I recommend making use of passwordless RSA authentication too. Then it begins to matter less where the server is accessible from, which is a good idea just because not all networks use RPF

----- Original Message -----
From: Armin Schoech
To: suse-security@suse.com
Sent: Tuesday, June 14, 2005 7:50 PM
Subject: Re: [suse-security] limiting connections to subnets

Hi David,
I don't see anywhere in yast where I can configure the suse firewall to limit connections to a port to a subnet as well. Is this possible in the gui?
So, for example, I want to limit who can ssh to a machine to 3 subnets, can I do something like
port 23 host allow 129.219.0.0/32 ?
--> I don't know about the GUI but in the SuSEfirewall configuration file /etc/sysconfig/SuSEfirewall2 there is a variable called "FW_TRUSTED_NETS" where you can put

FW_TRUSTED_NETS="129.219.1.0/24,tcp,22 129.219.2.0/24,tcp,22"

or something like this depending on your subnets. Additionally, you should use /etc/hosts.allow to restrict the access to the sshd daemon via the tcpwrapper mechanism.

By the way, the port for SSH is 22. Port 23 is used by TELNET (which you really don't want to allow).

HTH,
Armin

--
Am Hasenberg 26                  office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                      Schloss-Straße 6
Tel. ++49-(0)38203/42137                 D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de              Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/              Fax. +49-(0)38293-68-50
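The two layers Armin describes, a FW_TRUSTED_NETS entry per subnet restricted to tcp/22 and a tcpwrapper rule in /etc/hosts.allow (with a matching catch-all deny in /etc/hosts.deny), are easy to get subtly wrong by hand: a typo in a prefix silently widens or breaks the rule, and an older tcp_wrappers only understands net/mask pairs rather than CIDR prefixes. The script below is an added example and not part of the thread or of SuSEfirewall2 itself; it validates each subnet, converts the prefix length to a dotted netmask for hosts.allow, and writes the generated fragments into a directory you choose (a temp directory in the dry run at the bottom) rather than touching /etc. The subnets used are constructed sample values, and the helper names are my own. Note that a /32 prefix, as in the question above, denotes a single host rather than a subnet; this generator accepts it but treats it as such.

```shell
#!/bin/sh
# Added example, not code from the original mailing-list thread.
# Generates the two restriction layers discussed: SuSEfirewall2's
# FW_TRUSTED_NETS entries (net,protocol,port) and tcpwrapper rules for
# sshd, from a list of subnets. Sample subnets below are constructed.

# Accept only dotted-quad[/prefix]; a bare address is treated as /32.
valid_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*|*/) return 1 ;;
    esac
    ip=${1%/*}; prefix=${1#*/}
    [ "$ip" = "$1" ] && prefix=32
    case "$ip" in .*|*.|*..*) return 1 ;; esac
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    set -- $(echo "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
    return 0
}

# Convert a prefix length (0..32) into a dotted netmask, e.g. 24 -> 255.255.255.0,
# because hosts_access(5) in older tcp_wrappers only knows n.n.n.n/m.m.m.m.
prefix_to_mask() {
    p=$1; mask=""
    for i in 1 2 3 4; do
        if [ "$p" -ge 8 ]; then o=255; p=$((p - 8))
        elif [ "$p" -le 0 ]; then o=0
        else o=$(( 256 - (1 << (8 - p)) )); p=0
        fi
        mask="$mask${mask:+.}$o"
    done
    echo "$mask"
}

# FW_TRUSTED_NETS line: each trusted net is allowed to reach tcp port 22 only.
fw_trusted_nets() {
    out=""
    for n in "$@"; do
        valid_cidr "$n" || { echo "rejecting bad subnet: $n" >&2; return 1; }
        out="$out${out:+ }$n,tcp,22"
    done
    printf 'FW_TRUSTED_NETS="%s"\n' "$out"
}

# hosts.allow line: sshd reachable from the listed nets, written as net/mask.
hosts_allow_rule() {
    list=""
    for n in "$@"; do
        valid_cidr "$n" || { echo "rejecting bad subnet: $n" >&2; return 1; }
        net=${n%/*}; p=${n#*/}
        [ "$net" = "$n" ] && p=32
        list="$list${list:+ }$net/$(prefix_to_mask "$p")"
    done
    printf 'sshd: %s\n' "$list"
}

# Write all three fragments into $1 so they can be reviewed before any
# of it is merged into /etc. Deny-by-default for sshd completes the wrapper rule.
write_config() {
    dir=$1; shift
    fw_trusted_nets "$@" > "$dir/SuSEfirewall2.fragment" || return 1
    hosts_allow_rule "$@" > "$dir/hosts.allow" || return 1
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
}

# Dry run with constructed sample subnets; nothing under /etc is touched.
OUT=$(mktemp -d)
write_config "$OUT" 129.219.1.0/24 129.219.2.0/24 129.219.3.0/24
cat "$OUT/SuSEfirewall2.fragment" "$OUT/hosts.allow" "$OUT/hosts.deny"
```

The generated FW_TRUSTED_NETS line replaces the variable in /etc/sysconfig/SuSEfirewall2 (followed by a firewall restart), and the hosts.allow/hosts.deny lines go into the corresponding files in /etc; keeping the deny-all for sshd in hosts.deny is what makes the hosts.allow list an actual restriction rather than a no-op.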