Re: [SLE] SuSEfirewall2 logging

From: David Krider (david_at_davidkrider.com)
Date: 09/14/03

    To: suse-linux-e@suse.com
    Date: 13 Sep 2003 17:26:18 -0500
    
    

    On Fri, 2003-09-12 at 18:40, Carlos E. R. wrote:
    > The 03.09.12 at 13:53, David Krider wrote:
    >
    > > > FW_LOG_ACCEPT_CRIT="yes"
    > > > FW_LOG_ACCEPT_ALL="no"
    > >
    > > I was afraid of this. Both of these entries are set to no in my config
    > > file, yet I continue to get the reports in my log. Any other ideas?
    >
    > On a machine I set up for a friend, I discovered I was adjusting
    > susefirewall2, and he was using the other one, because it was setup
    > automatically by yast after changing something on the network setup.

    I have stopped and restarted this thing many times in trying to sort
    this out. That alleviates one response. I haven't run SuSEconfig in any
    of this, so that should rule out the /etc/sysconfig/SuSEfirewall2 script
    getting rewritten on the fly.

    I use the following two rules in FW_FORWARD to get NFS passed between my
    DMZ and my internal network:

    192.168.1.0/24,192.168.1.2,udp,1:65535
    192.168.1.2,192.168.4.0/24,udp,800

    The interesting thing to me is that the only thing that I keep getting
    FW-ACCEPT messages for are the responses from port 800 in my DMZ back to
    my internal network. They always look like this:

    Sep 13 17:21:39 reliant kernel: SuSE-FW-ACCEPT IN=eth1 OUT=eth0
    SRC=192.168.1.2 DST=192.168.4.200 LEN=148 TOS=0x00 PREC=0x00 TTL=63
    ID=30811 DF PROTO=UDP SPT=2049 DPT=800 LEN=128

    My guess is that this has something to do with the fact that it's UDP
    traffic, or that it's a low port, but I also have this rule for printing
    from Samba:

    192.168.1.2,192.168.4.0/24,udp,137

    And I never get any messages about that one. I also do NOT get the
    messages when I access the NFS share from the firewall. This is being
    taken care of here:

    FW_SERVICES_DMZ_UDP="domain 600:1023"

    Again, anyone know why I'd get those messages for that one rule, and not
    the others? Perhaps I should send this to the maintainer of
    SuSEfirewall2?

    Regards,
    dk

    -- 
    Check the headers for your unsubscription address
    For additional commands send e-mail to suse-linux-e-help@suse.com
    Also check the archives at http://lists.suse.com
    Please read the FAQs: suse-linux-e-faq@suse.com
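As an added illustration of the question raised in the post (this is example code, not part of the original message and not SuSEfirewall2's own code): the iptables-style SuSE-FW-* log lines can be parsed into their key=value fields and checked against the FW_FORWARD entries, so that each FW-ACCEPT line can be tied to the rule it satisfies. It assumes the FW_FORWARD entry format "source,destination,protocol,port[:port]" that the three rules in the post follow, and treats an empty OUT= as a packet addressed to the firewall host itself rather than a forwarded one. The log lines below are constructed, modelled on the line quoted in the post.

```python
"""Match SuSEfirewall2 SuSE-FW-* log lines against FW_FORWARD rules.

Added example; not code from the original post or from SuSEfirewall2.
Assumption: FW_FORWARD entries are "source,destination,protocol,port[:port]".
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log, modelled on the line quoted in the post (not a real capture).
SAMPLE_LOG = """\
Sep 13 17:21:39 reliant kernel: SuSE-FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=192.168.4.200 LEN=148 TOS=0x00 PREC=0x00 TTL=63 ID=30811 DF PROTO=UDP SPT=2049 DPT=800 LEN=128
Sep 13 17:22:01 reliant kernel: SuSE-FW-ACCEPT IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=192.168.4.200 LEN=96 TOS=0x00 PREC=0x00 TTL=63 ID=30812 DF PROTO=UDP SPT=137 DPT=137 LEN=76
Sep 13 17:22:05 reliant kernel: SuSE-FW-DROP IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.5 DST=192.168.4.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The three FW_FORWARD entries from the post, one per line.
FW_FORWARD = """\
192.168.1.0/24,192.168.1.2,udp,1:65535
192.168.1.2,192.168.4.0/24,udp,800
192.168.1.2,192.168.4.0/24,udp,137
"""


@dataclass(frozen=True)
class ForwardRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    port_lo: int
    port_hi: int


def parse_forward_rules(text):
    """Turn whitespace-separated FW_FORWARD entries into ForwardRule objects."""
    rules = []
    for entry in text.split():
        src, dst, proto, port = entry.split(",")
        lo, _, hi = port.partition(":")          # "800" or "1:65535"
        rules.append(ForwardRule(
            src=ipaddress.ip_network(src, strict=False),   # host -> /32
            dst=ipaddress.ip_network(dst, strict=False),
            proto=proto.lower(),
            port_lo=int(lo),
            port_hi=int(hi or lo),
        ))
    return rules


LOG_RE = re.compile(r"SuSE-FW-(?P<action>[A-Z-]+)\s+(?P<fields>.*)$")


def parse_log_line(line):
    """Parse one kernel log line into a dict of its KEY=value fields, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = {"action": m.group("action"), "flags": []}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        if not sep:
            pkt["flags"].append(key)      # bare flags such as DF or SYN
        elif key in pkt:
            pkt[key + "_L4"] = val        # second LEN= is the UDP/TCP length
        else:
            pkt[key] = val
    return pkt


def matching_rules(pkt, rules):
    """Indices of the FW_FORWARD rules whose src/dst/proto/dport cover this packet."""
    if "PROTO" not in pkt or "DPT" not in pkt:
        return []
    src = ipaddress.ip_address(pkt["SRC"])
    dst = ipaddress.ip_address(pkt["DST"])
    proto = pkt["PROTO"].lower()
    dport = int(pkt["DPT"])
    return [i for i, r in enumerate(rules)
            if src in r.src and dst in r.dst
            and r.proto == proto and r.port_lo <= dport <= r.port_hi]


def classify_log(log_text, rules):
    """For each SuSE-FW-* line: action, flow summary, and the forward rules it matches."""
    results = []
    for line in log_text.splitlines():
        pkt = parse_log_line(line)
        if pkt is None:
            continue
        # An empty OUT= means the packet was for the firewall host itself,
        # which FW_SERVICES_* handles, not FW_FORWARD (assumption stated above).
        forwarded = pkt.get("OUT", "") != ""
        proto = pkt.get("PROTO", "?").lower()
        flow = "%s:%s -> %s:%s/%s" % (pkt["SRC"], pkt.get("SPT", "?"),
                                      pkt["DST"], pkt.get("DPT", "?"), proto)
        results.append({
            "action": pkt["action"],
            "flow": flow,
            "forwarded": forwarded,
            "rules": matching_rules(pkt, rules) if forwarded else [],
        })
    return results


if __name__ == "__main__":
    for r in classify_log(SAMPLE_LOG, parse_forward_rules(FW_FORWARD)):
        print(r["action"], r["flow"], "forwarded" if r["forwarded"] else "local",
              "rules:", r["rules"])
```

Run against the sample, the quoted FW-ACCEPT line (SPT=2049, DPT=800) is covered only by the second FW_FORWARD entry, and the constructed port-137 line only by the third; the DROP line with OUT= empty is reported as local to the firewall and checked against no forward rule. Pointing the same script at a real /var/log/messages and the actual FW_FORWARD value from /etc/sysconfig/SuSEfirewall2 shows which rule each logged packet is being accepted under.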
    