Different firewall zones for wlan device?

Is it possible to assign a wlan network interface different firewall zones depending on the connection? If yes, how?

For example, when I am at home on my private WLAN, I want ports TCP:22, TCP:631 and UDP:631 to be open (for SSH and for sharing a wired USB printer). However, when I am travelling and enjoying free WiFi in a cafe, I want those ports to be closed, of course.

So I want to assign the wlan0 network interface to the internal zone for my WLAN at home, and to the external firewall zone for other WLANs.

Knetworkmanager allows me to restrict a network connection to a certain network interface, so I guess I need to set up multiple network interfaces for one and the same physical network device somehow?!

I might be confused, but as I understand this, you are using a mobile machine (so it’s not a server?).
Why would you need the SSH port open? That’s only needed on the server side, at least it is for me.

Well, I tried to keep it simple since the reason does not really matter for the problem at hand. Windows 7 allows different firewall settings according to the network connection, and I thought Linux, being good with network stuff, ought to offer something similar. However, according to what I could learn thus far, Linux only differentiates firewall settings between physical network devices by assigning them to the external/demilitarized/internal zone. :(

Anyway, if you must know, here is the real scenario: I am talking about our laptops. I usually keep the SSH port open on my wife’s machine so that I can run updates remotely, install software and look after things whenever there is a problem. I can also tunnel home into her machine through our server in case of urgent emergencies. However, she also takes the laptop to work and to town, using open wireless connections in the latter case, so open ports might be a bad idea when connected to those networks, especially since she keeps exam papers on that machine. Second, our printer is attached to the docking station for the laptops, but due to constraints in the building, there is no wired Ethernet connection in our office room (otherwise I would place our server in the office room and connect the printer to the server). Nevertheless I want to share the printer, since often my wife is working in the office with her laptop docked, while I want to print something while sitting with my laptop in the living room - or vice versa.

On 11/28/2011 10:36 AM, STurtle wrote:
>
> Well, I tried to keep it simple since the reason does not really matter
> for the problem at hand. Windows 7 allows different firewall settings
> according to the network connection, and I thought Linux, being good
> with network stuff, ought to offer something similar. However, according
> to what I could learn thus far, Linux only differentiates firewall
> settings between physical network devices by assigning them to
> the external/demilitarized/internal zone. :(
>
> Anyway, if you must know, here is the real scenario: I am talking about
> our laptops. I usually keep the SSH port open on my wife’s machine so
> that I can run updates remotely, install software and look after things
> whenever there is a problem. I can also tunnel home into her machine
> through our server in case of urgent emergencies. However, she also
> takes the laptop to work and to town, using open wireless connections in
> the latter case, so open ports might be a bad idea when connected to those
> networks, especially since she keeps exam papers on that machine.
> Second, our printer is attached to the docking station for the laptops,
> but due to constraints in the building, there is no wired Ethernet
> connection in our office room (otherwise I would place our server in the
> office room and connect the printer to the server). Nevertheless I want
> to share the printer, since often my wife is working in the office with
> her laptop docked, while I want to print something while sitting with my
> laptop in the living room - or vice versa.

Check /etc/hosts.allow and /etc/hosts.deny.

The firewall dialogue in YAST offers a section “CUSTOM RULES”, but it does not seem to work. Any ideas why?

On my wife’s machine, for the external zone, to which the machine’s WLAN interface is assigned, I added the fixed IP of my laptop (192.168.0.122 - which is assigned by the DHCP server on my router), and as source and destination port I set 22 and as protocol TCP. I closed the dialogue and reopened it again, and also restarted the firewall through that Yast->Firewall dialogue.

However, if I try to ssh into her machine, I just get a timeout. I verified that my machine does indeed get the local IP above when I am in the WLAN at home. Both machines have no other network connection (they do have wired interfaces, but those were not connected).

I can successfully ssh into her machine if I generally open up port 22 for the external zone on her machine, so it is not the router or my machine that is blocking the communication.

What am I doing wrong? Or does YAST->Firewall->CustomRules maybe not work as advertised?

On 12/15/2011 5:16 PM, STurtle wrote:
>
> The firewall dialogue in YAST offers a section “CUSTOM RULES”, but it
> does not seem to work. Any ideas why?
>
> On my wife’s machine, for the External zone, to which the WLAN
> interface is assigned, I added the IP assigned by the DHCP-server on my
> router (192.168.0.122) and as source and destination port I set 22 and as
> protocol TCP. I closed the dialogue and reopened it again, also
> restarted the firewall through that dialogue.
>
> However, if I try to ssh into her machine, it fails now. I verified
> that my machine does indeed get the local IP above when I am at home.
>
> I can successfully ssh into her machine if I open up port 22 for the
> external zone, so it is not the router or my machine that is blocking
> the communication.
>
> Could anyone please check whether YAST->Firewall->CustomRules works as
> intended?
>
>
STurtle

I’ve not tested this, but have you checked out the “Firewall Zone Switcher”? It was
designed for this type of situation. See /usr/share/doc/packages/SuSEfirewall2/FAQ. Here
is another reference that’s a bit long in the tooth, but should still apply:
http://lizards.opensuse.org/2009/07/10/1453/


P.V.
“We’re all in this together, I’m pulling for you” Red Green

On 12/15/2011 7:41 PM, PV wrote:
> On 12/15/2011 5:16 PM, STurtle wrote:
>>
>> The firewall dialogue in YAST offers a section “CUSTOM RULES”, but it
>> does not seem to work. Any ideas why?
<snip>
>>
>> Could anyone please check whether YAST->Firewall->CustomRules works as
>> intended?
>>
>>
> STurtle
>
> I’ve not tested this, but have you checked out the “Firewall Zone Switcher”.
<snip>

Search for the package “fwzs”


P.V.
“We’re all in this together, I’m pulling for you” Red Green
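The zone switching that PV points to, written out as an added example. This is not code from the thread, from the fwzs package or from SuSEfirewall2; it is a NetworkManager dispatcher script that moves wlan0 into the internal zone only while it is associated with a known home SSID and puts it back into the external zone otherwise, which is what the original question asks for. Assumptions: the SSID name `MyHomeWLAN`, the `FW_DEV_INT`/`FW_DEV_EXT`/`FW_DEV_DMZ` lists in `/etc/sysconfig/SuSEfirewall2`, and that `iwgetid` (wireless-tools) and `rcSuSEfirewall2` are available.

```shell
#!/bin/sh
# Added example (not from the thread, fwzs or SuSEfirewall2): a NetworkManager
# dispatcher script that moves wlan0 into SuSEfirewall2's internal zone only
# while associated with a known home SSID, and back to external otherwise.
# Install as /etc/NetworkManager/dispatcher.d/50-fwzone, mode 0755.
# Assumed: the SSID below, the FW_DEV_INT/FW_DEV_EXT/FW_DEV_DMZ variables in
# /etc/sysconfig/SuSEfirewall2, `iwgetid` (wireless-tools), `rcSuSEfirewall2`.

HOME_SSIDS="MyHomeWLAN"                       # space-separated; assumption
WLAN_IF="wlan0"
FW_CONF="${FW_CONF:-/etc/sysconfig/SuSEfirewall2}"

# zone_for_ssid SSID: prints "int" for a listed home SSID, otherwise "ext".
# Exact, case-sensitive match; an empty or unknown SSID fails closed to "ext".
zone_for_ssid() {
    for s in $HOME_SSIDS; do
        [ "$1" = "$s" ] && { echo int; return 0; }
    done
    echo ext
}

# current_zone CONF IFACE: prints the zone (int/ext/dmz) whose FW_DEV_* list
# in CONF contains IFACE, or "none" if it is listed nowhere.
current_zone() {
    for pair in int:FW_DEV_INT ext:FW_DEV_EXT dmz:FW_DEV_DMZ; do
        var=${pair#*:}
        list=$(sed -n "s/^$var=\"\(.*\)\"/\1/p" "$1")
        for d in $list; do
            [ "$d" = "$2" ] && { echo "${pair%%:*}"; return 0; }
        done
    done
    echo none
}

# set_zone CONF IFACE ZONE: rewrite CONF so that IFACE is listed in FW_DEV_<ZONE>
# and in no other FW_DEV_* list; other interfaces and all other lines are kept.
set_zone() {
    conf=$1; tmp="$1.tmp.$$"
    awk -v iface="$2" -v zone="$3" '
    function strip(list,    n, i, a, out) {   # drop iface from a list
        n = split(list, a, " "); out = ""
        for (i = 1; i <= n; i++)
            if (a[i] != iface) out = out (out == "" ? "" : " ") a[i]
        return out
    }
    function value(s) { sub(/^[A-Z_]+="?/, "", s); sub(/".*$/, "", s); return s }
    function line(name, list, add) {
        list = strip(list)
        if (add) list = (list == "" ? iface : list " " iface)
        return name "=\"" list "\""
    }
    /^FW_DEV_INT=/ { print line("FW_DEV_INT", value($0), zone == "int"); si = 1; next }
    /^FW_DEV_EXT=/ { print line("FW_DEV_EXT", value($0), zone == "ext"); se = 1; next }
    /^FW_DEV_DMZ=/ { print line("FW_DEV_DMZ", value($0), zone == "dmz"); next }
    { print }
    END {   # add the variables if the config did not have them at all
        if (!si) print line("FW_DEV_INT", "", zone == "int")
        if (!se) print line("FW_DEV_EXT", "", zone == "ext")
    }' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Dispatcher entry point: NetworkManager invokes the script as "<iface> <action>".
# Nothing below runs when the file is only sourced for its functions.
if [ "${1-}" = "$WLAN_IF" ]; then
    case "${2-}" in
        up)   ssid=$(iwgetid -r "$WLAN_IF" 2>/dev/null || true)
              zone=$(zone_for_ssid "$ssid") ;;
        down) zone=ext ;;                      # link gone: fail closed
        *)    exit 0 ;;
    esac
    if [ "$(current_zone "$FW_CONF" "$WLAN_IF")" != "$zone" ]; then
        set_zone "$FW_CONF" "$WLAN_IF" "$zone"
        logger -t fwzone "$WLAN_IF -> $zone zone (SSID: ${ssid:-none})"
        rcSuSEfirewall2 restart                # rebuild the iptables rules
    fi
fi
```

Two caveats before using this. First, SuSEfirewall2's internal zone is unprotected by default, so switching wlan0 to it opens every listening service, not just the three ports from the question; set `FW_PROTECT_FROM_INT="yes"`, `FW_SERVICES_INT_TCP="22 631"` and `FW_SERVICES_INT_UDP="631"` so the internal zone admits only SSH and CUPS. Second, an SSID is not authenticated: on an open home WLAN, any access point announcing the same name would trigger the switch, so a more robust key is the saved connection profile (NetworkManager exports `CONNECTION_UUID` to dispatcher scripts), and the same reasoning applies to the source-IP custom rule discussed earlier, which any other network using 192.168.0.0/24 would satisfy. After connecting, `iptables -L -n -v` shows which zone chain wlan0's traffic now hits.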