openSUSE Security June 2003

security@lists.opensuse.org

156 participants
147 discussions

SuSeFirewall2 problems after reconnect (Suse 8.2)
by volkersp＠gmx.net 24 Jun '03

24 Jun '03

(This message was also postet in the alt.os.linux.suse newsgroup) Hello everybody, after installing Suse 8.2 and the latest updates I'm having some troubles with SuSeFirewall2. My ISP disconnects my DSL-line every 24h and rp-pppoe then automatically reconnects the line. Now if an application that is listening on highports (>1024) is already running before the reconnect takes place (e.G. mldonkey and hts), after the reconnection SuSefirewall2 is dropping packets to these highports which were accessable before the reconnection. E.G. mldonkey then only gets lo-ids and I can't access my machine via hts which is running @ port 4xxx. I'm not sure if SuSefirewall2 blocks all highports or only these on which the applications are listening. Lowports aren't affected. I still can connect to Apache and SSH after the reconnect. If I close these two applications mldonkey and hts, restart the firewall and then restart the applications, everything works fine until the next reconnection takes place. Using Suse 8.1 I had no problems. In the SuSefirewall2 config file all highport are enabled. (I can post the whole config file later on if somebody needs it). Is this a new feature/bug? Can I get rid of it somehow? Thanks! Best regards, Volker -- +++ GMX - Mail, Messaging & more http://www.gmx.net +++ Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

2 1

SuSE Firewall2 and DMZ
by Sandor Toth 22 Jun '03

22 Jun '03

Hi! I am in trouble because of my SuSE firewall2 settings. I have a firewall with six network adapters. One of them points to the DMZ, one of them points to the internal network and the others point to untrusted external worlds. There is a web server and a mail server running on the DMZ. Everybody can access the web server and the mail server (from the external world or from the internal network). The DMZ has a private IP address. Everybody use the proper IP address of the firewall to access the services on the DMZ server. It works fine. I wanted to use the same method for the internal network. And there is a strange behaviour. I know thta the firewall does not route between the DMZ and the internal net by default (bot he the DMZ and the internal net are masqueraded) so I used the FW_FORWARD optiona to access mail and web services from internal on DMZ. The IP address of the DMZ server is 192.168.122.2 and the internal net is 192.168.120.0/24 where 192.168.120.1 point to the interface of the firewall. I tried the 192.168.120.1 in my WEB browser (from the internal network) and it did not work. After that I tried the 192.168.122.2 and it worked. But why? I think I must use the IP address of the firewall to access services behind the firewall with FW_FORWARD and FW_FORWARD_MASQ options. Can anobody explain how it works? I already checked the relevant pdf documentations but they did not help. If I try to access theWEB server from the internet and I specify the IP address of the firewall, then it works fine. But it does not work from the internal network on the same way. And there is a second more serious problem. OK, I use the 192.168.122.2 from internal network to access web and mail. I tried to check my e-mails with IMAP from the internal network. It worked but there were a long delay. The firewall log showed: Jun 18 00:28:49 (none) kernel: SuSE-FW-ACCEPT-TRUST