Hi!
I have installed several OpenSUSE machines during recent years and I
believe they always enabled the firewall by default. At least I don't
remember having done anything special and the firewall was active. Some
installations were done from promotion DVDs, others from some image
downloaded, not sure which variant.
My last installation I made from a 13.2 KDE Live image. To my surprise
the firewall is not activated. Again I'm quite sure I made no
non-default choices in that direction and I don't remember having seen a
selection in the installer where I could have explicitly chosen to
enable it.
By default the X server does not listen on a TCP port at all. That's fine,
especially if there is no firewall. But if I start an additional session
(KDE menu "Switch user") the second X server is listening on TCP port 6001
globally.
$ ps -fp $(pgrep -d , Xorg)
UID PID PPID C STIME TTY TIME CMD
root 1543 1499 0 14:25 tty7 00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-kwjL1b
root 2387 1499 0 14:27 tty8 00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-m4GpQa
$ sudo /usr/sbin/ss -ltpn | grep Xorg
LISTEN 0 128 *:6001 *:* users:(("Xorg",pid=2387,fd=3))
LISTEN 0 128 :::6001 :::* users:(("Xorg",pid=2387,fd=1))
Questions: Does everything I see here work as it should?
1.) Firewall not active by default
2.) 2nd X server listening to TCP
Regards,
Uwe
P.S. Apologies for being a bit vague on the installation. But I don't
have spare machines and installation takes quite long, especially when
having to do it on a small virtual machine. So I take the freedom to
violate the rule of investigating first and asking stupid questions
on the list thereafter...
Uwe Geuder
Nomovok Ltd.
Tampere, Finland
uwe.gxuder(a)nomovok.com
--
To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org
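The two checks Uwe ran, as an added shell example (not part of the post): parse the `ps -f` and `ss -ltpn` output and flag any Xorg instance that was started without `-nolisten tcp` or that is actually listening in the X11 port range (6000-6063). The sample output is constructed after the listing in the post; the column layout assumed (command in the 8th `ps -f` field, socket in the 4th `ss` field) and the AuthFiles names are placeholders, not taken from a real system.

```shell
#!/bin/sh
# Added example: audit running X servers for TCP listeners.
# Inputs below are constructed to mirror the post's 'ps -fp $(pgrep -d , Xorg)'
# and 'ss -ltpn | grep Xorg' output; on a live system feed the real output in.

PS_SAMPLE='UID PID PPID C STIME TTY TIME CMD
root 1543 1499 0 14:25 tty7 00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-xxxxxx
root 2387 1499 0 14:27 tty8 00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-yyyyyy'

SS_SAMPLE='LISTEN 0 128 *:6001 *:* users:(("Xorg",pid=2387,fd=3))
LISTEN 0 128 :::6001 :::* users:(("Xorg",pid=2387,fd=1))'

# Print the PID of every Xorg process whose command line lacks "-nolisten tcp".
# Assumes 'ps -f' layout: the command starts in field 8.
xorg_without_nolisten() {
    printf '%s\n' "$1" | awk '
        $8 ~ /Xorg$/ {
            nolisten = 0
            for (i = 9; i < NF; i++)
                if ($i == "-nolisten" && $(i + 1) == "tcp") nolisten = 1
            if (!nolisten) print $2
        }'
}

# Print "pid port" for every Xorg socket listening on an X11 display port.
# The IPv4 (*:6001) and IPv6 (:::6001) sockets of one server collapse to one line.
xorg_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" && index($6, "Xorg") {
            n = split($4, a, ":")
            port = a[n] + 0
            if (port >= 6000 && port <= 6063) {
                match($6, /pid=[0-9]+/)
                print substr($6, RSTART + 4, RLENGTH - 4), port
            }
        }' | sort -u
}

# Usage on a live system (not run here):
#   xorg_without_nolisten "$(ps -fp "$(pgrep -d , Xorg)")"
#   xorg_tcp_listeners "$(ss -ltpn)"
echo "Xorg started without -nolisten tcp:"
xorg_without_nolisten "$PS_SAMPLE"
echo "Xorg listening on X11 TCP ports (pid port):"
xorg_tcp_listeners "$SS_SAMPLE"
```

The second function is the one that matters for exposure: a server may be started with `-nolisten tcp` omitted and still not listen (a build without TCP support), and the socket list is what an external host would actually reach, so the two views are worth comparing. Both lines of the constructed `ss` output belong to the same server and differ only in the file descriptor, which is why the result is de-duplicated.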
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As I got no response regarding my first question, maybe my question
is better placed in -security.
So excuse the fullquote and toppost, and I hope gmane does not mess
up the F2up/Reply-To.
(2nd try)
Thanks,
Johannes
On 09.05.15 Johannes Kastl wrote:
> Hi everyone,
>
> as I happen to try this on my tumbleweed machine, I am asking on
> this list. But I think the basics apply to 13.{1,2} as well.
>
> I know I can add 'special' iptables rules in
> /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like
> this:
>
>> FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22"
>
> This would allow only the host 192.168.178.2 to reach the machine
> via ssh.
>
> ############################
> Question:
> ############################
> How do I add such a special rule when I want to open the port on the
> virtual interfaces that libvirt uses?
>
> I have set up libvirt with a nat network, which uses virbr0. As
> soon as a VM is started, another interface vnet0 appears. So
> basically I want to open a port on whichever of these two
> interfaces is the right one.
>
> Assuming that INT, EXT and DMZ are used otherwise, I know I could
> create an additional zone (for each of the interfaces)
>
>> FW_ZONES="libvirt"
>> FW_DEV_libvirt="vnet0"
>> FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22"
>
> I would also have to set FW_ROUTE to yes, otherwise the VM does
> not get a connection to the host's network and no route to the
> whole wide world.
>
> But: This does not work in my setup.
>
> I restarted SuSEfirewall2 and libvirt services, rebooted the VM,
> but no, no open port.
>
> If I stop SuSEfirewall2, then the port can be reached, i.e. the
> ssh service is not the problem.
>
> Any hints? Is there something I'm missing? Some error in my
> thinking?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/
iEYEARECAAYFAlVWDI8ACgkQzi3gQ/xETbIOmwCcD76+Ar+AUtX2Pgv+WqOxvTWv
iPAAnRxabA+edlJwdU7OIPmMF6r/Rijp
=dPyN
-----END PGP SIGNATURE-----
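One thing a practitioner would check before debugging the zone itself, as an added shell example that is not from the thread and does not claim to be the resolution of Johannes' setup: a libvirt tap device such as vnet0 is normally enslaved to the virbr0 bridge, and traffic from a VM that terminates on the host is delivered through the bridge device, so the host's INPUT chain sees virbr0, not vnet0, as the incoming interface (assumption: standard Linux bridge behaviour, without br_netfilter physdev matching). The script parses `ip -o link show` output (constructed sample, layout as printed by iproute2, MAC addresses made up) to find an interface's master and renders the zone lines from the post with the host-side device filled in.

```shell
#!/bin/sh
# Added example: pick the host-side device for a SuSEfirewall2 zone.
# IP_LINK_SAMPLE is a constructed 'ip -o link show' listing; replace it with
# "$(ip -o link show)" on a real host.

IP_LINK_SAMPLE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:01 brd ff:ff:ff:ff:ff:ff
3: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
4: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT group default qlen 1000\    link/ether 52:54:00:aa:bb:02 brd ff:ff:ff:ff:ff:ff
5: vnet0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master virbr0 state UNKNOWN mode DEFAULT group default qlen 1000\    link/ether fe:54:00:aa:bb:03 brd ff:ff:ff:ff:ff:ff'

# Print "<iface> <master>" for every interface that is a port of a bridge/bond.
bridge_members() {
    printf '%s\n' "$1" | awk '
        {
            name = $2
            sub(/:$/, "", name)
            for (i = 3; i < NF; i++)
                if ($i == "master") print name, $(i + 1)
        }'
}

# Device the host firewall sees for traffic arriving via $1:
# the master (bridge) if $1 is enslaved, otherwise $1 itself.
zone_device() {
    master=$(bridge_members "$2" | awk -v n="$1" '$1 == n { print $2 }')
    if [ -n "$master" ]; then
        printf '%s\n' "$master"
    else
        printf '%s\n' "$1"
    fi
}

# Render the zone lines from the post, allowing ssh from one source host only.
# Arguments: VM tap interface, 'ip -o link' output, allowed source address.
firewall_zone_config() {
    dev=$(zone_device "$1" "$2")
    printf 'FW_ZONES="libvirt"\n'
    printf 'FW_DEV_libvirt="%s"\n' "$dev"
    printf 'FW_SERVICES_ACCEPT_libvirt="%s,tcp,22"\n' "$3"
    printf 'FW_ROUTE="yes"\n'
}

echo "bridge membership:"
bridge_members "$IP_LINK_SAMPLE"
echo "zone lines for vnet0:"
firewall_zone_config vnet0 "$IP_LINK_SAMPLE" 192.168.2.2
```

With the constructed listing the zone is bound to virbr0 rather than vnet0, which is also the interface that persists across VM restarts. The thread itself does not confirm whether the interface choice was the cause of the poster's problem, so treat the output as the first thing to compare against a non-working configuration, not as a verified fix.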
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
As I got no response regarding my first question, maybe my question
is better placed in -security.
So excuse the fullquote and toppost, and I hope gmane does not mess
up the F2up/Reply-To.
Thanks,
Johannes
On 09.05.15 Johannes Kastl wrote:
> Hi everyone,
>
> as I happen to try this on my tumbleweed machine, I am asking on
> this list. But I think the basics apply to 13.{1,2} as well.
>
> I know I can add 'special' iptables rules in
> /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like
> this:
>
>> FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22"
>
> This would allow only the host 192.168.178.2 to reach the
> machine via ssh.
>
> ############################
> Question:
> ############################
> How do I add such a special rule when I want to open the port on the
> virtual interfaces that libvirt uses?
>
> I have set up libvirt with a nat network, which uses virbr0. As
> soon as a VM is started, another interface vnet0 appears. So
> basically I want to open a port on whichever of these two
> interfaces is the right one.
>
> Assuming that INT, EXT and DMZ are used otherwise, I know I
> could create an additional zone (for each of the interfaces)
>
>> FW_ZONES="libvirt"
>> FW_DEV_libvirt="vnet0"
>> FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22"
>
> I would also have to set FW_ROUTE to yes, otherwise the VM does
> not get a connection to the host's network and no route to the
> whole wide world.
>
> But: This does not work in my setup.
>
> I restarted SuSEfirewall2 and libvirt services, rebooted the VM,
> but no, no open port.
>
> If I stop SuSEfirewall2, then the port can be reached, i.e. the
> ssh service is not the problem.
>
> Any hints? Is there something I'm missing? Some error in my
> thinking?
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/
iEYEARECAAYFAlVU+W8ACgkQzi3gQ/xETbLIRACfe+RnhPKFZMUBb3mYu4lG2rZE
6/8An0Cjv3fttiiJu8odSGCd8uGn1rxL
=OFVB
-----END PGP SIGNATURE-----