Distribution: openSuSE Tumbleweed-KDE, Mint 21, MX-21, Manjaro
Posts: 4,629
Firewall for mobile / USB stick working?
I noticed that in the menus (in YAST) there is mentioning of interfaces like wlan or eth0 but never for mobile connections. Are those protected by the firewall, too? How can I make sure?
I did not really master iptables, by a long way. Am I right in assuming that the reference to "ppp0" in the 6th line means that a modem (USB stick) is referred to? And thus the mobile connection is protected too?
Last edited by win32sux; 07-06-2011 at 11:28 PM.
Reason: Changed QUOTE tags to CODE tags.
The rule with the ppp0 match just sends the packet to the input_ext chain. Said rule could be eliminated for all practical intents and purposes, as the packet would get sent to input_ext by the following rule regardless. So, basically, all inbound packets are being sent to input_ext (which is where the main stuff takes place), therefore the answer to your question is YES (all your interfaces are firewalled).
In other words, your firewall rules are non-specific when it comes to interfaces (with the exception of loopback and the aforementioned redundancy), so they apply to all of them. For example, those two UDP ports (54925 and 54926) are being allowed on all your interfaces.
Original Poster
Aha, that's a relief, thank you very much. As an explanation: these are the default rules openSuSE comes with. I opened those UDP ports at the request of Brother; their printer driver wants those two opened. Thanks again for your help.
Original Poster
Quote:
Originally Posted by win32sux
Shouldn't they be allowed only on the local network interface? Otherwise, they're open to the world...
I don't exactly understand the reason for their having to be open. My setup is a single PC with a local printer, no local network and a mobile connection to the internet.
After reading your last post I closed the external ports and opened (?) them internally. With openSuSE that means first ticking a checkbox "Protect Firewall from Internal Zone". That activates access to the ports of the internal zone, which I then opened (UDP ports 54925 and 54926). But I can't see that in the new listing of "iptables -nvL":
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
72 4928 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
0 0 input_ext all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-IN-ILL-TARGET '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-FWD-ILL-ROUTING '
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
72 4928 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
Chain forward_ext (0 references)
pkts bytes target prot opt in out source destination
Chain input_ext (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = broadcast
0 0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 tcp flags:0x17/0x02 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 3/min burst 5 ctstate NEW LOG flags 6 level 4 prefix `SFW2-INext-DROP-DEFLT '
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain reject_func (0 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT udp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-proto-unreachable
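The script below is an added example for this thread; it is not code from either poster and not SuSEfirewall2's own script. It shows the two ways of "opening" 54925/54926 side by side (the unscoped form that win32sux objected to, and the same rule restricted to one interface with -i), and it answers the original "how can I make sure?" with an audit function that reads `iptables -nvL` output and reports every ACCEPT rule that applies to any interface. Assumptions not in the thread: the LAN interface is called eth0, the mobile stick comes up as ppp0 as in the first post, and the sample listing embedded in the script is constructed (the OP's default input_ext chain with one unscoped and one eth0-scoped rule added). One observation the OP's own listing above does support: it contains only an input_ext chain, and INPUT hands every packet that is not loopback or established to that chain, so rules attached to the internal zone are currently not applied to any interface at all. In SuSEfirewall2 that zone only gets an interface when one is listed in FW_DEV_INT in /etc/sysconfig/SuSEfirewall2.

```shell
#!/bin/sh
# Added example for the LQ thread; not SuSEfirewall2 code and not from the posters.
# Assumptions (not in the thread): LAN side is eth0, mobile stick is ppp0, and the
# two UDP ports are the ones the OP opened for the Brother driver.
set -u

LAN_IF="${LAN_IF:-eth0}"
BROTHER_PORTS="54925 54926"

# Weak form: what "open the port" yields when no interface is named. There is no
# -i match, so the rule accepts on ppp0 just as readily as on the LAN.
weak_rules() {
    for p in $BROTHER_PORTS; do
        printf 'iptables -I input_ext -p udp --dport %s -j ACCEPT\n' "$p"
    done
}

# Scoped form: the same rule, but it only matches packets that arrived on the LAN
# interface. The same port probed over ppp0 falls through to the chain's final
# LOG/DROP. Inserting at position 1 puts the rule ahead of those.
scoped_rules() {
    for p in $BROTHER_PORTS; do
        printf 'iptables -I input_ext 1 -i %s -p udp --dport %s -j ACCEPT\n' "$LAN_IF" "$p"
    done
}

# Audit: read `iptables -nvL` output on stdin and print every ACCEPT rule whose
# "in" column is "*" (any interface). The conntrack ESTABLISHED/RELATED rules are
# skipped because they are meant to be interface-agnostic. -nvL column layout:
#   pkts bytes target prot opt in out source destination [matches...]
audit_listing() {
    awk '
        /^Chain / { chain = $2; next }
        $3 == "ACCEPT" && $6 == "*" && $0 !~ /ctstate (ESTABLISHED|RELATED)/ {
            extra = ""
            for (i = 10; i <= NF; i++) extra = extra " " $i
            printf "%s: %s %s accepted on any interface\n", chain, $4, (extra == "" ? "(no match)" : substr(extra, 2))
        }
    '
}

# Constructed sample listing (not captured from a real box): the default INPUT and
# input_ext chains from the thread, plus 54925 opened unscoped and 54926 scoped to eth0.
SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   72  4928 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED
    0     0 input_ext  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain input_ext (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:54925
    0     0 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            udp dpt:54926
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmp type 8
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# Stand-alone run: show both rule sets, then audit the sample listing.
# Expected findings: udp dpt:54925 (unscoped) and icmp type 8; 54926 is not reported.
echo "# weak (any interface):"
weak_rules
echo "# scoped to $LAN_IF:"
scoped_rules
echo "# audit of the sample listing:"
printf '%s\n' "$SAMPLE_LISTING" | audit_listing
```

To check a live box, paste the audit_listing function into a root shell and run `iptables -nvL | audit_listing`; anything it prints is reachable from the mobile link as well as the LAN. To apply the scoped rules, read the output of scoped_rules and pipe it to a root shell. Either way SuSEfirewall2 rebuilds the whole ruleset on its next restart, so the change that survives a reboot belongs in /etc/sysconfig/SuSEfirewall2 (FW_DEV_INT for the LAN interface, FW_SERVICES_INT_UDP for the two ports), not in hand-inserted rules.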
Original Poster
Quote:
Originally Posted by win32sux
...
Perhaps it's time to drop the GUI and enter the exciting world of iptables shell scripts?
If I truly understood what I do ... I once even made my own script based on Alien Bob's artwork. In my zeal to truly and really close each and any hole I made my box unusable. Thus I rely on openSuSE's template, checked by many eyes, and hope for the best.
When I really do have the time to delve into this, I'll have a second go and go through with it, hopefully without tripping up myself.