IN=eth0 OUT=eth1 SRC=192.168.120.30 DST=192.168.122.2 LEN=44 TOS=0x00 PREC=0x00 TTL=127 ID=19187 DF PROTO=TCP SPT=4177 DPT=143 WINDOW=44032 RES=0x00 SYN URGP=0 OPT (020405B4) Jun 18 00:28:49 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57671 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034647B10000000001030300) Jun 18 00:28:52 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57672 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A034648DD0000000001030300) Jun 18 00:28:58 (none) kernel: SuSE-FW-DROP-DEFAULT IN=eth1 OUT=eth0 SRC=192.168.122.2 DST=192.168.120.30 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57673 DF PROTO=TCP SPT=40188 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03464B350000000001030300) I think the SuSE-FW-DROP-DEFAULT cause the delay. Any help would be apprecieted. Best regards, Sandor Toth Ps: I use SuSE 8.2 Prof My routing table is: Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10.12.2.64 0.0.0.0 255.255.255.248 U 0 0 0 eth2 192.168.102.0 192.168.121.254 255.255.255.0 UG 0 0 0 eth4 192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth5 192.168.14.0 192.168.121.254 255.255.255.0 UG 0 0 0 eth4 192.168.120.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.121.0 0.0.0.0 255.255.255.0 U 0 0 0 eth4 192.168.106.0 192.168.121.254 255.255.255.0 UG 0 0 0 eth4 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 0.0.0.0 10.12.2.65 0.0.0.0 UG 0 0 0 eth2 My SuSE firewall settings are: FW_QUICKMODE="no" FW_DEV_EXT="eth2 eth3 eth4 eth5 ppp0" FW_DEV_INT="eth0" FW_DEV_DMZ="eth1" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="192.168.120.0/24 192.168.122.0/24" FW_PROTECT_FROM_INTERNAL="yes" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="" FW_SERVICES_EXT_UDP="" FW_SERVICES_EXT_IP="" FW_SERVICES_DMZ_TCP="domain" FW_SERVICES_DMZ_UDP="domain" FW_SERVICES_DMZ_IP="tcp" FW_SERVICES_INT_TCP="domain ssh 224" FW_SERVICES_INT_UDP="domain" FW_SERVICES_INT_IP="tcp" FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_UDP="" FW_SERVICES_QUICK_IP="" FW_TRUSTED_NETS="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes" FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="yes" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no" FW_FORWARD="192.168.120.0/24,192.168.122.2,tcp,23 \ 192.168.120.0/24,192.168.122.2,tcp,80 \ 192.168.120.0/24,192.168.122.2,tcp,139 \ 192.168.120.0/24,192.168.122.2,tcp,25 \ 192.168.120.0/24,192.168.122.2,tcp,110 \ 192.168.120.0/24,192.168.122.2,tcp,143" FW_FORWARD_MASQ="\ 192.168.14.0/24,192.168.120.19,tcp,3389 \ 192.168.14.0/24,192.168.120.18,tcp,7781 \ 192.168.14.0/24,192.168.120.18,tcp,445 \ 192.168.14.0/24,192.168.122.2,tcp,23 \ 192.168.14.0/24,192.168.120.18,tcp,1522 \ 192.168.14.0/24,192.168.120.13,tcp,80 \ 192.168.14.0/24,192.168.120.30,tcp,6000 \ 192.168.14.0/24,192.168.120.18,tcp,139 \ 0/0,192.168.122.2,tcp,25 \ 0/0,192.168.122.2,tcp,110 \ 0/0,192.168.122.2,tcp,143 \ 0/0,192.168.122.2,tcp,80 \ 192.168.102.101,192.168.120.30,tcp,6000 \ 192.168.102.102,192.168.120.30,tcp,6000" # Beware to use this! FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="yes" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" FW_KERNEL_SECURITY="yes" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="no" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" FW_ALLOW_FW_TRACEROUTE="no" FW_ALLOW_FW_SOURCEQUENCH="no" FW_ALLOW_FW_BROADCAST="no" FW_IGNORE_FW_BROADCAST="yes" FW_ALLOW_CLASS_ROUTING="no" FW_CUSTOMRULES="" FW_REJECT="no" FW_HTB_TUNE_DEV=""

