[opensuse-security] SuSEfirewall2 behavior with multiple, not configured network interfaces
Hi,

There's another behavior with SuSEfirewall2 with multiple network interfaces that I would like to discuss. We're working with an appliance that has six network interfaces. We only need two of those six interfaces, so only two of them are configured, one with DHCP and the other static. The other interfaces are present and detected by OpenSUSE but they're not configured, so ifconfig output only shows those two interfaces (yast2 shows them as not configured).

I have configured SuSEfirewall2 like this:

FW_DEV_EXT="eth0"
FW_DEV_INT="eth1"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_NETS="192.168.10.0/24"

When I start the firewall I get this message:

linux-test:~ # SuSEfirewall2 start
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth2
SuSEfirewall2: using default zone 'ext' for interface eth3
SuSEfirewall2: using default zone 'ext' for interface eth4
SuSEfirewall2: using default zone 'ext' for interface eth5
SuSEfirewall2: Firewall rules successfully set

This means that for each rule specified, for example in FW_MASQ_NETS or FW_FORWARD, five useless additional rules will be created, one for each of the not configured interfaces. Currently I don't have that appliance at hand, so I'm testing on a VM with four interfaces and the previous configuration. With the previous configuration this is the output when starting the firewall:

linux-w43c:~ # SuSEfirewall2 start
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth2
SuSEfirewall2: using default zone 'ext' for interface eth3
SuSEfirewall2: Firewall rules successfully set

And the output of SuSEfirewall2 status is here: http://pastebin.com/vDvTUYnM

Why are there rules being created for the not configured interfaces? In other words, why are they being added by default to the external zone if those interfaces aren't being used, not even configured? Is there a way to avoid this?

Cheers,
-- JLB

-- To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-security+owner@opensuse.org
Juan Luis Baptiste schrieb:
There's another behavior with SuSEfirewall2 with multiple network interfaces that I would like to discuss.
Why are there rules being created for the not configured interfaces, in other words, why are they being added by default to the external zone if those interfaces aren't being used, not even configured ?
Just a guess: to be on the safe side? The interfaces do exist (for example in the udevd rules), even though they are not configured. And thus the firewall rather adds blocking rules than allowing them to become an open door to your computer.
is there a way to avoid this ?
I do not know.

Susan

--
Susan Dittmar, CIO
EURECA Messtechnik GmbH
Eupenerstr. 150, 50933 Köln, Germany
email: S.Dittmar@eureca.de
On Tue, Apr 30, 2013 at 5:15 AM, Susan Dittmar <S.Dittmar@eureca.de> wrote:
Juan Luis Baptiste schrieb:
There's another behavior with SuSEfirewall2 with multiple network interfaces that I would like to discuss.
Why are there rules being created for the not configured interfaces, in other words, why are they being added by default to the external zone if those interfaces aren't being used, not even configured ?
Just a guess: to be on the save side? The interfaces do exist (for example in the udevd-rules), even though they are not configured. And thus the firewall rather adds blocking rules than allowing them to become an open door to your computer.
I suppose the interfaces are physically present on the appliance and were detected by the installation, but never configured, only two of them.

-- JLB
On Tue, Apr 30, 2013 at 01:03:10AM -0500, Juan Luis Baptiste wrote:
Why are there rules being created for the not configured interfaces, in other words, why are they being added by default to the external zone if those interfaces aren't being used, not even configured ? is there a way to avoid this ?
You can try avoiding setting a default zone by using FW_ZONE_DEFAULT='no' (the default is auto).

Ciao, Marcus
On Tue, Apr 30, 2013 at 9:18 AM, Marcus Meissner <meissner@suse.de> wrote:
Why are there rules being created for the not configured interfaces, in other words, why are they being added by default to the external zone if those interfaces aren't being used, not even configured ? is there a way to avoid this ?
You can try avoiding to set a default zone using FW_ZONE_DEFAULT='no'
(default is auto)
Thanks, this worked. But just to understand, why does SuSEfirewall2 do this by default? Is there any security consideration I should be aware of when changing FW_ZONE_DEFAULT to no?

Cheers,
-- JLB
On Tue, Apr 30, 2013 at 09:54:51AM -0500, Juan Luis Baptiste wrote:
On Tue, Apr 30, 2013 at 9:18 AM, Marcus Meissner <meissner@suse.de> wrote:
Why are there rules being created for the not configured interfaces, in other words, why are they being added by default to the external zone if those interfaces aren't being used, not even configured ? is there a way to avoid this ?
You can try avoiding to set a default zone using FW_ZONE_DEFAULT='no'
(default is auto)
Thanks, this worked. But just to understand, why SuSEfirewall2 does this by default ? is there any security consideration I should be aware of when changing FW_ZONE_DEFAULT to no ?
The idea is for dynamically plugged interfaces, as the other poster replied. There should not be any security issues, as the fallback for unconfigured interfaces is "DROP".

Ciao, Marcus
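An added check for the setting Marcus suggested, written for this thread rather than taken from SuSEfirewall2: it lists which interfaces the generated ruleset actually references, flags any that are not among the ones you configured, and confirms that the INPUT and FORWARD policies are still DROP, which is the fallback Marcus relies on for interfaces no rule mentions. The two iptables-save dumps inside it are constructed, trimmed approximations of the before/after rulesets (only the MASQUERADE rule and the per-interface zone dispatch are kept), and the function names are this example's own.

```shell
#!/bin/sh
# Added example for this thread; it is not SuSEfirewall2's own code and the
# two iptables-save dumps below are constructed, trimmed approximations of
# what the ruleset looks like with and without a default zone.
#
# The /etc/sysconfig/SuSEfirewall2 fragment from the thread, with the line
# Marcus suggested appended (the shipped default is FW_ZONE_DEFAULT="auto"):
#   FW_DEV_EXT="eth0"
#   FW_DEV_INT="eth1"
#   FW_ROUTE="yes"
#   FW_MASQUERADE="yes"
#   FW_MASQ_NETS="192.168.10.0/24"
#   FW_ZONE_DEFAULT="no"

# Constructed dump for FW_ZONE_DEFAULT="auto": the unconfigured eth2/eth3
# fall into zone 'ext', so every ext rule is replicated for them.
fw_sample_auto() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -o eth2 -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -o eth3 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_int
-A INPUT -i eth2 -j input_ext
-A INPUT -i eth3 -j input_ext
COMMIT
EOF
}

# Constructed dump for FW_ZONE_DEFAULT="no": only eth0/eth1 are mentioned;
# eth2/eth3 match nothing and hit the DROP policy of INPUT and FORWARD.
fw_sample_no() {
cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:input_ext - [0:0]
:input_int - [0:0]
-A INPUT -i eth0 -j input_ext
-A INPUT -i eth1 -j input_int
COMMIT
EOF
}

# Interfaces named by any -i/-o match in the dump on stdin, one per line,
# sorted and de-duplicated.
fw_ifaces() {
    grep -oE -- '-[io] [^ ]+' | awk '{ print $2 }' | sort -u
}

# Interfaces the dump on stdin references that are not in the
# space-separated list $1 of interfaces you actually configured.
fw_stray_ifaces() {
    configured=" $1 "
    fw_ifaces | while read -r dev; do
        case "$configured" in
            *" $dev "*) ;;
            *) printf '%s\n' "$dev" ;;
        esac
    done
}

# Succeeds only if every chain in the space-separated list $1 has policy
# DROP in the dump on stdin; that policy is what protects an interface
# no rule mentions.
fw_policies_drop() {
    dump=$(cat)
    for chain in $1; do
        printf '%s\n' "$dump" | grep -q "^:$chain DROP " || return 1
    done
}

# Combined check to run after 'SuSEfirewall2 start': no rules for interfaces
# outside $1, and the built-in chains still default to DROP.
fw_check() {
    dump=$(cat)
    stray=$(printf '%s\n' "$dump" | fw_stray_ifaces "$1" | tr '\n' ' ')
    if [ -n "$stray" ]; then
        echo "rules reference unconfigured interfaces: $stray"
        return 1
    fi
    printf '%s\n' "$dump" | fw_policies_drop "INPUT FORWARD" ||
        { echo "INPUT/FORWARD policy is not DROP"; return 1; }
}

# On a live box replace the sample with: iptables-save | fw_check "eth0 eth1"
fw_sample_auto | fw_check "eth0 eth1" || echo "auto: the extra rules from the thread"
fw_sample_no | fw_check "eth0 eth1" && echo "no: only eth0/eth1 carry rules"
```

The interface list passed to fw_check is the set you configured by hand (here eth0 and eth1, matching FW_DEV_EXT and FW_DEV_INT); anything else the dump names is exactly the per-interface duplication the original post complains about, and the policy check is the one thing worth re-verifying after switching FW_ZONE_DEFAULT to no, since it is the only protection left for a NIC that later gets plugged in or brought up without a zone.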
participants (3): Juan Luis Baptiste, Marcus Meissner, Susan Dittmar