I'm not sure if this helps, but...
Daniel Bauer
Here confusion already begins. What is an "internal" machine? I have my computer on the eth-cable, and my laptop on WiFi.
Typically in a normal home network, the computers inside the network are shielded from the outside (internet) by way of a routing feature called Network Address Translation. Normally not a single host (computer) on the inside is reachable from any computer on the outside. An "internal" device is then some computer that is being NATted, that is to say, whenever it communicates with the outside, the router takes care of presenting it to the outside as if it is the router itself. If you have a bunch of computers on your network, they all appear to be only just talking to the router. Your internal addresses then usually have the form of 192.168.1.x. This is then what determines an "internal" machine. Internal machines are not directly reachable from the outside, which also means any services on any open ports they have cannot be accessed. Computers on the inside can normally only contact SERVER devices on the internet. If, in another case, the program or computer wants to open some port, it can ask the router to open one for it; this is called "UPnP". Typically your router is the 'separator' (or the gateway) between the internal network and the outside, or external internet. It, by that definition, is also a firewall protecting your computers.
and I have no idea what it means to protect from internal...
I'm not sure if this is what YaST does, but to protect from internal would, under normal or ordinary nomenclature, mean or be meaning to protect against LAN computers (such as your visitors). However, most of what a firewall does is blocking ports or dropping suspicious packets. I don't know much about SuSE's configuration.
Yes, this is a nuisance, but I don't trust ISP routers with firewall: those things have holes and they are seldom patched.
What nuisance? The routers firewall isn't even on, simply because I don't know what those settings mean...
Carlos was not speaking of the router you have in your home, but rather of the firewall of the machine you are running openSUSE on. If you have a machine on an internal NAT (NATted LAN) you don't really need a firewall. Although it is useful to know if some process on your computer is trying to open a port to the outside, usually you will want to monitor and know about this. I am not sure if this is possible in Linux. Typically, for instance, I want or would want to know whenever my computer is phoning home to Microsoft. Unfortunately, this information is not available or made visible by default. But any "phoning home" by contrast is also not any different, or differentiable, from any other ordinary internet request made by your computer. Any process on your computer can request e.g. any web resource (a http:// request) and you will never know unless you have some software (which would be a firewall) that would monitor and maintain lists of processes doing stuff on the web / on the internet, and allow you to cut short such attempts that you don't want. Actually I would very much prefer to do that. I normally seriously want to know and to decide what program can do what when.
Finally, if you need to have open services to the outside, like ssh, http, whatever, you have to really secure them. Ask, if you don't know how.
I have the ssh server "on". I need it to let my laptop connect, for rsync and the like,
I don't know much about securing. It seems a lot of work. I am securing some VPS online host but for me securing means having automated tools to monitor and respond to threats. So security for me means power and knowledge. Not necessarily "hardening". It seems quite a lot of work to get this power and knowledge in place, because it doesn't seem to be any form of default. People don't seem to care about it, to put the average user in this kind of control (you have more control in Windows than you do in e.g. Suse).
I would really like to know how I can manage that only MY laptop can ssh to the PC (and reverse). Due to DHCP, IP's change, so filtering by IP wouldn't help...
One way to achieve this is to require either a key without password, or a key with password, and to turn password-only off. Your laptop then needs to supply a key that matches what you have (on an earlier occasion) given to the PC to secure that account. The usual way to do this is to copy the public key for your user account (that you can generate with ssh-keygen) to the .ssh directory of the remote user account (so it is account based, not host based). This is then copied with e.g. "cat ~/.ssh/id_rsa.pub | ssh user@laptop "cat - >> ~/.ssh/authorized_keys"". This would copy the public RSA key on one host to the authorized key file on another. By typical extension, this means now you no longer need a password to login. I do not yet know how to change that behaviour. There are directives like "PasswordAuthentication" and "PreferredAuthentications". But the result of this might be that a computer will only be able to log into that account on that other machine (e.g. your laptop) (or vice versa) if that computer/user account can supply the required key. In sshd_config you can read the following: AuthenticationMethods Specifies the authentication methods that must be successfully completed for a user to be granted access. This option must be followed by one or more comma-separated lists of authentication method names. Successful authentication requires completion of every method in at least one of these lists. This is in the config for sshd, the ssh server daemon. If you set "AuthenticationMethods publickey" then any login attempt to that machine will require a public key.
What I "fear" most, is that one of my guests (to whom I gave the WiFi password) can follow my web-actions or even get into my PC....
Ahhh, it's all so complicated :-)
Maybe if they sniffed your LAN traffic (including wifi) they would be able to. This sniffing, however, is much more likely (or doable) than breaking into your pc. But someone still needs to be that hacker, sort of, that would do that. He/she would need to login to your wifi, but ordinarily it is (I think) impossible to read other people's traffic. On a regular network cable it should be possible. But I'm not sure what kind of visitors you get ;-).
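The sshd_config part of this reply (password login off, "AuthenticationMethods publickey" on, so only the account holding a matching key in ~/.ssh/authorized_keys gets in, regardless of which DHCP address the laptop has today) is easy to get subtly wrong. Below is an added example, not from this thread or from openSUSE: three constructed sshd_config fragments (a password-accepting one, a key-only one, and one where "PasswordAuthentication no" was appended below an existing "yes") and a small POSIX shell audit that reports whether a config really enforces key-only logins. It assumes sshd_config's documented rule that the first value of a keyword wins, reads only the global section (lines before the first "Match"), and does not follow "Include" lines or the "keyword=value" spelling; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): constructed sshd_config
# fragments plus an audit function for "does this server demand a key?".
# Assumptions (labelled): first value of a keyword wins; only the global
# section before the first Match block is examined; Include is not followed.

# Constructed sample 1: keys work, but a password still gets anyone in.
WEAK_CONFIG='
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
'

# Constructed sample 2: only an authorized public key logs in.
HARDENED_CONFIG='
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
AuthenticationMethods publickey
'

# Constructed sample 3: the classic mistake. A "no" was appended at the end,
# but sshd keeps the FIRST value it reads, so passwords stay enabled.
APPENDED_CONFIG='
PasswordAuthentication yes
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication no
PasswordAuthentication no
'

# sshd_global_value CONFIG_TEXT KEYWORD
# Prints the effective global value (lower-cased, whole remainder of the line).
# Comments and blank lines are skipped; processing stops at the first Match.
sshd_global_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { exit }
        tolower($1) == tolower(key) {
            $1 = ""; sub(/^[[:space:]]+/, ""); print tolower($0); exit
        }'
}

# sshd_is_key_only CONFIG_TEXT
# Returns 0 when no password-based method can succeed for ordinary users.
sshd_is_key_only() {
    cfg=$1
    methods=$(sshd_global_value "$cfg" AuthenticationMethods)
    # Strictest form: exactly one method list, containing only publickey.
    # "publickey password" or "publickey,password" would NOT match here.
    [ "$methods" = "publickey" ] && return 0
    # Otherwise every password-carrying method must be switched off
    # explicitly; ChallengeResponse/KbdInteractive default to yes and PAM can
    # ask for a password through them even with PasswordAuthentication no.
    [ "$(sshd_global_value "$cfg" PasswordAuthentication)" = "no" ] || return 1
    cr=$(sshd_global_value "$cfg" ChallengeResponseAuthentication)
    kbd=$(sshd_global_value "$cfg" KbdInteractiveAuthentication)
    [ "$cr" = "no" ] || [ "$kbd" = "no" ] || return 1
    return 0
}

# Stand-alone run: one verdict per constructed sample.
for name in WEAK_CONFIG HARDENED_CONFIG APPENDED_CONFIG; do
    eval "cfg=\$$name"
    if sshd_is_key_only "$cfg"; then verdict="key-only"; else verdict="password still accepted"; fi
    printf '%-16s %s\n' "$name" "$verdict"
done
```

To audit a real server you would call sshd_is_key_only "$(cat /etc/ssh/sshd_config)"; the authoritative answer, including Match and Include effects, comes from "sshd -T", which prints the fully resolved configuration.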