[opensuse] How do I allow LAN through SUSE firewall?
Hi,

I have a mixture of openSUSE 13.1 and 13.2 machines on my LAN, behind a NAT router. One machine is running a web2py http server. The only way I can get the other machines to connect to this server is to disable the firewalls on all the machines.

Is there a simple setting to allow LAN traffic (192.168.1.0/24) through the firewalls, while still offering each machine protection from the WAN?

Bob

--
Bob Williams
System: Linux 3.16.7-7-desktop
Distro: openSUSE 13.2 (x86_64) with KDE Development Platform: 4.14.3
Uptime: 06:00am up 7:55, 3 users, load average: 0.16, 0.05, 0.06

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 05/10/2015 04:23 AM, Bob Williams wrote:
> I have a mixture of openSUSE 13.1 and 13.2 machines on my LAN, behind a NAT router. One machine is running a web2py http server. The only way I can get the other machines to connect to this server is to disable the firewalls on all the machines. Is there a simple setting to allow LAN traffic (192.168.1.0/24) through the firewalls, while still offering each machine protection from the WAN?

Normally, you just have to allow http to the server. That should be easy enough to do. What firewall are you running?
On 10/05/15 12:56, James Knott wrote:
> On 05/10/2015 04:23 AM, Bob Williams wrote:
>> I have a mixture of openSUSE 13.1 and 13.2 machines on my LAN, behind a NAT router. One machine is running a web2py http server. The only way I can get the other machines to connect to this server is to disable the firewalls on all the machines. Is there a simple setting to allow LAN traffic (192.168.1.0/24) through the firewalls, while still offering each machine protection from the WAN?
> Normally, you just have to allow http to the server. That should be easy enough to do. What firewall are you running?

The firewall is the SuSE one, which has a YaST setup module. The server is not a LAMP server, it is just web2py. I access the page in my browser by going to http://192.168.1.12:8001/, which is this machine.
On 05/10/2015 10:11 AM, Bob Williams wrote:
> The firewall is the SuSE one, which has a YaST setup module. The server is not a LAMP server, it is just web2py. I access the page in my browser by going to http://192.168.1.12:8001/, which is this machine.

That's a non-standard port. You'll have to go into "Custom Rules" to configure the firewall to pass that port.
On 10/05/15 15:16, James Knott wrote:
> On 05/10/2015 10:11 AM, Bob Williams wrote:
>> The firewall is the SuSE one, which has a YaST setup module. The server is not a LAMP server, it is just web2py. I access the page in my browser by going to http://192.168.1.12:8001/, which is this machine.
> That's a non-standard port. You'll have to go into "Custom Rules" to configure the firewall to pass that port.

And presumably I choose 'Internal Zone'?
On 05/10/2015 10:30 AM, Bob Williams wrote:
> And presumably I choose 'Internal Zone'?

There you're talking about a firewall protecting a network, rather than one protecting a single computer. The zone refers to which side of the firewall you're talking about. External would be the interface connected to the Internet and internal, your local lan. If you're protecting a single computer, then everything else is external. However, if you have a firewall facing the Internet, do you really need one on a computer connected to your local network?
On 10/05/15 17:37, James Knott wrote:
> On 05/10/2015 10:30 AM, Bob Williams wrote:
>> And presumably I choose 'Internal Zone'?
> There you're talking about a firewall protecting a network, rather than one protecting a single computer. The zone refers to which side of the firewall you're talking about. External would be the interface connected to the Internet and internal, your local lan. If you're protecting a single computer, then everything else is external. However, if you have a firewall facing the Internet, do you really need one on a computer connected to your local network?

This is where my old brain finds it difficult to understand the concepts. The firewalls I'm talking about are on each machine in the house connected to the NAT router, which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? The router (Draytek Vigor 2830Vn) claims to have a 'firewall' inside it, but I have never changed the default settings.

I also understand that the process of 'Network Address Translation' causes rejection of any unsolicited packets from outside, which constitutes a sort of firewall. Are you saying I can rely on that?

Thank you for your help and advice.

Bob
On 05/10/2015 01:36 PM, Bob Williams wrote:
> This is where my old brain finds it difficult to understand the concepts. The firewalls I'm talking about are on each machine in the house connected to the NAT router, which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? The router (Draytek Vigor 2830Vn) claims to have a 'firewall' inside it, but I have never changed the default settings.
>
> I also understand that the process of 'Network Address Translation' causes rejection of any unsolicited packets from outside, which constitutes a sort of firewall. Are you saying I can rely on that?

I'm not familiar with that device but, generally, yes. You don't need firewalls on each computer, unless you're really worried about security. For most users, a firewall on each computer just gets in the way. The only computer I have that has its own firewall is my notebook computer, which gets used in other locations, including on public WiFi.
On 10/05/15 18:43, James Knott wrote:
> On 05/10/2015 01:36 PM, Bob Williams wrote:
>> This is where my old brain finds it difficult to understand the concepts. The firewalls I'm talking about are on each machine in the house connected to the NAT router, which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? The router (Draytek Vigor 2830Vn) claims to have a 'firewall' inside it, but I have never changed the default settings.
>>
>> I also understand that the process of 'Network Address Translation' causes rejection of any unsolicited packets from outside, which constitutes a sort of firewall. Are you saying I can rely on that?
> I'm not familiar with that device but, generally, yes. You don't need firewalls on each computer, unless you're really worried about security. For most users, a firewall on each computer just gets in the way. The only computer I have that has its own firewall is my notebook computer, which gets used in other locations, including on public WiFi.

OK, I understand and am reassured. These machines don't leave this house. Many thanks.
On 10/05/2015 19:36, Bob Williams wrote:
> concepts. The firewalls I'm talking about are on each machine in the house connected to the NAT router, which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? T

Depends... are all the computers on your network safe?

For example, is there a computer on your network running Windows that can be compromised by a mail virus? Do you have a family wifi network (that somebody in the vicinity can compromise)? Do you sometimes have friends who come with a laptop and have to be connected through your network? Did you recently buy a printer (most new printers connect to the internet and may be compromised)?

On the other hand, a firewall on your desktop uses very few resources, so why not?

jdd
On 10/05/15 19:01, jdd wrote:
> On 10/05/2015 19:36, Bob Williams wrote:
>> concepts. The firewalls I'm talking about are on each machine in the house connected to the NAT router, which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? T
>
> Depends...
>
> are all the computers on your network safe?
>
> For example, is there a computer on your network running Windows that can be compromised by a mail virus? Do you have a family wifi network (that somebody in the vicinity can compromise)? Do you sometimes have friends who come with a laptop and have to be connected through your network? Did you recently buy a printer (most new printers connect to the internet and may be compromised)?

We live in a rural area, so the wifi is unlikely to attract passers-by. It also has a fairly long, non-intuitive password. But, yes, friends do visit and want to connect their devices to the Internet.

> On the other hand, a firewall on your desktop uses very few resources, so why not?

Which brings me back to the original question. Machine A is running a web2py server on a non-standard port on the private LAN. I want machine B to be able to access this web server from another room in the house. The firewall in Yast2 prevents this in its default configuration.

> jdd
On 05/10/2015 02:21 PM, Bob Williams wrote:
> Which brings me back to the original question. Machine A is running a web2py server on a non-standard port on the private LAN. I want machine B to be able to access this web server from another room in the house. The firewall in Yast2 prevents this in its default configuration.

As I mentioned in another note, you have to allow that port. Just allowing the local lan addresses opens up the firewall for anything on your lan. You could, however, specify both port and source address, to ensure that nothing outside of your network, should it make it past your firewall, can access that server. BTW, is there any reason you're using a non-standard port?
On Sun, 10 May 2015 20:21, Bob Williams wrote:
> On 10/05/15 19:01, jdd wrote:
>> On 10/05/2015 19:36, Bob Williams wrote:
>>> concepts. The firewalls I'm talking about are on each machine in the house connected to the NAT router, which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? T
>>
>> Depends...
>>
>> are all the computers on your network safe?
>>
>> For example, is there a computer on your network running Windows that can be compromised by a mail virus? Do you have a family wifi network (that somebody in the vicinity can compromise)? Do you sometimes have friends who come with a laptop and have to be connected through your network? Did you recently buy a printer (most new printers connect to the internet and may be compromised)?
>
> We live in a rural area, so the wifi is unlikely to attract passers-by. It also has a fairly long, non-intuitive password. But, yes, friends do visit and want to connect their devices to the Internet.
>
>> On the other hand, a firewall on your desktop uses very few resources, so why not?
>
> Which brings me back to the original question. Machine A is running a web2py server on a non-standard port on the private LAN. I want machine B to be able to access this web server from another room in the house. The firewall in Yast2 prevents this in its default configuration.
>
>> jdd

On the machine the web2py service runs on:

In the file: /etc/sysconfig/SuSEfirewall
Search for pattern: FW_SERVICES_[A-Z]*_TCP=
Add (separated with a space, if necessary), your web2py port 8xxx.

Restart the Firewall, test.

non-standard port = manual config.
On 05/10/2015 02:35 PM, Yamaban wrote:
> On the machine the web2py service runs on:
>
> In the file: /etc/sysconfig/SuSEfirewall
> Search for pattern: FW_SERVICES_[A-Z]*_TCP=
> Add (separated with a space, if necessary), your web2py port 8xxx.
>
> Restart the Firewall, test.
>
> non-standard port = manual config.

Or custom rules in Yast. With them, you can specify source address and both source and destination ports. So, in Bob's example, allow TCP port 8001 from source addresses 192.168.1.0/24
On 10/05/2015 20:21, Bob Williams wrote:
> Which brings me back to the original question. Machine A is running a web2py server on a non-standard port on the private LAN. I want machine B to be able to access this web server from another room in the house. The firewall in Yast2 prevents this in its default configuration.

You just have to allow the port. You can do this in yast2. It has to be on the server's firewall, external network (external for this computer).

jdd
On 05/10/2015 01:36 PM, Bob Williams wrote:
> On 10/05/15 17:37, James Knott wrote:
>> On 05/10/2015 10:30 AM, Bob Williams wrote:
>>> And presumably I choose 'Internal Zone'?
>> There you're talking about a firewall protecting a network, rather than one protecting a single computer. The zone refers to which side of the firewall you're talking about. External would be the interface connected to the Internet and internal, your local lan. If you're protecting a single computer, then everything else is external. However, if you have a firewall facing the Internet, do you really need one on a computer connected to your local network?
>
> This is where my old brain finds it difficult to understand the concepts.
I can't say I blame you. For a long time now vendors have abused terminology and have made claims about functionality for the sake of getting people to buy by means of increasing their expectations.

Classically a firewall was a portal between two networks made up of a host managing two routers. Compare this with a simple single point access control such as TCPWrappers.

> The firewalls I'm talking about are on each machine in the house connected to the NAT router,

In many ways, that 'front end' is TCPWrappers writ large, implemented in the IP stack rather than the application layer.

http://udel.edu/~grim/tcp_wrapper.pdf

http://www.slashroot.in/linux-access-control-using-tcp-wrappers
Has a nice illustration of the layering.

Also shows an answer to your Q ... if you were using TCPWrappers :-)
http://www.aboutlinux.info/2005/10/using-tcp-wrappers-to-secure-linux.html

> which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? The router (Draytek Vigor 2830Vn) claims to have a 'firewall' inside it, but I have never changed the default settings.

Again I see that as abuse of terminology for the purpose of marketing. I have a Netgear that makes similar claims. No, it's not really a firewall, not in the classical sense.

> I also understand that the process of 'Network Address Translation' causes rejection of any unsolicited packets from outside, which constitutes a sort of firewall. Are you saying I can rely on that?

It depends on what you mean by "rely". NAT is just that, address translation. TCP is stateful and the NAT software tracks the state of an established link and does address translation. But this only makes sense for outgoing TCP connections. UDP is stateless and there are a few guesses to make DNS work.

More to the point, NAT will not allow an incoming TCP _request_.

That doesn't mean it's secure. There are ways of piggy-backing on established connections. The famous Mitnick vs Tsutomu Shimomura case documented as the book and movie "Takedown" was based on such a technique. We've made adjustments to the way TCP initiation & packet sequencing is done that make such an attack very difficult, but it's not impossible. See also http://tools.ietf.org/html/rfc1948

So in order to run certain services, which may not apply in your case but seems all too prevalent in the way much commercial software for Windows has been designed, "holes" in that have to be opened up. Either a TCP or UDP link for a certain port is "forwarded" to a particular host. You can see, pretty easily, how this would apply for a web server on the inside of the NAT "firewall".

But even so, there are MANY ways a NAT firewall won't protect you. There are many ways that something on the inside can be made to initiate a session outbound. It may be javascript in a web site or even a HTML laden email. Let's face it. HTML email is redundant and potentially EVIL!

So if you ask me, the answer is NO YOU CANNOT RELY ON A NAT TO ACT AS A SECURITY DEVICE.

But to be fair, the way most "personal" or "host-based" firewalls are configured, the same applies. No host-based firewall is going to stop the user reading email or browsing the web.
On 05/10/2015 04:47 PM, Anton Aylward wrote:
> More to the point, NAT will not allow an incoming TCP _request_.
>
> That doesn't mean it's secure. There are ways of piggy-backing on established connections. The famous Mitnick vs Tsutomu Shimomura case documented as the book and movie "Takedown" was based on such a technique. We've made adjustments to the way TCP initiation & packet sequencing is done that make such an attack very difficult, but it's not impossible.

That is why many state NAT isn't a firewall. From a networking point of view, beyond stretching address space, it's generally a bad thing, in that it breaks some protocols. As for being a firewall, there's nothing it can do that a properly configured firewall can't. With a firewall, you generally start from block everything and then allow only what you want. On a proper firewall, this works in both directions, so that you can block outgoing as well as incoming. If you want to see what a real firewall can do, take a look at Cisco access lists. They can be applied to any interface in either direction, with multiple qualifiers in each statement, so you get maximum flexibility in what you allow or block. Hopefully, with IPv6, NAT will be a thing of the past. Unfortunately, some people think it's a good idea to use it with IPv6 too.
On 2015-05-10 19:36, Bob Williams wrote:
> This is where my old brain finds it difficult to understand the concepts. The firewalls I'm talking about are on each machine in the house connected to the NAT router, which in turn is connected to the Internet. So from your last remark, they are all protected by the router, and do not need to be running separate software firewalls themselves? The router (Draytek Vigor 2830Vn) claims to have a 'firewall' inside it, but I have never changed the default settings.

The distinction between external/internal interfaces came about on machines having two network cards: one connected to the outside, to the Internet, another to the inside, the LAN.

What to do on machines with only one socket? It is connected to the internal network, yes, so it should be "internal". However, in that LAN there is one machine, a router, that connects to the outside. It is this machine that should run a good and reliable firewall to protect all the machines inside.

Is it that secure and reliable, the router? Really, I don't trust mine. I had one from my ISP, and it never got an update in years. Then I bought one of my own; it had an update, yes, but I verified that it still had a hole. So no, I don't trust home routers. Thus on all my Linux machines I tell them they are on the "external" network.

About your question:

FW_TRUSTED_NETS="192.168.1.0/24,tcp,8001"

I think that's what you need.

--
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
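Yamaban's FW_SERVICES_EXT_TCP line, James's custom rule and Carlos's FW_TRUSTED_NETS line all end up as space-separated tokens in one sysconfig file; on openSUSE 13.x that file is /etc/sysconfig/SuSEfirewall2 (the thread abbreviates the name), and the YaST "Custom Rules" dialog stores its entries in FW_SERVICES_ACCEPT_EXT of the same file, in the same network,protocol,port token format. The script below is an added example, not code from the thread or from SuSEfirewall2: it appends a token to such a variable only if it is not already there, so a re-run or a later YaST save does not duplicate entries, and it demonstrates the three settings on a constructed copy of the file rather than on the live one. The helper names, the demo file contents and the interface line in it are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent edits to SuSEfirewall2-style
# sysconfig variables. Assumed: VAR="tok tok" lines as in
# /etc/sysconfig/SuSEfirewall2; the demo file below is constructed.

# sysconfig_add_token FILE VAR TOKEN
# Append TOKEN to VAR's space-separated value unless it is already present;
# create the VAR= line if the file has none. Commented-out "# VAR=" lines
# are left alone, and surrounding whitespace in the value is normalised.
sysconfig_add_token() {
    file=$1
    var=$2
    token=$3
    [ -n "$file" ] && [ -n "$var" ] && [ -n "$token" ] || return 2
    tmp="$file.tmp.$$"
    awk -v var="$var" -v token="$token" '
        BEGIN { done = 0 }
        index($0, var "=") == 1 {
            val = substr($0, length(var) + 2)      # text after VAR=
            gsub(/"/, "", val)
            n = split(val, parts, " ")
            found = 0
            out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] == token) found = 1
                out = (out == "") ? parts[i] : (out " " parts[i])
            }
            if (!found) out = (out == "") ? token : (out " " token)
            print var "=\"" out "\""
            done = 1
            next
        }
        { print }
        END { if (!done) print var "=\"" token "\"" }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# sysconfig_get FILE VAR: print VAR's value without the quotes ("" if unset).
sysconfig_get() {
    awk -v var="$2" '
        index($0, var "=") == 1 { v = substr($0, length(var) + 2); gsub(/"/, "", v); print v }
    ' "$1"
}

# Demo on a constructed copy (never the live file), mirroring the three
# suggestions from the thread.
demo=$(mktemp)
cat > "$demo" <<'EOF'
## Constructed excerpt in the shape of /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="any eth0"
# FW_SERVICES_EXT_TCP="22"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_ACCEPT_EXT=""
FW_TRUSTED_NETS=""
EOF

# Yamaban: 8001/tcp open to everything in the external zone.
sysconfig_add_token "$demo" FW_SERVICES_EXT_TCP 8001
# James: the YaST "Custom Rules" equivalent, source-restricted to the LAN.
sysconfig_add_token "$demo" FW_SERVICES_ACCEPT_EXT "192.168.1.0/24,tcp,8001"
# Carlos: same token format in FW_TRUSTED_NETS; the repeated call is a no-op.
sysconfig_add_token "$demo" FW_TRUSTED_NETS "192.168.1.0/24,tcp,8001"
sysconfig_add_token "$demo" FW_TRUSTED_NETS "192.168.1.0/24,tcp,8001"

cat "$demo"
rm -f "$demo"
# On the real file, apply with:  systemctl restart SuSEfirewall2
# and confirm the rule landed:   iptables -S | grep 8001
```

Of the three, the source-restricted forms are the ones to keep: FW_SERVICES_EXT_TCP="8001" admits anything that reaches the external zone, and on a single-NIC host that zone is the whole LAN plus whatever the router forwards, which is exactly the exposure James warns about.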
On 05/10/2015 06:05 PM, Carlos E. R. wrote:
> What to do on machines with only one socket? It is connected to the internal network, yes, so it should be "internal". However, in that LAN there is one machine, a router, that connects to the outside. It is this machine that should run a good and reliable firewall to protect all the machines inside.

Does "internal" really apply to a single computer? There is only what's external to it, that is the rest of the lan and beyond that it has to be protected from.
On 2015-05-11 02:27, James Knott wrote:
> On 05/10/2015 06:05 PM, Carlos E. R. wrote:
>> What to do on machines with only one socket? It is connected to the internal network, yes, so it should be "internal". However, in that LAN there is one machine, a router, that connects to the outside. It is this machine that should run a good and reliable firewall to protect all the machines inside.
> Does "internal" really apply to a single computer? There is only what's external to it, that is the rest of the lan and beyond that it has to be protected from.

Well, yes, I consider the interface on a lone computer as external. And when I consider one as "internal", I also set "protect from internal" on. It does complicate things a lot, of course. Every service I want, samba, nfs, printing... has to be explicitly allowed.
On 11/05/2015 02:27, James Knott wrote:
> Does "internal" really apply to a single computer? There is only what's external to it, that is the rest of the lan and beyond that it has to be protected from.

Think of the firewall as a door.

On a single computer, as in a house, the external is the door that opens to the network; the internal is the house, that is, your computer.

If your computer is not otherwise connected, the firewall is only useful to protect you from bad configuration, because any unused port is "closed". An open port is a port some application reads, and its security is up to the application; a closed port is either a port that nobody reads, or one that the firewall is blocking.

There is a discussion about whether it is necessary to have a firewall even for unused ports, because any port is read at least at some level, else nothing would be transmitted to applications, but I have no idea about this.

jdd
On 2015-05-11 08:59, jdd wrote:
> On 11/05/2015 02:27, James Knott wrote:
>> Does "internal" really apply to a single computer? There is only what's external to it, that is the rest of the lan and beyond that it has to be protected from.
>
> Think of the firewall as a door.
>
> On a single computer, as in a house, the external is the door that opens to the network; the internal is the house, that is, your computer.

Think rather of an apartment building. There is the door to the street, perhaps with a janitor. Then there are the doors to the apartments. Do you leave the apartment doors open, because you trust the janitor? Or do you use a good lock on your home, and check who calls using the peep hole?

> There is a discussion about whether it is necessary to have a firewall even for unused ports, because any port is read at least at some level, else nothing would be transmitted to applications, but I have no idea about this.

Strictly speaking, a firewall is not needed if no port is listening. However, as you can not be sure of this, because tons of applications can open doors and you would have to check all and all users, it makes sense to have another layer.
On 10/05/15 20:43, James Knott wrote:
> Or custom rules in Yast. With them, you can specify source address and both source and destination ports. So, in Bob's example, allow TCP port 8001 from source addresses 192.168.1.0/24

and

On 10/05/15 23:05, Carlos E. R. wrote:
> About your question:
>
> FW_TRUSTED_NETS="192.168.1.0/24,tcp,8001"
>
> I think that's what you need.

Many thanks for everyone's input; I certainly understand a bit more about firewalls, in particular the difference between 'external' and 'internal' zones. Unfortunately, neither of the above suggestions worked (yes, I did restart the firewall after each change).

Bob
On 05/11/2015 10:17 AM, Bob Williams wrote:
> Unfortunately, neither of the above suggestions worked (yes, I did restart the firewall after each change).

Have you tried doing a NMAP scan (or similar) to see what the reality is? You might try A-B comparison, firewall off/firewall on, to see what's happening?

I'm wondering if the restart of the firewall reset it to the original config?

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
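Anton's A/B scan is worth doing with an eye on which of nmap's answers comes back, because closed and filtered point at different failures: closed means machine A answered the SYN with a RST, so the packet got through and nothing was listening on that address and port; filtered means no answer came back at all, which is what a dropping host firewall produces. The script below is an added example, not from the thread or from nmap: it pulls the state line for one port out of two constructed scan outputs (the scan command, the host, the service name nmap prints and the helper names are assumptions) and maps the on/off pair to a verdict.

```shell
#!/bin/sh
# Added example, not from the thread: read nmap's per-port line for one port
# and turn an A/B pair (host firewall on / off) into a verdict.
# Assumed: plain "nmap -p PORT HOST" output; the sample outputs below are
# constructed, not captured from the thread's machines.

# nmap_port_state NMAP_OUTPUT PORT
# Print the STATE column for PORT/tcp (open, closed, filtered, ...), or
# "unknown" if nmap printed no line for that port.
nmap_port_state() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == (port "/tcp") { print $2; found = 1; exit }
        END { if (!found) print "unknown" }'
}

# ab_verdict STATE_FW_ON STATE_FW_OFF: one-word verdict for the pair.
#   closed   = host sent a RST: packets arrive, nothing listens on that port
#   filtered = no answer: something dropped the SYN before a listener saw it
ab_verdict() {
    a=$1
    b=$2
    if [ "$a" = open ]; then
        echo ok              # reachable with the firewall on: rule works
    elif [ "$b" = open ]; then
        echo firewall        # only the host firewall is in the way
    elif [ "$a" = closed ] && [ "$b" = closed ]; then
        echo no-listener     # not a firewall problem at all
    elif [ "$a" = filtered ] && [ "$b" = closed ]; then
        echo both            # rule missing, and nothing listens even when off
    elif [ "$a" = filtered ] && [ "$b" = filtered ]; then
        echo upstream        # dropped with the host firewall off: path or host
    else
        echo unknown
    fi
}

# ab_explain VERDICT: what to check next.
ab_explain() {
    case $1 in
        ok)          echo "Reachable with the firewall on: the rule works." ;;
        firewall)    echo "Open only with the firewall off: the rule is missing, in the wrong zone, or the restart reverted the file." ;;
        no-listener) echo "RST in both runs: the firewall is not the problem; check which address the service is bound to." ;;
        both)        echo "Filtered when on, closed when off: fix the rule and the listener." ;;
        upstream)    echo "Filtered in both runs: the drop is not this host's firewall." ;;
        *)           echo "Inconclusive pair: re-run both scans." ;;
    esac
}

# Constructed outputs of "nmap -p 8001 192.168.1.12" run from machine B,
# once with SuSEfirewall2 running on machine A and once after
# "systemctl stop SuSEfirewall2" there.
scan_fw_on='Nmap scan report for 192.168.1.12
Host is up (0.00042s latency).
PORT     STATE    SERVICE
8001/tcp filtered vcom-tunnel'
scan_fw_off='Nmap scan report for 192.168.1.12
Host is up (0.00039s latency).
PORT     STATE SERVICE
8001/tcp open  vcom-tunnel'

st_on=$(nmap_port_state "$scan_fw_on" 8001)
st_off=$(nmap_port_state "$scan_fw_off" 8001)
verdict=$(ab_verdict "$st_on" "$st_off")
echo "firewall on: $st_on, firewall off: $st_off -> $verdict"
ab_explain "$verdict"
```

Run the two scans from machine B against machine A, stopping and restarting SuSEfirewall2 on A in between. A no-listener result says no firewall edit will help and the service's bind address is the next thing to look at; a firewall result with the port already in the sysconfig file points at the zone the interface actually sits in, or at the restart reverting the file, which is the possibility Anton raises.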
participants (6)
- Anton Aylward
- Bob Williams
- Carlos E. R.
- James Knott
- jdd
- Yamaban