I have a SuSE 9.3 machine using SuSEfirewall2 (as configured via YAST) to open a few ports for services such as sshd and cups. However, I want to restrict which hosts and/or networks can connect. For this purpose I have used hosts.allow/deny for ssh and /etc/cups/cupsd.conf for cups. But is it possible to add an ACL via SuSEfirewall2?
--> You can use FW2_TRUSTED_NETWORKS to allow access to certain services only from selected networks/hosts.

Thanks Armin. Am I correct in thinking that if I don't specify a port then all ports are open for the specified network? So for example, FW_TRUSTED_NETS="172.20.0.0/16,tcp,22" allows ssh from 172.20.0.0/16, but FW_TRUSTED_NETS="172.20.0.0/16,tcp" allows all tcp ports from the 172.20.0.0/16 network?
I also use the portmapper for NIS and NFS, which uses dynamically allocated ports. I found FW_SERVICES_EXT_RPC and FW_SERVICES_INT_RPC but nothing about trusted nets for RPC. I can't use FW_TRUSTED_NETS with RPC since I don't know which ports are going to be used by the portmapper. One option, perhaps insecure but better than nothing, would be to allow the dynamic ports on the external interface but not the portmapper itself, and then open this via FW_TRUSTED_NETS:

FW_SERVICES_EXT_RPC="mountd nfs nfs_acl nlockmgr status ypbind"
FW_TRUSTED_NETS="172.20.0.0/16,udp,111 172.20.0.0/16,tcp,111"

Another option I have considered was using the /etc/sysconfig/scripts/SuSEfirewall2-custom script, perhaps in the fw_custom_before_port_handling() section, but I don't know how to do this. I suppose I'm trying to emulate the Scope feature that's available in the XP firewall. Any ideas, or comments on the above?

Regards
-- Simon Oliver
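As an added illustration of the second option raised in the thread (not code from the thread, from SuSE, or from the SuSEfirewall2-custom template itself), the following sketches a fw_custom_before_port_handling() hook that restricts the portmapper port to a list of trusted networks and drops it for everyone else. It assumes that SuSEfirewall2 filters external traffic through a chain named input_ext, that the hook runs as root with iptables in PATH, and it uses 172.20.0.0/16 from the thread as a sample network; set IPT=echo to dry-run and inspect the rules it would add.

```shell
#!/bin/sh
# Hypothetical fragment for /etc/sysconfig/scripts/SuSEfirewall2-custom.
# Assumption: external traffic is filtered in the "input_ext" chain.
# Set IPT=echo to print the rules instead of applying them.

IPT=${IPT:-iptables}
RPC_CHAIN=${RPC_CHAIN:-input_ext}
# Space-separated CIDR list of networks allowed to reach the portmapper
# (sample value taken from the thread; adjust to your own site).
TRUSTED_RPC_NETS=${TRUSTED_RPC_NETS:-172.20.0.0/16}
PORTMAP_PORT=111

# rpc_acl_rule NET PROTO PORT: add one ACCEPT rule for a trusted source.
rpc_acl_rule() {
    $IPT -A "$RPC_CHAIN" -s "$1" -p "$2" --dport "$3" -j ACCEPT
}

# rpc_acl_rules: ACCEPT portmapper (tcp and udp) from each trusted net,
# then an explicit DROP so hosts outside the ACL never reach it, even if
# a later port rule would have opened 111 to the whole interface.
rpc_acl_rules() {
    for net in $TRUSTED_RPC_NETS; do
        for proto in tcp udp; do
            rpc_acl_rule "$net" "$proto" "$PORTMAP_PORT"
        done
    done
    for proto in tcp udp; do
        $IPT -A "$RPC_CHAIN" -p "$proto" --dport "$PORTMAP_PORT" -j DROP
    done
}

# Hook name from the SuSEfirewall2-custom script: runs before the
# generic port-opening rules, so our ACL is evaluated first.
fw_custom_before_port_handling() {
    rpc_acl_rules
    true
}
```

The dynamically allocated RPC ports still need to be opened separately (for instance via FW_SERVICES_EXT_RPC, as in the post); this hook only gates the portmapper itself.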