LinuxQuestions.org
Old 05-24-2005, 02:37 PM   #1
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Rep: Reputation: 30
SUSE built-in Firewall questions


Ok, here you go. This is my output of DEFAULT iptables -L in SUSE Linux 9.3. I just want to know if it's doing a STATEFUL PACKET INSPECTION firewalling. That's it. If it does, then I will stick to this one. Check it out below.


PLEASE LOOK BELOW....

Last edited by wardialer; 05-24-2005 at 03:45 PM.
 
Old 05-24-2005, 03:44 PM   #2
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Ok, here you go. This is my output of DEFAULT iptables -L in SUSE Linux 9.3. I just want to know if it's doing a STATEFUL PACKET INSPECTION firewalling. That's it. If it does, then I will stick to this one. Check it out below. Please tell me if this script is doing STATEFUL PACKET INSPECTION. And if it does do SPI, then how would I tell?

linux:~ # iptables -L

Code:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere            PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp redirect
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
LOG        tcp  --  anywhere             anywhere            limit: avg 3/min burst 5 tcp flags:SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        icmp --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        udp  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP       all  --  anywhere             anywhere

Chain reject_func (1 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-proto-unreachable

Last edited by wardialer; 05-24-2005 at 03:47 PM.
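
Added example (not part of any post in this thread): one way to answer "how would I tell?" from a saved `iptables -L` listing. The function names are hypothetical and the sample listing is abridged from the post above; the check is a heuristic that looks for a default-DROP INPUT chain plus an ACCEPT rule matching `state RELATED,ESTABLISHED`.

```python
import re

# Abridged from the `iptables -L` listing in the post above (rules and LOG options trimmed).
LISTING = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
input_ext  all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain input_ext (1 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     icmp --  anywhere             anywhere            state RELATED,ESTABLISHED icmp echo-reply
reject_func  tcp  --  anywhere             anywhere            tcp dpt:ident state NEW
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 state INVALID LOG level warning
DROP       all  --  anywhere             anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
# `-m state` lists as "state ..."; `-m conntrack` lists as "ctstate ...".
STATE_RE = re.compile(r"\b(?:ct)?state ([A-Z,]+)")

def parse(listing):
    """Return {chain: {"policy": str or None, "rules": [(target, prot, match)]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif current is not None and line.strip() and not line.startswith("target"):
            # Columns: target prot opt source destination [match text]
            parts = line.split(None, 5)
            current["rules"].append((parts[0], parts[1], parts[5] if len(parts) > 5 else ""))
    return chains

def state_rules(chains):
    """Rules that consult connection tracking, as (chain, target, states)."""
    return [(name, target, frozenset(m.group(1).split(",")))
            for name, chain in chains.items()
            for target, _prot, match in chain["rules"]
            for m in [STATE_RE.search(match)] if m]

def is_stateful_input(chains):
    """True if INPUT drops by default and admits replies via RELATED,ESTABLISHED."""
    replies = any(c == "INPUT" and t == "ACCEPT" and {"RELATED", "ESTABLISHED"} <= s
                  for c, t, s in state_rules(chains))
    return replies and chains.get("INPUT", {}).get("policy") == "DROP"

def ambiguous_accepts(chains):
    """Chains with a bare 'ACCEPT all' rule; plain -L hides which interface it covers."""
    return [n for n, c in chains.items()
            for t, p, m in c["rules"] if t == "ACCEPT" and p == "all" and not m]
```

The bare `ACCEPT all` rule it flags cannot be judged from plain `-L` output, which omits the interface columns; `iptables -L -v` shows them.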
 
Old 05-24-2005, 09:22 PM   #3
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Well, I guess no one here uses Linux... I want a simple answer here... And I'm being ignored. Please do not shut me out.

I demand a response within hours. If not, I am going to bump this post...
 
Old 05-24-2005, 10:37 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
I just want to know if it's doing a STATEFUL PACKET INSPECTION firewalling
I've already answered that question for you in the past: http://www.linuxquestions.org/questi...light=stateful

Quote:
I demand a response within hours.
Sweet! I want to demand stuff too.. I demand a pet monkey with a red beanie, no wait, I demand a jet pack. Yes, a jet pack will be rather acceptable, thanks
 
Old 05-25-2005, 01:00 PM   #5
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I know, but now I'm not using Mandrake anymore. And plus, this is a different script that came as default in SUSE.

All I'm asking is a simple NO and YES answer. What is so secretive about saying YES or NO???

Also, how can I tell if it's doing SPI? This is important to know because that's what I want for a firewall. And this script will go into my dial-up machine.
 
Old 05-25-2005, 02:57 PM   #6
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
I know you guys are ignoring me on purpose and THAT'S UTTERLY UTTERLY despicable and rude.

I EXPECT A RESPONSE OR ELSE I WILL SETTLE THIS WITH THE MASTER MODERATOR. UNDERSTAND? HOPE SO...OH, AND TO ALSO MENTION THAT IT'S VERY DISCRIMINATING!!!!!!!



Last edited by wardialer; 05-25-2005 at 03:00 PM.
 
Old 05-25-2005, 03:36 PM   #7
jfryman
Member
 
Registered: Dec 2004
Location: Newport News, Virginia
Distribution: CentOS 4, FC4, Ubuntu Breezy/Dapper, Arch 0.7.1
Posts: 40

Rep: Reputation: 15
Quote:
Originally posted by wardialer
I know you guys are ignoring me on purpose and THAT'S UTTERLY UTTERLY despicable and rude.

I EXPECT A RESPONSE OR ELSE I WILL SETTLE THIS WITH THE MASTER MODERATOR. UNDERSTAND? HOPE SO...OH, AND TO ALSO MENTION THAT IT'S VERY DISCRIMINATING!!!!!!!
YES!

DON'T BE A JERK... You must respect to deserve respect... and I don't see any of that happening on your end. Who is discriminating? And how?! I'm sorry if you aren't the most important person in the world, but we're all trying to get things done in this world, and you should probably chill for a little bit and give people some time to answer you, without being rude yourself and demanding answers.

Ask yourself this. If someone asked you in such a rude fashion, would you respond? If you answer yes... then you are a liar. Granted, computer people don't have the best of social skills, but a little respect goes a long way.

Now, it seems like you use this tactic to get people to answer your posts. A lot of people on this board have some major skills to make your life a miserable hell if you piss off the wrong person... so let's recap:

1) Respect
2) See #1

Maybe you should learn to ask intelligent questions: http://www.catb.org/~esr/faqs/smart-questions.html

And go ahead and take this up with the master-moderator... I would be interested in what he would have to say.
 
Old 05-25-2005, 04:15 PM   #8
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
NO, YOU WAIT!!!

The thing that bothers me is that I signed up for this forum to get intelligent responses. BUT NO....I hate when people on here don't tell the truth. Meaning, if you don't like Linux or SUSE isn't your fav distro, then please be honest. Please....It will be fine for me if someone says or admits that they don't know. BUT PLEASE, I RESPECT AN ANSWER EVEN IF SOMEONE DOES NOT KNOW. That's it... That's all I want.

It looks like not everyone likes to work with Linux or SUSE, like I said, that's fine, but be honest or tell me if that's the case here. But please do not IGNORE my questions just like this. It drives me up the wall.

But don't take it the wrong way here. I am just angry the way Linux is-which means FRUSTRATING and yes I have a hard time master minding it.

Now, my goal is to make Linux as secure as OpenBSD. Is this possible? And my main question, SuSEfirewall has its own built-in iptables or ipchains script and I got this script by doing iptables -L.

Question is, is it doing SPI? Also, this is for my dial-up machine which has very crucial data in it. Should this firewall script be secure enough and (one more time) does it do SPI? And MOST IMPORTANTLY, can this iptables script stealth ALL OF MY PORTS like my Linksys router can do or not?

SPI for me, is very very important. Like someone said, it's even better than NAT.

I would appreciate it and please accept my apologies. Remember, it's NOT YOU, it's the frustrating aspects of Linux which will never die.

But remember if you guys DO NOT KNOW the answer or do not like working with Linux then please tell me rather than just to ignore my questions...


Thank you.

Last edited by wardialer; 05-25-2005 at 04:31 PM.
 
Old 05-25-2005, 05:31 PM   #9
jfryman
Member
 
Registered: Dec 2004
Location: Newport News, Virginia
Distribution: CentOS 4, FC4, Ubuntu Breezy/Dapper, Arch 0.7.1
Posts: 40

Rep: Reputation: 15
Quote:
Originally posted by wardialer
NO, YOU WAIT!!!

The thing that bothers me is that I signed up for this forum to get intelligent responses. BUT NO....I hate when people on here don't tell the truth. Meaning, if you don't like Linux or SUSE isn't your fav distro, then please be honest. Please....It will be fine for me if someone says or admits that they don't know. BUT PLEASE, I RESPECT AN ANSWER EVEN IF SOMEONE DOES NOT KNOW. That's it... That's all I want.

It looks like not everyone likes to work with Linux or SUSE, like I said, that's fine, but be honest or tell me if that's the case here. But please do not IGNORE my questions just like this. It drives me up the wall.

But don't take it the wrong way here. I am just angry the way Linux is-which means FRUSTRATING and yes I have a hard time master minding it.

Now, my goal is to make Linux as secure as OpenBSD. Is this possible? And my main question, SuSEfirewall has its own built-in iptables or ipchains script and I got this script by doing iptables -L.

Question is, is it doing SPI? Also, this is for my dial-up machine which has very crucial data in it. Should this firewall script be secure enough and (one more time) does it do SPI? And MOST IMPORTANTLY, can this iptables script stealth ALL OF MY PORTS like my Linksys router can do or not?

SPI for me, is very very important. Like someone said, it's even better than NAT.

I would appreciate it and please accept my apologies. Remember, it's NOT YOU, it's the frustrating aspects of Linux which will never die.

But remember if you guys DO NOT KNOW the answer or do not like working with Linux then please tell me rather than just to ignore my questions...


Thank you.
Not my intentions to start a flame war, but you're already starting one by reading way into what is going on here. I've been a member of this forum on and off for over three years, and not once have I seen answers being discriminated against because of the particular distro. There are subtle differences, but the people on this list are pretty knowledgeable.

If you have an overall goal, why don't you share this right out, instead of throwing out little tidbits and screaming at people when they don't answer?

I think you need to learn to do some things on your own. Google is great for this. Hell, 30 seconds on Google with simple searches got me this: http://iptables-tutorial.frozentux.n...-tutorial.html

Read that, come back with questions.

Just don't rant at people. Oftentimes an ignored question represents one of two things:

1) It's been answered, please find it
2) They don't know.

So don't then scream at people when nobody answers. I'm just saying that you can't control people, but you're definitely not going to win friends by being a jerk.

Now, say what you will in response, but I refuse to turn this into a flame thread. Good luck to you, and try and learn some netiquette. Good luck.
 
Old 05-25-2005, 06:21 PM   #10
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Well????? Ok, what about an answer to my question please?? Is this doing SPI or not? WHAT'S SO HARD ABOUT THIS QUESTION!!!!!!???????? I MEAN REALLY..

I'm serious here, I have crucial data to manage on this system. That's all I want to know for crying out loud. Does this do SPI or not?

NO!!! PEOPLE ON THIS LAME ASS FORUM ARE NOT SOOOOOO INTELLIGENT BECAUSE MY QUESTION WOULD HAVE BEEN ANSWERED BY NOW.

Until I get a response, I'm going to bump this post until I do so. I'm not kicked out so far so I guess it's OK.


Last edited by wardialer; 05-25-2005 at 06:25 PM.
 
Old 05-25-2005, 06:35 PM   #11
rshaw
Senior Member
 
Registered: Apr 2001
Location: Perry, Iowa
Distribution: Mepis , Debian
Posts: 2,692

Rep: Reputation: 45

how many times do you need to hear the answer "yes" before you'll accept it. once in the other thread and twice in this one.

get over yourself.

Last edited by rshaw; 05-25-2005 at 06:39 PM.
 
Old 05-25-2005, 06:39 PM   #12
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
You don't understand do you???

I upgraded to SUSE. And I see that SUSE Firewall2 has this script by default. I would like to know if the SUSE Firewall is an iptables (SPI firewall) or an ipchains firewall?

That's all.

Because I do not like ipchains type script. But one thing that concerns me is that I see this below.

Code:
Chain INPUT (policy DROP)

Last edited by wardialer; 05-25-2005 at 06:42 PM.
 
Old 05-25-2005, 08:23 PM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
Originally posted by wardialer
PEOPLE ON THIS LAME *** FORUM ARE NOT SOOOOOO INTELLIGENT BECAUSE MY QUESTION WOULD HAVE BEEN ANSWERED BY NOW.
That or they don't appreciate your attitude. Everyone here is an unpaid volunteer who uses some of their free time to help out others, not paid tech support. So demanding answers, using profanity, and calling LQ a "lame" place is not going to make others want to help you. You've been repeatedly warned about your behaviour, so let me make this completely clear to you: If you continue to act in an unacceptable manner, you will be banned. If you want to demand answers, pay for SuSE tech support and demand all you want, but that attitude is not "ok" here. I do realize that Linux can be frustrating at times, however the members of this forum live in different time zones and have jobs/families/both, so try to be patient...

Quote:
Until I get a response, I'm going to bump this post until I do so. I'm not kicked out so far so I guess it's OK.
No it's not. See our rules and the above statements.
 
Old 05-25-2005, 09:23 PM   #14
wardialer
Member
 
Registered: Sep 2004
Distribution: SUSE Linux Pro 9.3
Posts: 375

Original Poster
Rep: Reputation: 30
Quote:
If you continue to act in an unacceptable manner, you will be banned.
PROMISES PROMISES... THEY'RE JUST WORDS FALSE WORDS.

Sorry, but I will bump it up until I get responses.... So what!!!! Be it. Here you go.
 
Old 05-25-2005, 09:27 PM   #15
trickykid
LQ Guru
 
Registered: Jan 2001
Posts: 24,149

Rep: Reputation: 269
Move along people, wardialer won't be demanding answers any longer..
 
  

