[opensuse-security] Keep FW_ALLOW_INCOMING_HIGHPORTS_UDP in SuSEfirewall2
Hello List,

While I currently don't really have the time to properly install the DCC anti-spam software (http://www.dcc-servers.net/dcc/) on my box, on the occasion of preparing the firewall setup for it, I encountered the following output from SuSEfirewall2:

--- <snip> --- 8< ---
Jan 16 11:59:35 apollo SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
Jan 16 11:59:36 apollo SuSEfirewall2: Warning: FW_ALLOW_INCOMING_HIGHPORTS_UDP is deprecated and will likely be removed in the future.
Jan 16 11:59:36 apollo SuSEfirewall2: Warning: If you think it should be kept please report your use case at
Jan 16 11:59:36 apollo SuSEfirewall2: Warning: http://forge.novell.com/modules/xfmod/project/?susefirewall2
Jan 16 11:59:36 apollo SuSEfirewall2: batch committing...
--- <snap> --- >8 ---

So here I am (the url mentioned this mlist). Heading over to http://www.dcc-servers.net/dcc/dcc-tree/FAQ.html#firewall-ports, you find the following instructions:

--- <snip> --- 8< ---
Which ports do I need to open in my firewall?

DCC traffic is like DNS traffic. You should treat port 6277 like port 53. Allow outgoing packets to distant UDP port 6277 and incoming packets from distant UDP port 6277. If `dccproc` fails or the command `cdcc info` says no DCC servers are answering, you may need to adjust your firewall.

If you run a DCC server, open incoming connections to local TCP port 6277 from your flooding peers, and outgoing connections to your flooding peers from your TCP port 6277. Also open UDP port 6277 to IP addresses 204.152.184.184 and 192.188.61.3 for the DCC server status web page.
--- <snap> --- >8 ---

I took this to mean that I had to specify FW_ALLOW_INCOMING_HIGHPORTS_UDP="20 6277" (and possibly FW_SERVICES_EXT_UDP="ntp 6277") in /etc/sysconfig/SuSEfirewall2, which brought up the alerts above.

Can you tell me if I got it right and if this would be considered a reason to keep FW_ALLOW_INCOMING_HIGHPORTS_UDP?

Thanks a lot,
Andreas

--
Very funny Scotty. Now beam down my clothes.
--
My Public PGP Keys: 1024 Bit DH/DSS: 0x869F81BA 768 Bit RSA: 0x1AD97BA5
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

Andreas Wagner wrote:
> [...] I took this to mean that I had to specify
> FW_ALLOW_INCOMING_HIGHPORTS_UDP="20 6277" (and possibly FW_SERVICES_EXT_UDP="ntp 6277")
> in /etc/sysconfig/SuSEfirewall2, which brought up the alerts above.
> Can you tell me if I got it right and if this would be considered a reason to keep FW_ALLOW_INCOMING_HIGHPORTS_UDP?

I didn't understand the description that way. FW_SERVICES_EXT_UDP should be sufficient. If you use FW_SERVICES_ACCEPT_EXT instead you can also limit the IP addresses that have access to the port.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/

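An added example, not part of the thread or of SuSEfirewall2: a small shell check that reads a sysconfig file on stdin and reports how it exposes one local UDP port through the variables discussed above. The sample config is constructed from the values quoted in the thread, `sample_config` and `audit_udp_port` are hypothetical names, and the FW_SERVICES_ACCEPT_EXT entry format `net,protocol[,dport[,sport[,flags]]]` is assumed.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: report how a sysconfig file
# exposes one local UDP port. Reads the config text on stdin.

# Constructed sample; variable names, port and IPs are those quoted in the thread.
sample_config() {
cat <<'EOF'
FW_ALLOW_INCOMING_HIGHPORTS_UDP="20 6277"
FW_SERVICES_EXT_UDP="ntp 6277"
FW_SERVICES_ACCEPT_EXT="204.152.184.184,udp,6277 192.188.61.3,udp,6277 0/0,tcp,22"
EOF
}

audit_udp_port() (
    port=$1
    cfg=$(cat)
    set -f    # no globbing while word-splitting values (subshell only)
    # Last VAR="value" assignment wins, as when the file is sourced.
    val() { printf '%s\n' "$cfg" | sed -n 's/^'"$1"'="\(.*\)"[[:space:]]*$/\1/p' | tail -n 1; }

    hp=$(val FW_ALLOW_INCOMING_HIGHPORTS_UDP)
    case "$hp" in
        ''|no) ;;
        *) echo "DEPRECATED FW_ALLOW_INCOMING_HIGHPORTS_UDP=\"$hp\"" ;;
    esac

    # Numeric match only; service names and port ranges are not resolved here.
    for p in $(val FW_SERVICES_EXT_UDP); do
        if [ "$p" = "$port" ]; then
            echo "OPEN udp/$port from any source (FW_SERVICES_EXT_UDP)"
        fi
    done

    # Assumed entry format: net,protocol[,dport[,sport[,flags]]]
    for e in $(val FW_SERVICES_ACCEPT_EXT); do
        case "$e" in
            0/0,udp,"$port"|0/0,udp,"$port",*)
                echo "OPEN udp/$port from any source (FW_SERVICES_ACCEPT_EXT)" ;;
            *,udp,"$port"|*,udp,"$port",*)
                echo "RESTRICTED udp/$port from ${e%%,*} (FW_SERVICES_ACCEPT_EXT)" ;;
        esac
    done
    :
)

sample_config | audit_udp_port 6277
```

On the sample, port 6277 is reported as open to any source because it is also listed in FW_SERVICES_EXT_UDP; the two FW_SERVICES_ACCEPT_EXT entries only limit access once that entry is removed.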
Hello Ludwig, hello list,

* Ludwig Nussel wrote on Jan/18/2007:
> Andreas Wagner wrote:
> > [...] I took this to mean that I had to specify
> > FW_ALLOW_INCOMING_HIGHPORTS_UDP="20 6277" (and possibly FW_SERVICES_EXT_UDP="ntp 6277")
> > in /etc/sysconfig/SuSEfirewall2, which brought up the alerts above.
> > Can you tell me if I got it right and if this would be considered a reason to keep FW_ALLOW_INCOMING_HIGHPORTS_UDP?
>
> I didn't understand the description that way. FW_SERVICES_EXT_UDP should be sufficient. If you use FW_SERVICES_ACCEPT_EXT instead you can also limit the IP addresses that have access to the port.

Oh, I see. I was -- and actually still am -- confused with regards to client and server setup. (I'd only want a client running.) I guess I'll just have to try what works and what doesn't when I get to installing it. But maybe I'm not the only one who is keeping an eye on it. AFAIU, it's one of the more popular online checksum services (dcc can be integrated in spamassassin, too).

Thanks a lot so far anyway,
Andreas

--
The past is present in the future.
--
My Public PGP Keys: 1024 Bit DH/DSS: 0x869F81BA 768 Bit RSA: 0x1AD97BA5