
RE: [suse-security] Blocking ports and services



Hi Dietmar,

> From: Dietmar Stein [mailto:DStein@xxxxxxxxxxxxxxxxxx]
> Hi
> 
> I am new to the list but I have gone through archives and several internet
> resources before, but I can't find a detailed answer, so I am asking ...
> 
> I have a machine running SLES7 (fully updated), which has only one ethernet
> interface (eth0). The machine is running SAP and Oracle and I want to
> ensure that only some IP addresses can connect to SAP (which is running on
> ports 3200, 3300, 4800, 3600); all other services except ssh should be
> unavailable to the local network.

FW_DEV_EXT="eth0"
FW_EXT_SERVICES="ssh"
FW_TRUSTED_NETS="a.b.c.d/32,tcp,3200 a.b.c.d/32,tcp,3300 a.b.c.d/32,tcp,4800 a.b.c.d/32,tcp,3600"

If you can find a subnet that covers all "allowed" IP addresses, this will be very easy. E.g.
FW_TRUSTED_NETS="10.100.0.0/16,tcp,80" enables HTTP access for every IP within the 10.100.0.0 subnet.

> What do I want? I want to have access to SAP/Oracle from only a few IP
> addresses and all other services blocked (except ssh which should be
> public). I have tried to use SuSEfirewall without success (it won't start
> if I do not specify an external device and if I specify it, I lock myself
> out).

A trick for not locking oneself out of the box is to add the IP address to the FW_TRUSTED_NETS variable ;-)
 
> Any suggestions?
>
> Thanks, Dietmar

You're welcome,
Stefan
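
The following is an added example, not SuSEfirewall's own code and not part of the thread above. It makes two points from Stefan's reply concrete: what each "net/mask,proto,port" entry in FW_TRUSTED_NETS stands for (a mask of /0 would admit every source, which is why a single host needs /32), and the "add your own IP" check, i.e. confirming that the workstation you administer from is still admitted on a port before the firewall is switched on. The function names trusted_nets_to_rules, ip_to_int, ip_in_net and host_allowed, the sample addresses, and the iptables-style output are all assumptions for illustration; SuSEfirewall generates the real rules from the config file, and nothing here is applied to the kernel.

```shell
#!/bin/sh
# Added example, not SuSEfirewall's own code: expand a FW_TRUSTED_NETS
# string ("net/mask,proto,port ..." entries) into the iptables-style
# ACCEPT rules the entries stand for, refuse /0 masks (which match every
# source address), and check whether a given admin host would still be
# admitted on a port before the firewall is switched on. The rules are
# printed, not applied; SuSEfirewall generates the real ones.

# Print one ACCEPT rule for each entry on the external device $1.
# Returns 1 if any entry is malformed, uses an unknown protocol, or
# carries a /0 mask. A bare host address is treated as /32.
trusted_nets_to_rules() {
    dev=$1
    rc=0
    for entry in $2; do
        case "$entry" in
            *,*,*) ;;
            *) echo "malformed entry: $entry" >&2; rc=1; continue ;;
        esac
        net=${entry%%,*}
        rest=${entry#*,}
        proto=${rest%%,*}
        port=${rest#*,}
        case "$net" in
            */0) echo "refusing $entry: /0 admits every source" >&2; rc=1; continue ;;
            */*) ;;
            *) net="$net/32" ;;
        esac
        case "$proto" in
            tcp|udp) ;;
            *) echo "unknown protocol in $entry" >&2; rc=1; continue ;;
        esac
        echo "iptables -A INPUT -i $dev -p $proto -s $net --dport $port -j ACCEPT"
    done
    return $rc
}

# Dotted quad -> 32-bit integer (POSIX sh arithmetic, no external tools).
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Returns 0 if address $1 lies inside $2 ("net/prefix" or a bare host).
ip_in_net() {
    ip=$(ip_to_int "$1")
    netaddr=$(ip_to_int "${2%/*}")
    prefix=${2#*/}
    [ "$prefix" = "$2" ] && prefix=32
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( netaddr & mask )) ]
}

# Returns 0 if some entry in FW_TRUSTED_NETS string $4 admits host $1
# on protocol $2, port $3. This is the "add your own IP" check: run it
# for the workstation you administer from before enabling the firewall.
host_allowed() {
    for entry in $4; do
        rest=${entry#*,}
        [ "${rest%%,*}" = "$2" ] || continue
        [ "${rest#*,}" = "$3" ] || continue
        if ip_in_net "$1" "${entry%%,*}"; then
            return 0
        fi
    done
    return 1
}

# Constructed sample: two SAP ports for a /16 and one port for a single host.
SAMPLE_NETS="10.100.0.0/16,tcp,3200 10.100.0.0/16,tcp,3300 192.168.1.10,tcp,4800"
trusted_nets_to_rules eth0 "$SAMPLE_NETS"
host_allowed 10.100.7.9 tcp 3200 "$SAMPLE_NETS" && echo "10.100.7.9 may reach 3200/tcp"
host_allowed 10.100.7.9 tcp 4800 "$SAMPLE_NETS" || echo "10.100.7.9 would be blocked on 4800/tcp"
```

Run it as a plain sh script; the printed rules are only a reading aid for what the config entries mean. The useful habit is the last two lines: before setting FW_DEV_EXT and starting the firewall, pass your own address through host_allowed for every port you need, and if it is not admitted, add it (as a /32 host or a covering subnet) to FW_TRUSTED_NETS first.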


--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here