Hi Philippe, Thank you for replying. See also my follow-up reply to Jürgen recently. Philippe Vogel wrote:
Terje J. Hanssen schrieb:
I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE 10.1 workstation from remote locations. The purpose is to run NX server/clients and SSH in the first phase. So far port 22 of my network router is directed to the SuSE workstation, and I've tried with YaST to enable the ssh service in the firewall. But the workstation doesn't seem to respond on remote ssh commands.
First of all, how many NICs (network cards) are inside the box? If there is only one, this should be dev_ext (external device).
Yes, one, single NIC
Looking in /etc/sysconfig/SuSEfirewall2 the following are set: FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh" FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
This is correct as far as the external device is the device showing to the clients. If you use it as a router then you must set rules to dev_int to get access from internal network. If you intend to allow access to the internet and use a separate router you must setup forwarding rules on the router's firewall!
It's not used as a router. I have a separate Netscreen router with proprietary firewall. Port 22 of this router is forwarded to my Linux box.
Suggestions to how to do this and to what is the preferred way to test the settings, locally and from remote?
The easiest way is to use your "no-name-thingy-dingy-your-provider-gave-you" router. Setup forward rules to your specific server-ip.
INTERNET
   |
ROUTER (forward rule to server)
   |
SERVER in internal network (DEV_EXT)
Setup FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP as you already have and only forward ssh from the router to the server. What to not forward is on TCP-protocol: "microsoft-ds netbios-ssn" and on UDP-protocol: "netbios-dgm netbios-ns"!
Do the "microsoft" and "netbios" entries possibly come from the installation of Samba, although I haven't configured Samba yet? Else, I think this is in principle how my configuration already is. As I already have a firewall running on the separate router, maybe I can disable the SuSE firewall, at least until I get an SSH connection available. But it is installed and enabled by default and I need it on my home PC.
The name of the service is enough as the firewall uses the ports specified in /etc/services. If you switch things here the changed port is used. Things can be tricky with changing ports so better leave as is if you don't know what you do! For example I changed, for some reason not to be discussed further, the ssh-port to the telnet-port and some other security related ports to other unknown ports to minimize the case of getting unwanted visitors.
By the way try to read /etc/sysconfig/SuSEfirewall2. The configuration purpose for each line can be read between the (out commented) lines.
Yes, it was in the config file that I saw "ssh 22" mentioned, while configuring the firewall with YaST only had the service selection available as far as I could see.
For most common questions you may have a look at this: http://susefaq.sourceforge.net/susefaq.html ! It answers a lot of questions.
Thanks for this URL which I almost had forgotten. Besides, I am also looking in this draft http://sourceforge.net/project/showfiles.php?group_id=42064&package_id=60847 as I haven't found an official SuSE guide for the firewall. Terje
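The check Philippe describes above (the firewall resolves the names in FW_SERVICES_EXT_TCP/UDP through /etc/services, and the Samba/NetBIOS entries should stay off the router's forward list) as an added shell example, not code from the thread or from SuSEfirewall2 itself; the config and /etc/services excerpts are constructed, and the lan-only/forward-ok verdicts are this example's own labels.

```shell
#!/bin/sh
# Added example: audit the FW_SERVICES_EXT_* lines of a SuSEfirewall2 config by
# resolving each service name through /etc/services and flagging the
# Samba/NetBIOS names that should not be forwarded from the router.

# Constructed excerpt of /etc/sysconfig/SuSEfirewall2
FW_CONF='## Type: string
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"'

# Constructed excerpt of /etc/services (name port/proto)
SERVICES_DB='ssh             22/tcp
telnet          23/tcp
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
microsoft-ds    445/tcp'

# conf_value VAR -> the quoted value of VAR in $FW_CONF (comment lines ignored)
conf_value() {
    printf '%s\n' "$FW_CONF" | sed -n "s/^$1=\"\(.*\)\"\$/\1/p"
}

# resolve_port NAME PROTO -> port number from $SERVICES_DB, exit 1 if unknown
resolve_port() {
    printf '%s\n' "$SERVICES_DB" | awk -v n="$1" -v p="$2" '
        $1 == n && $2 ~ ("/" p "$") { split($2, a, "/"); print a[1]; found = 1; exit }
        END { if (!found) exit 1 }'
}

# audit PROTO -> one "name port verdict" line per service listed for PROTO
audit() {
    case "$1" in
        tcp) var=FW_SERVICES_EXT_TCP ;;
        udp) var=FW_SERVICES_EXT_UDP ;;
        *) echo "audit: unknown protocol $1" >&2; return 1 ;;
    esac
    for svc in $(conf_value "$var"); do
        if ! port=$(resolve_port "$svc" "$1"); then
            echo "$svc ? not-in-/etc/services"; continue
        fi
        case "$svc" in
            # Samba/NetBIOS: keep LAN-only, never forward them from the router
            netbios-*|microsoft-ds) verdict=lan-only ;;
            *) verdict=forward-ok ;;
        esac
        echo "$svc $port $verdict"
    done
}

audit tcp
audit udp
```

Only services marked forward-ok (here just ssh on 22) belong in the router's forward rule; anything marked lan-only is reachable from the LAN through dev_ext but should not be exposed to the Internet.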