On 3/18/21 11:11 AM, Carlos E. R. wrote:
On 18/03/2021 08.30, Gustav Degreef wrote:
On 3/17/21 8:56 PM, Carlos E. R. wrote:
On 17/03/2021 20.43, Gustav Degreef wrote:
On 3/17/21 8:09 PM, Carlos E. R. wrote:
On 17/03/2021 19.42, Gustav Degreef wrote:
...... tried to make sure that I set my firewall (firewalld) to block all ssh connections from outside my home LAN. My ISP provides access via cable modem and I set up my own router.
There are 3-4 laptops ....... on my home network (addresses configured with DHCP) and I log in periodically via ssh (as user, not root) to the other computers ......
Via the yast2 firewall configuration I set only the "public", "internal" and "home" zones to have ssh as an allowed service. The "external" and other zones do not have ssh allowed.
Why that many zones? You need only one per network interface.
How many interfaces? I assume "one", be it "eth0" or "wlan0". Typically set it to "home". If you are connecting the laptop outside of your home, then use "public".
Only 1, wlan0. All wireless, no ethernet on the network.
- Do you need access via ssh from the Internet? No, I want to prevent ssh logins from the internet.
Then you only need to configure the router.
I wondered if that might be a better way. So, I just configure the firewall with only the home zone to allow ssh and block incoming ssh from the internet via the router?
It is *the* way.
- your router, what does it run?
I bought the router myself, configured it myself. TP link (TL-WR840N), don't know what it runs.
Then that's the one you have to configure. Some people consider that the router does put a sufficient barrier by doing NAT, but it is much better if it also has a firewall.
Home routers may have their firewall disabled, so you just need to enable it and done. On some, the feature is hidden. Others may come with it enabled by default.
Yes, the router has a firewall enabled by default. There are basic and advanced security settings. The basic is to enable (or not) SPI Firewall - Stateful Packet Inspection (SPI). Not sure if this is sufficient to block all ssh connections from the internet. I could not see if there is a facility to block/allow specific protocols such as ssh. I will now look at the zones and NetworkManager settings more closely. Takes me time due to my visual disability. Gustav.
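The firewalld part of the thread (ssh allowed in several zones, only one interface, wlan0, bound to one of them) can be checked mechanically. The script below is an added example, not code from the thread or from the firewalld project. It parses zone files in the standard firewalld XML layout (the same shape as the files under /etc/firewalld/zones/), takes the interface-to-zone binding as a separate dict shaped like the output of `firewall-cmd --get-active-zones` (on a NetworkManager system that binding usually lives in the connection profile's `connection.zone`, not in the zone file), and reports from where ssh is accepted, plus the firewall-cmd commands that would leave ssh reachable only from the LAN subnet. The zone files, the active-zone mapping and the LAN subnet 192.168.0.0/24 are constructed for the example.

```python
"""Audit firewalld zone XML for where ssh is reachable (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample zone files, keyed by zone name: ssh enabled in home,
# public and internal (as in the thread), nothing bound except home.
SAMPLE_ZONES = {
    "home": """<?xml version="1.0" encoding="utf-8"?>
<zone><short>Home</short><service name="ssh"/><service name="mdns"/></zone>""",
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone><short>Public</short><service name="ssh"/><service name="dhcpv6-client"/></zone>""",
    "internal": """<?xml version="1.0" encoding="utf-8"?>
<zone><short>Internal</short><service name="ssh"/></zone>""",
    "external": """<?xml version="1.0" encoding="utf-8"?>
<zone target="default"><short>External</short><masquerade/></zone>""",
}

# Constructed: the home zone after the suggested fix, ssh only via a rich
# rule limited to the LAN subnet instead of the unrestricted service entry.
SAMPLE_HOME_FIXED = """<?xml version="1.0" encoding="utf-8"?>
<zone><short>Home</short><service name="mdns"/>
  <rule family="ipv4"><source address="192.168.0.0/24"/><service name="ssh"/><accept/></rule>
</zone>"""

# Constructed: what `firewall-cmd --get-active-zones` shows for the
# single-interface laptop from the thread (wlan0 in the home zone).
SAMPLE_ACTIVE = {"home": ["wlan0"]}


@dataclass
class ZoneInfo:
    name: str
    services: set = field(default_factory=set)       # plain <service name=.../>
    sources: list = field(default_factory=list)      # <source address=.../>
    interfaces: list = field(default_factory=list)   # <interface name=.../>
    rich_ssh_sources: list = field(default_factory=list)  # rich rules accepting ssh


def parse_zone(name, xml_text):
    """Extract the parts of a zone file that decide ssh reachability."""
    root = ET.fromstring(xml_text)
    z = ZoneInfo(name)
    z.services = {s.get("name") for s in root.findall("service")}
    z.sources = [s.get("address") for s in root.findall("source")]
    z.interfaces = [i.get("name") for i in root.findall("interface")]
    for rule in root.findall("rule"):
        if rule.find("service[@name='ssh']") is not None and rule.find("accept") is not None:
            src = rule.find("source")
            z.rich_ssh_sources.append(src.get("address") if src is not None else "any")
    return z


def ssh_exposure(z):
    """Address scopes from which the zone accepts ssh ('any' or a CIDR)."""
    scopes = ["any"] if "ssh" in z.services else []  # plain service: no source limit
    return scopes + z.rich_ssh_sources


def audit(zone_files, active, lan_cidr):
    """Return (findings, fixes): human-readable exposure lines and the
    firewall-cmd commands that restrict ssh to lan_cidr on bound zones and
    drop it from zones nothing is bound to."""
    zones = {n: parse_zone(n, t) for n, t in zone_files.items()}
    findings, fixes = [], []
    for name in sorted(zones):
        z = zones[name]
        scopes = ssh_exposure(z)
        if not scopes:
            continue
        bound = z.interfaces + list(active.get(name, []))
        if not bound and not z.sources:
            # Harmless today, but a surprise if wlan0 is ever moved to this zone.
            findings.append(f"{name}: ssh allowed but zone is bound to no interface or source")
            if "ssh" in z.services:
                fixes.append(f"firewall-cmd --permanent --zone={name} --remove-service=ssh")
            continue
        where = ", ".join(bound) if bound else "sources " + ", ".join(z.sources)
        for scope in scopes:
            findings.append(f"{name}: ssh accepted from {scope} on {where}")
        if "any" in scopes and not z.sources:
            # Bound zone with an unrestricted ssh service: narrow it to the LAN.
            fixes.append(f"firewall-cmd --permanent --zone={name} --remove-service=ssh")
            fixes.append(
                f"firewall-cmd --permanent --zone={name} --add-rich-rule="
                f"'rule family=\"ipv4\" source address=\"{lan_cidr}\" service name=\"ssh\" accept'")
    if fixes:
        fixes.append("firewall-cmd --reload")
    return findings, fixes


if __name__ == "__main__":
    for label, zones in (("before", SAMPLE_ZONES), ("after", {"home": SAMPLE_HOME_FIXED})):
        f, x = audit(zones, SAMPLE_ACTIVE, "192.168.0.0/24")
        print(f"== {label} ==")
        print("\n".join(f) or "(no ssh exposure)")
        print("\n".join(x) or "(nothing to change)")
```

On a real machine, feed it the files from /etc/firewalld/zones/ and the binding from `firewall-cmd --get-active-zones`; a NetworkManager connection is moved into a zone with `nmcli connection modify <profile> connection.zone home`. The rich rule is the check the thread was missing: with a plain `ssh` service entry, any peer that can reach wlan0 is accepted, and whether "any peer" includes the Internet is decided only by the router (a NAT router delivers no inbound connection to a LAN host unless a port-forward or DMZ rule exists, whatever the SPI setting says). The way to confirm the router side is to try `ssh` to the public address from outside the LAN, for instance from a phone hotspot.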