On 18/03/2021 08.30, Gustav Degreef wrote:
On 3/17/21 8:56 PM, Carlos E. R. wrote:
On 17/03/2021 20.43, Gustav Degreef wrote:
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
...... tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops running openSUSE 15.x (and 2 Android phones) on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers ......
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
How many interfaces? I assume "one", be it "eth0" or "wlan0". Typically set it to "home". If you are connecting the laptop outside of your home, then use "public".
Only 1, wlan0. All wireless, no ethernet on the network.
I'm confused.
 - Do you need access via ssh from Internet?
No, I want to prevent ssh logins from the internet.
Then you only need to configure the router.
I wondered if that might be a better way. So, I just configure the firewall with only the home zone to allow ssh and block incoming ssh from the internet via the router?
It is *the* way. It is possible, with SuSEfirewall2, to block ssh (for example), but permit it only from certain listed IPs: FW_TRUSTED_NETS="192.168.1.10,tcp,ssh" as a second layer of protection besides the router. But the router must block outside attempts. Unfortunately, I don't know how to achieve the same thing with firewalld.
 - your router, what does it run?
I bought the router myself, configured it myself. TP-Link (TL-WR840N), don't know what it runs.
Then that's the one you have to configure.
Then I'll read up on how to do that.
Gustav
Some people consider that the router does put a sufficient barrier by doing NAT, but it is much better if it also has a firewall. Home routers may have their firewall disabled, so you just need to enable it and done. On some, the feature is hidden. Others may come with it enabled by default.
--
Cheers / Saludos,
Carlos E. R.
(from 15.2 x86_64 at Telcontar)
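The firewalld counterpart of the SuSEfirewall2 FW_TRUSTED_NETS restriction Carlos mentions, as an added example that is not part of the thread: ssh stays reachable only from the home LAN, as a second layer behind the router's own block. It assumes the LAN is 192.168.1.0/24 on wlan0 (both constructed, adjust to your network) and that firewall-cmd is installed.

```shell
#!/bin/sh
# Added example, not from the thread: the firewalld counterpart of
# SuSEfirewall2's FW_TRUSTED_NETS="192.168.1.10,tcp,ssh". Assumed values
# (constructed, adjust to your network): LAN 192.168.1.0/24 on wlan0.
# Set FIREWALL_CMD=echo to preview the commands instead of running them.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
IFACE="${IFACE:-wlan0}"
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# One firewall-cmd argument list per line. firewalld matches a packet's
# source address before its interface, so LAN traffic lands in "home"
# (ssh allowed) and everything else arriving on wlan0 lands in "public"
# (ssh removed). The router must still block outside attempts itself.
ssh_lan_only_commands() {
    echo "--permanent --zone=home --add-source=$LAN_NET"
    echo "--permanent --zone=home --add-service=ssh"
    echo "--permanent --zone=public --change-interface=$IFACE"
    echo "--permanent --zone=public --remove-service=ssh"
    echo "--reload"
}

# Run each line through firewall-cmd (or whatever FIREWALL_CMD names).
# On NetworkManager-managed interfaces the zone is better set on the
# connection profile: nmcli connection modify <name> connection.zone public
apply_ssh_lan_only() {
    ssh_lan_only_commands | while read -r args; do
        # word splitting of $args into separate arguments is intended
        $FIREWALL_CMD $args || return 1
    done
}

# Return 1 if the public zone still offers ssh after the change.
check_ssh_not_public() {
    if $FIREWALL_CMD --zone=public --list-services | grep -qw ssh; then
        echo "ssh is still allowed in the public zone" >&2
        return 1
    fi
    return 0
}

if [ "${1:-}" = "--apply" ]; then
    apply_ssh_lan_only && check_ssh_not_public
fi
```

Run it as `sh script.sh --apply` as root; afterwards `firewall-cmd --get-active-zones` should show the LAN subnet under "home" and wlan0 under "public".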