Hi all, I'm trying to set up a firewall that allows certain hosts in on certain ports, e.g. mail/ssh, but I can't see how to configure it as tightly as I would like. I've used the FW_TRUSTED_NETS and FW_SERVICES_TRUSTED_* and as far as I can see this lets all the listed hosts/subnets in on all listed ports. Is this the case? If so, is there any way I can say: let only host a in on port x, subnet b in on port y etc? TIA, Mark mailto:mcr@reason-technology.com
On Tue, 12 Dec 2000, Mark Robinson wrote:
> Hi all,
> I'm trying to set up a firewall that allows certain hosts in on certain ports, e.g. mail/ssh, but I can't see how to configure it as tightly as I would like. I've used the FW_TRUSTED_NETS and FW_SERVICES_TRUSTED_* and as far as I can see this lets all the listed hosts/subnets in on all listed ports. Is this the case? If so, is there any way I can say: let only host a in on port x, subnet b in on port y etc?
With Marc Heuse's SuSEfirewall (which I understand you use) you can designate (a) trusted system(s) with FW_TRUSTED_NETS. Any host/network you define there will have access to all ports you allow for your trusted nets. You can of course limit this to a single machine in a network (aaa.bbb.ccc.ddd/32 will give only machine aaa.bbb.ccc.ddd trusted access, not the other machines in the aaa.bbb.ccc.0 net). If you want tighter security (more differentiation between "trusted" hosts) you need to build your own ipchains configuration. With that you can grant access on a per-machine basis if you want.
> TIA, Mark mailto:mcr@reason-technology.com
cheers Stefan
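As an added example (not code from the thread, nor from SuSEfirewall), here is what Stefan's "build your own ipchains configuration" looks like for exactly the policy Mark asked about: host a may reach port x (ssh), subnet b may reach port y (smtp), and nothing else gets in. The interface name, addresses and ports are assumed placeholders. The script prints the ruleset by default so it can be reviewed first, and only loads it when called with `apply` on the ipchains box.

```shell
#!/bin/sh
# Added example (not from the thread): per-host / per-port access control
# with plain ipchains, the route Stefan points at when FW_TRUSTED_NETS is
# too coarse. In SuSEfirewall, FW_TRUSTED_NETS="192.0.2.10/32 198.51.100.0/24"
# plus an FW_SERVICES_TRUSTED_* list of "22 25" would give BOTH sources BOTH
# ports; the rules below give each source only its own port.
# Interface, addresses and ports are assumed placeholders.

EXT_IF="eth0"                 # assumed outside interface
ADMIN_HOST="192.0.2.10/32"    # assumed: the one host allowed to ssh in (/32 = single host)
MAIL_NET="198.51.100.0/24"    # assumed: the subnet allowed to deliver mail
SSH_PORT=22
SMTP_PORT=25

# Emit one rule that lets TCP connections from $1 reach local port $2.
allow_tcp() {
    printf 'ipchains -A input -i %s -p tcp -s %s -d 0.0.0.0/0 %s -j ACCEPT\n' \
        "$EXT_IF" "$1" "$2"
}

# Print the whole ruleset instead of running it, so the policy can be
# reviewed (and tested) before it is loaded on the real box.
gen_rules() {
    echo "ipchains -F input"            # start from an empty input chain
    echo "ipchains -P input DENY"       # default: drop what no rule accepts
    echo "ipchains -A input -i lo -j ACCEPT"
    allow_tcp "$ADMIN_HOST" "$SSH_PORT"   # host a -> port x
    allow_tcp "$MAIL_NET"   "$SMTP_PORT"  # subnet b -> port y
    # ipchains is stateless: let non-SYN TCP (replies to this box's own
    # outgoing connections) through; new inbound connections from anyone
    # else are SYN packets and fall through to the logging DENY.
    # UDP (e.g. DNS replies) would need rules of its own.
    echo "ipchains -A input -i $EXT_IF -p tcp ! -y -j ACCEPT"
    echo "ipchains -A input -i $EXT_IF -p tcp -y -l -j DENY"
}

# Count the ACCEPT rules that are keyed to a specific source (the "tight" ones).
count_source_rules() {
    gen_rules | grep -c -- ' -s '
}

# Usage: ./tightfw.sh          -> print the rules for review
#        ./tightfw.sh apply    -> load them (as root on the ipchains box)
if [ "${1:-}" = "apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

The order matters: the two source-specific ACCEPT rules come before the `! -y` rule and the catch-all DENY, so a SYN from any other address never matches an ACCEPT. Adding a second admin host is one more `allow_tcp` line, which is the per-machine granularity SuSEfirewall's FW_TRUSTED_NETS cannot express.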
Hi Marc! Mark Robinson wrote:
> Hi all,
> I'm trying to set up a firewall that allows certain hosts in on certain ports, e.g. mail/ssh, but I can't see how to configure it as tightly as I would like. I've used the FW_TRUSTED_NETS and FW_SERVICES_TRUSTED_* and as far as I can see this lets all the listed hosts/subnets in on all listed ports. Is this the case? If so, is there any way I can say: let only host a in on port x, subnet b in on port y etc?
> TIA, Mark mailto:mcr@reason-technology.com
AFAIK you must take a look at ipchains itself when you try to make something like this. There are several good descriptions and examples on the web. If you get along with German, you can take a look at http://www.home.foni.net/~bmueller/infos/ipchains.html I know, I can't take that for granted... Greetings, Max
participants (3): Mark Robinson, Max Lindner, Stefan Suurmeijer