Suse firewall, FW_TRUSTED_NETS ranges of ports?

Is it possible to use ranges of ports? 22:24, or 22-24 in stanza?

0.0.0.0/0,tcp,8000:8010 : all ports 8000 through 8010 ?

I thought this worked at least under SLES 11 SP4 but am now finding it not to work. If this is a more general iptables question please let me know and I will inquire elsewhere, but since I'm using the included SLES config files I thought I would start here.

Thanks,
Matt

skunkboy wrote in message:

> Is it possible to use ranges of ports? 22:24, or 22-24 in stanza?
>
> 0.0.0.0/0,tcp,8000:8010 : all ports 8000 through 8010 ?
>
> I thought this worked at least under SLES 11 SP4 but am now finding it
> not to work. If this is a more general iptables question please let
> me know and I will inquire elsewhere, but since I'm using the included
> SLES config files I thought I would start here.

https://en.opensuse.org/SuSEfirewall2 suggests you specify a range
using colons (:).

If that doesn't work I wonder if you can achieve the desired
effect using a custom service definition file as covered at

https://en.opensuse.org/SuSEfirewall2/Service_Definitions_Added_via_Packages

HTH.

Simon Flood
SUSE Knowledge Partner


skunkboy wrote:

> Is it possible to use ranges of ports? 22:24, or 22-24

Not according to the documentation in /etc/sysconfig/SuSEfirewall2:

> # Which services should be accessible from 'trusted' hosts or nets?
> #
> # Define trusted hosts or networks (doesn't matter whether they are
> # internal or external) and the services (tcp,udp,icmp) they are
> # allowed to use. This can be used instead of FW_SERVICES_* for
> # further access restriction. Please note that this is no replacement
> # for authentication since IP addresses can be spoofed. Also note
> # that trusted hosts/nets are not allowed to ping the firewall until
> # you also permit icmp.
> #
> # Format: space separated list of network[,protocol[,port]]
> #         in case of icmp, port means the icmp type
> #
> # Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
> #
> FW_TRUSTED_NETS=""

However, it is supported for other config settings:

> # Format: space separated list of
> #         [,,[,port[:port]]

for FW_MASQ_NETS, FW_NOMASQ_NETS, and the FW_SERVICES_… config settings that expect ports.


Kevin Boyle - Knowledge Partner
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below this post.
Thank you.

The colon does not appear to be working. The custom service is cool, except that I see no easy way to limit those by IP or range?

Thanks,
Matt

On 21/09/17 19:54, skunkboy wrote:

> The colon does not appear to be working. The custom service is cool,
> except that I see no easy way to limit those by IP or range?

After doing some more reading it seems
FW_TRUSTED_NETS="0.0.0.0/0,tcp,8000:8010" should be valid so I wonder if
the issue is the 0.0.0.0/0 IP range and instead you should be using
FW_SERVICES_EXT_TCP="8000:8010" instead?

Unless of course things have changed with SLES12 yet that still uses
SuSEfirewall2.

HTH.

Simon
SUSE Knowledge Partner



I added the FW_TRUSTED_NETS line that Simon shared and it seems to work on
my SLES 12 SP2 box:

-A input_ext -p tcp -m limit --limit 3/min -m conntrack --ctstate NEW -m tcp --dport 8000:8010 -j LOG --log-prefix "SFW2-INext-ACC-TRUST " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m conntrack --ctstate NEW,RELATED,ESTABLISHED -m tcp --dport 8000:8010 -j ACCEPT

The 'iptables-save' output above shows that those ports should be open. I
tested this by setting up netcat to listen for traffic on two ports in
that range (8008 and 8010) and then connected to it from netcat on another
server and it seemed to be just fine.

With that in mind, I do not know why, when allowing access from anywhere,
you would not just put these ranges into the Allowed Services section of
Yast, perhaps under Advanced, or define that services file Simon mentioned
and then add that to the list of allowed services on the External (or
whichever) zone, which would allow access to those ports from anything
assigned to that zone (by default everything unassigned is assigned to the
External zone).


Good luck.

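A small POSIX sh checker for the network[,protocol[,port[:port]]] syntax discussed in this thread, added here as an example (it is not SuSEfirewall2 code and not from any post above). It assumes colon ranges are valid and hyphen ranges are not, that an icmp "port" is a single ICMP type, and it warns when an all-hosts network such as 0.0.0.0/0 appears where FW_SERVICES_EXT_TCP would be the fitting setting.

```shell
# Checker for the FW_TRUSTED_NETS format quoted from /etc/sysconfig/SuSEfirewall2:
#     network[,protocol[,port[:port]]]
# Constructed example, not SuSEfirewall2's own parser. Assumptions: lo:hi is a
# range and lo-hi is not; for icmp the port field is one ICMP type (0-255);
# an all-hosts network only gets a warning, since it belongs in FW_SERVICES_EXT_*.
check_trusted_nets() {
    list=$1 rc=0
    for entry in $list; do
        oldifs=$IFS; IFS=,; set -- $entry; IFS=$oldifs     # split one entry on commas
        net=$1 proto=$2 port=$3
        if [ $# -gt 3 ]; then
            echo "BAD  $entry: more than network,protocol,port"; rc=1; continue
        fi
        case $net in                                        # IPv4 address or CIDR (shape only)
            '' | *[!0-9./]* ) echo "BAD  $entry: bad network"; rc=1; continue ;;
        esac
        case $proto in
            '' | tcp | udp | icmp ) ;;
            * ) echo "BAD  $entry: protocol must be tcp, udp or icmp"; rc=1; continue ;;
        esac
        if [ -n "$port" ]; then
            lo=${port%%:*} hi=${port#*:} min=1 max=65535    # a single port gives lo == hi
            if [ "$proto" = icmp ]; then
                min=0 max=255
                if [ "$lo" != "$hi" ]; then
                    echo "BAD  $entry: icmp takes one type, not a range"; rc=1; continue
                fi
            fi
            for p in "$lo" "$hi"; do
                case $p in
                    '' | *[!0-9]* ) echo "BAD  $entry: '$p' is not a number (use lo:hi, not lo-hi)"; rc=1; continue 2 ;;
                esac
                if [ "$p" -lt "$min" ] || [ "$p" -gt "$max" ]; then
                    echo "BAD  $entry: $p is outside $min-$max"; rc=1; continue 2
                fi
            done
            if [ "$lo" -gt "$hi" ]; then
                echo "BAD  $entry: range $port is reversed"; rc=1; continue
            fi
        fi
        case $net in
            0.0.0.0/0 | 0/0 ) echo "WARN $entry: matches every host; use FW_SERVICES_EXT_* for that" ;;
        esac
        echo "OK   $entry"
    done
    return $rc
}
```

Run it on the value from the config file, e.g. `check_trusted_nets "0.0.0.0/0,tcp,8000:8010 2.2.2.2,tcp,22"`; it exits non-zero if any entry is malformed.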