[opensuse-security] FW_ALLOW_INCOMING_HIGHPORTS_TCP and SuSEfirewall2
Hi there,

in SuSEfirewall2 there is a comment that FW_ALLOW_INCOMING_HIGHPORTS_TCP is now deprecated... I need this option set to "yes" on my server to be able to use my network scanner. If this option becomes obsolete, how the heck do I allow incoming high ports in the future?

Finally, why are high ports blocked? Does this make sense to block more than privileged ports?

Regards
Malte

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org

On Monday, 2010-05-24 at 20:53 +0200, Malte Gell wrote:

> Hi there,
>
> in SuSEfirewall2 there is a comment that FW_ALLOW_INCOMING_HIGHPORTS_TCP is now deprecated...

] Read this thread in the archive:
]
] | Date: Tue, 21 Jun 2005 14:38:08 +0200
] | Subject: [suse-security] Bug in Susefirewall FW_ALLOW_INCOMING_HIGHPORTS_UDP
] | X-Message-Number-for-archive: 25524
]
] You will see there when it was decided to deprecate it and why.

--
Cheers,
Carlos E. R.

"Carlos E. R." <robin.listas@telefonica.net> wrote:

> ] Read this thread in the archive:
> ]
> ] | Date: Tue, 21 Jun 2005 14:38:08 +0200
> ] | Subject: [suse-security] Bug in Susefirewall FW_ALLOW_INCOMING_HIGHPORTS_UDP
> ] | X-Message-Number-for-archive: 25524

Thanks for the hint. I read that Ludwig Nussel suggested marking it as deprecated, but he did not explain clearly why. I need it to access the sane daemon on my server, so I hope they will keep this option.... others might need it too.

Malte

Malte Gell wrote:

> in SuSEfirewall2 there is a comment that FW_ALLOW_INCOMING_HIGHPORTS_TCP is now deprecated...
>
> I need this option set to "yes" on my server to be able to use my network scanner. If this option becomes obsolete, how the heck do I allow incoming high ports in the future?

see description of data_portrange in man saned

> Finally, why are high ports blocked? Does this make sense to block more than privileged ports?

Does it make sense to run a firewall if you open almost all ports anyways? Also saned clearly is a service for the LAN, which means internal zone, i.e. no filtering at all. If you need to open saned to the internet, i.e. the external zone, your setup is probably flawed.

cu
Ludwig

--
Ludwig Nussel
http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
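
The approach Ludwig points to above (pinning saned's data connection with data_portrange instead of opening every high port), shown as an added configuration example that is not part of the thread or of the SUSE documentation. The port range 10000-10100, the subnet 192.168.1.0/24 and a LAN-facing interface that sits in the external zone are assumptions.

```conf
# --- /etc/sane.d/saned.conf (scanner server) ---
# Pin the data connection to a small fixed range (assumed range).
data_portrange = 10000 - 10100
# Only accept scan clients from the LAN (assumed subnet).
192.168.1.0/24

# --- /etc/sysconfig/SuSEfirewall2 (scanner server) ---
# Before: every TCP port above 1023 is reachable from the zone.
#FW_ALLOW_INCOMING_HIGHPORTS_TCP="yes"

# After: high ports stay closed; only the saned control port (6566)
# and the pinned data range are opened.
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_SERVICES_EXT_TCP="6566 10000:10100"

# If the LAN interface is assigned to the internal zone instead, the
# internal zone is unfiltered by default and no port entries are needed.
```

Both saned and SuSEfirewall2 must be restarted for the new range to take effect.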

Hello,

On May 24 20:53 Malte Gell wrote (shortened):

> in SuSEfirewall2 there is a comment that FW_ALLOW_INCOMING_HIGHPORTS_TCP is now deprecated...
>
> I need this option set to "yes" on my server to be able to use my network scanner.

Why?

You may have a look at
http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

Kind Regards
Johannes Meixner

--
SUSE LINUX Products GmbH, Maxfeldstrasse 5, 90409 Nuernberg, Germany
AG Nuernberg, HRB 16746, GF: Markus Rex

participants (4)
- Carlos E. R.
- Johannes Meixner
- Ludwig Nussel
- Malte Gell