Mailinglist Archive: opensuse-security (69 mails)

Re: [suse-security] Open port in SuSEfirewall2
  • From: Jürgen Mell <juergen.mell@xxxxxxxxxxx>
  • Date: Sun, 15 Oct 2006 18:25:59 +0200
  • Message-id: <200610151826.05262.juergen.mell@xxxxxxxxxxx>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Terje,

On Sunday 15 October 2006 17:53, Terje J. Hanssen wrote:
> I'm new to SuSEfirewall2 and I'm struggling to get access to my openSUSE
> 10.1 workstation from remote locations. The purpose is to run NX
> server/clients and SSH in the first phase. So far port 22 of my network
> router is directed to the SuSE workstation, and I've tried with YaST to
> enable the ssh service in the firewall. But the workstation doesn't seem
> to respond on remote ssh commands.
>
> Looking in /etc/sysconfig/SuSEfirewall2 the following are set:
>
> FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
> FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
>
> I'm not sure about use of required zones EXT, INT and/or DMZ?
> In YaST2 I could neither see a way to set both "ssh 22" as commented in
> the config file?
>
> Suggestions to how to do this and to what is the preferred way to test
> the settings, locally and from remote?

Is the workstation connected to the internet?

If not, try to disable the firewall: As root enter

rcSuSEfirewall2 stop

Then try to ping the workstation from another computer in your network

ping <IP address of workstation>

If this works well, the network connection to your workstation is ok and you
can proceed further. If not, you will have to check your routing.

If your workstation is connected to the internet, you will probably want to
remove the entries for microsoft-ds, netbios-dgm and netbios-ns from
FW_SERVICES_EXT_*. Otherwise you would allow anybody access to a SAMBA
server on your workstation which is probably not a good idea. The lines
should read

FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_UDP=""

to allow ssh access only.

Next step would be to check whether the SSH daemon is running at all. As
root at the workstation enter

rcsshd status

If it is not 'running' try to start it with

rcsshd start

Check for any error messages here. If the service is running or can be
started, try from another computer to access your workstation. telnet
might be a good program to try:

telnet <IP address of your workstation> 22

You should get at least some message from the SSH daemon. If this also
works, you can try the SSH program to connect to your workstation. If you
run it on Linux, add parameter -vv to get some information what happens
during start of connection. Also have a look into /var/log/messages and
check whether the SSH daemon complains about something. If a remote ssh
connection does not work, try it from the workstation itself:

ssh localhost

Does this work or do you get any error messages?

Bye,
Jürgen

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFFMmEdtMrl3JEeRvwRArfZAJ9PMlAgKnw4NrMLd25aoYAm9uKOfQCeOp4T
Me/VO6jmqD0by9HyUnFpVo4=
=ErPa
-----END PGP SIGNATURE-----
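
The reply above is a checklist: trim FW_SERVICES_EXT_* to ssh, confirm the host answers ping, and confirm sshd answers on port 22. The script below is an added example written for this archive page, not code posted in the thread. It parses a constructed copy of the FW_SERVICES_EXT_* lines from the question and lists every service the EXT zone exposes beyond an allow-list (ssh), which is the Samba exposure Jürgen warns about; it then wraps the ping and "telnet host 22" steps as a function you can point at the real workstation. Assumptions: nc supports -w for a connect timeout and ping is Linux iputils (-W); the config path and the IP address in the comment are placeholders.

```shell
#!/bin/sh
# Added example: audit SuSEfirewall2 EXT-zone services and run the
# reachability checks from the reply. Not from the original thread.

# Constructed sample of /etc/sysconfig/SuSEfirewall2, copied from the
# question's FW_SERVICES_EXT_* lines. Prints the temp file's path.
write_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# constructed sample, not a real /etc/sysconfig/SuSEfirewall2
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="microsoft-ds netbios-ssn ssh"
FW_SERVICES_EXT_UDP="netbios-dgm netbios-ns"
EOF
    echo "$f"
}

# Print the value of one FW_SERVICES_* variable (last assignment wins,
# as in a sourced sysconfig file; commented-out lines are ignored).
# Usage: fw_services <config-file> <VARIABLE>
fw_services() {
    sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1" | tail -n 1
}

# List services in FW_SERVICES_EXT_TCP/UDP that are not in the allow-list
# given as the remaining arguments. Returns 1 if anything is exposed.
# Usage: fw_ext_unexpected <config-file> <allowed-service>...
fw_ext_unexpected() {
    file=$1; shift
    found=0
    for var in FW_SERVICES_EXT_TCP FW_SERVICES_EXT_UDP; do
        for svc in $(fw_services "$file" "$var"); do
            ok=0
            for a in "$@"; do [ "$svc" = "$a" ] && ok=1; done
            if [ $ok -eq 0 ]; then
                echo "$var exposes $svc"
                found=1
            fi
        done
    done
    return $found
}

# The reply's remote steps: ping first, then the SSH banner on port 22
# (the "telnet <host> 22" step, done with nc). Needs a real target, so it
# is not run below. Assumes iputils ping (-W) and an nc that supports -w.
# Usage: check_remote <host> [port]
check_remote() {
    host=$1; port=${2:-22}
    if ping -c 1 -W 2 "$host" >/dev/null 2>&1; then
        echo "ping: $host answers"
    else
        echo "ping: no answer from $host (check routing / firewall first)"
    fi
    banner=$(nc -w 3 "$host" "$port" </dev/null 2>/dev/null | head -n 1)
    case $banner in
        SSH-*) echo "port $port: sshd banner: $banner" ;;
        *)     echo "port $port: no SSH banner (sshd down or port blocked)" ;;
    esac
}

SAMPLE=$(write_sample_config)
echo "EXT-zone services beyond ssh in $SAMPLE:"
fw_ext_unexpected "$SAMPLE" ssh \
    || echo '-> set FW_SERVICES_EXT_TCP="ssh" and FW_SERVICES_EXT_UDP=""'
# check_remote 192.0.2.10      # placeholder: the workstation's address
```

Run it against the real file by replacing the sample path with /etc/sysconfig/SuSEfirewall2; an empty listing and exit status 0 means only ssh is open to the EXT zone, which is the state the reply recommends before testing from outside.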
