Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] Open port in SuSEfirewall2
  • From: "Terje J. Hanssen" <nteknikk@xxxxxxxx>
  • Date: Tue, 17 Oct 2006 00:37:55 +0200
  • Message-id: <453409C3.3090504@xxxxxxxx>
I'll do an attempt here to deepen and collect the requested information:

Joe Morris (NTM) wrote:

> He may need them for the smb client to work. Since he seems to have a
> workstation in a network mixed with Windows boxes, if any printers or
> directories were shared from Windows, he would need those opened. If he
> knows they are not needed, then remove them, as they certainly are not
> needed for ssh access.

Yes, this is the situation. My new Xeon/Linux workstation will replace
my old Sparc/Solaris workstation on a SO mixed network of Windows
PCs/server and network printers. I have just beforehand mounted
shared Windows maps using the Gnome menu to connect to the win2k server
(maybe smbclient is still used behind this). My plan is next to also set
up a Samba server for file sharing to Windows.


Carlos E. R. wrote:
>
> In that case I would use profiles: one for home, another for the office.
>
On my multiboot homePC, SuseFirewall is undoubtedly required as its
connection to the Internet is using a vanilla ADSL router (modem) and DHCP
from my ISP. Booting Windows on the same PC, ZoneAlarm has been used
correspondingly.

At my office, I'm not quite sure if SuseFirewall really is required on
my Linux workstation there, as we have a separate NetScreen router with a
built-in firewall to protect our Internet connection (cable modem now,
to be replaced with ADSL soon). The router port 22 and ssh service are
forwarded now to the Linux workstation. What do you think, is
SuseFirewall2 really needed for ssh/NX, though it does of course
not harm if I get it to work?

(Just for background information I'll mention that the proprietary
NetScreen firewall had Windows-only clients available, and I had to boot
Windows on my home PC just to be able to connect using NetScreen/RDP
clients to my office Win2k Terminal server. To connect to Solaris I've
used the SCO TermVision vt420 emulator and a GUI-based (tcp) file browser
for file transfers. We overcame this by installing OpenVPN on the
Win2kTS and by forwarding the actual router port to this server. Now I
can also connect from Linux at home to my office Win2kTS using
openvpn/tsclient/rdesktop clients, and we also use openvpn clients on
laptops)

The actual additional step now is to get a direct connection from my
home PC to my office Linux workstation. I wish to use NX client/server
for running full X/Gnome/KDE desktops, correspondingly to RDP for
Win2kTS connection. I hope to get this to work also from office to home
afterwards.

Richard Ems wrote:
>
> So you connect to the external ip address on your router, say 1.2.3.4 on
> port 22 and this is forwarded to your linux box.

Yes.

> With or without NAT?

Yes, we use NAT on our office network router, and port 22 with ssh, ping
and echo in the firewall are forwarded to the private IP of my Linux
workstation. I'll double check regarding NAT with my consultant who has
configured the router (and previously for OpenVPN).

Connection examples, here using fictive external ip address to our router:

From Windows on my homePC:
D:\>ping 1.2.3.4
...no response ...request quitted

Microsoft Telnet> open 1.2.3.4 22
Connect to 1.2.3.4 ..... Cannot open connection to server on port 22:
Cannot connect

The same happens also when booting Linux on my home PC. I tried also with ssh:

terje@dhcppc1:~> ssh -vv 1.2.3.4 22
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 1.2.3.4 [1.2.3.4] port 22.


If I try internally from my office Win2kTS (both cases, independent of
local or remote RDP logins to it):

C:\> ping ip_linux_ws
....responded ok
C:\> ping hostname_linux_ws
....responded ok

telnet> open ip_linux_ws
....... which responded
"SSH-1.99-OpenSSH_4.2"
........I entered Return then
"Protocol mismatch"

> Are the packets arriving at the Linux box?

Sorry, how do I possibly find out that (log files, tools)?

> With ip address 1.2.3.4 or natted?

Same as above?

> Did you try to sniff with tcpdump?

How do I verify/check that? (sorry, unknown tool for me)
I guess I have to sit locally on my Linux workstation, possibly do a
tsclient/rdesktop login to our Win2kTS and send something to the
external ip of our router, or? Maybe I can send something directly from
the Linux workstation also?

> Is properly routing configured on the linux box?

Well, in the YaST network configuration routing part, I entered our
private ip_router_ address as standard system port. Then the access to
the Internet worked ok from the Linux workstation. Besides, I use /etc/hosts
and a fixed (private) ip, and have added our domain name and DNS ip there.

> What does /sbin/route say?

Output from the route command as follows:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
1.2.3.0         *               255.255.255.0   U     0      0        0 eth0
link-local      *               255.255.0.0     U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
default         netscreen       0.0.0.0         UG    0      0        0 eth0

> Any sshd messages on /var/log/messages?

Sorry, forgot to check that.

Carlos E. R. wrote:
> How exactly are you testing it? Hardware, software, network setup, both
> sides.

I think and hope I've managed to explain this above.

> I assume there are no tunnels or things involved.
>
There are no tunnels involved when connecting directly from my home PC
to my Linux workstation at my office, using port 22 forwarding from the
office router/firewall to the Linux box.

(OpenVPN as mentioned is used when connecting to the office Win2k
Terminal Server, with another port # forwarded)


Rgds,
Terje
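The open questions in this mail (is the port opened in the SuSEfirewall2 config, are the packets arriving at the Linux box, which log files and tools show it) can be worked through with a few shell helpers. The script below is an added example, not code from the thread, from the poster or from SuSEfirewall2. The config excerpt, `route` output and log lines it parses are constructed samples written to a temporary directory; the SFW2-INext-DROP-DEFLT log prefix and the /var/log/firewall path are assumed from SuSEfirewall2's usual setup, and all addresses and host names are placeholders. The parsers run offline; `live_checks` is what you would run as root on the workstation while someone retries ssh from outside.

```sh
#!/bin/sh
# Added example for this thread (not code from the list or from SuSEfirewall2).
# Helpers for "is ssh opened in the firewall config, and are port-22 packets
# reaching the Linux box?". The parsers run on constructed samples written
# below; live_checks is meant to be run as root on the workstation itself.

SAMPLE_DIR="${TMPDIR:-/tmp}/sfw2_demo.$$"
mkdir -p "$SAMPLE_DIR"
SAMPLE_CFG="$SAMPLE_DIR/SuSEfirewall2"
SAMPLE_ROUTE="$SAMPLE_DIR/route.txt"
SAMPLE_LOG="$SAMPLE_DIR/messages"

# Constructed excerpt of /etc/sysconfig/SuSEfirewall2: ssh open on the external zone.
cat > "$SAMPLE_CFG" <<'EOF'
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
EOF

# Constructed copy of the `route` output quoted in the thread.
cat > "$SAMPLE_ROUTE" <<'EOF'
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.2.3.0 * 255.255.255.0 U 0 0 0 eth0
link-local * 255.255.0.0 U 0 0 0 eth0
loopback * 255.0.0.0 U 0 0 0 lo
default netscreen 0.0.0.0 UG 0 0 0 eth0
EOF

# Constructed log lines in netfilter LOG format. The SFW2-INext-DROP-DEFLT
# prefix is the one SuSEfirewall2 normally uses (assumed; check your own log).
# Addresses and host names are placeholders.
cat > "$SAMPLE_LOG" <<'EOF'
Oct 17 00:30:01 linuxws kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TTL=50 ID=1234 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN URGP=0
Oct 17 00:30:04 linuxws kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=198.51.100.7 DST=192.168.1.10 LEN=60 TTL=50 ID=1235 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 SYN URGP=0
Oct 17 00:30:09 linuxws kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 ID=77 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 SYN URGP=0
Oct 17 00:30:12 linuxws kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 LEN=60 TTL=64 ID=78 DF PROTO=TCP SPT=40002 DPT=2222 WINDOW=5840 SYN URGP=0
Oct 17 00:31:10 linuxws kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.255 LEN=78 TTL=64 ID=79 PROTO=UDP SPT=137 DPT=137 LEN=58
Oct 17 00:32:00 linuxws sshd[4321]: Accepted publickey for terje from 192.168.1.20 port 40000 ssh2
EOF

# Does the config open a TCP service on the external zone?  Reads the last
# FW_SERVICES_EXT_TCP assignment and matches one whitespace-separated token.
fw_ext_tcp_allows() {
    val=$(sed -n 's/^FW_SERVICES_EXT_TCP="\([^"]*\)"/\1/p' "$1" | tail -n 1)
    for tok in $val; do
        [ "$tok" = "$2" ] && return 0
    done
    return 1
}

# Default gateway from saved `route` (or `route -n`) output.
default_gateway() {
    awk '$1 == "default" || $1 == "0.0.0.0" { print $2; exit }' "$1"
}

# Number of firewall DROP lines for TCP traffic to the given destination port.
# The "( |$)" anchor stops DPT=22 from also matching DPT=2222.
count_fw_drops() {
    awk -v port="$2" '/SFW2-[A-Za-z]+-DROP/ && /PROTO=TCP/ && $0 ~ ("DPT=" port "( |$)") { n++ }
         END { print n + 0 }' "$1"
}

# Distinct source addresses whose TCP packets to that port were dropped.
fw_drop_sources() {
    awk -v port="$2" '/SFW2-[A-Za-z]+-DROP/ && /PROTO=TCP/ && $0 ~ ("DPT=" port "( |$)") {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) { sub(/^SRC=/, "", $i); print $i }
         }' "$1" | sort -u
}

# Live diagnostics; run as root on the Linux workstation (not run here).
# The first three answer "is sshd listening and is the box routed"; the last
# two answer "are the packets arriving at all" - tcpdump sees a packet on the
# interface before the firewall decides to drop it.
live_checks() {
    echo "== sshd listening on port 22?";  netstat -tln | grep ':22 '
    echo "== routing table";              route -n
    echo "== INPUT chain with counters";  iptables -L INPUT -n -v
    echo "== last firewall drops for port 22"
    grep -h 'DPT=22 ' /var/log/messages /var/log/firewall 2>/dev/null | tail -n 5
    echo "== next 10 SYNs to port 22 on eth0 (Ctrl-C to stop early)"
    tcpdump -ni eth0 -c 10 'tcp dst port 22 and tcp[tcpflags] & tcp-syn != 0'
}

# Offline demonstration on the constructed samples.
fw_ext_tcp_allows "$SAMPLE_CFG" ssh && echo "config opens ssh on the external zone"
echo "default gateway: $(default_gateway "$SAMPLE_ROUTE")"
echo "dropped TCP/22 packets: $(count_fw_drops "$SAMPLE_LOG" 22)"
echo "dropped from: $(fw_drop_sources "$SAMPLE_LOG" 22 | tr '\n' ' ')"
```

If `count_fw_drops` reports drops for port 22 while the config already lists ssh in FW_SERVICES_EXT_TCP, the usual cause is that the firewall was not restarted after the config change or that eth0 is not the interface in FW_DEV_EXT; if tcpdump in `live_checks` shows no SYNs at all, the problem is in front of the workstation (router port forwarding or NAT), not in SuSEfirewall2.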
