On 29/07/07, Richard Creighton <[EMAIL PROTECTED]> wrote:
> Turns out that I have spent the morning trying to figure out why on my
> machine that didn't work at all. I perused the iptables -L and found
> the order of the rules produced by susefirewall2 is wrong IF you open
> the ssh port using the sysconfig editor OR the YAST2 firewall
> configuration Allowed Services advanced TCP ports external. It puts
> dpt:22 as ACCEPT BEFORE the rule produced by the line shown above so that
> rule never gets executed. The solution is to go back into the
> sysconfig editor or YAST2 and remove the ssh port and then the above
> line and resultant rule becomes activated and works.

Yeah, you'll need to use either one or the other.

> It really isn't
> better than fail2ban in that it works at the same level, i.e., at the
> firewall, and the rule produced by fail2ban is the first rule examined
> and, what I like, it is logged so I can easily produce a report to send
> to the offending site (that might not even know they have the
> worm) and suggest they clean house.

IPTables can be and is logged of course, see /var/log/firewall; you can adjust the verbosity of this etc. If you need the rule to be examined sooner you could put the rule the above generates into /etc/sysconfig/scripts/SuSEfirewall2-custom, inserting the rule where you please. fail2ban might be less prone to DoS attack problems than the simple firewall rule though.

> As to your second question, I think if you were to examine the output of
> iptables -L and find the 2 (I believe) lines that make up the rules that
> make the above line function, you could change the dpt:22 to the port
> you need to monitor and add it manually. I've not seen anyplace in the
> GUI that has a place to do it. Assuming of course that you don't want
> to use fail2ban :)

Yes, the rules are space separated, so
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh 0/0,tcp,25......"
should work I believe.

_
Benjamin Weber
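As an added illustration (not code from the list thread or from SuSEfirewall2) of why the ACCEPT-before-rate-limit ordering Richard describes defeats the hitcount rule, the following Python models first-match evaluation of a chain built from the FW_SERVICES_ACCEPT_EXT entry quoted above. The `recent` match is a simplified stand-in, the default-deny policy, the source address and the second config entry are constructed assumptions.

```python
# Value in the format shown in the post; the second entry is a constructed sample.
CONFIG = "0/0,tcp,22,,hitcount=3,blockseconds=120,recentname=ssh 0/0,tcp,25"

def parse_accept_ext(value):
    """Split FW_SERVICES_ACCEPT_EXT into entries (space separated) of the form
    net,proto,dport,sport,opt=val,... (comma separated), as described above."""
    entries = []
    for item in value.split():
        fields = item.split(",")
        net, proto, dport, sport = (fields + [""] * 4)[:4]
        opts = dict(f.split("=", 1) for f in fields[4:] if "=" in f)
        entries.append({"net": net, "proto": proto, "dport": dport,
                        "sport": sport, "opts": opts})
    return entries

class RecentLimit:
    """Simplified stand-in for the iptables 'recent' match: remember hit times
    per source and report once hitcount hits fall inside the blockseconds window."""
    def __init__(self, hitcount, seconds):
        self.hitcount, self.seconds, self.seen = hitcount, seconds, {}
    def exceeded(self, src, now):
        times = [t for t in self.seen.get(src, []) if now - t <= self.seconds]
        times.append(now)
        self.seen[src] = times
        return len(times) >= self.hitcount

def run_chain(chain, packets):
    """First matching rule decides; unmatched packets hit an assumed deny policy."""
    verdicts = []
    for src, dport, now in packets:
        verdict = "DROP"
        for match, action in chain:
            if match(src, dport, now):
                verdict = action
                break
        verdicts.append(verdict)
    return verdicts

def simulate(order):
    """Four SSH attempts from one constructed source, 10 s apart, through the
    two rule orders the thread compares: 'accept-first' or 'ratelimit-first'."""
    entry = parse_accept_ext(CONFIG)[0]
    limit = RecentLimit(int(entry["opts"]["hitcount"]), int(entry["opts"]["blockseconds"]))
    port = int(entry["dport"])
    rate_rule = (lambda s, d, t: d == port and limit.exceeded(s, t), "DROP")
    accept_rule = (lambda s, d, t: d == port, "ACCEPT")
    chain = [accept_rule, rate_rule] if order == "accept-first" else [rate_rule, accept_rule]
    packets = [("203.0.113.5", port, t) for t in (0, 10, 20, 30)]
    return run_chain(chain, packets)
```

With the plain ACCEPT first every attempt passes and the hitcount rule is never consulted; with the rate-limit rule first the third attempt inside the 120 s window is dropped.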
