-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

I try to use SuSEfirewall2 as included in SuSE 9.0 to secure the eth0 connection of a server machine (only one interface, connected to the university network, no routing, NAT, bridging, etc.), but I'm a bit confused about the options and the available documentation (especially regarding differences between the current and older versions of SuSEfirewall2).

What I have read (but maybe not fully understood :-)) so far:
=============================================================

* http://seismo.ethz.ch/linux/firewall.html, which deals with SuSE up to version 8.1 (which obviously has differences to the current version)
* http://susefaq.sourceforge.net/articles/firewall/fw_manual.html, a nice manual about the same package, also up to version 8.1
* the archive of this mailing list
* Googled the usual newsgroups/pages for more help.

What I want to do:
==================

Secure a server which should be used as a department server running SAMBA, NFS (maybe not), Netatalk, Apache, ssh/scp/sftp, xntpd (i.e. a plain simple standard intranet and file server) against access from the outside world.

The setup:
==========

All machines are directly connected to the Internet (via the university network, thanks to the University of Tuebingen not running their own firewall), therefore I want to grant/deny access to the server based on

* IP address (i.e. "FW_TRUSTED_NETS") individually (per machine)
* possibly MAC address (possible to set this in the firewall config??)
* login and password protection for services of course (not part of the firewall)

and deny access to all services except ssh for the rest of the world.

In http://seismo.ethz.ch/linux/firewall.html I found the following entry which seems to be ok for me:

FW_TRUSTED_NETS="123.123.xxx.yyy 195.195.yyy.zzz"  # Adjust
FW_SERVICES_TRUSTED_TCP="1:65535"  # Should be adjusted to needed services per machine, not globally everything.
FW_SERVICES_TRUSTED_UDP="1:65535"  # see above

in connection with

FW_QUICKMODE="no"
FW_DEV_EXT="eth0"
FW_DEV_INT=""  # Do I have to set eth0 here as well???
FW_SERVICES_EXT_TCP=""  # drop all
FW_SERVICES_EXT_UDP=""  # drop all
FW_AUTOPROTECT_SERVICES="yes"
FW_PROTECT_FROM_INTERNAL="yes"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="no"
FW_SERVICE_AUTODETECT="yes"
... (among others)

to deny everything else from unknown computers.

The problem is that the variables "FW_SERVICES_TRUSTED*" seem to be absent in SuSEfirewall2-3.1-206 (as installed with SuSE 9.0).

Can someone point me in the right direction to solve this problem? How to enable (more or less) fine-grained access control to a computer on an IP-address basis (or better, IP and MAC)?

Thanks in advance.

--
Bye,
Marc Saric

Dr. Marc Saric, Bioinformatik, Proteom Centrum Tübingen,
Paul-Ehrlich-Str. 15, D-72076 Tübingen, Germany,
Tel: +49 (0)7071 29 77645, marc.saric@uni-tuebingen.de
http://www.proteom-centrum-tuebingen.de

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAUHy3BLD6PjSWyL4RAk9sAJ9RhHC0uVBfaRTWPPi/NV1OYyJNOwCeLOQ7
9HQHFLZ2fEBBRnt3ziatNF8=
=tasY
-----END PGP SIGNATURE-----
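The policy the post describes (trusted hosts get every service, everyone else only ssh, default drop on a single external interface) can be written as plain iptables rules independent of which SuSEfirewall2 variables a given release supports. The script below is an added example, not code from the post, the mailing list or the SuSEfirewall2 package: `gen_rules` prints the iptables commands for the policy instead of executing them, so the rule set can be reviewed before it is applied. The interface name, the ssh port and the trusted entries (an IP address, optionally followed by `@` and a MAC address) are constructed sample values; the `-m mac --mac-source` match it emits is the standard iptables MAC match, which only sees the sender's real MAC when the host is on the same Ethernet segment (traffic that arrives through a router carries the router's MAC), so it narrows a rule but does not replace the IP match or service-level authentication.

```shell
#!/bin/sh
# Added example: generate iptables rules for a single-interface server where
# listed hosts may reach every service, everyone else only ssh, rest dropped.
# Values below are constructed for the example, not taken from the post.
EXT_IF="eth0"
SSH_PORT="22"
# Trusted entries: "IP" or "IP@MAC"; the MAC part adds a link-layer match.
TRUSTED_HOSTS="123.123.1.2 195.195.3.4@00:11:22:33:44:55"

# gen_rules EXT_IF "TRUSTED_HOSTS" SSH_PORT
# Prints the commands in the order they must run: flush, policies, loopback,
# established/related, per-host trusted rules, ssh for everyone, final drop.
gen_rules() {
    ext_if="$1"
    trusted="$2"
    ssh_port="$3"

    echo "iptables -F INPUT"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"      # no routing on this machine
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections the server opened itself (DNS, NTP, updates).
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"

    for entry in $trusted; do
        case "$entry" in
            *@*)
                ip="${entry%@*}"
                mac="${entry#*@}"
                macmatch=" -m mac --mac-source $mac"
                ;;
            *)
                ip="$entry"
                macmatch=""
                ;;
        esac
        # Trusted host: all protocols and ports on the external interface.
        echo "iptables -A INPUT -i $ext_if -s $ip$macmatch -j ACCEPT"
    done

    # Everyone else: new ssh connections only.
    echo "iptables -A INPUT -i $ext_if -p tcp --dport $ssh_port -m state --state NEW -j ACCEPT"
    # Explicit final drop on the external interface (also covered by the policy).
    echo "iptables -A INPUT -i $ext_if -j DROP"
}

# count_accept_rules "RULES": number of ACCEPT rules in generated output,
# a quick sanity check that each trusted entry produced exactly one rule.
count_accept_rules() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

gen_rules "$EXT_IF" "$TRUSTED_HOSTS" "$SSH_PORT"
```

Run the script and inspect the printed rules; to apply them, pipe the output into `sh` from a console session rather than over ssh, since the flush and DROP policy take effect before the ssh rule is added. Per-service restriction for trusted hosts (the "not globally everything" comment in the post) is a matter of replacing the single trusted ACCEPT line with one rule per needed port.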