[opensuse] saned and firewalls
Hi all,

Has anyone used the networked form of sane? I notice that it is seriously firewall unfriendly, opening a data connection on a random port. Since my local network is wireless, it does not suit me to run without a firewall on my machines, so this need for wide-openness really won't work.

It looks like this is currently a fixed part of the behavior of saned right now, but does anyone have a workaround, or patch to make it use a fixed port or anything that would actually work on a firewalled system?

Cheers,
Simon

"You can tell whether a man is clever by his answers. You can tell whether a man is wise by his questions." — Naguib Mahfouz

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Wed, Dec 31, 2008 at 13:15, Simon Roberts
> Hi all,
>
> Has anyone used the networked form of sane? I notice that it is seriously firewall unfriendly, opening a data connection on a random port. Since my local network is wireless, it does not suit me to run without a firewall on my machines, so this need for wide-openness really won't work.
>
> It looks like this is currently a fixed part of the behavior of saned right now, but does anyone have a workaround, or patch to make it use a fixed port or anything that would actually work on a firewalled system?
It cannot be on "random ports" as you say. Or are you saying the client does a portscan of the server each time you want to scan? Does the server then change its listening port after each scan job? Please do explain what you mean by "random ports."
----- Original Message ----
From: Andrew Joakimsen
>> ... Has anyone used the networked form of sane? I notice that it is seriously firewall unfriendly, opening a data connection on a random port. Since my local network is wireless, it does not suit me to run without a firewall on my machines, so this need for wide-openness really won't work.
>>
>> It looks like this is currently a fixed part of the behavior of saned right now, but does anyone have a workaround, or patch to make it use a fixed port or anything that would actually work on a firewalled system?
>
> It cannot be on "random ports" as you say. Or are you saying the client does a portscan of the server each time you want to scan? Does the server then change its listening port after each scan job? Please do explain what you mean by "random ports."
OK, not "random" in the security sense, but "random" in the sense of "not predictable, not controllable by configuration, instead chosen and negotiated between sender and receiver at runtime".

From man saned:

    In addition to the control connection (port 6566) saned also uses a data
    connection. The port of this socket is selected by the operating system
    and can't be specified by the user currently. This may be a problem if
    the connection must go through a firewall (packet filter). If you must
    use a packet filter, make sure that all ports > 1024 are open on the
    server for connections from the client.

This is the kind of behavior that traditional ftp used to use for its data connection; of course, ftp has since learned to be firewall friendly (the "passive" mode), and I was rather hoping someone might have done the same for saned, but maybe it's not being used in enough "sensitive" environments.

Any thoughts?

Cheers,
Simon
On Wednesday, 31 December 2008 10:15:44, Simon Roberts wrote:

> Hi all,
>
> Has anyone used the networked form of sane? I notice that it is seriously firewall unfriendly, opening a data connection on a random port. Since my local network is wireless, it does not suit me to run without a firewall on my machines, so this need for wide-openness really won't work.
>
> It looks like this is currently a fixed part of the behavior of saned right now, but does anyone have a workaround, or patch to make it use a fixed port or anything that would actually work on a firewalled system?
I checked out the current development code from the sane project, and the new default saned.conf file seems to indicate that work has been done about the data connections:

---------------------------------------------------------
# saned.conf
# Configuration for the saned daemon

## Daemon options

# Port range for the data connection. Choose a range inside [1024 - 65535].
# Avoid specifying too large a range, for performance reasons.
#
# ONLY use this if your saned server is sitting behind a firewall. If your
# firewall is a Linux machine, we strongly recommend using the
# Netfilter nf_conntrack_sane connection tracking module instead.
#
# data_portrange = 10000 - 10100
---------------------------------------------------------

For more info, I suggest you ask upstream at http://www.sane-project.org

--
Regards,
Andreas
On Thursday, 2009-01-01 at 16:44 -0800, Andreas wrote:

> I checked out the current development code from the sane project, and the new default saned.conf file seems to indicate that work has been done about the data connections:
>
> ---------------------------------------------------------
> # ONLY use this if your saned server is sitting behind a firewall. If your
> # firewall is a Linux machine, we strongly recommend using the
> # Netfilter nf_conntrack_sane connection tracking module instead.
That is better advice: the SUSE Linux kernel does contain the nf_conntrack_sane module. We only need to know how to tell the SuSEfirewall2 configuration to use it. Perhaps just adding it to FW_LOAD_MODULES would suffice.

--
Cheers,
Carlos E. R.
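As an added example (not written by any poster in this thread), the two approaches discussed above, a fixed data_portrange as in Andreas's saned.conf excerpt and the nf_conntrack_sane helper Carlos points to, turned into a small POSIX shell script that reads a saned.conf and prints the matching iptables rules for review rather than applying them. The client subnet, the iptables/modprobe command lines and the sample config are assumptions; the control port 6566 comes from the man page quoted earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the sane project or this thread: derive firewall
# rules for saned from a saned.conf. Rules are printed, not applied.

SANED_CONTROL_PORT=6566   # control connection port, per man saned

# Print "LOW HIGH" if saned.conf has an uncommented data_portrange line,
# otherwise print nothing (a commented-out "# data_portrange" is ignored).
saned_data_range() {
    sed -n 's/^[[:space:]]*data_portrange[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p' "$1"
}

# Usage: saned_fw_rules /etc/sane.d/saned.conf 192.168.1.0/24
# Only the named client subnet is admitted; everything else stays closed.
saned_fw_rules() {
    conf=$1; clients=$2
    echo "iptables -A INPUT -p tcp -s $clients --dport $SANED_CONTROL_PORT -j ACCEPT"
    range=$(saned_data_range "$conf")
    if [ -n "$range" ]; then
        # A fixed range is configured: open exactly that range, not ">1024".
        set -- $range
        echo "iptables -A INPUT -p tcp -s $clients --dport $1:$2 -j ACCEPT"
    else
        # No fixed range: let the conntrack helper mark the data connection
        # as RELATED instead of opening every high port. The raw-table CT rule
        # is needed on kernels where automatic helper assignment is disabled.
        echo "modprobe nf_conntrack_sane"
        echo "iptables -t raw -A PREROUTING -p tcp -s $clients --dport $SANED_CONTROL_PORT -j CT --helper sane"
        echo "iptables -A INPUT -p tcp -s $clients -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
    fi
}

# Constructed sample config (assumed values) so the script runs stand-alone.
sample=$(mktemp)
printf '# saned.conf\ndata_portrange = 10000 - 10100\n' > "$sample"
saned_fw_rules "$sample" 192.168.1.0/24
rm -f "$sample"
```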
Well, that's certainly promising, I'll check it out.

Many thanks,
Simon

----- Original Message ----
From: Andreas
To: opensuse@opensuse.org
Sent: Thursday, January 1, 2009 5:44:00 PM
Subject: Re: [opensuse] saned and firewalls

> On Wednesday, 31 December 2008 10:15:44, Simon Roberts wrote:
>> Hi all,
>>
>> Has anyone used the networked form of sane? I notice that it is seriously firewall unfriendly, opening a data connection on a random port. Since my local network is wireless, it does not suit me to run without a firewall on my machines, so this need for wide-openness really won't work.
>>
>> It looks like this is currently a fixed part of the behavior of saned right now, but does anyone have a workaround, or patch to make it use a fixed port or anything that would actually work on a firewalled system?
> I checked out the current development code from the sane project, and the new default saned.conf file seems to indicate that work has been done about the data connections:
>
> ---------------------------------------------------------
> # saned.conf
> # Configuration for the saned daemon
>
> ## Daemon options
>
> # Port range for the data connection. Choose a range inside [1024 - 65535].
> # Avoid specifying too large a range, for performance reasons.
> #
> # ONLY use this if your saned server is sitting behind a firewall. If your
> # firewall is a Linux machine, we strongly recommend using the
> # Netfilter nf_conntrack_sane connection tracking module instead.
> #
> # data_portrange = 10000 - 10100
> ---------------------------------------------------------
>
> For more info, I suggest you ask upstream at http://www.sane-project.org
>
> --
> Regards,
> Andreas