No services on the gateway
Hello,
maybe the answer is simple, but I have the following problem:
.) A Linux machine serves (via ADSL) as the gateway for the Win98 machines behind it.
That part works; everything can be reached without problems (with masquerading on).
But:
httpd, smtpd etc. also run on the gateway.
They work, but only from outside!! From inside they cannot be reached. DNS does work, but then everything runs into a timeout. Interesting in this regard: a ping to the gateway's internal interface works, a ping to the external interface does not.
Did I overlook/misunderstand something in the firewall? Or where is the problem?
Thanks for any help!
So, assuming you use Apache2: it uses the file /etc/apache2/listen.conf to control which IP and which port it can be reached on:
You should specify it more precisely (the default setting is probably used for the external address...):
or rather, replace the address above with your local address, whatever it is.
Code:
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# http://httpd.apache.org/docs-2.0/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
#Listen 12.34.56.78:80
#Listen 80
#Listen 443
Listen 80
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
# Use name-based virtual hosting
#
# - on a specified address / port:
#
#NameVirtualHost 12.34.56.78:80
#
# - name-based virtual hosting:
#
#NameVirtualHost *:80
#
# - on all addresses and ports. This is your best bet when you are on
# dynamically assigned IP addresses:
#
#NameVirtualHost *
Code:
Listen 192.168.0.1:80
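An added example, not part of any post in this thread: a small Python check of which local addresses Apache accepts connections on for the quoted listen.conf versus the single-address `Listen` line. It models only `Listen`, `<IfDefine>` and `<IfModule>`; 192.168.0.1 is the address from the reply above, and 203.0.113.10 is a placeholder standing in for the gateway's external address.

```python
import ipaddress
import re

# Constructed excerpt of the listen.conf quoted above (most comments dropped).
LISTEN_CONF = """\
#Listen 12.34.56.78:80
Listen 80
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
"""

# The variant proposed in the reply: bind to one address only.
RESTRICTED_CONF = "Listen 192.168.0.1:80\n"

INTERNAL_IP = "192.168.0.1"   # from the reply's Listen line
EXTERNAL_IP = "203.0.113.10"  # placeholder for the external address (assumption)

_OPEN = re.compile(r"<(IfDefine|IfModule)\s+(!?)(\S+)>", re.I)
_CLOSE = re.compile(r"</(IfDefine|IfModule)>", re.I)
_LISTEN = re.compile(r"Listen\s+(?:(\[[^\]]+\]|[^:\s]+):)?(\d+)(?:\s+\S+)?", re.I)


def parse_listen(conf, defines=frozenset(), modules=frozenset()):
    """Return [(address or None, port)] for every active Listen directive.

    None means "all local addresses". `defines` are the -D parameters
    httpd was started with, `modules` the loaded module names.
    """
    active = [True]  # truth value of each enclosing conditional block
    sockets = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPEN.fullmatch(line)
        if m:
            kind, negated, name = m.groups()
            known = defines if kind.lower() == "ifdefine" else modules
            cond = (name in known) != bool(negated)
            active.append(active[-1] and cond)
            continue
        if _CLOSE.fullmatch(line):
            if len(active) > 1:
                active.pop()
            continue
        m = _LISTEN.fullmatch(line)
        if m and active[-1]:
            addr = m.group(1).strip("[]") if m.group(1) else None
            sockets.append((addr, int(m.group(2))))
    return sockets


def accepts(sockets, ip, port):
    """True if a connection to ip:port would reach one of the listening sockets."""
    target = ipaddress.ip_address(ip)
    for addr, bound_port in sockets:
        if bound_port != port:
            continue
        if addr is None:
            return True
        bound = ipaddress.ip_address(addr)
        # 0.0.0.0 / :: cover every address of their own family only.
        if bound.version == target.version and (bound.is_unspecified or bound == target):
            return True
    return False


def reachable(conf, port=80, **kwargs):
    """Summarise whether the internal and external address are served on `port`."""
    sockets = parse_listen(conf, **kwargs)
    return {
        "internal": accepts(sockets, INTERNAL_IP, port),
        "external": accepts(sockets, EXTERNAL_IP, port),
    }


if __name__ == "__main__":
    print("Listen 80             ->", reachable(LISTEN_CONF))
    print("Listen 192.168.0.1:80 ->", reachable(RESTRICTED_CONF))
```

With `Listen 80` the server already answers on every local address, while the single-address form leaves port 80 closed on the external address.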
No, thanks, unfortunately that wasn't it.
For one thing, because DNS does work. That is, when a page on the gateway is requested, the external IP is looked up, not the internal one ("Trying to connect to ext. IP").
For another, because it is not only Apache: all services (ssh, ftp, smtpd) are unreachable. I think it has more to do with the network level. I just don't know where or what.
Firewall?
Do you have (netfilter) iptables running?
Try ethereal; it lets you see nicely what happens to the packets.
Regards, Jürgen
_______________________
Machine: P4 with Suse 9.2
_______________________
And assemble our own army to defuse this weapon of mass destruction that we still call our president today...
So, I had the gateway created and configured by SuSEfirewall2. Following the advice, I used ethereal for the analysis and filtered out this entry, which I think is relevant, on the network card for the LAN. This entry appeared three times, though, and looked identical at first glance.
On eth1, i.e. the external card (is that standard, by the way?), I could not make out any relevant entries, since my internal IP did not appear anywhere as source or destination in combination with my external IP.
Code:
Frame 391 (66 bytes on wire, 66 bytes captured)
Arrival Time: Oct 21, 2004 17:05:21.568207000
Time delta from previous packet: 4.559556000 seconds
Time relative to first packet: 4.559556000 seconds
Frame Number: 391
Packet Length: 66 bytes
Capture Length: 66 bytes
Ethernet II, Src: 00:02:44:37:6a:94, Dst: 00:02:44:25:65:f9
Destination: 00:02:44:25:65:f9 (00:02:44:25:65:f9)
Source: 00:02:44:37:6a:94 (00:02:44:37:6a:94)
Type: IP (0x0800)
Internet Protocol, Src Addr: 192.168.1.15 (192.168.1.15), Dst Addr: 62.143.9.78 (62.143.9.78)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 52
Identification: 0x66d8 (26328)
Flags: 0x04
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 128
Protocol: TCP (0x06)
Header checksum: 0x8a57 (correct)
Source: 192.168.1.15 (192.168.1.15)
Destination: 62.143.9.78 (62.143.9.78)
Transmission Control Protocol, Src Port: uma (1797), Dst Port: http (80), Seq: 268326326, Ack: 0, Len: 0
Source port: uma (1797)
Destination port: http (80)
Sequence number: 268326326
Header length: 32 bytes
Flags: 0x0002 (SYN)
0... .... = Congestion Window Reduced (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...0 .... = Acknowledgment: Not set
.... 0... = Push: Not set
.... .0.. = Reset: Not set
.... ..1. = Syn: Set
.... ...0 = Fin: Not set
Window size: 65535
Checksum: 0xf879 (correct)
Options: (12 bytes)
Maximum segment size: 1460 bytes
NOP
Window scale: 1 (multiply by 2)
NOP
NOP
SACK permitted
Here is the script
Code:
fw_custom_before_antispoofing() {
true
}
fw_custom_before_port_handling() {
true
}
fw_custom_before_masq() { # could also be named "after_port_handling()"
true
}
fw_custom_before_denyall() { # could also be named "after_forwardmasq()"
true
}
I'd best supply the firewall's config file as well.
And while we're at it, the iptables rules too.
Code:
FW_QUICKMODE="no"
FW_DEV_EXT="eth1"
FW_DEV_INT="eth0"
FW_DEV_DMZ="yes"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="0/0"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="10000:20000 21 4000:5000 http smtp ssh"
FW_SERVICES_EXT_UDP="123"
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP="80"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="80 ssh smtp http domain"
FW_SERVICES_INT_UDP="domain"
FW_SERVICES_INT_IP=""
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="no"
FW_SERVICE_SAMBA="no"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"
FW_HTB_TUNE_DEV=""
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT udp -- anywhere 255.255.255.255 state NEW,ESTABLISHED udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:netbios-ns:netbios-dgm
LOG all -- loopback/8 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
LOG all -- anywhere loopback/8 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
DROP all -- loopback/8 anywhere
DROP all -- anywhere loopback/8
LOG all -- linux.local anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
DROP all -- linux.local anywhere
LOG all -- ip78.9.1411M-CUD12K-01.ish.de anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOFING '
DROP all -- ip78.9.1411M-CUD12K-01.ish.de anywhere
input_ext all -- anywhere ip78.9.1411M-CUD12K-01.ish.de
input_int all -- anywhere linux.local
DROP all -- anywhere 62.143.9.255
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 192.168.1.255
DROP all -- anywhere 255.255.255.255
LOG all -- anywhere ip78.9.1411M-CUD12K-01.ish.deLOG level warning tcp-options ip-options prefix `SuSE-FW-ACCESS_DENIED_INT '
DROP all -- anywhere ip78.9.1411M-CUD12K-01.ish.de
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-ILLEGAL-TARGET '
DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
forward_ext all -- anywhere anywhere
forward_int all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-ILLEGAL-ROUTING '
DROP all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-FORWARD-ERROR '
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
LOG icmp -- anywhere anywhere icmp time-exceeded LOG level warning tcp-options ip-options prefix `SuSE-FW-TRACEROUTE-ATTEMPT '
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
ACCEPT icmp -- anywhere anywhere icmp port-unreachable
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp network-prohibited
ACCEPT icmp -- anywhere anywhere icmp host-prohibited
ACCEPT icmp -- anywhere anywhere icmp communication-prohibited
DROP icmp -- anywhere anywhere icmp destination-unreachable
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-OUTPUT-ERROR '
Chain forward_dmz (0 references)
target prot opt source destination
LOG all -- 62.143.9.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
DROP all -- 62.143.9.0/24 anywhere
LOG all -- 192.168.1.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
DROP all -- 192.168.1.0/24 anywhere
LOG all -- anywhere linux.local LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
DROP all -- anywhere linux.local
LOG all -- anywhere ip78.9.1411M-CUD12K-01.ish.deLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
DROP all -- anywhere ip78.9.1411M-CUD12K-01.ish.de
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
DROP all -- anywhere anywhere
Chain forward_ext (1 references)
target prot opt source destination
LOG all -- 192.168.1.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
DROP all -- 192.168.1.0/24 anywhere
LOG all -- anywhere linux.local LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
DROP all -- anywhere linux.local
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
DROP all -- anywhere anywhere
Chain forward_int (1 references)
target prot opt source destination
LOG all -- 62.143.9.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF '
DROP all -- 62.143.9.0/24 anywhere
LOG all -- anywhere ip78.9.1411M-CUD12K-01.ish.deLOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-CIRCUMVENTION '
DROP all -- anywhere ip78.9.1411M-CUD12K-01.ish.de
ACCEPT icmp -- anywhere anywhere state RELATED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
DROP all -- anywhere anywhere
Chain input_dmz (0 references)
target prot opt source destination
LOG all -- 62.143.9.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF-idmz '
DROP all -- 62.143.9.0/24 anywhere
LOG all -- 192.168.1.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF-idmz '
DROP all -- 192.168.1.0/24 anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp type 2 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
DROP icmp -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
reject_func tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:ipp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:ipp flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:mpc-lifenet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:mpc-lifenet flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:mysql flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:mysql flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:terabase flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:terabase flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:newoak flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:newoak flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:pxc-spvr-ft flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:pxc-spvr-ft flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:4080 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:4080 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:krb524 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:krb524 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:4662 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:4662 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:5804 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:5804 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:5904 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:5904 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:6881 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:6881 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:6882 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:6882 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:19287 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:19287 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535
LOG tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp spt:ftp-data dpts:1024:65535
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT udp -- ns1.ish.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- resolver1.eu.level3.net anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP udp -- anywhere anywhere udp dpt:fsp
DROP udp -- anywhere anywhere udp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:domain
DROP udp -- anywhere anywhere udp dpt:domain
DROP udp -- anywhere anywhere udp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:bootpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:ntp
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP udp -- anywhere anywhere udp dpt:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:printer
DROP udp -- anywhere anywhere udp dpt:ipp
DROP udp -- anywhere anywhere udp dpt:ipp
DROP udp -- anywhere anywhere udp dpt:nimreg
DROP udp -- anywhere anywhere udp dpt:mpc-lifenet
DROP udp -- anywhere anywhere udp dpt:mysql
DROP udp -- anywhere anywhere udp dpt:terabase
DROP udp -- anywhere anywhere udp dpt:newoak
DROP udp -- anywhere anywhere udp dpt:pxc-spvr-ft
DROP udp -- anywhere anywhere udp dpt:4080
DROP udp -- anywhere anywhere udp dpt:krb524
DROP udp -- anywhere anywhere udp dpt:4662
DROP udp -- anywhere anywhere udp dpt:4666
DROP udp -- anywhere anywhere udp dpt:5804
DROP udp -- anywhere anywhere udp dpt:5904
DROP udp -- anywhere anywhere udp dpt:x11
DROP udp -- anywhere anywhere udp dpt:6881
DROP udp -- anywhere anywhere udp dpt:6882
DROP udp -- anywhere anywhere udp dpt:19287
DROP udp -- anywhere anywhere udp dpt:19287
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
DROP all -- anywhere anywhere
Chain input_ext (1 references)
target prot opt source destination
LOG all -- 192.168.1.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF-iext '
DROP all -- 192.168.1.0/24 anywhere
LOG icmp -- 62.143.9.0/24 anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT-SOURCEQUENCH '
ACCEPT icmp -- 62.143.9.0/24 anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp type 2 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
DROP icmp -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp dpts:ndmp:dnp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpts:ndmp:dnp
LOG tcp -- anywhere anywhere tcp dpt:ftp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ftp
LOG tcp -- anywhere anywhere tcp dpts:terabase:commplex-main flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpts:terabase:commplex-main
LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
LOG tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:smtp
LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
reject_func tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:sunrpc flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:netbios-ssn flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:printer flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:ipp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:ipp flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:mpc-lifenet flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:mpc-lifenet flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:mysql flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:mysql flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:terabase flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:terabase flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:newoak flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:newoak flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:pxc-spvr-ft flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:pxc-spvr-ft flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:4080 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:4080 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:krb524 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:krb524 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:4662 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:4662 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:5804 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:5804 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:5904 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:5904 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:x11 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:6881 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:6881 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:6882 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:6882 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:9859 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:9859 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:19287 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:19287 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:30877 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:30877 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere tcp dpt:44281 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP '
DROP tcp -- anywhere anywhere tcp dpt:44281 flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535
LOG tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp spt:ftp-data dpts:1024:65535
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:ntp
ACCEPT udp -- ns1.ish.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- resolver1.eu.level3.net anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
DROP udp -- anywhere anywhere udp dpt:ssh
DROP udp -- anywhere anywhere udp dpt:domain
DROP udp -- anywhere anywhere udp dpt:domain
DROP udp -- anywhere anywhere udp dpt:domain
DROP udp -- anywhere anywhere udp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:bootps
DROP udp -- anywhere anywhere udp dpt:bootpc
DROP udp -- anywhere anywhere udp dpt:http
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:sunrpc
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
DROP udp -- anywhere anywhere udp dpt:netbios-ssn
DROP udp -- anywhere anywhere udp dpt:printer
DROP udp -- anywhere anywhere udp dpt:ipp
DROP udp -- anywhere anywhere udp dpt:ipp
DROP udp -- anywhere anywhere udp dpt:nimreg
DROP udp -- anywhere anywhere udp dpt:mpc-lifenet
DROP udp -- anywhere anywhere udp dpt:mysql
DROP udp -- anywhere anywhere udp dpt:terabase
DROP udp -- anywhere anywhere udp dpt:newoak
DROP udp -- anywhere anywhere udp dpt:pxc-spvr-ft
DROP udp -- anywhere anywhere udp dpt:4080
DROP udp -- anywhere anywhere udp dpt:krb524
DROP udp -- anywhere anywhere udp dpt:4662
DROP udp -- anywhere anywhere udp dpt:4666
DROP udp -- anywhere anywhere udp dpt:5804
DROP udp -- anywhere anywhere udp dpt:5904
DROP udp -- anywhere anywhere udp dpt:x11
DROP udp -- anywhere anywhere udp dpt:6881
DROP udp -- anywhere anywhere udp dpt:6882
DROP udp -- anywhere anywhere udp dpt:9859
DROP udp -- anywhere anywhere udp dpt:19287
DROP udp -- anywhere anywhere udp dpt:19287
DROP udp -- anywhere anywhere udp dpt:30877
DROP udp -- anywhere anywhere udp dpt:44281
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
ACCEPT udp -- anywhere anywhere state ESTABLISHED udp dpts:61000:65095
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
DROP all -- anywhere anywhere
Chain input_int (1 references)
target prot opt source destination
LOG all -- 62.143.9.0/24 anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ANTI-SPOOF-iint '
DROP all -- 62.143.9.0/24 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
LOG icmp -- anywhere anywhere icmp type 2 LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-ICMP-CRIT '
DROP icmp -- anywhere anywhere
LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
LOG tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:ssh
LOG tcp -- anywhere anywhere tcp dpt:smtp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:smtp
LOG tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:http
LOG tcp -- anywhere anywhere tcp dpt:domain flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp dpt:domain
reject_func tcp -- anywhere anywhere tcp dpt:ident flags:SYN,RST,ACK/SYN
LOG tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp dpts:1024:65535
LOG tcp -- anywhere anywhere tcp spt:ftp-data dpts:1024:65535 flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-ACCEPT '
ACCEPT tcp -- anywhere anywhere state NEW,RELATED,ESTABLISHED tcp spt:ftp-data dpts:1024:65535
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpts:ipcserver:65535 flags:!SYN,RST,ACK/SYN
ACCEPT tcp -- anywhere anywhere state ESTABLISHED tcp dpt:ftp-data flags:!SYN,RST,ACK/SYN
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:domain
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:filenet-rpc
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpt:filenet-nch
ACCEPT udp -- ns1.ish.de anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- resolver1.eu.level3.net anywhere state NEW,RELATED,ESTABLISHED udp spt:domain dpts:1024:65535
ACCEPT udp -- anywhere anywhere state NEW,RELATED,ESTABLISHED udp dpts:1024:65535
LOG tcp -- anywhere anywhere tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp source-quench LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp redirect LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp echo-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp timestamp-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG icmp -- anywhere anywhere icmp address-mask-request LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG udp -- anywhere anywhere LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT '
LOG all -- anywhere anywhere state INVALID LOG level warning tcp-options ip-options prefix `SuSE-FW-DROP-DEFAULT-INVALID '
DROP all -- anywhere anywhere
Chain reject_func (3 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable