SLES 12 SP2 Suse firewall, FW_TRUSTED_NETS ranges of ports?



skunkboy
20-Sep-2017, 20:04
Is it possible to use ranges of ports? 22:24, or 22-24 in stanza?

0.0.0.0/0,tcp,8000:8010 : all ports 8000 through 8010 ?

I thought this worked at least under SLES 11sp4 but am now finding it not to work. If this is a more general iptables question please let me know and I will inquire elsewhere, but since I'm using the included SLES config files I thought I would start here.

Thanks,
Matt

smflood
20-Sep-2017, 23:03
skunkboy Wrote in message:

> Is it possible to use ranges of ports? 22:24, or 22-24 in stanza?
>
> 0.0.0.0/0,tcp,8000:8010 : all ports 8000 through 8010 ?
>
> I thought this worked at least under SLES 11sp4 but am now finding it
> now not to work? If this is a more general iptables question please let
> me know and I will inquire elsewhere, but since I'm using the included
> SLES config files I thought I would start here.

https://en.opensuse.org/SuSEfirewall2 suggests you specify a range
using colons (:).

If that doesn't work I wonder if you can achieve the desired
effect using a custom service definition file as covered at

https://en.opensuse.org/SuSEfirewall2/Service_Definitions_Added_via_Packages

HTH.
--
Simon Flood
SUSE Knowledge Partner



KBOYLE
20-Sep-2017, 23:53
skunkboy wrote:

> Is it possible to use ranges of ports? 22:24, or 22-24

Not according to the documentation in /etc/sysconfig/SuSEfirewall2

> # Which services should be accessible from 'trusted' hosts or nets?
> #
> # Define trusted hosts or networks (doesn't matter whether they are internal or
> # external) and the services (tcp,udp,icmp) they are allowed to use. This can
> # be used instead of FW_SERVICES_* for further access restriction. Please note
> # that this is no replacement for authentication since IP addresses can be
> # spoofed. Also note that trusted hosts/nets are not allowed to ping the
> # firewall until you also permit icmp.
> #
> # Format: space separated list of network[,protocol[,port]]
> # in case of icmp, port means the icmp type
> #
> # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
> #
> FW_TRUSTED_NETS=""


However, it is supported for other config settings:

> # Format: space separated list of
> # <source network>[,<destination network>,<protocol>[,port[:port]]

for FW_MASQ_NETS, FW_NOMASQ_NETS, and the FW_SERVICES_... config settings that expect ports.

--
Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

skunkboy
21-Sep-2017, 19:44
The colon does not appear to be working. The custom service is cool, except that I see no easy way to limit those by IP or range?

Thanks,
Matt

smflood
22-Sep-2017, 12:13
On 21/09/17 19:54, skunkboy wrote:

> The colon does not appear to be working. The custom service is cool,
> except that I see no easy way to limit those by IP or range?

After doing some more reading it seems
FW_TRUSTED_NETS="0.0.0.0/0,tcp,8000:8010" should be valid so I wonder if
the issue is the 0.0.0.0/0 IP range and instead you should be using
FW_SERVICES_EXT_TCP="8000:8010" instead?

Unless of course things have changed with SLES12 yet that still uses
SuSEfirewall2.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------

ab
22-Sep-2017, 15:55
I added the FW_TRUSTED_NETS line that Simon shared and it seems to work on
my SLES 12 SP2 box:

-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 8000:8010 -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 8000:8010 -j ACCEPT

The 'iptables-save' output above shows that those ports should be open. I
tested this by setting up netcat to listen for traffic on two ports in
that range (8008 and 8010) and then connected to it from netcat on another
server and it seemed to be just fine.

With that in mind, I do not know why, when allowing access from anywhere,
you would not just put these ranges into the Allowed Services section of
Yast, perhaps under Advanced, or define that services file Simon mentioned
and then add that to the list of allowed services on the External (or
whichever) zone, which would allow access to those ports from anything
assigned to that zone (by default everything unassigned is assigned to the
External zone).

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
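A small parser for the FW_TRUSTED_NETS format quoted earlier in the thread, rendering each entry as an ACCEPT rule in the shape of the iptables-save lines ab posted. This is an added example, not SuSEfirewall2's own code; it assumes the colon range form (8000:8010) confirmed above, rejects the 22-24 dash form skunkboy first tried, and reports any entry whose network is 0.0.0.0/0, since "trusting" everyone is the point smflood raised about using FW_SERVICES_EXT_TCP instead.

```python
import ipaddress
import re

# Added example (not SuSEfirewall2 code): parse the FW_TRUSTED_NETS format quoted
# above (network[,protocol[,port]], port may be lo:hi) into input_ext ACCEPT rules.
PORT_RE = re.compile(r"^(\d{1,5})(?::(\d{1,5}))?$")

def parse_entry(entry):
    """Return (network, protocol, (lo, hi)) for one entry, or raise ValueError."""
    parts = entry.split(",")
    if len(parts) > 3:
        raise ValueError(f"too many fields in {entry!r}")
    net = ipaddress.ip_network(parts[0], strict=False)
    proto = parts[1] if len(parts) > 1 else None
    if proto not in (None, "tcp", "udp", "icmp"):
        raise ValueError(f"unknown protocol {proto!r} in {entry!r}")
    ports = None
    if len(parts) == 3:
        m = PORT_RE.match(parts[2])          # the dash form 22-24 fails here
        if not m:
            raise ValueError(f"bad port spec {parts[2]!r} in {entry!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 0 <= lo <= hi <= 65535 or (proto == "icmp" and lo != hi):
            raise ValueError(f"bad port or icmp type range in {entry!r}")
        ports = (lo, hi)
    return net, proto, ports

def to_iptables(entry):
    """Render one entry as the input_ext ACCEPT rule it corresponds to."""
    net, proto, ports = parse_entry(entry)
    rule = ["-A input_ext"]
    if net.prefixlen:                        # 0.0.0.0/0 matches all: no -s
        rule.append(f"-s {net.with_prefixlen}")
    if proto:
        rule.append(f"-p {proto}")
    rule.append("-m conntrack --ctstate NEW,RELATED,ESTABLISHED")
    if ports and proto == "icmp":
        rule.append(f"-m icmp --icmp-type {ports[0]}")
    elif ports:
        lo, hi = ports
        rule.append(f"-m {proto} --dport {lo}" + (f":{hi}" if hi != lo else ""))
    rule.append("-j ACCEPT")
    return " ".join(rule)

def render(fw_trusted_nets):
    """Rules for the whole variable, plus the entries that 'trust' everyone."""
    entries = fw_trusted_nets.split()
    rules = [to_iptables(e) for e in entries]
    wide_open = [e for e in entries if parse_entry(e)[0].prefixlen == 0]
    return rules, wide_open
```

Compare the rendered line for 0.0.0.0/0,tcp,8000:8010 with the second iptables-save line above; a non-empty wide_open list means the entry grants access from anywhere and belongs in FW_SERVICES_EXT_TCP rather than a trusted-nets list.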