[opensuse-security] SUSEfirewall udp broadcast
In order to allow UDP broadcast with the SUSEfirewall, is it enough to add e.g. BROADCAST="123,456" to the rules or is there more to add?
I ask, because in my setup UDP broadcast may have been dropped, despite using BROADCAST="123"....
thanks
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Hello, On 03/21/2017 09:45 AM, Malte Gell wrote:
In order to allow UDP broadcast with the SUSEfirewall, is it enough to add e.g. BROADCAST="123,456" to the rules or is there more to add?
I ask, because in my setup UDP broadcast may have been dropped, despite using BROADCAST="123"....
There is no setting with this name for SuSEfirewall2. To continue discussion, please give your actual configuration and actual observation, thank you.
Andreas
--
Andreas Stieger <astieger@suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Am 21.03.2017 um 09:57 schrieb Andreas Stieger:
Hello,
On 03/21/2017 09:45 AM, Malte Gell wrote:
In order to allow UDP broadcast with the SUSEfirewall, is it enough to add e.g. BROADCAST="123,456" to the rules or is there more to add?
I ask, because in my setup UDP broadcast may have been dropped, despite using BROADCAST="123"....
There is no setting with this name for SuSEfirewall2
From /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST=""
I tried to get KDE Connect working, a KDE application on the Linux machine and an Android app with the same name on an Android device, to connect a droid with a Linux box. It requires access to UDP/TCP ports from 1714-1764.
KDE Connect comes with a preinstalled rule set for SUSEfirewall2 which I paste below. This rule set seems to open these required ports, nevertheless it did not work. Only disabling SUSEfirewall2 made both apps connect to each other. This is why I asked if there is more to do than opening tcp/udp ports.
I disabled SUSEfirewall2, connected the apps, enabled SUSEfirewall2 again and it worked.... You don't need to dig deep here, since this workaround made it work now.
This is the rule set for KDE Connect that comes with the app's rpm:
# space separated list of allowed TCP ports
TCP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
# space separated list of allowed UDP ports
UDP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
Hi, On 03/21/2017 10:53 AM, Malte Gell wrote:
Am 21.03.2017 um 09:57 schrieb Andreas Stieger:
On 03/21/2017 09:45 AM, Malte Gell wrote:
In order to allow UDP broadcast with the SUSEfirewall, is it enough to add e.g. BROADCAST="123,456" to the rules or is there more to add?
I ask, because in my setup UDP broadcast may have been dropped, despite using BROADCAST="123"....
There is no setting with this name for SuSEfirewall2
From /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST=""
So it's a service. You'll need to first allow broadcast in general in /etc/sysconfig/SuSEfirewall2 via FW_ALLOW_FW_BROADCAST_EXT, _INT, _DMZ.
Andreas
--
Andreas Stieger <astieger@suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Am 21.03.2017 um 11:44 schrieb Andreas Stieger:
Hi,
On 03/21/2017 10:53 AM, Malte Gell wrote:
Am 21.03.2017 um 09:57 schrieb Andreas Stieger:
On 03/21/2017 09:45 AM, Malte Gell wrote:
In order to allow UDP broadcast with the SUSEfirewall, is it enough to add e.g. BROADCAST="123,456" to the rules or is there more to add?
I ask, because in my setup UDP broadcast may have been dropped, despite using BROADCAST="123"....
There is no setting with this name for SuSEfirewall2
From /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST=""
So it's a service. You'll need to first allow broadcast in general in /etc/sysconfig/SuSEfirewall2 via FW_ALLOW_FW_BROADCAST_EXT, _INT, _DMZ.
Ah, okay. Is it okay to make changes in /etc/sysconfig/SuSEfirewall2? Doesn't it get overwritten with software updates?
Thanks
On 2017-03-22 09:09, Malte Gell wrote:
Ah, okay. Is it okay to make changes in /etc/sysconfig/SuSEfirewall2? Doesn't it get overwritten with software updates?
No. Over the years I have only experienced problems with some distribution upgrades. The common problem was with multiline vars, but I did not experience it with 42.2. So, yes, of course you can write to the file.
--
Cheers / Saludos,
Carlos E. R. (from 42.2 x86_64 "Malachite" (Minas Tirith))
Hello, On 03/22/2017 09:09 AM, Malte Gell wrote:
Is it okay to make changes in /etc/sysconfig/SuSEfirewall2?
Yes.
Doesn't it get overwritten with software updates?
No, normal rpm rules for edited config files apply, as do the fillup-templates mechanisms.
Andreas
--
Andreas Stieger <astieger@suse.com>
Project Manager Security
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Am 21.03.2017 um 10:53 schrieb Malte Gell:
# space separated list of allowed TCP ports
TCP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
to ease typing: TCP="1714:1764"
# space separated list of allowed UDP ports
UDP="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
to ease typing: UDP="1714:1764"
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
to ease typing: BROADCAST="1714:1764"
--
Christian
------------------------------------------------------------
https://join.worldcommunitygrid.org?recruiterId=177038
------------------------------------------------------------
http://www.sc24.de - Sportbekleidung
------------------------------------------------------------
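The two points raised in this thread, that a service file's BROADCAST= list is only honoured once the zone's FW_ALLOW_FW_BROADCAST_EXT/_INT/_DMZ setting in /etc/sysconfig/SuSEfirewall2 permits broadcasts, and that ports can be written as a range like 1714:1764, can be checked mechanically before rebooting or restarting the firewall. The script below is an added example written for this page; it is not code from the thread or from SuSEfirewall2 itself. It assumes that FW_ALLOW_FW_BROADCAST_<ZONE> takes "no", "yes" or a space separated list of ports, that the lo:hi range shorthand is accepted at both levels, and it writes constructed copies of both config files into a temporary directory so it runs offline without touching the real /etc/sysconfig tree.

```shell
#!/bin/sh
# Added example: decide whether a UDP broadcast to PORT would be accepted by
# SuSEfirewall2 in a given zone. Two conditions must both hold:
#   1. the service file lists the port under BROADCAST=
#   2. FW_ALLOW_FW_BROADCAST_<ZONE> in the main config permits it
# Assumption: the zone variable is "no", "yes", or a space separated list of
# ports/ranges; "lo:hi" ranges are assumed to be accepted at both levels.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed main config: EXT refuses broadcasts, INT allows only the
# KDE Connect range, DMZ allows everything.
cat > "$WORK/SuSEfirewall2" <<'EOF'
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="1714:1764"
FW_ALLOW_FW_BROADCAST_DMZ="yes"
EOF

# Constructed service file in the style of the KDE Connect one from the
# thread, using the range shorthand instead of the 51 individual ports.
cat > "$WORK/kdeconnect" <<'EOF'
# space separated list of allowed TCP ports
TCP="1714:1764"
# space separated list of allowed UDP ports
UDP="1714:1764"
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST="1714:1764"
EOF

# get_var FILE NAME -> value of NAME=... with quotes stripped (last one wins)
get_var() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# port_in_list PORT "1714:1764 5353" -> 0 if PORT is listed or inside a range
port_in_list() {
    port=$1
    for item in $2; do
        case $item in
            *:*)
                lo=${item%%:*}; hi=${item##*:}
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *)
                [ "$port" -eq "$item" ] && return 0
                ;;
        esac
    done
    return 1
}

# broadcast_allowed ZONE PORT MAINCFG SERVICEFILE -> 0 only if both levels allow
broadcast_allowed() {
    zone=$1; port=$2; maincfg=$3; svc=$4
    # level 1: service must accept broadcasts on this port
    port_in_list "$port" "$(get_var "$svc" BROADCAST)" || return 1
    # level 2: zone must allow broadcasts at all (the point Andreas made)
    zone_setting=$(get_var "$maincfg" "FW_ALLOW_FW_BROADCAST_$zone")
    case $zone_setting in
        yes)   return 0 ;;
        no|"") return 1 ;;
        *)     port_in_list "$port" "$zone_setting" ;;
    esac
}

# report ZONE PORT -> human readable verdict for the constructed configs
report() {
    if broadcast_allowed "$1" "$2" "$WORK/SuSEfirewall2" "$WORK/kdeconnect"; then
        echo "zone $1 port $2: broadcast allowed"
    else
        echo "zone $1 port $2: broadcast DROPPED"
    fi
}

report INT 1716   # allowed: service lists it and INT permits the range
report EXT 1716   # dropped: service lists it but EXT says "no"
report DMZ 1716   # allowed: DMZ permits everything
report INT 1800   # dropped: outside the service's BROADCAST list
```

Pointing the two file arguments at the real /etc/sysconfig/SuSEfirewall2 and /etc/sysconfig/SuSEfirewall2.d/services/<name> gives the same verdict for a live system; a "DROPPED" for the zone the device sits in is the situation described at the start of the thread, where the service file looked complete but the zone setting was still at its default.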
Am 22.03.2017 um 11:39 schrieb Christian:
Am 21.03.2017 um 10:53 schrieb Malte Gell:
(....)
# space separated list of allowed UDP ports that accept broadcasts
BROADCAST="1714 1715 1716 1717 1718 1719 1720 1721 1722 1723 1724 1725 1726 1727 1728 1729 1730 1731 1732 1733 1734 1735 1736 1737 1738 1739 1740 1741 1742 1743 1744 1745 1746 1747 1748 1749 1750 1751 1752 1753 1754 1755 1756 1757 1758 1759 1760 1761 1762 1763 1764"
to ease typing: BROADCAST="1714:1764"
Yes, indeed ;-)
participants (4)
- Andreas Stieger
- Carlos E. R.
- Christian
- Malte Gell