Re: [suse-security] Allow a list of services to a list of networks using SuSEFirewall2

From: Lars Ellenberg (l.g.eweb.de)
Date: Wed Mar 17 2004 - 07:13:21 CST


/ 2004-03-17 15:28:08 +1100
\ Michael James:
> I have a sudden need to firewall a machine
> to allow a list of ports to a list of subnets.
>
> FW_SERVICES_EXT_TCP="ftp ftp-data ssh smtp domain
> http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap
> https smtps rsync ftps-data ftps imaps pop3s sunrpc"
>
> FW_TRUSTED_NETS=<8 distinct class C networks>
>
> So effectively I want to say,
> "Only trusted nets get anything,
> and then only services on the list".
>
> Trouble is, using the trusted nets concept
> I have to list the entire cross product,
> every possible combination.
>
> Without that ugliness,
> can I do it within SuSEFirewall2 or am I down to ipchains?

iptables is it nowadays, iirc :)

The /etc/sysconfig/SuSEfirewall2 config file
is bash syntax, and it is "source"d from within the real
SuSEfirewall2 script.

So you can "simply" let bash "calculate" the "cross product" for
you, by means of two nested for loops.
Yes, within that very same config file.

This is the power you get by not inventing some new config file
language, but letting the programming language you use do the parsing
for you ;)

        Lars Ellenberg

something like:
# each FW_TRUSTED_NETS entry has the form  net,proto[,port]
__my_SERVICES_TCP="ftp ftp-data ssh smtp domain
        http pop3 sftp netbios-ns netbios-dgm netbios-ssn ldap
        https smtps rsync ftps-data ftps imaps pop3s sunrpc"
# udp
__my_TRUSTED_NETS="1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8"
FW_TRUSTED_NETS=""
for n in $__my_TRUSTED_NETS; do        # expand the list, not the variable name
  FW_TRUSTED_NETS="$FW_TRUSTED_NETS
        $n,icmp" # add icmp type, if needed
  for s in $__my_SERVICES_TCP; do
    FW_TRUSTED_NETS="$FW_TRUSTED_NETS $n,tcp,$s"
  done
  # UDP
  # etc.
done
unset n s ${!__my*}   # drop the loop vars and every __my_* helper variable
# echo > some.where "$FW_TRUSTED_NETS"
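An added example, not Lars's code: the same cross product as a reusable function that also fills in the UDP half left as "# etc." above and gives a count to sanity-check the generated list before the config is sourced. Function and variable names here are assumptions; the net,proto[,port] entry syntax is the SuSEfirewall2 FW_TRUSTED_NETS format, and the networks are RFC 5737 documentation ranges constructed for the example.

```shell
# Emit one FW_TRUSTED_NETS entry per line for every net x service pair.
# $1: space-separated networks (address or CIDR)
# $2: space-separated TCP services (names from /etc/services or port numbers)
# $3: space-separated UDP services (may be empty)
# The body runs in a subshell so n and s do not leak into the sourcing script.
build_trusted_nets() (
  nets=$1; tcp=$2; udp=$3
  for n in $nets; do
    printf '%s,icmp\n' "$n"                             # ICMP from the trusted net
    for s in $tcp; do printf '%s,tcp,%s\n' "$n" "$s"; done
    for s in $udp; do printf '%s,udp,%s\n' "$n" "$s"; done
  done
)

# Number of entries a given net/service list produces: nets * (1 + tcp + udp).
# Compare it with what you expect before the firewall script sources the file.
count_trusted_nets() {
  build_trusted_nets "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Constructed sample lists (RFC 5737 documentation networks).
EX_NETS="192.0.2.0/24 198.51.100.0/24 203.0.113.0/24"
EX_TCP="ssh smtp domain http https imaps"
EX_UDP="domain"

# In the real config the lines are joined into the single variable:
FW_TRUSTED_NETS=$(build_trusted_nets "$EX_NETS" "$EX_TCP" "$EX_UDP" | tr '\n' ' ')
```

Because the file is sourced, anything written there runs with the firewall script's privileges, so its write permissions deserve the same care as the rule set it generates.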
