http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c39

--- Comment #39 from Ludwig Nussel <lnussel@novell.com> 2009-12-16 09:28:18 CET ---
(In reply to comment #37)
> (In reply to comment #33)
> > (In reply to comment #32)
> > > data_portrange = min_port - max_port ... a firewall. If that firewall is a
> > > Linux machine, we strongly recommend using the Netfilter nf_conntrack_sane
> > > module instead.
> > >
> > > I do not understand the "instead" therein. It looks as if usage of
> > > nf_conntrack_sane would mean that one cannot use data_portrange in
> > > /etc/sane.d/saned.conf additionally?
> >
> > You can. But then using the module doesn't make much sense.
>
> I'd even say it makes much sense and you _should_ use data_portrange. My
> understanding (based on firewalling FTP) is:
> a) you open (only) the sane port in the firewall
> b) you add the data_portrange ports to *_ACCEPT_RELATED_*:
>    FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"
> These ports will not be open in general. They will only be opened by the
> nf_conntrack_sane module to a specific client while accessing the scanner.

Hmm, that could work indeed.

> That said: AFAIK /etc/sysconfig/SuSEfirewall2.d/services/* files don't
> support the *_ACCEPT_RELATED_* part - but that would be a separate feature
> request ;-)

Oh it already does :-)

> BTW: I don't recommend using the 10000:10100 range - 10024 is used by amavis
> on many systems, and 10025 by postfix taking the mail back from amavis.
That's weird. Amavis shouldn't be using that port either I guess. For ftp services we use 30000:30100 so that could be used for sane too.
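The setup the thread converges on (pin saned's data ports with data_portrange, open only sane-port in general, admit the data range solely as RELATED via nf_conntrack_sane, and use the 30000:30100 range rather than 10000:10100) is written out below as an added example. It is not code from the bug, from sane-backends or from SuSEfirewall2. The saned.conf and sysconfig fragments are constructed; the field layout of FW_SERVICES_ACCEPT_RELATED_EXT is copied from the thread, and FW_LOAD_MODULES is assumed to be the variable that loads the conntrack helper. The check at the end verifies the one thing that silently breaks this arrangement: the firewall's RELATED range must cover saned's data_portrange, otherwise data connections for some scans are dropped even though the control connection works.

```shell
#!/bin/sh
# Added example (not from the bug thread, sane-backends or SuSEfirewall2):
# the saned side and the SuSEfirewall2 side of the setup, plus a check that
# the two port ranges agree.

# Constructed /etc/sane.d/saned.conf fragment. data_portrange pins the
# server's data connections to a fixed range (syntax from the saned.conf
# man page quoted in the thread); 30000:30100 mirrors the FTP range used
# in the thread instead of the amavis-colliding 10000:10100.
SANED_CONF='
# clients allowed to use the scanner
192.168.1.0/24
data_portrange = 30000 - 30100
'

# Constructed /etc/sysconfig/SuSEfirewall2 fragment. Only sane-port
# (6566/tcp) is open to everyone. The data range is admitted only as
# RELATED, i.e. after nf_conntrack_sane has seen the data port announced
# on the control connection, and only to the client that opened it.
# FW_LOAD_MODULES as the way to load the helper is an assumption.
SUSEFW_CONF='
FW_SERVICES_EXT_TCP="sane-port"
FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,30000:30100"
FW_LOAD_MODULES="nf_conntrack_sane"
'

# Print "min max" from the data_portrange line of a saned.conf text.
saned_data_range() {
    printf '%s\n' "$1" | sed -n \
      's/^[[:space:]]*data_portrange[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p'
}

# Print "min max" from the first tcp entry of FW_SERVICES_ACCEPT_RELATED_EXT
# in a sysconfig text, using the net,proto,dport,sport layout from the thread.
fw_related_range() {
    printf '%s\n' "$1" \
      | sed -n 's/^FW_SERVICES_ACCEPT_RELATED_EXT="\([^"]*\)".*/\1/p' \
      | tr ' ' '\n' \
      | sed -n 's/^[^,]*,tcp,[^,]*,\([0-9]*\):\([0-9]*\).*/\1 \2/p' \
      | head -n 1
}

# Return 0 when the RELATED range covers saned's data range and the helper
# is loaded, 1 otherwise. Without the helper the RELATED rule never matches;
# with a too-narrow range some data connections are dropped.
check_sane_fw_config() {
    saned="$1"; fw="$2"
    set -- $(saned_data_range "$saned"); smin="$1"; smax="$2"
    set -- $(fw_related_range "$fw");    fmin="$1"; fmax="$2"
    [ -n "$smin" ] && [ -n "$smax" ] && [ -n "$fmin" ] && [ -n "$fmax" ] || return 1
    [ "$fmin" -le "$smin" ] && [ "$fmax" -ge "$smax" ] || return 1
    printf '%s\n' "$fw" | grep -q '^FW_LOAD_MODULES=.*nf_conntrack_sane' || return 1
    return 0
}

# Usage: check the constructed fragments against each other.
if check_sane_fw_config "$SANED_CONF" "$SUSEFW_CONF"; then
    echo "saned data_portrange is covered by the firewall's RELATED range"
else
    echo "mismatch: scans will hang once saned picks a port the firewall drops" >&2
fi
```

The check is deliberately one-directional: the RELATED range may be wider than data_portrange without harm, because ports in it are still closed until nf_conntrack_sane creates an expectation for a specific client, but a RELATED range narrower than data_portrange loses connections. Running it from a packaging test or a post-install hook catches the case where someone later edits one file and forgets the other.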