this post was submitted on 07 Oct 2023
5 points (77.8% liked)

openSUSE

618 readers
2 users here now

openSUSE is an open, free and secure operating system for PC, laptops, servers and ARM devices. Managing your emails, browsing the web, watching online streams, playing games, serving websites or doing office work never felt this empowering. And best part? It's not only backed by one of the leaders in open source industry, but also driven by lively community.

founded 1 year ago
MODERATORS
stimmer
5
firewalld (self.opensuse)
submitted 1 year ago* (last edited 1 year ago) by ichbinjasokreativ to c/opensuse
2 comments fedilink hide all child comments
 

Hi everybody, I recently installed OpenSuse Leap, but I have trouble working with firewalld. The goal is to accept incoming ssh and vnc connections from two IPs exclusively, but it just does'nt work. I removed all interfaces from zone public, set the internal zone up so that it has only the two IPs as sources and only the ssh and vnc services, but I still get asked for password when I try to ssh into the machine from an IP that is not listed. Any hints?

firewall-cmd --get-active-zones returns this: docker interfaces: docker0 internal sources: 192.168.0.3/24 192.168.0.2/24

firewall-cmd --zone=internal --list-all returns this: internal (active) target: default icmp-block-inversion: no interfaces: sources: 192.168.0.3/24 192.168.0.2/24 services: ssh vnc-server ports: 22/tcp 5900/tcp 5901/tcp protocols: forward: no masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:

edit: Even with this configuration here, incoming ssh connections from an unlisted address still ask for password: firewall-cmd --get-active-zones
docker interfaces: docker0 drop interfaces: eth0 br0 internal sources: 192.168.0.3/24 192.168.0.2/24

top 2 comments
sorted by: hot top controversial new old
[โ€“] [email protected] 2 points 1 year ago (1 children)

I think the problem is that you're adding a subnet mask (/24) to your IPs. They should either be bare or have a /32 mask. The /24 mask is allowing the whole 192.168.0.1-254 address range.

[โ€“] ichbinjasokreativ 1 points 1 year ago

Thank you so much, removing the subnet part actually fixed it!! I thought I'd have to be more specific than just the IP, but listing them bare is apparently how you do it.