Hello Simon,
--> you can use FW2_TRUSTED_NETWORKS to allow access to certain services only from selected networks/hosts. Thanks Armin. Am I correct in thinking that if I don't specify a port then all ports are open for the specified network? So for example, FW_TRUSTED_NETS="172.20.0.0/16,tcp,22" allows ssh from 172.20.0.0/16, but FW_TRUSTED_NETS="172.20.0.0/16,tcp" allows all tcp ports from the 172.20.0.0/16 network?
--> I have only tried FW_TRUSTED_NETS="172.20.0.0/16" to open up all ports. Whether you can restrict this to TCP, you have to try.
I also use the portmapper for NIS and NFS, which uses dynamically allocated ports. I found FW_SERVICES_EXT_RPC and FW_SERVICES_INT_RPC but nothing about trusted nets for RPC. I can't use FW_TRUSTED_NETS with RPC since I don't know which ports are going to be used by the portmapper.
--> I don't have any experience with a setup like this.
One option, perhaps insecure but better than nothing, would be to allow the dynamic ports on the external interface but not the portmapper itself and then open this via FW_TRUSTED_NETS?
--> This would work but probably only block NIS/NFS from other nets without protecting you against other services/attacks (since all dynamic ports are open).
FW_SERVICES_EXT_RPC="mountd nfs nfs_acl nlockmgr status ypbind" FW_TRUSTED_NETS="172.20.0.0/16,udp,111 172.20.0.0/16,tcp,111"
Another option I have considered was using the /etc/sysconfig/scripts/SuSEfirewall2-custom script, perhaps in the fw_custom_before_port_handling() section but I don't know how to do this.
--> I'm no iptables expert so I can't help you with this. The only thing would be to try to get away from NFS and try to use SSH/SCP/SFTP wherever possible. Do you know LUFS (http://lufs.sourceforge.net/lufs/) for mounting SSH servers?
Bye, Armin
--
Am Hasenberg 26, D-18209 Bad Doberan, Tel. ++49-(0)38203/42137
office: Institut für Atmosphärenphysik, Schloss-Straße 6, D-18225 Kühlungsborn / GERMANY, Tel. +49-(0)38293-68-102, Fax. +49-(0)38293-68-50
Email: schoech@iap-kborn.de
WWW: http://armins.cjb.net/
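The thread above turns on how much a FW_TRUSTED_NETS entry actually opens depending on whether a protocol and a port are named. The following added example (not from the thread and not SuSEfirewall2's own code) expands a FW_TRUSTED_NETS-style value into the equivalent iptables INPUT rules and counts the entries that name no port, so an admin can review the real scope of a setting before enabling it. It assumes the "net[,proto[,port]]" entry format discussed in the thread and only prints rules; it never applies them.

```shell
#!/bin/sh
# Added example, not part of the original thread or of SuSEfirewall2.
# Assumption: entries look like "net", "net,proto" or "net,proto,port",
# separated by spaces, as in the FW_TRUSTED_NETS values quoted above.

# Print one iptables INPUT rule per entry of the value passed in $1.
# An entry without a port opens every port of that protocol; an entry
# with neither protocol nor port opens everything from that network.
fw_trusted_nets_rules() {
    for entry in $1; do
        net=$(printf '%s' "$entry" | cut -d, -f1)
        # cut -s prints nothing when the field separator is absent
        proto=$(printf '%s' "$entry" | cut -s -d, -f2)
        port=$(printf '%s' "$entry" | cut -s -d, -f3)
        rule="iptables -A INPUT -s $net"
        if [ -n "$proto" ]; then
            rule="$rule -p $proto"
        fi
        if [ -n "$port" ]; then
            # --dport is only meaningful together with -p; the thread's
            # format always names the protocol before the port
            rule="$rule --dport $port"
        fi
        printf '%s -j ACCEPT\n' "$rule"
    done
}

# Count the entries that name no port at all, i.e. the ones that open
# all ports (of one protocol, or of every protocol) to the listed network.
fw_trusted_nets_unrestricted() {
    n=0
    for entry in $1; do
        port=$(printf '%s' "$entry" | cut -s -d, -f3)
        if [ -z "$port" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone demonstration with the values quoted in the thread
# (constructed input; nothing here touches the running firewall).
demo="172.20.0.0/16,udp,111 172.20.0.0/16,tcp,111"
fw_trusted_nets_rules "$demo"
echo "entries without a port restriction: $(fw_trusted_nets_unrestricted "$demo")"
fw_trusted_nets_rules "172.20.0.0/16,tcp 172.20.0.0/16"
echo "entries without a port restriction: $(fw_trusted_nets_unrestricted "172.20.0.0/16,tcp 172.20.0.0/16")"
```

Running it shows the difference the thread asks about: "172.20.0.0/16,tcp,22" expands to a rule limited to port 22, "172.20.0.0/16,tcp" to a rule accepting all TCP from that network, and a bare "172.20.0.0/16" to a rule accepting every protocol and port. The portmapper-only pair from the thread ("...,udp,111 ...,tcp,111") yields two port-restricted rules and an unrestricted count of zero, which is the shape to aim for when the wider RPC port range is already opened with FW_SERVICES_EXT_RPC.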