2 1

MD5 and shadow for a soft migration
by r_2＠gmx.de 21 Jun '03

21 Jun '03

Hello List, I'm using shadow for auth on my SuSE 7.2pro. Now some modules need md5. Is it possible to use MD5 and shadow parallel on one system? I think something like following should run? sufficent md5-module (don't know which module) required shadow (don't know which module) Here should be a md5 password enought to auth to the system, else the shadow will be used. Is it possible? If so are there any security concerns? Which module should I use? (please add some example config) best regards, Hans -- +++ GMX - Mail, Messaging & more http://www.gmx.net +++ Bitte lächeln! Fotogalerie online mit GMX ohne eigene Homepage!

2 3

Problems with VPN and SuSEfirewall2
by John Lederer 20 Jun '03

20 Jun '03

I have spent some time head banging in this one with no answer I would sure appreciate some help. ================== General Setup: Suse version is 8.2 Ipsec is used to connect two networks office (10.1.x.x) and home(192.168.x.x) Ipsec works fine without the firewall running. 10.1.x.x, the office network, is behind the SuSEfirewall2 The external ipsecced home network is 192.168.x.x The internal ethernet interface is eth1 The external internet interface and ipsec is eth0 The external ipaddress for the firewall machine is 208.171.49.111 ======================= Problem: An internal office client machine, 10.1.1.55 is able to successfully ping 192.168.204.72 a client machine on the home ipsecced network, so all seems well there. However, an internal home network machine cannot ping an internal 10.1.x.x. address. The /var/log/warn file shows the following: Jun 20 09:22:22 stpeter kernel: SuSE-FW-DROP-DEFAULT IN=ipsec0 OUT=eth1 SRC=192.168.204.72 DST=10.1.1.55 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=7868 DF PROTO=ICMP TYPE=8 CODE=0 ID=54372 SEQ=69 ============================ Configuration: I followed the suggested configuration in examples (the only difference I could see between my setup and Secenario 4 was that my internal and external networks (192- and 10-) were reversed. I also added ssh and allowed the internal network full access. The following is my SuSEfirewall2 configuration: FW_QUICKMODE="no" FW_DEV_EXT="eth0 ipsec0" FW_DEV_INT="eth1" FW_DEV_DMZ="" FW_ROUTE="yes" FW_MASQUERADE="yes" FW_MASQ_DEV="$FW_DEV_EXT" FW_MASQ_NETS="10.1.0.0/16" FW_PROTECT_FROM_INTERNAL="no" FW_AUTOPROTECT_SERVICES="yes" FW_SERVICES_EXT_TCP="ssh" FW_SERVICES_EXT_UDP="500" FW_SERVICES_EXT_IP="50 51" FW_SERVICES_DMZ_TCP="" FW_SERVICES_DMZ_UDP="" FW_SERVICES_DMZ_IP="" FW_SERVICES_INT_TCP="" FW_SERVICES_INT_UDP="" FW_SERVICES_INT_IP="" FW_SERVICES_QUICK_TCP="" FW_SERVICES_QUICK_UDP="" FW_SERVICES_QUICK_IP="" FW_TRUSTED_NETS="" FW_ALLOW_INCOMING_HIGHPORTS_TCP="no" FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS" FW_SERVICE_AUTODETECT="yes" FW_SERVICE_DNS="no" FW_SERVICE_DHCLIENT="no" FW_SERVICE_DHCPD="no" FW_SERVICE_SQUID="no" FW_SERVICE_SAMBA="no" FW_FORWARD="10.0.0.0/16,192.168.0.0/16 192.168.0.0/16,10.0.0.0/16" FW_FORWARD_MASQ="" FW_REDIRECT="" FW_LOG_DROP_CRIT="yes" FW_LOG_DROP_ALL="no" FW_LOG_ACCEPT_CRIT="yes" FW_LOG_ACCEPT_ALL="no" FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW" FW_KERNEL_SECURITY="yes" FW_STOP_KEEP_ROUTING_STATE="no" FW_ALLOW_PING_FW="yes" FW_ALLOW_PING_DMZ="no" FW_ALLOW_PING_EXT="no" FW_ALLOW_FW_TRACEROUTE="yes" FW_ALLOW_FW_SOURCEQUENCH="yes" FW_ALLOW_FW_BROADCAST="no" FW_IGNORE_FW_BROADCAST="yes" FW_ALLOW_CLASS_ROUTING="no" FW_CUSTOMRULES="" FW_REJECT="no" FW_HTB_TUNE_DEV="" ===================================== Any suggestions would be very welcome! Regards, John Lederer

2 1

Re: [suse-security] kernel updates
by Marcos Rojas 20 Jun '03

20 Jun '03

Hi all Im running a server with SuSE Linux 8.0, System Linux hera 2.4.18-4GB - i686, with the followin services: - Apache - OpenSSL 0.9.6c (updated with yast for 60 days) - Qmail, ProFTPD - MySQL 3.23.51 - PHP 4.2.2 I dont use telnet, only SSH, SuSEfirewall2 is on, only the ports i use are open, highports for ftp and so ... -> I don´t use the system for nothing else ... did i need this kernel update? -> If i do, where can i get the best howto? I read here that kernel updates with yast doesnt work with SuSE 8.0 Thanks in advance, Marcos > Sent: Wednesday, June 18, 2003 10:02 AM > Subject: [suse-security] kernel updates > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, > > this is a brief heads-up concerning kernel updates: SuSE Linux 8.1 and 8.2 > will have kernel-updates within the next few minutes (maybe an hour) on > the ftp server in the directories known for regular updates. > > These updates are the first kernel updates that are installable via YOU. > > SuSE Linux 8.0 has a small bug in Yast2 that causes some information in > /etc/sysconfig/bootloader to be unreliable after installation. This > information cannot be retrieved from the system, and manual interaction > might be necessary. By consequence, it is not reliable enough to provide > kernel updates for this distribution. > > I will create directories in the kernel directory in > /pub/suse/i386/update/* with appropriate notices/READMEs there. --------------------------------- Internet GRATIS es Yahoo! Conexión. Usuario: yahoo; contraseña: yahoo Desde Buenos Aires: 4004-1010 Más ciudades: clic aquí.

