Bjoern Voigt wrote:
I am using SuSEfirewall for many years without problems and I am not very interested in switching to a more flexible solution (direct iptables usage, Firewall Builder ...).
But I search a good strategy for configuring SuSEfirewall, so that I can divide the network into three or more zones:

* "trusted zone": trusted network devices in my network, e.g. Linux PCs under my control
* "untrusted zone": network devices in my network, which are somewhat unreliable, e.g. smartphones without recent updates, TV set-top boxes, Smart TV devices, future IoT devices ...
* "internet zone": connections from the internet (some ports are forwarded in my router)
I know, that I can configure such a network setup in SuSEfirewall using three networks cards, each connected with one network. But no, I only use one network card.
So I can not classify the networks using the network cards, which is the standard in SuSEfirewall.
Probably a good starting point is the custom rules file for SuSEfirewall: /etc/sysconfig/scripts/SuSEfirewall2-custom

Here is my setup. I started with my smartphone from the "untrusted" devices. I have allowed several server ports on my PC, so that I can for instance use the CUPS printer server from another "trusted" PC. But if I do not fully trust my smartphone and if my smartphone does not need to access for instance CUPS on my PC, I can simply block it.
Because it's easier to fake the IP address than the hardware (MAC) address on my smartphone, I used the MAC address to identify my smartphone in iptables rules. I know this is not perfect, but I am unwilling to build a difficult setup with routers, VLANs, several Wifis etc.

I have done this with SuSEfirewall. First I allowed several ports in SuSEfirewall with YaST, e.g. SSH, SMTP, IMAP, CUPS, Apache etc. Now I block some of them for my smartphone. I don't block all ports, because I want to use Samba and MythTV from my smartphone.

At first I have to activate the custom rules in /etc/sysconfig/SuSEfirewall2:

FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"

In the custom rules file /etc/sysconfig/scripts/SuSEfirewall2-custom I extend the function fw_custom_before_port_handling:

fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    # the MAC address of my smartphone
    # see Settings -> About Phone -> Status
    mysmartphone="12:34:56:78:9a:bc"

    # LOG rules are added first, then the matching DROP rules, so that
    # every blocked attempt shows up in the kernel log before it is dropped
    for target in LOG DROP; do
        for chain in input_ext forward_ext; do
            # block unneeded ports for my smartphone
            iptables -A $chain -m mac --mac-source $mysmartphone -p tcp --dport 22   -j $target  # SSH
            iptables -A $chain -m mac --mac-source $mysmartphone -p tcp --dport 25   -j $target  # SMTP
            iptables -A $chain -m mac --mac-source $mysmartphone -p tcp --dport 143  -j $target  # IMAP
            iptables -A $chain -m mac --mac-source $mysmartphone -p tcp --dport 631  -j $target  # CUPS
            iptables -A $chain -m mac --mac-source $mysmartphone -p tcp --dport 3306 -j $target  # MySQL
            iptables -A $chain -m mac --mac-source $mysmartphone -p tcp --dport 6000 -j $target  # Xorg
        done
    done
    true
}

This is all. In "dmesg" I can see the log messages for the blocked access attempts from my smartphone.

Greetings,
Björn
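The post blocks one device's ports with one iptables line per port and per target. As an added example (not code from the post or from SuSEfirewall2), the script below generalises the same hook to a table of untrusted devices, one line per device with its MAC address and the TCP ports to block, and collapses the per-port lines into a single rule per chain and target using the multiport match. The MAC addresses and port lists in the table are constructed placeholders, and IPT defaults to "echo iptables" so the rule set can be inspected without root; set IPT=iptables when calling apply_untrusted_rules from fw_custom_before_port_handling. Two caveats a practitioner should keep in mind: the mac match only sees the MAC of the last hop, so it works only for devices on the same Ethernet or Wifi segment as the firewall host (frames arriving via the router carry the router's MAC), and MAC addresses can be changed on most devices, so this is a convenience control rather than a security boundary.

```shell
#!/bin/sh
# Added example: per-device port blocking by source MAC, generated from a table.
# IPT defaults to a dry run ("echo iptables"); set IPT=iptables to apply for real.
IPT="${IPT:-echo iptables}"

# Constructed device table (placeholders, not real devices):
#   "<source MAC> <comma-separated TCP ports to block>"
UNTRUSTED_DEVICES='
12:34:56:78:9a:bc 22,25,143,631,3306,6000
de:ad:be:ef:00:01 22,631
'

# Emit a LOG rule and then a DROP rule for one device in the SuSEfirewall2
# external-zone chains, so every blocked attempt is logged before it is dropped.
# -p tcp must precede -m multiport, which needs the protocol match loaded.
block_device_ports() {
    mac="$1"
    ports="$2"
    for chain in input_ext forward_ext; do
        $IPT -A "$chain" -p tcp -m mac --mac-source "$mac" \
            -m multiport --dports "$ports" \
            -j LOG --log-prefix "untrusted-$chain: "
        $IPT -A "$chain" -p tcp -m mac --mac-source "$mac" \
            -m multiport --dports "$ports" \
            -j DROP
    done
}

# Walk the device table, skipping blank lines, and emit rules for each entry.
apply_untrusted_rules() {
    printf '%s\n' "$UNTRUSTED_DEVICES" | while read -r mac ports; do
        [ -n "$mac" ] || continue
        block_device_ports "$mac" "$ports"
    done
}

# Dry run: prints the iptables commands that would be executed.
apply_untrusted_rules
```

Each device yields four rules (LOG and DROP in both input_ext and forward_ext) regardless of how many ports it blocks, and the log prefix names the chain so the entries in dmesg or the journal can be told apart from other SuSEfirewall2 log lines.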