[opensuse] Router firewall vs openSUSE firewall
Hi,

My system is openSUSE 12.1 running KDE 4.9 behind a NAT router (Draytek 2800v) which incorporates its own configurable firewall.

I'm also running a minidlna server linked through the router to my Blu-ray player. When I disable the openSUSE firewall, I can browse the directories on my computer from the TV and view/play media files. If I enable the openSUSE firewall, the server is not seen.

Is it safe to rely on the router firewall alone, combined with NAT, always accepting that safety is a relative term?

Conversely, has anyone successfully set up minidlna through the openSUSE firewall, and if so, what settings did you use?

Bob

--
Bob Williams
System: Linux 3.1.10-1.16-desktop
Distro: openSUSE 12.1 (x86_64) with KDE Development Platform: 4.9.00 "release 555"
Uptime: 06:00am up 16 days 7:10, 1 user, load average: 0.07, 0.08, 0.12
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
Bob Williams wrote:
Is it safe to rely on the router firewall alone, combined with NAT, always accepting that safety is a relative term?
Well, many commercial boxes run on Linux or BSD. My firewall/router is openSUSE 11.4 on an old Compaq computer. Of course, security in depth can be more secure than a single layer.
On Tuesday, 28 August 2012, 11:29:45, Bob Williams wrote:
I'm also running a minidlna server linked through the router to my Blu-ray player. When I disable the openSUSE firewall, I can browse the directories on my computer from the TV and view/play media files. If I enable the openSUSE firewall, the server is not seen.
Maybe igmp is missing in your firewall config. See the first section of http://en.opensuse.org/openSUSE:Synology_NAS on how to set it up.

Sven
On 28/08/12 15:22, Sven Burmeister wrote:
On Tuesday, 28 August 2012, 11:29:45, Bob Williams wrote:
I'm also running a minidlna server linked through the router to my Blu-ray player. When I disable the openSUSE firewall, I can browse the directories on my computer from the TV and view/play media files. If I enable the openSUSE firewall, the server is not seen.
Maybe igmp is missing in your firewall config. See the first section of http://en.opensuse.org/openSUSE:Synology_NAS on how to set it up.
Sven
I added igmp as an IP protocol under the Advanced button, but unfortunately it didn't open the firewall for minidlna. Thank you for the suggestion.

Bob

--
Bob Williams
System: Linux 3.1.10-1.16-desktop
Distro: openSUSE 12.1 (x86_64) with KDE Development Platform: 4.9.00 "release 555"
Uptime: 06:00am up 16 days 7:10, 1 user, load average: 0.07, 0.08, 0.12
On Tue, 2012-08-28 at 11:29 +0100, Bob Williams wrote:
My system is openSUSE 12.1 running KDE 4.9 behind a NAT router (Draytek 2800v) which incorporates its own configurable firewall. I'm also running a minidlna server linked through the router to my Blu-ray player. When I disable the openSUSE firewall, I can browse the directories on my computer from the TV and view/play media files. If I enable the openSUSE firewall, the server is not seen. Is it safe to rely on the router firewall alone,
No, appropriate firewall rules should be applied to all devices.
combined with NAT,
NAT is not about security; it is about address space management.
always accepting that safety is a relative term?
Yes, safety is relative. And it is increased significantly when everything protects itself [every device should know what traffic it should and shouldn't carry].
Conversely, has anyone successfully set up minidlna through the openSUSE firewall, and if so, what settings did you use?
No, I've never used minidlna.
On 8/28/2012 3:29 AM, Bob Williams wrote:
Hi,
My system is openSUSE 12.1 running KDE 4.9 behind a NAT router (Draytek 2800v) which incorporates its own configurable firewall.
I'm also running a minidlna server linked through the router to my Blu-ray player. When I disable the openSUSE firewall, I can browse the directories on my computer from the TV and view/play media files. If I enable the openSUSE firewall, the server is not seen.
Is it safe to rely on the router firewall alone, combined with NAT, always accepting that safety is a relative term?
Conversely, has anyone successfully set up minidlna through the openSUSE firewall, and if so, what settings did you use?
Bob
Bob: You really don't need a firewall in opensuse, because you don't have a ton of ports open, over which you have no control. If there is nothing listening on a port, you aren't going to have any issues with people trying to connect. Simply controlling what is listening is sufficient.

However, if you are a belt and suspenders man, you can configure the suse firewall to pass DLNA data.

There is an applet in Yast2 that lets you configure the firewall, so you can allow DLNA. See https://help.ubuntu.com/community/MiniDLNA You need to open ports on the firewall using the configuration tool in yast2 as indicated at the bottom of that page.

Bear in mind that you may want to turn off upnp on the router because some Dlan devices will use upnp to open ports to the public side of your router.
On 29/08/12 01:00, John Andersen wrote:
On 8/28/2012 3:29 AM, Bob Williams wrote:
Hi,
My system is openSUSE 12.1 running KDE 4.9 behind a NAT router (Draytek 2800v) which incorporates its own configurable firewall.
I'm also running a minidlna server linked through the router to my Blu-ray player. When I disable the openSUSE firewall, I can browse the directories on my computer from the TV and view/play media files. If I enable the openSUSE firewall, the server is not seen.
Is it safe to rely on the router firewall alone, combined with NAT, always accepting that safety is a relative term?
Conversely, has anyone successfully set up minidlna through the openSUSE firewall, and if so, what settings did you use?
Bob
Bob: You really don't need a firewall in opensuse, because you don't have a ton of ports open, over which you have no control. If there is nothing listening on a port, you aren't going to have any issues with people trying to connect. Simply controlling what is listening is sufficient.
I run both ssh and rsync servers, protected by key pairs.
However, if you are a belt and suspenders man, you can configure the suse firewall to pass DLNA data.
There is an applet in Yast2 that lets you configure the firewall, so you can allow DLNA. See https://help.ubuntu.com/community/MiniDLNA You need to open ports on the firewall using the configuration tool in yast2 as indicated at the bottom of that page.
Bear in mind that you may want to turn off upnp on the router because some Dlan devices will use upnp to open ports to the public side of your router.
I tried doing it with the YaST tool, but found it didn't work. I now have it set up by following instructions from Togan Muftuoglu in the other half of this thread.

Thanks,
Bob

--
Bob Williams
System: Linux 3.1.10-1.16-desktop
Distro: openSUSE 12.1 (x86_64) with KDE Development Platform: 4.9.00 "release 555"
Uptime: 06:00am up 15:53, 1 user, load average: 0.10, 0.12, 0.44
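An added example, not part of any message in this thread: the thread contrasts "controlling what is listening" with per-host firewall rules, and this sketch audits `ss -tulnH` output for sockets reachable from the LAN and compares them with the services the host is meant to offer. The sample output, the address 192.168.1.10 and the expected-service set are constructed assumptions; 8200/tcp and 1900/udp are minidlna's default HTTP and SSDP ports, and 873/tcp assumes rsync runs as a daemon.

```python
import ipaddress

# Constructed sample of `ss -tulnH` output (not taken from the thread).
SAMPLE_SS = """\
udp UNCONN 0 0   0.0.0.0:1900      0.0.0.0:*
udp UNCONN 0 0   127.0.0.1:323     0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp LISTEN 0 5   0.0.0.0:873       0.0.0.0:*
tcp LISTEN 0 16  192.168.1.10:8200 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:631     0.0.0.0:*
tcp LISTEN 0 128 [::]:22           [::]:*
tcp LISTEN 0 100 [::]:25           [::]:*
tcp LISTEN 0 50  *:5900            *:*
"""

# Assumed policy: ssh, rsync daemon, minidlna HTTP and SSDP discovery.
EXPECTED = {("tcp", 22), ("tcp", 873), ("tcp", 8200), ("udp", 1900)}


def parse_listeners(ss_output):
    """Return (proto, address, port) for each socket line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        # Drop IPv6 brackets and any %interface scope suffix.
        addr = addr.strip("[]").split("%")[0]
        listeners.append((fields[0], addr, int(port)))
    return listeners


def is_exposed(addr):
    """True when the bind address accepts traffic from other hosts."""
    if addr == "*":
        return True
    return not ipaddress.ip_address(addr).is_loopback


def audit(ss_output, expected):
    """Return (unexpected, missing) as sorted lists of (proto, port)."""
    exposed = {(proto, port)
               for proto, addr, port in parse_listeners(ss_output)
               if is_exposed(addr)}
    return sorted(exposed - expected), sorted(expected - exposed)


if __name__ == "__main__":
    unexpected, missing = audit(SAMPLE_SS, EXPECTED)
    print("exposed but not expected:", unexpected)
    print("expected but not exposed:", missing)
```

Entries in the first list are candidates for stopping, rebinding to loopback, or dropping at the host firewall; entries in the second list point at a service that is not running or is bound only to loopback.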
participants (5)
- Adam Tauno Williams
- Bob Williams
- James Knott
- John Andersen
- Sven Burmeister