Terje J. Hanssen wrote:

> I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE 10.1 workstation from remote locations. The purpose is to run NX server/clients and SSH in the first phase. So far port 22 of my network router is directed to the SuSE workstation, and I've tried with YaST to enable the ssh service in the firewall. But the workstation doesn't seem to respond to remote ssh commands.

First of all, how many NICs (network cards) are inside the box? If there is only one, this should be dev_ext (external device).

> Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
>
> FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
> FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"

This is correct as far as the external device is the device showing to the clients. If you use it as a router then you must set rules for dev_int to get access from the internal network. If you intend to allow access to the internet and use a separate router, you must set up forwarding rules on the router's firewall!

> I'm not sure about use of required zones EXT, INT and/or DMZ? In YaST2 I could neither see a way to set both "ssh 22" as commented in the config file?

EXT/INT/DMZ - what the heck is this? Most newbies ask ...

You can use a router from your provider or build your own firewall with Linux (especially on this list, with SuSE Linux).

EXT - external network card (shows to the bad internet). Here you allow what services on the server are allowed.
INT - internal network card (shows to the clients in your network). Here you allow what the clients are allowed.
DMZ - demilitarized zone (this is the place where the servers live in more complex environments). Here you place servers and allow access from the server's side. On the server's side you have to look for what is allowed and build their own firewall rules in addition to your firewall here on this Linux router!

On the other hand, there are two ways to set up a router (own IP range or masquerading for DSL/cable/...). In both cases you can forward ports, which means the same as you do on the router to bypass the firewall and directly forward a request to a designated port. With forwarding, some people think it is evil, some others use it. What you will do depends on your decision.

The best way to set up a firewall is to first disallow everything and then allow what you want to allow! This is the way SuSEfirewall2 is designed (more or less, but you have to get through the script). For my purpose I modify the script, as there are a lot of double rules you really don't need in any case if you have no DMZ!

@SuSE-Team: Can someone at SuSE have a look at the SuSEfirewall2 script and change it so that, in case of no use of DMZ, the iptables rules aren't set? This minimizes the amount of rules needed. Another thing is the big size of logs which are written if you use the "out of the box" configuration!

> Suggestions to how to do this and to what is the preferred way to test the settings, locally and from remote?

The easiest way is to use your "no-name-thingy-dingy-your-provider-gave-you" router. Set up forward rules to your specific server IP.

    INTERNET
       |
    ROUTER (forward rule to server)
       |
    SERVER in internal network (DEV_EXT)

Set up FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP as you already have, and only forward ssh from the router to the server. What not to forward is, on the TCP protocol, "microsoft-ds netbios-ssn" and, on the UDP protocol, "netbios-dgm netbios-ns"! The name of the service is enough, as the firewall uses the ports specified in /etc/services. If you switch things here, the changed port is used. Things can be tricky with changing ports, so better leave it as is if you don't know what you do! For example, I changed, for some reason not to be discussed further, the ssh port to the telnet port and some other security-related ports to other unknown ports to minimize the chance of getting unwanted visitors.

By the way, try to read /etc/sysconfig/SuSEfirewall2. The configuration purpose for each line can be read between the (commented-out) lines.

> Thanks, Terje J. Hanssen

For most common questions you may have a look at this: http://susefaq.sourceforge.net/susefaq.html ! It answers a lot of questions.
With best regards,
Philippe
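An added audit script, not from the thread or from SuSEfirewall2 itself, that does what the reply describes: it reads the FW_SERVICES_EXT_TCP/UDP lines, resolves each service name to a port via /etc/services the way the firewall does, and reports everything opened on the EXT zone that is not on an allowlist (here only ssh). The config excerpt and the /etc/services excerpt are constructed inline so it runs offline.

```shell
#!/bin/sh
# Constructed excerpt of /etc/services (embedded so the check runs offline).
SERVICES_TABLE='ssh             22/tcp
ssh             22/udp
telnet          23/tcp
microsoft-ds    445/tcp
microsoft-ds    445/udp
netbios-ns      137/tcp
netbios-ns      137/udp
netbios-dgm     138/tcp
netbios-dgm     138/udp
netbios-ssn     139/tcp
netbios-ssn     139/udp'

# Constructed excerpt of /etc/sysconfig/SuSEfirewall2, as posted in the thread.
FW_CONFIG='FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"'

# resolve_port NAME PROTO: print the port for NAME/PROTO from the services
# table; a purely numeric NAME is already a port and is printed unchanged.
resolve_port() {
    case "$1" in
        *[!0-9]*) printf '%s\n' "$SERVICES_TABLE" |
            awk -v n="$1" -v p="$2" \
                '$1 == n && $2 ~ "/" p "$" { sub("/.*", "", $2); print $2; exit }' ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# ext_services TCP|UDP: print the value of FW_SERVICES_EXT_<PROTO>.
ext_services() {
    printf '%s\n' "$FW_CONFIG" | sed -n "s/^FW_SERVICES_EXT_$1=\"\(.*\)\"\$/\1/p"
}

# audit_ext ALLOWED: print "proto/port name" for every service opened on the
# external zone that is not in the space-separated ALLOWED list.
audit_ext() {
    allowed=" $1 "
    for proto in tcp udp; do
        for svc in $(ext_services "$(echo "$proto" | tr a-z A-Z)"); do
            port=$(resolve_port "$svc" "$proto")
            case "$allowed" in
                *" $svc "*) ;;                      # explicitly allowed, skip
                *) printf '%s/%s %s\n' "$proto" "${port:-?}" "$svc" ;;
            esac
        done
    done
}
```

Run `audit_ext ssh` against the real files by replacing the two embedded excerpts with `cat /etc/services` and `cat /etc/sysconfig/SuSEfirewall2`; every line it prints is a service reachable from the external device that the thread says should not be forwarded.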