
Thread: SuSEFirewall2

  1. #1

    SuSEFirewall2

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi, how do I block all connections from xxx.xx.??.??? and only allow
    connections from xxx.xx.bb.??? on openSUSE firewall?

    - --
    VampirD

    Microsoft Windows is like air conditioning
    Stops working when you open a window.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.12 (GNU/Linux)
    Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

    iEYEARECAAYFAku8mW4ACgkQJQ+0ABWtaVnZ1ACg1fdmwHM0IVdF7Ds/uwf7vVie
    yjQAn3/5l/7GyNhuN+lRypY/Bfge11Ea
    =7Cue
    -----END PGP SIGNATURE-----

  2. #2

    Re: SuSEFirewall2

    Read comments in /etc/sysconfig/SuSEfirewall2.

    It is one of the best documented files in openSUSE.
    Never attribute to malice that which can be adequately explained by stupidity. (R.J. Hanlon)

  3. #3

    Re: SuSEFirewall2

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    So, I would change it to

    FW_SERVICES_EXT_TCP=""
    FW_SERVICES_EXT_UDP=""
    FW_SERVICES_EXT_IP=""
    FW_SERVICES_EXT_RPC=""
    FW_CONFIGURATIONS_EXT="ypbind"
    FW_TRUSTED_NETS="xxx.xx.aa.0/bb apache2 samba-client samba-server sshd"

    ????

    - --
    VampirD

    Microsoft Windows is like air conditioning
    Stops working when you open a window.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.12 (GNU/Linux)
    Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

    iEYEARECAAYFAku9xigACgkQJQ+0ABWtaVlbOQCg37sDww/pbyeRfF9UCXk64LtM
    FhwAoMZUiCU1bayAA+uXOiaV1MWSZ5G4
    =Ouh2
    -----END PGP SIGNATURE-----

  4. #4

    Re: SuSEFirewall2

    Not sure why you're not using the firewall module; it looks self-explanatory to me. Though you would have to add them individually with ports.

    Then, as you seem to be struggling, use the /etc/sysconfig YaST module if you wish to continue the way you are, which will allow the rule to be better written and probably allow you to digest the comments better, i.e. you can't have services in trusted_nets.

    As for the way: from the looks of things you have several ways (define the services using the configs but then tighten; only allow IP to the ports needed (ip, protocol (1 of 3), port)). As to what is the safest and what is the easiest, I guess you have some research to do. I.e. are you really sure you wish to expose Samba to the net? I suggest you look at ssh tunneling. AFAIK this is a bad idea; it may have changed recently, may need Samba reconfiguring or a newer version for example, but I'm not sure and haven't really looked.

    Also apache2 isn't a service; look in /etc/services. It is a config to be used with FW_CONFIGURATIONS_EXT, as are most of the others.

    Remember iptables -L is your friend.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  5. #5

    Re: SuSEFirewall2

    clarity

    "You can't have services in trusted_nets": this is written wrong.

    You can't define the services from /etc/sysconfig/susefirewall.d/ as services; you can use the services from /etc/services as ports though, i.e. www, not apache2.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  6. #6

    Re: SuSEFirewall2

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    OK, so how can I block some networks from reaching my server? All the
    networks I want to block are subnets of my company, and the whole
    network is behind a proxy server.

    Company -> institute 1
    -> institute 2
    -> institute 3
    -> institute etc.

    I want, for example, to block 1 and 2 on the PDC server of 3.

    - --
    VampirD

    Microsoft Windows is like air conditioning
    Stops working when you open a window.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v2.0.12 (GNU/Linux)
    Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

    iEYEARECAAYFAku95kYACgkQJQ+0ABWtaVm6JACgzdE9VxXdlm7QZ7Xmu1VfJVYQ
    rnMAnivWXGaGWXQrg/mKjOTTFVgVk6ZY
    =ke2e
    -----END PGP SIGNATURE-----

  7. #7

    Re: SuSEFirewall2

    To do the subnet you do some stuff at the end of the 0.0.0.0/n where n is the correct figure (something to do with the netmask); as to what that is I've not got a clue, but IIRC googling "network calculator" or something should get you started.

    I have to be honest and say I don't really understand how the proxy is involved or whether it is relevant.

    But honestly I'm so far out of my depth it's not even funny; I hear "networks" and the brain cells go into meltdown. I fought masquerading for 3 weeks once.

    Edit
    Why don't you just put everything into ext and punch holes? Or, from the sounds of things, you just want to disable the default int allow-all: just use "protect firewall from int" in the YaST firewall module and punch holes.

    Use nmap (or some port scanner) and scan from another machine to see what is being offered.
    Man first, have a try at Info, have a look at Wiki, if all that fails Scroogle!!!!!
    If I've helped click on the Rep button I don't know what it does but it sounds cool.

  8. #8

    Re: SuSEFirewall2

    This command issued as root will block the subnet 192.168.1.0/24
    Code:
    iptables -I INPUT -s 192.168.1.0/24 -j DROP
    and to remove the rule run this:
    Code:
    iptables -D INPUT -s 192.168.1.0/24 -j DROP
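
    The DROP rule above is gone the next time SuSEfirewall2 is restarted. The persistent form, as an added example that is not from the thread or from the SuSEfirewall2 package, is a hook in /etc/sysconfig/scripts/SuSEfirewall2-custom, enabled by setting FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom" in /etc/sysconfig/SuSEfirewall2 and then reloading the firewall with "rcSuSEfirewall2 restart". The subnets in BLOCKED_NETS are constructed placeholders standing for institutes 1 and 2 from post #6, and the IPTABLES variable is an assumption of this example (set IPTABLES=echo to preview the rules without touching the kernel).

```shell
#!/bin/sh
# Added example: contents for /etc/sysconfig/scripts/SuSEfirewall2-custom.
# Not part of the thread or of the SuSEfirewall2 package; BLOCKED_NETS and
# IPTABLES are assumptions of this example.

# Command used to install rules; override with IPTABLES=echo for a dry run.
IPTABLES="${IPTABLES:-iptables}"

# Constructed placeholder subnets (institute 1 and institute 2 in post #6).
BLOCKED_NETS="192.168.1.0/24 192.168.2.0/24"

# SuSEfirewall2 calls this hook after its anti-spoofing and logging rules and
# before it opens any ports. "-I INPUT" puts each DROP at the head of the INPUT
# chain, so it is matched before every ACCEPT the firewall adds afterwards.
fw_custom_before_port_handling() {
    for net in $BLOCKED_NETS; do
        $IPTABLES -I INPUT -s "$net" -j DROP
    done
    true
}

# Other hooks SuSEfirewall2 looks for in this file; left as no-ops here.
fw_custom_before_antispoofing() { true; }
fw_custom_after_antispoofing()  { true; }
fw_custom_before_masq()         { true; }
fw_custom_before_denyall()      { true; }
fw_custom_after_finished()      { true; }
```

    Because the DROPs are inserted at position 1 on every reload, they stay ahead of the rules generated from FW_TRUSTED_NETS and FW_SERVICES_EXT_*, which is the ordering "iptables -L INPUT -n" should confirm after a restart.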

  9. #9

    Re: SuSEFirewall2

    Quote Originally Posted by swerdna
    This command issued as root will block the subnet 192.168.1.0/24
    Code:
    iptables -I INPUT -s 192.168.1.0/24 -j DROP
    and to remove the rule run this:
    Code:
    iptables -D INPUT -s 192.168.1.0/24 -j DROP
    I know how to do this with iptables; what I don't know is how to use the openSUSE firewall (having all of 1 day's experience with this OS) to achieve the same effect. I used YaST to configure a workstation as a ypbind client and it opened ports 926 (TCP) and 925 (UDP), as well as the rpcbind 111 UDP port, for the entire internet. Not at all what I want.

    In the YaST firewall configuration, allowed services shows NFS client and NIS client as the allowed services, both attached to the "external zone". There doesn't seem to be any way to click on them and modify their properties. Presumably I need to create a "myzone" corresponding to the subnet and move them there. How is this done in YaST/SuSEfirewall2? Through YaST there only seems to be the ability to bind an entire interface to a zone, not an interface address range to a zone.

    Thanks.

  10. #10

    Re: SuSEFirewall2

    Anybody?

    Specifically I need a set of INPUT rules, presumably set using the /etc/sysconfig/SuSEfirewall2 file, that does this:

    1. accept all packets from ONEHOST (for NIS, NFS, etc.)
    2. accept connections to sshd from LOCALNET (from local subnet, campus address/16)
    3. accept returning packets from EVERYWHERE (for client connections to the outside world initiated on the workstation, ie, for Web,ftp, ssh clients )
    4. reject everything else

    There is only the one interface, and outgoing packets don't need any filtering at all.

    What are the rules? I was able to set up (1), but it doesn't help much since currently the firewall is accepting INPUT for all listed services from everywhere (0.0.0.0/0). Note that the NIS client is picking TCP and UDP ports at random, so one cannot hardwire those addresses as numbers into the configuration file.

    Thanks
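
    An added example, not from the thread or from the SuSEfirewall2 package, that writes the four rules of this post as /etc/sysconfig/SuSEfirewall2 settings and then renders each FW_TRUSTED_NETS entry into the INPUT rule it stands for, so the net[,proto[,port]] format that posts #4 and #5 argue about can be checked offline. ONEHOST and LOCALNET are constructed placeholder addresses. The rendering models what the settings mean (one ACCEPT per entry, a stateful ACCEPT for returning packets, DROP for the rest); it is a simplification for illustration, not SuSEfirewall2's own chain layout. Rule 3 needs no setting: SuSEfirewall2 always accepts ESTABLISHED,RELATED traffic, which is also why the NIS client's random ports do not have to be opened for the reply direction.

```shell
#!/bin/sh
# Added example (not from the thread or the SuSEfirewall2 package).
# ONEHOST/LOCALNET are constructed placeholders; the iptables lines printed
# below model the meaning of the settings, not the real generated chains.

ONEHOST="10.1.2.3"        # NIS/NFS server: accept everything from it (rule 1)
LOCALNET="10.1.0.0/16"    # campus /16: ssh only (rule 2)

# /etc/sysconfig/SuSEfirewall2 values expressing rules 1, 2 and 4.
# FW_TRUSTED_NETS entries are net[,proto[,port]]; a bare net means all traffic.
# Service names (apache2, sshd, ...) belong in FW_CONFIGURATIONS_EXT, not here.
FW_TRUSTED_NETS="$ONEHOST $LOCALNET,tcp,22"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT=""

# Return 0 if $1 is a.b.c.d or a.b.c.d/n with n <= 32, else 1.
is_net() {
    case "$1" in
        */*) addr=${1%/*}; bits=${1#*/} ;;
        *)   addr=$1;      bits=32 ;;
    esac
    echo "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$bits" | grep -Eq '^[0-9]{1,2}$' || return 1
    [ "$bits" -le 32 ]
}

# Print the INPUT rule one FW_TRUSTED_NETS entry stands for and return 0, or
# print nothing and return 1 when the entry is not net[,proto[,port]]
# (for example "apache2", the mistake discussed in posts #3 to #5).
render_entry() {
    entry=$1
    net=${entry%%,*}
    rest=${entry#"$net"}; rest=${rest#,}
    proto=${rest%%,*}
    port=${rest#"$proto"}; port=${port#,}
    is_net "$net" || return 1
    case "$proto" in
        "")
            echo "iptables -A INPUT -s $net -j ACCEPT" ;;
        tcp|udp)
            if [ -n "$port" ]; then
                echo "iptables -A INPUT -s $net -p $proto --dport $port -j ACCEPT"
            else
                echo "iptables -A INPUT -s $net -p $proto -j ACCEPT"
            fi ;;
        *)
            return 1 ;;
    esac
}

# Render every FW_TRUSTED_NETS entry; return 1 if any entry is malformed.
render_trusted_nets() {
    status=0
    for entry in $FW_TRUSTED_NETS; do
        render_entry "$entry" || { echo "bad FW_TRUSTED_NETS entry: $entry" >&2; status=1; }
    done
    return $status
}

# Rules 3 and 4: returning packets are accepted statefully, the rest dropped.
render_default_policy() {
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -j DROP"
}

# Full model of the resulting INPUT chain, in evaluation order.
render_all() {
    render_trusted_nets && render_default_policy
}
```

    Running render_all with the values above prints an ACCEPT for all of 10.1.2.3, an ACCEPT for tcp/22 from 10.1.0.0/16, the stateful ACCEPT, and the final DROP; feeding it the FW_TRUSTED_NETS line from post #3 instead reports "apache2", "samba-client", "samba-server" and "sshd" as bad entries, which is the point post #5 was making.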
