Hi, Vahe Avedissian wrote:
Hi Togan,
I tried the first suggestion you made and that seems to work! Thanks!!! I will try your second suggestion as well. Any advantage of the first versus the second approach?
With FW_TRUSTED_NETS you let the IP access the ports you want, or the whole port range if you just put the IP.

The second approach is based on the "FW_SERVICES_ACCEPT_RELATED_EXT" parameter, so you have two ways of doing the same thing. In this approach you only accept packets that are related to the requests. Meaning your TV tuner contacts the server and asks something; the reply is in relation to the question. This will be let through with "FW_SERVICES_ACCEPT_RELATED_EXT", so this approach is more like fine tuning.

Now when you use the template, that means you define all these things in the template and you just add the service name to "FW_CONFIGURATIONS_EXT". With this approach the service can be added to any FW_CONFIGURATIONS_XXX.
Also, the HDHomeRun TV tuner is sitting on my local network. I was wondering what the implications of trusting them were per your comment below? Can you shed some light on this concern?
When you run a firewall and you let packets through selectively, that means you are not trusting everyone out there in the wild. Now if you just put the "HDHomeRun ip" alone, giving the full port access, that would not sit well with me and I would like to limit their access to my network. So using (tcp,udp,icmp) and ports I would limit the access.

And quoting the remarks for FW_TRUSTED_NETS from /etc/sysconfig/SuSEfirewall2:

*"Please note that this is no replacement for authentication since IP addresses can be spoofed."*

That would leave me the option of letting in packets that are related, because I am initiating the contact first.

I would suggest, since you now have a working solution, find the ports, i.e. using iptraf, and try to narrow down the ports to see what happens.

Hope this helps

Togan
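Added example, not part of the original e-mail: a small audit that reads FW_TRUSTED_NETS from a SuSEfirewall2 sysconfig file and lists the entries that grant a host every port, which is the case the reply advises narrowing. It assumes the `network[,protocol[,port]]` entry format described in the file's own comments; the sample content, addresses and port are constructed placeholders, and the function names are hypothetical.

```python
import shlex

# Constructed sample of /etc/sysconfig/SuSEfirewall2 content (placeholder
# documentation addresses and port, not values from the thread).
SAMPLE = '''
# trusted hosts
FW_TRUSTED_NETS="192.0.2.10 192.0.2.11,udp 192.0.2.12,tcp,5000 198.51.100.0/24,icmp"
FW_SERVICES_ACCEPT_RELATED_EXT=""
'''


def read_var(text, name):
    """Return the last value assigned to a shell-style sysconfig variable."""
    value = ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(name + "="):
            parts = shlex.split(line[len(name) + 1:], comments=True)
            value = parts[0] if parts else ""
    return value


def audit_trusted_nets(value):
    """Classify each FW_TRUSTED_NETS entry by how much access it grants."""
    findings = []
    for entry in value.split():
        fields = entry.split(",")
        net = fields[0]
        proto = fields[1] if len(fields) > 1 and fields[1] else None
        port = fields[2] if len(fields) > 2 and fields[2] else None
        if proto is None:
            level = "all-protocols-all-ports"   # bare IP: full access
        elif port is None and proto in ("tcp", "udp"):
            level = "all-ports"                 # protocol set, no port limit
        else:
            level = "restricted"                # protocol and port, or icmp
        findings.append((net, proto, port, level))
    return findings


def unrestricted(text):
    """Entries worth narrowing down to specific protocols and ports."""
    value = read_var(text, "FW_TRUSTED_NETS")
    return [f for f in audit_trusted_nets(value) if f[3] != "restricted"]


if __name__ == "__main__":
    for net, proto, port, level in unrestricted(SAMPLE):
        print(f"{net}: {level} (protocol={proto}, port={port})")
```

To check a real host, pass the contents of /etc/sysconfig/SuSEfirewall2 to `unrestricted()` instead of `SAMPLE`.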