Those rules are surely wrong. The source port and destination port won’t both be 22.
You should just be able to go into Yast Firewall
Select “Allowed Services”
Select the appropriate zone (it should be the zone that your network card is in, i.e. the network card that you expect to use for ssh). I think the external zone covers unassigned network cards.
Select “Secure Shell Server” in service to allow. Click “Add”.
I usually configure this during install. With the DVD installer (and, I think, the NET installer), the summary page has place to click to enable ssh and to open the firewall. But I occasionally forget to do it there, and do it in firewall settings as described above.
I first tried with just destination as port 22 and it didn’t work so I also tried the other way. Those are all the separate rules I tried since nothing worked.
No, this doesn’t work for internal network. They’re all greyed out (and already under the “add” section, but greyed out). You can only do what you suggest for external.
Toward the bottom of that Yast firewall settings page, there is a box “Protect from internal zone”. You have to check that box before you can set anything. That’s probably why it is greyed out.
The default is no firewall protection.
It seems to follow that you are not actually using the internal zone. It is probably the external zone that matters.
The term “internal zone” is confusing. It is not referring to your LAN. Rather, it is referring to network connections received on an interface that is considered external. You cannot separate connections from the internet from connections from your LAN via internal/external, unless you have two interfaces.
If you are behind a NAT router and do not use IPv6, then you can probably just disable the firewall and depend on your NAT router to protect from the Internet. But that’s risky with IPv6, since NAT protection doesn’t work there.
I guess but in external, there’s no way (that I could see) to turn on ssh for just one IP or just the 192.168.1.x network. I don’t want it turned on for anyone else.
It’s the firewall on the server (the one running “sshd”) that matters. Outbound network traffic is always allowed because it is initiated locally.
I used to rely on tcpwrappers to limit inbound connections, so I left the firewall open for sshd. After libwrap support was removed, I continued to leave it open and got lots of breakin attempts from the Internet. But I’m allowing only publickey authentication, so I wasn’t seriously worried about those breakin attempts (they depend on password authentication and weak passwords). But they did add a lot of noise to the logs.
I no longer need to be able to connect from work, so I just closed down the port 22 forwarding on the NAT router. I don’t think I have seen any breakin attempts since then, though it is technically possible if the attacker uses IPv6.
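The “noise in the logs” mentioned in the post above is easy to quantify. The following script is an added example (not code from the thread or from openSUSE): it scans sshd log lines for authentication failures, counts them per source address, and separates attempts that came from outside the 192.168.1.0/24 LAN that the thread is about. The log lines are constructed sample data in standard syslog/sshd format.

```python
"""Count sshd authentication failures per source IP and flag the ones
that did not originate on the LAN.  Added example; the log lines are
constructed, and the LAN prefix 192.168.1.0/24 comes from the thread."""
import ipaddress
import re
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample of typical sshd messages (syslog format).
SAMPLE_LOG = """\
Mar  3 10:01:12 host sshd[2210]: Failed password for root from 203.0.113.45 port 51234 ssh2
Mar  3 10:01:15 host sshd[2210]: Failed password for root from 203.0.113.45 port 51235 ssh2
Mar  3 10:02:01 host sshd[2215]: Invalid user admin from 198.51.100.7 port 40022
Mar  3 10:02:03 host sshd[2215]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:40 host sshd[2230]: Accepted publickey for alice from 192.168.1.20 port 52000 ssh2: ED25519 SHA256:constructed
Mar  3 10:06:00 host sshd[2241]: Failed password for alice from 192.168.1.20 port 52010 ssh2
"""

# Matches both "Failed password for [invalid user] X from IP port N"
# and "Invalid user X from IP port N".
FAIL_RE = re.compile(
    r"sshd\[\d+\]: (?:Failed password for|Invalid user) (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)"
)


def failed_logins(log_text):
    """Return a Counter mapping source IP -> number of failed attempts."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def outside_lan(counts, lan=LAN):
    """Return only the entries whose source address is not inside `lan`.
    Works for IPv6 addresses too, which matters because NAT does not
    shield an IPv6-reachable host."""
    return {ip: n for ip, n in counts.items()
            if ipaddress.ip_address(ip) not in lan}


if __name__ == "__main__":
    counts = failed_logins(SAMPLE_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        origin = "LAN" if ip not in outside_lan(counts) else "outside LAN"
        print(f"{ip:16} {n:4} failed attempts ({origin})")
```

Running it on real data is a matter of replacing `SAMPLE_LOG` with the output of `journalctl -u sshd` or the contents of `/var/log/messages`; the share of failures attributed to “outside LAN” is the part a LAN-only firewall rule, or closing the router’s port forward, would remove.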
I think you could try your custom rule on the server in Yast again but omit the setting for the source port. eg. for my (main) LAN, I would just have:
Alternatively, as is being suggested, you might be able to use your router to ensure requests can only come from within your LAN.
With NAT, I believe you have to specifically tell the router what to do with an incoming request (eg. set up port forwarding) otherwise a port is effectively blocked by default.
As far as I understand it, with IPv6, you are looking at “direct connections”, ie. bypassing/no need for NAT. I’d have thought an IPv6 capable home router (mine is btw but I don’t have IPv6 ISP addresses yet) should allow you to have a firewall rule to block all incoming requests by default.
Whatever, it’s best to read your router’s documentation.
Turns out internal network does nothing. So adding the custom rule to external but pointed to my other computer’s internal ip (192.168.1.x) makes this work.
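To make concrete why the first rules in this thread failed and the last one worked, here is an added example (not code from the thread, from YaST or from firewalld) that models the two candidate rules and evaluates them against sample SSH connection attempts. The key point is that an SSH client connects from an ephemeral source port, never from port 22, so a rule that also pins the source port to 22 can never match; a rule that restricts only the source network and the destination port does what the original poster wanted. The `rich_rule` helper renders the working rule in firewalld rich-rule syntax on the assumption that the server runs firewalld; the packets and addresses are constructed.

```python
"""Model of the firewall rules discussed in the thread.  Added example;
the rules, sample packets and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    source_net: Optional[str] = None   # e.g. "192.168.1.0/24"; None = any source
    source_port: Optional[int] = None  # pinning this is the mistake in the thread
    dest_port: Optional[int] = None    # 22 for sshd
    action: str = "accept"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if every constraint the rule sets is satisfied by the packet."""
    if rule.dest_port is not None and pkt.dst_port != rule.dest_port:
        return False
    if rule.source_port is not None and pkt.src_port != rule.source_port:
        return False
    if rule.source_net is not None and \
            ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.source_net):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """First-match evaluation; an unmatched packet falls to the zone default,
    which for the external zone is to drop inbound connections."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


def rich_rule(rule: Rule) -> str:
    """Render a rule in firewalld rich-rule syntax (assumes firewalld; the
    source port is deliberately not rendered because pinning it is wrong
    for a service rule)."""
    parts = ['rule family="ipv4"']
    if rule.source_net is not None:
        parts.append(f'source address="{rule.source_net}"')
    if rule.dest_port is not None:
        parts.append(f'port port="{rule.dest_port}" protocol="tcp"')
    parts.append(rule.action)
    return " ".join(parts)


# Constructed connection attempts.  SSH clients pick an ephemeral source port.
LAN_CLIENT = Packet("192.168.1.50", 49152, 22)
INTERNET_CLIENT = Packet("203.0.113.45", 51234, 22)

# The rule the original poster first tried: source port 22 AND destination port 22.
BOTH_PORTS_22 = [Rule(source_port=22, dest_port=22)]

# The rule that worked: destination port 22, only from the 192.168.1.x LAN.
LAN_ONLY_SSH = [Rule(source_net="192.168.1.0/24", dest_port=22)]


if __name__ == "__main__":
    for name, rules in (("both ports 22", BOTH_PORTS_22), ("LAN-only ssh", LAN_ONLY_SSH)):
        print(f"{name:14} LAN client -> {evaluate(rules, LAN_CLIENT)}, "
              f"Internet client -> {evaluate(rules, INTERNET_CLIENT)}")
    print("firewalld rich rule:", rich_rule(LAN_ONLY_SSH[0]))
```

With the source-port rule, even the LAN client is dropped; with the LAN-only rule, the LAN client is accepted and the Internet client falls to the zone default and is dropped, which is the behaviour the final post reports. The rendered string is what you would pass to `firewall-cmd --zone=external --add-rich-rule=...` on a firewalld-based system.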