http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c32
Johannes Meixner changed:
What                 |Removed                          |Added
---------------------+---------------------------------+---------------------------------
Priority             |P5 - None                        |P4 - Low
Status               |REOPENED                         |NEEDINFO
Info Provider        |                                 |lnussel@novell.com
Summary              |After whatever software update   |Firewall settings to make
                     |the firewall runs which made     |scanning via network possible
                     |scanning via network impossible  |with active firewall
Severity             |Normal                           |Enhancement
--- Comment #32 from Johannes Meixner 2009-12-15 09:10:13 UTC ---
Let's see if reasonable firewall settings are possible
to allow scanning via network even with active firewall.
Regarding a specific port range for saned, see "man saned":
-----------------------------------------------------------------
The saned.conf configuration file contains both options
for the daemon and the access list.
data_portrange = min_port - max_port
Specify the port range to use for the data connection.
Pick a port range between 1024 and 65535; don't pick a
too large port range, as it may have performance issues.
Use this option if your saned server is sitting behind
a firewall. If that firewall is a Linux machine, we strongly
recommend using the Netfilter nf_conntrack_sane module instead.
-----------------------------------------------------------------
I do not understand the "instead" therein.
It looks as if usage of nf_conntrack_sane would mean
that one cannot use data_portrange in /etc/sane.d/saned.conf
additionally?
By the way:
I do not understand how a (presumably small) port range
could make it more secure.
I would think that the smaller the port range,
the easier it is for an eavesdropper to sniff packets
and the easier for an attacker to attack a system
because he knows the ports of interest in advance?
Regardless of the port range for the data connection:
The saned listens on the well-known port "sane-port" (6566)
and according to "man saned"
------------------------------------------------------------------
First and foremost: saned is not intended to be exposed
to the internet or other non-trusted networks.
Make sure that access is limited by ... a firewall setup.
------------------------------------------------------------------
so that first and foremost our firewall setup must
protect port 6566 against access from the Internet
and any other non-trusted networks.
Ludwig,
wouldn't only the one following manual setting by the user
FW_TRUSTED_NETS="192.168.1.0"
be already sufficient and a reasonable firewall setting
to make scanning via network possible even with active firewall
(provided that the 192.168.1.0 network is trusted by the user)?
If yes,
I could implement in yast2-scanner that the user can enter
his trusted networks and then yast2-scanner would append those
values to FW_TRUSTED_NETS in /etc/sysconfig/SuSEfirewall2.
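The setting proposed at the end of the comment, as an added example that is not part of the bug report and not yast2-scanner's own code: a POSIX shell helper that appends a trusted network to FW_TRUSTED_NETS in a SuSEfirewall2 sysconfig file without duplicating entries. It assumes the SuSEfirewall2 FW_TRUSTED_NETS entry syntax "net/mask[,proto[,port]]" (space-separated entries) and takes an optional port: without one the whole network is trusted, as in the comment's FW_TRUSTED_NETS="192.168.1.0" proposal; with one, only tcp/PORT (e.g. sane-port 6566) is opened, which covers the control connection only, so the saned data connection would additionally need nf_conntrack_sane or an opened data_portrange. The CIDR validation, the filename and the demo input are the example's own choices.

```sh
#!/bin/sh
# Added example, not from the bug or from yast2-scanner. Appends an entry to
# FW_TRUSTED_NETS in a SuSEfirewall2-style sysconfig file. Assumed entry
# syntax: "net/mask[,proto[,port]]", entries separated by spaces.

# valid_net NET: return 0 if NET is an IPv4 network in CIDR form (a.b.c.d/n).
valid_net() {
    case "$1" in
        */*) ;;
        *) return 1 ;;
    esac
    _net=${1%/*}; _bits=${1#*/}
    case "$_bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$_bits" -le 32 ] || return 1
    _oldifs=$IFS; IFS=.; set -- $_net; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# get_trusted_nets FILE: print the current FW_TRUSTED_NETS value, unquoted.
get_trusted_nets() {
    sed -n 's/^FW_TRUSTED_NETS="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1"
}

# add_trusted_net FILE NET [PORT]: add NET (or "NET,tcp,PORT" when PORT is
# given) to FW_TRUSTED_NETS in FILE. Idempotent: an identical entry is not
# added twice. Returns 1 and writes to stderr on an invalid network.
add_trusted_net() {
    file=$1; net=$2; port=$3
    valid_net "$net" || { echo "add_trusted_net: bad network '$net'" >&2; return 1; }
    if [ -n "$port" ]; then entry="$net,tcp,$port"; else entry=$net; fi
    current=$(get_trusted_nets "$file")
    for e in $current; do
        if [ "$e" = "$entry" ]; then return 0; fi
    done
    if [ -z "$current" ]; then new=$entry; else new="$current $entry"; fi
    if grep -q '^FW_TRUSTED_NETS=' "$file"; then
        # Rewrite the assignment in place; '|' is the sed delimiter because
        # the value contains '/'. Writing through cat keeps the file's inode,
        # owner and mode (relevant for a real /etc/sysconfig file).
        tmp=$(mktemp)
        sed "s|^FW_TRUSTED_NETS=.*|FW_TRUSTED_NETS=\"$new\"|" "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf 'FW_TRUSTED_NETS="%s"\n' "$new" >> "$file"
    fi
}

# Stand-alone demo on a constructed scratch file, not a real config.
demo=$(mktemp)
printf 'FW_TRUSTED_NETS=""\nFW_SERVICES_EXT_TCP=""\n' > "$demo"
add_trusted_net "$demo" 192.168.1.0/24           # trust the whole LAN
add_trusted_net "$demo" 10.0.0.0/8 6566          # only sane-port from 10/8
echo "FW_TRUSTED_NETS is now: $(get_trusted_nets "$demo")"
rm -f "$demo"
```

After editing the file, SuSEfirewall2 has to be restarted for the new value to take effect; the helper only changes the configuration. Note that the helper validates the network syntactically, not that the network is actually one the user should trust, which remains the user's decision as the comment says.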