Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] Open port in SuSEfirewall2
  • From: "Terje J. Hanssen" <nteknikk@xxxxxxxx>
  • Date: Sun, 15 Oct 2006 22:00:04 +0200
  • Message-id: <45329344.8040307@xxxxxxxx>
Hi Philippe,

Thank you for replying. See also my recent follow-up reply to Jürgen.

Philippe Vogel wrote:
> Terje J. Hanssen wrote:
> > I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE
> > 10.1 workstation from remote locations. The purpose is to run NX
> > server/clients and SSH in the first phase. So far port 22 of my network
> > router is directed to the SuSE workstation, and I've tried with YaST to
> > enable the ssh service in the firewall. But the workstation doesn't seem
> > to respond on remote ssh commands.
> First of all, how many NICs (network cards) are inside the box?
> If there is only one, this should be dev_ext (the external device).

Yes, one, single NIC

> > Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
> > FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
> > FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"

> This is correct as long as the external device is the one facing
> the clients.
> If you use it as a router, then you must set rules on dev_int to get
> access from the internal network.
> If you intend to allow access over the internet and use a separate
> router, you must set up forwarding rules on the router's firewall!

It's not used as a router. I have a separate Netscreen router with
proprietary firewall. Port 22 of this router is forwarded to my Linux box.

> > Suggestions to how to do this and to what is the preferred way to test
> > the settings, locally and from remote?
> The easiest way is to use your
> "no-name-thingy-dingy-your-provider-gave-you" router. Set up forward
> rules to your specific server IP.
>
> INTERNET
> |
> ROUTER (Forward rule to server)
> |
> SERVER in internal network (DEV_EXT)
>
> Setup FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP as you already have
> and only forward ssh from the router to the server.
> What not to forward is, on TCP: "microsoft-ds netbios-ssn", and
> on UDP: "netbios-dgm netbios-ns"!

Do the "microsoft" and "netbios" entries possibly come from the
installation of Samba, although I haven't configured Samba yet?

Otherwise, I think this is in principle how my configuration already is. As I
already have a firewall running on the separate router, maybe I can
disable the SuSE firewall, at least until I get an SSH connection
working. But it is installed and enabled by default, and I need it on my
home PC.

> The name of the service is enough, as the firewall uses the ports
> specified in /etc/services. If you switch things there, the changed port
> is used.
> Things can be tricky with changing ports, so better leave it as is if you
> don't know what you are doing!
> For example, for reasons not to be discussed further, I changed the
> ssh port to the telnet port and some other security-related ports to other
> unknown ports to minimize the chance of getting unwanted visitors.
>
> By the way, try to read /etc/sysconfig/SuSEfirewall2. The configuration
> purpose for each line can be read in the (commented-out) lines between them.

Yes, it was in the config file that I saw "ssh 22" mentioned, while
configuring the firewall with YaST only offered the service selection,
as far as I could see.

> For most common questions you may have a look at this:
> http://susefaq.sourceforge.net/susefaq.html ! It answers a lot of
> questions.

Thanks for this URL, which I had almost forgotten. Besides, I am also
looking at this draft
http://sourceforge.net/project/showfiles.php?group_id=42064&package_id=60847
as I haven't found an official SuSE guide for the firewall.

Terje
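
The check below is an added example for readers of this thread, not code from Terje, Philippe or the SuSEfirewall2 project. It audits the two FW_SERVICES_EXT_* lines quoted above the way the firewall itself interprets them: each service name is looked up in an /etc/services-style file (so a changed port there, as Philippe describes, is followed), and anything other than ssh on the external device is flagged. The /etc/services excerpt, the "weak" config and the hardened config are all constructed inline so the script runs offline; on a real box, point SERVICES_FILE at /etc/services and pass /etc/sysconfig/SuSEfirewall2 to audit_ext.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit which services a
# SuSEfirewall2 config opens on the external device (FW_SERVICES_EXT_TCP and
# FW_SERVICES_EXT_UDP), resolve the service names to ports the same way the
# firewall does (via /etc/services), and flag everything that is not ssh.
# All files below are constructed so the script runs offline; on a real box
# point SERVICES_FILE at /etc/services and audit /etc/sysconfig/SuSEfirewall2.

SERVICES_FILE=$(mktemp)
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$SERVICES_FILE" "$WEAK_CONF" "$HARD_CONF"' EXIT

# Constructed excerpt of /etc/services (name  port/proto).
cat > "$SERVICES_FILE" <<'EOF'
ssh             22/tcp
telnet          23/tcp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
microsoft-ds    445/tcp
EOF

# Constructed copy of the two lines quoted in the thread.
cat > "$WEAK_CONF" <<'EOF'
## Type: string
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
EOF

# Hardened variant: only ssh is open on the external device.
cat > "$HARD_CONF" <<'EOF'
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""
EOF

# conf_value FILE VAR: value of VAR="..." from a sysconfig file; the last
# assignment wins, commented-out lines are ignored, empty if unset.
conf_value() {
    grep "^[[:space:]]*$2=" "$1" | tail -n 1 | cut -d= -f2- | tr -d '"'
}

# resolve_port NAME PROTO: port number for NAME/PROTO from SERVICES_FILE.
# A bare number is accepted as is; unknown names fail with status 1.
resolve_port() {
    case $1 in
        *[!0-9]*)
            awk -v n="$1" -v p="$2" '
                $1 == n && $2 ~ ("/" p "$") { split($2, a, "/"); print a[1]; found = 1; exit }
                END { exit !found }' "$SERVICES_FILE" ;;
        *)  echo "$1" ;;
    esac
}

# audit_ext CONF: print one "proto service port verdict" line per externally
# open service; return 1 if anything other than ssh is exposed, else 0.
audit_ext() {
    bad=0
    for proto in tcp udp; do
        var="FW_SERVICES_EXT_$(echo "$proto" | tr a-z A-Z)"
        for svc in $(conf_value "$1" "$var"); do
            if ! port=$(resolve_port "$svc" "$proto"); then
                echo "$proto $svc ? UNKNOWN (not in services file)"
                bad=1
            elif [ "$svc" = ssh ]; then
                echo "$proto $svc $port ok"
            else
                echo "$proto $svc $port EXPOSED (Samba/NetBIOS does not belong on dev_ext)"
                bad=1
            fi
        done
    done
    return $bad
}

# count_exposed CONF: number of flagged services, handy in scripts.
count_exposed() {
    audit_ext "$1" | grep -c -e EXPOSED -e UNKNOWN
}

echo "== weak config (as quoted in the thread) =="
audit_ext "$WEAK_CONF" || echo "-> more than ssh is open on the external device"
echo "== hardened config =="
audit_ext "$HARD_CONF" && echo "-> only ssh is open on the external device"
```

Two points worth keeping in mind when reading the output. The Netscreen only forwards port 22, so the NetBIOS ports are not reachable from the internet through it, but FW_SERVICES_EXT_* opens them to everything that can reach the NIC directly, which is why the advice to keep them off the external device stands even behind a separate router. And because the lookup goes through the services file, the audit reports whatever port "ssh" currently maps to there; a changed mapping of the kind Philippe mentions shows up as an unexpected port number rather than being silently accepted.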
