
Thread: Suse firewall, FW_TRUSTED_NETS ranges of ports?

  1. #1

    Suse firewall, FW_TRUSTED_NETS ranges of ports?

    Is it possible to use ranges of ports? 22:24, or 22-24 in stanza?

    0.0.0.0/0,tcp,8000:8010 : all ports 8000 through 8010 ?

    I thought this worked at least under SLES 11sp4 but am now finding it not to work? If this is a more general iptables question please let me know and I will inquire elsewhere, but since I'm using the included SLES config files I thought I would start here.

    Thanks,
    Matt

  2. #2

    Re: Suse firewall, FW_TRUSTED_NETS ranges of ports?

    skunkboy Wrote in message:

    > Is it possible to use ranges of ports? 22:24, or 22-24 in stanza?
    >
    > 0.0.0.0/0,tcp,8000:8010 : all ports 8000 through 8010 ?
    >
    > I thought this worked at least under SLES 11sp4 but am now finding it
    > now not to work? If this is a more general iptables question please let
    > me know and I will inquire elsewhere, but since I'm using the included
    > SLES config files I thought I would start here.


    https://en.opensuse.org/SuSEfirewall2 suggests you specify a range
    using colons (:).

    If that doesn't work I wonder if you can achieve the desired
    effect using a custom service definition file as covered at

    https://en.opensuse.org/SuSEfirewall...tions_Added_via_Packages

    HTH.
    --
    Simon Flood
    SUSE Knowledge Partner


    ----Android NewsGroup Reader----
    http://usenet.sinaapp.com/

  3. #3

    Re: Suse firewall, FW_TRUSTED_NETS ranges of ports?

    skunkboy wrote:

    > Is it possible to use ranges of ports? 22:24, or 22-24


    Not according to the documentation in /etc/sysconfig/SuSEfirewall2

    > # Which services should be accessible from 'trusted' hosts or nets?
    > #
    > # Define trusted hosts or networks (doesn't matter whether they are
    > # internal or external) and the services (tcp,udp,icmp) they are
    > # allowed to use. This can be used instead of FW_SERVICES_* for
    > # further access restriction. Please note that this is no replacement
    > # for authentication since IP addresses can be spoofed. Also note
    > # that trusted hosts/nets are not allowed to ping the firewall until
    > # you also permit icmp.
    > #
    > # Format: space separated list of network[,protocol[,port]]
    > # in case of icmp, port means the icmp type
    > #
    > # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
    > #
    > FW_TRUSTED_NETS=""



    However, it is supported for other config settings:

    > # Format: space separated list of
    > # <source network>[,<destination network>,<protocol>[,port[:port]]


    for FW_MASQ_NETS, FW_NOMASQ_NETS, and the FW_SERVICES_... config
    settings that expect ports.

    --
    Kevin Boyle - Knowledge Partner
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below this post.
    Thank you.

  4. #4

    Re: Suse firewall, FW_TRUSTED_NETS ranges of ports?

    The colon does not appear to be working. The custom service is cool, except that I see no easy way to limit those by IP or range?

    Thanks,
    Matt

  5. #5

    Re: Suse firewall, FW_TRUSTED_NETS ranges of ports?

    On 21/09/17 19:54, skunkboy wrote:

    > The colon does not appear to be working. The custom service is cool,
    > except that I see no easy way to limit those by IP or range?


    After doing some more reading it seems
    FW_TRUSTED_NETS="0.0.0.0/0,tcp,8000:8010" should be valid so I wonder if
    the issue is the 0.0.0.0/0 IP range and instead you should be using
    FW_SERVICES_EXT_TCP="8000:8010"?

    Unless of course things have changed with SLES12 yet that still uses
    SuSEfirewall2.

    HTH.
    --
    Simon
    SUSE Knowledge Partner

    ------------------------------------------------------------------------
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below. Thanks.
    ------------------------------------------------------------------------

  6. #6

    Re: Suse firewall, FW_TRUSTED_NETS ranges of ports?

    I added the FW_TRUSTED_NETS line that Simon shared and it seems to work on
    my SLES 12 SP2 box:

    Code:
    -A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 8000:8010 -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 8000:8010 -j ACCEPT

    The 'iptables-save' output above shows that those ports should be open. I
    tested this by setting up netcat to listen for traffic on two ports in
    that range (8008 and 8010) and then connected to it from netcat on another
    server and it seemed to be just fine.

    With that in mind, I do not know why, when allowing access from anywhere,
    you would not just put these ranges into the Allowed Services section of
    Yast, perhaps under Advanced, or define that services file Simon mentioned
    and then add that to the list of allowed services on the External (or
    whichever) zone, which would allow access to those ports from anything
    assigned to that zone (by default everything unassigned is assigned to the
    External zone).

    --
    Good luck.

    If you find this post helpful and are logged into the web interface,
    show your appreciation and click on the star below.

    If you want to send me a private message, please let me know in the
    forum as I do not use the web interface often.
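    The entry format quoted from /etc/sysconfig/SuSEfirewall2 in post #3 (network[,protocol[,port]], with the icmp "port" being the icmp type) and the iptables rules shown in post #6 can be tied together with a small checker. The following POSIX sh script is an added example, not code from SuSEfirewall2 or from anyone in this thread: it parses each FW_TRUSTED_NETS entry, rejects the 22-24 form (only the colon form 8000:8010 is valid iptables range syntax), and prints the ACCEPT rule an entry corresponds to. The chain name input_ext is taken from the iptables-save output above; the explicit -s source match is assumed (iptables-save omits -s 0.0.0.0/0, which is why it is absent from the quoted rules), the conntrack state is simplified to NEW, and the warning about 0.0.0.0/0 reflects post #5's point that a "trusted" entry open to every source restricts nothing and belongs in FW_SERVICES_EXT_TCP instead.

```sh
#!/bin/sh
# Added example (not SuSEfirewall2's own code): validate FW_TRUSTED_NETS
# entries of the form network[,protocol[,port]] and print the iptables rule
# each one corresponds to. Chain name input_ext comes from the thread's
# iptables-save output; the -s match and NEW-only conntrack state are
# simplifying assumptions made here.

# Return 0 if $1 is a single port or a low:high range within 1..65535.
# "22-24" fails the digit check: only the colon form is valid for --dport.
valid_port_spec() {
    low=$1; high=$1
    case $1 in
        *:*) low=${1%%:*}; high=${1#*:} ;;
    esac
    for p in "$low" "$high"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
    done
    if [ "$low" -lt 1 ] || [ "$high" -gt 65535 ] || [ "$low" -gt "$high" ]; then
        return 1
    fi
    return 0
}

# Return 0 if the network means "anywhere": such an entry grants no
# source-based restriction, so it is not really a trusted-net rule.
is_unrestricted_source() {
    case $1 in
        0.0.0.0/0|0/0|::/0) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the iptables rule for one entry; print nothing and return 1 if the
# entry does not match the documented network[,protocol[,port]] format.
render_trusted_entry() {
    oldifs=$IFS; IFS=,
    set -- $1
    IFS=$oldifs
    [ $# -ge 1 ] && [ $# -le 3 ] || return 1
    net=$1; proto=${2-}; port=${3-}
    [ -n "$net" ] || return 1
    rule="-A input_ext -s $net"
    case $proto in
        '')
            # Network only: every protocol from that source is accepted.
            [ -z "$port" ] || return 1 ;;
        tcp|udp)
            rule="$rule -p $proto -m conntrack --ctstate NEW -m $proto"
            if [ -n "$port" ]; then
                valid_port_spec "$port" || return 1
                rule="$rule --dport $port"
            fi ;;
        icmp)
            # For icmp the third field is the icmp type, not a port.
            rule="$rule -p icmp"
            if [ -n "$port" ]; then
                case $port in ''|*[!0-9]*) return 1 ;; esac
                rule="$rule --icmp-type $port"
            fi ;;
        *)  return 1 ;;
    esac
    printf '%s -j ACCEPT\n' "$rule"
}

# Check a whole space-separated FW_TRUSTED_NETS value: print one rule per
# entry, warn on stderr about entries that trust every source, and return 1
# if any entry is malformed.
check_trusted_nets() {
    status=0
    for entry in $1; do
        if is_unrestricted_source "${entry%%,*}"; then
            echo "warning: '$entry' trusts every source; use FW_SERVICES_EXT_* instead" >&2
        fi
        render_trusted_entry "$entry" || { echo "error: malformed entry '$entry'" >&2; status=1; }
    done
    return $status
}

# Constructed sample value: the documented example plus the range from the thread.
SAMPLE='172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22 0.0.0.0/0,tcp,8000:8010'
check_trusted_nets "$SAMPLE"
```

Run it as is to see the five rules and the warning for the 0.0.0.0/0 entry; feed it the value from your own /etc/sysconfig/SuSEfirewall2 to spot a hyphenated range or a stray protocol before SuSEfirewall2 silently drops the entry. As the config comment itself says, a trusted-net entry is not authentication, since the source address can be spoofed, so the warning about an all-sources entry is the check worth keeping an eye on.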
