Allow MAC addresses through SuSEfirewall2
Hi everyone!

Using SuSE Linux Enterprise Server 8, SuSEfirewall2.

A user is requesting that a number of developers have access to my server, but the IP addresses are variable across a large subnet, so allowing access by MAC address has been suggested. I want this not to interfere with the existing rules in the /etc/sysconfig/SuSEfirewall file, and I want a number of MAC addresses allowed in.

I'm guessing I need to add something like:

iptables -A INPUT -m mac --mac-source 12:23:34:45:56 -m tcp --dport [port] -j ACCEPT

for each MAC address.

Questions:
1. Is my guess at an iptables line anywhere near useful?
2. Is there anything I have to check in my kernel config? I stay with the default kernel.
3. How/where should I make this information available to SuSEfirewall2?
4. Hang on - given they're on a different subnet, will this work anyway?

Many thanks,
Tom.

--
Tom Knight
System Administration Officer
Arts & Humanities Data Service
Web: http://www.ahds.ac.uk
Email: tom.knight@ahds.ac.uk
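As an added illustration (not part of the original thread), the shell function below generates one iptables ACCEPT rule per MAC address for a single TCP port and refuses malformed addresses before anything reaches the firewall. The helper names and the MAC list are constructed for this example; as the replies note, such rules can only match hosts on the same Ethernet segment, because a router rewrites the source MAC of forwarded frames.

```shell
#!/bin/sh
# Added example: build per-MAC iptables rules for one TCP port.
# Helper names are hypothetical; the MAC list below is constructed.

# Print an iptables rule for one MAC and one TCP port; fail on bad input.
mac_rule() {
    mac=$1
    port=$2
    # A MAC is six colon-separated hex octets (case-insensitive).
    case $mac in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "bad MAC address: $mac" >&2; return 1 ;;
    esac
    # The port must be a plain decimal number.
    case $port in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    # -p tcp is required before --dport; -m mac loads the MAC match.
    echo "iptables -A INPUT -p tcp --dport $port -m mac --mac-source $mac -j ACCEPT"
}

# Emit rules for every MAC given after the port; stop at the first bad one.
mac_rules() {
    port=$1
    shift
    for m in "$@"; do
        mac_rule "$m" "$port" || return 1
    done
}

# Constructed sample list. These rules only match frames whose source MAC
# is the developer's own NIC, i.e. hosts on the same Ethernet segment.
DEV_MACS="00:11:22:33:44:55 66:77:88:99:aa:bb"
mac_rules 22 $DEV_MACS
```

The output is meant to be reviewed and then pasted into whatever custom-rules hook the local SuSEfirewall2 version provides, rather than run blindly.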
I'm with you about trusting the individuals not the machines. Having said that I think they're the type to save passwords or use PPK with no password :-( Tom.
-----Original Message-----
From: Gary Gapinski [mailto:gary.gapinski@grc.nasa.gov]
Sent: 04 March 2005 18:06
To: suse-security@suse.com
Subject: Re: [suse-security] Allow MAC addresses through SuSEfirewall2
Tom Knight wrote:
4. Hang on - given they're on a different subnet, will this work anyway?
No.
Authenticate the individuals, not the network addresses.
The Saturday 2005-03-05 at 21:04 -0000, Thomas Knight wrote:
I'm with you about trusting the individuals not the machines. Having said that I think they're the type to save passwords or use PPK with no password :-(
Tom.
There are settings in Yast (professional version) to force users to have "safer" passwords. I suppose the enterprise version has similar settings.

Also, you could set up ssh to not accept login/password entry, but public key instead.

--
Cheers,
Carlos Robinson
-----Original Message-----
From: Carlos E. R. [mailto:robin1.listas@tiscali.es]
Sent: 06 March 2005 01:33
To: SuSE Security List
Subject: RE: [suse-security] Allow MAC addresses through SuSEfirewall2
The Saturday 2005-03-05 at 21:04 -0000, Thomas Knight wrote:
I'm with you about trusting the individuals not the machines. Having said that I think they're the type to save passwords or use PPK with no password :-(
Tom.
There are settings in Yast (professional version) to force users to have "safer" passwords. I suppose the enterprise version has similar settings.
Also, you could set up ssh to not accept login/password entry, but public key instead.
I'm with you there. What I mean is if I use username/password they'll just save the password somewhere. If they use PPK they'll "forget" to specify a passphrase for their private key, which is out of my control.

Hey, I'll log all access and they'll have limited privs. We do what we can!

Ta for the thoughts,
Tom.
The Sunday 2005-03-06 at 14:18 -0000, Thomas Knight wrote:
There are settings in Yast (professional version) to force users to have "safer" passwords. I suppose the enterprise version has similar settings.
Also, you could set up ssh to not accept login/password entry, but public key instead.
I'm with you there. What I mean is if I use username/password they'll just save the password somewhere.
You can also force them to change the passwords every two weeks :-P

I remember once, while working for a certain important company (US based multinational), we were issued passwords for accessing certain machines (not exactly computers). A "boss" gave us big envelopes. Inside, there was a sealed envelope (secret and confidential) and a booklet explaining how to safely use passwords, how to choose them, how to keep them... etc. We had to sign and return a form as "read and understood". The sealed envelope contained the passwords, of course. I'm unsure now if the person that gave us the envelopes waited nearby till we returned the forms while keeping an eye on us, but I think he did...

Sounds too paranoic? :-) Actually, I saw more "paranoic" measures from them a few years later on.
If they use PPK they'll "forget" to specify a passphrase for their private key, which is out of my control.
Yes, that's a thing I noticed recently. The sshd server can not force the client to use a long passphrase, I understand.
Hey, I'll log all access and they'll have limited privs. We do what we can!
Yap :-)
Ta for the thoughts,
Welcome.

--
Cheers,
Carlos Robinson