Firewall Allowed Services

Hi,

I want to allow e.g. SSH on to my computer, running openSUSE 11.4.

When I try to open up the firewall to allow this, the options to allow a service appear limited and it is impossible to add a new service. Also, the "name" field doesn't appear anywhere.

Firewall tool has these options to the left:

Here, enter additional ports or protocols to enable in the firewall zone.

TCP Ports and UDP Ports can be entered as a list of port numbers, port names, or port ranges separated by spaces, such as 22, http, or 137:139.

RPC Ports is a list of RPC services, such as nlockmgr, ypbind, or portmap, separated by spaces.

IP Protocols is a list of protocols, such as esp, smp, or chaos, separated by spaces. Find the current list of protocols at http://www.iana.org/assignments/protocol-numbers.

The Port Range consists of two colon-separated numbers that represent all numbers inside the range including the numbers themselves. The first port number must be lower than the second one, for example, 200:215.

The Port Name is a name assigned to a port number by the IANA organisation. One port number can have multiple port names assigned. Find the assignment currently in use in the /etc/services file.

And fields to the right, but on the right, there are no spaces for:

- The Port Range
- The Port Name

When I click next/finish, no additional services are added to the allowed services for the firewall.

It seems very difficult to use.

Appreciate any help.

Regards, samwootton

Is it not showing “Secure Shell Server” in the list of “Allowed Services”?

If I am correct, when you start a service like SSH using YaST, Yast will also see that the firewall is configured for that purpose.

I looked for ssh in network services to see what you mean Henk – can’t find it, is it somewhere else?

The SSH daemon (sshd) is in YaST > Software > Software services (runlevel).

Thanks Henk, now I found it.

However the TCP port 22 isn’t activated automatically IMO. I believe one must manually add “Secure Shell Server” to the list of “Allowed Services” in Yast’s firewall module. [This allows the config tab buried at /etc/sysconfig/SuSEfirewall2.d/services/sshd to be switched on via an entry that Yast’s “Allowed Services” inserts in the firewall script at /etc/sysconfig/SuSEfirewall2 on the line FW_CONFIGURATIONS_EXT]

Well, I wasn't sure (as I said), but I remember YaST doing things with the firewall configuration at least at "some" points. Especially I remember YaST asking if it should adapt the firewall. But it is long ago and I do not remember the exact circumstances.

Just add TCP port 22 manually to the firewall.

By having the service sshd you already can ssh from another machine to this. You don't need to add port 22. I verified on my home network.
The problem I have with ssh is that this will make you the target of some hackers which will bombard you via ssh with lists of names hoping to hack into your computer. I was able in the past to configure the network to eliminate these attacks but I don't remember how and now I'm bombarded again.
I tried to have my router redirect sshd requests from outside to be directed to another port in a higher range and have that port added to the list of ports for the computer I want in my home network. That is still not working as I'm still finding lots of requests in /var/log/messages (grep for Invalid user). I have thousands of attempts in there (not verified the period of time). I think that on swerdna's site there is some info I will have to verify.
Maybe removing the service sshd altogether will allow me to connect from other computers if I use the new ssh port? I will check that now.

These are all new facts you did not mention earlier. We all thought you were only talking about your own LAN.

You misunderstand the solution you tried with a higher port number.
You should not forward port 22 from the router to a high number on your system, you should forward a high number on your router to port 22 on your system.
That means that an SSH user from outside must try to connect to that high number (and hackers probably would not do that because they will not know which high number you use) and users will then arrive at port 22 of your system.

I was trying just to make the user samwootton aware that opening port 22 can create some other issues for him, and not steal the thread. Unfortunately I was not able to provide a solution which you did (hcvv). Thank you, it makes lots of sense and I hope that I will remember this in the future and be able to set up my home network this way.
My router, which is an old one, allows me just port forwarding and port triggering. I set up port forwarding to have the sshd service on a high port and forward it to the desired computer in the network (I have static addresses in my home network) and I will test from work tomorrow how that works. This might help others to understand how to protect themselves as it can be annoying and slow down the internet connection without knowing why.

On 2011-03-17 15:06, hcvv wrote:
>
> Well, I wasn't sure (as I said), but I remember YaST doing things with
> the firewall configuration at least at "some" points. Especially I
> remember YaST asking if it should adapt the firewall. But it is long ago
> and I do not remember the exact circumstances.

During system installation it asks.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

On 2011-03-17 16:36, dmera wrote:

> I was able in the past to configure the
> network to eliminate these attacks but I don't remember how and now I'm
> bombarded again.

Code:

Example:

Allow max three ssh connects per minute from the same IP address:

"0/0,tcp,22,hitcount=3,blockseconds=60,recentname=ssh"

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,hitcount=3,blockseconds=60,recentname=ssh"


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
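As an added example (not posted by anyone in this thread), the script below does what dmera describes by hand with `grep` for "Invalid user" in /var/log/messages, and then replays the same attempts through a simple model of the `hitcount=3,blockseconds=60` rule Carlos quotes, so you can see which attempts such a rule would have let through. The log lines are constructed for the example, the year 2011 is assumed because traditional syslog timestamps carry none, and the sliding-window model is an approximation of the netfilter "recent" match that SuSEfirewall2 builds from that rule, not its exact implementation.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample from a /var/log/messages-style file (not real log data).
SAMPLE_LOG = """\
Mar 17 16:36:01 telcontar sshd[4011]: Invalid user admin from 203.0.113.7
Mar 17 16:36:05 telcontar sshd[4013]: Invalid user oracle from 203.0.113.7
Mar 17 16:36:09 telcontar sshd[4015]: Invalid user test from 203.0.113.7
Mar 17 16:36:12 telcontar sshd[4017]: Invalid user guest from 203.0.113.7
Mar 17 16:36:40 telcontar sshd[4020]: Invalid user admin from 198.51.100.22
Mar 17 16:37:30 telcontar sshd[4025]: Invalid user root from 203.0.113.7
Mar 17 16:38:00 telcontar sshd[4030]: Accepted publickey for sam from 192.168.1.10 port 52110 ssh2
"""

# Traditional syslog line: "Mon DD HH:MM:SS host sshd[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$"
)
INVALID_RE = re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>[\d.]+)")


def parse_invalid_users(text, year=2011):
    """Return a list of (timestamp, source_ip, username) for every
    'Invalid user' line, i.e. the lines dmera greps for. `year` is assumed
    because syslog timestamps omit it."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        inv = INVALID_RE.search(m.group("msg"))
        if not inv:
            continue  # e.g. an 'Accepted publickey' line is not an attempt
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, inv.group("ip"), inv.group("user")))
    return events


def count_by_ip(events):
    """Attempts per source address, the summary a defender looks at first."""
    counts = defaultdict(int)
    for _, ip, _ in events:
        counts[ip] += 1
    return dict(counts)


def simulate_rate_limit(events, hitcount=3, blockseconds=60):
    """Approximate the quoted FW_SERVICES_ACCEPT_EXT rule: a new connection
    from an address is accepted only if that address has made fewer than
    `hitcount` attempts within the previous `blockseconds` seconds.
    Every attempt (accepted or dropped) is counted in the window, which is
    an assumption about how the underlying 'recent' match is used."""
    window = defaultdict(deque)  # ip -> timestamps of recent attempts
    accepted, dropped = [], []
    for ts, ip, user in sorted(events):
        recent = window[ip]
        # Expire attempts that fell out of the window.
        while recent and (ts - recent[0]).total_seconds() >= blockseconds:
            recent.popleft()
        if len(recent) < hitcount:
            accepted.append((ts, ip, user))
        else:
            dropped.append((ts, ip, user))
        recent.append(ts)
    return accepted, dropped


if __name__ == "__main__":
    evs = parse_invalid_users(SAMPLE_LOG)
    print("attempts per IP:", count_by_ip(evs))
    acc, drop = simulate_rate_limit(evs)
    print(f"accepted: {len(acc)}, dropped by hitcount rule: {len(drop)}")
    for ts, ip, user in drop:
        print(f"  {ts:%H:%M:%S} {ip} user={user} would be dropped")
```

Run it against a real file by replacing `SAMPLE_LOG` with the contents of /var/log/messages. Note that the rule limits connection attempts per minute per address; it does not stop a slow scanner that stays under the threshold, which is why hcvv's advice to expose only a high port on the router is a complementary measure rather than an alternative.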