RE: [suse-security] Blocking ports and services
Hi Dietmar,

> From: Dietmar Stein [mailto:DStein@phoenixcontact.com]
>
> Hi
>
> I am new to the list but I have gone through archives and several internet resources before, but I can't find a detailed answer, so I am asking ...
>
> I have a machine running SLES7 (fully updated), which has only one ethernet interface (eth0). The machine is running SAP and Oracle and I want to ensure that only some IP addresses can connect to SAP (which is running on ports 3200, 3300, 4800, 3600); all other services except ssh should be unavailable to the local network.

FW_DEV_EXT="eth0"
FW_EXT_SERVICES="ssh"
FW_TRUSTED_NETS="a.b.c.d/0,tcp,3200 a.b.c.d/0,tcp,3300 a.b.c.d/0,tcp,4800 a.b.c.d/0,tcp,3600"

If you can find a subnet for all "allowed" ip addresses this will be very easy. E.g. FW_TRUSTED_NETS="10.100.0.0/16,tcp,80" enables HTTP-access for every ip within the 10.100.0.0 subnet.

> What do I want? I want to have access to SAP/Oracle from only a few IP addresses and all other services blocked (except ssh which should be public). I have tried to use SuSEfirewall without success (it won't start if I do not specify an external device and if I specify it, I lock myself).

A trick of not locking oneself out of the box is to add the ip-address to the FW_TRUSTED_NETS variable ;-)

> Any suggestions?
>
> Thanks, Dietmar

You're welcome, Stefan
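The FW_TRUSTED_NETS entries discussed above have the shape "net/prefix,proto,port". The script below is an added example, not code from this thread or from SuSEfirewall2: it sanity-checks such a value before it goes into the firewall configuration (a /0 prefix length matches every source address, so an entry written that way trusts the whole network rather than one host) and prints the plain iptables rules that express the same intent. The rule shape and the sample value are assumptions for illustration; SuSEfirewall2 builds its own chains.

```shell
#!/bin/sh
# Added example (not from the list thread or SuSEfirewall2): validate a
# FW_TRUSTED_NETS value and render equivalent iptables rules for reading.

# Constructed sample: two SAP ports opened for one subnet, plus one entry
# whose /0 prefix matches every source address, not just 10.100.1.5.
SAMPLE_TRUSTED_NETS="10.100.0.0/16,tcp,3200 10.100.0.0/16,tcp,3300 10.100.1.5/0,tcp,4800"

# valid_ipv4 A.B.C.D -> 0 if exactly four octets, each 0..255
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# check_entry NET[/PREFIX],PROTO,PORT
#   returns 0 if well-formed and restrictive (sets net, proto, port),
#           1 if malformed,
#           2 if well-formed but the prefix is /0 (trusts every address)
check_entry() {
    entry=$1
    net=${entry%%,*}
    rest=${entry#*,}
    [ "$rest" != "$entry" ] || return 1    # no comma at all
    proto=${rest%%,*}
    port=${rest#*,}
    [ "$port" != "$rest" ] || return 1     # only one comma
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    addr=${net%%/*}
    prefix=${net#*/}
    [ "$prefix" != "$net" ] || prefix=32   # bare address means a single host
    valid_ipv4 "$addr" || return 1
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    [ "$prefix" -gt 0 ] || return 2
    return 0
}

# count_catchall "ENTRY ENTRY ..." -> prints how many entries use a /0 prefix
count_catchall() {
    n=0
    for e in $1; do
        rc=0
        check_entry "$e" || rc=$?
        if [ "$rc" -eq 2 ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# iptables_rules IFACE "ENTRY ENTRY ..." -> one ACCEPT rule per good entry
# (illustrative shape); malformed or /0 entries are reported on stderr and
# skipped, so a typo never silently widens the trusted set
iptables_rules() {
    iface=$1
    for e in $2; do
        rc=0
        check_entry "$e" || rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "skipping '$e' (status $rc)" >&2
            continue
        fi
        echo "iptables -A INPUT -i $iface -p $proto -s $net --dport $port -j ACCEPT"
    done
}

echo "catch-all entries: $(count_catchall "$SAMPLE_TRUSTED_NETS")"
iptables_rules eth0 "$SAMPLE_TRUSTED_NETS"
```

Run it against the real value from /etc/rc.config.d/firewall2.rc.config (or wherever the SuSEfirewall2 configuration lives on the installation) before restarting the firewall; the two rule lines it prints for the sample are what the 10.100.0.0/16 entries mean, and the skipped /0 entry is the one to rewrite with a proper prefix length.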
Peer Stefan