Hi,

I'm using SuSE Linux 7.3 (2.4.10-4GB) and running SuSEfirewall 2.1. Today I used the online security scanner at http://www.symantec.com/securitycheck/ and noticed that it was possible to connect to my Samba server using UDP ports 137-138 and read the server name and domain name. I revised my firewall config but didn't find a clue:

/etc/rc.config.d/firewall2.rc.config:
************************************************************************
FW_DEV_EXT="ppp0" # dsl via pppoe on eth1
FW_DEV_INT="eth0" # internal net 192.168.0.0/255.255.255.0
FW_DEV_DMZ="eth2" # internal net 192.168.1.0/255.255.255.0
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="$FW_DEV_EXT"
FW_MASQ_NETS="192.168.0.0/24" # masq eth0
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_UDP="" # thought it must have been here
FW_SERVICES_DMZ_TCP="8080 ftp"
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_TRUSTED_NETS=""
FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_DNS="yes"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="yes"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes" # same effect if turned off
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option - - --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="yes"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="no"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
************************************************************************

Then "iptables -L -n | grep 137" supplied the following:
************************************************************************
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW,RELATED,ESTABLISHED udp dpts:137:138
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:137
************************************************************************

According to "SuSEfirewall2 debug" the top line results from "iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 137:138" and seems to be the problem.

Is it a bug in SuSEfirewall2, or where is the problem?!

Thanks,
Florian Flad
Make sure to restart the firewall after you have made a change to it.

FW_SERVICE_SAMBA="no"

/etc/rc.d/SuSEfirewall2_final reload
FW_SERVICE_SAMBA="yes"
That's the point in /sbin/SuSEfirewall where the UDP ports will be enabled if it is "yes". A simple way is to go there and add an interface with the -i option to determine that only traffic from internal is OK.
FW_SERVICE_DHCPD="yes"
Check that too - nobody from outside should be able to get an IP from you. Add -i "$internal_device" to make it more secure.

Yours,
Michael Appeldorn
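An added audit check that is not part of the thread or of SuSEfirewall2: it reads rules in iptables-save format and flags the kind of rule Michael describes, an INPUT ACCEPT for UDP 137-139 that carries no -i restriction, or whose -i names the external device. The rule set below is constructed; its first line mirrors the unscoped rule that "SuSEfirewall2 debug" showed, and "ppp0" (external) and "eth0" (internal) are the devices from Florian's config.

```python
"""Audit iptables rules for Samba/NetBIOS ACCEPT rules that are not scoped to
an internal interface, the problem discussed in the thread above."""
import shlex

# Constructed sample in iptables-save format (not from the thread). The first
# rule is the unscoped one SuSEfirewall2 generates for FW_SERVICE_SAMBA="yes";
# the second is the same rule restricted to the internal device with -i eth0.
SAMPLE_RULES = """
-A INPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 137:138 -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW,RELATED,ESTABLISHED -m udp --dport 137:138 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 139 -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j DROP
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
""".strip().splitlines()

NETBIOS_PORTS = range(137, 140)  # 137 name, 138 datagram, 139 session service
FLAGS = {"-A": "chain", "-p": "proto", "-i": "in", "-j": "target", "--dport": "dport"}

def port_range(spec):
    """'137' -> (137, 137); '137:138' -> (137, 138)."""
    lo, _, hi = spec.partition(":")
    return int(lo), int(hi or lo)

def parse_rule(line):
    """Pick out the options this check needs from one iptables-save rule line."""
    toks = shlex.split(line)
    rule = dict.fromkeys(FLAGS.values())
    for flag, val in zip(toks, toks[1:]):  # -m state / --state etc. are ignored
        if flag in FLAGS:
            rule[FLAGS[flag]] = port_range(val) if flag == "--dport" else val
    return rule

def exposed_netbios_rules(lines, external_devs):
    """Return INPUT ACCEPT rules for UDP NetBIOS ports that either carry no -i
    restriction at all or whose -i names an external interface."""
    hits = []
    for line in lines:
        r = parse_rule(line)
        if (r["chain"], r["target"], r["proto"]) != ("INPUT", "ACCEPT", "udp"):
            continue
        if not r["dport"]:
            continue
        lo, hi = r["dport"]
        if any(lo <= p <= hi for p in NETBIOS_PORTS) and r["in"] in (None, *external_devs):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for bad in exposed_netbios_rules(SAMPLE_RULES, {"ppp0"}):
        print("reachable from the external device:", bad)
```

On a live box, feed it the output of iptables-save instead of the constructed sample.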
participants (3)
- Alex Levit
- Florian Flad
- Michael Appeldorn