Re: [suse-security] firewall-config: Allow external computers to access internal services
Well, I have a Sybase server running on an internal computer. A Zope-Server needs to have access to that computer. So a certain number of ports should be available.

Is there a way to bypass the firewall for exactly one external computer? I heard something about /etc/fw_friends, but setting this didn't work.

Thanks for your help
Thomas
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I do something like this, though with a different database server. What I did was set up an SSH server and then forward all ssh traffic from the firewall to the SSH box. Then I use an SSH client (teraterm ssh) on the external windows clients and have those forward http (database front end is web) to the internal web server IP address and forward the database command port to the internal database server IP address. I had to make an Lmhosts entry also for the database server.

I don't know if this will work with what you are doing or not. You can limit who gets in with ssh allow options. Perhaps this would add too much processing overhead to what you are attempting, too, but it's a little more secure than just opening all the ports in the firewall.

-Matt

-----Original Message-----
From: Thomas_Janke@prisma-edv.de [mailto:Thomas_Janke@prisma-edv.de]
Sent: Friday, November 02, 2001 6:09 AM
To: Alex Levit
Cc: suse-security@suse.com
Subject: Re: [suse-security] firewall-config: Allow external computers to access internal services

Well, I have a Sybase server running on an internal computer. A Zope-Server needs to have access to that computer. So a certain number of ports should be available. Is there a way to bypass the firewall for exactly one external computer? I heard something about /etc/fw_friends, but setting this didn't work.

Thanks for your help
Thomas

--
To unsubscribe, e-mail: suse-security-unsubscribe@suse.com
For additional commands, e-mail: suse-security-help@suse.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.1 Int. for non-commercial use <http://www.pgpinternational.com>

iQA/AwUBO+K+XmCxI19Ln0TAEQL/wACZAe0LH6k7c1cyBNkWIco0oo2CWvUAoJYp
H9hMwbvleVZOpI2zzm9/MTPg
=OzVe
-----END PGP SIGNATURE-----
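The layout Matt describes, written out as an added example (this is not code from the thread or from any of its participants): the firewall forwards only port 22 to an internal SSH box, the SSH box limits who may log in and which internal host:port pairs a session may forward to, and the external client opens local forwards for the web front end and the database command port. It assumes a modern OpenSSH sshd (AllowUsers and PermitOpen are real sshd_config directives, but PermitOpen did not exist in the 2001-era servers discussed here); all addresses, the user name and the port numbers below are constructed placeholders, with 2638 taken from the Sybase entries quoted later in the thread.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Every address, user name and interface below is an assumed placeholder.
GW_PUB="203.0.113.10"    # firewall's external address; it DNATs tcp/22 to SSH_BOX
SSH_BOX="192.168.1.5"    # internal SSH server that terminates the tunnel
WEB_INT="192.168.1.20"   # internal web front end for the database
DB_INT="192.168.1.30"    # internal database server
DB_PORT=2638             # database command port (sybaseanywhere in /etc/services)
TUNNEL_USER="zopeuser"   # the only account allowed to log in on SSH_BOX

# 1. sshd_config fragment for SSH_BOX: only TUNNEL_USER may log in, and a
#    session may forward only to the two internal endpoints we actually need.
#    Everything else (X11, tun devices) stays off.
sshd_policy() {
  cat <<EOF
AllowUsers ${TUNNEL_USER}
PermitOpen ${WEB_INT}:80 ${DB_INT}:${DB_PORT}
X11Forwarding no
PermitTunnel no
EOF
}

# 2. The command the external client runs: no remote shell (-N), local port
#    8080 reaches the internal web server, local DB_PORT reaches the database.
client_tunnel_cmd() {
  printf 'ssh -N -L 8080:%s:80 -L %s:%s:%s %s@%s\n' \
    "$WEB_INT" "$DB_PORT" "$DB_INT" "$DB_PORT" "$TUNNEL_USER" "$GW_PUB"
}

# 3. Review helper: would sshd_policy allow a forward to host:port?
#    Returns 0 when the pair is in the PermitOpen allowlist, 1 otherwise.
forward_allowed() { # usage: forward_allowed HOST PORT
  sshd_policy | awk -v t="$1:$2" '
    /^PermitOpen/ { for (i = 2; i <= NF; i++) if ($i == t) found = 1 }
    END { exit found ? 0 : 1 }'
}

# Print the policy and the client command when run with --show.
if [ "${1:-}" = "--show" ]; then
  sshd_policy
  client_tunnel_cmd
fi
```

Run it with `--show` to see the fragment to append to sshd_config on the SSH box and the matching client command; `forward_allowed 192.168.1.30 22` returns non-zero, which is the point of PermitOpen: a compromised tunnel account still cannot pivot to arbitrary internal hosts through the forwarder.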
I don't know what ports your Sybase uses, but if it runs on a Linux machine, netstat -plt (for TCP) and netstat -plu (for UDP) should give you an idea what is in use. My /etc/services says:

sybase-sqlany   1498/tcp   # Sybase SQL Any
sybase-sqlany   1498/udp   # Sybase SQL Any
sybasedbsynch   2439/tcp   # SybaseDBSynch
sybasedbsynch   2439/udp   # SybaseDBSynch
sybaseanywhere  2638/tcp   # Sybase Anywhere
sybaseanywhere  2638/udp   # Sybase Anywhere

Some (or all) of those will probably be worth examining. Since you are talking about Zope I figure you are trying to access the Sybase DB via some Zope interface (?) - if this is the case you should be able to find some information in the Zope docs as well. Depending on how complicated the communication between Sybase and the Zope server is (i.e. FTP is an example) NATing could get quite a pain. Can't talk about iptables yet, but from my experience with ipchains and ipmasqadm NAT is no big deal once you know your ports.

Erwin

Thomas_Janke@prisma-edv.de wrote:
Well, I have a Sybase server running on an internal computer. A Zope-Server needs to have access to that computer. So a certain number of ports should be available.
Is there a way to bypass the firewall for exactly one external computer? I heard something about /etc/fw_friends, but setting this didn't work.
Thanks for your help
Thomas
--
Erwin Zierler | web- / host- / postmaster - stubainet.at
erwin.zierler@stubainet.at / webmaster@stubainet.at
Tel.: 0 5225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
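Erwin's point is that NAT is straightforward once the ports are known, and Thomas's actual requirement is that exactly one external machine gets through. The following is an added example (not code from the thread or from any participant) that ties the two together: it pulls the port/protocol pairs for the Sybase services out of an /etc/services-style listing and emits iptables DNAT and FORWARD rules that match only packets from the single Zope host. It assumes iptables rather than the ipchains/ipmasqadm Erwin mentions, assumes the FORWARD chain already defaults to DROP, and prints the rules for review instead of applying them; the addresses, interface name and the embedded services sample are constructed.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Addresses and the interface name are assumed placeholders.
ZOPE_EXT="203.0.113.25"    # the one external host (the Zope server) allowed in
SYBASE_INT="192.168.1.30"  # internal Sybase server the ports are forwarded to
EXT_IF="eth0"              # firewall's external interface

# Constructed copy of the /etc/services lines quoted above; used when no
# services file is passed in.
SERVICES_SAMPLE='sybase-sqlany   1498/tcp   # Sybase SQL Any
sybase-sqlany   1498/udp   # Sybase SQL Any
sybasedbsynch   2439/tcp   # SybaseDBSynch
sybasedbsynch   2439/udp   # SybaseDBSynch
sybaseanywhere  2638/tcp   # Sybase Anywhere
sybaseanywhere  2638/udp   # Sybase Anywhere'

# Print one "port/proto" per line for every service whose name starts with $1,
# reading /etc/services-style lines from file $2 or from SERVICES_SAMPLE.
service_ports() { # usage: service_ports NAME-PREFIX [SERVICES-FILE]
  { if [ -n "${2:-}" ]; then cat "$2"; else printf '%s\n' "$SERVICES_SAMPLE"; fi; } |
    awk -v p="$1" '$1 ~ ("^" p) { print $2 }' | sort -u
}

# Emit the firewall rules: DNAT each discovered port to the Sybase host only
# when the packet arrives on EXT_IF from ZOPE_EXT, and accept exactly that
# source/destination/port combination in FORWARD. Nothing is applied here;
# review the output, then run it on the firewall.
sybase_rules() { # usage: sybase_rules [SERVICES-FILE]
  service_ports sybase "${1:-}" | while IFS=/ read -r port proto; do
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
      "$EXT_IF" "$ZOPE_EXT" "$proto" "$port" "$SYBASE_INT" "$port"
    printf 'iptables -A FORWARD -i %s -s %s -d %s -p %s --dport %s -j ACCEPT\n' \
      "$EXT_IF" "$ZOPE_EXT" "$SYBASE_INT" "$proto" "$port"
  done
}

# Number of rule lines emitted (two per port/proto pair).
rule_count() { sybase_rules "${1:-}" | wc -l | tr -d ' '; }

# Review check: succeed only if every emitted rule carries the single-source
# match, i.e. no rule opens a port to the whole Internet by mistake.
all_rules_restricted() {
  ! sybase_rules "${1:-}" | grep -v -q -- "-s $ZOPE_EXT "
}

# Print the rule set when run with --print (optionally against a real file).
if [ "${1:-}" = "--print" ]; then
  sybase_rules "${2:-}"
fi
```

Pass a real /etc/services as the second argument (`sh rules.sh --print /etc/services`) to use the firewall's own port table; compare the list against `netstat -plt` / `netstat -plu` on the Sybase host first and drop any pair the server is not actually listening on, so the rule set stays as small as the application needs.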
participants (3)
- Erwin Zierler - stubainet.at
- Matthew Thomas
- Thomas_Janke@prisma-edv.de