[opensuse-security] No firewall and X server listening globally
Hi!

I have installed several OpenSUSE machines during recent years and I believe they always enabled the firewall by default. At least I don't remember having done anything special and the firewall was active. Some installations were done from promotion DVDs, others from some image downloaded, not sure which variant.

My last installation I made from a 13.2 KDE Live image. To my surprise the firewall is not activated. Again I'm quite sure I made no non-default choices in that direction and I don't remember having seen a selection in the installer where I could have explicitly chosen to enable it.

By default the X server does not listen to TCP port at all. That's fine, especially if there is no firewall. But if I start an additional session (KDE menu "Switch user") the second X server is listening to TCP port 6001 globally.

$ ps -fp $(pgrep -d , Xorg)
UID PID PPID C STIME TTY TIME CMD
root 1543 1499 0 14:25 tty7 00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-kwjL1b
root 2387 1499 0 14:27 tty8 00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-m4GpQa

$ sudo /usr/sbin/ss -ltpn | grep Xorg
LISTEN 0 128 *:6001 *:* users:(("Xorg",pid=2387,fd=3))
LISTEN 0 128 :::6001 :::* users:(("Xorg",pid=2387,fd=1))

Questions: Does everything I see here work as it should?

1.) Firewall not active by default
2.) 2nd X server listening to TCP

Regards,

Uwe

P.S. Apologies for being a bit vague on the installation. But I don't have spare machines and installation takes quite long, especially when having to do it on a small virtual machine. So I take the freedom to violate the rule of investigate first and ask stupid questions on the list thereafter...

Uwe Geuder
Nomovok Ltd.
Tampere, Finland
uwe.gxuder@nomovok.com (bot test: humans correct 1 obvious spelling error)

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
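The two checks from the message above, written as reusable filters. This is an added example, not part of the original post: the function names are hypothetical, and the sample lines are the ps and ss output quoted in the message.

```shell
#!/bin/sh
# Added example: find X servers reachable over TCP.
# An X server for display :N listens on TCP port 6000+N.

# find_exposed_x: reads `ss -ltpn` lines on stdin and prints
# "display port pid" for every Xorg listener not bound to loopback.
find_exposed_x() {
    awk '
    $1 == "LISTEN" && /"Xorg"/ {
        host = $4
        sub(/:[0-9]+$/, "", host)          # local address without the port
        n = split($4, parts, ":")
        port = parts[n] + 0
        if (port < 6000) next
        # loopback-only listeners are not reachable from the network
        if (host == "127.0.0.1" || host == "::1" || host == "[::1]") next
        pid = "?"
        if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (seen[port ":" pid]++) next     # IPv4 and IPv6 socket of one server
        printf ":%d %d %s\n", port - 6000, port, pid
    }'
}

# xorg_tcp_enabled: reads `ps -f` lines on stdin and prints the display of
# each Xorg process started without "-nolisten tcp". The flag is only a
# hint; the socket listing above is what counts.
xorg_tcp_enabled() {
    awk '/\/Xorg / && !/-nolisten tcp/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^:[0-9]+$/) print $i
    }'
}

# Sample input: the output lines quoted in the message.
SAMPLE_SS='LISTEN 0 128 *:6001 *:* users:(("Xorg",pid=2387,fd=3))
LISTEN 0 128 :::6001 :::* users:(("Xorg",pid=2387,fd=1))'
SAMPLE_PS='root 1543 1499 0 14:25 tty7 00:00:09 /usr/bin/Xorg -br :0 vt7 -nolisten tcp -seat seat0 -auth /var/lib/kdm/AuthFiles/A:0-kwjL1b
root 2387 1499 0 14:27 tty8 00:00:01 /usr/bin/Xorg -br :1 vt8 -seat seat0 -auth /var/lib/kdm/AuthFiles/A:1-m4GpQa'

printf '%s\n' "$SAMPLE_SS" | find_exposed_x
printf '%s\n' "$SAMPLE_PS" | xorg_tcp_enabled
```

On a live system the same filters take `sudo ss -ltpn` and `ps -fp $(pgrep -d , Xorg)` as input.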
On 2015-04-29 at 15:47 +0300, Uwe Geuder wrote:
My last installation I made from a 13.2 KDE Live image. To my surprise the firewall is not activated.
An issue has come to light recently. If the network interface is not up, the firewall configuration fails and it doesn't start. People do not even notice the firewall is down.

View this thread: <http://forums.opensuse.org/showthread.php?t=507151>

--
Cheers
Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
Is that firewall up when installed or when the machine is rebooted? I've had 2 installs recently (1 clean, 1 an upgrade), both double NIC machines, where the install process failed to configure any working NICs. I'll check their firewalls :-(

David

On Wednesday 06 May 2015 04:42:50 Carlos E. R. wrote:
On 2015-04-29 at 15:47 +0300, Uwe Geuder wrote:
My last installation I made from a 13.2 KDE Live image. To my surprise the firewall is not activated.
An issue has come to light recently. If the network interface is not up, the firewall configuration fails and it doesn't start. People do not even notice the firewall is down.
View this thread: <http://forums.opensuse.org/showthread.php?t=507151>
-- Cheers Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On Wed, Apr 29, 2015 at 03:47:07PM +0300, Uwe Geuder wrote:
I have installed several OpenSUSE machines during recent years and I believe they always enabled the firewall by default.
They are in the default install, but apparently not on the live CDs. I'm currently working on enabling the firewall by default. For now the firewall has to be enabled manually either before installing or after the install.

Johannes

--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE LINUX GmbH
Maxfeldstraße 5
90409 Nürnberg, Germany
GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Thank you for your report

On Wed, May 06, 2015 at 12:06:05PM +0200, Johannes Segitz wrote:
On Wed, Apr 29, 2015 at 03:47:07PM +0300, Uwe Geuder wrote:
I have installed several OpenSUSE machines during recent years and I believe they always enabled the firewall by default.
They are in the default install, but apparently not on the live CDs. I'm currently working on enabling the firewall by default. For now the firewall has to be enabled manually either before installing or after the install.
For the live DVDs (at least for KDE) the firewall is not active, so if you install it uses this configuration. Changing the existing live DVDs is problematic (and there is already a warning message "Some alternative media (eg. live and rescue systems) are also available, although they are less tested and recommended for only limited use. ").

I submitted a fix so that the next version will enable the firewall by default and also submitted changed release notes, that warn of this problem and show how to enable the firewall.

Johannes

--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
participants (5)
- Administrator
- Carlos E. R.
- Johannes Segitz
- jsegitz@suse.de
- Uwe Geuder