http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c37

--- Comment #37 from Christian Boltz <suse-beta@cboltz.de> 2009-12-15 23:04:20 CET ---
(In reply to comment #33)
> (In reply to comment #32)
> > data_portrange = min_port - max_port .. a firewall. If that firewall is a Linux machine, we strongly recommend using the Netfilter nf_conntrack_sane module instead.
> > I do not understand the "instead" therein. It looks as if usage of nf_conntrack_sane would mean that one cannot use data_portrange in /etc/sane.d/saned.conf additionally?
> You can. But then using the module doesn't make much sense.
I'd even say it makes much sense and you _should_ use data_portrange. My understanding (based on firewalling FTP) is:

a) you open (only) the sane port in the firewall
b) you add the data_portrange ports to *_ACCEPT_RELATED_*:
   FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"

These ports will not be open in general. They will only be opened by the nf_conntrack_sane module to a specific client while accessing the scanner.
(Ludwig, please correct me if I'm wrong.)

I guess "man saned" is based on the config / method SuSEfirewall had in openSUSE 10.x and older: just open the sane port (part "a)") and let the nf_conntrack_* module open whatever related ports it wants (part "b)" was not needed in openSUSE <= 10.3). Since 11.0 you have to specify / allow the related ports in the firewall explicitly. (If you don't specify data_portrange in saned, you would have to add something like 1024:65000 to *_ACCEPT_RELATED_*, which would potentially open all highports for RELATED connections.)

That said: AFAIK /etc/sysconfig/SuSEfirewall2.d/services/* files don't support the *_ACCEPT_RELATED_* part - but that would be a separate feature request ;-)

BTW: I don't recommend using the 10000:10100 range - 10024 is used by amavis on many systems, and 10025 by postfix taking the mail back from amavis.
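As an added example (not part of the bug report, and not code from saned or SuSEfirewall2), the following Python script checks the setup described in the comment above: it reads data_portrange from a saned.conf excerpt, reads FW_SERVICES_EXT_TCP, FW_LOAD_MODULES and FW_SERVICES_ACCEPT_RELATED_EXT from a SuSEfirewall2 sysconfig excerpt, verifies that the sane port is open, that nf_conntrack_sane is loaded, and that the RELATED tcp entry covers the saned range without being wider than it, and flags a data_portrange that includes the amavis/postfix ports the comment warns about. Both config excerpts are constructed sample input; the `net,proto[,sport[,dport]]` entry format for FW_SERVICES_ACCEPT_RELATED_EXT and the port assignments in LOCAL_PORTS are assumptions for this example.

```python
"""Consistency check: saned data_portrange vs. SuSEfirewall2 RELATED entry.

Added example, not part of the bug report or of saned/SuSEfirewall2.
Both config excerpts below are constructed sample input.
"""
import re

SANED_CONF = """\
# constructed sample excerpt of /etc/sane.d/saned.conf
data_portrange = 10000 - 10100
"""

SUSEFIREWALL2 = """\
# constructed sample excerpt of /etc/sysconfig/SuSEfirewall2
FW_SERVICES_EXT_TCP="sane-port"
FW_LOAD_MODULES="nf_conntrack_sane"
FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,10000:10100"
"""

# Ports that must not fall inside data_portrange: the sane port itself and
# the amavis/postfix pair mentioned in the comment.  Assumed local
# assignments; adjust to what actually listens on the host.
LOCAL_PORTS = {
    6566: "sane-port",
    10024: "amavis",
    10025: "postfix (mail returned from amavis)",
}


def parse_data_portrange(text):
    """Return (min_port, max_port) from 'data_portrange = min - max', or None."""
    m = re.search(r"^\s*data_portrange\s*=\s*(\d+)\s*-\s*(\d+)\s*$", text, re.M)
    if not m:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"invalid data_portrange {lo}-{hi}")
    return lo, hi


def parse_related_ranges(text):
    """Return [(net, proto, dport_lo, dport_hi)] from FW_SERVICES_ACCEPT_RELATED_EXT.

    Entry format assumed: net,proto[,sport[,dport]]; an empty or missing
    dport means any destination port.
    """
    m = re.search(r'^FW_SERVICES_ACCEPT_RELATED_EXT="([^"]*)"', text, re.M)
    if not m:
        return []
    out = []
    for entry in m.group(1).split():
        fields = entry.split(",")
        net, proto = fields[0], fields[1]
        dport = fields[3] if len(fields) > 3 else ""
        if not dport:
            lo, hi = 1, 65535
        elif ":" in dport:
            lo, hi = (int(p) for p in dport.split(":", 1))
        else:
            lo = hi = int(dport)
        out.append((net, proto, lo, hi))
    return out


def check(saned_text, fw_text, local_ports=LOCAL_PORTS):
    """Return a list of problem strings; an empty list means the setup is consistent."""
    problems = []
    rng = parse_data_portrange(saned_text)
    if rng is None:
        problems.append("saned.conf has no data_portrange; the RELATED entry "
                        "would have to cover all high ports")
        return problems
    lo, hi = rng

    if not re.search(r'^FW_SERVICES_EXT_TCP=".*\bsane-port\b.*"', fw_text, re.M):
        problems.append("sane-port is not opened in FW_SERVICES_EXT_TCP")
    if not re.search(r'^FW_LOAD_MODULES=".*\bnf_conntrack_sane\b.*"', fw_text, re.M):
        problems.append("nf_conntrack_sane is not listed in FW_LOAD_MODULES")

    related = parse_related_ranges(fw_text)
    # Exactly the saned range should be accepted as RELATED: no less (scans
    # fail) and no more (ports opened for RELATED that saned never uses).
    if not any(p == "tcp" and rlo <= lo and hi <= rhi for _, p, rlo, rhi in related):
        problems.append(f"no FW_SERVICES_ACCEPT_RELATED_EXT tcp entry covers {lo}:{hi}")
    for net, p, rlo, rhi in related:
        overlaps = p == "tcp" and not (rhi < lo or rlo > hi)
        if overlaps and (rlo < lo or rhi > hi):
            problems.append(f"RELATED entry {net},{p},,{rlo}:{rhi} is wider than "
                            f"data_portrange {lo}-{hi}")

    for port, name in sorted(local_ports.items()):
        if lo <= port <= hi:
            problems.append(f"data_portrange {lo}-{hi} includes port {port} ({name})")
    return problems


if __name__ == "__main__":
    for problem in check(SANED_CONF, SUSEFIREWALL2) or ["OK: setup is consistent"]:
        print(problem)
```

Run as-is, the script reports the two collisions (10024 and 10025) for the 10000:10100 range; replacing both the saned.conf and the sysconfig range with 20000-21000 gives an empty problem list.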