[opensuse] howto open firewall to all traffic to a host
Hello Folks,

I am trying to get a SiliconDust internet TV card box to work with Opensuse 11.2, but am having firewall issues.

With the firewall turned off, the hdhomerun (Silicon dust software) configure will detect the TV tuner and return its IP address and ID. With the firewall enabled the tuner is not detected as expected.

I tried opening up the necessary ports and services but that did not work, and according to SiliconDust tech support the tuner uses a random high port on the PC so it is not possible to firewall based on incoming ports. They suggest that I allow all traffic to/from the HDHomeRun's IP address.

My question is how to best do this? I could not find how to do this with yast. Do I need to directly edit iptables and if so, how?

Thanks,
Vahe

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Vahe Avedissian wrote:
Hello Folks,
I am trying to get a SiliconDust internet TV card box to work with Opensuse 11.2, but am having firewall issues.
With the firewall turned off, the hdhomerun (Silicon dust software) configure will detect the TV tuner and return its IP address and ID. With the firewall enabled the tuner is not detected as expected.
I tried opening up the necessary ports and services but that did not work, and according to SiliconDust tech support the tuner uses a random high port on the PC so it is not possible to firewall based on incoming ports. They suggest that I allow all traffic to/from the HDHomeRun's IP address.
My question is how to best do this? I could not find how to do this with yast. Do I need to directly edit iptables and if so, how?
You can enter HDHomeRun's IP address into FW_TRUSTED_NETS, but then the question is: can you really trust them?

    # Format: space separated list of network[,protocol[,port]]
    # in case of icmp, port means the icmp type
    #
    # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
    #
    FW_TRUSTED_NETS="HDHomeRun's IP"

Another option, though I do not think that can be done via Yast, is to create a service "HDHomeRun" based on /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE. Here is the relevant part of the template:

    ### variables below are only needed in very special cases
    # space separated list of net,protocol[,sport[,dport]]
    # see FW_SERVICES_ACCEPT_RELATED_EXT
    # net 0/0 means IPv4 and IPv6. If this service should only work for
    # IPv4 use 0.0.0.0/0
    RELATED="HDHomeRun's IP"

This will open the ports that are related to your computer's request. Then you can add this service to your FW_CONFIGURATIONS_EXT:

    FW_CONFIGURATIONS_EXT="HDHomeRun"

Hope this helps
Togan
Hi Togan,

I tried the first suggestion you made and that seems to work! Thanks!!! I will try your second suggestion as well. Any advantage of the first versus the second approach?

Also, the HDHomeRun TV tuner is sitting on my local network. I was wondering what the implications of trusting them were per your comment below? Can you shed some light on this concern?

Thanks again!
Vahe

----- Original Message ----
From: Togan Muftuoglu <toganm+suse@dinamizm.com>
To: opensuse@opensuse.org
Sent: Tue, April 6, 2010 12:23:11 AM
Subject: Re: [opensuse] howto open firewall to all traffic to a host
Hi,

Vahe Avedissian wrote:
Hi Togan,
I tried the first suggestion you made and that seems to work! Thanks!!! I will try your second suggestion as well. Any advantage of the first versus the second approach?
With FW_TRUSTED_NETS you let the IP access the ports you want, or the whole port range if you just put the IP.

The second approach is based on the "FW_SERVICES_ACCEPT_RELATED_EXT" parameter, so you have two ways of doing the same thing. In this approach you only accept packets that are related to the requests. Meaning your TV tuner contacts the server and asks something; the reply is in relation to the question. This will be let through with "FW_SERVICES_ACCEPT_RELATED_EXT", so this approach is more like fine tuning.

Now when you use the template, that means you define all these things in the template and you just add the service name to "FW_CONFIGURATIONS_EXT". With this approach the service can be added to any FW_CONFIGURATIONS_XXX.
Also, the HDHomeRun TV tuner is sitting on my local network. I was wondering what the implications of trusting them were per your comment below? Can you shed some light on this concern?
When you run a firewall and you let packets through selectively, that means you are not trusting everyone out there in the wild. Now if you just put the "HDHomeRun ip" alone, giving full port access, that would not sit well with me and I would like to limit their access to my network. So using (tcp,udp,icmp) and ports I would limit the access. And quoting the remarks for FW_TRUSTED_NETS from /etc/sysconfig/SuSEfirewall2:

    * "Please note that this is no replacement for authentication since IP addresses can be spoofed." *

That would leave me the option of letting packets that are related, because I am initiating the contact first.

I would suggest, since you now have a working solution, find the ports, i.e. using iptraf, and try to narrow down the ports to see what happens.

Hope this helps
Togan
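The FW_TRUSTED_NETS entry format Togan quotes earlier in the thread, and his advice here to narrow a bare address down to protocol and port, as an added example that is not part of the thread and not SuSEfirewall2's own code: a small POSIX shell audit that parses a FW_TRUSTED_NETS value entry by entry, flags any bare address (which grants every protocol and port to that source), and renders each entry as the approximate iptables INPUT rule it amounts to. The address 192.168.1.50 standing in for the HDHomeRun, the port 65001 and the two sample config lines are constructed, since the thread never gives the real values, and the rendered rules are my reading of the documented network[,protocol[,port]] grammar, not the rules SuSEfirewall2 itself generates.

```shell
#!/bin/sh
# Added example (not from the thread): audit a SuSEfirewall2 FW_TRUSTED_NETS
# value and show what each entry opens. Entry grammar as quoted on the list:
#   network[,protocol[,port]]    (for icmp, "port" is the ICMP type)
# The HDHomeRun address 192.168.1.50 and port 65001 are constructed
# placeholders; the real ones are not given in the thread.

# Render one entry as an approximate iptables rule (my rendering, not the
# rule SuSEfirewall2 generates). A bare address gets a "WIDE OPEN:" marker
# because it accepts every protocol and port from that source.
render_entry() {
    entry=$1
    net=${entry%%,*}
    rest=${entry#"$net"}
    rest=${rest#,}
    proto=${rest%%,*}
    port=${rest#"$proto"}
    port=${port#,}

    case $proto in
        '')
            printf -- 'WIDE OPEN: -A INPUT -s %s -j ACCEPT\n' "$net" ;;
        icmp)
            if [ -n "$port" ]; then
                printf -- '-A INPUT -s %s -p icmp --icmp-type %s -j ACCEPT\n' "$net" "$port"
            else
                printf -- '-A INPUT -s %s -p icmp -j ACCEPT\n' "$net"
            fi ;;
        tcp|udp)
            if [ -n "$port" ]; then
                printf -- '-A INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$net" "$proto" "$port"
            else
                printf -- '-A INPUT -s %s -p %s -j ACCEPT\n' "$net" "$proto"
            fi ;;
        *)
            printf -- 'UNKNOWN PROTOCOL %s in entry %s\n' "$proto" "$entry" >&2
            return 1 ;;
    esac
}

# Audit a whole space-separated FW_TRUSTED_NETS value. Prints one rule per
# entry; returns 1 if any entry is wide open or malformed, 0 otherwise.
audit_trusted_nets() {
    rc=0
    for e in $1; do
        line=$(render_entry "$e") || { rc=1; continue; }
        printf -- '%s\n' "$line"
        case $line in "WIDE OPEN:"*) rc=1 ;; esac
    done
    return $rc
}

# Pull the FW_TRUSTED_NETS value out of a sysconfig-style file (first match).
trusted_nets_from_file() {
    sed -n 's/^FW_TRUSTED_NETS="\(.*\)"$/\1/p' "$1" | head -n 1
}

# Constructed sample configs: the bare-address form that made the tuner work,
# and the narrowed form once the protocols and ports have been identified.
WEAK_CFG='FW_TRUSTED_NETS="192.168.1.50"'
NARROW_CFG='FW_TRUSTED_NETS="192.168.1.50,udp,65001 192.168.1.50,tcp,65001 192.168.1.50,icmp,0"'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$WEAK_CFG" > "$tmp"
    echo "== weak =="
    audit_trusted_nets "$(trusted_nets_from_file "$tmp")" || echo "audit: FAILED (wide-open entry)"
    printf '%s\n' "$NARROW_CFG" > "$tmp"
    echo "== narrowed =="
    audit_trusted_nets "$(trusted_nets_from_file "$tmp")" && echo "audit: OK"
    rm -f "$tmp"
}

demo
```

Run it as `sh audit.sh` against the constructed configs, or point `trusted_nets_from_file` at a real /etc/sysconfig/SuSEfirewall2 to list what each trusted entry actually admits before deciding whether the bare-IP shortcut is acceptable on your network.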
participants (2)
- Togan Muftuoglu
- Vahe Avedissian