May 2015 - openSUSE Security - openSUSE Mailing Lists

[opensuse-security] No firewall and X server listening globally
by Uwe Geuder 22 May '15

22 May '15

Hi! I have installed several OpenSUSE machines during recent years and I believe they always enabled the firewall by default. At least I don't remember having done anything special and the firewall was active. Some installations were done from promotion DVDs, others from some image downloaded, not sure which variant. My last installation I made from a 13.2 KDE Live image. To my surprise the firewall is not activated. Again I'm quite sure I made no non-default choices in that direction and I don't remember having seen a selection in the installer where I could have explicitly chosen to enable it. By default the X server does not listen to TCP port at all. That's fine, especially if there is no firewall. But if I start am additional session (KDE menu "Switch user") the second X server is listing to TCP port 6001 globally. $ ps -fp $(pgrep -d , Xorg) UID PID PPID C STIME TTY TIME CMD root 1543 1499 0 14:25 tty7 00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-kwjL1b root 2387 1499 0 14:27 tty8 00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-m4GpQa $ sudo /usr/sbin/ss -ltpn | grep Xorg LISTEN 0 128 *:6001 *:* users:(("Xorg",pid=2387,fd=3)) LISTEN 0 128 :::6001 :::* users:(("Xorg",pid=2387,fd=1)) Questions: Does everything I see here work as it should? 1.) Firewall not active by default 2.) 2nd X server listening to TCP Regards, Uwe P.S. Apologies for being a bit vague on the installation. But I don't have spare machines and installation takes quite long, especially when having to do it on a small virtual machine. So I take the freedeom to violate the rule of investigate first and ask stupid questions on the list thereafter... Uwe Geuder Nomovok Ltd. Tampere, Finland uwe.gxuder(a)nomovok.com (bot test: humans correct 1 obvious spelling error) -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

5 4

[opensuse-security] Re: SuSEFirewall2, libvirtd and opening ports with restrictions
by Johannes Kastl 15 May '15

15 May '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I got no response regarding my first question, maybe my question is better placed in -security. So excuse the fullquote and toppost, and I hope gmane does not mess up the F2up/Reply-To. (2nd try) Thanks, Johannes On 09.05.15 Johannes Kastl wrote: > Hi everyone, > > as I happen to try this on my tumbleweed machine, I am asking on > this list. But I think the basics apply to 13.{1,2} as well. > > I know I can add 'special' iptables rules in > /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like > this: > >> FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22" > > This would allow only the host 192.168.178.2 to reach the machine > via ssh. > > ############################ Question: > ############################ How do I add such a special rule > when I want to open the port on the virtual interfaces that > libvirt uses? > > I have setup libvirt with a nat network, which uses virbr0. As > soon as a VM is startet, another interface vnet0 appears. So > basically I want to open a port on whichever of these two > interfaces is the right one. > > Assuming that INT, EXT and DMZ are used otherwise, I know I could > create an additional zone (for each of the interfaces) > >> FW_ZONES="libvirt" FW_DEV_libvirt="vnet0" >> FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22" > > I would also have to set FW_ROUTE to yes, otherwise the VM does > not get a connection to the hosts network and no route to the > whole wide world. > > But: This does not work in my setup. > > I restarted SuSEfirewall2 and libvirt services, rebooted the VM, > but no, no open port. > > If I stop SuSEfirewall2, then the port can be reached, i.e. the > ssh service is not the problem. > > Any hints? Is there something I'm missing? Some error in my > thinking? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ iEYEARECAAYFAlVWDI8ACgkQzi3gQ/xETbIOmwCcD76+Ar+AUtX2Pgv+WqOxvTWv iPAAnRxabA+edlJwdU7OIPmMF6r/Rijp =dPyN -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0

[opensuse-security] Re: SuSEFirewall2, libvirtd and opening ports with restrictions
by Johannes Kastl 14 May '15

14 May '15

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I got no response regarding my first question, maybe my question is better placed in -security. So excuse the fullquote and toppost, and I hope gmane does not mess up the F2up/Reply-To. Thanks, Johannes On 09.05.15 Johannes Kastl wrote: > Hi everyone, > > as I happen to try this on my tumbleweed machine, I am asking on > this list. But I think the basics apply to 13.{1,2} as well. > > I know I can add 'special' iptables rules in > /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like > this: > >> FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22" > > This would allow only the host 192.168.178.2 to reach the > machine via ssh. > > ############################ Question: > ############################ How do I add such a special rule > when I want to open the port on the virtual interfaces that > libvirt uses? > > I have setup libvirt with a nat network, which uses virbr0. As > soon as a VM is startet, another interface vnet0 appears. So > basically I want to open a port on whichever of these two > interfaces is the right one. > > Assuming that INT, EXT and DMZ are used otherwise, I know I > could create an additional zone (for each of the interfaces) > >> FW_ZONES="libvirt" FW_DEV_libvirt="vnet0" >> FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22" > > I would also have to set FW_ROUTE to yes, otherwise the VM does > not get a connection to the hosts network and no route to the > whole wide world. > > But: This does not work in my setup. > > I restarted SuSEfirewall2 and libvirt services, rebooted the VM, > but no, no open port. > > If I stop SuSEfirewall2, then the port can be reached, i.e. the > ssh service is not the problem. > > Any hints? Is there something I'm missing? Some error in my > thinking? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ iEYEARECAAYFAlVU+W8ACgkQzi3gQ/xETbLIRACfe+RnhPKFZMUBb3mYu4lG2rZE 6/8An0Cjv3fttiiJu8odSGCd8uGn1rxL =OFVB -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

1 0