Mailinglist Archive: opensuse-security (69 mails)

< Previous Next >
Re: [suse-security] Open port in SuSEfirewall2
  • From: Philippe Vogel <filiaap@xxxxxxxxxx>
  • Date: Sun, 15 Oct 2006 21:00:13 +0200
  • Message-id: <4532853D.2020405@xxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Terje J. Hanssen schrieb:
> I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE
> 10.1 workstation from remote locations. The purpose is to run NX
> server/clients and SSH in the first phase. So far port 22 of my network
> router is directed to the SuSE workstation, and I've tried with YaST to
> enable the ssh service in the firewall. But the workstation doesn't seem
> to respond on remote ssh commands.
First of all how many nics (network cards) are inside the box?
Is there only one this should be dev_ext (external device).
> Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
>
> FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
> FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
This is correct as far as the external device is the device showing to
the clients.
If you use it as a router then you must set rules to dev_int to get
access from internal network.
If you intend to allow access to the internet and use a separate
router you must setup forwarding rules on the router's firewall!
> I'm not sure about use of required zones EXT, INT and/or DMZ?
> In YaST2 I could neither see a way to set both "ssh 22" as commented in
> the config.file?
EXT/INT/DMZ what the hack is this most newbees ask ...

You can use a router from your provider or build your own firewall
with linux (especially on this list with SuSE-Linux).

EXT - external network card (shows to the bad internet)

Here you allow what services on the server are allowed.

INT - internal network card (shows to the clients in your network)

Here you allow what the clients are allowed.

DMZ - demilitarized zone (this is the place where the servers life in
more complex environments)

Here you place servers and allow access from the server's side.
On the server's side you have to look for what is allowed and build
their own firewall rules additional to your firewall here on this
linux router!

On the other hand there are two ways to setup a router (own ip-range
or masquerading for DSL/cable/...).
In both cases you can forward ports which means the same you do on the
router to bypass the firewall and directly forward a request to a
designated port.
With forwarding some people think it is evil some others use it. What
you will do depends on your decision.

The best way is to setup a firewall is to first disallow everything
and then allow what you want to allow! This is the way the
SuSEfirewall2 is designed (more or less but you have to get through
the script). For my purpose I modify the script as there are a lot of
double rules you really don't need in no case if you have no DMZ!

@SuSE-Team: Can someone at SuSE have a look at the
SuSEfirewall2-script and change it that in case of no use of DMZ the
iptables rules aren't set? This minimizes the amount of rules needed.
Another thing is the big size of logs which are written if you use the
"out of the box" configuration!
> Suggestions to how to do this and to what is the preferred way to test
> the settings, locally and from remote?
The easiest way is to use your
"no-name-thingy-dingy-your-provider-gave-you" router. Setup forward
rules to your specific server-ip.

INTERNET
|
ROUTER (Forward rule to server)
|
SERVER in internal network (DEV_EXT)

Setup FW_SERVICES_EXT_TCP and FW_SERVICES_EXT_UDP as you already have
and only forward ssh from the router to the server.
What to not forward is on TCP-protocol: "microsoft-ds netbios-ssn" and
on UDP-protocol: "netbios-dgm netbios-ns"!

The name of the service is enough as the firewall uses the ports
specified in /etc/services. If you switch things here the changed port
is used.
Things can be tricky with changing ports so better leave as is if you
don't know what you do!
For example I changed for some not more to be discussed reason
ssh-port to telnet-port and some other security related ports to other
unknown ports to minimize the case of getting unwanted visitors.

By the way try to read /etc/sysconfig/SuSEfirewall2. The configuration
purpose for each line can be read between the (out commented) lines.
> Thanks,
> Terje J. Hanssen
For most common questions you may have a look at this:
http://susefaq.sourceforge.net/susefaq.html ! It answers alot of
questions.

With best regards

Philippe

- --
Diese Nachricht ist digital signiert und enthält weder Siegel noch
Unterschrift!

Die unaufgeforderte Zusendung einer Werbemail an Privatleute verstößt
gegen §1 UWG und 823 I BGB (Beschluß des LG Berlin vom 2.8.1998 Az:
16 O 201/98). Jede kommerzielle Nutzung der übermittelten
persönlichen Daten sowie deren Weitergabe an Dritte ist ausdrücklich
untersagt!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: GnuPT 2.7.2
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQD1AwUBRTKFPENg1DRVIGjBAQI1egb7BLZsyEZBOjrDdvSkPM8pXPvHJiNzwKRo
/cwcv8DJ5+xlUb6w7DvwFOuoKN1uyNEtNksfBKCKokUdZT1XntZMlyvifclReof4
+zuDirhMidI8CcXPWe7iU/YTCVkBS72bZr8AHvyKFqB0dtbJtfwkeg7FpO/iNLOA
NGwrcb55t7NrWGM8vE/qFsfZAXQTK3LCvReDh64U3mFQS+1bxsq3LEnqU4gLvnWV
9GXffPw91VBTaLW6znShf1Ui7CLWdvugUisRd9NDmBo9pM2B3h9cjWeDV5CFKcvI
ARAxMK7+W+8=
=ZPgE
-----END PGP SIGNATURE-----


< Previous Next >
Follow Ups
References