
Re: [suse-security] Help setting SuSEfirewall2



On Fri, Oct 03, 2003 at 08:59:46PM -0400, Rafael E. Herrera wrote:
> Hello,
> 
> I would like to be able to have a machine that allows remote 
> connections through SSH. It should also accept traffic through 15 UDP ports.
> 
> The SSH and 15 UDP ports traffic should be limited to two subnets: in 
> the example below, they are 12.203.150.0/24 and 12.203.162.0/26. All 
> other traffic should be rejected.
> 
> The machine will not act as a router, I just want to use SuSEfirewall2 
> as a personal firewall. I only have one network card.
> 
> Will the configuration file below satisfy the requirements I've stated?
> 
> I suspect I'm allowing anybody to connect using ssh by setting 
> FW_SERVICES_EXT_TCP, is that correct?

Yes, you are right. You have to use FW_TRUSTED_NETS if you want to 
allow access from those nets only.

> 
> I'd appreciate any suggestion.
> 
>    Rafael
> 
> 
> --------------------------
> FW_QUICKMODE="no"
> FW_DEV_EXT="eth0"
> FW_DEV_INT=""
> FW_DEV_DMZ=""
> FW_ROUTE="no"
> FW_MASQUERADE="no"
> FW_MASQ_DEV="$FW_DEV_EXT"
> FW_MASQ_NETS=""
> FW_PROTECT_FROM_INTERNAL="yes"
> FW_AUTOPROTECT_SERVICES="yes"
> FW_SERVICES_EXT_TCP="ssh"

FW_SERVICES_EXT_TCP=""

> FW_SERVICES_EXT_UDP="40001:40015"

FW_SERVICES_EXT_UDP=""

> FW_SERVICES_EXT_IP=""
> FW_SERVICES_DMZ_TCP=""
> FW_SERVICES_DMZ_UDP=""
> FW_SERVICES_DMZ_IP=""
> FW_SERVICES_INT_TCP=""
> FW_SERVICES_INT_UDP=""
> FW_SERVICES_INT_IP=""
> FW_SERVICES_QUICK_TCP=""
> FW_SERVICES_QUICK_UDP=""
> FW_SERVICES_QUICK_IP=""
> FW_TRUSTED_NETS="12.203.150.0/24 12.203.162.0/26"

FW_TRUSTED_NETS="12.203.150.0/24,tcp,ssh 12.203.162.0/26,tcp,ssh 12.203.150.0/24,udp,40001:40015 12.203.162.0/26,udp,40001:40015"

Regards, -Kastus
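
Added example, not part of the thread and not SuSEfirewall2's own code: the POSIX shell script below takes a FW_TRUSTED_NETS value in the "net[,proto[,port]]" form used in the reply above and prints the equivalent hand-written iptables INPUT rules, so the difference between the original setting (bare networks, which trust every port from those nets) and the corrected one (per-protocol, per-port tuples) is visible. It also lists the bare-network entries, which is the check worth running before reloading the firewall. The interface name comes from the posted config (eth0); the chain name, rule shape and default-deny policy are assumptions of this example, not what SuSEfirewall2 actually emits.

```shell
#!/bin/sh
# Added example: translate a SuSEfirewall2 FW_TRUSTED_NETS string into
# plain iptables INPUT rules. This is an illustration of the tuple
# semantics, not the rule set SuSEfirewall2 itself generates.

# External interface from the posted config; the rule layout below is
# this example's own assumption.
FW_DEV_EXT="eth0"

# trusted_rules "<FW_TRUSTED_NETS value>"
# Prints one iptables command per space-separated entry, in order.
# Entry forms: "net" (all traffic from net), "net,proto" (all ports of
# that protocol), "net,proto,port" (one port, a low:high range, or a
# service name such as "ssh", which iptables resolves via /etc/services).
trusted_rules() {
    for entry in $1; do
        net=${entry%%,*}                  # text before the first comma
        rest=${entry#"$net"}; rest=${rest#,}
        proto=${rest%%,*}                 # second field, may be empty
        port=${rest#"$proto"}; port=${port#,}   # third field, may be empty
        if [ -z "$proto" ]; then
            printf 'iptables -A INPUT -i %s -s %s -j ACCEPT\n' \
                "$FW_DEV_EXT" "$net"
        elif [ -z "$port" ]; then
            printf 'iptables -A INPUT -i %s -s %s -p %s -j ACCEPT\n' \
                "$FW_DEV_EXT" "$net" "$proto"
        else
            printf 'iptables -A INPUT -i %s -s %s -p %s --dport %s -j ACCEPT\n' \
                "$FW_DEV_EXT" "$net" "$proto" "$port"
        fi
    done
}

# bare_net_entries "<value>": print entries that carry no proto/port,
# i.e. networks that would be trusted for every port and protocol.
bare_net_entries() {
    for entry in $1; do
        case $entry in
            *,*) ;;                       # has at least a protocol
            *)   printf '%s\n' "$entry" ;;
        esac
    done
}

# Counters, convenient for comparing two candidate values.
trusted_rule_count() { trusted_rules "$1" | wc -l | tr -d ' '; }
bare_net_count()     { bare_net_entries "$1" | wc -l | tr -d ' '; }

# full_ruleset "<value>": default-deny INPUT policy (this example's
# assumption), loopback and established traffic, then the trusted nets.
full_ruleset() {
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    trusted_rules "$1"
}

# Stand-alone run: show the rules for the corrected value from the reply
# and warn about any bare-network entries.
CORRECTED="12.203.150.0/24,tcp,ssh 12.203.162.0/26,tcp,ssh 12.203.150.0/24,udp,40001:40015 12.203.162.0/26,udp,40001:40015"
full_ruleset "$CORRECTED"
for bare in $(bare_net_entries "$CORRECTED"); do
    printf 'warning: %s is trusted for all ports and protocols\n' "$bare" >&2
done
```

Running it against the original value, `12.203.150.0/24 12.203.162.0/26`, produces two rules with no `-p` or `--dport`, and both entries show up as bare networks; the corrected value produces four port-restricted rules and no warning. The script only prints commands, so the output can be reviewed before it is ever fed to a shell.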
