trouble with opensuse susefirewall 2 and my own rules
Hello, I'm a beginner and I have trouble with openSUSE SuSEfirewall2 and my own rules.
Since I installed a suspicious download manager, I detect outgoing traffic in the monitor and I want to block outgoing traffic except for some apps like Firefox, JinChess, ...

1) I had to replace FW_CUSTOMRULES="" with FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" in /etc/sysconfig/SuSEfirewall2.
2) I had to add my own rules in /etc/sysconfig/scripts/SuSEfirewall2-custom in the appropriate hook.
3) I don't know if the rules are good. They seem to work, because for example JinChess can't access its server with the DROP rule until I add the ACCEPT rule, BUT in fact the download manager still accesses the internet, and Amarok too when it searches for song lyrics! I have discovered it's because the other apps use port 80.

Here is the file /etc/sysconfig/scripts/SuSEfirewall2-custom:

fw_custom_after_chain_creation() {
    # these rules will be loaded after the various input_* and forward_* chains
    # are created.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.
    #example: always filter backorifice/netbus trojan connect requests and log them.
    #for target in LOG DROP; do
    #    for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
    #        iptables -A $chain -j $target -p tcp --dport 31337
    #        iptables -A $chain -j $target -p udp --dport 31337
    #        iptables -A $chain -j $target -p tcp --dport 12345:12346
    #        iptables -A $chain -j $target -p udp --dport 12345:12346
    #    done
    #done
    #
    ########### MY CUSTOM RULES
    # block all outgoing traffic ?
    # NOTE: every rule below is added with -I, which inserts at the top of
    # OUTPUT, so the chain ends up in the reverse order of this listing: the
    # ACCEPT rules are evaluated first and this DROP rule last. Any outgoing
    # packet that matches none of the ACCEPT rules (replies to connections
    # this machine accepted included) is dropped.
    iptables -t filter -I OUTPUT -j DROP
    # allow DNS
    iptables -t filter -I OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -t filter -I OUTPUT -p udp --dport 53 -j ACCEPT
    # allow FTP
    iptables -t filter -I OUTPUT -p tcp --dport 21 -j ACCEPT
    # allow HTTP (any program may use this port, not only Firefox)
    iptables -t filter -I OUTPUT -p tcp --dport 80 -j ACCEPT
    # allow HTTPS
    iptables -t filter -I OUTPUT -p tcp --dport 443 -j ACCEPT
    # allow PRIVOXY (9050 is Tor's default SOCKS port; Privoxy itself listens on 8118 by default)
    iptables -t filter -I OUTPUT -p tcp --dport 9050 -j ACCEPT
    # allow SPOTIFY
    iptables -t filter -I OUTPUT -p tcp --dport 4070 -j ACCEPT
    # allow JIN FREECHESS
    iptables -t filter -I OUTPUT -p tcp --dport 5000 -j ACCEPT
    # allow LOCALHOST (local proxies such as Privoxy/Tor are reached through lo)
    iptables -t filter -I OUTPUT -o lo -j ACCEPT
    ###########
    #
    true
}

fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.
    true
}

fw_custom_before_masq() {
    # could also be named "after_port_handling()"
    # these rules will be loaded after the IP protocol and TCP/UDP port
    # handling, but before any IP forwarding (routing), masquerading
    # will be done.
    # NOTE: reverse masquerading is before directly after
    # fw_custom_before_port_handling !!!!
    # You can use this hook to ... hmmm ... I'm sure you'll find a use for
    # this ...
    true
}

fw_custom_before_denyall() {
    # could also be named "after_forwardmasq()"
    # these are the rules to be loaded after IP forwarding and masquerading
    # but before the logging and deny all section is set by SuSEfirewall2.
    # You can use this hook to prevent the logging of annoying packets.
    #example: prevent logging of talk requests from anywhere
    #for chain in input_ext input_dmz input_int forward_int forward_ext forward_dmz; do
    #    iptables -A $chain -j DROP -p udp --dport 517:518
    #done
    true
}

Well, thank you in advance if anybody could help me find a solution to make Firefox use another specified port. I wanted to use Privoxy with Tor but it doesn't work. Is there an input/output controller on Linux (something like ZoneAlarm on XP)? The trouble is that all outgoing traffic is permitted by default!!
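As an added example (not the poster's script and not part of SuSEfirewall2), here is one way to get the per-application control the post asks about at the end. The idea is to keep an outbound allow-list, but tie the port allows to a Unix group using the iptables owner match, so that only programs started as members of that group (for example "sg netallowed -c firefox") may use ports 80 and 443, while anything else that tries, the download manager included, is logged and rejected. The group name netallowed, the chain name out_custom and the function names are assumptions made for this example. The function prints the iptables commands instead of running them, so the policy can be read before it is applied from the fw_custom_after_chain_creation hook.

```shell
#!/bin/sh
# Added example, not from the original post or from SuSEfirewall2.
# Builds an outbound allow-list in a dedicated chain and restricts the per-port
# allows to sockets owned by one group via the iptables owner match, so
# "port 80 is open" no longer means "every program may use port 80".
# Assumptions: the group (constructed name, default "netallowed") exists and
# permitted programs are started as members of it, e.g. "sg netallowed -c firefox".

IPT="${IPT:-iptables}"
ALLOWED_GROUP="${ALLOWED_GROUP:-netallowed}"   # constructed group name
CHAIN="out_custom"                              # constructed chain name

# Print the iptables commands (one per line) instead of executing them, so the
# policy can be reviewed first; "gen_egress_rules 80 443 | sh" applies it.
# Arguments: the TCP destination ports the allowed group may reach.
gen_egress_rules() {
    # (Re)create the chain so the function is safe to run on every firewall reload.
    printf '%s -t filter -N %s 2>/dev/null || %s -t filter -F %s\n' "$IPT" "$CHAIN" "$IPT" "$CHAIN"
    # Loopback and reply traffic first: local proxies (Privoxy, Tor) and replies
    # to connections this machine accepted must not be cut off.
    printf '%s -t filter -A %s -o lo -j ACCEPT\n' "$IPT" "$CHAIN"
    printf '%s -t filter -A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$IPT" "$CHAIN"
    # DNS for everyone, otherwise nothing resolves.
    printf '%s -t filter -A %s -p udp --dport 53 -j ACCEPT\n' "$IPT" "$CHAIN"
    printf '%s -t filter -A %s -p tcp --dport 53 -j ACCEPT\n' "$IPT" "$CHAIN"
    # Per-port allows, limited to sockets owned by the allowed group. The owner
    # match only applies to locally generated packets, which is exactly what the
    # OUTPUT chain sees.
    for port in "$@"; do
        printf '%s -t filter -A %s -p tcp --dport %s -m owner --gid-owner %s -j ACCEPT\n' \
            "$IPT" "$CHAIN" "$port" "$ALLOWED_GROUP"
    done
    # Everything else: log (rate limited) so the offending program shows up in
    # the syslog, then reject so it fails fast instead of hanging on a DROP.
    printf '%s -t filter -A %s -m limit --limit 5/min -j LOG --log-prefix "EGRESS-REJECT: "\n' "$IPT" "$CHAIN"
    printf '%s -t filter -A %s -j REJECT --reject-with icmp-port-unreachable\n' "$IPT" "$CHAIN"
    # Hook the chain into OUTPUT exactly once (remove any old jump first).
    printf '%s -t filter -D OUTPUT -j %s 2>/dev/null\n' "$IPT" "$CHAIN"
    printf '%s -t filter -I OUTPUT 1 -j %s\n' "$IPT" "$CHAIN"
}

# Policy check helper: how many generated rules carry the group restriction.
count_group_rules() {
    gen_egress_rules "$@" | grep -c -- '--gid-owner'
}

# Stand-alone use: print the rule set for HTTP, HTTPS and the FICS port 5000.
case "${1:-}" in
    --print) gen_egress_rules 80 443 5000 ;;
esac
```

With this in place, Firefox started inside the group reaches port 80 directly, or, when it is configured to use Privoxy and Tor as a SOCKS proxy, only talks to lo and needs no port allow at all; a program started outside the group hits the LOG and REJECT rules, and the logged lines show which destination and port it was trying. Rejecting rather than dropping is deliberate: a dropped packet makes the blocked program wait for a timeout, a rejected one fails immediately, which is easier to spot when debugging the rule set.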