I want SSH in local network only, but it only works when the host firewall is disabled?

Hello,
I want to access a PC from other PCs in my local network via SSH. All PCs are connected to the internet router, which probably blocks everything from the internet which is not explicitly allowed. This includes SSH (port 22) also (I do not want any SSH access from outside of my local network).

So I started the ssh service on the host PC:

systemctl start sshd.service

and then tried to access the host from another PC in the local network:

ssh user@192.168.178.10

but I got no reaction (it was probably just waiting for an answer so I stopped the process).

Then I disabled the openSUSE firewall via YaST on the host, and everything worked fine!
But are not the two following statements true:

  1. the local network (I thought that is the IP range 192.168..) is handled by the so-called “internal zone”
  2. the internal zone has no restrictions, no blocked ports and so on

I guess this is just a configuration problem. I do not want to open port 22 for any other than the internal zone (I do not want the port open for the external zone, I just want local network ssh).
Can someone help me with this?

Actually, it is the network card that is put in either internal zone or external zone. You cannot restrict it to just a range of IP addresses – and that’s a good thing, because there are tricks that hackers can use to spoof IP addresses.

I just open the firewall for ssh.

I do not forward the ssh port on my router, so the router firewall protects me from ssh connections from outside the LAN. Additionally, I have it restricted to using publickey authentication.

Just allow ssh service in your computer firewall. This will enable ssh service external to the computer. Anyways your router blocks all services external to your home network. Hence simply speaking you can access ssh service within your network, but not outside.

Have you set FW_DEV_INT to the network interface pointing to your intranet? If not, the firewall assigns every interface that isn’t assigned to any zone to the external zone.
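
Added example, not part of any post in this thread: a read-only check of the zone logic the last reply describes, showing why SSH is dropped when the LAN interface is missing from FW_DEV_INT and accepted once it is listed. The function names (`zone_of`, `ssh_open`, `sample_config`), the interface name `eth0` and the sample file are constructed for illustration; the FW_* names other than FW_DEV_INT are SuSEfirewall2 sysconfig settings that do not appear in the thread, and the "no" default for FW_PROTECT_FROM_INT is an assumption.

```shell
# Which SuSEfirewall2 zone does an interface land in, and does TCP 22 pass?

# zone_of CONFIG IFACE -> prints INT, DMZ or EXT
zone_of() (
    FW_DEV_INT='' FW_DEV_DMZ='' FW_DEV_EXT=''
    . "$1"
    for z in INT DMZ EXT; do
        eval "devs=\$FW_DEV_$z"
        for d in $devs; do
            if [ "$d" = "$2" ]; then echo "$z"; exit 0; fi
        done
    done
    echo EXT    # listed in no zone: treated as external (see the reply above)
)

# ssh_open CONFIG IFACE -> exit status 0 if SSH would be accepted on IFACE
ssh_open() (
    FW_PROTECT_FROM_INT=no      # assumed default: internal zone unfiltered
    zone=$(zone_of "$1" "$2")
    . "$1"
    if [ "$zone" = INT ] && [ "$FW_PROTECT_FROM_INT" = no ]; then exit 0; fi
    eval "ports=\$FW_SERVICES_${zone}_TCP svcs=\$FW_CONFIGURATIONS_${zone}"
    for p in $ports; do         # exact entries only, port ranges not parsed
        case $p in 22|ssh) exit 0 ;; esac
    done
    for s in $svcs; do
        case $s in sshd) exit 0 ;; esac
    done
    exit 1
)

# sample_config INT_IFACES -> path of a constructed sample config file
sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<EOF
FW_DEV_EXT=""
FW_DEV_INT="$1"
FW_SERVICES_EXT_TCP=""
FW_PROTECT_FROM_INT="no"
EOF
    echo "$f"
}

for ints in "" eth0; do
    cfg=$(sample_config "$ints")
    if ssh_open "$cfg" eth0; then r=accepted; else r=dropped; fi
    echo "FW_DEV_INT=\"$ints\": eth0 in $(zone_of "$cfg" eth0), SSH $r"
    rm -f "$cfg"
done
```

On a real host the functions would be pointed at /etc/sysconfig/SuSEfirewall2 and the actual LAN interface name instead of the constructed sample.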