A very basic question

Hello,
I’ve never had the need to do this before so I am admitting to serious ignorance of the way the firewall works.
Right now I need to have zoom meetings but consider zoom to be a security risk. Therefore, I would like to put one of my home computers in the public zone, in order to carry out these meetings, and the other two computers I would like to be in the trusted zone, in order to share files between them without exposure to the public computer.

What I see in the YaST firewall interface is what I always used before, namely that I can set services such as ssh and nfs to any zone. I assigned them to the trusted zone only. But how do I tell the firewall which IP addresses to put in the trusted zone and which in the public zone?

Thanks,

Abe

Here’s a blog describing how to assign source IP addresses to trusted and untrusted zones…
https://www.ctrl.blog/entry/how-to-firewalld-zone-by-ip.html

Another article discussing this…
https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations
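The two linked articles describe binding zones to source addresses with firewall-cmd. The script below is an added example (it is not from the thread or from either article) of that approach as it applies to the question: on each of the two file-sharing machines, the other hosts you trust are bound by IP to a restricted zone that publishes only ssh and nfs, while the NIC itself stays in "public" with no services, so the Zoom machine, like anything else on the LAN, gets the public treatment. It deliberately uses a custom zone rather than firewalld's built-in "trusted" zone, because "trusted" has target ACCEPT and would let the bound hosts reach every listening port, not just ssh and nfs. The addresses 192.168.1.20 and 192.168.1.21 and the zone name "home" are assumptions; the trusted hosts need fixed addresses (static or a DHCP reservation on the router) for address-based bindings to mean anything.

```shell
#!/bin/sh
# Added example, not code from the thread or the linked articles.
# On each of the two file-sharing machines: bind the LAN hosts you trust to a
# zone by source address, publish ssh/nfs only there, and leave everything
# else (the Zoom machine included) in "public" with no services.
#
# Assumptions (hypothetical, not from the original posts):
#   - the two file-sharing hosts are 192.168.1.20 and 192.168.1.21 and keep
#     fixed addresses (static or a DHCP reservation on the router);
#   - the restricted zone is named "home".
# Preview without touching the firewall:  FIREWALL_CMD=echo sh lanzones.sh apply
set -eu

TRUSTED_HOSTS="${TRUSTED_HOSTS:-192.168.1.20 192.168.1.21}"
LAN_ZONE="${LAN_ZONE:-home}"

# Wrapper so the whole script can be dry-run with FIREWALL_CMD=echo.
fw() { ${FIREWALL_CMD:-firewall-cmd} "$@"; }

configure_zones() {
    # Anything whose source address is not bound to another zone lands in
    # "public" (target: reject). Make sure it exposes neither ssh nor nfs.
    fw --set-default-zone=public
    for svc in ssh nfs mountd rpc-bind; do
        if fw --permanent --zone=public --query-service="$svc"; then
            fw --permanent --zone=public --remove-service="$svc"
        fi
    done

    # A custom zone instead of "trusted": "trusted" has target ACCEPT, so the
    # bound hosts would reach every open port, not just ssh and nfs.
    if ! fw --permanent --get-zones | grep -qw "$LAN_ZONE"; then
        fw --permanent --new-zone="$LAN_ZONE"
    fi
    # Source bindings are evaluated before the interface's zone, so these
    # addresses match even though the NIC itself stays in "public".
    for host in $TRUSTED_HOSTS; do
        fw --permanent --zone="$LAN_ZONE" --add-source="$host"
    done
    # nfs alone covers NFSv4 (2049/tcp); mountd and rpc-bind are needed for NFSv3.
    for svc in ssh nfs mountd rpc-bind; do
        fw --permanent --zone="$LAN_ZONE" --add-service="$svc"
    done
    fw --reload
}

show_zones() {
    fw --get-active-zones
    fw --zone="$LAN_ZONE" --list-all
}

case "${1:-}" in
    apply) configure_zones; show_zones ;;
    *) echo "usage: $0 apply    (set FIREWALL_CMD=echo to preview)" >&2 ;;
esac
```

Run it as root on each of the two file-sharing machines (adding a machine's own address to the list is harmless); the Zoom machine needs nothing beyond its default public zone. Afterwards `firewall-cmd --get-active-zones` should list the two addresses under "home" and the interface under "public". Keep in mind what a source binding actually trusts: the IP header of the incoming packet. A machine on the same Ethernet segment can forge that, so this is a reasonable control against a Zoom client misbehaving, not a substitute for putting the Zoom machine on a separate network.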

Many thanks, will read with interest.

Abe

Well, although one can get rather complex stuff using iptables - SuseFirewall is only for incoming traffic. As Zoom is likely built to work behind NAT and through firewalls I guess the more correct way would be to “close down” your other machines by setting their firewalls to something untrusted like public and set up specific iptables rules to allow traffic between them but not with the one you’re running Zoom on. If you want to set up your firewall in a way so that Zoom cannot reach the other two machines I guess you will have to do this via iptables as there is no built-in GUI stuff available to configure outgoing rules.
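Zone assignment only filters what arrives at a machine; nothing in the YaST module stops the file-sharing machines from initiating connections towards the Zoom host, which is the gap the reply above points at. The following is an added example (not code from the thread) of closing it on each of the two file-sharing machines with ordinary iptables rules in both directions. It assumes the Zoom machine is 192.168.1.30 (hypothetical) and that firewalld is the active firewall, which is why the rules are installed through `firewall-cmd --direct`: rules added with a bare `iptables` call work until the next firewalld reload flushes them. The plain iptables equivalents are given in the comments.

```shell
#!/bin/sh
# Added example, not code from the thread. On each of the two file-sharing
# machines, refuse traffic with the Zoom machine in BOTH directions: zone
# assignment blocks what the Zoom host sends in; this also stops the
# file-sharing machine from initiating anything towards it.
#
# Assumptions (hypothetical): the Zoom machine is 192.168.1.30, and firewalld
# is the active firewall, so the rules go in through firewall-cmd --direct.
# Plain iptables equivalent of what gets installed:
#   iptables -I INPUT  -s 192.168.1.30 -j DROP
#   iptables -I OUTPUT -d 192.168.1.30 -j REJECT --reject-with icmp-admin-prohibited
# Preview:  FIREWALL_CMD=echo sh isolate-zoom-host.sh apply
set -eu

ZOOM_HOST="${ZOOM_HOST:-192.168.1.30}"
PRIORITY=0     # 0 = evaluated before any other direct rule in the chain

# Wrapper so the script can be dry-run with FIREWALL_CMD=echo.
fw() { ${FIREWALL_CMD:-firewall-cmd} "$@"; }

isolate_host() {
    # Inbound: silently drop, so a scan from the Zoom box sees nothing.
    fw --permanent --direct --add-rule ipv4 filter INPUT "$PRIORITY" \
        -s "$ZOOM_HOST" -j DROP
    # Outbound: reject with an ICMP error so local programs fail fast
    # instead of hanging until a timeout.
    fw --permanent --direct --add-rule ipv4 filter OUTPUT "$PRIORITY" \
        -d "$ZOOM_HOST" -j REJECT --reject-with icmp-admin-prohibited
    fw --reload
}

show_rules() {
    fw --direct --get-all-rules
}

case "${1:-}" in
    apply) isolate_host; show_rules ;;
    *) echo "usage: $0 apply    (set FIREWALL_CMD=echo to preview)" >&2 ;;
esac
```

Run it as root on the two file-sharing machines only; the Zoom machine keeps its default configuration. Direct rules are kept by firewalld even when its backend is nftables, so this works on current openSUSE releases, though firewalld 1.x marks the direct interface as deprecated in favour of policies, which offer the same outbound filtering through a policy with ingress zone HOST. Note that the rules key on IP addresses, so the Zoom machine must keep a fixed address for them to hold.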

You seem to have a private IP LAN/WLAN connected to a Router which connects you to your ISP.

  • Most of these Routers have the ability to supply a Guest LAN/WLAN – meaning, at least one Ethernet port can be assigned to the “Guest” network and, a separate WLAN SSID can be provided for guests.
  • The “Guest” networks have absolutely no access to your LAN/WLAN devices …

If your Router has this ability, it’s much easier to use the power and abilities and facilities offered by your Router, rather than trying to restrict the access by one of the devices on your LAN/WLAN to the rest of the devices on your LAN/WLAN.

For your Router, it’s easy and, reliable – it’s simply routing …
For any given device on your LAN/WLAN, the logic involved in restricting access to the other devices on your LAN/WLAN involves employing packet filters – multiple Firewalls – which is CPU intensive, not at all environmentally friendly, difficult and, with regard to the amount of administration involved, time consuming …

Although it is a neat idea to use the “guest” mode (and in fact yes, many modern routers have this function by using implicit VLANs), your statement that the guest LAN doesn’t have any access to the “normal” one isn’t quite true - at least not for those which also support hairpin connections (that is, you send a packet addressed to your public IP) - this way a host on the guest VLAN could in fact reach the regular one if port forwarding or even UPnP is enabled. So care must still be taken to account for that.