Hi *, Armin Schoech wrote:
Hello Simon,
--> you can use FW2_TRUSTED_NETWORKS to allow access to certain services only from selected networks/hosts.
Thanks Armin. Am I correct in thinking that if I don't specify a port then all ports are open for the specified network? So for example, FW_TRUSTED_NETS="172.20.0.0/16,tcp,22" allows ssh from 172.20.0.0/16, but FW_TRUSTED_NETS="172.20.0.0/16,tcp" allows all tcp ports from the 172.20.0.0/16 network?
--> I have only tried FW_TRUSTED_NETS="172.20.0.0/16" to open up all ports. Whether you can restrict this to TCP, you have to try.
I also use the portmapper for NIS and NFS, which uses dynamically allocated ports. I found FW_SERVICES_EXT_RPC and FW_SERVICES_INT_RPC but nothing about trusted nets for RPC. I can't use FW_TRUSTED_NETS with RPC since I don't know which ports are going to be used by the portmapper.
You cannot trust NIS and NFS if you cannot trust the other host _and_ the transporting network. So you cannot use either of them over the unencrypted Internet!! _Please_ use a VPN to connect server and client. And as you use a VPN, you can simply trust the other IP ;-) (FW_TRUSTED_NETS=)

Just my 2 ctEUR
Dirk

TRIA IT-consulting GmbH
Joseph-Wild-Straße 20
81829 München
Germany
Tel: +49 (89) 92907-0
Fax: +49 (89) 92907-100
http://www.tria.de
--------------------------------------------------------
working hard | for your success
--------------------------------------------------------
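To make the "network[,protocol[,port]]" reading of FW_TRUSTED_NETS entries that Simon and Armin are discussing concrete, here is a small POSIX-sh parser that turns such entries into the iptables rules they imply. This is an added example and not SuSEfirewall2's own code; the entry format (space-separated entries, comma-separated fields, missing port meaning every port of that protocol, missing protocol meaning everything from that network, which is also what a network-only entry for a VPN peer carrying RPC traffic relies on) is assumed here from the thread, and the function names trusted_net_rule and trusted_nets_rules are hypothetical. Nothing is executed; the rules are only printed so the expansion can be checked before editing the live config.

```shell
# Added example, not SuSEfirewall2's own code. Assumes FW_TRUSTED_NETS
# entries of the form "network[,protocol[,port]]" separated by spaces.

# trusted_net_rule ENTRY -> prints the iptables rule one entry expands to
trusted_net_rule() {
    # split "net,proto,port" on commas; missing trailing fields stay empty
    oldifs=$IFS
    IFS=,
    set -- $1
    IFS=$oldifs
    net=$1
    proto=$2
    port=$3

    # minimal sanity check on the network field (digits, dots, prefix length)
    case "$net" in
        ''|*[!0-9./]*) echo "bad network: '$net'" >&2; return 1 ;;
    esac

    rule="iptables -A INPUT -s $net"
    if [ -n "$proto" ]; then
        rule="$rule -p $proto"
        if [ -n "$port" ]; then
            # only tcp and udp carry a destination port
            case "$proto" in
                tcp|udp) rule="$rule --dport $port" ;;
                *) echo "port given for portless protocol: $proto" >&2; return 1 ;;
            esac
        fi
    fi
    echo "$rule -j ACCEPT"
}

# trusted_nets_rules "ENTRY ENTRY ..." -> one rule per line, stops on a bad entry
trusted_nets_rules() {
    for entry in $1; do
        trusted_net_rule "$entry" || return 1
    done
}

# Constructed sample value for illustration (no live firewall is touched):
#   trusted_nets_rules "172.20.1.1,icmp 172.20.0.0/16,tcp,22 172.20.0.0/16,tcp 172.20.0.0/16"
```

Running trusted_nets_rules on the sample value above shows the difference between the three forms Simon asks about: the entry with a port yields a rule restricted to tcp/22, the entry with only a protocol yields a rule for all tcp, and the bare network yields an unrestricted accept, which is the "open up all ports" form Armin has tried.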