
Re: [suse-security] Can't open any port

All is well, finally, thanks to so many for jumping in to help a fellow
struggler.  Especially to Mario Nubert who, in a private email exchange,
caught the fact that I was TESTING the thing all wrong!  SuSEfirewall2,
unlike that OTHER firewall I was using, protects against spoofed IP
addresses.  Since I was testing access from a workstation INSIDE the
firewall, going to the OUTSIDE address, that was the rule being
enforced.  So I was configured right all along, just didn't know how to
test it.

Daryl

On Sat, 2003-12-13 at 00:13, Daryl Lee wrote:
> I have temporarily worked around my problem by reinstating the script
> (not SuSEfirewall2) that worked for me before installing SuSE.  It may
> not be as encompassing (for example, it allows SSH connections on the
> internet interface from a workstation inside the firewall).  But it will
> get me "over the hump" until a more elegant solution presents itself.
> 
> Thanks for all the attempts to help.
> 
> Daryl
> 
> On Fri, 2003-12-12 at 07:27, Daryl Lee wrote:
> > I am trying to configure my firewall to accept remote SSH logins, but it
> > will not.  Configuration: Linux server (combination internet gateway,
> > router, and primary workstation) running SuSE 9.0 (brand new install;
> > replaced RedHat 8.0 a week ago, where this problem did not exist). 
> > Windows 2000 laptop (my employer's), and Windows XP laptop (my wife's). 
> > All internal LAN access is fine, SMB file and printer sharing works,
> > workstations can all get out to the internet, no problems there.  But
> > when I try to come in from the internet and open a SSH session with the
> > firewall up, it will not connect.  When I try with the "SuSEfirewall
> > test" command, it goes through okay (so I know sshd is running
> > correctly).  Here's my /etc/sysconfig/SuSEfirewall2, with all the
> > comments and blank lines stripped, my comments added:
> > 
> > FW_QUICKMODE="no"
> > FW_DEV_EXT="ppp0"  # I use DSL
> > FW_DEV_INT="eth1"
> > FW_DEV_DMZ=""
> > FW_ROUTE="yes"
> > FW_MASQUERADE="yes"
> > FW_MASQ_DEV="$FW_DEV_EXT"
> > FW_MASQ_NETS="0/0"
> > FW_PROTECT_FROM_INTERNAL="no"
> > FW_AUTOPROTECT_SERVICES="yes"
> > FW_SERVICES_EXT_TCP="ssh http 5800:5805"  # 580x, 590x: VNC
> > FW_SERVICES_EXT_UDP=""
> > FW_SERVICES_EXT_IP=""
> > FW_SERVICES_DMZ_TCP=""
> > FW_SERVICES_DMZ_UDP=""
> > FW_SERVICES_DMZ_IP=""
> > FW_SERVICES_INT_TCP="ssh domain netbios-ssn"   # netbios-ssn for SAMBA
> > FW_SERVICES_INT_UDP=""
> > FW_SERVICES_INT_IP=""
> > FW_SERVICES_QUICK_TCP=""
> > FW_SERVICES_QUICK_UDP=""
> > FW_SERVICES_QUICK_IP=""
> > FW_TRUSTED_NETS=""
> > FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
> > FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
> > FW_SERVICE_AUTODETECT="yes"
> > FW_SERVICE_DNS="yes"
> > FW_SERVICE_DHCLIENT="no"
> > FW_SERVICE_DHCPD="yes"
> > FW_SERVICE_SQUID="no"
> > FW_SERVICE_SAMBA="yes"
> > FW_FORWARD=""
> > FW_FORWARD_MASQ=""
> > FW_REDIRECT=""
> > FW_LOG_DROP_CRIT="yes"
> > FW_LOG_DROP_ALL="no"
> > FW_LOG_ACCEPT_CRIT="yes"
> > FW_LOG_ACCEPT_ALL="no"
> > FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
> > FW_KERNEL_SECURITY="yes"
> > FW_STOP_KEEP_ROUTING_STATE="no"
> > FW_ALLOW_PING_FW="yes"
> > FW_ALLOW_PING_DMZ="no"
> > FW_ALLOW_PING_EXT="no"
> > FW_ALLOW_FW_TRACEROUTE="yes"
> > FW_ALLOW_FW_SOURCEQUENCH="yes"
> > FW_ALLOW_FW_BROADCAST="no"
> > FW_IGNORE_FW_BROADCAST="yes"
> > FW_ALLOW_CLASS_ROUTING="no"
> > FW_CUSTOMRULES=""
> > FW_REJECT="no"
> > FW_HTB_TUNE_DEV=""
> > 
> 
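The lesson of the thread is that a test from a LAN workstation never exercises FW_SERVICES_EXT_TCP, because the packet enters the firewall on the internal interface. The following added example (not code from the thread or from SuSEfirewall2) parses the KEY="value" lines quoted above and reports which zone's service list governs a TCP connection arriving on a given interface; the service-name table and the config excerpt are constructed assumptions, and the anti-spoofing check that actually dropped Daryl's inside-to-outside test is not modelled.

```python
import re

# Constructed excerpt of the poster's /etc/sysconfig/SuSEfirewall2 (only the
# variables this model needs; the real file has many more).
SAMPLE_CONFIG = """
FW_DEV_EXT="ppp0"  # I use DSL
FW_DEV_INT="eth1"
FW_SERVICES_EXT_TCP="ssh http 5800:5805"  # 580x, 590x: VNC
FW_SERVICES_INT_TCP="ssh domain netbios-ssn"   # netbios-ssn for SAMBA
"""

# Minimal stand-in for /etc/services covering the names used above (assumption).
SERVICE_PORTS = {"ssh": 22, "http": 80, "domain": 53, "netbios-ssn": 139}

def parse_config(text):
    """Parse FW_*="value" lines, ignoring anything after the closing quote."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r'\s*(FW_\w+)="([^"]*)"', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def port_ranges(spec):
    """Turn 'ssh http 5800:5805' into [(22, 22), (80, 80), (5800, 5805)]."""
    ranges = []
    for tok in spec.split():
        lo, _, hi = tok.partition(":")
        lo = int(lo) if lo.isdigit() else SERVICE_PORTS[lo]
        hi = int(hi) if hi else lo
        ranges.append((lo, hi))
    return ranges

def zone_of_device(cfg, dev):
    """Zone (EXT/INT/DMZ) of the interface a packet arrives on."""
    for zone in ("EXT", "INT", "DMZ"):
        if dev in cfg.get(f"FW_DEV_{zone}", "").split():
            return zone
    raise ValueError(f"{dev} is not assigned to any zone")

def tcp_allowed(cfg, arriving_dev, port):
    """Return (zone, opened): which FW_SERVICES_<zone>_TCP list applies and
    whether it opens `port`. A LAN host connecting to the ppp0 address still
    arrives on eth1, so the INT list is consulted, never the EXT one."""
    zone = zone_of_device(cfg, arriving_dev)
    ranges = port_ranges(cfg.get(f"FW_SERVICES_{zone}_TCP", ""))
    return zone, any(lo <= port <= hi for lo, hi in ranges)

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for dev, port in (("eth1", 22), ("ppp0", 22), ("ppp0", 5803), ("ppp0", 5900)):
        print(dev, port, tcp_allowed(cfg, dev, port))
```

Only a client on the far side of ppp0 produces an ("EXT", ...) verdict, which is why the external SSH rule has to be tested from outside.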
