Mailinglist Archive: opensuse-security (465 mails)

firewall2 basics - how to allow a service only from trusted hosts?
  • From: Michael Zimmermann <zim@xxxxxxxx>
  • Date: Sun, 23 Dec 2001 15:19:50 +0100
  • Message-id: <200112231417.fBNEHCd06292@xxxxxxxxxxxxx>
Greetings to all,

could you please help me with some pointers - I'm a relatively fresh
user of firewall2 and perhaps I'm getting some basic things wrong.

The firewall is on a workstation with just one connection (eth0)
and is used as a packet-filter.

I want to allow a service to be accessed only from trusted hosts -
let's say the NTP (Network Time Protocol - port 123) should
only be allowed (via UDP) to IP a.b.c.d (say the server I want to
synchronize with).

Hence in /etc/rc.config.d/firewall2.rc.config I set

FW_TRUSTED_NETS="a.b.c.d,udp,123"

But then the packets are dropped with the log

Dec 23 12:38:22 k2 kernel: SuSE-FW-DROP-DEFAULTIN=eth0 OUT= MAC=blahblah
SRC=a.b.c.d DST=m.y.i.p LEN=76 TOS=0x00 PREC=0x00 TTL=233 ID=56172 DF
PROTO=UDP SPT=123 DPT=123 LEN=56

The packets only get through when I add the ntp-port to the DMZ-Services with

FW_SERVICES_DMZ_UDP="ntp"

and add eth0 as the DMZ-device with

FW_DEV_DMZ="eth0"


But now (I think) the service is accessible to everyone,
the whole internet became the DMZ, and specifying the
FW_TRUSTED_NETS is not needed at all -
or am I wrong?


Thanks for any help or pointer.
Michael
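The dropped-packet line quoted in the post is a netfilter LOG line carrying SuSEfirewall2's "SuSE-FW-DROP-DEFAULT" prefix. Before touching the configuration it helps to parse such lines and compare each dropped packet with the policy you meant to express, so you can see whether the drop hit exactly the traffic the trusted-host entry was supposed to pass. The following is an added example, not code from the post or from SuSEfirewall2; the function names, the `ALLOWED` rule list and the three sample log lines (documentation addresses, modelled on the line in the post) are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the SuSE-FW-DROP-DEFAULT line quoted above.
# 192.0.2.10 stands in for the trusted NTP server (a.b.c.d),
# 198.51.100.5 for the local host (m.y.i.p), 203.0.113.7 for a stranger.
SAMPLE_LOG = """\
Dec 23 12:38:22 k2 kernel: SuSE-FW-DROP-DEFAULTIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=233 ID=56172 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 23 12:38:30 k2 kernel: SuSE-FW-DROP-DEFAULTIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=1 DF PROTO=UDP SPT=40000 DPT=123 LEN=56
Dec 23 12:38:31 k2 kernel: SuSE-FW-DROP-DEFAULTIN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=2 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# The policy the post describes: one trusted host, UDP, destination port 123.
# (assumed rule format: (source network, protocol, destination port))
ALLOWED = [(ip_network("192.0.2.10/32"), "UDP", 123)]


def parse_fw_log(line):
    """Parse one netfilter LOG line (as written by SuSEfirewall2) into a dict.

    The log prefix is glued to 'IN=' when it has no trailing space, as in the
    post, so the prefix is taken as everything between 'kernel: ' and 'IN='.
    KEY=VALUE tokens become dict entries; bare tokens such as DF or SYN are
    collected under 'flags'. LEN appears twice (IP header, then UDP header);
    setdefault keeps the first, i.e. the IP total length.
    """
    m = re.search(r"kernel: (?P<prefix>\S*?) ?IN=", line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix"), "flags": set()}
    for tok in line[m.end("prefix"):].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec.setdefault(key, val)
        else:
            rec["flags"].add(tok)
    return rec


def intended_verdict(rec, rules=ALLOWED):
    """'ALLOW' if the packet matches a (network, proto, dport) rule, else 'DROP'."""
    if "SRC" not in rec or "DPT" not in rec:
        return "DROP"
    src = ip_address(rec["SRC"])
    proto = rec.get("PROTO")
    dport = int(rec["DPT"])
    for net, rule_proto, rule_port in rules:
        if src in net and proto == rule_proto and dport == rule_port:
            return "ALLOW"
    return "DROP"


def find_policy_mismatches(log_text, rules=ALLOWED):
    """Return (SRC, PROTO, SPT, DPT) for every logged drop that the intended
    policy says should have been accepted. An empty list means the firewall
    is dropping only what you meant to drop."""
    mismatches = []
    for line in log_text.splitlines():
        rec = parse_fw_log(line)
        if rec is None or "DROP" not in rec["prefix"]:
            continue
        if intended_verdict(rec, rules) == "ALLOW":
            mismatches.append(
                (rec["SRC"], rec["PROTO"], int(rec["SPT"]), int(rec["DPT"]))
            )
    return mismatches


if __name__ == "__main__":
    for hit in find_policy_mismatches(SAMPLE_LOG):
        print("dropped but intended to allow:", hit)
```

Run against the sample, only the first line is reported: UDP from the trusted host to port 123, which is precisely the traffic the post's FW_TRUSTED_NETS entry was meant to let in. Note that the logged packet also has SPT=123; NTP servers and ntpd peers send from port 123, so a rule keyed on the destination port alone, as above, is the loosest match that still covers the exchange. The other two lines (a UDP probe from an untrusted host and a TCP SYN to port 22) are drops the policy agrees with, so they are not listed.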
