http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c35

--- Comment #35 from Ludwig Nussel <lnussel@novell.com> 2009-12-15 13:58:34 CET ---
(In reply to comment #34)
> I assume you mean something like having in /etc/sane.d/saned.conf
>     data_portrange = 10000 - 10100
> together with a /etc/sysconfig/SuSEfirewall2.d/services/sane which contains accordingly
>     TCP="sane-port 10000:10100"
> But this alone is not sufficiently secure because this alone just opens ports 6566 and 10000 - 10100 for any access from any host or network.
.. in that zone
> Therefore additionally I need a firewall setup to protect access to those ports from any non-trusted hosts and networks, i.e. I need a firewall setup to allow access to those ports only from explicitly stated trusted hosts and/or networks.
> How can I do the latter?
Manually. Comment #26.
> Meanwhile I think the whole basic firewall setup based upon ports is mostly useless.
> I think the basic firewall setup might be better based "first and foremost" upon trusted hosts and networks.
Depends on the network setup. If you trust IP addresses you have to trust your router to not forward forged addresses. That's not the case e.g. if you have a laptop that connects to different wlans and has FW_TRUSTED_NETS=something. Anyone in the wlan could configure itself with an address of that range.
> Opening ports in the EXT zone also does not make much sense because allowing any access from any host or network to particular ports does not provide any protection for these ports.
Yes. Open port means open port. That's what people get by clicking on "open port" :-)
> As far as I see the only reason for a firewall setup based upon ports is when certain services are listening but access should be allowed only to some of them (e.g. allow access to the HTTP server but do not allow access to whatever other running server). But when no access is allowed to a service, why is its server process listening at all on the outer network (e.g. why is the server not only listening on the loopback interface)?
Who knows why people configure their system one way or another. In any case SuSEfirewall2 primarily works based on interfaces and zones rather than trusting IP address ranges. So if you want a configuration that makes sense, use separate zones.
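The following is an added example, not part of the bug thread or of SuSEfirewall2 itself: a small audit of a SuSEfirewall2 sysconfig fragment that encodes the two points made above, namely that a service opened in the EXT zone is reachable from every host on that interface, and that FW_TRUSTED_NETS is only as strong as the link's protection against forged source addresses. The variable names follow SuSEfirewall2 conventions; the two sample fragments are constructed.

```python
"""Audit a SuSEfirewall2 sysconfig fragment for the saned exposure argued in
the comment: a service opened in the EXT zone is reachable from every host on
that interface, and FW_TRUSTED_NETS only helps if nobody on the link can forge
a source address.  Variable names follow SuSEfirewall2 conventions; the two
sample fragments below are constructed for this example."""
import shlex

# Any of these in the EXT zone's configurations/ports means saned is reachable
# there (6566 is sane-port; the data port range lives in the 'sane' services file).
SANE_TOKENS = {"sane", "sane-port", "6566"}

WEAK_CFG = '''
# constructed: wired and wireless both in EXT, saned opened there, trust by IP
FW_DEV_EXT="eth0 wlan0"
FW_CONFIGURATIONS_EXT="sane"
FW_TRUSTED_NETS="192.168.1.0/24"
'''

ZONED_CFG = '''
# constructed: only the wired LAN is INT, where saned is offered; wlan stays EXT
FW_DEV_EXT="wlan0"
FW_DEV_INT="eth0"
FW_CONFIGURATIONS_INT="sane"
FW_CONFIGURATIONS_EXT=""
'''


def parse_sysconfig(text):
    """Parse KEY="value" lines with shell-style quoting; '#' lines are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            cfg[key.strip()] = " ".join(shlex.split(value))
    return cfg


def audit_sane(cfg):
    """Return (zone, message) findings; an empty list means nothing to flag."""
    findings = []
    exposed = set(cfg.get("FW_CONFIGURATIONS_EXT", "").split())
    exposed |= set(cfg.get("FW_SERVICES_EXT_TCP", "").split())
    if SANE_TOKENS & exposed:
        devs = cfg.get("FW_DEV_EXT", "") or "(no interface assigned)"
        findings.append(("EXT", f"saned reachable by every host on {devs}"))
    trusted = cfg.get("FW_TRUSTED_NETS", "")
    if trusted:
        findings.append(("EXT", f"FW_TRUSTED_NETS={trusted} trusts source "
                                "addresses any host on the link could forge"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CFG), ("zoned", ZONED_CFG)):
        print(name, audit_sane(parse_sysconfig(text)) or "no findings")
```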