http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c32

Johannes Meixner <jsmeix@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Priority|P5 - None                   |P4 - Low
            Status|REOPENED                    |NEEDINFO
     Info Provider|                            |lnussel@novell.com
           Summary|After whatever software     |Firewall settings to make
                  |update the firewall runs    |scanning via network
                  |which made scanning via     |possible with active
                  |network impossible          |firewall
          Severity|Normal                      |Enhancement

--- Comment #32 from Johannes Meixner <jsmeix@novell.com> 2009-12-15 09:10:13 UTC ---
Let's see if reasonable firewall settings are possible to allow
scanning via network even with active firewall.

Regarding a specific port range for saned, see "man saned":
-----------------------------------------------------------------
The saned.conf configuration file contains both options for the
daemon and the access list.

data_portrange = min_port - max_port
    Specify the port range to use for the data connection. Pick a
    port range between 1024 and 65535; don't pick a too large port
    range, as it may have performance issues. Use this option if
    your saned server is sitting behind a firewall. If that firewall
    is a Linux machine, we strongly recommend using the Netfilter
    nf_conntrack_sane module instead.
-----------------------------------------------------------------
I do not understand the "instead" therein.
It looks as if usage of nf_conntrack_sane would mean that one cannot
use data_portrange in /etc/sane.d/saned.conf additionally?

By the way:
I do not understand how a (presumably small) port range could make
it more secure. I would think that the smaller the port range, the
easier it is for an eavesdropper to sniff packets and the easier for
an attacker to attack a system because he knows the ports of interest
in advance?

Regardless of the port range for the data connection:
The saned listens on the well-known port "sane-port" (6566)
and according to "man saned"
------------------------------------------------------------------
First and foremost: saned is not intended to be exposed to the
internet or other non-trusted networks. Make sure that access is
limited by ... a firewall setup.
------------------------------------------------------------------
so that first and foremost our firewall setup must protect port 6566
against access from the Internet and any other non-trusted networks.

Ludwig,
wouldn't only the one following manual setting by the user
FW_TRUSTED_NETS="192.168.1.0"
be already sufficient and a reasonable firewall setting to make
scanning via network possible even with active firewall
(provided that the 192.168.1.0 network is trusted by the user)?

If yes, I could implement in yast2-scanner that the user can enter
his trusted networks and then yast2-scanner would append those values
to FW_TRUSTED_NETS in /etc/sysconfig/SuSEfirewall2.
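The two configuration edits the comment discusses, as an added example that is not code from the bug report, yast2-scanner or SuSEfirewall2: one function appends a network to FW_TRUSTED_NETS without duplicating it, the other pins saned's data connections to a data_portrange inside the limits "man saned" gives. File paths, the sample sysconfig and saned.conf contents and the network values are constructed inputs, not taken from the bug.

```shell
#!/bin/sh
# Added example (not from the bug or yast2-scanner): idempotent edits to
# copies of /etc/sysconfig/SuSEfirewall2 and /etc/sane.d/saned.conf.
#  - sfw2_append_trusted_net: add a network to FW_TRUSTED_NETS
#  - saned_set_data_portrange: set "data_portrange = min - max" in saned.conf
# The caller passes the file paths; nothing touches the live system files.

sfw2_trusted_nets() {
    # print the current FW_TRUSTED_NETS value (empty if unset)
    sed -n 's/^FW_TRUSTED_NETS="\(.*\)"$/\1/p' "$1"
}

sfw2_append_trusted_net() {
    # $1 = sysconfig file, $2 = network as a.b.c.d or a.b.c.d/len
    file=$1; net=$2
    case $net in
        ""|*[!0-9./]*) echo "rejecting network '$net'" >&2; return 1 ;;
    esac
    current=$(sfw2_trusted_nets "$file")
    for n in $current; do
        [ "$n" = "$net" ] && return 0   # already trusted; leave the file alone
    done
    if [ -z "$current" ]; then newval=$net; else newval="$current $net"; fi
    tmp=$(mktemp)
    if grep -q '^FW_TRUSTED_NETS=' "$file"; then
        sed "s|^FW_TRUSTED_NETS=.*|FW_TRUSTED_NETS=\"$newval\"|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf 'FW_TRUSTED_NETS="%s"\n' "$newval" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

saned_set_data_portrange() {
    # $1 = saned.conf, $2 = min port, $3 = max port; "man saned" asks for a
    # range inside 1024..65535, so anything else is refused
    file=$1; min=$2; max=$3
    { [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -lt "$max" ]; } \
        2>/dev/null || return 1
    tmp=$(mktemp)
    grep -v '^data_portrange' "$file" > "$tmp" || true   # drop any old setting
    printf 'data_portrange = %s - %s\n' "$min" "$max" >> "$tmp"
    mv "$tmp" "$file"
}
```

A network entered without a protocol and port, as in the comment's FW_TRUSTED_NETS="192.168.1.0", admits all of that network's traffic, which covers both port 6566 and whatever data_portrange saned is given.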