Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] Open port in SuSEfirewall2
  • From: "Terje J. Hanssen" <nteknikk@xxxxxxxx>
  • Date: Sun, 15 Oct 2006 21:13:58 +0200
  • Message-id: <45328876.6080307@xxxxxxxx>
Hi Jürgen,

Thank you for replying. I'm sitting "external" to my office network
just now, on my home PC running openSUSE 10.1. Therefore I cannot run all
the local tests you mentioned until tomorrow, internally at my office.

What I can do and have verified now is:

Running openvpn and tsclient/RDP clients on my Linux home PC I can
connect to my office Win2k Terminal server running openvpn. This is
equivalent to the NX connection I wish to make to my office Linux workstation,
with the exception that NX uses its embedded ssh. I'll use NX client for
Linux on my home PC connecting to my office openSUSE 10.1 workstation
running NX server, and also use NX client for Windows at my office. But
first I'll try to get a plain ssh connection to work.

Internal ping ok
Logged on to my Win2kTS and started a Command terminal. Ping ok with no
response problem from my networked Linux workstation, trying both its
private IP (NAT) and hostname. I know there is also no problem
pinging the opposite way to all networked hosts and printers at my office.

Internal telnet attempt
Started also a Win2kTS telnet window and tried
open internal_IP_of_Linux_host 22
which responded
"SSH-1.99-OpenSSH_4.2"
entered Return then got
"Protocol mismatch"

Tried also from my home PC in a terminal
telnet external_IP_of_office_router 22
but got no response

Does this say something more to possibly try?

Else,
yes, my office Linux workstation is connected to Internet through a
Netscreen router and firewall (gateway).

I thought the entries microsoft and netbios in the config file came from
installing the Samba server, which I haven't really set up yet. Are they
possibly required for Samba?


Terje

Jürgen Mell wrote:
> Hi Terje,
>
> On Sunday 15 October 2006 17:53, Terje J. Hanssen wrote:
> > I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE
> > 10.1 workstation from remote locations. The purpose is to run NX
> > server/clients and SSH in the first phase. So far port 22 of my network
> > router is directed to the SuSE workstation, and I've tried with YaST to
> > enable the ssh service in the firewall. But the workstation doesn't seem
> > to respond on remote ssh commands.
>
> > Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
>
> > FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
> > FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
>
> > I'm not sure about use of required zones EXT, INT and/or DMZ?
> > In YaST2 I could neither see a way to set both "ssh 22" as commented in
> > the config file?
>
> > Suggestions to how to do this and to what is the preferred way to test
> > the settings, locally and from remote?
>
> Is the workstation connected to the internet?
>
> If not, try to disable the firewall: As root enter
>
> rcSuSEfirewall2 stop
>
> Then try to ping the workstation from another computer in your network
>
> ping <IP address of workstation>
>
> If this works well, the network connection to your workstation is ok
> and you can proceed further. If not, you will have to check your routing.
>
> If your workstation is connected to the internet, you will probably
> want to remove the entries for microsoft-ds, netbios-dgm and netbios-ns from
> FW_SERVICES_EXT_*. Otherwise you would allow anybody access to a SAMBA
> server on your workstation which is probably not a good idea. The lines
> should read
>
> FW_SERVICES_EXT_TCP="ssh"
> FW_SERVICES_EXT_UDP=""
>
> to allow ssh access only.
>
> Next step would be to check whether the SSH daemon is running at all. As
> root at the workstation enter
>
> rcsshd status
>
> If it is not 'running' try to start it with
>
> rcsshd start
>
> Check for any error messages here. If the service is running or can be
> started, try from another computer to access your workstation. telnet
> might be a good program to try:
>
> telnet <IP address of your workstation> 22
>
> You should get at least some message from the SSH daemon. If this also
> works, you can try the SSH program to connect to your workstation. If you
> run it on Linux, add parameter -vv to get some information what happens
> during start of connection. Also have a look into /var/log/messages and
> check whether the SSH daemon complains about something. If a remote ssh
> connection does not work, try it from the workstation itself:
>
> ssh localhost
>
> Does this work or do you get any error messages?
>
> Bye,
> Jürgen
>

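The procedure Jürgen describes above (trim FW_SERVICES_EXT_* down to ssh, then confirm that something answers on port 22) can be checked with a small POSIX sh script. This is an added example, not code from the thread or from SuSEfirewall2: it audits a config fragment for EXT-zone services other than ssh, emits the "ssh only" form of the two lines, and classifies the line a telnet probe of port 22 returns (Terje's "SSH-1.99-OpenSSH_4.2" is a real sshd banner; the 1.99 means the server speaks both SSH protocol versions). The config text inside the script is constructed for the example and mirrors the lines quoted in the thread; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or from SuSEfirewall2 itself).
# Audits the external-zone service lists of a SuSEfirewall2 config and
# produces the ssh-only form recommended in the thread.

# Constructed sample config: the two quoted lines plus a little context.
SAMPLE_CONFIG='## Path: Network/Firewall/SuSEfirewall2
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
FW_SERVICES_EXT_IP=""'

# fw_get VAR CONFIGTEXT: print the double-quoted value of VAR (first match only).
fw_get() {
    printf '%s\n' "$2" | sed -n "s/^$1=\"\(.*\)\"[[:space:]]*$/\1/p" | head -n 1
}

# fw_extra_services CONFIGTEXT: print every EXT-zone service that is not ssh,
# one per line. Anything listed here is reachable from the internet side.
fw_extra_services() {
    for svc in $(fw_get FW_SERVICES_EXT_TCP "$1") $(fw_get FW_SERVICES_EXT_UDP "$1"); do
        [ "$svc" = "ssh" ] || printf '%s\n' "$svc"
    done
}

# fw_ssh_only CONFIGTEXT: print the config with the EXT zone reduced to ssh,
# i.e. FW_SERVICES_EXT_TCP="ssh" and FW_SERVICES_EXT_UDP="".
fw_ssh_only() {
    printf '%s\n' "$1" | sed \
        -e 's/^FW_SERVICES_EXT_TCP=.*/FW_SERVICES_EXT_TCP="ssh"/' \
        -e 's/^FW_SERVICES_EXT_UDP=.*/FW_SERVICES_EXT_UDP=""/'
}

# banner_is_ssh LINE: succeed if LINE is an SSH identification string, which is
# what "telnet <host> 22" shows when sshd answers. "Protocol mismatch" is what
# sshd replies when telnet then sends something that is not an SSH client hello.
banner_is_ssh() {
    case "$1" in
        SSH-*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Usage when run directly: report the extra services and show the fixed lines.
# On a real workstation, replace SAMPLE_CONFIG with
#   "$(cat /etc/sysconfig/SuSEfirewall2)" and run as root.
if [ "${0##*/}" = "fw_audit.sh" ]; then
    echo "EXT-zone services other than ssh:"
    fw_extra_services "$SAMPLE_CONFIG"
    echo "Corrected lines:"
    fw_ssh_only "$SAMPLE_CONFIG" | grep '^FW_SERVICES_EXT_\(TCP\|UDP\)='
fi
```

Save it as fw_audit.sh to get the report, or source it and call the functions against the live file. The audit only covers the EXT zone, which is the one that matters for a host behind a port forward from the router; after editing /etc/sysconfig/SuSEfirewall2 the firewall still has to be restarted (rcSuSEfirewall2 restart) before the change takes effect, and the external telnet test in the thread depends on the router forward as well, so a silent external probe with a working internal banner points at the router, not at sshd.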
