Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] Open port in SuSEfirewall2
  • From: "Joe Morris (NTM)" <Joe_Morris@xxxxxxx>
  • Date: Tue, 17 Oct 2006 07:54:34 +0800
  • Message-id: <45341BBA.1080005@xxxxxxx>
Terje J. Hanssen wrote:
> At my office, I'm not quite sure if SuseFirewall really is required on
> my Linux workstation there, as we have a separate Netscreen router with a
> built-in firewall to protect our Internet connection (cable modem now,
> to be replaced with ADSL soon).
Absolutely required? Perhaps not, but I would suggest it. Even if the
router's firewall protects you from the Internet, SuSEfirewall2 would
protect from the LAN.
> The router port 22 and ssh service is
> forwarded now to the Linux workstation.
Which should work with no problems. I've done that a few times. Since
this opens ssh up to the Internet, I would suggest locking it down to
only key authentication (not password).
> What do you think, is
> SuseFirewall2 really needed for ssh/NX, though yet, it does of course
> not harm if I get it to work?
>
And it is not hard to configure in your situation. Everything in your
case is configured on the external interface. You have no internal LAN,
no need to forward or NAT, etc. You only need to decide which ports to
open, which you have already done.
> From Windows on my home PC
> D:\>ping 1.2.3.4
> ...no response ...request quitted
>
Did you allow ping (ICMP) on your firewall? This could be, and probably is,
blocked for the external interface on your SuSEfirewall2.
> Microsoft Telnet> open 1.2.3.4 22
> Connect to 1.2.3.4 ..... Cannot open connection to server on port 22:
> Cannot connect
>
Use PuTTY instead of telnet. I think this is because of the program.
> The same happens also booting Linux on my home PC. Tried also with ssh:
>
> terje@dhcppc1:~> ssh -vv 1.2.3.4 22
> OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.
>
Is your username the same on both boxes? You should use ssh (-X to
forward X programs) user@IP. If you want to give a port, it uses the -p
option, but since you are using port 22, no need.
> If I try internal from my office Win2kTS both, independent of local or
> remote RDP logins to it:
>
> C:\> ping ip_linux_ws
> ....responded ok
> C:\> ping hostname_linux_ws
> ....responded ok
>
Then the router is not forwarding the ICMP packets.
> Well, in the YaST network configuration routing part, I entered our
> private ip_router_ address as standard system port. Then the access to
> Internet worked ok from the Linux workstation. Besides, I use /etc/hosts
> and fixed (private) ip, and have added our domain name and DNS ip there.
>
>
Doesn't your router do DHCP? This manual config sounds confusing to
me. But if you have forwarded port 22 on your router to the IP of your
Linux box, sshd is started, and port 22 is open on your ext interface in
your firewall, it should work.
> # route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 1.2.3.0 * 255.255.255.0 U 0 0 0 eth0
> link-local * 255.255.0.0 U 0 0 0 eth0
> loopback * 255.0.0.0 U 0 0 0 lo
> default netscreen 0.0.0.0 UG 0 0 0 eth0
>
This doesn't look right. The gateway should be the IP of your router,
not netscreen.

BTW, you only need to reply to the security list. We are all subscribed
and will get your reply there.

--
Joe Morris
Registered Linux user 231871
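The two settings this reply recommends for a workstation whose port 22 is forwarded from the router are "port 22 open on the external interface of SuSEfirewall2" and "sshd accepting keys only, not passwords". The script below is an added example, not code from the thread or from the SuSEfirewall2 project: it audits both settings from config files. It assumes SuSEfirewall2's sysconfig keys FW_SERVICES_EXT_TCP and FW_ALLOW_PING_EXT and sshd_config's PasswordAuthentication, ChallengeResponseAuthentication and PubkeyAuthentication keys; the sample files it checks are constructed here, in place of the real /etc/sysconfig/SuSEfirewall2 and /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the original thread). Constructed sample files stand
# in for /etc/sysconfig/SuSEfirewall2 and /etc/ssh/sshd_config.

WORK=$(mktemp -d)

# Constructed SuSEfirewall2 fragment: ssh open on the external zone, ping not.
cat >"$WORK/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="22"
FW_SERVICES_EXT_UDP=""
FW_ALLOW_PING_EXT="no"
EOF

# Constructed sshd_config as shipped: passwords still accepted, because the
# only PasswordAuthentication line is commented out and the default is yes.
cat >"$WORK/sshd_config.weak" <<'EOF'
# comments and blank lines are ignored by sshd
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF

# Constructed hardened sshd_config: keys only, root login off.
cat >"$WORK/sshd_config.hard" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no
EOF

# Effective value of KEY in an sshd_config file: the first uncommented match
# wins (sshd semantics), keys are case-insensitive, absent key prints nothing.
sshd_value() { # $1=file $2=key
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Value of KEY="..." in a sysconfig file; the last assignment wins, as in sh.
sysconfig_value() { # $1=file $2=key
    sed -n "s/^[[:space:]]*$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Returns 0 only when port 22 is opened on the EXT zone AND sshd accepts keys
# only. Prints one line per check so the failing item is obvious.
audit_ssh_exposure() { # $1=SuSEfirewall2 file $2=sshd_config file
    rc=0
    tcp=$(sysconfig_value "$1" FW_SERVICES_EXT_TCP)
    case " $tcp " in
        *" 22 "*|*" ssh "*) echo "ok   FW_SERVICES_EXT_TCP opens 22: \"$tcp\"" ;;
        *) echo "FAIL FW_SERVICES_EXT_TCP lacks 22: \"$tcp\""; rc=1 ;;
    esac
    ping=$(sysconfig_value "$1" FW_ALLOW_PING_EXT)
    echo "info FW_ALLOW_PING_EXT=${ping:-unset} (an unanswered ping from outside is expected when no)"

    # sshd defaults: PasswordAuthentication and ChallengeResponseAuthentication
    # are both "yes" when unset, so an unset key counts as a failure here.
    pw=$(sshd_value "$2" PasswordAuthentication)
    cr=$(sshd_value "$2" ChallengeResponseAuthentication)
    pk=$(sshd_value "$2" PubkeyAuthentication)
    if [ "${pw:-yes}" = no ] && [ "${cr:-yes}" = no ]; then
        echo "ok   sshd: password and keyboard-interactive logins disabled"
    else
        echo "FAIL sshd: PasswordAuthentication=${pw:-yes} ChallengeResponseAuthentication=${cr:-yes}"
        rc=1
    fi
    if [ "${pk:-yes}" = yes ]; then
        echo "ok   sshd: PubkeyAuthentication enabled"
    else
        echo "FAIL sshd: PubkeyAuthentication=$pk"; rc=1
    fi
    return $rc
}

echo "--- shipped sshd_config:"
audit_ssh_exposure "$WORK/SuSEfirewall2" "$WORK/sshd_config.weak" || echo "result: NOT key-only"
echo "--- hardened sshd_config:"
audit_ssh_exposure "$WORK/SuSEfirewall2" "$WORK/sshd_config.hard" && echo "result: key-only, 22 open on ext"
```

Run against the real files by passing their paths instead of the constructed ones. Note on the client side, as the reply says: `ssh -vv 1.2.3.4 22` hands "22" to the remote host as a command to run; the port goes after `-p`, as in `ssh -p 22 user@1.2.3.4`, and with the default port `ssh user@1.2.3.4` is enough.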