http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c33

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |REOPENED
      Info Provider|lnussel@novell.com          |

--- Comment #33 from Ludwig Nussel <lnussel@novell.com> 2009-12-15 10:48:14 CET ---
(In reply to comment #32)
> Let's see if reasonable firewall settings are possible to allow scanning via network even with active firewall.
>
> Regarding a specific port range for saned, see "man saned":
>
>     The saned.conf configuration file contains both options for the daemon and the access list.
>
>     data_portrange = min_port - max_port
>
>     Specify the port range to use for the data connection. Pick a port range between 1024 and 65535; don't pick a too large port range, as it may have performance issues. Use this option if your saned server is sitting behind a firewall. If that firewall is a Linux machine, we strongly recommend using the Netfilter nf_conntrack_sane module instead.
>
> I do not understand the "instead" therein. It looks as if usage of nf_conntrack_sane would mean that one cannot use data_portrange in /etc/sane.d/saned.conf additionally?
You can. But then using the module doesn't make much sense.
> I do not understand how a (presumably small) port range could make it more secure.
Opening ports never makes anything more secure :-) Restricting the ports to a range that is not used automatically prevents accidental access to local services.
> I would think that the smaller the port range, the easier it is for an eavesdropper to sniff packages and the easier for an attacker to attack a system because he knows the ports of interest in advance?
Doesn't matter.
> Regardless of the port range for the data connection: The saned listens on the well-known port "sane-port" (6566) and according to "man saned"
>
>     First and foremost: saned is not intended to be exposed to the internet or other non-trusted networks. Make sure that access is limited by ... a firewall setup.
>
> so that first and foremost our firewall setup must protect port 6566 against access from the Internet and any other non-trusted networks.
>
> Ludwig, wouldn't only the one following manual setting by the user FW_TRUSTED_NETS="192.168.1.0" be already sufficient and a reasonable firewall setting to make scanning via network possible even with active firewall (provided that the 192.168.1.0 network is trusted by the user)?
It would be FW_TRUSTED_NETS="192.168.1.0/24"
> If yes, I could implement in yast2-scanner that the user can enter his trusted networks and then yast2-scanner would append those values to FW_TRUSTED_NETS in /etc/sysconfig/SuSEfirewall2.
The yast2-scanner module would be the only one doing such things so I'd not recommend that. IMO the service file with port range specification is the simplest way. The UI could still warn if the user chooses that option.
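The comment above settles on a saned.conf `data_portrange` plus a SuSEfirewall2 service file that opens exactly that range. The following shell script is an added example (not part of the bug report, yast2-scanner or SuSEfirewall2) that reads the `data_portrange` line in the `min - max` form shown by `man saned`, checks that the range stays within 1024..65535 and is not unreasonably large, and emits the matching `TCP=` line for a service file. It assumes the SuSEfirewall2 service-file convention `TCP="port min:max"` for port ranges; the saned.conf content is a constructed sample.

```shell
#!/bin/sh
# Added example, not code from the bug report or from SuSEfirewall2.
# Assumptions: saned.conf uses "data_portrange = min - max" (man saned);
# SuSEfirewall2 service files list TCP ports as TCP="port min:max".

# Constructed sample of a saned.conf body.
SANED_CONF_SAMPLE='# saned.conf (constructed sample)
data_portrange = 10000 - 10100
'

# Read saned.conf from stdin and print "min max" for data_portrange,
# or nothing if the option is absent.
saned_data_portrange() {
    sed -n 's/^[[:space:]]*data_portrange[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*-[[:space:]]*\([0-9][0-9]*\).*/\1 \2/p' \
        | head -n 1
}

# Validate a range: unprivileged ports only (1024..65535), min <= max, and at
# most $3 ports wide (default 200) so the firewall hole stays small.
# Returns 0 when acceptable, 1 otherwise.
saned_check_range() {
    min=$1; max=$2; limit=${3:-200}
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] \
        && [ $((max - min + 1)) -le "$limit" ]
}

# Emit the TCP= line for a SuSEfirewall2 service file: the control port
# (sane-port, 6566) plus the data-connection range.
saned_fw_tcp_line() {
    printf 'TCP="6566 %s:%s"\n' "$1" "$2"
}

# Usage: derive the firewall line from the sample configuration.
range=$(printf '%s' "$SANED_CONF_SAMPLE" | saned_data_portrange)
set -- $range
if [ $# -eq 2 ] && saned_check_range "$1" "$2"; then
    saned_fw_tcp_line "$1" "$2"
else
    echo "data_portrange missing or unreasonable; fix saned.conf first" >&2
fi
```

The width limit is the practical counterpart of the man page's "don't pick a too large port range": a service file should open only the ports saned will actually bind, and the script refuses to emit a line for a range that reaches into privileged ports or below 1024. Access from untrusted networks to port 6566 itself is still a matter of FW_TRUSTED_NETS or the zone the service file is enabled in, not of this line.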