Hello Stefan,

I have a similar problem and tried FW_TRUSTED_NETS to enable www access for one special client. But the SuSE firewall drops the packets. Do you have any idea??

Jörg

-----Original Message-----
From: Peer Stefan [mailto:stefan.peer@tiwag.at]
Sent: Wednesday, 28 May 2003 13:24
To: suse-security@suse.com
Subject: RE: [suse-security] Blocking ports and services[Scanned]

Hi Dietmar,

> From: Dietmar Stein [mailto:DStein@phoenixcontact.com]
>
> Hi
>
> I am new to the list but I have gone through the archives and several internet resources before, but I can't find a detailed answer, so I am asking ...
>
> I have a machine running SLES7 (fully updated), which has only one ethernet interface (eth0). The machine is running SAP and Oracle and I want to ensure that only some IP addresses can connect to SAP (which is running on ports 3200, 3300, 4800, 3600); all other services except ssh should be unavailable to the local network.
    FW_DEV_EXT="eth0"
    FW_EXT_SERVICES="ssh"
    # a.b.c.d = the one allowed client; /32 = exactly this host
    # (a /0 mask would match every address and open the ports to everyone)
    FW_TRUSTED_NETS="a.b.c.d/32,tcp,3200 a.b.c.d/32,tcp,3300 a.b.c.d/32,tcp,4800 a.b.c.d/32,tcp,3600"

If you can find a subnet for all "allowed" ip addresses this will be very easy. E.g.

    FW_TRUSTED_NETS="10.100.0.0/16,tcp,80"

enables HTTP access for every ip within the 10.100.0.0 subnet.
> What do I want? I want to have access to SAP/Oracle from only a few IP addresses and all other services blocked (except ssh which should be public). I have tried to use SuSEfirewall without success (it won't start if I do not specify an external device and if I specify it, I lock myself out).

A trick for not locking oneself out of the box is to add the ip address to the FW_TRUSTED_NETS variable ;-)

> Any suggestions?
>
> Thanks, Dietmar

You're welcome,
Stefan

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@suse.com
Security-related bug reports go to security@suse.de, not here
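Added example (not from the thread and not SuSEfirewall's own code): a small Python checker for FW_TRUSTED_NETS values of the kind discussed above. It assumes the SuSEfirewall2 entry syntax "net[/prefix][,proto,port]" with entries separated by whitespace, where a bare network trusts every protocol and port and an entry with proto and port trusts only that one service. It parses the variable, answers "would this client be allowed to this port?", and flags entries whose netmask is far wider than intended (a /0 prefix matches every address). The client address and config values below are constructed for the example.

```python
"""Checker for SuSEfirewall-style FW_TRUSTED_NETS values (added example).

Assumed syntax (SuSEfirewall2 documentation): whitespace-separated entries of
the form  net[/prefix][,proto,port]  e.g. "172.30.4.2" or "10.100.0.0/16,tcp,80".
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class TrustedEntry:
    net: ipaddress.IPv4Network          # network the entry trusts
    proto: Optional[str]                # "tcp"/"udp", or None = any protocol
    port: Optional[int]                 # port number, or None = any port


def parse_trusted_nets(value: str) -> List[TrustedEntry]:
    """Parse the value of FW_TRUSTED_NETS (the raw config line is accepted too)."""
    if value.startswith("FW_TRUSTED_NETS="):
        value = value.split("=", 1)[1]
    value = value.strip().strip('"')
    entries = []
    for token in value.split():
        parts = token.split(",")
        if len(parts) not in (1, 3):
            raise ValueError(f"bad entry {token!r}: expected net[,proto,port]")
        # strict=False lets "10.100.0.1/16" mean the whole /16, as iptables would
        net = ipaddress.ip_network(parts[0], strict=False)
        proto = port = None
        if len(parts) == 3:
            proto = parts[1].lower()
            if proto not in ("tcp", "udp"):
                raise ValueError(f"bad protocol in {token!r}")
            port = int(parts[2])
            if not 1 <= port <= 65535:
                raise ValueError(f"bad port in {token!r}")
        entries.append(TrustedEntry(net, proto, port))
    return entries


def is_trusted(entries: List[TrustedEntry], client_ip: str, proto: str, port: int) -> bool:
    """True if some entry lets client_ip reach proto/port on the firewall host."""
    addr = ipaddress.ip_address(client_ip)
    for e in entries:
        if addr not in e.net:
            continue
        if e.proto is None or (e.proto == proto.lower() and e.port == port):
            return True
    return False


def overly_broad(entries: List[TrustedEntry], max_prefixlen: int = 24) -> List[TrustedEntry]:
    """Entries whose network is wider than /max_prefixlen; a /0 trusts everyone."""
    return [e for e in entries if e.net.prefixlen < max_prefixlen]


# Constructed sample: the thread's SAP ports, with one allowed client address.
CLIENT = "10.100.7.5"
SAP_PORTS = (3200, 3300, 4800, 3600)
TRUSTED_OK = " ".join(f"{CLIENT}/32,tcp,{p}" for p in SAP_PORTS)
TRUSTED_SLASH0 = " ".join(f"{CLIENT}/0,tcp,{p}" for p in SAP_PORTS)   # the /0 mistake


if __name__ == "__main__":
    for label, cfg in (("/32 config", TRUSTED_OK), ("/0 config", TRUSTED_SLASH0)):
        entries = parse_trusted_nets(cfg)
        print(label)
        print("  allowed client -> tcp/3200:", is_trusted(entries, CLIENT, "tcp", 3200))
        print("  other host     -> tcp/3200:", is_trusted(entries, "192.0.2.1", "tcp", 3200))
        print("  allowed client -> tcp/1521:", is_trusted(entries, CLIENT, "tcp", 1521))
        for e in overly_broad(entries):
            print(f"  WARNING: {e.net} trusts far more than one host")
```

Running the block shows the difference that the netmask makes: with /32 only the named client reaches the SAP ports and nothing else is opened, while with /0 every source address matches and each entry is reported as overly broad. If a client that should be allowed still gets dropped, running its address, protocol and port through is_trusted against the exact FW_TRUSTED_NETS string from the config is a quick way to tell a typo in the entry from a problem elsewhere in the ruleset.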