[Bug 551282] New: After latest kernel update (as of 2009-10-30) network scanning broken
http://bugzilla.novell.com/show_bug.cgi?id=551282

Summary: After latest kernel update (as of 2009-10-30) network scanning broken
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: i686
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: pagan13@estreet.com
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.4) Gecko/20091016 SUSE/3.5.4-6.1 Firefox/3.5.4

After performing a kernel update today, I lost the ability to use my networked scanner (HP Officejet 6310 all-in-one) that I have connected to my server. I am working from my laptop. It delivers a "Failed to determine the active scanners" error message which includes some arcane (and, as far as I can tell, useless) chatter about a "net metadriver", then simply fails to detect any scanners. The scanner in question works fine on the server itself using the normal xsane stuff. If I shut down the firewalls, it skips the "Failed to determine..." error message and goes straight to "No scanner recognized by this driver."

Reproducible: Always

Steps to Reproduce:
1. Update kernel to newest (currently, I think, "Linux 2.6.27.37-0.1-default i686" from sysinfo:/)
2. Try to scan
3. Go into Yast and try to detect scanner.

Actual Results: It acts like there is no scanner. It worked perfectly before this update.

Expected Results: I expected to find a scanner and be able to use it.

-- Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Joseph Short
--- Comment #2 from Marcus Meissner
--- Comment #3 from Joseph Short
zhu rensheng
--- Comment #4 from Johannes Meixner
--- Comment #5 from Michal Marek
--- Comment #6 from Joseph Short
--- Comment #7 from Michal Marek
--- Comment #8 from Joseph Short
--- Comment #9 from Michal Marek
--- Comment #10 from Johannes Meixner
--- Comment #11 from Joseph Short
--- Comment #12 from Johannes Meixner
--- Comment #13 from Joseph Short
--- Comment #14 from Johannes Meixner
--- Comment #17 from Johannes Meixner
--- Comment #18 from Joseph Short
--- Comment #19 from Joseph Short
--- Comment #20 from Johannes Meixner
--- Comment #21 from Joseph Short
--- Comment #22 from Johannes Meixner
--- Comment #23 from Joseph Short
--- Comment #24 from Christian Boltz
(In reply to comment #23)
> Before the update, network scanning worked with an active firewall. Now, unless I disable the firewall and open my server to hackers, I can not use network scanning.

I had the same issues with FTP after an update (10.2->11.1) - after some config changes in /etc/sysconfig/SuSEfirewall2 (see below) it works again. Details on http://www.suse.com/relnotes/i386/openSUSE/11.0/RELEASE-NOTES.en.html#10

> If you can't fix a broken saned, could you at least allow me to download and use the version that's NOT broken, the one that worked before the update?
>
> If I'm right, the change is in the firewall...
>
> browsing, you must manually open port TCP 6566 and open the Dynamic ports 49152:65535 on TCP, UDP, and RPC. If you don't, scanning will not work.

These ports can hopefully be tracked as "related" ports so that they don't have to be open always and for everybody. For example, my FTP daemon needs

FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"
FW_LOAD_MODULES="ip_conntrack_ftp"

I just see that there is also a nf_conntrack_sane module - try adding it to FW_LOAD_MODULES and put the dynamic ports to FW_SERVICES_ACCEPT_RELATED_EXT. If you don't get the firewall config running as described above, asking on the opensuse-security mailing list might be a good idea ;-)
--- Comment #25 from Johannes Meixner
--- Comment #26 from Ludwig Nussel
--- Comment #30 from Christian Boltz
> There is no special conntrack module as for ftp

Hmmm, Ludwig, what's this then? ;-)

# lsmod |grep sane
nf_conntrack_sane 7892 0
nf_conntrack 102912 6 nf_conntrack_sane,nf_conntrack_ipv6,[...]

(I never tested if it works, but it exists.)

Joseph, does scanning work if you setup your firewall as I described in comment #24?
--- Comment #31 from Ludwig Nussel
--- Comment #32 from Johannes Meixner
--- Comment #33 from Ludwig Nussel
> Let's see if reasonable firewall settings are possible to allow scanning via network even with active firewall.
>
> Regarding a specific port range for saned, see "man saned":
> -----------------------------------------------------------------
> The saned.conf configuration file contains both options for the daemon and the access list.
>
>     data_portrange = min_port - max_port
>
> Specify the port range to use for the data connection. Pick a port range between 1024 and 65535; don't pick a too large port range, as it may have performance issues. Use this option if your saned server is sitting behind a firewall. If that firewall is a Linux machine, we strongly recommend using the Netfilter nf_conntrack_sane module instead.
> -----------------------------------------------------------------
>
> I do not understand the "instead" therein. It looks as if usage of nf_conntrack_sane would mean that one cannot use data_portrange in /etc/sane.d/saned.conf additionally?

You can. But then using the module doesn't make much sense.

> I do not understand how a (presumably small) port range could make it more secure.

Opening ports never makes anything more secure :-) Restricting the ports to a range that is not used automatically prevents accidental access to local services.

> I would think that the smaller the port range, the easier it is for an eavesdropper to sniff packages and the easier for an attacker to attack a system because he knows the ports of interest in advance?

Doesn't matter.

> Regardless of the port range for the data connection: The saned listens on the well-known port "sane-port" (6566) and according to "man saned"
> ------------------------------------------------------------------
> First and foremost: saned is not intended to be exposed to the internet or other non-trusted networks. Make sure that access is limited by ... a firewall setup.
> ------------------------------------------------------------------
> so that first and foremost our firewall setup must protect port 6566 against access from the Internet and any other non-trusted networks.
>
> Ludwig, wouldn't only the one following manual setting by the user
>     FW_TRUSTED_NETS="192.168.1.0"
> be already sufficient and a reasonable firewall setting to make scanning via network possible even with active firewall (provided that the 192.168.1.0 network is trusted by the user)?

It would be FW_TRUSTED_NETS="192.168.1.0/24"

> If yes, I could implement in yast2-scanner that the user can enter his trusted networks and then yast2-scanner would append those values to FW_TRUSTED_NETS in /etc/sysconfig/SuSEfirewall2.

The yast2-scanner module would be the only one doing such things so I'd not recommend that. IMO the service file with port range specification is the simplest way. The UI could still warn if the user chooses that option.
--- Comment #34 from Johannes Meixner
--- Comment #35 from Ludwig Nussel
> I assume you mean something like having in /etc/sane.d/saned.conf
> -------------------------------------------------------------------
> data_portrange = 10000 - 10100
> -------------------------------------------------------------------
> together with a /etc/sysconfig/SuSEfirewall2.d/services/sane which contains accordingly
> -------------------------------------------------------------------
> TCP="sane-port 10000:10100"
> -------------------------------------------------------------------
>
> But this alone is not sufficiently secure because this alone just opens ports 6566 and 10000 - 10100 for any access from any host or network.

.. in that zone

> Therefore additionally I need a firewall setup to protect access to those ports from any non-trusted hosts and networks i.e. I need a firewall setup to allow access to those ports only from explicitly stated trusted hosts and/or networks.
>
> How can I do the latter?

Manually. Comment #26.

> Meanwhile I think the whole basic firewall setup based upon ports is mostly useless.
>
> I think the basic firewall setup might be better based "first and foremost" upon trusted hosts and networks.

Depends on the network setup. If you trust IP addresses you have to trust your router to not forward forged addresses. That's not the case e.g. if you have a laptop that connects to different wlans and has FW_TRUSTED_NETS=something. Anyone in the wlan could configure itself with an address of that range.

> Opening ports in the EXT zone does also not make much sense because allowing any access from any host or network to particular ports does not provide any protection for those ports.

Yes. Open port means open port. That's what people get by clicking on "open port" :-)

> As far as I see the only reason for a firewall setup based upon ports is when certain services are listening but access should be allowed only to some of them (e.g. allow access to the HTTP server but do not allow access to whatever other running server). But when no access is allowed to a service, why is its server process listening at all on the outer network (e.g. why is the server not only listening on the loopback interface)?

Who knows why people configure their system one way or another. In any case SuSEfirewall2 primarily works based on interfaces and zones rather than trusting IP address ranges. So if you want a configuration that makes sense use separate zones.
--- Comment #36 from Johannes Meixner
--- Comment #37 from Christian Boltz
(In reply to comment #32)
> data_portrange = min_port - max_port
> ... a firewall. If that firewall is a Linux machine, we strongly recommend using the Netfilter nf_conntrack_sane module instead.
> -----------------------------------------------------------------
>
> I do not understand the "instead" therein. It looks as if usage of nf_conntrack_sane would mean that one cannot use data_portrange in /etc/sane.d/saned.conf additionally?
>
> You can. But then using the module doesn't make much sense.

I'd even say it makes much sense and you _should_ use data_portrange. My understanding (based on firewalling FTP) is:
a) you open (only) the sane port in the firewall
b) you add the data_portrange ports to *_ACCEPT_RELATED_*:
   FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"
These ports will not be open in general. They will only be opened by the nf_conntrack_sane module to a specific client while accessing the scanner. (Ludwig, please correct me if I'm wrong.)

I guess "man saned" is based on the config / method SuSEfirewall had in openSUSE 10.x and older: just open the sane port (part "a)") and let the nf_conntrack_* module open whatever related ports it wants (part "b)" was not needed in openSUSE <= 10.3). Since 11.0 you have to specify / allow the related ports in the firewall explicitly. (If you don't specify data_portrange in saned, you would have to add something like 1024:65000 to *_ACCEPT_RELATED_* which would potentially open all highports for RELATED connections.)

That said: AFAIK /etc/sysconfig/SuSEfirewall2.d/services/* files don't support the *_ACCEPT_RELATED_* part - but that would be a separate feature request ;-)

BTW: I don't recommend using the 10000:10100 range - 10024 is used by amavis on many systems, and 10025 by postfix taking the mail back from amavis.
--- Comment #38 from Johannes Meixner
--- Comment #39 from Ludwig Nussel
(In reply to comment #33)
(In reply to comment #32)
> data_portrange = min_port - max_port
> ... a firewall. If that firewall is a Linux machine, we strongly recommend using the Netfilter nf_conntrack_sane module instead.
> -----------------------------------------------------------------
>
> I do not understand the "instead" therein. It looks as if usage of nf_conntrack_sane would mean that one cannot use data_portrange in /etc/sane.d/saned.conf additionally?
>
> You can. But then using the module doesn't make much sense.
>
> I'd even say it makes much sense and you _should_ use data_portrange. My understanding (based on firewalling FTP) is:
> a) you open (only) the sane port in the firewall
> b) you add the data_portrange ports to *_ACCEPT_RELATED_*:
>    FW_SERVICES_ACCEPT_RELATED_EXT="0/0,tcp,,20000:21000"
> These ports will not be open in general. They will only be opened by the nf_conntrack_sane module to a specific client while accessing the scanner.

Hmm, that could work indeed.

> That said: AFAIK /etc/sysconfig/SuSEfirewall2.d/services/* files don't support the *_ACCEPT_RELATED_* part - but that would be a separate feature request ;-)

Oh it already does :-)

> BTW: I don't recommend using the 10000:10100 range - 10024 is used by amavis on many systems, and 10025 by postfix taking the mail back from amavis.

That's weird. Amavis shouldn't be using that port either I guess. For ftp services we use 30000:30100 so that could be used for sane too.
--- Comment #40 from Johannes Meixner
--- Comment #41 from Johannes Meixner
--- Comment #42 from Ludwig Nussel
> Ludwig, could you describe or point to documentation how /etc/sysconfig/SuSEfirewall2.d/services/* files do support *_ACCEPT_RELATED_* because /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE reads "Only the variables TCP, UDP, RPC, IP and BROADCAST are allowed" and the only possible values for each of those variables is a "space separated list of allowed ... ports".

Gotcha! :-) You are not on 11.2 and you didn't install the updates for 11.1. Meanwhile that paragraph looks like this:

# Only the variables TCP, UDP, RPC, IP, BROADCAST, RELATED and
# MODULES are allowed. More may be supported in the future.
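As an added example (not code from this bug thread, nor from SuSEfirewall2 or sane-backends), the following Python helper ties together the points of comments #37, #39 and #42: it reads the data_portrange line from /etc/sane.d/saned.conf, enforces the 1024-65535 constraint quoted from "man saned" in comment #33, flags a range that collides with local services (the amavis/postfix 10024/10025 case from comment #37) or that is so wide it would expose all high ports, and renders a services/sane file that opens only sane-port and puts the data range under RELATED with MODULES="nf_conntrack_sane", instead of the TCP="sane-port 10000:10100" variant from comment #35 that opens the range to everyone in the zone. Assumptions: the saned.conf sample and the local-port table are constructed for the example; the RELATED= value format is copied from the FW_SERVICES_ACCEPT_RELATED_EXT examples in comments #24 and #37 and is assumed to be accepted in that exact form by a service file; the 1000-port width threshold is chosen for the example.

```python
import re

# Constructed sample of /etc/sane.d/saned.conf (not from the thread): the
# data_portrange line uses the 30000-30100 range Ludwig suggests in comment
# #39; the second line is a saned access-list entry.
SAMPLE_SANED_CONF = """\
# /etc/sane.d/saned.conf (constructed sample)
data_portrange = 30000 - 30100
192.168.1.0/24
"""

# Ports bound by local daemons that the data range must not overlap. The
# amavis/postfix pair is the collision comment #37 warns about; the table is
# otherwise a constructed placeholder to be filled from the real host.
LOCAL_SERVICE_PORTS = {
    10024: "amavis",
    10025: "postfix reinjection from amavis",
}

# Width above which a RELATED range is flagged. Comment #37 notes that an
# unset data_portrange would force something like 1024:65000 into
# *_ACCEPT_RELATED_*, i.e. all high ports. The threshold is an assumption.
MAX_RELATED_WIDTH = 1000

_RANGE_RE = re.compile(r"^\s*data_portrange\s*=\s*(\d+)\s*-\s*(\d+)\s*$", re.M)


def parse_data_portrange(conf_text):
    """Return (min_port, max_port) from saned.conf text, or None if unset.

    Enforces the constraint from "man saned": the range must lie between
    1024 and 65535 and be ordered.
    """
    m = _RANGE_RE.search(conf_text)
    if m is None:
        return None
    lo, hi = int(m.group(1)), int(m.group(2))
    if not (1024 <= lo <= hi <= 65535):
        raise ValueError(f"data_portrange {lo}-{hi} must satisfy 1024 <= min <= max <= 65535")
    return lo, hi


def range_conflicts(lo, hi, local_ports=LOCAL_SERVICE_PORTS):
    """Return {port: service} for local services whose port falls inside [lo, hi]."""
    return {port: name for port, name in local_ports.items() if lo <= port <= hi}


def related_too_broad(lo, hi, max_width=MAX_RELATED_WIDTH):
    """True when the RELATED range is wide enough to cover unrelated local services."""
    return (hi - lo + 1) > max_width


def firewall_service_file(lo, hi, net="0/0"):
    """Render /etc/sysconfig/SuSEfirewall2.d/services/sane.

    Only sane-port (6566) is opened unconditionally. The data range goes into
    RELATED, so it is reachable only for connections that nf_conntrack_sane
    has marked as related to an established control connection from the same
    client. The RELATED value format copies the FW_SERVICES_ACCEPT_RELATED_EXT
    value from the thread; that a service file accepts exactly that form is an
    assumption.
    """
    return (
        "## Name: saned (constructed example)\n"
        "## Description: SANE network scanner daemon, data range tracked by nf_conntrack_sane\n"
        'TCP="sane-port"\n'
        f'RELATED="{net},tcp,,{lo}:{hi}"\n'
        'MODULES="nf_conntrack_sane"\n'
    )


def plan(conf_text):
    """Check a saned.conf and return findings plus the service file if it is clean."""
    ports = parse_data_portrange(conf_text)
    if ports is None:
        return {"range": None, "ok": False,
                "problems": ["data_portrange unset: the RELATED rule would have to cover all high ports"],
                "service_file": None}
    lo, hi = ports
    problems = [f"port {p} in range is used by {name}"
                for p, name in sorted(range_conflicts(lo, hi).items())]
    if related_too_broad(lo, hi):
        problems.append(f"range {lo}:{hi} is wider than {MAX_RELATED_WIDTH} ports")
    return {"range": ports, "ok": not problems, "problems": problems,
            "service_file": firewall_service_file(lo, hi) if not problems else None}


if __name__ == "__main__":
    result = plan(SAMPLE_SANED_CONF)
    print("\n".join(result["problems"]) if result["problems"] else result["service_file"])
```

Run against the constructed sample it prints the service file; run against a copy with `data_portrange = 10000 - 10100` it reports the two amavis/postfix collisions instead, which is the check a packager would want before shipping a default range.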
--- Comment #43 from Johannes Meixner
--- Comment #44 from Johannes Meixner
--- Comment #45 from Johannes Meixner
--- Comment #46 from Johannes Meixner
--- Comment #47 from Johannes Meixner