Hi,

I believe I messed up a little and am asking you for help.

I re-installed shorewall from scratch and have the following network:

ISP provides DHCP: "net" in Shorewall
$FW = my firewall
loc is my local network, with the server being the firewall, also at address 192.168.2.1

My server (Soekris Net5501 with CentOS 4.6) is acting as firewall, dhcp server, ssh, web, etc...

I used the 2 port template for setting up the basic shorewall config and everything works fine. I only need to open SSH to the outside world and to my local network: this works fine with the ssh/ACCEPT in rules.

However I would like to use another port for SSH since my ISP blocks all ports lower than a certain number. I would like to use a port such as 29999.

When I change the port in SSHD_CONFIG to 29999 and protocol being 2, then I can not get the SSH running. Neither via local network, nor via WAN.

Which rules should I add to "rules"?

Thank you for helping a newbie

Erwin

-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
Erwin Geuens wrote:
> When I change the port in SSHD_CONFIG to 29999 and protocol being 2.
> then I can not get the SSH running. Neither via local network, neither
> via wan.
>
> Which rules should I add to "rules"?

This is covered in the two-interface HOWTO at http://www.shorewall.net/two-interface.htm.

I suggest this rule:

ACCEPT all $FW tcp 29999

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
> ...I only need to open SSH to the outside world and to my local
> network: this works fine with the ssh/ACCEPT in rules
> However I would like to use another port for SSH since my ISP blocks
> all ports lower then a certain number. I would like to use a port such
> as 29999 ...

Although the chances of an SSH penetration on an alternate port are fairly small, the costs could be _extremely_ high. So I suggest not only moving to an alternate port, but also doing all of the following:

1) Modify the ACCEPT to only allow connections from possible legitimate addresses (all nearby ISP netblocks for example), rather than from anywhere in the whole world.

2) Configure sshd to not accept "root" logins no matter what.

3) Configure sshd to only allow public/private key connections and disallow use of regular passwords for all accounts no matter what.

4) Either by policy or by an explicit DROP, close and stealth the regular SSH port.

(You could go even further and

5) Use DNAT rather than ACCEPT to route ssh connections from outside to some other internal host, and configure the firewall's sshd to only listen on the internal interface (when necessary doublehop-ssh back to the firewall from the internal system)

6) Explicitly DROP all connection requests to the new port number that aren't caught by the ACCEPT/DNAT)

thanks!
-Chuck Kollars
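Putting Tom's rule together with Chuck's items 1, 4, 5 and 6, the relevant part of /etc/shorewall/rules could look like the fragment below. This is an added example, not a rules file posted by either of them; the netblock 203.0.113.0/24 and the internal host 192.168.2.10 are placeholders, and the columns follow the Shorewall rules file layout (ACTION SOURCE DEST PROTO DEST PORT(S)).

```text
#ACTION   SOURCE              DEST                   PROTO  DEST PORT(S)
# The LAN may reach sshd on the firewall at the new port (Tom's rule, narrowed from "all" to loc).
ACCEPT    loc                 $FW                    tcp    29999
# From the Internet, only a known legitimate netblock may connect (item 1); 203.0.113.0/24 is a placeholder.
ACCEPT    net:203.0.113.0/24  $FW                    tcp    29999
# Alternative to the line above (item 5): forward the new port to an internal host (placeholder 192.168.2.10)
# instead of exposing the firewall's own sshd.
#DNAT     net:203.0.113.0/24  loc:192.168.2.10:22    tcp    29999
# Everything else arriving at the new port is silently dropped (item 6). Rules are matched in order,
# so this line must come after the ACCEPT or DNAT above.
DROP      net                 $FW                    tcp    29999
# Close and stealth the standard port (item 4); remove any SSH/ACCEPT macro line for net as well.
DROP      net                 $FW                    tcp    22
```

Items 2 and 3 live in /etc/ssh/sshd_config rather than in Shorewall: alongside `Port 29999` set `PermitRootLogin no`, `PasswordAuthentication no` and `PubkeyAuthentication yes`, and if you take the DNAT route, add `ListenAddress 192.168.2.1` so sshd only listens on the internal interface. Run `shorewall check` before `shorewall restart` so a column error does not leave you locked out, and keep an existing session open while testing the new port.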