[opensuse-security] SuSEfirewall2 and opening high ports
Previous versions of SuSEfirewall2 had the FW_ALLOW_INCOMING_HIGH_PORTS_TCP switch, which has now been abandoned. How do I open high ports now on openSUSE 11.4? Or are high ports now generally accessible?

Regards
Malte
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
On Sat, Apr 02, 2011 at 03:03:22PM +0200, Malte Gell wrote:
> Previous versions of SuSEfirewall2 had the FW_ALLOW_INCOMING_HIGH_PORTS_TCP switch, which has now been abandoned.
> How do I open high ports now on openSUSE 11.4? Or are high ports now generally accessible?

They are not generally accessible.

You can allow port ranges in the generic allow rules like this (to match the high-ports rule):

FW_SERVICES_EXT_TCP="1024:65535"

This would allow all ports from 1024-65535 on the external interface.

Ciao, Marcus
Marcus Meissner <meissner@suse.de> wrote
> On Sat, Apr 02, 2011 at 03:03:22PM +0200, Malte Gell wrote:
>> Previous versions of SuSEfirewall2 had the FW_ALLOW_INCOMING_HIGH_PORTS_TCP switch, which has now been abandoned.
>> How do I open high ports now on openSUSE 11.4? Or are high ports now generally accessible?
>
> They are not generally accessible.
>
> You can allow port ranges in the generic allow rules like this (to match the high-ports rule):
>
> FW_SERVICES_EXT_TCP="1024:65535"
>
> This would allow all ports from 1024-65535 on the external interface.

OK, I will use that.

Malte
Marcus Meissner <meissner@suse.de> wrote
> On Sat, Apr 02, 2011 at 03:03:22PM +0200, Malte Gell wrote:
>> Previous versions of SuSEfirewall2 had the FW_ALLOW_INCOMING_HIGH_PORTS_TCP switch, which has now been abandoned.
>> How do I open high ports now on openSUSE 11.4? Or are high ports now generally accessible?
>
> They are not generally accessible.
>
> You can allow port ranges in the generic allow rules like this (to match the high-ports rule):
>
> FW_SERVICES_EXT_TCP="1024:65535"
>
> This would allow all ports from 1024-65535 on the external interface.

By the way, can I make sure these high ports are accessible only from certain IPs like 192.168.x.x? Does that need a new rule?

Malte
On Sunday, 2011-04-03 at 13:51 +0200, Malte Gell wrote:
> Marcus Meissner <meissner@suse.de> wrote
>> FW_SERVICES_EXT_TCP="1024:65535"
>>
>> This would allow all ports from 1024-65535 on the external interface.
>
> By the way, can I make sure these high ports are accessible only from certain IPs like 192.168.x.x? Does that need a new rule?

You would put the range in FW_TRUSTED_NETS, I guess:

FW_TRUSTED_NETS="192.168.0.0/16,tcp,1024:65535"

I assume port ranges are valid.

--
Cheers,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
On 04/03/2011 03:32 PM, Carlos E. R. wrote:
> On Sunday, 2011-04-03 at 13:51 +0200, Malte Gell wrote:
>> Marcus Meissner <meissner@suse.de> wrote
>>> FW_SERVICES_EXT_TCP="1024:65535"
>>>
>>> This would allow all ports from 1024-65535 on the external interface.
>>
>> By the way, can I make sure these high ports are accessible only from certain IPs like 192.168.x.x? Does that need a new rule?
>
> You would put the range in FW_TRUSTED_NETS, I guess:
>
> FW_TRUSTED_NETS="192.168.0.0/16,tcp,1024:65535"

You can trust the internal LAN if you want:

FW_PROTECT_FROM_INT="no"

or, if you want to increase performance:

FW_PROTECT_FROM_INT="notrack"

HTH
Togan
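The two answers above differ in who can reach the high ports: Marcus's FW_SERVICES_EXT_TCP range admits every source address on the external interface, while Carlos's FW_TRUSTED_NETS entry admits only the listed network. The following script is an added illustration, not SuSEfirewall2 code: it models that decision for a single packet, assuming the "net[,proto[,port]]" entry format shown in the thread, numeric ports only, and that "lo:hi" ranges are accepted in both variables (Carlos's assumption). The configs and addresses are constructed for the example.

```python
import ipaddress


def parse_port_spec(spec):
    """Parse a port spec as written in the thread: '22' or 'lo:hi' (numeric only)."""
    lo, _, hi = spec.partition(":")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return lo, hi


def parse_services(value):
    """FW_SERVICES_EXT_TCP: whitespace-separated ports or lo:hi ranges."""
    return [parse_port_spec(tok) for tok in value.split()]


def parse_trusted_nets(value):
    """FW_TRUSTED_NETS: whitespace-separated 'net[,proto[,port]]' entries (assumed format)."""
    rules = []
    for tok in value.split():
        parts = tok.split(",")
        net = ipaddress.ip_network(parts[0], strict=False)
        proto = parts[1].lower() if len(parts) > 1 else None          # None: any protocol
        ports = parse_port_spec(parts[2]) if len(parts) > 2 else None  # None: any port
        rules.append((net, proto, ports))
    return rules


def allowed_on_ext(cfg, src_ip, proto, dport):
    """Return the config variable that admits the packet on the external interface, or None."""
    src = ipaddress.ip_address(src_ip)
    if proto == "tcp":
        for lo, hi in parse_services(cfg.get("FW_SERVICES_EXT_TCP", "")):
            if lo <= dport <= hi:
                return "FW_SERVICES_EXT_TCP"   # open to every source address
    for net, rproto, ports in parse_trusted_nets(cfg.get("FW_TRUSTED_NETS", "")):
        if src in net and rproto in (None, proto) and (ports is None or ports[0] <= dport <= ports[1]):
            return "FW_TRUSTED_NETS"           # open only to the listed network
    return None


# Constructed configs: Marcus's world-open range vs. Carlos's LAN-only variant.
CFG_WORLD_OPEN = {"FW_SERVICES_EXT_TCP": "1024:65535"}
CFG_LAN_ONLY = {"FW_TRUSTED_NETS": "192.168.0.0/16,tcp,1024:65535"}

if __name__ == "__main__":
    for name, cfg in (("world-open", CFG_WORLD_OPEN), ("lan-only", CFG_LAN_ONLY)):
        for src in ("192.168.1.10", "203.0.113.5"):   # LAN host vs. Internet host
            print(f"{name}: {src} -> tcp/2000: {allowed_on_ext(cfg, src, 'tcp', 2000)}")
```

Running it shows tcp/2000 from 203.0.113.5 is admitted by the world-open config but not by the LAN-only one, which is exactly the distinction Malte asked about.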
Malte Gell wrote:
> Previous versions of SuSEfirewall2 had the FW_ALLOW_INCOMING_HIGH_PORTS_TCP switch, which has now been abandoned.
> How do I open high ports now on openSUSE 11.4? Or are high ports now generally accessible?

Why do you run a firewall if you open all ports anyway? What's your use case exactly?

cu
Ludwig
--
 (o_   Ludwig Nussel
 //\   http://www.suse.de/
 V_/_  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Ludwig Nussel <ludwig.nussel@suse.de> wrote
> Malte Gell wrote:
>> Previous versions of SuSEfirewall2 had the FW_ALLOW_INCOMING_HIGH_PORTS_TCP switch, which has now been abandoned.
>> How do I open high ports now on openSUSE 11.4? Or are high ports now generally accessible?
>
> Why do you run a firewall if you open all ports anyway? What's your use case exactly?

I would like to open high ports, e.g. for VDR, within the LAN, and open certain privileged ports, e.g. for CUPS, within the LAN. To the outside world these ports should be closed.

Your question is a good one... since the router closes at least the privileged ports to the outside world, I may not need SuSEfirewall after all....

Malte