Mailinglist Archive: opensuse-bugs (6249 mails)

< Previous Next >
[Bug 551282] Firewall settings to make scanning via network possible with active firewall
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Wed, 16 Dec 2009 08:28:21 +0000
  • Message-id: <20091216082821.484B0CC7CE@xxxxxxxxxxxxxxxxxxxxxx>
http://bugzilla.novell.com/show_bug.cgi?id=551282

http://bugzilla.novell.com/show_bug.cgi?id=551282#c39


--- Comment #39 from Ludwig Nussel <lnussel@xxxxxxxxxx> 2009-12-16 09:28:18 CET
---
(In reply to comment #37)
(In reply to comment #33)
(In reply to comment #32)
data_portrange = min_port - max_port
...
a firewall. If that firewall is a Linux machine, we strongly
recommend using the Netfilter nf_conntrack_sane module instead.
-----------------------------------------------------------------

I do not understand the "instead" therein.
It looks as if usage of nf_conntrack_sane would mean
that one cannot use data_portrange in /etc/sane.d/saned.conf
additionally?

You can. But then using the module doesn't make much sense.

I'd even say it makes much sense and you _should_ use data_portrange.
My understanding (based on firewalling FTP) is:
a) you open (only) the sane port in the firewall
b) you add the data_portrange ports to *_ACCEPT_RELATED_*:
FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"
These ports will not be open in general. They will only be opened by the
nf_conntrack_sane module to a specific client while accessing the scanner.

Hmm, that could work indeed.

That said: AFAIK /etc/sysconfig/SuSEfirewall2.d/services/* files don't support
the *_ACCEPT_RELATED_* part - but that would be a separate feature request ;-)

Oh it already does :-)

BTW: I don't recommend using the 10000:10100 range - 10024 is used by amavis
on
many systems, and 10025 by postfix taking the mail back from amavis.

That's weird. Amavis shouldn't be using that port either I guess. For ftp
services we use 30000:30100 so that could be used for sane too.

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >