If for instance you do not trust some smartphones or smart TVs in your home, you can create firewall rules to protect your Linux machine. I tested this with the SuSEfirewall2. You have to edit a /etc/sysconfig/scripts/SuSEfirewall2-custom file and activate it in /etc/sysconfig/SuSEfirewall2 with

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

Then you have to add the blocking firewall rules into function fw_custom_before_port_handling(). My example blocks some common ports, but not all ports (e.g. not the HTTP and HTTPS ports) for the smartphone with hardware address 01:02:03:04:05:06.

fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    # the MAC address of my smartphone
    # see Settings -> About Phone -> Status
    mysmartphone="01:02:03:04:05:06" # set the hardware address of the "dangerous" device here

    # first pass appends the LOG rules, second pass the DROP rules
    for target in LOG DROP; do
        for chain in input_ext forward_ext; do
            # block unneeded ports for my smartphone
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 22   # SSH
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 25   # SMTP
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 143  # IMAP
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 631  # CUPS
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 3306 # MySQL
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 6000 # Xorg
        done
    done

    true
}

Greetings,
Björn
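The following is an added example, not part of the original post: it generalizes the rules above to several devices and ports and prints them for review instead of applying them. The second MAC address, the variable names and the helper functions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate MAC-based block rules as text so they can be
# reviewed before being pasted into fw_custom_before_port_handling().
# Nothing is applied to the firewall by this script.

# Constructed sample values; replace with your own devices and ports.
UNTRUSTED_MACS="01:02:03:04:05:06 0A:0B:0C:0D:0E:0F"
BLOCKED_TCP_PORTS="22 25 143 631 3306 6000"

# Return 0 if $1 looks like a MAC address (six colon-separated hex octets).
is_valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Return 0 if $1 is a port number in the range 1..65535.
is_valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print a LOG rule directly followed by its DROP rule for every chain,
# device and port. LOG does not end rule traversal, so the packet is
# logged and then dropped. Invalid entries are reported and skipped.
gen_block_rules() {
    macs=$1
    ports=$2
    for chain in input_ext forward_ext; do
        for mac in $macs; do
            if ! is_valid_mac "$mac"; then
                echo "skipping invalid MAC: $mac" >&2
                continue
            fi
            for port in $ports; do
                if ! is_valid_port "$port"; then
                    echo "skipping invalid port: $port" >&2
                    continue
                fi
                for target in LOG DROP; do
                    echo "iptables -A $chain -m mac --mac-source $mac -p tcp --dport $port -j $target"
                done
            done
        done
    done
}

gen_block_rules "$UNTRUSTED_MACS" "$BLOCKED_TCP_PORTS"
```

The mac match only sees the source address of frames arriving on the directly attached network segment, and many current phones use a randomized MAC address per Wi-Fi network, so check which address the device actually presents before relying on these rules.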