strange firewall behaviour

cheesus · 03-04-2007, 09:54 AM

Hello,

I have a fresh new SuSE 10.2 install.
I configured the firewall using control center and allowed only HTTPS.

Now when I do a port scan (e.g. http://probe.hackerwatch.org), I am
getting 443 open alright, but also 80 as open and many more
"This port is not being blocked, but there is no program currently accepting connections on this port."

Now when I telnet to my machine port 80 from internal, I get connected
to the apache. When I do that from the outside, I get a

Code:

Connected to xx.xx.xx.xx.
Escape character is '^]'.
Connection closed by foreign host.

So, is this 10.2 firewall accepting and closing connections instead
of just blocking/dropping them ?

I also checked the file /etc/sysconfig/SuSEfirewall2 and there really is
only 443 opened.

How can one explain that ? And yes, the firewall is working, because
I could not connect in on 443 before I opened that...

Any ideas anyone ? Cheers, Tom.

anomie · 03-04-2007, 11:47 AM

First, I'm sure the URL you specified for port scanning is fine, but when I visited just now they were down for maintenance... Instead try something that is commonly used like grc.com - shield's up. Better yet, scan your box using nmap from another machine on the same network where the web service is supposed to be listening.

Second, if grc.com or your nmap scan gives the same results, then post your packet filtering rules here.

Code:

# iptables -nvL

Put the rules in code tags so that they're readable.

cheesus · 03-06-2007, 02:11 PM

Thank you for your response.

I didn't realize my DSL router had the firewall activated, so
it has nothing to do with the Linux...

Still, I think it is strange behavior for a firewall to accept the
connection, then drop it, instead of just blocking the port...

Cheers, Tom.