* Howard, Neal; <nhoward@cwftx.net> on 26 Nov, 2002 wrote:
> remotely manage via PCAnywhere. Thanks to Togan Muftuoglu's most excellent "Understanding and Using SuSE Firewall2" document, I have been able to configure SuSEfirewall2 to perform the FW_FORWARD_MASQ to make this work for
Glad that you found it useful. Before I hit the bed I'll try to help, so if it does not make sense don't try it :-)
> need to be able to limit the inbound PCAnywhere connection requests to a specific source address. Let's call the vendor's address X.Y.Z.123. To get the firewall to work for the one PCA machine, I used these rules in the /etc/sysconfig/SuSEfirewall2 file:
>
> [mundane config stuff that's normally self-explanatory left out]
> FW_SERVICES_EXT_TCP="5631"
> FW_SERVICES_EXT_UDP="5632"
Here you are opening these services to the whole world. Is this what you want, or only the vendor?
> FW_TRUSTED_NETS="X.Y.Z.123"
X.Y.Z.123,tcp,5631 X.Y.Z.123,udp,5632 would just limit PCAnywhere to the vendor.
> FW_FORWARD_MASQ="X.Y.Z.123,192.168.1.10,tcp,5631 \
> X.Y.Z.123,192.168.1.10,udp,5632"
> This works great for PCAnywhere to get thru to the one machine. Now I need to set up a similar forward/masq deal happening for some external ip aliases to get forwarded and masqueraded to the other two machines on these tcp/udp ports like:
>
> A.B.C.101 -> 192.168.1.11 (both 5631/tcp and 5632/udp)
> A.B.C.102 -> 192.168.1.12 (both 5631/tcp and 5632/udp)
>
> Also only allow X.Y.Z.123 from the outside to be permitted to use these services.
I think FW_TRUSTED_NETS, as I pointed out, will do this.
> In Togan's document, he mentions how to do this using alternative tcp and udp port numbers for multiple internal PCAnywhere machines (i.e. 5631/5632 for first pc, 5633/5634 for second, 5635/5636 for the third one, etc) and only one ip address on the SuSEfirewall2's external address, but my vendor is stubbornly demanding that I provide separate ip addresses for each machine and stick with the standard PCAnywhere port numbers.
>
> I already have the aliased external ip addresses on eth0, that part was easy. Does anyone know how to make SuSEfirewall2 scripts support them for my need?
FW_DEV_EXT="eth0 eth0:1 eth0:2" should make these aliases available, and then basically do the same thing for FW_FORWARD_MASQ.

PS. If it works let me know so I can add it in to the new version. Warning: I am half asleep so no guarantee :-)

-- 
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
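What the three per-alias forwards should boil down to at the packet-filter level, as an added example that is not from this thread and not SuSEfirewall2's own rule generation: a POSIX shell script that prints (without applying) the iptables DNAT and FORWARD rules for each external alias, every one restricted to the vendor's source address, so the result of a config change can be compared against the live ruleset. The addresses are constructed RFC 5737 stand-ins for X.Y.Z.123 and A.B.C.10x.

```shell
#!/bin/sh
# Added example (not from the thread or SuSEfirewall2): print the iptables
# rules that three per-alias PCAnywhere forwards should reduce to, each
# accepting only the vendor's address as source. Nothing is applied; the
# commands are only printed so they can be diffed against the live ruleset.

EXT_IF="eth0"
VENDOR="203.0.113.123"                 # constructed stand-in for X.Y.Z.123

# constructed mapping, external alias:internal PCAnywhere host
FORWARDS="198.51.100.100:192.168.1.10 198.51.100.101:192.168.1.11 198.51.100.102:192.168.1.12"

# pca_rules EXT INT: DNAT 5631/tcp and 5632/udp arriving on EXT to INT,
# plus the matching FORWARD accept, both limited to the vendor source.
pca_rules() {
    ext="$1"; int="$2"
    for spec in tcp:5631 udp:5632; do
        proto="${spec%%:*}"; port="${spec##*:}"
        printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
            "$EXT_IF" "$VENDOR" "$ext" "$proto" "$port" "$int" "$port"
        printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -m state --state NEW -j ACCEPT\n' \
            "$EXT_IF" "$VENDOR" "$int" "$proto" "$port"
    done
}

# all_rules: rules for every alias in FORWARDS, one command per line.
all_rules() {
    for pair in $FORWARDS; do
        pca_rules "${pair%%:*}" "${pair##*:}"
    done
}

# count_rules: number of rule lines (3 aliases x 2 protocols x 2 rules = 12).
count_rules() {
    all_rules | wc -l | tr -d ' '
}

# open_to_world: any rule missing the vendor source restriction (should be none).
open_to_world() {
    all_rules | grep -v -- "-s $VENDOR " || true
}

all_rules
```

The aliases are selected with `-d`, not `-i eth0:1`: iptables matches on the destination address, and an alias name is not a separate interface to it.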