Hi,

after an nmap run against my 'wall I found ALL ports except one for UDP wide open!!!

Here's a snippet from /etc/sysconfig/SuSEfirewall2:

[2324][Up: 1:29][Load: 1.12][root@celebrimbor:/etc]$ grep UDP sysconfig/SuSEfirewall2
FW_SERVICES_EXT_UDP="ntp auth 1052"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"

Any hints?

[2324][Up: 1:30][Load: 1.08][root@celebrimbor:/etc]$ uname -a
Linux celebrimbor 2.4.19-4GB #1 Mon Oct 21 16:13:17 UTC 2002 i686 unknown
[2326][Up: 1:31][Load: 1.30][root@celebrimbor:/etc]$ rpm -q SuSEfirewall2
SuSEfirewall2-2.1-57

--
Sending unsolicited advertising e-mail to private individuals violates §1 UWG and §823 I BGB (ruling of the LG Berlin of 2 August 1998, case no. 16 O 201/98). Any commercial use of the personal data transmitted, as well as passing it on to third parties, is expressly prohibited!
* Mathias Homann;
Hi,
Here's a snippet from /etc/sysconfig/SuSEfirewall2:

[2324][Up: 1:29][Load: 1.12][root@celebrimbor:/etc]$ grep UDP sysconfig/SuSEfirewall2
FW_SERVICES_EXT_UDP="ntp auth 1052"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_INT_UDP=""
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
any hints?
Are you running a name server (FW_SERVICE_DNS="yes")? If so, that is the reason. Also, from /etc/services:

domain 53/tcp # Domain Name Server
domain 53/udp # Domain Name Server
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol

so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023.

HTH
--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023
It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21, which is << 1024.

Anders
* Anders Johansson;
On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023
It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21, which is << 1024.

Sorry Anders, but I can not make it from the script. Where do you read this in the code for this interpretation? My understanding is the other way around: here you need to place ports >1023. Maybe I am mistaken.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
Hi guys!
FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp"
means: allow UDP traffic coming *from* the domain (53) and ntp (123)
ports to any high UDP port on the firewall machine. At least in 2.1
it does...
Andy
--
Andreas J. Mueller email:
On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:
* Anders Johansson;
on 30 Oct, 2002 wrote:

On Wednesday 30 October 2002 23.41, Togan Muftuoglu wrote:
so having FW_ALLOW_INCOMING_HIGHPORTS_UDP="domain ntp" means nothing as they are not >1023
It means incoming traffic on high ports *related* to dns or ntp. Just as a "passive ftp" ftp server accepts incoming high ports despite the ftp port being 21, which is << 1024.

Sorry Anders, but I can not make it from the script. Where do you read this in the code for this interpretation? My understanding is the other way around: here you need to place ports >1023.

[Dd][Nn][Ss]) OPEN_DNS=yes

test "$OPEN_DNS" = yes && {
    test -z "$NAMESERVERS" && \
        echo 'Warning: No nameservers in /etc/resolv.conf!'
    for k in $NAMESERVERS; do
        test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do
            $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535
            # guess this has to be state NEW because the outgoing packet was not seen when
            # doing autodialing... XXX - or?
            $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535
        done
    done
}
Maybe I am mistaken
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it).

Anders
Hi Anders!
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it)
"DNS" is a special value you can use for
FW_ALLOW_INCOMING_HIGHPORTS_UDP. It will allow access to UDP
ports >= 1023 for the nameservers defined in /etc/resolv.conf only.
As for "UDP wide open": Did you consider the fact that every filtered
UDP port is reported as "open" by an nmap scan?
Andy
--
Andreas J. Mueller email:
On Thursday 31 October 2002 00.27, Anders Johansson wrote:

<snip>

Also, if I'm reading this correctly:

*) test "$DONE_ALL" = yes || for CHAIN in input_int input_dmz input_ext; do
    $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp --sport $j --dport 1024:65535
    $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp --sport $j --dport 1024:65535
done ;;

It looks like if you have anything unrecognized (like "domain" or "ntp") then all high udp ports will be open.
OK, so many of you have replied, but that does not explain why an nmap scan of type -sU (UDP scan) lists ALL ports, even the low ones, as open. Anyhow, when I try to actually connect to e.g. samba or the like from the outside, I see those packets getting dropped in the firewall log...

bye,
MH
Hello Andreas

On Thursday 31 October 2002 00.32, Andreas J Mueller wrote:
Hi Anders!
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it)
"DNS" is a special value you can use for FW_ALLOW_INCOMING_HIGHPORTS_UDP. It will allow access to UDP ports >= 1023 for the nameservers defined in /etc/resolv.conf only.
Yes, but the config file says "Common: "DNS" or "domain ntp"", but both "domain" and "ntp" will cause *all* udp ports to be open to *all* hosts, not just those in resolv.conf.

Anders
* Anders Johansson;
On Thursday 31 October 2002 00.18, Togan Muftuoglu wrote:
Sorry Anders but I can not make it from the script Where do you read this in the code for this interpretation ? my understanding is the other way around here you need to place ports >1023
OK, just to make this clear so I can have the documentation accordingly:
[Dd][Nn][Ss]) OPEN_DNS=yes

test "$OPEN_DNS" = yes && {
    test -z "$NAMESERVERS" && \
        echo 'Warning: No nameservers in /etc/resolv.conf!'
    for k in $NAMESERVERS; do
        test "$k" = 127.0.0.1 || for CHAIN in input_int input_dmz input_ext; do
            $LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s $k --sport 53 --dport 1024:65535

This is when [Dd][Nn][Ss] matches, i.e. FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS", which is the default in the config file. Then it will read the $NAMESERVERS array, which holds the nameserver addresses placed in /etc/resolv.conf, and for each of them except 127.0.0.1 allow the connection. For example, when I have 212.156.4.4 in my /etc/resolv.conf, this code becomes:

$LAA $IPTABLES -A $CHAIN -j LOG ${LOG}"-ACCEPT " -p udp -s 212.156.4.4 --sport 53 --dport 1024:65535

            # guess this has to be state NEW because the outgoing packet was not seen when
            # doing autodialing... XXX - or?
            $IPTABLES -A $CHAIN -j "$ACCEPT" -m state --state NEW,ESTABLISHED,RELATED -p udp -s $k --sport 53 --dport 1024:65535
        done
    done
}

Again, $k would be 212.156.4.4 in this case.
Maybe I am mistaken
The documentation in the SuSEfirewall2 script seems to be wrong. It should be "dns" not "domain", and ntp doesn't seem to be supported (at least I can't find it)
No, domain is correct; just do a grep dns /etc/services.

Now the second part, where the FW_ALLOW_INCOMING_UDP ports are used: I'll try to see the {input_int} chains and try to follow from there on. So this part is still not clear.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
* Anders Johansson;
On Thursday 31 October 2002 00.33, Anders Johansson wrote:
It looks like if you have anything unrecognized (like "domain" or "ntp") then all high udp ports will be open
Agh, --sport $j, I'm an idiot. Ignore
Well, then ignore my previous post. I was getting lost in trying to get the ESTABLISHED,RELATED combo with FW_ALLOW_HIGHPORT_UDP.

--
Togan Muftuoglu
Unofficial SuSE FAQ Maintainer
http://dinamizm.ath.cx
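Togan's walk-through of the DNS branch and Anders's `*)` branch quoted earlier are two code paths of the same setting, and the thread ends with Anders correcting himself about `--sport $j`. The following dry-run script is an added example, not SuSEfirewall2's own code: it reproduces the two branches as quoted in this thread, with `echo iptables` in place of the real binary, a fixed `ACCEPT` target in place of the script's `$ACCEPT` variable, and a constructed nameserver list in place of what the script reads from /etc/resolv.conf, so that you can see exactly which rules a given FW_ALLOW_INCOMING_HIGHPORTS_UDP value would add before enabling it.

```shell
#!/bin/sh
# Added example (not SuSEfirewall2's own script): dry-run generator for the
# rules that the FW_ALLOW_INCOMING_HIGHPORTS_UDP branches quoted in this
# thread add.  Assumptions: IPTABLES only echoes, the target is a literal
# ACCEPT, the chain names are the ones quoted above, and the nameserver list
# is passed in as a constructed argument.

IPTABLES="echo iptables"
CHAINS="input_int input_dmz input_ext"

# Print the ACCEPT rules for one value of FW_ALLOW_INCOMING_HIGHPORTS_UDP.
# $1: the configured value, e.g. "DNS" or "domain ntp"
# $2: space-separated nameserver addresses (the script's $NAMESERVERS)
highport_udp_rules() {
    value=$1
    nameservers=$2
    for j in $value; do
        case $j in
            [Dd][Nn][Ss])
                # "DNS" branch: source port 53, restricted to the configured
                # resolvers, and 127.0.0.1 is skipped as in the original.
                for k in $nameservers; do
                    [ "$k" = 127.0.0.1 ] && continue
                    for chain in $CHAINS; do
                        $IPTABLES -A "$chain" -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED \
                            -p udp -s "$k" --sport 53 --dport 1024:65535
                    done
                done
                ;;
            *)
                # Anything else ("domain", "ntp", a number) is used as the SOURCE
                # port and no source address restriction is applied at all.
                for chain in $CHAINS; do
                    $IPTABLES -A "$chain" -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED \
                        -p udp --sport "$j" --dport 1024:65535
                done
                ;;
        esac
    done
}

# Number of rules a value produces; handy for comparing two settings.
rule_count() {
    highport_udp_rules "$1" "$2" | wc -l | tr -d ' '
}

# Usage: compare the thread's two candidate values against one resolver.
echo "== DNS =="
highport_udp_rules "DNS" "127.0.0.1 212.156.4.4"
echo "== domain ntp =="
highport_udp_rules "domain ntp" "127.0.0.1 212.156.4.4"
```

With "DNS" the only UDP traffic let through to high ports is from port 53 of the resolvers in the list; with "domain ntp" the rules match on source port 53 or 123 from any host, which is the behaviour Andreas described and what Anders's correction about `--sport $j` confirms. Pipe the echoed lines into a review before running anything for real; the script itself never calls iptables.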
Mathias Homann wrote:
Hi,
after a nmap run against my 'wall I found ALL ports except one for UDP wide open!!!
Hi!

The reason for this is the behaviour of udp-Connections and the way nmap handles this. Nmap tries to establish a connection to the udp-ports for the scan. Due to the nature of udp (connectionless), nmap just sends the udp-packet and waits for the RST-Packet returned in "normal" cases. The default behaviour of SuSEfirewall is to drop the packets. Thus nmap doesn't get the RST-Packet it is waiting for and assumes the port is open and has a listener.

You have two choices:
1.) Change the behaviour of the SuSEfirewall from Drop to Reject.
2.) Believe in SuSE :)

Regards
Ralf Schumacher
On Thu, Oct 31, 2002 at 12:46:37AM +0100, Mathias Homann wrote:
As for "UDP wide open": Did you consider the fact that every filtered UDP port is reported as "open" by an nmap scan?
AH! now THAT is the bit of information I was looking for!
nmap will report everything as "open" for which it doesn't receive an explicit ICMP_PORT_UNREACH. Unless you've configured your firewall to REJECT instead of DROP, nmap will not see any responses at all.

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
On Thu, Oct 31, 2002 at 07:35:29AM +0100, Olaf Kirch wrote:
nmap will report everything as "open" for which it doesn't
Should have been more precise here: this is "every UDP port", of course.

Olaf
--
Olaf Kirch      | Anyone who has had to work with X.509 has probably
okir@suse.de    | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
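Ralf's and Olaf's explanation of why a DROP policy makes an `nmap -sU` scan show every UDP port as open is easy to reproduce without a scanner. The script below is an added illustration, not nmap's code and not the firewall's: it models one probe per port with a constructed port list, assumes that a port the firewall lets through to a listener answers with a UDP reply, that a closed port answers ICMP port-unreachable only when the firewall REJECTs, and applies the reporting rule Olaf states (no ICMP port-unreachable means "open"). It also shows the `open|filtered` label that later nmap releases use for the silent case.

```shell
#!/bin/sh
# Added example (not nmap's or SuSEfirewall2's code): a small model of what a
# UDP scanner observes behind a DROP versus a REJECT policy.
# Assumptions: PORTS is a constructed sample; ports in the "allowed" list reach
# a listener that replies; everything else is handled by the firewall policy.

PORTS="53 123 137 161 1052"

# What the scanning host sees for one probe.
# $1: firewall policy for unwanted traffic, DROP or REJECT
# $2: space-separated ports the firewall passes to a replying listener
# $3: the probed port
probe_response() {
    policy=$1; allowed=$2; port=$3
    for a in $allowed; do
        [ "$a" = "$port" ] && { echo udp-reply; return; }
    done
    case $policy in
        REJECT) echo icmp-port-unreachable ;;
        *)      echo none ;;
    esac
}

# nmap's interpretation of a UDP probe: only an ICMP port-unreachable proves
# the port closed; silence is indistinguishable from a listener that ignored
# the probe.  $1: response kind; $2: "modern" to use the open|filtered label.
udp_state() {
    case $1 in
        icmp-port-unreachable) echo closed ;;
        udp-reply)             echo open ;;
        *) if [ "${2:-classic}" = modern ]; then echo "open|filtered"; else echo open; fi ;;
    esac
}

# Number of sample ports a classic nmap would print as "open".
# $1: policy, $2: allowed ports
count_open() {
    n=0
    for p in $PORTS; do
        [ "$(udp_state "$(probe_response "$1" "$2" "$p")")" = open ] && n=$((n + 1))
    done
    echo $n
}

# Usage: one real listener on 53, same sample ports, both policies.
for policy in DROP REJECT; do
    echo "policy=$policy: $(count_open "$policy" 53) of 5 sample ports reported open"
    for p in $PORTS; do
        r=$(probe_response "$policy" 53 "$p")
        echo "  $p/udp $(udp_state "$r") (modern: $(udp_state "$r" modern)) <- $r"
    done
done
```

Under DROP every sample port comes back "open" because nothing distinguishes the firewall's silence from a listener, which is exactly Mathias's "ALL ports wide open" result; under REJECT only the real listener does. Note that switching to REJECT trades that ambiguity for an ICMP reply per probe, which is why Ralf lists it as a choice rather than a recommendation.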
participants (6)
- Anders Johansson
- Andreas J Mueller
- Mathias Homann
- Olaf Kirch
- Ralf Schumacher
- Togan Muftuoglu