SuSEfirewall2 restrict access to specific networks to hosts?
I have a SuSE 9.3 machine using SuSEfirewall2 (as configured via YAST) to open a few ports for services such as sshd and cups. However, I want to restrict which hosts and/or networks can connect. For this purpose I have used hosts.allow/deny for ssh and /etc/cups/cupsd.conf for cups. But is it possible to add an ACL via SuSEfirewall2? Regards -- Simon Oliver
Hi Simon,
I have a SuSE 9.3 machine using SuSEfirewall2 (as configured via YAST) to open a few ports for services such as sshd and cups. However, I want to restrict which hosts and/or networks can connect. For this purpose I have used hosts.allow/deny for ssh and /etc/cups/cupsd.conf for cups. But is it possible to add an ACL via SuSEfirewall2?
--> you can use FW2_TRUSTED_NETWORKS to allow access to certain services only from selected networks/hosts.
HTH, Armin
-- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
I have a SuSE 9.3 machine using SuSEfirewall2 (as configured via YAST) to open a few ports for services such as sshd and cups. However, I want to restrict which hosts and/or networks can connect. For this purpose I have used hosts.allow/deny for ssh and /etc/cups/cupsd.conf for cups. But is it possible to add an ACL via SuSEfirewall2?
--> you can use FW2_TRUSTED_NETWORKS to allow access to certain services only from selected networks/hosts.
Thanks Armin. Am I correct in thinking that if I don't specify a port then all ports are open for the specified network? So, for example, FW_TRUSTED_NETS="172.20.0.0/16,tcp,22" allows ssh from 172.20.0.0/16, but FW_TRUSTED_NETS="172.20.0.0/16,tcp" allows all tcp ports from the 172.20.0.0/16 network?
I also use the portmapper for NIS and NFS, which uses dynamically allocated ports. I found FW_SERVICES_EXT_RPC and FW_SERVICES_INT_RPC but nothing about trusted nets for RPC. I can't use FW_TRUSTED_NETS with RPC since I don't know which ports are going to be used by the portmapper. One option, perhaps insecure but better than nothing, would be to allow the dynamic ports on the external interface but not the portmapper itself and then open this via FW_TRUSTED_NETS?
FW_SERVICES_EXT_RPC="mountd nfs nfs_acl nlockmgr status ypbind"
FW_TRUSTED_NETS="172.20.0.0/16,udp,111 172.20.0.0/16,tcp,111"
Another option I have considered was using the /etc/sysconfig/scripts/SuSEfirewall2-custom script, perhaps in the fw_custom_before_port_handling() section, but I don't know how to do this. I suppose I'm trying to emulate the Scope feature that's available in the XP firewall. Any ideas, or comments on the above? Regards -- Simon Oliver
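An added example, not from the thread: a small Python model of the `network[,protocol[,port]]` entry format that FW_TRUSTED_NETS uses, so the three variants Simon asks about can be compared side by side. The semantics (network alone trusts all traffic, protocol without port opens every port of that protocol) follow the comments in the SuSEfirewall2 config file; the `to_iptables` rendering is an illustration of what each entry grants, not the rules SuSEfirewall2 literally generates, and the chain name `INPUT` is a placeholder.

```python
import ipaddress

# FW_TRUSTED_NETS entry format, per the SuSEfirewall2 config comments:
#   network[,protocol[,port]]  (entries separated by whitespace)
# network alone -> all traffic; network,proto -> every port of that proto;
# network,proto,port -> only that tcp/udp port.
VALID_PROTOS = ("tcp", "udp", "icmp")


def parse_trusted_nets(value):
    """Parse an FW_TRUSTED_NETS value into (network, proto, port) tuples.
    Malformed entries (e.g. the typo 'tdp') raise ValueError."""
    entries = []
    for item in value.split():
        parts = item.split(",")
        if len(parts) > 3:
            raise ValueError(f"too many fields in {item!r}")
        net = str(ipaddress.ip_network(parts[0], strict=False))
        proto = parts[1].lower() if len(parts) > 1 else None
        if proto is not None and proto not in VALID_PROTOS:
            raise ValueError(f"unknown protocol {proto!r} in {item!r}")
        port = None
        if len(parts) == 3:
            if proto == "icmp":
                raise ValueError(f"icmp takes no port: {item!r}")
            port = int(parts[2])
            if not 0 < port < 65536:
                raise ValueError(f"bad port {port} in {item!r}")
        entries.append((net, proto, port))
    return entries


def describe(entry):
    """Plain-language statement of what one entry opens up."""
    net, proto, port = entry
    if proto is None:
        return f"{net}: all protocols, all ports"
    if port is None:
        return f"{net}: all {proto} ports"
    return f"{net}: {proto} port {port} only"


def to_iptables(entries, chain="INPUT"):
    """Illustrative iptables rendering; SuSEfirewall2 uses its own chains."""
    rules = []
    for net, proto, port in entries:
        rule = f"iptables -A {chain} -s {net}"
        if proto:
            rule += f" -p {proto}"
        if port:
            rule += f" --dport {port}"
        rules.append(rule + " -j ACCEPT")
    return rules
```

Running `describe` over each parsed entry makes the difference between `172.20.0.0/16,tcp,22` and `172.20.0.0/16,tcp` explicit before the setting is applied.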
Hello Simon,
--> you can use FW2_TRUSTED_NETWORKS to allow access to certain services only from selected networks/hosts. Thanks Armin. Am I correct in thinking that if I don't specify a port then all ports are open for the specified network? So for example, FW_TRUSTED_NETS="172.20.0.0/16,tcp,22" allows ssh from 172.20.0.0/16, but FW_TRUSTED_NETS="172.20.0.0/16,tcp" allows all tcp ports from the 172.20.0.0/16 network?
--> I have only tried FW_TRUSTED_NETS="172.20.0.0/16" to open up all ports. Whether you can restrict this to TCP, you have to try.
I also use the portmapper for NIS and NFS, which uses dynamically allocated ports. I found FW_SERVICES_EXT_RPC and FW_SERVICES_INT_RPC but nothing about trusted nets for RPC. I can't use FW_TRUSTED_NETS with RPC since I don't know which ports are going to be used by the portmapper.
--> I don't have any experience with a setup like this.
One option, perhaps insecure but better than nothing, would be to allow the dynamic ports on the external interface but not the portmapper itself and then open this via FW_TRUSTED_NETS?
--> This would work but probably only block NIS/NFS from other nets without protecting you against other services/attacks (since all dynamic ports are open).
FW_SERVICES_EXT_RPC="mountd nfs nfs_acl nlockmgr status ypbind" FW_TRUSTED_NETS="172.20.0.0/16,udp,111 172.20.0.0/16,tcp,111"
Another option I have considered was using the /etc/sysconfig/scripts/SuSEfirewall2-custom script, perhaps in the fw_custom_before_port_handling() section but I don't know how to do this.
--> I'm no iptables expert so I can't help you with this. The only thing would be to try to get away from NFS and try to use SSH/SCP/SFTP wherever possible. Do you know LUFS (http://lufs.sourceforge.net/lufs/) for mounting SSH servers? Bye, Armin
Hi *, Armin Schoech wrote:
Hello Simon,
--> you can use FW2_TRUSTED_NETWORKS to allow access to certain services only from selected networks/hosts.
Thanks Armin. Am I correct in thinking that if I don't specify a port then all ports are open for the specified network? So for example, FW_TRUSTED_NETS="172.20.0.0/16,tcp,22" allows ssh from 172.20.0.0/16, but FW_TRUSTED_NETS="172.20.0.0/16,tcp" allows all tcp ports from the 172.20.0.0/16 network?
--> I have only tried FW_TRUSTED_NETS="172.20.0.0/16" to open up all ports. Whether you can restrict this to TCP, you have to try.
I also use the portmapper for NIS and NFS, which uses dynamically allocated ports. I found FW_SERVICES_EXT_RPC and FW_SERVICES_INT_RPC but nothing about trusted nets for RPC. I can't use FW_TRUSTED_NETS with RPC since I don't know which ports are going to be used by the portmapper.
You cannot trust NIS and NFS if you cannot trust the other host _and_ the transporting network. So you cannot use one of them over the unencrypted Internet!! _Please_ use a VPN to connect server and client. And as you use a VPN, you can simply trust the other IP ;-) (FW_TRUSTED_NETS=) Just my 2 ctEUR, Dirk -- TRIA IT-consulting GmbH, http://www.tria.de
Participants (3):
- Armin Schoech
- Dirk Schreiner
- Simon Oliver