Network traffic is being blocked by... ?

Hi guys… can anyone direct me to what I need to be looking at? Here’s the scenario:

I have 3 nics, 2 of which are bridged, and the third is for standard usage, for updates, etc. I use the bridge in front of a router as a firewall with broad, hard core packet filtering. I was severely hacked some time ago which led me to this setup. I now use multiple firewalls… the front invisible bridge (no IP’s so it can’t be hacked, for packet inspection), a second firewall at the proxy server, and software firewalls on each machine. I’ve used this setup very successfully for years. In fact, my service provider called me and asked if I had internet!! rotfl! That was awesome!!

I started doing this when I packet sniffed my own network and saw 2 people at the same time inside my lan hammering away. They were different personalities… using different techniques and hitting different ports. They were professional. I was able to setup a bridge like this very easily with 10.3… maybe even 9.3, I don’t recall at the moment.

Recently, I began upgrading my hardware to gigabit network cards, newer servers, and up to the most current SuSe 12.1. SuSe 12.1 is awesome, in that you can setup a bridge with a few clicks of the mouse in Yast. Everything I used to have to hardcode was done immediately! The files are exactly the same as I wrote a few years ago!!

There is, however, one difference that I see now… that I need some help with. Do you know how SuSe firewall 2 blocks all network traffic when the firewall is disabled, by chance? I used it while I built a bridge and iptables, but when I turn it off it blocks all network traffic (so I can’t reboot w/out flushing iptables & running a script). In other words, it stops all network traffic on all network interfaces when the firewall is disabled, to protect you, when you disable SFW2 in Yast… it tells you that it is doing this…

“No network traffic is permitted through these interfaces.”… the ones not protected by SFW2… which is all of them, when you disable the firewall!

I have custom logging features written into the ip tables where I can observe traffic in and out of the network, as well as all iptable blocking activity. You can achieve the protection of the bridge with SFW2, but lose the custom logging features. When I use my iptables (currently), I can get my logging features, but can’t reboot without manually jumping thru hoops to remove SFW2 manually, and re-installing my iptables… leaving SFW2 up, just clearing it’s iptable rules.

So, when I turn it off, and start/install my own iptables everything works fine, except that something somewhere initiated by SFW2’s being disabled is preventing any network traffic at all. It’s a security feature. I’ve tried everything I can think of, EXCEPT stopping which file is disabling the network…

Can anyone help me… lead me in the right direction?

traditional ifup (It’s a bridge)

Thanks in advance for your help!

I can clarify a little by saying that it isn’t SFW2 that is inhibiting network traffic, but that it is calling another function to do so. It’s just that you can go into the SFW2 GUI, disable it, click next, and on the last screen will be displayed
“No network traffic is permitted through these interfaces.”

SFW2 is calling another function, because if I uninstall SFW2, it still occurs. Had I never started SFW2, this activity would likely have never been initiated. It inhibits the internal connection, because the proxy server sounds off when it connects to the nic… this process just stops the internal transfer of data, not the connection to the nic, or external communication by the nic.

Are any of you good and quick at single stepping, and could figure out what process is disabling the network cards? (like look at the process, click disable on the firewall, and see what is being called?) The process is active (network traffic stops) if SFW2 is disabled or uninstalled… the process is inactive (network traffic flows) only if SFW2 is active. But, it didn’t do this until I activated SFW2.

I noticed the sticky about systemd. This is a new file for 12.1… would it have anything to do with this, you think?

Did You try looking at firewall logs? :) You need to enable them first IIRC with YaST for example.

Best regards,
Greg

Hi Guys… just wanted to let everyone know the issues I addressed in my setup, how I got around them, what I found, and I guess what could potentially point to areas that may need to be looked at by the developers of SuSE 12.1. In my setup I actually encountered several pre-existing problems. Although some may be from different areas of the forum, they are all involved here. Hopefully if someone searches for the others by name, they will end up here and find workarounds. Additionally, I have a couple requests for inclusions into future SuSE releases.

First off, as I stated above I built and am using a bridge for some of my security. I will try to be brief, but state steps for clarity, as well as issues I had.

I’m running this bridged firewall in front of IPCop, with admin to the bridge looped back behind and serviced by IPCop transparent proxy firewall. I took the opportunity to post a How To Bridged Firewall, with present, current 12.1 issues I encountered.

  1. Get 2 network cards. YOU CANNOT USE A MOTHERBOARD ETHERNET CARD IN A BRIDGE. They can’t be controlled (the motherboard can’t be controlled), and will not work. LOL Trust me! However, you can use the on-board adapter for administration (suggested, so you can keep track of them better, or a third card is fine too).

Install a fresh, shiny, new copy of SuSE 12.1. The cards will be recognised and drivers installed for them. Only plug in the onboard ethernet adapter. Hopefully your internet will be automatically set up for you. If not, don’t worry.

*** I am using the notorious REALTEK ‘RTL-8169 Gigabit Ethernet’ that everyone seems to have problems with. I believe the problem is elsewhere… THE r8169 DRIVER IS FINE! I believe the issue may be triggered by these cards, and may be tied to whatever is bypassed with the sysinit-init install. But if you can’t access the internet, after setting your admin card as stated above, simply switch to KNetworkManager and connect for your downloads & patches. Then switch back to Traditional Ifup… it will continue to work perfectly!!!

If it is set up and working, update the system with all necessary updates, BUT NOT SuSE FIREWALL 2’s UPDATE. This update enables package control, and will disable all cards when the firewall is disabled! (read the file description in Yast).

*** Requested inclusion in future additions… a way to disable this feature in Firewall & Network settings GUI’s (or at least in network area), so that you may use custom iptables for the bridge. The message displayed when you disable SFW2 is “No network traffic is permitted through these interfaces.”

  1. In Yast… install bridge-utils, sysinit-init (in exchange for removing systemd), & gcc (needed for some printer driver installation support).

  2. Go into Yast > Network Devices > Network Settings

Select your admin card > edit:

Global Options - Traditional Method with ‘ifup’ & Uncheck the Enable IPV6
Hostname/DNS - Insert hostname
Routing - Enable IP Forwarding
Make sure your admin card is setup as eth2…
General - Activate at boot time & Set MTU 1500 (Ethernet)
Address - IP /24 hostname,
**** Traditional ifup (which I love, and is necessary for the bridge) seems to be having issues at the moment, and doesn’t like DHCP. So, if possible, give this card an IP address. I speculate this is tied to the systemd vs. sysinit-init known issue already posted elsewhere on the forum.

  1. As usual the drivers for your other gigabit ethernet (bridge) cards are installed. The setup selection in Yast WOULD BE as follows (READ FIRST):

Network Devices > Network Settings

eth0 & eth1
Global Options - Traditional Method with ‘ifup’ & Uncheck the Enable IPV6
Hostname/DNS - Insert hostname
Routing - Enable IP Forwarding
Make sure your admin card is setup as eth2…
General - Activate at boot time & Set MTU 1500 (Ethernet)
Address - no ip for bonding devices

However, it worked perfectly by simply creating the following file…

Right click to make a new txt document and name it ‘ifcfg-br0’ and also save in ‘/etc/sysconfig/network’ Here is my sample:

ifcfg-br0
STARTMODE='auto'
BOOTPROTO='none'
BRIDGE='yes'
BRIDGE_PORTS='eth0 eth1'

Also in ‘/etc/sysconfig/network’ look at ‘ifcfg-eth0’ and ‘ifcfg-eth1’ and make sure they look like this:

ifcfg-eth0

BOOTPROTO='none'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='RTL-8169 Gigabit Ethernet'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'

ifcfg-eth1

BOOTPROTO='none'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR=''
MTU=''
NAME='RTL-8169 Gigabit Ethernet'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'

ifcfg-eth2

BOOTPROTO='static'
BROADCAST=''
ETHTOOL_OPTIONS=''
IPADDR='192.168.1.100/24'
MTU='1500'
NAME='3c905C-TX/TX-M [Tornado]'
NETMASK=''
NETWORK=''
REMOTE_IPADDR=''
STARTMODE='auto'
USERCONTROL='no'

Now, at the terminal enter:

$> service network restart

Take another look at your cards now:

$> ifconfig

#> brctl show

bridge name     bridge id               STP enabled     interfaces
br0             8000.0030843e5aa2       no              eth0
                                                        eth1

reboot system

  1. Copy the script and save as ‘firewall’. Right click to get the properties, and make sure root owns the file (which it should), and check the box to make the file executable. Then place a copy in /etc/init.d/ so that it looks like ‘/etc/init.d/firewall’

Once you run it with the terminal by typing ‘/etc/init.d/firewall’ and hitting [enter],
you can watch the terminal for feedback, and also find out whether it has worked by
displaying your current iptables rules with:

iptables -F

/etc/init.d/firewall

#> iptables -L -v

[Code starts below with the ‘#!/bin/bash’ down to the boxed footer labeled
‘End of SuSE 12.1 Bridged IPTables NetFiltering Made Easy’]

#!/bin/bash
##########################################################################
#
# SuSE 12.1 Bridged IPTables NetFiltering Made Easy
#
# ~
#
# This starts the Bridge Portion of the code
#
##########################################################################
#
# Save as a txt file named 'firewall'
#
# Add the bridge, associate the ethernet cards, and activate the bridge
# I actually left these commands here, even though you don't need them
# with SuSE 10.3. Although you can tweak the bridge with the 'STP'
# commands included in this section.
#
#ifconfig br0 down
#brctl addbr br0
#brctl addif br0 eth0
#brctl addif br0 eth1
#ifconfig br0 up
#
# This will set the host up as a pure bridge, it will not have an IP
# address for itself, so it can not be remotely accessed (or hacked)
# via TCP/IP. If an ip address is used you will need to comment out
# the last line above and use the one below instead.
#
#ifconfig br0 192.168.1.X netmask 255.255.255.0 up
#
# The corresponding command to take an interface out of the bridge is:
#
#brctl delif br0 ethX
#
############################
#
# Test your Bridge Filter as-is before changing anything between here
# and where it is labeled End of Bridge header. The values added to
# each command line are good, and there may be a need to uncomment all
# of them, changing the first one below from off to on, if you are
# unable to connect to your ISP with the basic setup supplied above.
# Test the basic first, but remember there will be a 30 second delay
# before it starts passing packets the first time it is connected.
#
# OPTIONAL, NON-Basic Bridge Rules:
#
################################
#
# Spanning Tree Protocol - STP
# If you are running multiple or redundant bridges, then you need to
# enable the Spanning Tree Protocol (STP) to handle multiple hops and
# avoid cyclic routes. The code autodetects the speed of the link and
# other parameters, so these usually don't need to be changed.
#
#brctl stp br0 on
#brctl stp br0 off
#
# Aging Time - Part of STP
# The Aging Time is the number of seconds a MAC address will be kept in
# the forwarding database after having received a packet from this MAC
# address. The entries in the forwarding database are periodically timed
# out to ensure they won't stay around forever. Normally there should be
# no need to modify this parameter, but it can be changed with (time is
# in seconds). Setting ageing time to zero makes all entries permanent.
#
#brctl setageing br0 20
#
# Forwarding Delay Time - Part of STP
# Forwarding Delay time is the time spent in each of the Listening and
# Learning states before the Forwarding state is entered. This delay is
# so that when a new bridge comes onto a busy network it looks at some
# traffic before participating. Default is 30 seconds - set to 0 here
#
#brctl setfd br0 0
#
# Hello Time - Part of STP
# Periodically, a hello packet is sent out by the Root Bridge and the
# Designated Bridges. Hello packets are used to communicate information
# about the topology throughout the entire Bridged Local Area Network.
#
#brctl sethello br0 2
#
# Max Age - Part of STP
# If another bridge in the spanning tree does not send out a hello
# packet for a long period of time, it is assumed to be dead. This
# timeout is set with (brctl's subcommand is 'setmaxage'):
#
#brctl setmaxage br0 20
#
# Path Costs - Part of STP
# Each interface in a bridge could have a different speed and this value
# is used when deciding which link to use. Faster interfaces should have
# lower costs.
#
#brctl setpathcost br0 eth0 3
#
##########################################################################
#
# End of SuSE 12.1 Bridged IPTables NetFiltering Made Easy
#
# This starts the IPTable code
#
##########################################################################

################################
#
# Load all required EBTables modules
#
# Needed to initially load modules
#depmod
#
# Adds some iptables targets like LOG, REJECT
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_multiport
#
# Support for connection tracking of FTP and IRC.
IPTABLES_BIN="/usr/sbin/iptables"
#
#/proc/net/stat/nf_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

################################
#
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#
# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
#
# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
#
# Log packets with impossible source addresses
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

################################
#
# flush all chains
/usr/sbin/iptables -F
/usr/sbin/iptables -X

################################
#
# The 2.6 standard kernel contains an iptables match module called physdev which has to be used to match the bridge's
# physical in and out ports. Its basic usage is simple (see the iptables man page for more details):
#
#############################################
#
# Begin actual iptables
#
#############################################
#
# 1
#
# Set default policies
/usr/sbin/iptables --policy INPUT DROP
/usr/sbin/iptables --policy OUTPUT DROP
/usr/sbin/iptables --policy FORWARD DROP

############################
#
# 2
#
# Block obvious spoofs
#/usr/sbin/iptables -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
/usr/sbin/iptables -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
/usr/sbin/iptables -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP

############################
#
# 3
#
# Allow unlimited traffic on the loopback interface
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o lo -j ACCEPT

############################
#
# 4
#
# Create a LOGDROP chain to log and drop packets
/usr/sbin/iptables -N LOGDROP
/usr/sbin/iptables -A LOGDROP -j LOG --log-level warning --log-prefix '==HACKERS== '
/usr/sbin/iptables -A LOGDROP -j DROP

############################
#
# Additional logging tools
# (and Blocking if needed)
#
############################
#
# log everything which comes in from the WLan. remember, we're paranoid :)
# if you want to look at the traffic coming in or going out
#
# Log IN from internet to network - just uncomment and view /var/log/ipt_ob/observing
#/usr/sbin/iptables -t filter -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOG --log-level warning --log-prefix '==OBSERVING== '
#
# Log OUT from network to internet - just uncomment and view /var/log/ipt_ob/observing
#/usr/sbin/iptables -t filter -A FORWARD -o br0 -i br0 -m physdev --physdev-is-bridged --physdev-in eth1 --physdev-out eth0 -j LOG --log-level warning --log-prefix '==OBSERVING== '
#
# If you have observed some traffic and you didn't like what you've seen, you can prevent
# the communication from occurring, reducing the damage, until you are able to address
# the compromised machine.
#
# Additional - you will probably like this!
# drop anything from this incoming IP (or going out to them too) because I dislike this person :P
# Uncomment both lines below to drop all communication, in and out, to that source
# with, of course, the ip address with which you need to prevent communication.
#
# IN-coming packets from an unrecognized source = potential compromise
# And to be prepared to stop the communication after listening some with a more specific target,
# I've also included a listen feature here too. (Bridged frames arrive on br0, so these match the
# physical ports with -m physdev rather than --in-interface eth0/eth1, like the rules above.)
#/usr/sbin/iptables -t filter -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -s 66.235.133.3 -j LOG --log-level warning --log-prefix '==OBSERVING== '
#/usr/sbin/iptables -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -s 66.235.133.3 -j LOGDROP
#
# OUT-going packets from a box on the network to an unrecognized source = potential compromise
#/usr/sbin/iptables -t filter -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth1 --physdev-out eth0 -d 66.235.133.3 -j LOG --log-level warning --log-prefix '==OBSERVING== '
#/usr/sbin/iptables -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth1 --physdev-out eth0 -d 66.235.133.3 -j LOGDROP

############################
#
# 5 & 6
#
# Previously initiated and accepted exchanges bypass rule checking
# Allow unlimited outbound traffic
/usr/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

############################
#
# 7
#
# If you need to allow packets from any outside source to reach a certain port,
# uncomment and edit to your port destination.
#/usr/sbin/iptables -A FORWARD -p udp --dport 5060 -i br0 -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j ACCEPT #sip phone

############################
#
# 8
#
# Forward established connections that originate inside from lan - bypassing rules check
/usr/sbin/iptables -A FORWARD -m physdev --physdev-is-bridged -m state --state ESTABLISHED,RELATED -j ACCEPT
# admin card; the posted line read '-m eth2', which iptables rejects (no such match), '-i eth2' is the assumed intent
/usr/sbin/iptables -A FORWARD -i eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT

############################
#
# 9
#
################ ~ It is this particular line that allows you to surf the web ~ #################
/usr/sbin/iptables -t filter -A FORWARD -i br0 -o br0 -m physdev --physdev-is-bridged --physdev-in eth1 --physdev-out eth0 -j ACCEPT

############################
#
# 10
#
# Allow VOIP phone registration and incoming initialization - from specific ip range
# (much safer than just open)
/usr/sbin/iptables -A INPUT -p udp --dport 80 -m iprange --src-range 67.133.234.77-67.133.234.78 -j ACCEPT

############################
#
# 11
#
# Note: you technically don't need 11 & 12 because once initialization occurs on port 80
# (in number 10.) the rest of the packets should be considered 'ESTABLISHED,RELATED' but
# just to insure you don't miss any incoming phone calls, I chose to leave it for now.
#
# Allow VOIP phone communication - from specific ip range
# (much safer than just open)
/usr/sbin/iptables -A INPUT -p udp --dport 5060 -m iprange --src-range 67.133.234.77-67.133.234.78 -j ACCEPT

############################
#
# 12
#
# Allow VOIP phone conversations - from specific ip range
# and a port-range (much safer than just open)
/usr/sbin/iptables -I INPUT -p udp --dport 16384:65535 -m iprange --src-range 67.133.234.77-67.133.234.78 -j ACCEPT

############################
#
# 13
#
# drop invalid packets
/usr/sbin/iptables -I FORWARD -m state --state INVALID -j LOGDROP

############################
#
# 14
#
# Drop and log all other connections from the net
/usr/sbin/iptables -A FORWARD -p tcp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP
/usr/sbin/iptables -A FORWARD -p udp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP
/usr/sbin/iptables -A FORWARD -p icmp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP
/usr/sbin/iptables -A FORWARD -p igmp -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth1 -j LOGDROP

############################
#
# 15
#
# Drop and log all other traffic - fail-safe - drop everything!
/usr/sbin/iptables -A INPUT -j LOGDROP

##########################################################################
#
# This ends the IPTable portion of the code
#
# ~
#
# End of SuSE 12.1 Bridged IPTables NetFiltering Made Easy
#
##########################################################################

  1. Ok, before we get carried away, we need to change a few system settings, in order to allow the script
    to run properly (when you aren’t manually initiating it). Thanks to SuSE, we have at our disposal ‘YaST’,
    and ‘System Services’ = ‘Runlevel’:

YaST - If you are used to a different flavor of Linux, you’re really going to appreciate this!

click YaST > System Services (Runlevel)

You can (and should) toggle between Simple and Expert Modes:

We need to click to highlight ‘firewall’ and switch to Expert Mode. Here we will start ‘firewall’ and
set runlevels 2, 3, & 5… then toggle back to ‘Simple Mode’ and enable it.

You should follow the same principle and Disable ‘SSH’ ( and leave no path for hacker entry)

Note: if you see ‘Acpid’ Errors in the ‘Messages’ log (because you have an older processor, and Acpid wasn’t
installed automatically during the SuSE OS installation), and had to install the rpm, ‘acpid-******.i586.rpm’
then you need to also

‘Enable Acpid’ here as well.

  1. If you need to tweak your iptable rules, you can do so and reload them without having to reboot your box:

$> /etc/init.d/firewall
/etc/init.d/boot.local reload [enter]

iptables -L -v

****** No traffic gets through (except ARP and STP)

Your kernel might have ethernet filtering (ebtables, bridge-nf, arptables) enabled, and traffic gets filtered.
The easiest way to disable this is to go to /proc/sys/net/bridge. Check if the bridge-nf-* entries in there are
set to 1; in that case, set them to zero and try again.

cd /proc/sys/net/bridge

ls

bridge-nf-call-arptables bridge-nf-call-iptables
bridge-nf-call-ip6tables bridge-nf-filter-vlan-tagged

for f in bridge-nf-*; do echo 0 > $f; done

  1. Now, this is cool. Install syslog-ng & uninstall rsyslog in Yast. Let’s setup a cron job to rotate the firewall log so it doesn’t present a problem
    some day in the future.

You could do it by vi with (since no tab has been created yet)

$> crontab -e

Press [insert] key then copy and paste all 6 lines (from below). Press [esc] key, then type ‘:wq’ [enter].

Let’s set a crontab that has this line in it, set to run every 4 hours. The cron line is defined like
this… 30=mins, 3=hour, *=day, *=month, *=year, then the process, followed by the file to process.

59 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 7 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 12 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 16 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 19 * * * /usr/sbin/logrotate /etc/logrotate.conf
59 23 * * * /usr/sbin/logrotate /etc/logrotate.conf

Alternatively, you could go to ‘/var/spool/cron/’ and create a text file named ‘root’…

And copy them into ‘/var/spool/cron/root’:

  1. Copy the code below and put it in /etc/logrotate.d/syslog at the top. We want to rotate our log
    files when they reach 1 meg in size. The code:

/var/log/ipt/firewall_ipt {
rotate 365
missingok
nomail
notifempty
copytruncate
noolddir
create 640 root root
dateext
maxage 365
# rotate once the file reaches 1 meg: 'size' is a directive, not a prerotate script
size 1M
postrotate
/etc/init.d/syslog reload
endscript
}

/var/log/ipt/firewall {
rotate 365
missingok
nomail
notifempty
copytruncate
noolddir
create 640 root root
dateext
maxage 365
size 1M
postrotate
/etc/init.d/syslog reload
endscript
}

/var/log/firewall {
rotate 365
missingok
nomail
notifempty
copytruncate
noolddir
create 640 root root
dateext
maxage 365
size 1M
postrotate
/etc/init.d/syslog reload
endscript
}

/var/log/firewall_swf2 {
rotate 365
missingok
nomail
notifempty
copytruncate
noolddir
create 640 root root
dateext
maxage 365
size 1M
postrotate
/etc/init.d/syslog reload
endscript
}

And limiting ‘observing’ to 50 1M files, which beyond that will be deleted, in the event you forget to turn it off!

/var/log/ipt_ob/observing {
rotate 50
missingok
nomail
notifempty
copytruncate
noolddir
create 640 root root
dateext
size 1M
postrotate
/etc/init.d/syslog reload
endscript
}

########################### above at top of file

Now, go into /var/log and make a folder named ‘ipt’ and ‘ipt_ob’ …at the prompt /etc/init.d/syslog reload [enter]

/etc/init.d/firewall reload

/etc/init.d/syslog reload

  1. Go to /etc/syslog-ng/syslog-ng.conf (3.3.1-7.6.2 in Yast) and change the following:

First, let’s redefine the filter. The bridge and iptables already define the ‘in’ and ‘out’
for us, and we want to occasionally use straight logging to observe packets traversing,
an immediate way to determine a compromised network or system, so we want to match ‘HACKERS’,
for normal protection, and also match ‘OBSERVING’ for inspecting packet destinations.

++++++++++++++++++++++++++++++++++++++

Comment out:

#file ("/proc/kmsg" program_override("kernel"));

Find ‘DEFINITIONS’ at the top (adding 2 definitions and commenting out the original):

# Filter definitions
#filter f_iptables { facility(kern) and match("IN=") and match("OUT="); };

# Filter definitions SFW2
#filter f_iptables { facility(kern) and message("IN=") and message("OUT="); };
#filter f_iptables { level(warn) and facility(kern) and message("IN=") and message("OUT=") and message("HACKERS"); };
filter f_iptables_sfw2 { level(warn) and facility(kern) and message("SFW2"); };
filter f_iptables_ipt { level(warn) and facility(kern) and message("HACKERS"); };
filter f_iptables_ob { level(warn) and facility(kern) and message("OBSERVING"); };

Then continue down to this filter definition, commenting out the top line ‘f_messages’, and adding the 2nd one,
to prevent the logs from ending up in the default ‘messages’ file:

#filter f_messages { not facility(news, mail) and not filter(f_iptables); };
# with every f_iptables definition commented out above, the new filters are the ones to exclude here
filter f_messages { not facility(news, mail) and not filter(f_iptables_ipt) and not filter(f_iptables_sfw2) and not filter(f_iptables_ob); };

Now find this ‘SOURCE’ line (second from bottom):

# Firewall (iptables) messages in one file:
destination firewall { file("/var/log/firewall" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables); destination(firewall); };

And change it to look like this (adding 2 sources and commenting out the original):

# Firewall (iptables) messages in one file:
destination firewall_ipt { file("/var/log/ipt/firewall_ipt" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables_ipt); destination(firewall_ipt); };

destination observing { file("/var/log/ipt_ob/observing" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables_ob); destination(observing); };

destination firewall_swf2 { file("/var/log/firewall_swf2" suppress(30)); };
log { source(src); source(chroots); filter(f_iptables_sfw2); destination(firewall_swf2); };

#destination firewall { file("/var/log/firewall" suppress(30)); };
#log { source(src); source(chroots); filter(f_iptables); destination(firewall); };

# Warnings (except iptables) in one file:
destination warn { file("/var/log/warn" suppress(30) fsync(yes)); };
log { source(src); source(chroots); filter(f_warn); destination(warn); };

# All messages except iptables and the facilities news and mail:

destination messages { file("/var/log/messages" suppress(30) owner(-1) group(-1) perm(-1)); };
log { source(src); source(chroots); filter(f_messages); destination(messages); };

++++++++++++++++++++++++++++++++++++++

  1. SuSe 12.1 Host files:

/etc/hosts.deny

# See 'man tcpd' and 'man 5 hosts_access' as well as /etc/hosts.allow
# for a detailed description.
#
#http-rman : ALL EXCEPT LOCAL
ALL: ALL

/etc/hosts.allow

# See 'man tcpd' and 'man 5 hosts_access' for a detailed description
# of /etc/hosts.allow and /etc/hosts.deny.
#
ALL: 127.0.0.1 0.0.0.0 xxxxxxxx.site xxxxxxxxx localhost #<-- copied from your '/etc/hosts' file

And finally, since we’re not using an IP address, and risking being hacked!!

Cheers!
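As an added example (not part of the original post), here is a small Python parser for the '==HACKERS==' and '==OBSERVING==' lines that the script's LOGDROP chain and optional observing rules write: it groups dropped inbound probes by source and port, and flags any LAN host observed talking out to an address the bridge has also dropped inbound, which is the 'potential compromise' signal the script's comments describe. The log lines are constructed samples in the kernel LOG target's format, assuming eth0 is the ISP side and eth1 the LAN side as in the how-to.

```python
import re
from collections import Counter, defaultdict

# Interface roles as wired in the how-to: eth0 faces the ISP, eth1 the LAN (assumed).
OUTSIDE_PORT = "eth0"
INSIDE_PORT = "eth1"

# Constructed sample lines in the kernel LOG target's format, as written by the
# script's LOGDROP chain (==HACKERS==) and its optional observing rules
# (==OBSERVING==). PHYSIN/PHYSOUT appear because the rules use -m physdev.
SAMPLE_LOG = """\
Jan 29 03:12:07 bridge kernel: [  812.441] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.45 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 29 03:12:09 bridge kernel: [  814.102] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.45 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 29 03:12:10 bridge kernel: [  815.300] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=198.51.100.7 DST=192.168.1.20 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4 PROTO=UDP SPT=53 DPT=1434 LEN=28
Jan 29 03:12:11 bridge kernel: [  816.010] ==OBSERVING== IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.20 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 29 03:12:12 bridge kernel: [  817.000] ==HACKERS== IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.45 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 29 03:12:13 bridge kernel: [  818.000] ==OBSERVING== IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.168.1.21 DST=198.51.100.7 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40001 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
"""

_PREFIX_RE = re.compile(r"==([A-Z]+)==\s+(.*)$")


def parse_line(line):
    """Return a record for a ==PREFIX== log line, or None for any other line."""
    m = _PREFIX_RE.search(line)
    if not m:
        return None
    prefix, body = m.group(1), m.group(2)
    fields = {}
    for token in body.split():
        if "=" in token:                      # bare flags such as DF or SYN carry no '='
            key, _, value = token.partition("=")
            fields[key] = value
    physin = fields.get("PHYSIN")
    if physin == OUTSIDE_PORT:
        direction = "inbound"                 # internet -> LAN
    elif physin == INSIDE_PORT:
        direction = "outbound"                # LAN -> internet
    else:
        direction = "unknown"                 # e.g. INPUT-chain hits on the admin card
    dpt = fields.get("DPT")
    return {
        "prefix": prefix,
        "direction": direction,
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": int(dpt) if dpt and dpt.isdigit() else None,
    }


def parse_log(text):
    """Parse every tagged line in a log excerpt, skipping untagged ones."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def drop_counts(records):
    """How many packets the LOGDROP chain discarded, per source address."""
    return Counter(r["src"] for r in records if r["prefix"] == "HACKERS")


def probing_sources(records, min_ports=2):
    """Dropped inbound sources that touched at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["prefix"] == "HACKERS" and r["direction"] == "inbound" and r["dpt"] is not None:
            ports[r["src"]].add(r["dpt"])
    return sorted((src, sorted(p)) for src, p in ports.items() if len(p) >= min_ports)


def outbound_to_dropped_sources(records):
    """LAN hosts observed initiating traffic to an address the bridge also dropped inbound.

    This is the 'outgoing packets to an unrecognized source = potential compromise'
    case from the script's comments, made mechanical.
    """
    dropped = {r["src"] for r in records
               if r["prefix"] == "HACKERS" and r["direction"] == "inbound"}
    hits = {(r["src"], r["dst"]) for r in records
            if r["prefix"] == "OBSERVING" and r["direction"] == "outbound" and r["dst"] in dropped}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("dropped per source:", dict(drop_counts(recs)))
    print("multi-port probes:", probing_sources(recs))
    print("LAN hosts talking to dropped sources:", outbound_to_dropped_sources(recs))
```

These FORWARD-chain entries only exist while bridged frames traverse iptables, i.e. while /proc/sys/net/bridge/bridge-nf-call-iptables is 1, so if the observing log stays empty after zeroing the bridge-nf-* entries as described above, check that setting first.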

Thanks a lot for the posts and good job solving the problem :) In the future if You want your posts to be even more useful than they already are use code tags for the config files You’ve posted here and commands like

# service network restart

You can find the “hidden” button in advanced post editing. If You want the devs to know about this You should use bugzilla (the same login as for this forum works) openSUSE:Submitting bug reports - openSUSE or You can use openFATE (again the same login works): https://features.opensuse.org/ And give us back the link to your request here so we can vote for it :) Unfortunately most of the devs don’t read anything here so your IMHO great ideas will reach only us regular openSUSE users.

Best regards,
Greg

PS. In the “Go Advanced” post edition options You will also find a check box to disable interpreting strings as smilies (Disable smilies in text)

Thank you very much for your reply. I realized how correct you are, and re-submitted in the cleaner “code included” format. You can see it in a “HOW TO: 12.1 Bridge Firewall”

Very best regards!

On 2012-01-29 22:26, surgie2 wrote:
> Additionally, I have a couple requests for inclusions into future SuSE
> releasses.
>

Please remember that no devs nor packagers will read this.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2012-01-27 16:26, surgie2 wrote:
> So, when I turn it off, and start/install my own iptables everything
> works fine, except that something somewhere initiated by SFW2’s being
> disabled is preventing any network traffic at all. it’s a security
> feature. I’ve tried everything I can think of, EXCEPT stopping which
> file is disabling the network…

Did you try stopping the firewall from the CLI? I have not seen the
behaviour you describe.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)