Re: [suse-security] SuSE Firewall and CUPS (UDP rules)?
No, my question is *much* simpler, sorry :)

The 4 steps of configuring the firewall with Yast: Step 1: select interface. I have no trusted net, no "internal" interface. So eth0 is the only one, and it's set to external. Step 2: Services. Additional services is set to: 631.

This is what's causing my confusion. It drops UDP packets destined for port 631. And in fact, in that dialog box it says "TCP services".

What am I missing in the Yast firewall setup tool? :P I've normally set iptables rules by hand, but decided to try the Yast setup, and... I feel I'm missing a lot of things :)

So my question amounts to: can the Yast tools do it? it's a very simple rule, seriously! Or do I need to insert it by hand? In which case I might as well trash all the rules Yast set up in there and put in my own standard set.

- Vfrc -

barrulus wrote:
------------------------------------------------------------------------
On Friday 17 September 2004 09:05, Maxim A Belushkin wrote:
a print server on the network is bcasting queue names to UDP port 631. SuSE firewall seems to only have exceptions for TCP ports, and not UDP. Any "clean" workaround for this avoiding digging into the iptables rules the firewall creates?
???
You can set up trusted nets with UDP, allow interfaces to listen with UDP, forward UDP traffic and masquerade UDP traffic?
When you say "exceptions" what do you mean? Do you want the local CUPS server to be listening on that port to pick up the broadcasts, or do you want the broadcasts to be forwarded into your LAN from your DMZ?
(from my subscribed address this time)
On Friday 17 September 2004 09:19, Maxim A Belushkin wrote:
No, my question is *much* simpler, sorry :)
The 4 steps of configuring the firewall with Yast: Step 1: select interface. I have no trusted net, no "internal" interface. So eth0 is the only one, and it's set to external. Step 2: Services. Additional services is set to: 631.
This is what's causing my confusion. It drops UDP packets destined for port 631. And in fact, in that dialog box it says "TCP services".
What am I missing in the Yast firewall setup tool? :P I've normally set iptables rules by hand, but decided to try the Yast setup, and... I feel I'm missing a lot of things :)
So my question amounts to: can the Yast tools do it? it's a very simple rule, seriously! Or do I need to insert it by hand? In which case I might as well trash all the rules Yast set up in there and put in my own standard set.
No, the YaST interface is too simple for that. I usually click through yast to make sure that the Firewall is started, then I edit /etc/sysconfig/SuSEfirewall2 by hand.
It is a very well structured file and certainly loads better than playing with IPTables directly.
All the rules you originally create in YaST will still be there and YaST will not autotrash anything you change.
Remember to rcSuSEfirewall2 restart when you are done.
Barry
barrulus wrote:
------------------------------------------------------------------------
On Friday 17 September 2004 09:05, Maxim A Belushkin wrote:
a print server on the network is bcasting queue names to UDP port 631. SuSE firewall seems to only have exceptions for TCP ports, and not UDP. Any "clean" workaround for this avoiding digging into the iptables rules the firewall creates?
???
You can set up trusted nets with UDP, allow interfaces to listen with UDP, forward UDP traffic and masquerade UDP traffic?
When you say "exceptions" what do you mean? Do you want the local CUPS server to be listening on that port to pick up the broadcasts, or do you want the broadcasts to be forwarded into your LAN from your DMZ?
I set FW_SERVICES_EXT_UDP="631" and FW_SERVICES_QUICK_UDP="631" (this one just-in-case), the rest default from what the Yast tool left it at, in /etc/sysconfig/SuSEfirewall2, and ran /sbin/rcSuSEfirewall2 restart.

In the messages:
SFW2-DROP-BCASTe IN=eth0 OUT= MAC=<snip> SRC=<snip> DST=<snip> LEN=187 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=167

*faint whining* What am I missing? :(

Thanks :)

b@rry.co.za wrote:
------------------------------------------------------------------------
(from my subscribed address this time)
On Friday 17 September 2004 09:19, Maxim A Belushkin wrote:
No, my question is *much* simpler, sorry :)
The 4 steps of configuring the firewall with Yast: Step 1: select interface. I have no trusted net, no "internal" interface. So eth0 is the only one, and it's set to external. Step 2: Services. Additional services is set to: 631.
This is what's causing my confusion. It drops UDP packets destined for port 631. And in fact, in that dialog box it says "TCP services".
What am I missing in the Yast firewall setup tool? :P I've normally set iptables rules by hand, but decided to try the Yast setup, and... I feel I'm missing a lot of things :)
So my question amounts to: can the Yast tools do it? it's a very simple rule, seriously! Or do I need to insert it by hand? In which case I might as well trash all the rules Yast set up in there and put in my own standard set.
No, the YaST interface is too simple for that. I usually click through yast to make sure that the Firewall is started, then I edit /etc/sysconfig/SuSEfirewall2 by hand.
It is a very well structured file and certainly loads better than playing with IPTables directly.
All the rules you originally create in YaST will still be there and YaST will not autotrash anything you change.
Remember to rcSuSEfirewall2 restart when you are done.
Barry
barrulus wrote:
------------------------------------------------------------------------
On Friday 17 September 2004 09:05, Maxim A Belushkin wrote:
a print server on the network is bcasting queue names to UDP port 631. SuSE firewall seems to only have exceptions for TCP ports, and not UDP. Any "clean" workaround for this avoiding digging into the iptables rules the firewall creates?
???
You can set up trusted nets with UDP, allow interfaces to listen with UDP, forward UDP traffic and masquerade UDP traffic?
When you say "exceptions" what do you mean? Do you want the local CUPS server to be listening on that port to pick up the broadcasts, or do you want the broadcasts to be forwarded into your LAN from your DMZ?
Maxim A Belushkin wrote:
I set FW_SERVICES_EXT_UDP="631" and FW_SERVICES_QUICK_UDP="631" (this one just-in-case), the rest default from what the Yast tool left it at, in /etc/sysconfig/SuSEfirewall2, and ran /sbin/rcSuSEfirewall2 restart.
*faint whining* What am I missing? :(
Try clearing the rules with
SuSEfirewall2 stop
SuSEfirewall2 start
Remember to rcSuSEfirewall2 restart when you are done.
Sometimes I have found this not as good as the above. YMMV
--
Joe Morris
New Tribes Mission
Email Address: Joe_Morris@ntm.org
Registered Linux user 231871
Oh, this actually solved it, thanks! But... isn't "restart" supposed to do the same thing as a "stop->start", and if so, wouldn't this be a bug? :)

Thanks again for the help! :)

- Vfrc -

Joe Morris (NTM) wrote:
Maxim A Belushkin wrote:
I set FW_SERVICES_EXT_UDP="631" and FW_SERVICES_QUICK_UDP="631" (this one just-in-case), the rest default from what the Yast tool left it at, in /etc/sysconfig/SuSEfirewall2, and ran /sbin/rcSuSEfirewall2 restart.
*faint whining* What am I missing? :(
Try clearing the rules with
SuSEfirewall2 stop
SuSEfirewall2 start
Remember to rcSuSEfirewall2 restart when you are done.
Sometimes I have found this not as good as the above. YMMV
On Fri, 17 Sep 2004, Maxim A Belushkin wrote:
I set FW_SERVICES_EXT_UDP="631" and FW_SERVICES_QUICK_UDP="631" (this one just-in-case), the rest default from what the Yast tool left it at, in /etc/sysconfig/SuSEfirewall2, and ran /sbin/rcSuSEfirewall2 restart.
In the messages:
SFW2-DROP-BCASTe IN=eth0 OUT= MAC=<snip> SRC=<snip> DST=<snip> LEN=187 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=167
*faint whining* What am I missing? :(
SFW2-DROP-BCASTe means "SuSEfirewall2 DROP Broadcast", so I would suggest checking for FW_ALLOW_FW_BROADCAST and DEV_EXT_BCAST? You could also start "/sbin/SuSEfirewall2 test" if you are in a secure environment (test mode lets anything pass but logs).

cheers
--
BINGO: work smarter
--- Engelbert Gruber -------+
SSG Fintl,Gruber,Lassnig / A6170 Zirl Innweg 5b / Tel. ++43-5238-93535 ---+
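The log line in the thread carries everything needed to work out which SuSEfirewall2 setting is dropping the CUPS browse packets: the SFW2-DROP-BCAST prefix says it is the broadcast rule, and PROTO/DPT say it is UDP to 631. The script below is an added example written for this page, not code from the thread or from the SuSEfirewall2 project. It parses a kernel log line of that shape, names the sysconfig variable a defender should look at (the thread's own suggestion of FW_ALLOW_FW_BROADCAST for broadcast drops; the mapping of non-broadcast drops to FW_SERVICES_EXT_UDP / FW_SERVICES_EXT_TCP is this example's assumption, as is the sample config fragment, which is not a set of SuSEfirewall2 defaults), and checks whether a port is already listed in a given variable in a sysconfig-style file. The trailing letter of the prefix is left uninterpreted because the thread does not explain it.

```shell
#!/bin/sh
# Added example (not from the thread or from SuSEfirewall2): triage an SFW2
# kernel log line and point at the /etc/sysconfig/SuSEfirewall2 variable that
# governs the drop. The sample line is the one quoted in the thread, with
# MAC/SRC/DST snipped exactly as the poster snipped them.
SAMPLE_LOG='SFW2-DROP-BCASTe IN=eth0 OUT= MAC=<snip> SRC=<snip> DST=<snip> LEN=187 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=167'

# sfw2_prefix LINE -> the SFW2-... log prefix (the first token)
sfw2_prefix() {
    printf '%s\n' "$1" | cut -d' ' -f1
}

# sfw2_field LINE KEY -> value of the first KEY=value token
# (LEN appears twice in these lines: IP length first, then UDP length)
sfw2_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# sfw2_classify LINE -> "class proto=... dpt=... check=VARIABLE"
# Broadcast drops map to FW_ALLOW_FW_BROADCAST (the thread's suggestion).
# Assumption of this example: other SFW2 drops of UDP/TCP to a local port
# map to the FW_SERVICES_EXT_UDP / FW_SERVICES_EXT_TCP service lists.
sfw2_classify() {
    prefix=$(sfw2_prefix "$1")
    proto=$(sfw2_field "$1" PROTO)
    dpt=$(sfw2_field "$1" DPT)
    case "$prefix" in
        SFW2-DROP-BCAST*)
            echo "broadcast-drop proto=$proto dpt=$dpt check=FW_ALLOW_FW_BROADCAST" ;;
        SFW2-*)
            case "$proto" in
                UDP) echo "service-drop proto=UDP dpt=$dpt check=FW_SERVICES_EXT_UDP" ;;
                TCP) echo "service-drop proto=TCP dpt=$dpt check=FW_SERVICES_EXT_TCP" ;;
                *)   echo "other-drop proto=$proto dpt=$dpt" ;;
            esac ;;
        *)
            echo "not-sfw2" ;;
    esac
}

# sfw2_port_allowed FILE VAR PORT -> exit 0 if PORT is in VAR="..." in FILE
# (last assignment wins, as it does when the shell sources the file)
sfw2_port_allowed() {
    value=$(sed -n "s/^$2=\"\(.*\)\"/\1/p" "$1" | tail -n 1)
    for p in $value; do
        [ "$p" = "$3" ] && return 0
    done
    return 1
}

# write_sample_config FILE -> constructed sysconfig fragment for testing;
# these values are made up for the example and are not SuSEfirewall2 defaults.
write_sample_config() {
    printf '%s\n' \
        'FW_SERVICES_EXT_TCP="631"' \
        'FW_SERVICES_EXT_UDP="631"' \
        'FW_ALLOW_FW_BROADCAST="no"' > "$1"
}

# Stand-alone run: classify the sample line, then show why adding 631 to
# FW_SERVICES_EXT_UDP alone (as in the thread) does not clear this drop.
sfw2_classify "$SAMPLE_LOG"
cfg=$(mktemp)
write_sample_config "$cfg"
if sfw2_port_allowed "$cfg" FW_SERVICES_EXT_UDP 631; then
    echo "FW_SERVICES_EXT_UDP already lists 631; the broadcast variable is the one to look at"
fi
rm -f "$cfg"
```

To triage a live box, feed the script the last SFW2 line from the messages log, e.g. `sfw2_classify "$(grep SFW2- /var/log/messages | tail -n 1)"`, and point sfw2_port_allowed at the real /etc/sysconfig/SuSEfirewall2; the value of FW_ALLOW_FW_BROADCAST itself is not interpreted here, since the thread only says which variable to check, not which value fits a given setup.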
participants (4)
- b@rry.co.za
- engelbert.gruber@ssg.co.at
- Joe Morris (NTM)
- Maxim A Belushkin