I recently upgraded our firewall out in Denver to 11.1 (it was running 10.3). We had a HUGE list of iptables rules that included MAC address filtering (if your MAC wasn’t in the list, you got no Internet access). We built a new firewall server with 11.1 and used Yast to set up the networking. We couldn’t find any easy way to do MAC filtering, so we left that disabled.
Here’s my problem.
We have a very large list of NAT port/destination assignments (about 30). Yast keeps truncating the list and, even worse, corrupting the file /etc/sysconfig/SuSEfirewall2; at the end of the displayed “masqueraded” network addresses and ports, there will be gibberish such as “IP_FOR” – and that’s it. When I open /etc/sysconfig/SuSEfirewall2 with an editor, I’ll see that the trailing quotation mark (") at the end of the NAT list is missing – in fact, the last entry will be gone, as will the tail of the next-to-last.
Is there a limit to how large this section can be?
What’s frustrating is that, even once I get it working (I did an “iptables-save” just to keep a known-good config), it will mysteriously drop all the NAT rules after a few hours. Right after I reboot the machine, I can do an “iptables --list” and see my “DNATs” in there, lined up and pretty. By that evening, the same list will show no rules!!!
Any ideas? Is there a bug in this thing?
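As an added example (not part of the original post or of SuSEfirewall2 itself), two shell checks for the two symptoms described above: a quote-balance scan over a sysconfig-style file that catches the truncated value with its missing trailing quotation mark before the firewall script ever reads it, and a comparison of the nat table between the saved `iptables-save` snapshot and a fresh dump, so that a periodic job can record the moment the DNAT rules disappear instead of discovering it by evening. The file names, the constructed sample contents, and the suggestion to run it from cron are assumptions; both checks take files as arguments, so they run without root and without touching the live ruleset.

```shell
#!/bin/sh
# Added example, not from the original post. Two checks for the symptoms
# described there. File names and all sample contents below are constructed.

# 1) Report lines of a sysconfig-style file whose double quotes are unbalanced,
#    i.e. the "missing trailing quotation mark" corruption. Assumes one
#    VAR="value" assignment per line (no backslash continuations).
#    Prints "<lineno>: <line>" per offender; returns 1 if any were found.
check_sysconfig_quotes() {
    file="$1"; n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|\#*) continue ;; esac   # skip blanks and comments
        quotes=$(printf '%s' "$line" | tr -cd '"' | wc -c)
        if [ $((quotes % 2)) -ne 0 ]; then
            printf '%d: %s\n' "$n" "$line"
            bad=1
        fi
    done < "$file"
    return "$bad"
}

# Extract only the rule lines (-A ...) of the nat table from an iptables-save
# dump, sorted so the two sets can be compared with comm(1).
nat_rules() {
    sed -n '/^\*nat$/,/^COMMIT$/p' "$1" | grep '^-A ' | sort
}

# 2) Print every nat rule present in SAVED (the known-good iptables-save dump)
#    but absent from CURRENT (a fresh dump); returns 1 if any are missing.
#    Run periodically with CURRENT produced by a fresh "iptables-save" to get
#    a timestamp for when the DNAT rules vanished.
nat_rules_missing() {
    tmp="${TMPDIR:-/tmp}/natcheck.$$"
    nat_rules "$1" > "$tmp.saved"
    nat_rules "$2" > "$tmp.current"
    # comm -23: lines present only in the first (saved) file
    missing=$(comm -23 "$tmp.saved" "$tmp.current")
    rm -f "$tmp.saved" "$tmp.current"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample inputs: a corrupted sysconfig file, a known-good nat
# snapshot, and a later dump from which the DNAT rules have disappeared.
make_samples() {
    dir="$1"
    cat > "$dir/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth0"
FW_MASQUERADE="yes"
FW_FORWARD_MASQ="0/0,192.168.1.10,tcp,80 0/0,192.168.1.11,tcp,443 0/0,192.168.1.1
EOF
    cat > "$dir/saved.rules" <<'EOF'
# constructed iptables-save output
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.10:80
-A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination 192.168.1.11:443
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
    # the same machine a few hours later: the DNAT rules are gone
    grep -v 'DNAT' "$dir/saved.rules" > "$dir/current.rules"
}

demo() {
    d=$(mktemp -d)
    make_samples "$d"
    echo "== unbalanced quotes in $d/SuSEfirewall2 =="
    check_sysconfig_quotes "$d/SuSEfirewall2" || echo "(config file is damaged)"
    echo "== nat rules missing from current dump =="
    nat_rules_missing "$d/saved.rules" "$d/current.rules" || echo "(DNAT rules lost)"
    rm -rf "$d"
}

# Run the demonstration with: sh natcheck.sh demo
if [ "${1:-}" = "demo" ]; then demo; fi
```

In practice the second check would be fed the `iptables-save` output you already keep as the known-good copy and a fresh `iptables-save` dump taken by the job; a non-zero exit with the missing rules printed is what you want logged (with the time) to narrow down which event, such as a scheduled SuSEfirewall2 restart or a network restart, is flushing the nat table.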