Firewall - Can I open all ports for one IP address?

quantamm · April 27, 2010, 2:16pm

I have a couple of openSUSE 11.2 machines and each is directly connected to the Internet (they are not behind a router, firewall, etc). I want them to be able to communicate without any firewall restrictions, but keep the firewall rules for all other IP addresses. Is this possible?

If it helps, the software package I’m trying to use randomly chooses a port to use in the range of 32768-61000 and I don’t feel comfortable having a port range that wide open on both machines.

Akoellh · April 27, 2010, 2:47pm

There are several possibilities to do this, read /etc/sysconfig/SuSEfirewall2 carefully, it is well documented.

quantamm · April 28, 2010, 4:54am

Excellent! Thank you!

swerdna · April 28, 2010, 2:57pm

Probably would work if you added the IP to FW_TRUSTED_NETS

quantamm · April 28, 2010, 9:25pm

Thanks to the both of you for your replies. This was my first time working with the firewall outside of YaST. For anyone who has the same problem, this is what worked:

Edit /etc/sysconfig/SuSEfirewall2 changing:

FW_TRUSTED_NETS=""

to

FW_TRUSTED_NETS=“trusted_ip_address1 trusted_ip_address2”

And then running:

SuSEfirewall2 stop
SuSEfirewall2 start

to restart the firewall with the new rules.

Akoellh · April 28, 2010, 10:45pm

Well, I was also thinking of this here:

## Type: string
## Default:
#
# Services to allow. This is a more generic form of FW_SERVICES_{IP,UDP,TCP}
# and more specific than FW_TRUSTED_NETS
#
# Format: space separated list of net,protocol,dport,sport,flags]]]
# Example: "0/0,tcp,22"
#
# Supported flags are
#   hitcount=NUMBER     : ipt_recent --hitcount parameter
#   blockseconds=NUMBER : ipt_recent --seconds parameter
#   recentname=NAME     : ipt_recent --name parameter
# Example:
#    Allow max three ssh connects per minute from the same IP address:
#      "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
#
# The special value _rpc_ is recognized as protocol and means that dport is
# interpreted as rpc service name. See FW_SERVICES_EXT_RPC for
# details.
#
# Note1: keep in mind that FW_SERVICES_EXT_TCP, FW_SERVICES_EXT_UDP
# take precedence over FW_SERVICES_ACCEPT_EXT so don't open the same
# port with both options.
#
# Note2: the iptables recent module may not be available for ipv6. To
# avoid an error message use 0.0.0.0/0 instead of 0/0. This will
# install the rule for ipv4 only.
#
FW_SERVICES_ACCEPT_EXT=""

Instead of using IP adresses, sizing down the “net” to one IP (by netmask) and then being able to forward only those services/ports you explicitly want to allow instead of allowing them all.

Never tried this, but should work.