1 0

Re: [suse-security] kernel updates
by Saravanaraj A N 20 Jun '03

20 Jun '03

Hello Everybody Are there any kernel updates for SuSe 8.0. I see a directory in the ftp server under updates/kernel dated 6/18/03 but there are no files in there. So was wondering what's going on. Thanks -Raj -- Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/

1 0

YOU updates Vanilla-Kernel
by Al Bogner 20 Jun '03

20 Jun '03

I have a multikernel-system, which uses a Vanilla-kernel at the moment. IMO YOU should only do a kernel-update, when a SuSE-kernel is running. Al

8 9

kernel updates
by Roman Drahtmueller 20 Jun '03

20 Jun '03

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, this is a brief heads-up concerning kernel updates: SuSE Linux 8.1 and 8.2 will have kernel-updates within the next few minutes (maybe an hour) on the ftp server in the directories known for regular updates. These updates are the first kernel updates that are installable via YOU. SuSE Linux 8.0 has a small bug in Yast2 that causes some information in /etc/sysconfig/bootloader to be unreliable after installation. This information cannot be retrieved from the system, and manual interaction might be necessary. By consequence, it is not reliable enough to provide kernel updates for this distribution. I will create directories in the kernel directory in /pub/suse/i386/update/* with appropriate notices/READMEs there. The updates for 7.2 and 7.3 are still about to be built and tested right now. Some userspace update packages are necessary for these distributions. We will publish an announcement as soon as all update packages are available. Thanks, Roman. - -- - - | Roman Drahtmüller <draht(a)suse.de> // Nail here | SuSE Linux AG - Security Phone: // for a new | Nürnberg, Germany +49-911-740530 // monitor! --> [x] | - - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: SuSE Security iD8DBQE+8GLZnkDjEAAKq6QRAouQAJ9J2fiUMutjryp7klQuoT3rXBiMYwCgtsWc sWOng/AH6KYE13FwF9AGvlU= =dMuE -----END PGP SIGNATURE-----

4 6

Since grsec no SuSE-FW-DROP-DEFAULT IN
by Al Bogner 20 Jun '03

20 Jun '03

There is a SuSE 8.2 pc with SuSE-Firewall 2 and a 2.4.21-rc7-grsec Kernel, with the following options: CONFIG_GRKERNSEC=y CONFIG_GRKERNSEC_LOW=y CONFIG_GRKERNSEC_ACL_MAXTRIES=3 CONFIG_GRKERNSEC_ACL_TIMEOUT=30 CONFIG_GRKERNSEC_FLOODTIME=10 CONFIG_GRKERNSEC_FLOODBURST=4 CONFIG_GRKERNSEC_LINK=y CONFIG_GRKERNSEC_FIFO=y CONFIG_GRKERNSEC_RANDPID=y CONFIG_GRKERNSEC_EXECVE=y CONFIG_GRKERNSEC_RANDNET=y CONFIG_GRKERNSEC_DMESG=y CONFIG_GRKERNSEC_RANDID=y CONFIG_GRKERNSEC_CHROOT_CHDIR=y I have to mention too, that there is no need for a special security. All external ports are closed and the ip-adress is dynamic. Before I got a lot of messages like: fw kernel: SuSE-FW-DROP-DEFAULT IN=ippp0 OUT= MAC= SRC=213.23.18.107 DST=62.46.154.238 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=38567 DF PROTO=TCP SPT=56414 DPT=4662 WINDOW=5808 RES=0x00 SYN URGP=0 OPT (020405840402080A207010A30000000001030300) But now I can't see any like this. Is this a misconfiguration or does grsec prevent me from portscans? Al

4 4

Re: [suse-security] YOU behind a proxy
by Lukacs Zsolt 20 Jun '03

20 Jun '03

Hi Thank you very much. It's working just fine. I do not know why YOU is not working. I have changed the /etc/sysconfig/onlineupdate file and have written to it the proxy user name and password but it does not work. I have set the enviroment variables http_proxy and ftp_proxy, and i have updated the wgetrc, but it's not working. It's a mistery :) Zsolt Markus Gaugusch wrote: >On Jun 17, Lukacs Zsolt <zsolt.lukacs(a)siemens.com> wrote: > > > >>I have tried to set the http_proxy variable to "http://proxyserver:port" >> >> >The http_proxy must end with a / (e.g. "http://proxy:8080/" ). I had weird >effects without the / at the end. > > > >>Anybody experienved the same problem or can anybody tell me some a >>solution to my problem? >> >> >You may want to try fou4s (http://fou4s.gaugusch.at/), an alternative to >YOU with good proxy support (it uses wget, so if it works with wget, fou4s >works) > >kind regards, >Markus > >

1 0

← Newer
1
2
3
4
5
6
7
...
15
Older →

Jump to page:

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security June 2003