Allow source network in Suse 10.2 Firewall script "SuSEfirewall2"? - Suse




  1. Allow source network in Suse 10.2 Firewall script "SuSEfirewall2"?

    Hi,

    I am setting up a two interface firewall using Suse 10.2 and want to
    allow SSH connections (using a non-standard port) from a single
    network. I am also using the firewall script (/etc/sysconfig/
    SuSEfirewall2) provided by Suse.

    Does anyone know which variable will allow me to do this?

    I have tried adding information to section 10 FW_TRUSTED_NETS

    ex. FW_TRUSTED_NETS="1.1.1.1,tcp,3000" <- 3000 is the ssh port I
    chose to use for this example. I would also modify /etc/services and
    change ssh to port 3000.

    This doesn't work.

    I have also tried FW_SERVICES_ACCEPT_EXT

    ex. FW_SERVICES_ACCEPT_EXT="1.1.1.1,tcp,3000"

    This doesn't work.


    The only entry that works is:

    FW_SERVICES_EXT_TCP="3000"

    This does not allow me to specify the source network though.

    Thanks in advance.....


  2. Re: Allow source network in Suse 10.2 Firewall script "SuSEfirewall2"?

    mostro713@gmail.com wrote:
    > Hi,
    >
    > I am setting up a two interface firewall using Suse 10.2 and want to
    > allow SSH connections (using a non-standard port) from a single
    > network. I am also using the firewall script (/etc/sysconfig/
    > SuSEfirewall2) provided by Suse.
    >
    > Does anyone know which variable will allow me to do this?
    >
    > I have tried adding information to section 10 FW_TRUSTED_NETS
    >
    > ex. FW_TRUSTED_NETS="1.1.1.1,tcp,3000" <- 3000 is the ssh port I
    > chose to use for this example. I would also modify /etc/services and
    > change ssh to port 3000.
    >
    > This doesn't work.


    It should. After editing /etc/sysconfig/SuSEfirewall2, run
    rcSuSEfirewall2, which will effect the change.

    Then, ssh from the trusted network to port 3000. Then check
    /var/log/firewall to see if the connection has been accepted or
    rejected. If it has been accepted, check /var/log/messages to determine
    if you have an ssh config problem.

    Regards,

    Gary

  3. Re: Allow source network in Suse 10.2 Firewall script "SuSEfirewall2"?

    On Oct 2, 7:01 am, Gary Gapinski wrote:
    > mostro...@gmail.com wrote:
    > > Hi,
    > >
    > > I am setting up a two interface firewall using Suse 10.2 and want to
    > > allow SSH connections (using a non-standard port) from a single
    > > network. I am also using the firewall script (/etc/sysconfig/
    > > SuSEfirewall2) provided by Suse.
    > >
    > > Does anyone know which variable will allow me to do this?
    > >
    > > I have tried adding information to section 10 FW_TRUSTED_NETS
    > >
    > > ex. FW_TRUSTED_NETS="1.1.1.1,tcp,3000" <- 3000 is the ssh port I
    > > chose to use for this example. I would also modify /etc/services and
    > > change ssh to port 3000.
    > >
    > > This doesn't work.
    >
    > It should. After editing /etc/sysconfig/SuSEfirewall2, run
    > rcSuSEfirewall2, which will effect the change.
    >
    > Then, ssh from the trusted network to port 3000. Then check
    > /var/log/firewall to see if the connection has been accepted or
    > rejected. If it has been accepted, check /var/log/messages to determine
    > if you have an ssh config problem.
    >
    > Regards,
    >
    > Gary


    I usually reload the firewall /etc/init.d/SuSEfirewall_setup reload

    I can only get it to work when I use FW_SERVICES_EXT_TCP="3000"

    This allows access from anywhere though.

    I'm wondering if I should use an external file with:

    FW_CUSTOMRULES=""

    It looks like I can use standard IPTABLES rules here.

    Has anyone used this before?

    Thanks again....



  4. Re: Allow source network in Suse 10.2 Firewall script "SuSEfirewall2"?

    On Oct 2, 9:02 am, "mostro...@gmail.com" wrote:
    > On Oct 2, 7:01 am, Gary Gapinski wrote:
    > > mostro...@gmail.com wrote:
    > > > Hi,
    > > >
    > > > I am setting up a two interface firewall using Suse 10.2 and want to
    > > > allow SSH connections (using a non-standard port) from a single
    > > > network. I am also using the firewall script (/etc/sysconfig/
    > > > SuSEfirewall2) provided by Suse.
    > > >
    > > > Does anyone know which variable will allow me to do this?
    > > >
    > > > I have tried adding information to section 10 FW_TRUSTED_NETS
    > > >
    > > > ex. FW_TRUSTED_NETS="1.1.1.1,tcp,3000" <- 3000 is the ssh port I
    > > > chose to use for this example. I would also modify /etc/services and
    > > > change ssh to port 3000.
    > > >
    > > > This doesn't work.
    > >
    > > It should. After editing /etc/sysconfig/SuSEfirewall2, run
    > > rcSuSEfirewall2, which will effect the change.
    > >
    > > Then, ssh from the trusted network to port 3000. Then check
    > > /var/log/firewall to see if the connection has been accepted or
    > > rejected. If it has been accepted, check /var/log/messages to determine
    > > if you have an ssh config problem.
    > >
    > > Regards,
    > >
    > > Gary
    >
    > I usually reload the firewall /etc/init.d/SuSEfirewall_setup reload
    >
    > I can only get it to work when I use FW_SERVICES_EXT_TCP="3000"
    >
    > This allows access from anywhere though.
    >
    > I'm wondering if I should use an external file with:
    >
    > FW_CUSTOMRULES=""
    >
    > It looks like I can use standard IPTABLES rules here.
    >
    > Has anyone used this before?
    >
    > Thanks again....


    I cleared FW_SERVICES_EXT_TCP="3000" to FW_SERVICES_EXT_TCP=""

    and added FW_TRUSTED_NETS="1.1.1.1/25,tcp,3000" <- 1.1.1.1 would be
    the public source network.

    It worked!...

    Thanks
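The interaction between the two variables in this thread (a port listed in FW_SERVICES_EXT_TCP is open to every external host, so a source restriction on the same port in FW_TRUSTED_NETS cannot narrow it) can be checked before reloading the firewall. The POSIX shell helper below is an added example, not code from SUSE or from anyone in the thread; it assumes the entry syntax shown in the posts (space-separated entries of the form "net[,proto[,port]]" and a space-separated port list), and the function names and sample values are my own.

```shell
#!/bin/sh
# Audit helper for the two SuSEfirewall2 variables discussed in the thread
# (added example, not SUSE's own code). Assumes the sysconfig syntax shown
# there: FW_TRUSTED_NETS is a space-separated list of "net[,proto[,port]]",
# FW_SERVICES_EXT_TCP a space-separated list of TCP ports.

# Constructed sample values modelled on the thread; 1.1.1.1/25 is a placeholder.
SAMPLE_TRUSTED='1.1.1.1/25,tcp,3000 10.0.0.0/8,udp,514 192.168.1.0/24'
SAMPLE_EXT_TCP='3000'

# split_entry "net[,proto[,port]]": sets net, proto, port (empty when absent)
split_entry() {
    net=${1%%,*}; proto=''; port=''
    case $1 in
        *,*,*) rest=${1#*,}; proto=${rest%%,*}; port=${rest#*,} ;;
        *,*)   proto=${1#*,} ;;
    esac
}

# trusted_to_iptables "$FW_TRUSTED_NETS": print one simplified INPUT rule per
# entry (real SuSEfirewall2 uses its own chains) so the admitted source,
# protocol and port of each entry are visible at a glance.
trusted_to_iptables() {
    for entry in $1; do
        split_entry "$entry"
        rule="iptables -A INPUT -s $net"
        if [ -n "$proto" ]; then rule="$rule -p $proto"; fi
        if [ -n "$port" ]; then rule="$rule --dport $port"; fi
        printf '%s -j ACCEPT\n' "$rule"
    done
}

# shadowed_ports "$FW_SERVICES_EXT_TCP" "$FW_TRUSTED_NETS": print each TCP port
# that FW_TRUSTED_NETS limits to a source network while FW_SERVICES_EXT_TCP
# already opens it to every external host. A hit means the source restriction
# changes nothing until the port is removed from FW_SERVICES_EXT_TCP, which is
# consistent with the final post clearing that variable before it worked.
shadowed_ports() {
    for entry in $2; do
        split_entry "$entry"
        if [ "$proto" != tcp ] || [ -z "$port" ]; then continue; fi
        for open in $1; do
            if [ "$open" = "$port" ]; then printf '%s\n' "$port"; fi
        done
    done
}

trusted_to_iptables "$SAMPLE_TRUSTED"
shadowed_ports "$SAMPLE_EXT_TCP" "$SAMPLE_TRUSTED"
```

To run it against a live box, source the real values with `. /etc/sysconfig/SuSEfirewall2` and pass `"$FW_TRUSTED_NETS"` and `"$FW_SERVICES_EXT_TCP"` to the two functions; any port printed by shadowed_ports is still reachable from every external address.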

