[opensuse] SuSEfirewall2 and multiple ip addresses
I have several SuSE 10.3 systems which have one network card but multiple ip addresses, the additional addresses are set up as aliases through YaST. For instance on one system, eth0 is x.y.z.69, eth0:1 is x.y.z.70 and eth0:2 is x.y.z.71.

Is there any way I can allow access to specific ports/services on specific ip addresses through YaST's SuSEfirewall2 module? I'm aware that I could do this 'manually' using iptables, but I'd prefer to do it the 'SuSE way' using YaST or entries in /etc/sysconfig/SuSEfirewall2 - always assuming there is a SuSE way to do this :-)

I'm thinking of rules such as "allow ssh access to the box only on x.y.z.69", "allow a webserver to be accessed on x.y.z.70", "allow a mailserver to be accessed on x.y.z.71".

Any ideas welcome....

Thanks,
Jim

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
Jim Staunton wrote:
> I have several SuSE 10.3 systems which have one network card but multiple ip addresses, the additional addresses are set up as aliases through YaST. For instance on one system, eth0 is x.y.z.69, eth0:1 is x.y.z.70 and eth0:2 is x.y.z.71.
>
> Is there any way I can allow access to specific ports/services on specific ip addresses through YaST's SuSEfirewall2 module? I'm aware that I could do this 'manually' using iptables, but I'd prefer to do it the 'SuSE way' using YaST or entries in /etc/sysconfig/SuSEfirewall2 - always assuming there is a SuSE way to do this :-)
>
> I'm thinking of rules such as "allow ssh access to the box only on x.y.z.69", "allow a webserver to be accessed on x.y.z.70", "allow a mailserver to be accessed on x.y.z.71".
>
> Any ideas welcome....
>
> Thanks,
> Jim

I do NOT speak for SGI in this forum.

There is the usual SuSEfirewall2 custom script callout:

From /etc/sysconfig/SuSEfirewall2

    # This is really an expert option. NO HELP WILL BE GIVEN FOR THIS!
    # READ THE EXAMPLE CUSTOMARY FILE AT /etc/sysconfig/scripts/SuSEfirewall2-custom
    #
    #FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    FW_CUSTOMRULES=""

--
Sent from my wired giant hulking workstation
Nate Pearlstein - npearl@sgi.com - Product Support Engineer
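An added example, not part of the original thread and not code shipped with SuSEfirewall2: one way the custom-rules callout above could express the per-address rules from the question. It assumes the stock hook name `fw_custom_before_port_handling` and the external-zone chain `input_ext`; the 192.0.2.x addresses are placeholders for x.y.z.69 to .71, and `PER_IP_SERVICES` and `per_ip_rules` are hypothetical names.

```shell
# Fragment for the file named by FW_CUSTOMRULES (sourced by SuSEfirewall2).
# Constructed sample data: 192.0.2.69/.70/.71 stand in for x.y.z.69/.70/.71.
# One entry per line: destination-address protocol destination-port
PER_IP_SERVICES="
192.0.2.69 tcp 22
192.0.2.70 tcp 80
192.0.2.71 tcp 25
"

# Print one iptables argument list per valid entry. Entries with an
# unexpected character in the address, a protocol other than tcp/udp,
# or a non-numeric port are skipped, so a typo in the table cannot
# turn into extra iptables options.
per_ip_rules() {
    echo "$PER_IP_SERVICES" | while read -r addr proto port; do
        [ -n "$addr" ] || continue
        case "$addr" in *[!0-9./]*) continue ;; esac
        case "$proto" in tcp|udp) ;; *) continue ;; esac
        case "$port" in ''|*[!0-9]*) continue ;; esac
        # -d matches the local alias address the client connected to
        echo "-A input_ext -d $addr -p $proto --dport $port -j ACCEPT"
    done
}

# Hook SuSEfirewall2 calls after the input_* chains exist and before
# its own port allow rules are added (assumed stock hook name).
fw_custom_before_port_handling() {
    per_ip_rules | while read -r args; do
        # word splitting of $args is intentional here
        iptables $args
    done
    true
}
```

For these rules to restrict anything, FW_CUSTOMRULES must point at the file, and ports 22, 80 and 25 must not also be listed in FW_SERVICES_EXT_TCP, which opens a port regardless of destination address.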
Jim Staunton wrote:
> I have several SuSE 10.3 systems which have one network card but multiple ip addresses, the additional addresses are set up as aliases through YaST. For instance on one system, eth0 is x.y.z.69, eth0:1 is x.y.z.70 and eth0:2 is x.y.z.71.
>
> Is there any way I can allow access to specific ports/services on specific ip addresses through YaST's SuSEfirewall2 module? I'm aware that I could do this 'manually' using iptables, but I'd prefer to do it the 'SuSE way' using YaST or entries in /etc/sysconfig/SuSEfirewall2 - always assuming there is a SuSE way to do this :-)
>
> I'm thinking of rules such as "allow ssh access to the box only on x.y.z.69", "allow a webserver to be accessed on x.y.z.70", "allow a mailserver to be accessed on x.y.z.71".
>
> Any ideas welcome....
>
> Thanks,
> Jim

Hi Jim,

Open Yast>Security and Users>Firewall>Use the custom rules tab. This is a new addition to the firewall only from versions 10.3 upwards.

I really don't understand why your routing tables are so complex. O.K., out of your router use NAT (Network Address Translation) and turn on DHCP. If your router has only 1 LAN port then you will need a switch to provide multiple cables to each PC. If your router has multiple LAN ports use 1 for each PC. You do NOT have to use an OpenSuse PC to hand out IPs. Let the router simply do it via NAT and DHCP.

Configure each network card with only 1 IP and you can use DHCP+Zero config to ensure that only DHCP has handed an IP to each PC via DHCP; you can rest assured that the same IP will always be handed to the same PC by using the DHCP+Zero config. This new feature in 10.3 permits each PC to have a static IP, however in the first instance it was obtained via DHCP.

I have no idea why you want to maintain complex routing tables when it is not necessary. Let your router assign private IPs 192.168.1.0/24 via NAT out of the LAN port of your router. You do NOT need a PC to manage complex routing tables and hand out the IPs.

Scott - Good Luck
* Default Account
> Open Yast>Security and Users>Firewall>Use the custom rules tab. This is a new addition to the firewall only from versions 10.3 upwards.

that's odd. I had it in 9.0....

--
Patrick Shanahan
Plainfield, Indiana, USA
HOG # US1244711
http://wahoo.no-ip.org
Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://counter.li.org
Jim Staunton wrote:
> I have several SuSE 10.3 systems which have one network card but multiple ip addresses, the additional addresses are set up as aliases through YaST. For instance on one system, eth0 is x.y.z.69, eth0:1 is x.y.z.70 and eth0:2 is x.y.z.71.
>
> Is there any way I can allow access to specific ports/services on specific ip addresses through YaST's SuSEfirewall2 module? I'm aware that I could do this 'manually' using iptables, but I'd prefer to do it the 'SuSE way' using YaST or entries in /etc/sysconfig/SuSEfirewall2 - always assuming there is a SuSE way to do this :-)
>
> I'm thinking of rules such as "allow ssh access to the box only on x.y.z.69", "allow a webserver to be accessed on x.y.z.70", "allow a mailserver to be accessed on x.y.z.71".

I've not really gotten into the suse firewall, so my answer is probably not representative. I've always used my own iptables scripts, since I have linux servers running 24/7 my own lan, do my own dns/dhcp, run web and mail servers here, and also have connections to a few server to server VPNs. I'd never found a suitably capable yet easy to use firewall solution. I'd looked at suse firewall and tried several popular solutions without finding anything more compelling than my iptables scripts.

But I've recently discovered that the basic linux firewall module in webmin does everything I need. It was able to import my working iptables rules as a baseline, and adding new rules is fairly self explanatory.

So, my suggestion is to check out the webmin linux firewall module. You might be pleasantly surprised.

Joe