Mailinglist Archive: opensuse-bugs (6249 mails)

< Previous Next >
[Bug 551282] Firewall settings to make scanning via network possible with active firewall
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Tue, 15 Dec 2009 22:04:23 +0000
  • Message-id: <20091215220423.6B5CFCC7CE@xxxxxxxxxxxxxxxxxxxxxx>
http://bugzilla.novell.com/show_bug.cgi?id=551282

http://bugzilla.novell.com/show_bug.cgi?id=551282#c37


--- Comment #37 from Christian Boltz <suse-beta@xxxxxxxxx> 2009-12-15 23:04:20
CET ---
(In reply to comment #33)
(In reply to comment #32)
data_portrange = min_port - max_port
..
a firewall. If that firewall is a Linux machine, we strongly
recommend using the Netfilter nf_conntrack_sane module instead.
-----------------------------------------------------------------

I do not understand the "instead" therein.
It looks as if usage of nf_conntrack_sane would mean
that one cannot use data_portrange in /etc/sane.d/saned.conf
additionally?

You can. But then using the module doesn't make much sense.

I'd even say it makes much sense and you _should_ use data_portrange.
My understanding (based on firewalling FTP) is:
a) you open (only) the sane port in the firewall
b) you add the data_portrange ports to *_ACCEPT_RELATED_*:
FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"
These ports will not be open in general. They will only be opened by the
nf_conntrack_sane module to a specific client while accessing the scanner.

(Ludwig, please correct me if I'm wrong.)

I guess "man saned" is based on the config / method SuSEfirewall had in
openSUSE 10.x and older: just open the sane port (part "a)") and let the
nf_conntrack_* module open whatever related ports it wants (part "b)" was not
needed in openSUSE <= 10.3).

Since 11.0 you have to specify / allow the related ports in the firewall
explicitely. (If you don't specify data_portrange in saned, you would have to
add something like 1024:65000 to *_ACCEPT_RELATED_* which would potentially
open all highports for RELATED connections.)

That said: AFAIK /etc/sysconfig/SuSEfirewall2.d/services/* files don't support
the *_ACCEPT_RELATED_* part - but that would be a separate feature request ;-)

BTW: I don't recommend using the 10000:10100 range - 10024 is used by amavis on
many systems, and 10025 by postfix taking the mail back from amavis.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >