
Thread: A very basic question

  1. #1

    A very basic question

    Hello,
    I've never had the need to do this before so I am admitting to serious ignorance of the way the firewall works.
    Right now I need to have zoom meetings but consider zoom to be a security risk. Therefore, I would like to put one of my home computers in the public zone, in order to carry out these meetings, and the other two computers I would like to be in the trusted zone, in order to share files between them without exposure to the public computer.

    What I see in the YAST firewall interface is what I always used before, namely that I can set services such as ssh and nfs to any zone. I assigned them to the trusted zone only. But how do I tell the firewall which IP addressees to put in the trusted zone and which in the public zone?

    Thanks,

    Abe

  2. #2

    Re: A very basic question

    Here's a blog describing how to assign source IP addresses to trusted and untrusted zones...
    https://www.ctrl.blog/entry/how-to-f...one-by-ip.html

    Another article discussing this...
    https://www.linuxjournal.com/content...configurations
    openSUSE Leap 15.4; KDE Plasma 5

  3. #3

    Re: A very basic question

    Many thanks, will read with interest.

    Abe

  4. #4

    Re: A very basic question

    Well, although one can get rather complex stuff using iptables - SuseFirewall is only for incoming traffic. As Zoom is likely built to work behind NAT and through firewalls I guess the more correct way would be to "close down" your other machines by setting their firewalls to something untrusted like public and set up specific iptables rules to allow traffic between them but not with the one you're running Zoom on. If you want to set up your firewall in a way so that Zoom cannot reach the other two machines I guess you will have to do this via iptables as there is no built-in GUI stuff available to configure outgoing rules.
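    To show what the source-based zone assignment from the blog in #2 looks like on the command line, here is an added example (not from anyone in this thread, and not part of YaST): a small POSIX sh script that, run on each of the two file-sharing machines, binds the other trusted host's address to firewalld's "trusted" zone and the Zoom machine's address to "public". Since both of those machines then only accept ssh/nfs from "trusted", incoming connections from the Zoom host are refused on them, which is the incoming-traffic side of what #4 describes. The addresses are hypothetical arguments supplied by the caller; with the default DRY_RUN=1 nothing is applied.

```shell
#!/bin/sh
# Added example: bind LAN hosts to firewalld zones by source address.
# Assumes firewalld (the backend behind YaST's firewall module on Leap 15.x).
# Run on each trusted machine; nothing is executed unless DRY_RUN=0.
DRY_RUN="${DRY_RUN:-1}"

# valid_ipv4 ADDR: accept a plain IPv4 address or IPv4/prefix, reject the rest.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  case $1 in */*) [ "${1#*/}" -le 32 ] || return 1 ;; esac
  for oct in $(echo "${1%%/*}" | tr '.' ' '); do
    [ "$oct" -le 255 ] || return 1
  done
}

# zone_rules ZONE ADDR...: one firewall-cmd per address binding it to ZONE.
zone_rules() {
  zone=$1; shift
  for addr in "$@"; do
    valid_ipv4 "$addr" || { echo "invalid address: $addr" >&2; return 1; }
    echo "firewall-cmd --permanent --zone=$zone --add-source=$addr"
  done
}

# plan "TRUSTED HOSTS" "PUBLIC HOSTS": print the full command list.
# A source address can belong to only one zone, so overlaps are an error.
plan() {
  for t in $1; do
    for u in $2; do
      [ "$t" = "$u" ] && { echo "$t listed in both zones" >&2; return 1; }
    done
  done
  # The interface stays in public, so any host not bound to trusted is treated
  # as public; ssh/nfs were enabled for trusted only in YaST and stay closed there.
  echo "firewall-cmd --set-default-zone=public"
  zone_rules trusted $1 || return 1
  zone_rules public $2 || return 1
  echo "firewall-cmd --reload"
}

# apply_plan "TRUSTED" "PUBLIC": print (DRY_RUN=1) or execute each command.
apply_plan() {
  cmds=$(plan "$1" "$2") || return 1
  printf '%s\n' "$cmds" | while read -r cmd; do
    if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $cmd"; else $cmd || exit 1; fi
  done
}
```

Example call on one of the file-sharing machines: `apply_plan "192.168.1.11" "192.168.1.20"` (constructed addresses), then check the result with `firewall-cmd --get-active-zones`.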

  5. #5

    Re: A very basic question

    Quote (originally posted by naimab):
        Right now I need to have zoom meetings but consider zoom to be a security risk.
    You seem to have a private IP LAN/WLAN connected to a Router which connects you to your ISP.
    • Most of these Routers have the ability to supply a Guest LAN/WLAN – meaning, at least one Ethernet port can be assigned to the “Guest” and, a separate WLAN SSID can be provided for guests.
    • The “Guest” networks have absolutely no access to your LAN/WLAN devices …


    If your Router has this ability, it's much easier to use the power and abilities and facilities offered by your Router, rather than trying to restrict the access by one of the devices on your LAN/WLAN to the rest of the devices on your LAN/WLAN.

    For your Router, it's easy and, reliable – it's simply routing …
    For any given device on your LAN/WLAN, the logic involved in restricting access to the other devices on your LAN/WLAN involves employing packet filters – multiple Firewalls – which is CPU intensive, not at all environmentally friendly and, difficult and, with regard to the amount of administration involved, time consuming …

  6. #6

    Re: A very basic question

    Although a neat idea about using the "guest" mode (and in fact yes, many modern routers have this function by using implicit VLANs), your statement that the guest LAN doesn't have any access to the "normal" one isn't quite true - at least not for those which also support hairpin connections (that is, that you send a packet addressed to your public IP) - this way a host on the guest VLAN could in fact reach the regular one if port forwarding or even UPnP is enabled. So care must still be taken to account for that.
