For More Information - Novell LINUX ENTERPRISE SERVER 11 - SECURITY Manual


FW_SERVICES_ACCEPT_RELATED_* (firewall)
SuSEfirewall2 now implements a subtle change regarding packets that are considered
RELATED by netfilter.
For example, to allow finer-grained filtering of Samba broadcast packets, RELATED
packets are no longer accepted unconditionally. The new variables starting with
FW_SERVICES_ACCEPT_RELATED_ have been introduced to allow restricting
the handling of RELATED packets to certain networks, protocols and ports.
This means that adding connection tracking modules (conntrack modules) to
FW_LOAD_MODULES no longer automatically results in accepting the packets
tagged by those modules. Additionally, you must set variables starting with
FW_SERVICES_ACCEPT_RELATED_ to a suitable value.
After configuring the firewall, test your setup. The firewall rule sets are created by
entering SuSEfirewall2 start as root. Then use telnet, for example, from an
external host to see whether the connection is actually denied. After that, review
/var/log/messages, where you should see something like this:
Mar 15 13:21:38 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0
OUT= MAC=00:80:c8:94:c3:e7:00:a0:c9:4d:27:56:08:00 SRC=192.168.10.0
DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=15330 DF PROTO=TCP
SPT=48091 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
OPT (020405B40402080A061AFEBC0000000001030300)
Other packages to test your firewall setup are nmap or nessus. The documentation of
nmap is found at /usr/share/doc/packages/nmap and the documentation of
nessus resides in the directory /usr/share/doc/packages/nessus-core
after installing the respective package.
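To confirm from the log that a test connection was really denied, the entries can be parsed instead of read by eye. The following Python sketch is an added example, not part of the original manual or of the SuSEfirewall2 package; the function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the entry shown above joined onto one line (syslog
# writes each packet as one line), a made-up UDP drop, and unrelated noise.
SAMPLE_LOG = (
    "Mar 15 13:21:38 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "MAC=00:80:c8:94:c3:e7:00:a0:c9:4d:27:56:08:00 SRC=192.168.10.0 "
    "DST=192.168.10.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=15330 DF PROTO=TCP "
    "SPT=48091 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 "
    "OPT (020405B40402080A061AFEBC0000000001030300)\n"
    "Mar 15 13:21:41 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= "
    "SRC=192.168.10.0 DST=192.168.10.255 LEN=78 TTL=64 ID=0 DF PROTO=UDP "
    "SPT=137 DPT=137 LEN=58\n"
    "Mar 15 13:21:45 linux sshd[2211]: Server listening on 0.0.0.0 port 22.\n"
)

ENTRY = re.compile(r"kernel: (?:\[[^\]]*\] ?)?SFW2-(?P<chain>\S+) (?P<rest>.*)")

def parse_sfw2(line):
    """Return the fields of one SuSEfirewall2 log entry, or None."""
    m = ENTRY.search(line)
    if not m:
        return None
    entry = {"chain": m.group("chain"), "flags": []}
    for token in m.group("rest").split():
        if token == "OPT":                 # raw TCP options follow; stop here
            break
        key, sep, value = token.partition("=")
        if sep:
            entry.setdefault(key, value)   # keep the IP LEN, not the UDP LEN
        elif token.isalpha():
            entry["flags"].append(token)   # bare tokens such as DF and SYN
    return entry

def drops(log_text):
    """All parsed entries whose chain name marks a dropped packet."""
    parsed = (parse_sfw2(line) for line in log_text.splitlines())
    return [e for e in parsed if e and "-DROP" in e["chain"]]

def was_dropped(log_text, src, dport, proto="TCP"):
    """True if a probe from src to dport appears as dropped in the log."""
    return any(e.get("SRC") == src and e.get("DPT") == str(dport)
               and e.get("PROTO") == proto for e in drops(log_text))

def drop_summary(log_text):
    """Count dropped packets per (protocol, destination port)."""
    return Counter((e.get("PROTO"), e.get("DPT")) for e in drops(log_text))
```

Calling was_dropped() with the address of the external test host and port 23 on the contents of /var/log/messages answers the telnet check described above; drop_summary() shows which other ports are being hit and dropped.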

15.5 For More Information

The most up-to-date information and other documentation about the SuSEfirewall2
package is found in /usr/share/doc/packages/SuSEfirewall2. The home
page of the netfilter and iptables project, http://www.netfilter.org, provides
a large collection of documents in many languages.
Masquerading and Firewalls