Hi,
after an nmap run against my 'wall I found ALL ports except one for UDP wide open!!!
Here is a snippet from /etc/sysconfig/SuSEfirewall2:

[2324][Up: 1:29][Load: 1.12][root@celebrimbor:/etc]$ grep UDP sysconfig/SuSEfirewall2
FW_SERVICES_EXT_UDP="ntp auth 1052"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"

Any hints?

[2324][Up: 1:30][Load: 1.08][root@celebrimbor:/etc]$ uname -a
Linux celebrimbor 2.4.19-4GB #1 Mon Oct 21 16:13:17 UTC 2002 i686 unknown
[2326][Up: 1:31][Load: 1.30][root@celebrimbor:/etc]$ rpm -q SuSEfirewall2
SuSEfirewall2-2.1-57

--
Sending unsolicited advertising e-mail to private individuals violates §1 UWG and §823 I BGB (ruling of the LG Berlin of 2 August 1998, case no. 16 O 201/98). Any commercial use of the personal data transmitted, and any passing of it on to third parties, is expressly prohibited!
* Mathias Homann;
Hi,
Here is a snippet from /etc/sysconfig/SuSEfirewall2:

[2324][Up: 1:29][Load: 1.12][root@celebrimbor:/etc]$ grep UDP sysconfig/SuSEfirewall2
FW_SERVICES_EXT_UDP="ntp auth 1052"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
any hints?
Are you running a name server (FW_SERVICE_DNS="yes")? If so, that is the reason. Also, from /etc/services:

domain 53/tcp # Domain Name Server
domain 53/udp # Domain Name Server
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol

so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing, as they are not >1023.

HTH
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023
It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21, which is << 1024.

Anders
* Anders Johansson;
On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023
It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21 which is << 1024
Sorry Anders, but I can not make that out from the script. Where do you read this in the code for this interpretation? My understanding is the other way around: here you need to place ports >1023. Maybe I am mistaken.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi guys!
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
means: allow UDP traffic coming *from* the domain (53) and ntp (123)
ports to any high UDP port on the firewall machine. At least in 2.1
it does...
Andy
--
Andreas J. Mueller
OK, so many of you have replied, but that does not explain why an nmap scan of type -sU (UDP scan) lists ALL ports, even the low ones, as open.

Anyhow, when I try to actually connect to e.g. samba or the like from the outside, I see those packets getting dropped in the firewall log...

bye,
MH
On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:
* Anders Johansson;
on 30 Oct, 2002 wrote: On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023
It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21 which is << 1024
Sorry Anders but I can not make it from the script Where do you read this in the code for this interpretation ? my understanding is the other way around here you need to place ports >1023
[Dd][Nn][Ss]) OPEN_DNS=yes

test "$OPEN_DNS" = yes && {
    test -z "$NAMESERVERS" && \
        echo 'Warning: No nameservers in /etc/resolv.conf!'
    for k in $NAMESERVERS; do
        test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do
            $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535
            # guess this has to be state NEW because the outgoing packet was not seen when
            # doing autodialing... XXX - or?
            $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535
        done
    done
}
Maybe I am mistaken
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it).

Anders
Hi Anders!
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it)
"DNS" is a special value you can use for
FW_ALLOW_INCOMING_HIGHPORTS_UDP. It will allow access to UDP
ports >= 1023 for the nameservers defined in /etc/resolv.conf only.
As for "UDP wide open": Did you consider the fact that every filtered
UDP port is reported as "open" by an nmap scan?
Andy
--
Andreas J. Mueller
Hello Andreas

On Thursday 31 October 2002 00.32, Andreas J Mueller wrote:
Hi Anders!
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it)
"DNS" is a special value you can use for FW_ALLOW_INCOMING_HIGHPORTS_UDP. It will allow access to UDP ports >= 1023 for the nameservers defined in /etc/resolv.conf only.
Yes, but the config file says "Common: "DNS" or "domain ntp"", but both "domain" and "ntp" will cause *all* udp ports to be open to *all* hosts, not just those in resolv.conf.

Anders
On Thu, Oct 31, 2002 at 12:46:37AM +0100, Mathias Homann wrote:
As for "UDP wide open": Did you consider the fact that every filtered UDP port is reported as "open" by an nmap scan?
AH! now THAT is the bit of information I was looking for!
nmap will report everything as "open" for which it doesn't receive an explicit ICMP_PORT_UNREACH. Unless you've configured your firewall to REJECT instead of DROP, nmap will not see any responses at all.

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
----------------+ ISO water torture. -- Peter Gutmann
On Thu, Oct 31, 2002 at 07:35:29AM +0100, Olaf Kirch wrote:
nmap will report everything as "open" for which it doesn't
Should have been more precise here - this is "every UDP port" of course.

Olaf
On Thursday 31 October 2002 00.27, Anders Johansson wrote:
<snip>

Also, if I'm reading this correctly:

*)
    test "$DONE_ALL" = yes || for CHAIN in input_int input_dmz input_ext; do
        $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp --sport $j --dport 1024:65535
        $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp --sport $j --dport 1024:65535
    done
    ;;

It looks like if you have anything unrecognized (like "domain" or "ntp") then all high udp ports will be open.
* Anders Johansson;
On Thursday 31 October 2002 00.33, Anders Johansson wrote:
It looks like if you have anything unrecognized (like "domain" or "ntp") then all high udp ports will be open
Agh, --sport $j, I'm an idiot. Ignore
Well then, ignore my previous post. I was getting lost trying to get the ESTABLISHED,RELATED combo with FW_ALLOW_HIGHPORT_UDP.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
* Anders Johansson;
On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:
Sorry Anders but I can not make it from the script Where do you read this in the code for this interpretation ? my understanding is the other way around here you need to place ports >1023
OK, just to make this clear so I can have the documentation accordingly:

[Dd][Nn][Ss]) OPEN_DNS=yes

test "$OPEN_DNS" = yes && {
    test -z "$NAMESERVERS" && \
        echo 'Warning: No nameservers in /etc/resolv.conf!'
    for k in $NAMESERVERS; do
        test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do
            $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535

This is the [Dd][Nn][Ss] case, for FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS", which is the default in the config file. Then it will read the $NAMESERVERS array, which holds the nameservers placed in /etc/resolv.conf, and for each of them except 127.0.0.1 allow the connection. For example, when I have 212.156.4.4 in my /etc/resolv.conf, this code becomes:

$LAA $IPTABLES -A $CHAIN -j $LOG ${LOG}"-ACCEPT" -p udp -s 212.156.4.4 --sport 53 --dport 1024:65535

            # guess this has to be state NEW because the outgoing packet was not seen when
            # doing autodialing... XXX - or?
            $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535
        done
    done
}

Again, $k would be 212.156.4.4 in this case.

Maybe I am mistaken

The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it)

No, "domain" is correct; just do a grep dns /etc/services. Now for the second part, where the FW_ALLOW_INCOMING_UDP ports are used, I'll try to look at the {input_int} chains and try to follow from there. So this part is still not clear.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
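An added model of the two FW_ALLOW_INCOMING_HIGHPORTS_UDP branches quoted in this thread (the `[Dd][Nn][Ss])` case and the `*)` case). This is illustration code, not the SuSEfirewall2 script itself. Because the part of the script that sets `$j` is not quoted here, it assumes that every token other than "DNS" is resolved to a port number via /etc/services (an inline table stands in for that file, and the sample resolv.conf is constructed), and it returns rule descriptions instead of running iptables. `accepted()` then shows what each setting actually lets through: with "DNS" only datagrams from the listed nameservers, with "domain ntp" datagrams from any host as long as the source port is 53 or 123.

```python
"""Model of FW_ALLOW_INCOMING_HIGHPORTS_UDP rule generation (added example).

Assumptions, not taken from the original script:
  * a non-"DNS" token is resolved to a port via /etc/services; SERVICES is a
    constructed stand-in for that file
  * rules are returned as (chain, source, sport) triples; as_iptables() renders
    the equivalent iptables command line instead of executing it
"""
from typing import List, Tuple

CHAINS = ("input_int", "input_dmz", "input_ext")
HIGHPORTS = (1024, 65535)
SERVICES = {"domain": 53, "ntp": 123, "auth": 113}   # constructed stand-in for /etc/services

# constructed sample resolv.conf; 127.0.0.1 is skipped by the script
SAMPLE_RESOLV_CONF = "search example.net\nnameserver 127.0.0.1\nnameserver 192.0.2.53\n"

Rule = Tuple[str, str, int]   # (chain, source address or "" for any, source port)


def nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses listed in a resolv.conf text."""
    found = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found


def highport_udp_rules(value: str, resolv_conf: str) -> List[Rule]:
    """Rules the two quoted case branches produce for one config value."""
    rules: List[Rule] = []
    for token in value.split():
        if token.lower() == "dns":                       # [Dd][Nn][Ss]) branch
            for ns in nameservers(resolv_conf):
                if ns == "127.0.0.1":
                    continue
                for chain in CHAINS:
                    rules.append((chain, ns, 53))        # -s $k --sport 53
        else:                                            # *) branch: --sport $j, no -s
            sport = int(token) if token.isdigit() else SERVICES[token]   # assumed lookup
            for chain in CHAINS:
                rules.append((chain, "", sport))
    return rules


def as_iptables(rule: Rule) -> str:
    """Render one rule the way the script would pass it to iptables."""
    chain, src, sport = rule
    src_match = f" -s {src}" if src else ""
    return (f"iptables -A {chain} -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED"
            f" -p udp{src_match} --sport {sport} --dport {HIGHPORTS[0]}:{HIGHPORTS[1]}")


def accepted(rules: List[Rule], chain: str, src: str, sport: int, dport: int) -> bool:
    """Would a UDP datagram (src, sport -> dport) arriving on `chain` match a rule?"""
    if not HIGHPORTS[0] <= dport <= HIGHPORTS[1]:
        return False
    return any(c == chain and (s == "" or s == src) and p == sport
               for c, s, p in rules)


if __name__ == "__main__":
    for value in ("DNS", "domain ntp"):
        print(f'FW_ALLOW_INCOMING_HIGHPORTS_UDP="{value}"')
        for r in highport_udp_rules(value, SAMPLE_RESOLV_CONF):
            print("   ", as_iptables(r))
```

The difference that matters for the firewall is the `-s` match: the "DNS" branch pins each rule to a nameserver address, while the `*)` branch matches on source port alone, so any peer that sets its source port to 53 or 123 reaches every UDP port from 1024 upward on all three input chains.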
Mathias Homann wrote:
Hi,
after a nmap run against my 'wall I found ALL ports except one for UDP wide open!!!
Hi!

The reason for this is the behaviour of udp connections and the way nmap handles this. Nmap tries to establish a connection to the udp ports for the scan. Due to the nature of udp (connectionless), nmap just sends the udp packet and waits for the RST packet returned in "normal" cases. The default behaviour of SuSEfirewall is to drop the packets. Thus nmap doesn't get the RST packet it is waiting for and assumes the port is open and has a listener.

You have two choices:
1.) Change the behaviour of the SuSEfirewall from Drop to Reject.
2.) Believe in SuSE :)

Regards
Ralf Schumacher
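The point Andreas, Olaf and Ralf make above, as an added illustration that is not code from nmap or from SuSEfirewall2: nmap's -sU state rules applied to a constructed firewall and host. nmap decides the state of a UDP port from what comes back for its probe: a UDP reply means open, ICMP type 3 code 3 (port unreachable) means closed, ICMP type 3 with code 1, 2, 9, 10 or 13 means filtered, and no reply at all is reported as open|filtered (older nmap releases, such as the one in this 2002 thread, printed that last case simply as "open"). The firewall policies, allowed ports and listening ports are assumptions chosen to reproduce the scan in the original post; `scan()` returns the per-port states so they can be checked rather than only printed.

```python
"""nmap -sU port-state rules against a DROP versus REJECT firewall (added example).

The firewall/host in probe() is a constructed stand-in. The state rules in
classify() are nmap's own: UDP reply -> open; ICMP 3/3 -> closed;
ICMP 3/{1,2,9,10,13} -> filtered; silence -> open|filtered.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

ICMP_UNREACHABLE = 3        # ICMP type
PORT_UNREACHABLE = 3        # code: what a host sends when nothing is bound
ADMIN_PROHIBITED = 13       # code: iptables --reject-with icmp-admin-prohibited
FILTERED_CODES = {1, 2, 9, 10, 13}


@dataclass(frozen=True)
class Reply:
    proto: str                       # "udp" or "icmp"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


def classify(reply: Optional[Reply]) -> str:
    """Map what came back for one UDP probe to an nmap port state."""
    if reply is None:
        return "open|filtered"          # old nmap printed this as "open"
    if reply.proto == "udp":
        return "open"
    if reply.proto == "icmp" and reply.icmp_type == ICMP_UNREACHABLE:
        if reply.icmp_code == PORT_UNREACHABLE:
            return "closed"
        if reply.icmp_code in FILTERED_CODES:
            return "filtered"
    return "open|filtered"


def probe(port: int, policy: str, allowed: Iterable[int], listening: Iterable[int]) -> Optional[Reply]:
    """Constructed firewall + host: what one UDP probe to `port` gets back.

    policy     "drop"         unwanted probes are silently discarded
               "reject"       unwanted probes get ICMP port unreachable
                              (iptables' default --reject-with for UDP)
               "reject-admin" unwanted probes get ICMP admin prohibited
    allowed    ports the firewall passes through to the host
    listening  ports on the host where a UDP service answers the probe
    """
    if port not in allowed:
        if policy == "reject":
            return Reply("icmp", ICMP_UNREACHABLE, PORT_UNREACHABLE)
        if policy == "reject-admin":
            return Reply("icmp", ICMP_UNREACHABLE, ADMIN_PROHIBITED)
        return None                                   # DROP: nothing at all
    if port in listening:
        return Reply("udp")                           # service answered
    return Reply("icmp", ICMP_UNREACHABLE, PORT_UNREACHABLE)   # kernel: nothing bound


def scan(ports: Iterable[int], policy: str, allowed: Iterable[int], listening: Iterable[int]) -> Dict[int, str]:
    """Per-port nmap state for a whole -sU run against the stand-in target."""
    allowed, listening = set(allowed), set(listening)
    return {p: classify(probe(p, policy, allowed, listening)) for p in ports}


def summary(states: Dict[int, str]) -> Dict[str, int]:
    """Count ports per reported state, like the totals nmap prints."""
    counts: Dict[str, int] = {}
    for state in states.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    # assumed target: ntp and domain allowed in, only a nameserver actually listening
    for policy in ("drop", "reject", "reject-admin"):
        print(policy, summary(scan(range(1, 1025), policy, allowed={53, 123}, listening={53})))
```

With the DROP policy every port the firewall discards comes back indistinguishable from an open port that simply did not answer, which is the "ALL ports wide open" result in the original post; switching to REJECT turns those same ports into closed, at the cost of telling the scanner exactly which ports the firewall is guarding.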
participants (6)
- Anders Johansson
- Andreas J Mueller
- Mathias Homann
- Olaf Kirch
- Ralf Schumacher
- Togan Muftuoglu