14th March 2006, 11:19
zacch (Junior Member)

SuseFirewall expert, please help

Hi

I am new to the SuSE firewall setup and I need help; please advise if anyone knows how. Thank you.

I am currently using SuSE 9 with Squid/DansGuardian/Webmin and it is acting as a gateway for me.

The problem is I am not sure how to set up the SuSE firewall to secure the network.

Please, anyone, advise me on how to do it, and please email me if you can at tan.sebastian@gmail.com. Thank you so much.

I am a noobie at this, so please bear with me for a while. Thank you.
#2
14th March 2006, 18:31
falko (Super Moderator, Lüneburg, Germany)

Have you tried using YaST to configure the firewall?
__________________
Falko
--
Download the ISPConfig 3 Manual! | Check out the ISPConfig 3 Billing Module!

FB: http://www.facebook.com/howtoforge

nginx-Webhosting: Timme Hosting | Follow me on:
#3
15th March 2006, 03:36
zacch (Junior Member)

Hi

Thank you for your reply.

Yes, I have tried using YaST to configure the firewall, but somehow there are about 159 connections going on and I don't understand why... my ISP called me up to tell me that.

Please advise.
#4
15th March 2006, 07:00
zacch (Junior Member)

Hi
I have managed to extract the iptables-save output to iptables.txt.
I will paste it here; please advise me what to do. I have no idea what all of this is; there are too many of them and I don't know which ones are important.

Please advise, thanks in advance!

<INTERNET> -- <building> ------ <firewall> --------------------- <LAN>
ext NIC: 172.x.x.x / int NIC: 10.1.x.x    LAN: 10.1.x.x

I will post the iptables file in a few parts.

# Generated by iptables-save v1.2.9 on Wed Mar 15 13:42:01 2006
*mangle
:PREROUTING ACCEPT [27204:15872792]
:INPUT ACCEPT [4691:896244]
:FORWARD ACCEPT [22513:14976548]
:OUTPUT ACCEPT [3552:828728]
:POSTROUTING ACCEPT [26031:15793591]
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10
-A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10
-A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04
-A PREROUTING -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04
-A PREROUTING -p udp -m udp --dport 514 -j TOS --set-tos 0x04
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 20 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 20 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 80 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 53 -j TOS --set-tos 0x10
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 161 -j TOS --set-tos 0x04
-A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 162 -j TOS --set-tos 0x04
-A OUTPUT -p udp -m udp --dport 514 -j TOS --set-tos 0x04
COMMIT
# Completed on Wed Mar 15 13:42:01 2006
# Generated by iptables-save v1.2.9 on Wed Mar 15 13:42:01 2006
*filter
:INPUT DROP [0:0]
:FORWARD DROP [2:166]
:OUTPUT ACCEPT [0:0]
:forward_dmz - [0:0]
:forward_ext - [0:0]
:forward_int - [0:0]
:input_dmz - [0:0]
:input_ext - [0:0]
:input_int - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A INPUT -d 127.0.0.0/255.0.0.0 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A INPUT -s 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -d 127.0.0.0/255.0.0.0 -j DROP
-A INPUT -s 10.1.0.254 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A INPUT -s 10.1.0.254 -j DROP
-A INPUT -s 172.17.17.20 -j LOG --log-prefix "SFW2-IN-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A INPUT -s 172.17.17.20 -j DROP
-A INPUT -d 255.255.255.255 -i eth0 -j DROP
-A INPUT -d 172.17.17.255 -i eth0 -j DROP
-A INPUT -d 255.255.255.255 -i eth1 -j DROP
-A INPUT -d 10.1.255.255 -i eth1 -j DROP
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_int
-A INPUT -d 172.17.17.20 -i eth1 -j LOG --log-prefix "SFW2-IN-ACC_DENIED_INT " --log-tcp-options --log-ip-options
-A INPUT -d 172.17.17.20 -i eth1 -j DROP
-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -i eth1 -o eth1 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -j forward_ext
-A FORWARD -i eth1 -j forward_int
-A FORWARD -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A FORWARD -j DROP
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix "SFW2-FORWARD-ERROR " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j LOG --log-prefix "SFW2-OUT-TRACERT-ATTEMPT " --log-tcp-options --log-ip-options
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/4 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/9 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/10 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3/13 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j DROP
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j LOG --log-prefix "SFW2-OUTPUT-ERROR " --log-tcp-options --log-ip-options
-A forward_dmz -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A forward_dmz -s 172.17.17.0/255.255.255.0 -j DROP
-A forward_dmz -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-FWDdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A forward_dmz -s 10.1.0.0/255.255.0.0 -j DROP
-A forward_dmz -d 10.1.0.254 -j LOG --log-prefix "SFW2-FWDdmz-DROP-CIRCUMV " --log-tcp-options --log-ip-options
-A forward_dmz -d 10.1.0.254 -j DROP
-A forward_dmz -d 172.17.17.20 -j LOG --log-prefix "SFW2-FWDdmz-DROP-CIRCUMV " --log-tcp-options --log-ip-options
-A forward_dmz -d 172.17.17.20 -j DROP
-A forward_dmz -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_dmz -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_dmz -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_dmz -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_dmz -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_dmz -p udp -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_dmz -m state --state INVALID -j LOG --log-prefix "SFW2-FWDdmz-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_dmz -j DROP
-A forward_ext -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-FWDext-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
#5
15th March 2006, 07:01
zacch (Junior Member)

-A forward_ext -s 10.1.0.0/255.255.0.0 -j DROP
-A forward_ext -d 10.1.0.254 -j LOG --log-prefix "SFW2-FWDext-DROP-CIRCUMV " --log-tcp-options --log-ip-options
-A forward_ext -d 10.1.0.254 -j DROP
-A forward_ext -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_ext -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -p udp -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_ext -m state --state INVALID -j LOG --log-prefix "SFW2-FWDext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_ext -j DROP
-A forward_int -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-FWDint-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A forward_int -s 172.17.17.0/255.255.255.0 -j DROP
-A forward_int -d 172.17.17.20 -j LOG --log-prefix "SFW2-FWDint-DROP-CIRCUMV " --log-tcp-options --log-ip-options
-A forward_int -d 172.17.17.20 -j DROP
-A forward_int -p icmp -m state --state RELATED -m icmp --icmp-type 3 -j ACCEPT
-A forward_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A forward_int -o eth0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A forward_int -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A forward_int -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -p udp -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A forward_int -m state --state INVALID -j LOG --log-prefix "SFW2-FWDint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A forward_int -j DROP
-A input_dmz -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-INdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A input_dmz -s 172.17.17.0/255.255.255.0 -j DROP
-A input_dmz -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-INdmz-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A input_dmz -s 10.1.0.0/255.255.0.0 -j DROP
-A input_dmz -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_dmz -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INdmz-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -j DROP
-A input_dmz -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-ACC-HiTCP " --log-tcp-options --log-ip-options
-A input_dmz -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A input_dmz -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A input_dmz -p udp -m udp --dport 22 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 80 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 111 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 111 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 631 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 631 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 1024 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 1025 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 1026 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 3128 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 3130 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 3401 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 8080 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 10000 -m state --state NEW -j DROP
-A input_dmz -p udp -m udp --dport 10000 -m state --state NEW -j DROP
-A input_dmz -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_dmz -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_dmz -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_dmz -p udp -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_dmz -m state --state INVALID -j LOG --log-prefix "SFW2-INdmz-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_dmz -j DROP
-A input_ext -s 10.1.0.0/255.255.0.0 -j LOG --log-prefix "SFW2-INext-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A input_ext -s 10.1.0.0/255.255.0.0 -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-ACC-SOURCEQUENCH " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
#6
15th March 2006, 07:02
zacch (Junior Member)

-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INext-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -j DROP
-A input_ext -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 111 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 427 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 427 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 631 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 3128 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 8080 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 10000 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-HiTCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A input_ext -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A input_ext -p udp -m udp --dport 22 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 80 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 111 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 111 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 427 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 427 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 631 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 631 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 1024 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 1025 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 1026 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 3128 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 3130 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 3401 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 5353 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 8080 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 10000 -m state --state NEW -j DROP
-A input_ext -p udp -m udp --dport 10000 -m state --state NEW -j DROP
-A input_ext -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_ext -p udp -m state --state ESTABLISHED -m udp --dport 61000:65095 -j ACCEPT
-A input_ext -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A input_int -s 172.17.17.0/255.255.255.0 -j LOG --log-prefix "SFW2-INint-DROP-ANTISPOOF " --log-tcp-options --log-ip-options
-A input_int -s 172.17.17.0/255.255.255.0 -j DROP
-A input_int -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
-A input_int -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 2 -j LOG --log-prefix "SFW2-INint-DROP-ICMP-CRIT " --log-tcp-options --log-ip-options
-A input_int -p icmp -j DROP
-A input_int -p tcp -m tcp --dport 113 --tcp-flags SYN,RST,ACK SYN -j reject_func
-A input_int -p tcp -m state --state RELATED,ESTABLISHED -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-ACC-HiTCP " --log-tcp-options --log-ip-options
-A input_int -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A input_int -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A input_int -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_int -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 4 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 5 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 8 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 13 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p icmp -m icmp --icmp-type 17 -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -p udp -j LOG --log-prefix "SFW2-INint-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_int -m state --state INVALID -j LOG --log-prefix "SFW2-INint-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
-A input_int -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Wed Mar 15 13:42:01 2006
# Generated by iptables-save v1.2.9 on Wed Mar 15 13:42:01 2006
*nat
:PREROUTING ACCEPT [1647:189000]
:POSTROUTING ACCEPT [100:6439]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Mar 15 13:42:01 2006
#7
15th March 2006, 07:04
zacch (Junior Member)

The above is an example of what I have after configuring it... oh my god...

As you can see, there are too many of them and I am confused about it.

I used YaST to configure it, but it seems like too many lines, I guess.

Please advise me how and what I should do about it, as I am a newbie to SuseFirewall and iptables. Thank you.
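The dump above is long because SuSEfirewall2 expands every zone into its own chain and puts a LOG rule in front of almost every DROP. A quick way to see which lines actually decide anything is to summarise the dump per chain: the chain's policy, how many rules it holds and what its final catch-all target is, plus any rules that sit behind an unconditional ACCEPT or DROP in the same chain and can therefore never match (in the dump above that is everything after `-A input_int -j ACCEPT`, and the two FORWARD rules that follow `-A FORWARD -j DROP`). The following POSIX sh/awk script is an added example written for this thread, not code from the posts or from SuSEfirewall2; the embedded dump is a constructed excerpt in the same format, and the function names summarise_chains and unreachable_rules are my own.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from SuSEfirewall2.
# Summarises an iptables-save dump so the lines that matter stand out:
# per chain its policy, rule count and final target, plus rules that can
# never match because an unconditional ACCEPT/DROP precedes them.
# Needs only POSIX sh and awk; nothing is loaded into the kernel.

# Constructed excerpt in iptables-save format (same shape as the dump in
# the thread, but not the full dump).
SAMPLE_DUMP='# Generated by iptables-save v1.2.9 (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [2:166]
:OUTPUT ACCEPT [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_int
-A INPUT -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options
-A INPUT -j DROP
-A input_ext -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j DROP
-A input_ext -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A input_ext -p udp -m state --state NEW -m udp --dport 1024:65535 -j ACCEPT
-A input_ext -j DROP
-A input_int -j ACCEPT
-A input_int -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [100:6439]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# summarise_chains: iptables-save text on stdin -> one line per chain:
#   <table> <chain> policy=<policy or -> rules=<n> last=<target of last rule>
summarise_chains() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        /^:/  { key = table SUBSEP substr($1, 2); policy[key] = $2; order[++n] = key; next }
        /^-A / {
            key = table SUBSEP $2
            count[key]++
            for (i = 3; i <= NF; i++) if ($i == "-j") last[key] = $(i + 1)
            next
        }
        END {
            for (i = 1; i <= n; i++) {
                key = order[i]
                split(key, k, SUBSEP)
                printf "%s %s policy=%s rules=%d last=%s\n",
                       k[1], k[2], policy[key], count[key] + 0, (key in last) ? last[key] : "-"
            }
        }'
}

# unreachable_rules: print every rule that follows an unconditional
# "-A <chain> -j ACCEPT" or "-A <chain> -j DROP" in the same chain.
unreachable_rules() {
    awk '
        /^\*/ { table = substr($1, 2); next }
        /^-A / {
            key = table SUBSEP $2
            if (dead[key]) { print "unreachable: " $0; next }
            if (NF == 4 && $3 == "-j" && ($4 == "ACCEPT" || $4 == "DROP")) dead[key] = 1
        }'
}

printf '%s\n' "$SAMPLE_DUMP" | summarise_chains
printf '%s\n' "$SAMPLE_DUMP" | unreachable_rules
```

To run it against the real thing, pipe `iptables-save` (or the saved iptables.txt) into summarise_chains instead of the sample. A chain whose policy is ACCEPT and whose last rule is not DROP or REJECT is the first thing to look at, because everything not explicitly matched gets through it.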
#8
15th March 2006, 12:50
falko (Super Moderator, Lüneburg, Germany)

If your server is behind a router (with a firewall), I'd simply switch off the SuSE firewall and try to configure it again from scratch.
#9
16th March 2006, 05:26
zacch (Junior Member)

Hi

Thank you for your reply.

I think I will do what you have told me, but one thing is I am not good with iptables, and I do not think I will use SuSEFirewall2 again, lol.

I might be using iptables only, without configuring SuSEFirewall2 through YaST.

So there are a few questions that I need to ask and to be guided on, please.

Here is one of them, for ICMP to ping:

#ICMP Rules
#For Me to Ping Outside
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 12 -j ACCEPT
#For Outside To Ping Me
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT

As you can see, this is the set of ICMP rules I have configured, and somehow other PCs in the LAN can ping me, whereas I cannot ping them.

I tried to do a ping yahoo.com but it seems it is not able to go out from my PC.

Please advise, thank you.
#10
16th March 2006, 09:18
zacch (Junior Member)

I have tried this and it works:

#For Outside to Ping Inside
#ICMP Rules
#For Outside To Ping Inside
#-A INPUT -s 127.0.0.1 -p icmp -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#For Inside To Ping Outside
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

For DNS
#Accept DNS
-A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
-A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT

Anyway, I am still building up the iptables thing; please advise if there is anything wrong. Thank you.
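For a gateway with a default-deny policy, the two fragments above (ICMP and DNS) become much shorter once connection tracking does the work: one RELATED,ESTABLISHED rule on INPUT and one on FORWARD admits ping echo-replies, DNS answers and every other reply to a connection the firewall itself let out, so static `--sport 53`/`--dport 1024:65535` pairs are not needed, and an outbound ping only needs the echo-request to leave (OUTPUT policy ACCEPT) and the ESTABLISHED rule to let the reply back in. The script below is an added example for this thread, not code from the posts or from SuSEfirewall2. It assumes the topology from post #4 (eth0 external, eth1 LAN, LAN 10.1.0.0/16) and, as an assumption for the example, that ssh (22) and Squid (3128) are the only services the LAN may reach on the gateway; everything else about the poster's setup is unknown. The ipt, build_rules and count_rules function names are mine. With DRY_RUN=1, the default, it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example for this thread, not code from the posts or from SuSEfirewall2.
# Minimal stateful NAT gateway ruleset in plain iptables for the topology
# described above. Assumed values: eth0 = external NIC, eth1 = LAN NIC,
# LAN = 10.1.0.0/16 (from the dump); ssh (22) and Squid (3128) as the only
# services the LAN may reach on the gateway (an assumption for the example).
# DRY_RUN=1 (default) prints the commands instead of applying them.

EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-10.1.0.0/16}
DRY_RUN=${DRY_RUN:-1}

# ipt: print or run one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Start from empty tables; default deny for traffic to and through
    # the gateway, allow what the gateway itself sends out.
    ipt -F
    ipt -t nat -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback, then everything that belongs to a connection already
    # allowed: this one rule admits ping echo-replies, DNS answers and
    # ICMP errors (RELATED) for both the gateway and the LAN behind it.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Anti-spoofing: LAN source addresses never arrive on the external NIC.
    ipt -A INPUT -i "$EXT_IF" -s "$LAN_NET" -j DROP
    ipt -A FORWARD -i "$EXT_IF" -s "$LAN_NET" -j DROP

    # Services the LAN may use on the gateway itself, and ping to it.
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$INT_IF" -s "$LAN_NET" -p tcp --dport 3128 -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Only the LAN may open new connections toward the Internet; nothing
    # from outside can start a connection inward (FORWARD policy is DROP).
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -m state --state NEW -j ACCEPT

    # Log what the DROP policies are about to discard, rate limited so a
    # scan cannot flood syslog.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP "
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP "

    # Hide the LAN behind the external address (net.ipv4.ip_forward must be 1).
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
}

# count_rules: how many -A rules build_rules would install (a quick sanity
# check before applying; policies and flushes are not counted).
count_rules() {
    (DRY_RUN=1; build_rules) | grep -c -E '^iptables (-t nat )?-A '
}

build_rules
```

To apply it, run as root with DRY_RUN=0 after enabling forwarding (net.ipv4.ip_forward=1). Do this from the console rather than over ssh the first time: the flush followed by the INPUT DROP policy cuts off a remote session until the ssh rule is back in place. Note that this ruleset has no equivalent of the thread's 159-connection mystery to diagnose; what it does give you is a FORWARD chain where every outbound connection has to come from the LAN interface, so `iptables -L FORWARD -v -n` shows at a glance how much is leaving and through which rule.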