Hi Marc,
and deny access to all services except ssh for the rest of the world.
--> Make sure to use /etc/hosts.allow and /etc/hosts.deny as a second layer of security behind the firewall.
In http://seismo.ethz.ch/linux/firewall.html I found the following entry, which seems to be OK for me:
FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz" # Adjust
FW_SERVICES_TRUSTED_TCP="1:65535" # Should be adjusted to needed services per machine, not globally everything.
FW_SERVICES_TRUSTED_UDP="1:65535" # see above
--> Have a look at 10) in /etc/sysconfig/SuSEfirewall2. You can fine-tune the services in the FW_TRUSTED_NETS variable. Example:
FW_TRUSTED_NETS="123.123.0.0/16,tcp,ssh 195.195.yyy.zzz,tcp,80"
in connection with
FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT="" # Do I have to set eth0 here as well?
--> No.
to enable (more or less) fine-grained access control to a computer on an IP-address basis (or, better, IP and MAC)?
--> I think for MAC control you have to write your own rules. See 25) and /etc/sysconfig/scripts/SuSEfirewall2-custom.

HTH,
Armin

--
Am Hasenberg 26                    office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                        Schloss-Straße 6
Tel. ++49-(0)38203/42137                   D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de                Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/                Fax. +49-(0)38293-68-50
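As an added illustration (not from Marc's or Armin's mail), here is how the pieces of advice in this exchange fit together in one configuration: the wide-open trusted-net settings from the seismo.ethz.ch page next to the per-service form from section 10), ssh alone left open to the world, FW_DEV_INT left empty on a single-homed host, and a section 25) custom-rule hook for the MAC check. RFC 5737 documentation addresses stand in for the xxx/yyy placeholders, and the MAC address, the hook function name fw_custom_before_port_handling and the chain name input_ext are assumptions about this SuSEfirewall2 version; check them against the comments in your own /etc/sysconfig/scripts/SuSEfirewall2-custom before relying on them.

```shell
# /etc/sysconfig/SuSEfirewall2 (excerpt). Added example, not from the original thread.
# 192.0.2.0/24 and 198.51.100.7 are RFC 5737 documentation addresses used as placeholders.

# Weak (the seismo.ethz.ch defaults quoted by Marc): every TCP and UDP port
# is opened to the whole trusted net, so one compromised host there reaches everything.
#FW_TRUSTED_NETS="192.0.2.0/24 198.51.100.7"
#FW_SERVICES_TRUSTED_TCP="1:65535"
#FW_SERVICES_TRUSTED_UDP="1:65535"

# Corrected: section 10) syntax, net,protocol,port per entry. Each trusted net
# gets exactly the service it needs; the global trusted-service lists stay empty.
FW_TRUSTED_NETS="192.0.2.0/24,tcp,ssh 198.51.100.7,tcp,80"
FW_SERVICES_TRUSTED_TCP=""
FW_SERVICES_TRUSTED_UDP=""

# The rest of the world gets ssh and nothing else.
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""    # single-homed host: one external interface, no internal one

# Section 25): load the custom rules file for anything the variables cannot express.
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

# /etc/sysconfig/scripts/SuSEfirewall2-custom (excerpt). The hook name and the
# input_ext chain are assumed from this SuSEfirewall2 version; verify against the
# comments in the shipped file. Hooks are shell functions and should end with "true".
fw_custom_before_port_handling() {
    # Accept ssh from 198.51.100.7 only if the frame also carries the expected
    # source MAC (assumed value), and drop ssh from that IP with any other MAC.
    iptables -A input_ext -p tcp --dport 22 -s 198.51.100.7 \
        -m mac --mac-source 00:11:22:33:44:55 -j ACCEPT
    iptables -A input_ext -p tcp --dport 22 -s 198.51.100.7 -j DROP
    true
}

# Second layer behind the firewall, as Armin suggests (tcp_wrappers syntax, not shell;
# shown here as comments):
#   /etc/hosts.deny:   ALL: ALL
#   /etc/hosts.allow:  sshd: 192.0.2.0/255.255.255.0 198.51.100.7
```

Two caveats a practitioner would want. First, the MAC match only says something about hosts on the same Ethernet segment: a packet that was routed to you carries the MAC of the last gateway, not of the remote host, so for 198.51.100.7 on another network the rule above can only ever match or miss the router's MAC. Second, the hosts.allow/hosts.deny layer only covers services linked against libwrap (sshd of that era was, when built with TCP wrappers support); it does not replace the packet filter, it backs it up when a firewall rule is mistyped or the firewall is not running.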