[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: [suse-security] Blocking ports and services
> From: Dietmar Stein [mailto:DStein@xxxxxxxxxxxxxxxxxx]
> I am new to the list but I have gone through archives and
> several internet
> resources before, but I can't find a detailed answer, so I am
> asking ...
> I have a machine running SLES7 (fully updated), which has
> only one ethernet
> interface (eth0). The machine is running SAP and Oracle and I want to
> ensure that only some IP addresses can connect to SAP (which
> is running on
> ports 3200, 3300, 4800, 3600); all other services except ssh should be
> unavailable to the local network.
FW_TRUSTED_NETS="a.b.c.d/0,tcp,3200 a.b.c.d/0,tcp,3300 a.b.c.d/0,tcp,4800 a.b.c.d/0,tcp,3600"
If you can find a subnet for all "allowed" ip addresses this will be very easy. E.g.
FW_TRUSTED_NETS="10.100.0.0/16,tcp,80" enables HTTP-access for every ip within the 10.100.0.0 subnet.
> What do I want? I want to have access to SAP/Oracle from only a few IP
> addresses and all other services blocked (except ssh which should be
> public). I have tried to use SuSEfirewall without success (it
> won't start
> if I do not specify an extrenal device and if I specify it, I
> lock myself).
A trick of not locking oneself out of the box is to add the ip-address to the FW_TRUSTED_NETS variable ;-)
> Any suggestions?
> Thanks, Dietmar
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here