Allow a list of services to a list of networks using SuSEFirewall2
I have a sudden need to firewall a machine to allow a list of ports to a list of subnets.

FW_SERVICES_EXT_TCP="ftp ftp-data ssh smtp domain http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap https smtps rsync ftps-data ftps imaps pop3s sunrpc"
FW_TRUSTED_NETS=<8 distinct class C networks>

So effectively I want to say, "Only trusted nets get anything, and then only services on the list".

Trouble is, using the trusted nets concept I have to list the entire cross product, every possible combination.

Without that ugliness, can I do it within SuSEFirewall2 or am I down to ipchains?

TIA,
michaelj

--
Michael James                      michael.james@csiro.au
System Administrator               voice: 02 6246 5040
CSIRO Bioinformatics Facility      fax:   02 6246 5166
/ 2004-03-17 15:28:08 +1100 \ Michael James:
I have a sudden need to firewall a machine to allow a list of ports to a list of subnets.
FW_SERVICES_EXT_TCP="ftp ftp-data ssh smtp domain http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap https smtps rsync ftps-data ftps imaps pop3s sunrpc"
FW_TRUSTED_NETS=<8 distinct class C networks>
So effectively I want to say, "Only trusted nets get anything, and then only services on the list".
Trouble is, using the trusted nets concept I have to list the entire cross product, every possible combination.
Without that ugliness, can I do it within SuSEFirewall2 or am I down to ipchains?
iptables is it nowadays, IIRC :)

The /etc/sysconfig/SuSEfirewall2 config file is bash syntax, and it is "source"d from within the real SuSEfirewall2 script. So you can "simply" let bash "calculate" the "cross product" for you, by means of two nested for loops. Yes, within that very same config file.

This is the power you get by not inventing some new config file language, but letting the programming language you use do the parsing for you ;)

Lars Ellenberg

Something like:

    __my_SERVICES_TCP="ftp ftp-data ssh smtp domain http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap https smtps rsync ftps-data ftps imaps pop3s sunrpc"
    # udp
    __my_TRUSTED_NETS="1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8"

    FW_TRUSTED_NETS=""
    for n in $__my_TRUSTED_NETS; do
        FW_TRUSTED_NETS="$FW_TRUSTED_NETS $n,icmp"      # add icmp type, if needed
        for s in $__my_SERVICES_TCP; do
            FW_TRUSTED_NETS="$FW_TRUSTED_NETS $n,tcp,$s"
        done
        # UDP
        # etc.
    done
    unset n s ${!__my*}    # drop the helper variables so only FW_* settings remain
    # echo > some.where "$FW_TRUSTED_NETS"
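The nested-loop idea above, carried through as a stand-alone script so the generated list can be inspected and counted before it is pasted into the firewall config. This is an added example, not code from the message above or from SuSEfirewall2; the three /24 networks are constructed placeholders, and the entry format net,proto,port is the FW_TRUSTED_NETS syntax the thread is discussing.

```shell
#!/bin/sh
# Added example: build the FW_TRUSTED_NETS cross product (net,proto,port)
# from a list of networks and a list of TCP services, as the nested-loop
# approach does inside /etc/sysconfig/SuSEfirewall2.
# The networks below are constructed placeholders (RFC 1918 /24s); the
# service list is the one from the original question.

MY_SERVICES_TCP="ftp ftp-data ssh smtp domain http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap https smtps rsync ftps-data ftps imaps pop3s sunrpc"
MY_TRUSTED_NETS="192.168.0.0/24 192.168.32.0/24 10.1.5.0/24"

# Print the FW_TRUSTED_NETS value: for every net, allow icmp, then every
# TCP service. Entries are separated by single spaces, no leading space,
# so the value drops straight into the config file.
build_trusted_nets() {
    nets=$1
    services=$2
    out=""
    for n in $nets; do
        out="$out${out:+ }$n,icmp"
        for s in $services; do
            out="$out $n,tcp,$s"
        done
    done
    printf '%s\n' "$out"
}

# Count the entries in a generated list. Sanity check before deploying:
# the count must equal nets * (services + 1), the +1 being the icmp entry.
count_entries() {
    set -- $1
    echo $#
}

FW_TRUSTED_NETS=$(build_trusted_nets "$MY_TRUSTED_NETS" "$MY_SERVICES_TCP")
# Uncomment to eyeball one entry per line before trusting it:
# printf '%s\n' "$FW_TRUSTED_NETS" | tr ' ' '\n'
```

With 3 networks and 20 services the list has 63 entries, which is exactly the "entire cross product" the question complains about; the difference is that the config now carries two short lists and a loop instead of 63 hand-typed tuples, so adding a ninth network is a one-word change.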
\ Michael James:
I have a sudden need to firewall a machine to allow a list of ports to a list of subnets.
FW_SERVICES_EXT_TCP="ftp ftp-data ssh smtp domain http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap https smtps rsync ftps-data ftps imaps pop3s sunrpc"
FW_TRUSTED_NETS=<8 distinct class C networks>
So effectively I want to say, "Only trusted nets get anything, and then only services on the list".
Trouble is, using the trusted nets concept I have to list the entire cross product, every possible combination.
Without that ugliness, can I do it within SuSEFirewall2 or am I down to ipchains?
If your trusted nets followed a pattern like this 192.168.0.0/24, 192.168.32.0/24, ... , 192.168.224.0/24 or readdressing them is achievable, you could address them in one rule with 192.168.0.0/255.255.31.0 (somewhat tricky, but works for us with iptables).

--
Kind regards
Dr. H. Rosner
Stadtverwaltung Jena
Hauptamt / Datenverarbeitung
Tel: (03641) 49 5502
Fax: (03641) 49 2222
eMail: ros@jena.de
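A check for the non-contiguous netmask trick in the reply above: before putting 192.168.0.0/255.255.31.0 into a rule, enumerate which /24s it actually matches. This is an added example, not from the message or from iptables; it does the same (addr & mask) == (net & mask) comparison a packet filter does, in plain POSIX sh arithmetic, over constructed candidate networks.

```shell
#!/bin/sh
# Added example: verify what a non-contiguous netmask such as
# 255.255.31.0 matches, using the same bitwise test a packet filter
# applies: (addr & mask) == (net & mask).

# Convert a dotted quad to a 32-bit integer. Runs in a subshell so the
# IFS change does not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Return 0 (true) when addr lies in net/mask for an arbitrary mask,
# contiguous or not.
in_masked_net() {
    a_i=$(ip2int "$1")
    n_i=$(ip2int "$2")
    m_i=$(ip2int "$3")
    [ $(( a_i & m_i )) -eq $(( n_i & m_i )) ]
}

# List the third octets x for which 192.168.x.0/24 falls inside net/mask.
# Candidate networks are constructed here; the rule under test is the
# 192.168.0.0/255.255.31.0 from the reply above.
matching_third_octets() {
    i=0
    out=""
    while [ $i -le 255 ]; do
        if in_masked_net "192.168.$i.0" "$1" "$2"; then
            out="$out${out:+ }$i"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Example run: prints the eight third octets the mask admits.
matching_third_octets 192.168.0.0 255.255.31.0
```

Mask 255.255.31.0 clears the three high bits of the third octet, so the rule admits exactly 192.168.{0,32,64,96,128,160,192,224}.0/24 and nothing in between; the function above shows that 192.168.16.0/24, for instance, is rejected. Because such a mask has no prefix-length form, it has to stay in dotted notation, and any tool or config syntax that only accepts /N cannot express it, which is worth knowing before relying on it outside a raw iptables rule.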
Participants (3): Dr. Harro Rosner, Lars Ellenberg, Michael James