openSUSE Security May 2015

security@lists.opensuse.org

5 participants
3 discussions

[opensuse-security] No firewall and X server listening globally

by Uwe Geuder

Hi! I have installed several OpenSUSE machines during recent years and I believe they always enabled the firewall by default. At least I don't remember having done anything special and the firewall was active. Some installations were done from promotion DVDs, others from some image downloaded, not sure which variant. My last installation I made from a 13.2 KDE Live image. To my surprise the firewall is not activated. Again I'm quite sure I made no non-default choices in that direction and I don't remember having seen a selection in the installer where I could have explicitly chosen to enable it. By default the X server does not listen to TCP port at all. That's fine, especially if there is no firewall. But if I start am additional session (KDE menu "Switch user") the second X server is listing to TCP port 6001 globally. $ ps -fp $(pgrep -d , Xorg) UID PID PPID C STIME TTY TIME CMD root 1543 1499 0 14:25 tty7 00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-kwjL1b root 2387 1499 0 14:27 tty8 00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-m4GpQa $ sudo /usr/sbin/ss -ltpn | grep Xorg LISTEN 0 128 *:6001 *:* users:(("Xorg",pid=2387,fd=3)) LISTEN 0 128 :::6001 :::* users:(("Xorg",pid=2387,fd=1)) Questions: Does everything I see here work as it should? 1.) Firewall not active by default 2.) 2nd X server listening to TCP Regards, Uwe P.S. Apologies for being a bit vague on the installation. But I don't have spare machines and installation takes quite long, especially when having to do it on a small virtual machine. So I take the freedeom to violate the rule of investigate first and ask stupid questions on the list thereafter... Uwe Geuder Nomovok Ltd. Tampere, Finland uwe.gxuder(a)nomovok.com (bot test: humans correct 1 obvious spelling error) -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

7 years, 1 month

[opensuse-security] Re: SuSEFirewall2, libvirtd and opening ports with restrictions

by Johannes Kastl

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I got no response regarding my first question, maybe my question is better placed in -security. So excuse the fullquote and toppost, and I hope gmane does not mess up the F2up/Reply-To. (2nd try) Thanks, Johannes On 09.05.15 Johannes Kastl wrote: > Hi everyone, > > as I happen to try this on my tumbleweed machine, I am asking on > this list. But I think the basics apply to 13.{1,2} as well. > > I know I can add 'special' iptables rules in > /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like > this: > >> FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22" > > This would allow only the host 192.168.178.2 to reach the machine > via ssh. > > ############################ Question: > ############################ How do I add such a special rule > when I want to open the port on the virtual interfaces that > libvirt uses? > > I have setup libvirt with a nat network, which uses virbr0. As > soon as a VM is startet, another interface vnet0 appears. So > basically I want to open a port on whichever of these two > interfaces is the right one. > > Assuming that INT, EXT and DMZ are used otherwise, I know I could > create an additional zone (for each of the interfaces) > >> FW_ZONES="libvirt" FW_DEV_libvirt="vnet0" >> FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22" > > I would also have to set FW_ROUTE to yes, otherwise the VM does > not get a connection to the hosts network and no route to the > whole wide world. > > But: This does not work in my setup. > > I restarted SuSEfirewall2 and libvirt services, rebooted the VM, > but no, no open port. > > If I stop SuSEfirewall2, then the port can be reached, i.e. the > ssh service is not the problem. > > Any hints? Is there something I'm missing? Some error in my > thinking? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ iEYEARECAAYFAlVWDI8ACgkQzi3gQ/xETbIOmwCcD76+Ar+AUtX2Pgv+WqOxvTWv iPAAnRxabA+edlJwdU7OIPmMF6r/Rijp =dPyN -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

7 years, 1 month

[opensuse-security] Re: SuSEFirewall2, libvirtd and opening ports with restrictions

by Johannes Kastl

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 As I got no response regarding my first question, maybe my question is better placed in -security. So excuse the fullquote and toppost, and I hope gmane does not mess up the F2up/Reply-To. Thanks, Johannes On 09.05.15 Johannes Kastl wrote: > Hi everyone, > > as I happen to try this on my tumbleweed machine, I am asking on > this list. But I think the basics apply to 13.{1,2} as well. > > I know I can add 'special' iptables rules in > /etc/sysconfig/SuSEFirewall2 for the EXT firewall zone like > this: > >> FW_SERVICES_ACCEPT_EXT="192.168.178.2,tcp,22" > > This would allow only the host 192.168.178.2 to reach the > machine via ssh. > > ############################ Question: > ############################ How do I add such a special rule > when I want to open the port on the virtual interfaces that > libvirt uses? > > I have setup libvirt with a nat network, which uses virbr0. As > soon as a VM is startet, another interface vnet0 appears. So > basically I want to open a port on whichever of these two > interfaces is the right one. > > Assuming that INT, EXT and DMZ are used otherwise, I know I > could create an additional zone (for each of the interfaces) > >> FW_ZONES="libvirt" FW_DEV_libvirt="vnet0" >> FW_SERVICES_ACCEPT_libvirt="192.168.2.2,tcp,22" > > I would also have to set FW_ROUTE to yes, otherwise the VM does > not get a connection to the hosts network and no route to the > whole wide world. > > But: This does not work in my setup. > > I restarted SuSEfirewall2 and libvirt services, rebooted the VM, > but no, no open port. > > If I stop SuSEfirewall2, then the port can be reached, i.e. the > ssh service is not the problem. > > Any hints? Is there something I'm missing? Some error in my > thinking? > -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 Comment: Using GnuPG with SeaMonkey - http://www.enigmail.net/ iEYEARECAAYFAlVU+W8ACgkQzi3gQ/xETbLIRACfe+RnhPKFZMUBb3mYu4lG2rZE 6/8An0Cjv3fttiiJu8odSGCd8uGn1rxL =OFVB -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-security+unsubscribe(a)opensuse.org To contact the owner, e-mail: opensuse-security+owner(a)opensuse.org

7 years, 1 month

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

2000

1999

1998

1997

1996

openSUSE Security May 2015