SUSE firewall SuSEfirewall2: allowing specified addresses to access specified ports

Source: Internet   Editor: 程序博客网   Time: 2024/05/15 06:26

Original text: http://en.opensuse.org/SuSEfirewall2

Allowing Access to Services

Every firewall zone can allow four types of services:

    TCP - FW_SERVICES_EXT_TCP, FW_SERVICES_INT_TCP, FW_SERVICES_DMZ_TCP
    UDP - FW_SERVICES_EXT_UDP, FW_SERVICES_INT_UDP, FW_SERVICES_DMZ_UDP
    RPC - FW_SERVICES_EXT_RPC, FW_SERVICES_INT_RPC, FW_SERVICES_DMZ_RPC
    IP  - FW_SERVICES_EXT_IP, FW_SERVICES_INT_IP, FW_SERVICES_DMZ_IP

TCP and UDP services can be entered by port number, by port name (the current assignments can be found in the /etc/services file on your system), or as a port range written as two port numbers with a colon in between.

Examples:

    FW_SERVICES_EXT_TCP="ssh"
    FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514"
    FW_SERVICES_EXT_UDP="631 400:405"

Alternatively, packages may provide a configuration file that describes which ports need to be opened to run a specific service; see SuSEfirewall2/Service_Definitions_Added_via_Packages. Using this method is especially convenient if a service needs multiple ports.

More Restricted Access to Services

The way of allowing access to services described above is not very restrictive: a port is either allowed or it is not. There are parameters that can be set to allow more restrictive access to a service. However, the service definitions above take precedence over the definitions mentioned below when the same port is used.

These are:

    FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT, FW_SERVICES_ACCEPT_DMZ

For each service these parameters take 4 positional parameters and additional keyword parameters, also called flags. So the format is a space-separated list of

    net,protocol[,dport[,sport[,flags]]]

Example:

    FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
    # This 0.0.0.0/0 restricts access via IPv4 only

Supported flags are:

    hitcount=NUMBER     : ipt_recent --hitcount parameter
    blockseconds=NUMBER : ipt_recent --seconds parameter
    recentname=NAME     : ipt_recent --name parameter

Example:

    # Allow max three ssh connects per minute from the same IP address somewhere in the Internet:
    FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
    # This 0/0 allows access via both IPv4 and IPv6

This passage describes two ways of specifying which ports may be accessed:

    FW_SERVICES_ACCEPT_EXT
    FW_SERVICES_EXT_TCP

The first lets you specify the source address, the port and additional parameters such as the rate-limiting flags.

The second only lets you specify the port (the protocol is already fixed by the variable name, TCP here), which means every source address is allowed to reach it. As the original text says, this is not very strict!

At first I misunderstood this. An example:

My requirement was to allow every address to access port 80, but only specified addresses to access port 22.

So I put 80 in FW_SERVICES_EXT_TCP and put xxxxx (the specified address),tcp,22 in FW_SERVICES_ACCEPT_EXT. The result: only port 80 was reachable, port 22 could not be accessed!!!

After struggling for a long while I realised that when the original text says the FW_SERVICES_EXT_TCP configuration overrides the FW_SERVICES_ACCEPT_EXT configuration, it means the two configuration methods cannot coexist. In other words, you can only choose one method; you cannot use the first method for one port and the second method for another port!!

Original text: "However the above definitions of allowed services take precedence over the definitions mentioned below when the same port is used."

(It feels like my reading was right, since there is the condition "when the same port is used!", but my test result was that you can only pick one. Whatever, I prefer the second method anyway!)

Once I had understood that, I found the SUSE firewall configuration really is quite simple!!!
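The requirement from the example above (port 80 open to everyone, port 22 only from one address), written entirely with FW_SERVICES_ACCEPT_EXT so that FW_SERVICES_EXT_TCP is not used at all, together with a small checker that expands each net,protocol[,dport[,sport[,flags]]] entry into the iptables rule it stands for. This is an added example, not code from the openSUSE wiki or from the original post. Assumptions: 203.0.113.5 is a placeholder admin address from the RFC 5737 documentation range; input_ext is the chain SuSEfirewall2 uses for traffic from the external zone; the iptables text is an approximation for reading and sanity-checking entries, not the exact rule set the SuSEfirewall2 script generates.

```shell
#!/bin/bash
# Added example (not from the openSUSE wiki or the original post).
# The post's requirement expressed only with FW_SERVICES_ACCEPT_EXT:
# port 80 open to every address (0/0 = IPv4 and IPv6), port 22 only from
# one admin host, limited to 3 hits per minute. 203.0.113.5 is a
# placeholder (RFC 5737 documentation range); substitute the real address.
FW_SERVICES_ACCEPT_EXT="0/0,tcp,80 203.0.113.5/32,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

# sfw2_expand VALUE: for each space-separated entry in VALUE print the
# iptables-style rule(s) its fields net,protocol[,dport[,sport[,flags]]]
# stand for. Approximation for checking entries, not SuSEfirewall2's own
# output. input_ext: chain assumed for the external zone.
sfw2_expand() {
    local entry net proto dport sport flags
    for entry in $1; do
        IFS=, read -r net proto dport sport flags <<< "$entry"
        if [ -z "$net" ] || [ -z "$proto" ]; then
            echo "entry '$entry': net and protocol are required" >&2
            return 1
        fi

        # Address family: 0/0 is SuSEfirewall2 shorthand for both families,
        # an IPv4 prefix such as 0.0.0.0/0 is IPv4 only, a prefix containing
        # a colon is IPv6 only.
        local fam=iptables rule="-A input_ext"
        case "$net" in
            0/0) fam="iptables+ip6tables" ;;
            *:*) fam=ip6tables; rule="$rule -s $net" ;;
            *)   rule="$rule -s $net" ;;
        esac
        rule="$rule -p $proto"

        # Ports (number, name from /etc/services, or low:high range) only
        # apply to tcp and udp; for other protocols they are ignored.
        case "$proto" in
            tcp|udp)
                if [ -n "$dport" ]; then rule="$rule --dport $dport"; fi
                if [ -n "$sport" ]; then rule="$rule --sport $sport"; fi
                ;;
        esac

        # Flags are comma-separated keyword=value pairs; anything else is an error.
        local hitcount='' seconds='' name='' kv
        local -a kvs
        IFS=, read -r -a kvs <<< "$flags"
        for kv in "${kvs[@]}"; do
            case "$kv" in
                hitcount=*)     hitcount=${kv#*=} ;;
                blockseconds=*) seconds=${kv#*=} ;;
                recentname=*)   name=${kv#*=} ;;
                '')             ;;
                *) echo "entry '$entry': unknown flag '$kv'" >&2; return 1 ;;
            esac
        done

        if [ -n "$hitcount" ]; then
            # ipt_recent: drop once the source has hit the port $hitcount times
            # within $seconds, otherwise record the hit and accept.
            printf '%s %s -m recent --name %s --update --seconds %s --hitcount %s -j DROP\n' \
                "$fam" "$rule" "${name:-DEFAULT}" "${seconds:-60}" "$hitcount"
            printf '%s %s -m recent --name %s --set -j ACCEPT\n' \
                "$fam" "$rule" "${name:-DEFAULT}"
        else
            printf '%s %s -j ACCEPT\n' "$fam" "$rule"
        fi
    done
}

# Show what the value above means before putting it into
# /etc/sysconfig/SuSEfirewall2 and running "SuSEfirewall2 start".
sfw2_expand "$FW_SERVICES_ACCEPT_EXT"
```

Because every port is declared through the same variable, the precedence rule for FW_SERVICES_EXT_TCP never comes into play. After reloading, compare the expanded lines against `iptables -S` to confirm that 22 is matched with the `-s` restriction and 80 without one.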
