[opensuse] Good SuSEfirewall strategy for SOHO users?
I have been using SuSEfirewall for many years without problems and I am not very interested in switching to a more flexible solution (direct iptables usage, Firewall Builder ...). But I am searching for a good strategy for configuring SuSEfirewall, so that I can divide the network into three or more zones:
* "trusted zone": trusted network devices in my network, e.g. Linux PCs under my control
* "untrusted zone": network devices in my network which are somewhat unreliable, e.g. smartphones without recent updates, TV set-top boxes, Smart TV devices, future IoT devices ...
* "internet zone": connections from the internet (some ports are forwarded in my router)
I know that I can configure such a network setup in SuSEfirewall using three network cards, each connected to one network. But no, I only use one network card. So I cannot classify the networks using the network cards, which is the standard in SuSEfirewall. Probably a good starting point is the custom rules file for SuSEfirewall: /etc/sysconfig/scripts/SuSEfirewall2-custom
My questions:
1. How can I classify my network devices best? Hardware/MAC addresses are my favorite. VLAN is currently unavailable, because my router does not support VLANs. Static IP addresses (maybe configured with static DHCP assignments in my router) are an alternative to hardware/MAC addresses. (Btw, I know that everything can be forged, but probably my smartphone would not do this.)
2. Do you have an example configuration or strategy for SuSEfirewall?
3. Is SuSEfirewall powerful enough to deal with one network device and multiple VLANs, so that it's worth exchanging the router for a VLAN-capable model? Do you have an example SuSEfirewall setup with VLANs?
Regards, Björn
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
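As an added example (not from Björn's post or from the SuSEfirewall2 project), here is how the three zones could be expressed in the custom rules file he mentions on a single-NIC host: LAN devices are classified by static IP plus MAC, and everything that is not from the LAN is left to SuSEfirewall2's normal external handling. The interface name, addresses, MACs and the DLNA port are constructed placeholders; the hook name fw_custom_before_port_handling, the input_ext chain and FW_CUSTOMRULES are SuSEfirewall2's as I recall them and should be checked against the installed file.

```shell
#!/bin/bash
# Three-zone classification for a single-NIC host, meant for the SuSEfirewall2
# custom hook file /etc/sysconfig/scripts/SuSEfirewall2-custom (enabled via
# FW_CUSTOMRULES in /etc/sysconfig/SuSEfirewall2). Example code, not the
# project's own. All addresses, MACs and ports are constructed placeholders.

LAN_IF="eth0"                  # the single NIC, listed in FW_DEV_EXT
LAN_NET="192.168.1.0/24"       # assumed: a /24, so the prefix is LAN_NET minus ".0/24"
DLNA_PORT="8200"               # assumed: TCP port of the DLNA/media server
TRUSTED_PORTS="22 $DLNA_PORT"  # services only the trusted zone may reach
# trusted zone: IP/MAC pairs; both must match (static DHCP leases assumed)
TRUSTED_HOSTS="192.168.1.10/00:11:22:33:44:55 192.168.1.11/00:11:22:aa:bb:cc"

# zone_of IP MAC -> prints trusted | untrusted | internet
# A LAN IP with the wrong MAC is "untrusted": a device that ended up with a
# trusted address, by mistake or otherwise, gets no extra access.
zone_of() {
    local ip=$1 mac entry
    mac=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case "$ip" in
        "${LAN_NET%.0/24}".*)
            for entry in $TRUSTED_HOSTS; do
                [ "$entry" = "$ip/$mac" ] && { echo trusted; return 0; }
            done
            echo untrusted ;;
        *)  echo internet ;;
    esac
}

# zone_rules -> prints the iptables commands, one per line, so the ruleset
# can be reviewed (or diffed against the previous version) before loading.
# input_ext is SuSEfirewall2's INPUT chain for the external zone; with one
# NIC, LAN and Internet traffic alike arrive there.
zone_rules() {
    local entry ip mac port
    # 1. trusted zone: ACCEPT only when IP and MAC both match. The MAC check
    #    only means something for frames delivered directly on the LAN (a
    #    bridging WiFi AP preserves the phone's MAC); packets forwarded by the
    #    router carry the router's MAC, so Internet traffic never matches.
    for entry in $TRUSTED_HOSTS; do
        ip=${entry%/*}; mac=${entry#*/}
        for port in $TRUSTED_PORTS; do
            echo "iptables -A input_ext -i $LAN_IF -s $ip -m mac --mac-source $mac -p tcp --dport $port -j ACCEPT"
        done
    done
    # 2. untrusted zone: any other LAN device hitting a trusted-only port is
    #    logged and dropped here, regardless of FW_SERVICES_EXT_TCP, so e.g.
    #    a phone cannot enumerate the DLNA shares.
    for port in $TRUSTED_PORTS; do
        echo "iptables -A input_ext -i $LAN_IF -s $LAN_NET -p tcp --dport $port -j LOG --log-prefix SFW2-untrusted-lan:"
        echo "iptables -A input_ext -i $LAN_IF -s $LAN_NET -p tcp --dport $port -j DROP"
    done
    # 3. internet zone: nothing is added; non-LAN sources fall through to
    #    SuSEfirewall2's usual external handling (closed unless opened in
    #    FW_SERVICES_EXT_*), which is where the router's forwarded ports land.
}

# Hook called by SuSEfirewall2 before it opens the FW_SERVICES_EXT_* ports,
# so the zone rules above are evaluated first.
fw_custom_before_port_handling() {
    local rule
    while IFS= read -r rule; do
        $rule || return 1
    done <<EOF
$(zone_rules)
EOF
    return 0
}
```

Run `zone_rules` by hand first to see the generated rules; only the hook function actually calls iptables.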
Le 18/03/2017 à 21:18, Bjoern Voigt a écrit :
I know that I can configure such a network setup in SuSEfirewall using three network cards, each connected to one network. But no, I only use one network card.
Is that simply useful? Packets will go through every computer on the network and may be sniffed in promiscuous mode without SuSEfirewall even knowing it. That is what I guess, but I'm certainly not a network expert :-( jdd
On 2017-03-18 22:19, jdd wrote:
Le 18/03/2017 à 21:18, Bjoern Voigt a écrit :
I know that I can configure such a network setup in SuSEfirewall using three network cards, each connected to one network. But no, I only use one network card.
is that simply useful? packets will go through every computer on the network and may be sniffed in promiscuous mode without susefirewall even knowing it.
Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes. As far as firewall is concerned, my policy is to close all, and open only those needed ports, if possible only from the IPs that need access. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/18/2017 05:38 PM, Carlos E. R. wrote:
Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
VLANs can be used to provide isolation. A managed switch can be used to provide one of the VLANs on an access port. The other VLANs will then not be reachable via that port. You only get multiple VLANs on trunk ports and even then available VLANs can be limited.
James Knott wrote:
A managed switch can be used to provide one of the VLANs on an access port.
Btw, you don't necessarily need a managed switch for VLAN capabilities. Some cheap unmanaged SOHO switches, e.g. from Netgear, also have VLAN capabilities. The reason why they are called "unmanaged" is probably that they do not have real management and monitoring functions; they only have PC configuration software which works if the PC is directly connected to the switch. Also some routers have VLAN capabilities. Unfortunately not all of them provide VLAN functions in their web access, probably because the VLAN configuration might be too difficult for most customers. Greetings, Björn
On 03/19/2017 06:54 AM, Bjoern Voigt wrote:
James Knott wrote:
A managed switch can be used to provide one of the VLANs on an access port.
Btw, you don't necessarily need a managed switch for VLAN capabilities. Some cheap unmanaged SOHO switches, e.g. from Netgear, also have VLAN capabilities. The reason why they are called "unmanaged" is probably that they do not have real management and monitoring functions; they only have PC configuration software which works if the PC is directly connected to the switch.
That's incorrect. Anything beyond basic switch function requires a managed switch, though an unmanaged switch can pass VLAN traffic. I recently bought a cheap managed switch, which includes VLAN support, port mirroring etc. An unmanaged switch is simply not capable of those things. I bought that switch specifically so I could use port mirroring to create a "data tap", where I could monitor traffic between devices.
Also some routers have VLAN capabilities. Unfortunately not all of them provide VLAN functions to their web access, probably because the VLAN configuration might be too difficult for most customers.
Many routers beyond the home/SOHO models support VLANs. In fact, VLAN support is necessary to communicate between VLANs. You simply can't do that without a router or layer 3 switch that supports VLANs. BTW, I'm a Cisco CCNA with several years experience working with routers & switches.
On 2017-03-19 03:19, James Knott wrote:
On 03/18/2017 05:38 PM, Carlos E. R. wrote:
Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
VLANs can be used to provide isolation. A managed switch can be used to provide one of the VLANs on an access port. The other VLANs will then not be reachable via that port. You only get multiple VLANs on trunk ports and even then available VLANs can be limited.
[Paranoid hat on] But that isolation is logical. The switch can say that some cables are one VLAN, some other cables are another, and thus each VLAN is physically isolated. However, at the input to the switch all VLANs travel on the same cable, perhaps to the router, and then anything connected to that router can sniff the traffic. A hacker could hack the router and access both external and private only network, say. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/19/2017 10:27 AM, Carlos E. R. wrote:
On 2017-03-19 03:19, James Knott wrote:
On 03/18/2017 05:38 PM, Carlos E. R. wrote:
Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
VLANs can be used to provide isolation. A managed switch can be used to provide one of the VLANs on an access port. The other VLANs will then not be reachable via that port. You only get multiple VLANs on trunk ports and even then available VLANs can be limited.
[Paranoid hat on]
But that isolation is logical. The switch can say that some cables are one vlan, some other cables are another, and thus each vlan is physically isolated. However, at the input to the switch all vlan travel on the same cable, perhaps to the router, and then anything connected to that router can sniff the traffic. A hacker could hack the router and access both external and private only network, say.
What you are referring to is called a "trunk port", which carries VLANs between switches. It is possible to limit what VLANs are carried on that trunk. An access port only has the VLAN it's configured for. Security is always important, so you limit access to the network, including the router. Routers can be configured to require a password, SSH etc. to make them more difficult to access. Another thing that can be done is to put the management interface on a separate VLAN, with limited access. i.e. don't send that VLAN over trunks where it's not needed.
On 2017-03-19 15:33, James Knott wrote:
On 03/19/2017 10:27 AM, Carlos E. R. wrote:
On 2017-03-19 03:19, James Knott wrote:
On 03/18/2017 05:38 PM, Carlos E. R. wrote:
Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
VLANs can be used to provide isolation. A managed switch can be used to provide one of the VLANs on an access port. The other VLANs will then not be reachable via that port. You only get multiple VLANs on trunk ports and even then available VLANs can be limited.
[Paranoid hat on]
But that isolation is logical. The switch can say that some cables are one vlan, some other cables are another, and thus each vlan is physically isolated. However, at the input to the switch all vlan travel on the same cable, perhaps to the router, and then anything connected to that router can sniff the traffic. A hacker could hack the router and access both external and private only network, say.
What you are referring to is called a "trunk port", which carries VLANs between switches. It is possible to limit what VLANs are carried on that trunk. An access port only has the VLAN it's configured for. Security is always important, so you limit access to the network, including the router. Routers can be configured to require a password, SSH etc. to make them more difficult to access. Another thing that can be done is to put the management interface on a separate VLAN, with limited access. i.e. don't send that VLAN over trunks where it's not needed.
So you see, we are going now to separate cables, as I said initially. The configuration is similar to having two separate switches connected to the same router (for internet), each one handling a different subnet. But instead we do the separation logically using a single switch instead, which is cheaper. Ie, "virtual" LANs. However, the cables connected to the switch carry only one LAN. One VLAN. [Paranoid hat on] Maybe the switch can be hacked by the bad guys. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/19/2017 10:43 AM, Carlos E. R. wrote:
What you are referring to is called a "trunk port", which carries VLANs between switches. It is possible to limit what VLANs are carried on that trunk. An access port only has the VLAN it's configured for. Security is always important, so you limit access to the network, including the router. Routers can be configured to require a password, SSH etc. to make them more difficult to access. Another thing that can be done is to put the management interface on a separate VLAN, with limited access. i.e. don't send that VLAN over trunks where it's not needed.
So you see, we are going now to separate cables, as I said initially. The configuration is similar to having two separate switches connected to the same router (for internet), each one handling a different subnet. But instead we do the separation logically using a single switch instead, which is cheaper. Ie, "virtual" LANs. However, the cables connected to the switch carry only one LAN. One VLAN.
There seems to be some confusion about what a network is and a VLAN is. A VLAN simply appears to be a physically separate network, nothing more. To communicate between VLANs requires a router or layer 3 switch. A separate switch, connected to a bridge port on a router (I assume that's what you're referring to) carrying a different IP address range does not make a VLAN. If you were to plug Wireshark into a switch, you'd still see things like ARP requests from other address ranges. This would not happen with a VLAN.
[Paranoid hat on]
Maybe the switch can be hacked by the bad guys.
As I said, don't make the management interface available beyond where it's needed. A lot of commercial grade gear can be configured to allow management access only via a serial port. Even without that, it's possible to put the management interface on its own VLAN that only appears on one access port. This then pretty much requires physical access to that port.
Carlos E. R. wrote:
Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
As far as firewall is concerned, my policy is to close all, and open only those needed ports, if possible only from the IPs that need access. Yes, but this is not what I wanted to hear. ;-)
I am not searching for a perfect separation for my SOHO network. I am searching for an easy solution which provides better security than the current solution, where SuSEfirewall has only one set of rules for trusted, untrusted and Internet hosts. So for instance an Android app which has hidden spyware capabilities should not query a list of my DLNA shared videos and send it to its master. (DLNA shares usually have no password/PIN.) This spyware is probably not powerful enough to fake the MAC address of the smartphone or to hack the router. Greetings, Björn
On 2017-03-19 11:19, Bjoern Voigt wrote:
Carlos E. R. wrote:
Yes, IMO, if you want separation the firewall is not the tool. You need separate cables. Any machine connected to the cable can listen to things that are not for it if it wishes.
As far as firewall is concerned, my policy is to close all, and open only those needed ports, if possible only from the IPs that need access. Yes, but this is not what I wanted to hear. ;-)
I am not searching for a perfect separation for my SOHO network. I am searching for an easy solution which provides better security than the current solution, where SuSEfirewall has only one set of rules for trusted, untrusted and Internet hosts.
So for instance an Android app which has hidden spyware capabilities should not query a list of my DLNA shared videos and send it to its master. (DLNA shares usually have no password/PIN.) This spyware is probably not powerful enough to fake the MAC address of the smartphone or to hack the router.
Then you need one vlan with the wifi AP that the phone uses, with no access to another vlan that has the machines with your videos. But this also means you can not send files via wifi to your android, or watch videos on the tablet. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/18/2017 05:19 PM, jdd wrote:
Le 18/03/2017 à 21:18, Bjoern Voigt a écrit :
I know that I can configure such a network setup in SuSEfirewall using three network cards, each connected to one network. But no, I only use one network card.
Is that simply useful? Packets will go through every computer on the network and may be sniffed in promiscuous mode without SuSEfirewall even knowing it.
That is what I guess, but I'm certainly not a network expert :-(
jdd
It is possible to have multiple IP addresses on one NIC, by using alias addresses. However, as you say, there's no isolation that would block something like Wireshark. Typically VLANs are used on the LAN side, not the WAN. The only time I've seen VLANs on the WAN side is when one carrier is using another carrier's fibre, to deliver a connection to a customer. In that situation, it's possible to have double VLANs on the fibre.
On 2017-03-19 03:16, James Knott wrote:
It is possible to have multiple IP addresses on one NIC, by using alias addresses. However, as you say, there's no isolation that would block something like Wireshark. Typically VLANs are used on the LAN side, not the WAN. The only time I've seen VLANs on the WAN side is when one carrier is using another carrier's fibre, to deliver a connection to a customer. In that situation, it's possible to have double VLANs on the fibre.
My ISP uses a configuration I don't understand yet, not documented. I get the typical 192* for home, but there is also a 10* network that it is using for the VoIp transparent phone, and I think it is external. Ie, the thing accesses 10.* hosts on the outside. And there is another vlan for the TV, I don't remember on which range. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/19/2017 10:38 AM, Carlos E. R. wrote:
On 2017-03-19 03:16, James Knott wrote:
It is possible to have multiple IP addresses on one NIC, by using alias addresses. However, as you say, there's no isolation that would block something like Wireshark. Typically VLANs are used on the LAN side, not the WAN. The only time I've seen VLANs on the WAN side is when one carrier is using another carrier's fibre, to deliver a connection to a customer. In that situation, it's possible to have double VLANs on the fibre.
My ISP uses a configuration I don't understand yet, not documented. I get the typical 192* for home, but there is also a 10* network that it is using for the VoIp transparent phone, and I think it is external. Ie, the thing accesses 10.* hosts on the outside. And there is another vlan for the TV, I don't remember on which range.
While I have worked in many areas of the telecom industry, I have never worked on the cable TV network. However, it's common to provide multiple address ranges over the cable, without using VLANs. When I use Wireshark to see what's coming through my cable modem, I can see several different IP address blocks. I haven't seen any indication of VLANs, though it's possible that would be blocked by the modem.
On 2017-03-19 15:45, James Knott wrote:
On 03/19/2017 10:38 AM, Carlos E. R. wrote:
On 2017-03-19 03:16, James Knott wrote:
It is possible to have multiple IP addresses on one NIC, by using alias addresses. However, as you say, there's no isolation that would block something like Wireshark. Typically VLANs are used on the LAN side, not the WAN. The only time I've seen VLANs on the WAN side is when one carrier is using another carrier's fibre, to deliver a connection to a customer. In that situation, it's possible to have double VLANs on the fibre.
My ISP uses a configuration I don't understand yet, not documented. I get the typical 192* for home, but there is also a 10* network that it is using for the VoIp transparent phone, and I think it is external. Ie, the thing accesses 10.* hosts on the outside. And there is another vlan for the TV, I don't remember on which range.
While I have worked in many areas of the telecom industry, I have never worked on the cable TV network. However, it's common to provide multiple address ranges over the cable, without using VLANs. When I use Wireshark to see what's coming through my cable modem, I can see several different IP address blocks. I haven't seen any indication of VLANs, though it's possible that would be blocked by the modem.
Makes sense. However, I have the suspicion that the router is using VLANs for that, or that it is configured in the VLAN section. You gave me an idea, perhaps I can plug into the modem (it is not called that, it has a peculiar name, what is it... ah, ONT (Optical Network Terminal); it is fibre, not coax) and listen. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/19/2017 10:57 AM, Carlos E. R. wrote:
Makes sense. However, I have the suspicion that the router is using vlans for that, or that it is configured in the vlan section.
You gave me an idea, perhaps I can plug into the modem (it is not called that, it has a peculiar name, what is it... ah, ONT (Optical Network Terminal); it is fibre, not coax) and listen.
It doesn't make any difference what it's called. It just converts from the transmission medium, fibre in your case, and probably provides management and diagnostic functions, along with VLAN & MPLS support. I have worked with boxes like that, but they were just called "media converters". -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
Le 19/03/2017 à 15:57, Carlos E. R. a écrit :
You gave me an idea, perhaps I can plug into the modem (it is not called that, it has a peculiar name, what is it... ah, ONT (Optical Network Terminal); it is fibre, not coax) and listen.
My ONT seems to be only a fiber to ethernet converter (one in one out); I have a second real modem on my side in addition. jdd
On 03/19/2017 01:59 PM, jdd wrote:
Le 19/03/2017 à 15:57, Carlos E. R. a écrit :
You gave me an idea, perhaps I can plug into the modem (it is not called that, it has a peculiar name, what is it... ah, ONT (Optical Network Terminal); it is fibre, not coax) and listen.
My ONT seems to be only a fiber to ethernet converter (one in one out); I have a second real modem on my side in addition.
What is the modem used for, when you already have Ethernet from that ONT?
Le 19/03/2017 à 19:06, James Knott a écrit :
On 03/19/2017 01:59 PM, jdd wrote:
Le 19/03/2017 à 15:57, Carlos E. R. a écrit :
You gave me an idea, perhaps I can plug into the modem (it is not called that, it has a peculiar name, what is it... ah, ONT (Optical Network Terminal); it is fibre, not coax) and listen.
My ONT seems to be only a fiber to ethernet converter (one in one out); I have a second real modem on my side in addition.
What is the modem used for, when you already have Ethernet from that ONT?
The ONT does not route at all. jdd
On 03/19/2017 02:15 PM, jdd wrote:
Le 19/03/2017 à 19:06, James Knott a écrit :
On 03/19/2017 01:59 PM, jdd wrote:
Le 19/03/2017 à 15:57, Carlos E. R. a écrit :
You gave me an idea, perhaps I can plug into the modem (it is not called that, it has a peculiar name, what is it... ah, ONT (Optical Network Terminal); it is fibre, not coax) and listen.
My ONT seems to be only a fiber to ethernet converter (one in one out); I have a second real modem on my side in addition.
What is the modem used for, when you already have Ethernet from that ONT?
The ONT does not route at all.
So then, you have a router, not a modem. I have a cable modem. It can be used in either router or bridge mode. Mine is in bridge mode, with a separate computer running pfSense for a router. You might also be able to connect a single computer to that ONT and have it connect to the Internet. As I mentioned, I have a lot of experience in telecom, where routers are usually separate, except for small businesses. What the carrier delivers is IP/Ethernet over fibre, xDSL, T1 & CSU, short haul microwave, etc. A separate router is used and provided by either the carrier or customer.
On 2017-03-19 19:22, James Knott wrote:
On 03/19/2017 02:15 PM, jdd wrote:
Le 19/03/2017 à 19:06, James Knott a écrit :
On 03/19/2017 01:59 PM, jdd wrote:
Le 19/03/2017 à 15:57, Carlos E. R. a écrit :
You gave me an idea, perhaps I can plug into the modem (it is not called that, it has a peculiar name, what is it... ah, ONT (Optical Network Terminal); it is fibre, not coax) and listen.
My ONT seems to be only a fiber to ethernet converter (one in one out); I have a second real modem on my side in addition.
What is the modem used for, when you already have Ethernet from that ONT?
The ONT does not route at all.
So then, you have a router, not a modem. I have a cable modem. It can be used in either router or bridge mode. Mine is in bridge mode, with a separate computer running pfSense for a router. You might also be able to connect a single computer to that ONT and have it connect to the Internet.
As I mentioned, I have a lot of experience in telecom, where routers are usually separate, except for small businesses. What the carrier delivers is IP/Ethernet over fibre, xDSL, T1 & CSU, short haul microwave, etc. A separate router is used and provided by either the carrier or customer.
I have an ONT, which converts from fibre to ethernet, with I think four sockets. Only one is connected to the router input port. The ONT also has one rj45 analogue telephone socket, where the house phone is connected. I'm not there, so I can't look up the model. So the ONT also does VoIp to POTS translation, on a 10.* network that I think goes outside, on my ISP. The router also has one RJ45 socket, unused and maybe disabled. It is possible I could connect a cable to the ONT directly and listen. There is a third box, connected to the router, that does the TV out conversion. It has an infrared receiver decoder for the remote. Plus a UPS that I had to add myself, and the telephone wireless station. Apparently my ISP started deploying a year later a single box that replaces all three boxes. It is a nightmare of cables behind the TV. I can request it, but they charge extra, so it is not going to happen. It also means "forget third party router", if it is ever available. And sometimes I have to reboot all three apparatuses. Power off/on. It is also funny that the ISP insists on giving one 300Mbps symmetrical bw, but then the technician only sets up WiFi, which is incapable of handling that. They don't install the LAN cables. It took me some months to do that on my own time and effort, with a temporary cable hanging from the lamps in the ceiling going to the computer room upstairs. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/20/2017 09:22 AM, Carlos E. R. wrote:
It is also funny that the ISP insists on giving one 300Mbps symmetrical bw, but then the technician only sets up WiFi, which is incapable of handling that. They don't install the LAN cables. It took me some months to do that on my own time and effort, with a temporary cable hanging from the lamps in the ceiling going to the computer room upstairs.
Your LAN connections are always your responsibility. In my work, I provide a "demarc point", which is where the carrier's network meets the customer's. The carrier or ISP is responsible up to that demarcation point and the customer beyond. In some instances, there are 2 demarc points, when the carrier is relying on another carrier to deliver the circuit. In that case both companies have demarcs, the first between carriers and the 2nd between the carrier or ISP and customer. In this situation you may see double VLAN tagging.
On 2017-03-20 14:29, James Knott wrote:
On 03/20/2017 09:22 AM, Carlos E. R. wrote:
It is also funny that the ISP insists on giving one 300Mbps symmetrical bw, but then the technician only sets up WiFi, which is incapable of handling that. They don't install the LAN cables. It took me some months to do that on my own time and effort, with a temporary cable hanging from the lamps in the ceiling going to the computer room upstairs.
Your LAN connections are always your responsibility.
That is absurd when doing service to home customers that have no idea. But my point was rather on the absurdity of saying "we give you 300 Mbps" and then only installing WiFi. They install 300 and charge for it, when 50 would suffice. In fact, when you ask they tell you that of course, the installer has to install the LAN for you if you ask. They have to install the router in the place you tell them, and carry the cable from the ONT to the router several rooms away (not the cables from router to computers). But the installers deny this. Instead they place the router behind the TV, where it is useless. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/20/2017 09:40 AM, Carlos E. R. wrote:
On 2017-03-20 14:29, James Knott wrote:
On 03/20/2017 09:22 AM, Carlos E. R. wrote:
It is also funny that the ISP insists on giving one 300Mbps symmetrical bw, but then the technician only sets up WiFi, which is incapable of handling that. They don't install the LAN cables. It took me some months to do that on my own time and effort, with a temporary cable hanging from the lamps in the ceiling going to the computer room upstairs.
Your LAN connections are always your responsibility.
That is absurd when doing service to home customers that have no idea. But my point was rather on the absurdity of saying "we give you 300 Mbps" and then only installing WiFi. They install 300 and charge for it, when 50 would suffice.
In fact, when you ask they tell you that of course, the installer has to install the LAN for you if you ask. They have to install the router in the place you tell them, and carry the cable from the ONT to the router several rooms away (not the cables from router to computers). But the installers deny this.
Instead they place the router behind the TV, where it is useless.
They install a working connection that's capable of providing up to the specified bandwidth. That's the end of their responsibility. Some companies may go beyond that, at extra cost. As for WiFi not being able to support it, that's not entirely true. 802.11ac certainly is. Regardless, you still have the option of using wired connections. As for where they installed the modem, there may be something there. In my condo, the TV cable appears in 2 locations, on opposite sides of the wall between my living room and master bedroom. When I got the cable modem, I wanted it in the 2nd bedroom "office" where my desk is. They ran the cable in, the entire length of my condo, running it through walls, above ceilings and finally into the closet, near where I wanted the modem. The only place where the cable is visible is where it crosses my laundry room ceiling. When done, they then put red tags on the cables going to the modem, as it was a data connection. All in all, an excellent job and at no cost to me. Regardless, anything beyond the modem is my responsibility. On the other hand, another company, when they ran a cable in my sister's home, stapled the big black coax right up the middle of the living room wall. I wouldn't have allowed that in my home. So, if you can't run your network cables, hire someone who can and make sure you know what's going to happen before they start. As far as the carrier being responsible for your network, I can tell you from many years' experience that customers are all too quick to place blame on others for their own problems. Having the carrier/ISP responsible for the customer's network would make that situation even worse.
Carlos E. R. wrote:
On 2017-03-20 14:29, James Knott wrote:
On 03/20/2017 09:22 AM, Carlos E. R. wrote:
It is also funny that the ISP insists on giving one 300Mbps symmetrical bw, but then the technician only sets up WiFi, which is incapable of handling that. They don't install the LAN cables. It took me some months to do that on my own time and effort, with a temporary cable hanging from the lamps in the ceiling going to the computer room upstairs.
Your LAN connections are always your responsibility.
That is absurd when doing service to home customers that have no idea.
Then those customers can call an electrician - same situation here, the telco does the installation up to a point, the rest is up to the customer.
-- Per Jessen, Zürich (15.8°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 03/20/2017 11:38 AM, Per Jessen wrote:
That is absurd when doing service to home customers that have no idea.
Then those customers can call an electrician - same situation here, the telco does the installation up to a point, the rest is up to the customer.
An electrician is not always the best bet, unless you get one who knows how to work with Ethernet cables. At one customer's site, the cables were stapled right into the corner, with 90° bends! However, there are plenty of companies and individuals who specialize in running network cables.
James Knott wrote:
On 03/20/2017 11:38 AM, Per Jessen wrote:
That is absurd when doing service to home customers that have no idea.
Then those customers can call an electrician - same situation here, the telco does the installation up to a point, the rest is up to the customer.
An electrician is not always the best bet, unless you get one who knows how to work with Ethernet cables.
Ours generally do - if a firm doesn't have someone trained in network and telephone installation, they'll refer you to someone else.
-- Per Jessen, Zürich (15.4°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 2017-03-20 17:45, Per Jessen wrote:
James Knott wrote:
On 03/20/2017 11:38 AM, Per Jessen wrote:
That is absurd when doing service to home customers that have no idea.
Then those customers can call an electrician - same situation here, the telco does the installation up to a point, the rest is up to the customer.
An electrician is not always the best bet, unless you get one who knows how to work with Ethernet cables.
Ours generally do - if a firm doesn't have someone trained in network and telephone installation, they'll refer you to someone else.
I have a training course (>200 hours) on network installation, and nobody told us not to crimp at right angles. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On March 20, 2017 12:37:53 PM MST, "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 2017-03-20 17:45, Per Jessen wrote:
James Knott wrote:
On 03/20/2017 11:38 AM, Per Jessen wrote:
That is absurd when doing service to home customers that have no idea.
Then those customers can call an electrician - same situation here, the telco does the installation up to a point, the rest is up to the customer.
An electrician is not always the best bet, unless you get one who knows how to work with Ethernet cables.
Ours generally do - if a firm doesn't have someone trained in network and telephone installation, they'll refer you to someone else.
I have a training course (>200 hours) on network installation, and nobody told us not to crimp at right angles.
Well, with cat5 or cat5e you will find varying recommendations online. Most are overly conservative, aimed at preventing an internal wire break of the solid copper wires inside. Stranded wires virtually never break, but solid ones do occasionally. I had several highly trained professional installers on my staff in the past. None of them worried about the occasional 90 degree bend, but they avoided multiple such bends as you might encounter following a wall with many recessed areas. That many 90 degree bends could end up stretching one or more strands that just happened to be on the long side of consecutive bends. Short runs? It doesn't matter.
-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 03/20/2017 01:07 PM, James Knott wrote:
On 03/20/2017 03:53 PM, John Andersen wrote:
Short runs? It doesn't matter.
On the job I mentioned, it did matter. The cable was useless.
Because they broke internal wires, probably using the staple gun to push it into the corner. Had they done that by hand it would not have been a problem. Their post-installation test with a cable tester would have found that issue in 10 seconds. Bending was actually a problem in coax because it was radio waves traveling down the cable, and signal strength would diminish after the bends. Cat5 is simply digital on/off signals (voltage), and it is not hampered by bends.
-- After all is said and done, more is said than done.
On 03/20/2017 04:37 PM, John Andersen wrote:
Bending was actually a problem in coax because it was radio waves traveling down the cable, and signal strength would diminish after the bends.
Cat5 is simply digital on/off signals (voltage), and it is not hampered by bends.
You may want to look up what constitutes a square wave. It's an infinite series of harmonics. Gigabit Ethernet runs at about 135 MHz fundamental frequency and, last I heard, that's RF. When a cable is deformed, either coax or twisted pair, an impedance bump is created that will affect the signal. Also, should you look up what's actually on the wire, you'll find gigabit Ethernet uses 5 level pulse amplitude modulation and Trellis encoding, so it's not simply on/off signals. Never has been, even with 10 Mb. Ethernet.
On 03/20/2017 05:01 PM, James Knott wrote:
Never has been, even with 10 Mb. Ethernet.
Here's some info on Ethernet signalling: https://en.wikipedia.org/wiki/Gigabit_Ethernet
On 03/20/2017 02:01 PM, James Knott wrote:
When a cable is deformed, either coax or twisted pair, an impedance bump is created that will affect the signal.
All taken into account when the protocol was designed. Otherwise all cat5e cables would be straight and rigid. There's no use wringing your hands about this because cables will never stay straight or pristine. If you sincerely believe this will cause signal degradation, I suggest you get out your scope and try to measure it. Mountain. Mole hill.
-- After all is said and done, more is said than done.
On Mon, Mar 20, 2017 at 5:38 PM, John Andersen <jsamyth@gmail.com> wrote:
On 03/20/2017 02:01 PM, James Knott wrote:
When a cable is deformed, either coax or twisted pair, an impedance bump is created that will affect the signal.
All taken into account when the protocol was designed. Otherwise all cat5e cables would be straight and ridged.
There's no use wringing your hands about this because cables will never stay straight or pristine. If you sincerely believe this will cause signal degradation, i sugges you get out your scope and try to measure it.
Mountain. Mole Hill.
With fiber-optic cables there is a minimum radius of curvature. That was interesting to find out. The reason is light reflects off the side of the cable as it propagates down the fiber. If the bend is too great, the light going down the fiber won't reflect, but instead will go through the side. That I've heard of and it's a real issue because it is easy to bend the fiber too tight. But for cat5, I'm not aware of any minimum bend radius issues that need to be consciously thought about when you install it.
Greg
On 21/03/2017 at 02:29, Greg Freemyer wrote:
With fiber-optic cables there is a minimum radius of curvature. That was interesting to find out.
Radius probably around two inches. I was just connected by fiber some days ago and was here during the operation; the worker wrapped the excess fiber on a plate around that radius (in the street connector).
jdd
On 2017-03-21 12:03, jdd wrote:
On 21/03/2017 at 02:29, Greg Freemyer wrote:
With fiber-optic cables there is a minimum radius of curvature. That was interesting to find out.
radius probably around two inches. I was just connected by fiber some days ago and was here during the operation, the worker wrapped the excess fiber on a plate around that radius (in the street connector)
The fibre on the street has even more strict requisites. It is very probably glass, not plastic, for long distance. The one inside the house is more flexible. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/21/2017 10:48 AM, Carlos E. R. wrote:
Radius probably around two inches. I was just connected by fiber some days ago and was here during the operation; the worker wrapped the excess fiber on a plate around that radius (in the street connector).
The fibre on the street has even more strict requisites. It is very probably glass, not plastic, for long distance. The one inside the house is more flexible.
I have worked with both single mode and multi mode fibre. The fibre is the same in the street as in the patch cords, as they must be the same diameter. On the other hand, the outside cable has a much tougher sheath, for physical strength, as well as more fibres in the bundle, which also makes it stiffer.
On 2017-03-21 15:58, James Knott wrote:
On 03/21/2017 10:48 AM, Carlos E. R. wrote:
Radius probably around two inches. I was just connected by fiber some days ago and was here during the operation; the worker wrapped the excess fiber on a plate around that radius (in the street connector).
The fibre on the street has even more strict requisites. It is very probably glass, not plastic, for long distance. The one inside the house is more flexible.
I have worked with both single mode and multi mode fibre. The fibre is the same in the street as in the patch cords, as they must be the same diameter. On the other hand, the outside cable has a much tougher sheath, for physical strength, as well as more fibres in the bundle, which also makes it stiffer.
I don't have the training to handle fibre. But I know that the people that installed mine at home had to use some type of microscope to connect the external fibre, whereas the internal one they just plugged in. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/21/2017 11:05 AM, Carlos E. R. wrote:
I don't have the training to handle fibre. But I know that that the people that installed mine at home, had to use some type of microscope to connect the external fibre, whereas the internal one they just plugged it.
It sounds like they spliced it. That's done with a laser. Installing connectors can be tricky too, which is why, at the company I used to work for, "pigtails" with a connector were spliced onto the fibre.
On 21/03/2017 at 15:48, Carlos E. R. wrote:
The fibre on the street has even more strict requisites. It is very probably glass, not plastic, for long distance. The one inside the house is more flexible.
Yes, for sure. But for the plastic, I worked with it some years ago and it was not possible to bend it more than that without breaking it. I have in hand a small fiberglass (glass?) link for HiFi purposes; one can't bend it to less than a 1 inch radius.
jdd
On 03/20/2017 05:38 PM, John Andersen wrote:
All taken into account when the protocol was designed.
It has nothing to do with the protocol and everything to do with the laws of physics. An impedance bump will cause reflections, possibly resonant sections and more. This is all covered in transmission line theory. An Ethernet cable is definitely a transmission line. Take a look at transmission line theory, particularly about 1/4 wave sections, which invert the impedance of a point a quarter wavelength away. If there's a short, it appears as an open circuit. If an open circuit, it appears as a short. This will affect, to varying degrees, the impedance at the point the impedance bump occurs. This bump could be caused by a lot of factors, including crushing the cables so that the conductors are closer than they should be or perhaps a metal staple. The entire system is designed to maintain an impedance of about 100 ohms. Significant deviations will interfere with the signal.
On 2017-03-20 21:37, John Andersen wrote:
Bending was actually a problem in coax because it was radio waves traveling down the cable, and signal strength would diminish after the bends.
Cat5 is simply digital on/off signals (voltage), and it is not hampered by bends.
No, in both cases it is radio waves. Only that in the second case, it is over 4 cables, so the fundamental frequency can be lower. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/20/2017 03:37 PM, Carlos E. R. wrote:
I have a training course (>200 hours) on network installation, and nobody told us not to crimp at right angles.
From http://www.lanshack.com/cat5e-tutorial.aspx "Make only gradual bends in the cable where necessary to maintain the minimum bend radius of 4 times the cable diameter or approximately 1" radius (about the roundness of a half-dollar)."
If you bend the cable too much, you run the risk of deforming the insulation.
On 2017-03-20 21:06, James Knott wrote:
On 03/20/2017 03:37 PM, Carlos E. R. wrote:
I have a training course (>200 hours) on network installation, and nobody told us not to crimp at right angles.
From http://www.lanshack.com/cat5e-tutorial.aspx "Make only gradual bends in the cable where necessary to maintain the minimum bend radius of 4 times the cable diameter or approximately 1" radius (about the roundness of a half-dollar)."
If you bend the cable too much, you run the risk of deforming the insulation.
Basically, you change the parameters by which the cable has been calculated to be able to transmit the data properly. Yes, I'm aware of the issues, perhaps more than the teacher at my course. I'm just commenting that even "trained people" may not know about these things. -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
jdd wrote:
Is that simply useful? Packets will go through every computer on the network and may be sniffed in promiscuous mode without susefirewall even knowing it.
At least my router does not allow to sniff packets from other devices connected to the router. So I am safe here.
Greetings, Björn
On 19/03/2017 at 11:10, Bjoern Voigt wrote:
At least my router does not allow to sniff packets from other devices connected to the router. So I am safe here.
All on the same network? Separating devices connected through wifi? Does the wifi act like a switch or a hub? I don't know.
jdd
jdd wrote:
On 19/03/2017 at 11:10, Bjoern Voigt wrote:
At least my router does not allow to sniff packets from other devices connected to the router. So I am safe here.
all on the same network? separating device connected through wifi?
Does the wifi act like a switch or a hub? I don't know.
Yes. 3 devices are on cable, some more devices on wifi. But this is unimportant since the router connects all devices over an internal switch. Does anyone still use hubs?
The only exception is a possible guest wifi of the Fritzbox router. Devices connected to the guest wifi have Internet access, but absolutely no access to the local network and no access to other guest devices. So, for instance, if you connect the smartphone to the guest wifi, the smartphone will have Internet access, but the smartphone can not download a song from your Samba server. Also if TV and smartphone are on the guest network, the smartphone can not be a remote control of the TV.
Greetings, Björn
On 19/03/2017 at 11:42, Bjoern Voigt wrote:
jdd wrote:
Does the wifi act like a switch or a hub? I don't know.
Yes. 3 devices are on cable, some more devices on wifi. But this is unimportant since the router connects all devices over an internal switch.
I doubt it. Do you have as many channels as devices? I'm not even sure of the way a simple switch works (I don't speak of managed ones), about privacy. Well, others may give a better answer.
jdd
On 03/19/2017 06:52 AM, jdd wrote:
On 19/03/2017 at 11:42, Bjoern Voigt wrote:
jdd wrote:
Does the wifi act like a switch or a hub? I don't know.
Yes. 3 devices are on cable, some more devices on wifi. But this is unimportant since the router connects all devices over an internal switch.
I doubt it. Do you have as many channels as devices?
I'm not even sure of the way simple switch works (I don't speak of managed ones), about privacy.
well other may give a better answer
A switch simply connects all devices together, with absolutely no security. The closest an unmanaged switch has to security is it normally only forwards frames to the destination device, though there are exceptions.
On 2017-03-19 11:42, Bjoern Voigt wrote:
jdd wrote:
On 19/03/2017 at 11:10, Bjoern Voigt wrote:
At least my router does not allow to sniff packets from other devices connected to the router. So I am safe here.
all on the same network? separating device connected through wifi?
Does the wifi act like a switch or a hub? I don't know.
Yes. 3 devices are on cable, some more devices on wifi. But this is unimportant since the router connects all devices over an internal switch.
Does anyone still use hubs?
Not intentionally. But sometimes I have suspicions.
The only exception is a possible guest wifi of the Fritzbox router. Devices connected to the guest wifi have Internet access, but absolutely no access to the local network and no access to other guest devices. So, for instance, if you connect the smartphone to the guest wifi, the smartphone will have Internet access, but the smartphone can not download a song from your Samba server.
My new WiFi access point has several SSIDs, but they are all on the same LAN :-( -- Cheers / Saludos, Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
On 03/19/2017 10:47 AM, Carlos E. R. wrote:
Not intentionally. But sometimes I have suspicions.
At one time it was commonplace to use them to allow monitoring traffic. However, these days, with gigabit LANs, they'd cause a real performance hit. That's why I bought a cheap managed switch to use as a data tap. It's good for gigabit networks.
On 03/19/2017 06:10 AM, Bjoern Voigt wrote:
jdd wrote:
Is that simply useful? Packets will go through every computer on the network and may be sniffed in promiscuous mode without susefirewall even knowing it.
At least my router does not allow to sniff packets from other devices connected to the router. So I am safe here.
Unless those devices are on separate interfaces, the router does no such thing.
On 03/18/2017 04:18 PM, Bjoern Voigt wrote:
I am using SuSEfirewall for many years without problems and I am not very interested in switching to a more flexible solution (direct iptables usage, Firewall Builder ...).
But I search a good strategy for configuring SuSEfirewall, so that I can divide the network into three or more zones:
* "trusted zone": trusted network devices in my network, e.g. Linux PCs under my control
* "untrusted zone": network devices in my network, which are somewhat unreliable, e.g. smartphones without recent updates, TV set-top boxes, Smart TV devices, future IoT devices ...
* "internet zone": connections from the internet (some ports are forwarded in my router)
I know, that I can configure such a network setup in SuSEfirewall using three networks cards, each connected with one network. But no, I only use one network card.
So I can not classify the networks using the network cards, which is the standard in SuSEfirewall.
Probably a good starting point is the custom rules file for SuSEfirewall: /etc/sysconfig/scripts/SuSEfirewall2-custom
My questions:
1. How can I classify my network devices best? Hardware/MAC addresses are my favorite. VLAN is currently unavailable, because my router does not support VLANs. Static IP addresses (maybe configured with static DHCP assignments in my router) are an alternative to hardware/MAC addresses. (Btw, I know, that everything can be forged, but probably my smartphone would not do this.)
2. Do you have an example configuration or strategy for SuSEfirewall?
3. Is SuSEfirewall powerful enough to deal with one network device and multiple VLANs, so that it's worth to exchange the router to a model which is VLAN capable? Do you have an example SuSEfirewall with VLANs setup?
Regards, Björn
Why are you worried that your router doesn't support VLANs? You don't send VLANs out to the Internet. Also, a Linux firewall already makes a decent router. I used openSUSE as my firewall/router for several years, until I had to switch to pfSense, because openSUSE didn't support DHCP6-PD.
On Sat, 18 Mar 2017, Bjoern Voigt wrote:
I am using SuSEfirewall for many years without problems and I am not very interested in switching to a more flexible solution (direct iptables usage, Firewall Builder ...).
...
Probably a good starting point is the custom rules file for SuSEfirewall: /etc/sysconfig/scripts/SuSEfirewall2-custom
1. Health and Safety Warning. File /etc/sysconfig/scripts/SuSEfirewall2-custom says
# THERE IS NO HELP FOR USING HOOKS EXCEPT THIS FILE !
The hooks work well, but you are on your own if things go wrong.
2. Using these hooks means direct iptables/ipsets usage. As you say, you are not interested.
I would recommend multiple physical networks.
Roger
Bjoern Voigt wrote:
I am using SuSEfirewall for many years without problems and I am not very interested in switching to a more flexible solution (direct iptables usage, Firewall Builder ...).
But I search a good strategy for configuring SuSEfirewall, so that I can divide the network into three or more zones:
* "trusted zone": trusted network devices in my network, e.g. Linux PCs under my control
* "untrusted zone": network devices in my network, which are somewhat unreliable, e.g. smartphones without recent updates, TV set-top boxes, Smart TV devices, future IoT devices ...
* "internet zone": connections from the internet (some ports are forwarded in my router)
I know, that I can configure such a network setup in SuSEfirewall using three networks cards, each connected with one network. But no, I only use one network card.
So I can not classify the networks using the network cards, which is the standard in SuSEfirewall.
Probably a good starting point is the custom rules file for SuSEfirewall: /etc/sysconfig/scripts/SuSEfirewall2-custom
Here is my setup. I started with my smartphone from the "untrusted" devices. I have allowed several server ports on my PC, so that I can for instance use the CUPS printer server from another "trusted" PC. But if I do not fully trust my smartphone and if my smartphone does not need to access for instance CUPS on my PC, I can simply block it.
Because it's easier to fake the IP address than the hardware (MAC) address on my smartphone, I used the MAC address to identify my smartphone in iptables rules. I know, this is not perfect, but I am unwilling to build a difficult setup with routers, VLANs, several Wifis etc.
I have done this with SuSEfirewall. First I allowed several ports in SuSEfirewall with YaST, e.g. SSH, SMTP, IMAP, CUPS, Apache etc. Now I block some of them for my smartphone. I don't block all ports, because I want to use Samba and MythTV from my smartphone.
At first I have to activate the custom rules in /etc/sysconfig/SuSEfirewall2:
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
In the custom rules file /etc/sysconfig/scripts/SuSEfirewall2-custom I extend the function fw_custom_before_port_handling.

fw_custom_before_port_handling() {
    # these rules will be loaded after the anti-spoofing and icmp handling
    # and after the input has been redirected to the input_XXX and
    # forward_XXX chains and some basic chain-specific anti-circumvention
    # rules have been set,
    # but before any IP protocol or TCP/UDP port allow/protection rules
    # will be set.
    # You can use this hook to allow/deny certain IP protocols or TCP/UDP
    # ports before the SuSEfirewall2 generated rules are hit.

    # the MAC address of my smartphone
    # see Settings -> About Phone -> Status
    mysmartphone="12:34:56:78:9a:bc"
    for target in LOG DROP; do
        for chain in input_ext forward_ext; do
            # block unneeded ports for my smartphone
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 22    # SSH
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 25    # SMTP
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 143   # IMAP
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 631   # CUPS
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 3306  # MySQL
            iptables -A $chain -m mac --mac-source $mysmartphone -j $target -p tcp --dport 6000  # Xorg
        done
    done
    true
}

This is all. In "dmesg" I can see the log messages for the blocked access tries from my smartphone.
Greetings, Björn
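As an added example (not Björn's posted hook, nor SuSEfirewall2's own code), the same idea generalised to a small MAC-to-zone table, so every device marked "untrusted" gets the log-then-drop rules for the same port list, while "trusted" devices are left to SuSEfirewall2's normal rules. The MAC addresses, zone names, table format and the dry-run helper are constructed for this example.

```shell
#!/bin/sh
# Added example: SuSEfirewall2-custom hook driven by a MAC -> zone table.
# MAC addresses below are constructed, not real devices.

# Command used to install rules. The real hook leaves this as "iptables";
# the dry-run helper below only prints each rule instead of installing it.
IPTABLES="${IPTABLES:-iptables}"

dry_run_iptables() {
    # Print the rule that would have been installed, one per line.
    printf '%s\n' "$*"
}

# Constructed device table: "<MAC> <zone>", anything after # is a comment.
DEVICES="
12:34:56:78:9a:bc untrusted   # smartphone
de:ad:be:ef:00:01 untrusted   # smart TV
00:11:22:33:44:55 trusted     # Linux PC under my control
"

# TCP ports on this host that untrusted devices must not reach
# (the same set as the post: SSH, SMTP, IMAP, CUPS, MySQL, Xorg).
UNTRUSTED_BLOCKED="22 25 143 631 3306 6000"

# SuSEfirewall2 chains that see traffic arriving on the external zone.
CHAINS="input_ext forward_ext"

# Log and then drop the given TCP ports for one source MAC in one chain.
block_mac_ports() { # $1 = chain, $2 = MAC, $3 = space-separated ports
    bchain=$1; bmac=$2; bports=$3
    for port in $bports; do
        # LOG first so the attempt shows up in dmesg with a searchable
        # prefix, then DROP it. MAC matching is only a convenience check;
        # a device that changes its MAC is not held back by these rules.
        "$IPTABLES" -A "$bchain" -m mac --mac-source "$bmac" \
            -p tcp --dport "$port" -j LOG --log-prefix "untrusted-blocked: "
        "$IPTABLES" -A "$bchain" -m mac --mac-source "$bmac" \
            -p tcp --dport "$port" -j DROP
    done
}

fw_custom_before_port_handling() {
    # Walk the device table. The here-document keeps the loop in the
    # current shell, so "return 1" on a bad entry reaches the caller.
    while read -r mac zone _comment; do
        case $mac in ''|'#'*) continue ;; esac   # skip blank/comment lines
        case $zone in
            untrusted)
                for chain in $CHAINS; do
                    block_mac_ports "$chain" "$mac" "$UNTRUSTED_BLOCKED"
                done ;;
            trusted)
                ;;   # no extra rules: SuSEfirewall2's own port rules apply
            *)
                echo "SuSEfirewall2-custom: unknown zone '$zone' for $mac" >&2
                return 1 ;;
        esac
    done <<EOF
$DEVICES
EOF
    true
}
```

Setting IPTABLES=dry_run_iptables before calling fw_custom_before_port_handling prints the 48 rules the two untrusted devices would get (2 chains x 6 ports x LOG+DROP each) without touching the running firewall.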