[opensuse] firewall and network
When I turn my firewall off I can see the other computers on my network. When I turn the firewall on, I can't. Does someone have a solution to this problem on how I can use my firewall and still be able to see my network with a firewall or some other setting?

dwain

--
Dwain Alford
Alford Design Group
P.O. Box 145
Winfield, Alabama 35594
telephone: 205.487.2570
cellphone: 205.495.5619
email: dwain@alford-design-group.com
web: http://www.alford-design-group.com
"The artist may use any form which his expression demands; for his inner impulse must find suitable expression." Wassily Kandinsky, "Concerning The Spiritual In Art"
On 2007-03-26 09:12, dwain wrote:
> When I turn my firewall off I can see the other computers on my network. When I turn the firewall on, I can't. Does someone have a solution to this problem on how I can use my firewall and still be able to see my network with a firewall or some other setting?
> dwain
What are you using to connect to other systems on your network? If Samba, you need to open ports on the internal network as follows:

for FW_SERVICES_INT_TCP, microsoft-ds netbios-dgm netbios-ns netbios-ssn (port numbers 445 137:139)
for FW_SERVICES_INT_UDP, netbios-ns (137)

Also set FW_ALLOW_FW_BROADCAST_INT to allow netbios-ns. Use the YaST sysconfig editor, as I don't know if the firewall module works for port/service settings on the internal zone (it is definitely broken for the external zone).

If you need CUPS printer access across the network, open ipp (port 631) for TCP. If you are using NFS to connect remote drives, open port 2049 (for TCP only, I think).

--
Moral indignation is jealousy with a halo. -- HG Wells
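A read-only check for the settings listed in the message above, added here as an example and not part of the original thread. It parses a SuSEfirewall2-style file without sourcing it and reports which of the listed entries are still missing; the function names and the sample file are constructed for illustration, and the required list follows the message as written.

```shell
#!/bin/sh
# Added example: audit SuSEfirewall2-style settings against the ports named in the message.

# Service names used in the thread, mapped to port numbers (as in /etc/services).
svc_to_port() {
  case "$1" in
    microsoft-ds) echo 445 ;; netbios-ns) echo 137 ;;
    netbios-dgm) echo 138 ;;  netbios-ssn) echo 139 ;;
    ipp) echo 631 ;;          nfs) echo 2049 ;;
    *) echo "$1" ;;
  esac
}

# get_var FILE NAME: value of the last NAME="..." line, read without sourcing the file.
get_var() {
  sed -n "s/^$2=\"\\(.*\\)\"[[:space:]]*\$/\\1/p" "$1" | tail -n 1
}

# port_open "LIST" PORT: true if PORT is covered by a name, number or lo:hi range in LIST.
port_open() {
  for entry in $1; do
    [ "$entry" = yes ] && return 0      # FW_ALLOW_FW_BROADCAST_* also accepts "yes"
    entry=$(svc_to_port "$entry")
    lo=${entry%%:*}; hi=${entry##*:}
    case "$lo:$hi" in :*|*:|*[!0-9:]*) continue ;; esac   # skip "no" and unknown names
    [ "$2" -ge "$lo" ] && [ "$2" -le "$hi" ] && return 0
  done
  return 1
}

# missing_ports FILE: print "VARIABLE PORT" for each entry from the message not yet present.
missing_ports() {
  for need in FW_SERVICES_INT_TCP:445 FW_SERVICES_INT_TCP:137 FW_SERVICES_INT_TCP:138 \
              FW_SERVICES_INT_TCP:139 FW_SERVICES_INT_UDP:137 FW_ALLOW_FW_BROADCAST_INT:137; do
    var=${need%%:*}; port=${need##*:}
    port_open "$(get_var "$1" "$var")" "$port" || echo "$var $port"
  done
}

# Constructed sample: TCP side done, UDP and broadcast still at their closed values.
sample=$(mktemp)
cat > "$sample" <<'EOF'
FW_SERVICES_INT_TCP="microsoft-ds 137:139"
FW_SERVICES_INT_UDP=""
FW_ALLOW_FW_BROADCAST_INT="no"
EOF
missing_ports "$sample"
rm -f "$sample"
```

On a system using SuSEfirewall2 the file to pass is /etc/sysconfig/SuSEfirewall2; an empty result means every listed entry is present.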
Hello,

On Mar 26 10:43 Darryl Gregorash wrote (shortened):
> If you need CUPS printer access across the network, open ipp (port 631) for TCP.

Perhaps IPP port 631 for UDP is also needed, see http://en.opensuse.org/SDB:CUPS_in_a_Nutshell "The Spooler"

In the YaST firewall module there are predefined "services" for IPP (and also for Samba if you use Samba) so that it should be easiest to use the YaST firewall module.

By the way: I wonder why a firewall is active for a network zone in which services should be used which require trusted users (nobody lets arbitrary users print on his printer).

By default the Suse firewall allows any access via a network interface which belongs to the "internal zone" because this zone is trusted by default.

If the CUPS server and the client systems are in an internal network and when you trust all that there is in your internal network, your network interface must be set to be in the "internal zone".

It doesn't make sense to have a network setup in a trusted internal network with a network interface which belongs to the untrusted "external zone" (which is the default to be safe).

Kind Regards
Johannes Meixner
--
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex
On 2007-03-27 02:26, Johannes Meixner wrote:
> Hello,
> On Mar 26 10:43 Darryl Gregorash wrote (shortened):
> > If you need CUPS printer access across the network, open ipp (port 631) for TCP.
> Perhaps IPP port 631 for UDP is also needed, see http://en.opensuse.org/SDB:CUPS_in_a_Nutshell "The Spooler"
> In the YaST firewall module there are predefined "services" for IPP (and also for Samba if you use Samba) so that it should be easiest to use the YaST firewall module.

I guess I should have guessed that browsing announcements are sent on UDP -- as is the case with, for example, netbios.

As for the YaST firewall module, I think I mentioned that it is broken for opening services on the external device (and has been broken since at least SLE 9), and I don't know if it is working properly for the internal device.

Concerning the rest of your remarks, long ago I stopped questioning why some people wish to do such strange things -- it is like trying to herd cats, and they are just going to do what they want anyway :-)
On Monday 26 March 2007 11:12, dwain wrote:
> When I turn my firewall off I can see the other computers on my network. When I turn the firewall on, I can't. Does someone have a solution to this problem on how I can use my firewall and still be able to see my network with a firewall or some other setting?

You said you had a router connected to a DSL modem to run your network.

I assume you are turning on your Linux firewall... why?

What you are telling linux is that "you are connected to the internet (not an internal network) and therefore protect me from everything using the firewall". You just shut yourself off from your own network.

Almost all routers these days are very good firewalls and I would bet that you don't have the firewalls on your Windows machines turned on.

But in any event, if you want to run the linux firewall, then you are going to have to open up a lot of ports in order to talk to the rest of the network. So you are defeating the purpose here of the firewall.
Bruce Marshall wrote:
> On Monday 26 March 2007 11:12, dwain wrote:
> > When I turn my firewall off I can see the other computers on my network. When I turn the firewall on, I can't. Does someone have a solution to this problem on how I can use my firewall and still be able to see my network with a firewall or some other setting?
> You said you had a router connected to a DSL modem to run your network.
> I assume you are turning on your Linux firewall... why?
> What you are telling linux is that "you are connected to the internet (not an internal network) and therefore protect me from everything using the firewall". You just shut yourself off from your own network.
> Almost all routers these days are very good firewalls and I would bet that you don't have the firewalls on your Windows machines turned on.
> But in any event, if you want to run the linux firewall, then you are going to have to open up a lot of ports in order to talk to the rest of the network. So you are defeating the purpose here of the firewall.

So my router firewall is taking care of the internet part of the network? How can I check to make sure this is happening?

dwain
On 2007-03-27 19:45, dwain wrote:
<snip>
> So my router firewall is taking care of the internet part of the network? How can I check to make sure this is happening?

a) only if you have set it up (properly), which in view of the second question appears unlikely
b) read the router documentation for the necessary instructions on how to access it -- they should all allow http access from within the internal network.
Darryl Gregorash wrote:
> On 2007-03-27 19:45, dwain wrote:
> <snip>
> > So my router firewall is taking care of the internet part of the network? How can I check to make sure this is happening?
> a) only if you have set it up (properly), which in view of the second question appears unlikely
> b) read the router documentation for the necessary instructions on how to access it -- they should all allow http access from within the internal network.

Thanks to all of you who have helped ease my paranoid mind. I went to the site suggested and checked my computer (router). I was clean and green all the way down the grid.

Many greetings from Alabama

dwain