I don't see anywhere in yast where I can configure the suse firewall to limit connections to a port to a subnet as well. Is this possible in the gui?

So, for example, I want to limit who can ssh to a machine to 3 subnets, can I do something like

port 23 host allow 129.219.0.0/32 ?

--
David Bear
phone: 480-965-8257
fax: 480-965-9189
College of Public Programs/ASU
Wilson Hall 232
Tempe, AZ 85287-0803
"Beware the IP portfolio, everyone will be suspect of trespassing"
Hi David,

> I don't see anywhere in yast where I can configure the suse firewall to limit connections to a port to a subnet as well. Is this possible in the gui?
>
> So, for example, I want to limit who can ssh to a machine to 3 subnets, can I do something like
>
> port 23 host allow 129.219.0.0/32 ?

--> I don't know about the GUI but in the SuSEfirewall configuration file /etc/sysconfig/SuSEfirewall2 there is a variable called "FW_TRUSTED_NETS" where you can put

FW_TRUSTED_NETS="129.219.1.0/24,tcp,22 129.219.2.0/24,tcp,22"

or something like this depending on your subnets. Additionally, you should use /etc/hosts.allow to restrict the access to the sshd daemon via the tcpwrapper mechanism.

By the way, the port for SSH is 22. Port 23 is used by TELNET (which you really don't want to allow).

HTH,
Armin

--
Am Hasenberg 26                  office: Institut für Atmosphärenphysik
D-18209 Bad Doberan                      Schloss-Straße 6
Tel. ++49-(0)38203/42137                 D-18225 Kühlungsborn / GERMANY
Email: schoech@iap-kborn.de              Tel. +49-(0)38293-68-102
WWW: http://armins.cjb.net/              Fax. +49-(0)38293-68-50
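As an added example (not part of the thread, and not SuSE's own tooling), the script below evaluates FW_TRUSTED_NETS entries in the "network,protocol,port" form Armin shows and, from the same entries, renders the /etc/hosts.allow line for sshd that he recommends as a second layer. It lets you confirm, before touching the live firewall, which client addresses a given entry list would admit, and it shows why the "/32" in the question covers a single host rather than a subnet. The three /24 subnets are constructed sample values; the assumption that an entry may omit the protocol or port (trusting the network for all traffic) and the daemon name "sshd" in hosts.allow are mine, not taken from the thread.

```shell
#!/bin/sh
# Added example: check client addresses against SuSEfirewall2-style FW_TRUSTED_NETS
# entries ("network[,proto[,port]]") and build the matching /etc/hosts.allow line.
# The subnets below are constructed sample values, not from the original message.
FW_TRUSTED_NETS="129.219.1.0/24,tcp,22 129.219.2.0/24,tcp,22 129.219.3.0/24,tcp,22"

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# cidr_mask BITS -> netmask as a 32-bit integer (/0 handled separately: shifting by 32 is undefined)
cidr_mask() {
  if [ "$1" -eq 0 ]; then
    echo 0
  else
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
  fi
}

# split_cidr NET[/BITS] -> sets cnet and cbits; a bare address means one host, i.e. /32
split_cidr() {
  case $1 in
    */*) cnet=${1%/*}; cbits=${1#*/} ;;
    *)   cnet=$1;      cbits=32 ;;
  esac
}

# in_cidr IP NET/BITS -> exit 0 when IP lies inside the network
in_cidr() {
  split_cidr "$2"
  mask=$(cidr_mask "$cbits")
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$cnet") & mask )) ]
}

# trusted IP PROTO PORT -> exit 0 when some FW_TRUSTED_NETS entry admits that connection.
# Assumption: an entry with no proto (or no port) trusts the network for all protocols (ports).
trusted() {
  for entry in $FW_TRUSTED_NETS; do
    IFS=, read -r net proto port <<EOF
$entry
EOF
    if { [ -z "$proto" ] || [ "$proto" = "$2" ]; } && { [ -z "$port" ] || [ "$port" = "$3" ]; }; then
      in_cidr "$1" "$net" && return 0
    fi
  done
  return 1
}

# cidr_to_wrappers NET/BITS -> tcp_wrappers "net/mask" notation, e.g. 129.219.1.0/255.255.255.0
cidr_to_wrappers() {
  split_cidr "$1"
  m=$(cidr_mask "$cbits")
  echo "$cnet/$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# hosts_allow_rule PROTO PORT -> the /etc/hosts.allow line for sshd covering the entries
# that trust exactly that protocol and port (daemon name "sshd" is an assumption)
hosts_allow_rule() {
  rule="sshd:"
  for entry in $FW_TRUSTED_NETS; do
    IFS=, read -r net proto port <<EOF
$entry
EOF
    [ "$proto" = "$1" ] && [ "$port" = "$2" ] || continue
    rule="$rule $(cidr_to_wrappers "$net")"
  done
  echo "$rule"
}

# Demo: one address inside a trusted /24, one outside, and the /32 from the question
for client in 129.219.1.5 129.219.9.5; do
  if trusted "$client" tcp 22; then echo "$client: ssh allowed"; else echo "$client: ssh denied"; fi
done
if in_cidr 129.219.0.1 129.219.0.0/32; then
  echo "129.219.0.0/32 covers 129.219.0.1"
else
  echo "129.219.0.0/32 is a single host (129.219.0.0), not a subnet"
fi
hosts_allow_rule tcp 22
```

Pair the generated hosts.allow line with an "sshd: ALL" entry in /etc/hosts.deny so that anything the firewall lets through but the list does not cover is still refused by the wrapper; the two layers fail closed independently.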
I recommend making use of passwordless RSA authentication too. Then it begins to matter less where the server is accessible from, which is a good idea just because not all networks use RPF.

----- Original Message -----
From: Armin Schoech
To: suse-security@suse.com
Sent: Tuesday, June 14, 2005 7:50 PM
Subject: Re: [suse-security] limiting connections to subnets
participants (3)
- Andre Venter
- Armin Schoech
- David Bear