Michael James: I have a sudden need to firewall a machine to allow a list of ports to a list of subnets.
FW_SERVICES_EXT_TCP="ftp ftp-data ssh smtp domain http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap https smtps rsync ftps-data ftps imaps pop3s sunrpc"
FW_TRUSTED_NETS=<8 distinct class C networks>
So effectively I want to say, "Only trusted nets get anything, and then only services on the list".
Trouble is, using the trusted nets concept I have to list the entire cross product, every possible combination.
Without that ugliness, can I do it within SuSEFirewall2 or am I down to ipchains?

If your trusted nets followed a pattern like this 192.168.0.0/24, 192.168.32.0/24, ... , 192.168.224.0/24 or readdressing them is achievable, you could address them in one rule with 192.168.0.0/255.255.31.0 (somewhat tricky, but works for us with iptables).

--
Mit freundlichen Grüßen
Dr. H. Rosner
Stadtverwaltung Jena
Hauptamt / Datenverarbeitung
Tel: (03641) 49 5502
Fax: (03641) 49 2222
eMail: ros@jena.de
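Added example, not code from either poster or from SuSEFirewall2. It does two things the thread talks about: it checks which /24 networks the non-contiguous mask 192.168.0.0/255.255.31.0 from the reply actually covers (the bitwise AND mirrors what the packet filter does, and it is worth confirming the mask hits exactly the intended eight networks and nothing else before relying on it), and it builds a plain iptables rule list with two user chains so the rule count is trusted nets plus services rather than their cross product. The 192.168.x.0/24 networks, the chain names trusted_in and trusted_svc, and the lo/ESTABLISHED rules are assumptions for the illustration; the service list is the one from the question.

```python
# Added example, not code from the thread. It checks what the non-contiguous
# netmask 192.168.0.0/255.255.31.0 suggested in the reply actually covers, and
# builds a linear iptables rule list (two user chains) instead of the
# trusted-nets x services cross product the question complains about.
from ipaddress import IPv4Address


def ip_to_int(dotted: str) -> int:
    """Dotted-quad string to a 32-bit integer."""
    return int(IPv4Address(dotted))


def matches(addr: str, base: str, mask: str) -> bool:
    """True when addr falls under base/mask using the plain bitwise AND a
    packet filter applies; unlike ipaddress.IPv4Network this accepts a
    non-contiguous mask such as 255.255.31.0."""
    m = ip_to_int(mask)
    return (ip_to_int(addr) & m) == (ip_to_int(base) & m)


def covered_class_c(base: str, mask: str, prefix16: str = "192.168") -> list:
    """List every /24 under prefix16 (default taken from the reply's pattern)
    that base/mask matches. The host bits of a /24 sit in the last octet,
    which this mask zeroes, so checking the network address is enough."""
    hits = []
    for third in range(256):
        net = f"{prefix16}.{third}.0"
        if matches(net, base, mask):
            hits.append(f"{net}/24")
    return hits


# Service list copied from the question; the trusted nets are the assumed
# 192.168.0.0/24, 192.168.32.0/24, ..., 192.168.224.0/24 pattern from the reply.
SERVICES = ("ftp ftp-data ssh smtp domain http pop3 sftp netbios-ns netbios-dgm "
            "netbios-ssn ldap https smtps rsync ftps-data ftps imaps pop3s "
            "sunrpc").split()
TRUSTED = [f"192.168.{n}.0/24" for n in range(0, 256, 32)]


def build_rules(trusted: list, services: list) -> list:
    """Return iptables commands as strings (nothing is executed). Two user
    chains: trusted_in tests the source network once, trusted_svc tests the
    destination port once, so the count grows as len(trusted) + len(services)
    rather than their product. Anything else falls through to the DROP policy."""
    rules = [
        "iptables -N trusted_in",
        "iptables -N trusted_svc",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for net in trusted:
        rules.append(f"iptables -A trusted_in -s {net} -j trusted_svc")
    for svc in services:
        # service names resolve through /etc/services, as in FW_SERVICES_EXT_TCP
        rules.append(f"iptables -A trusted_svc -p tcp --dport {svc} -j ACCEPT")
    rules.append("iptables -A INPUT -j trusted_in")
    rules.append("iptables -P INPUT DROP")
    return rules


if __name__ == "__main__":
    for net in covered_class_c("192.168.0.0", "255.255.31.0"):
        print("covered:", net)
    print("rules:", len(build_rules(TRUSTED, SERVICES)))
```

Running it lists exactly the eight /24s whose third octet is a multiple of 32 (0, 32, ..., 224), which is what the mask 255.255.31.0 selects: the low five bits of the third octet are ignored, the rest must match. If the real networks do not follow that pattern, covered_class_c with the candidate mask shows what else would slip through. The generated rule list is 34 lines for 8 networks and 20 services instead of 160 cross-product rules, which is the same structure a person would type by hand when SuSEFirewall2's FW_TRUSTED_NETS does not express the restriction directly.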