[opensuse] 12.3:susefirewall2: nfs exposed on external interface
Just a preliminary note: found NFS & RPC exposed on the external interface. SuSEfirewall2 appears to be configured not to do that. At least, NFS & RPC are not on the allowed services list for the external interface. SuSEfirewall2 allowed external connections to all the mapped NFS ports. Information leaked about internal network configuration, several internal hosts, among other things.

Found this because I was investigating many dropped packets logged by sfw2 earlier this morning to UDP port 56216, which resembles the pattern seen where sfw2 drops packets from established connections. Also noted that sfw2 is logging & dropping lots of packets from established connections, which probably explains why transfers are so incredibly slow. Also explains the constant resends and perhaps the many duplicate packets seen with Wireshark.

For the time being, NFS, RPC & portmap services are shut down while I investigate. Y'all might want to take a look at what sfw2 is allowing without your knowledge if you use it. Considering dumping sfw2 and using my own firewall configs.

-- jd

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On Sun, Dec 01, 2013 at 10:03:06AM -0800, jdebert wrote:
Just a preliminary note:
found nfs & rpc exposed on the external interface.
susefirewall2 appears to be configured not to do that.
At least, nfs & rpc are not on the allowed services list for external interface.
susefirewall2 allowed external connections to all the mapped nfs ports.
Information leaked about internal network configuration, several internal hosts, among other things.
Found this because I was investigating many dropped packets logged by sfw2 earlier this morning to UDP port 56216, which resembles the pattern seen where sfw2 drops packets from established connections.
Also noted that sfw2 is logging & dropping lots of packets from established connections, which probably explains why transfers are so incredibly slow. Also explains the constant resends and perhaps the many duplicate packets seen with Wireshark.
for the time being, nfs, rpc & portmap services are shut down while I investigate.
y'all might want to take a look @ what sfw2 is allowing w/o your knowledge if you use it.
Considering dumping sfw2 and using my own firewall configs.
What do you see with nmap? What is your configuration of SuSEFirewall2? And no, it shouldn't allow that.

Ciao, Marcus
Marcus Meissner:
On Sun, Dec 01, 2013 at 10:03:06AM -0800, jdebert wrote:
Just a preliminary note:
found nfs & rpc exposed on the external interface.
[snip]
What do you see with nmap? What is your configuration of SuSEFirewall2?
And no, it shouldn't allow that.
Ciao, Marcus
Hi,

Here's the output of nmap & the SuSEfirewall2 config. Edited to hide identifying info.

nmap tells me:

Initiating SYN Stealth Scan at 09:25
Scanning $EXTINTERFACE [1000 ports]
Discovered open port 111/tcp on $EXTINTERFACE
Discovered open port 37/tcp on $EXTINTERFACE
Discovered open port 2049/tcp on $EXTINTERFACE
Discovered open port 19/tcp on $EXTINTERFACE
Discovered open port 13/tcp on $EXTINTERFACE
Completed SYN Stealth Scan at 09:25, 0.18s elapsed (1000 total ports)
Initiating UDP Scan at 09:25
Scanning $EXTINTERFACE [1000 ports]
Discovered open port 111/udp on $EXTINTERFACE
Discovered open port 19/udp on $EXTINTERFACE
Discovered open port 13/udp on $EXTINTERFACE
Discovered open port 37/udp on $EXTINTERFACE
Discovered open port 2049/udp on $EXTINTERFACE
Completed UDP Scan at 09:25, 1.24s elapsed (1000 total ports)
Initiating Service scan at 09:25
Scanning 13 services on $EXTINTERFACE
Discovered open port 1023/udp on $EXTINTERFACE
Discovered open|filtered port 1023/udp on $EXTINTERFACE is actually open
Completed Service scan at 09:27, 82.58s elapsed (13 services on 1 host)

(and)

Nmap scan report for $EXTINTERFACE
Host is up (0.00017s latency).
Not shown: 1987 closed ports
PORT     STATE         SERVICE VERSION
13/tcp   open          daytime
|_banner: 01 DEC 2013 09:27:31 PST
|_daytime: 01 DEC 2013 09:27:32 PST
19/tcp   open          chargen xinetd chargen
| banner: YZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./0123456789:
|_;<=>?@ABC\x0D\x0AZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}!"#$%&'()*+,-./...
37/tcp   open          time    (32 bits)
|_banner: \xD6E\xF0\x03
111/tcp  open          rpcbind 2-4 (RPC #100000)
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited)
|
|   NFS Export /export/somedir
|_    ERROR: Mount failed: Permission denied.
| nfs-showmount:
|_  /export/somedir nnn.nnn.nnn.nnn, nnn.nnn.nnn.nnn
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100003  2,3       2049/tcp    nfs
|   100003  2,3       2049/udp    nfs
|   100005  1,2,3     40638/tcp   mountd
|   100005  1,2,3     42804/udp   mountd
|   100021  1,3,4     44864/tcp   nlockmgr
|   100021  1,3,4     50771/udp   nlockmgr
|   100024  1         47924/tcp   status
|   100024  1         52634/udp   status
|   100227  2,3       2049/tcp    nfs_acl
|_  100227  2,3       2049/udp    nfs_acl
2049/tcp open          nfs     2-3 (RPC #100003)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100003  2,3       2049/tcp    nfs
|   100003  2,3       2049/udp    nfs
|   100005  1,2,3     40638/tcp   mountd
|   100005  1,2,3     42804/udp   mountd
|   100021  1,3,4     44864/tcp   nlockmgr
|   100021  1,3,4     50771/udp   nlockmgr
|   100024  1         47924/tcp   status
|   100024  1         52634/udp   status
|   100227  2,3       2049/tcp    nfs_acl
|_  100227  2,3       2049/udp    nfs_acl
13/udp   open          daytime
|_daytime: 01 DEC 2013 09:27:34 PST
19/udp   open          chargen
37/udp   open          time    (32 bits)
111/udp  open          rpcbind 2-4 (RPC #100000)
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited)
|
|   NFS Export /export/somedir
|_    ERROR: Mount failed: Permission denied.
| nfs-showmount:
|_  /export/somedir nnn.nnn.nnn.nnn, nnn.nnn.nnn.nnn
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100003  2,3       2049/tcp    nfs
|   100003  2,3       2049/udp    nfs
|   100005  1,2,3     40638/tcp   mountd
|   100005  1,2,3     42804/udp   mountd
|   100021  1,3,4     44864/tcp   nlockmgr
|   100021  1,3,4     50771/udp   nlockmgr
|   100024  1         47924/tcp   status
|   100024  1         52634/udp   status
|   100227  2,3       2049/tcp    nfs_acl
|_  100227  2,3       2049/udp    nfs_acl
123/udp  open|filtered ntp
631/udp  open|filtered ipp
1023/udp open          rpcbind 2-4 (RPC #100000)
| nfs-ls:
|   Arguments:
|     maxfiles: 10 (file listing output limited)
|
|   NFS Export /export/somedir
|_    ERROR: Mount failed: Permission denied.
| nfs-showmount:
|_  /export/somedir nnn.nnn.nnn.nnn, nnn.nnn.nnn.nnn
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100003  2,3       2049/tcp    nfs
|   100003  2,3       2049/udp    nfs
|   100005  1,2,3     40638/tcp   mountd
|   100005  1,2,3     42804/udp   mountd
|   100021  1,3,4     44864/tcp   nlockmgr
|   100021  1,3,4     50771/udp   nlockmgr
|   100024  1         47924/tcp   status
|   100024  1         52634/udp   status
|   100227  2,3       2049/tcp    nfs_acl
|_  100227  2,3       2049/udp    nfs_acl
2049/udp open          nfs     2-3 (RPC #100003)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|   100000  2,3,4     111/udp     rpcbind
|   100003  2,3       2049/tcp    nfs
|   100003  2,3       2049/udp    nfs
|   100005  1,2,3     40638/tcp   mountd
|   100005  1,2,3     42804/udp   mountd
|   100021  1,3,4     44864/tcp   nlockmgr
|   100021  1,3,4     50771/udp   nlockmgr
|   100024  1         47924/tcp   status
|   100024  1         52634/udp   status
|   100227  2,3       2049/tcp    nfs_acl
|_  100227  2,3       2049/udp    nfs_acl

Zenmap also detailed connections made to each port listed in rpcinfo above in a graphic report I couldn't copy.

(and after stopping nfsserver)

Nmap scan report for $EXTINTERFACE
Host is up (0.00015s latency).
Not shown: 65531 closed ports
PORT    STATE SERVICE VERSION
13/tcp  open  daytime
19/tcp  open  chargen xinetd chargen
37/tcp  open  time    (32 bits)
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version   port/proto  service
|   100000  2,3,4     111/tcp     rpcbind
|_  100000  2,3,4     111/udp     rpcbind
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).

(/etc/sysconfig/SuSEfirewall2, sans comments)

FW_DEV_EXT="modem0 modem1 modem2 modem3"
FW_DEV_INT="eth0 eth1 eth2 eth3"
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ=""
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT=""
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT="($INTINTERFACE),tcp,time
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE=""
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="no"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT=""

-- jd
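The rpcinfo table in the scan above makes the practical problem visible: rpcbind (111) and nfs (2049) sit on fixed ports, but mountd, nlockmgr and status were registered on 40638, 42804, 44864, 50771, 47924 and 52634, ports that are assigned at service start and change on every restart. A firewall allowlist written as a fixed port list cannot describe them, which is why scoping the rules to the interface (or pinning the ports in the NFS daemons' configuration) matters more than the exact numbers. The script below is an added example, not code from the thread or from SuSEfirewall2: it takes an rpcinfo listing (a constructed sample copied from the values in the nmap output), extracts the unique proto/port pairs, separates the fixed from the dynamic ones, and prints (does not apply) iptables rules that accept each RPC endpoint only on the internal devices from the posted config and drop it on any other device, so an interface missing from both FW_DEV_INT and FW_DEV_EXT still gets no RPC. The device names and the sample listing are assumptions taken from the posted config and scan.

```shell
#!/bin/sh
# Added example (not from the opensuse thread): derive interface-scoped
# iptables rules from an rpcinfo listing, so RPC services that register on
# dynamic ports are reachable from the LAN interfaces only.
#
# Assumptions: internal/external device names follow the posted
# /etc/sysconfig/SuSEfirewall2; the listing below is a constructed sample
# copied from the rpcinfo table in the nmap output above.

RPCINFO_SAMPLE='program version port/proto service
100000  2,3,4   111/tcp    rpcbind
100000  2,3,4   111/udp    rpcbind
100003  2,3     2049/tcp   nfs
100003  2,3     2049/udp   nfs
100005  1,2,3   40638/tcp  mountd
100005  1,2,3   42804/udp  mountd
100021  1,3,4   44864/tcp  nlockmgr
100021  1,3,4   50771/udp  nlockmgr
100024  1       47924/tcp  status
100024  1       52634/udp  status
100227  2,3     2049/tcp   nfs_acl
100227  2,3     2049/udp   nfs_acl'

INT_DEVS="eth0 eth1 eth2 eth3"          # FW_DEV_INT from the posted config
EXT_DEVS="modem0 modem1 modem2 modem3"  # FW_DEV_EXT, listed for reference only

# rpc_endpoints: unique "proto port service" triples, header line skipped.
rpc_endpoints() {
    printf '%s\n' "$RPCINFO_SAMPLE" |
        awk 'NR > 1 { split($3, a, "/"); print a[2], a[1], $4 }' |
        sort -u
}

# dynamic_endpoints: endpoints that are not on the well-known rpcbind (111)
# or nfs (2049) ports. These numbers are assigned at service start and
# change on restart, so a static port allowlist cannot cover them.
dynamic_endpoints() {
    rpc_endpoints | awk '$2 != 111 && $2 != 2049'
}

# emit_rules: print iptables commands (they are not executed here). Replies
# to established flows are accepted first; each RPC endpoint is then
# accepted on the internal devices and dropped on every other device,
# which also covers an interface missing from both INT_DEVS and EXT_DEVS.
emit_rules() {
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    rpc_endpoints | while read -r proto port svc; do
        for dev in $INT_DEVS; do
            printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT  # %s\n' \
                "$dev" "$proto" "$port" "$svc"
        done
        printf 'iptables -A INPUT -p %s --dport %s -j DROP  # %s, any other device\n' \
            "$proto" "$port" "$svc"
    done
}

echo "# RPC endpoints on dynamic ports (cannot be allowlisted by number):"
dynamic_endpoints | sed 's/^/#   /'
emit_rules
```

To run it against a live host, replace the sample with the output of `rpcinfo -p` reformatted to the same three columns, and regenerate the rules after every NFS restart, or avoid the churn altogether by pinning the mountd, statd and lockd ports in the NFS daemon configuration so that the numbers become stable. The DROP rules are only a safety net; the real control is that no ACCEPT is ever emitted for a device outside INT_DEVS.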
I'm dropping SuSEfirewall2 in favour of my own firewall scripts, which provide a much stricter policy with better control of the finer details and do not drop packets from established connections. Adding shorewall & fail2ban should cover pretty much everything. As far as I can tell.

-- jd
On 12/7/2013 10:05 AM, jdebert wrote:
I'm dropping SuSEfirewall2 in favour of my own firewall scripts, which provide a much stricter policy with better control of the finer details and does not drop packets from established connections.
Adding shorewall & fail2ban should cover pretty much everything. As far as I can tell.
-- jd
I just use Shorewall. The documentation is excellent, comes with most scripts you will ever need, but it is so easy to add your own.

I found the SUSE firewall pretty obtuse and unwieldy for anything but the basics like allowing Samba etc.

Unless you are routing, there is very little need for a firewall at all, other than the recent depressing tendency for some Linux services to listen on all interfaces by default. Looking at netstat -anp these days can give nightmares. Lazy programming has pretty much forced us all to run firewalls these days.

--
---This space for rent---
On 07/12/2013 19:27, John Andersen wrote:
Lazy programming has pretty much forced us all to run firewalls these days.
wkan also, that makes all LANs public

jdd
--
http://www.dodin.org
On 07/12/2013 19:58, jdd wrote:
wkan also, that makes all lans publics
wlans... sorry

jdd
--
http://www.dodin.org
On 12/7/2013 10:58 AM, jdd wrote:
On 07/12/2013 19:27, John Andersen wrote:
Lazy programming has pretty much forced us all to run firewalls these days.
wkan also, that makes all lans publics
jdd
I fail to see your point here. I feel quite safe in putting my Linux box directly on the public network, whether hard wired or wifi. Without a firewall in place.

In fact that has never been an issue, since not listening on a port makes it a closed port. And listening on a port only on a specific interface means that port is closed on other interfaces.

It's only the case that some things I can't control insist on listening on ALL interfaces that cause me to run a firewall. Things like Spideroak, vmware, dropbox, etc. I periodically look at netstat to see if I can explain and justify all those open ports.

Some things, like Samba, ought to be smart enough to listen to wlan only when wlan is connected to your home/office network, and not when you take your laptop to Starbucks. (Or maybe it already does this and I'm doing it wrong?).

--
---This space for rent---
On 07/12/2013 21:40, John Andersen wrote:
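The distinction drawn above, a socket bound to one address versus a socket bound to the wildcard address that answers on every interface, is exactly what a periodic look at `netstat -anp` is meant to catch, and it is easy to automate. The script below is an added example, not something posted in the thread: it classifies each listening socket in a `netstat -anp` style listing as wildcard (0.0.0.0 or ::), loopback, or bound to a specific address, and lists the wildcard ones with their owning program. The listing it parses is a constructed sample in netstat's column layout; the process names and ports in it are made up for illustration, not observations from any host in the thread.

```shell
#!/bin/sh
# Added example (not from the opensuse thread): classify listening sockets
# from a `netstat -anp` listing by bind scope and report the ones that
# listen on all interfaces.
#
# Assumptions: the column layout is the one printed by Linux net-tools
# netstat (Proto Recv-Q Send-Q Local Foreign [State] PID/Program). The
# sample below is constructed; its ports and program names are illustrative.

NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      812/rpcbind
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      901/cupsd
tcp        0      0 192.168.1.10:139        0.0.0.0:*               LISTEN      1203/smbd
tcp        0      0 192.168.1.10:22         192.168.1.5:50212       ESTABLISHED 1500/sshd
tcp6       0      0 :::2049                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:111             0.0.0.0:*                           812/rpcbind
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd
udp6       0      0 :::123                  :::*                                950/ntpd'

# listeners: one line per listening socket as "scope proto port program".
# TCP rows count only in state LISTEN (connected sockets are skipped);
# UDP rows have no state column, so the program is one field earlier.
listeners() {
    printf '%s\n' "$NETSTAT_SAMPLE" | awk '
        $1 !~ /^(tcp|udp)6?$/ { next }
        {
            # split "addr:port" at the last colon so IPv6 "::" survives
            if (!match($4, /:[0-9]+$/)) next
            addr = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            if ($1 ~ /^tcp/) { if ($6 != "LISTEN") next; prog = $7 }
            else prog = $6
            if (addr == "0.0.0.0" || addr == "::") scope = "wildcard"
            else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
            else scope = "bound"
            print scope, $1, port, prog
        }'
}

# wildcard_listeners: the sockets that answer on every interface, which is
# the set worth justifying one by one (or firewalling per interface).
wildcard_listeners() {
    listeners | awk '$1 == "wildcard" { print $2, $3, $4 }'
}

echo "All listeners:"
listeners
echo
echo "Listening on all interfaces:"
wildcard_listeners
```

On a real host, replace the sample with the output of `netstat -anp` run as root (the PID/Program column is blank for other users' processes otherwise); `ss -lntup` prints different columns and would need the field numbers adjusted. For the Samba case raised above, smb.conf supports `interfaces = ...` together with `bind interfaces only = yes` to stop smbd and nmbd from binding the wildcard address, which is the per-service form of the same idea.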
I fail to see your point here. I feel quite safe in putting my Linux box directly on the public network, whether hard wired or wifi. Without a firewall in place.
You and I may have run netstat (and I can't say I always understand what I see), but most people don't and, for example, I started ktorrent to get 13.1 and let it run to seed; netstat is no more innocent :-)
Some things, like Samba ought to be smart enough to listen to wlan only when wlan is connected to your home/office network, and not when you take your laptop to Starbucks. (Or maybe it already does this and I'm doing it wrong?).
No idea. I know the SuSEfirewall2 guys are pretty paranoid, and I trust them :)

jdd
--
http://www.dodin.org
John Andersen:
I just use Shorewall. The documentation is excellent, comes with most scripts you will ever need, but it is so easy to add your own.
Already have the scripts. That's even easier! The scripts take care of all the static stuff & shorewall can handle the dynamic bits with fail2ban's help. An additional benefit of scripts is that there are no surprises on updates. Not long ago an unsupervised system update elsewhere removed shorewall, etc., & installed SuSEFirewall2 because of an error in a chain of dependencies.
I found the SUSE firewall pretty obtuse and unwieldy for anything but the basics like allowing Samba etc.
It doesn't seem to behave as expected. And seems too inflexible as well.

-- jd
On Sun, Dec 08, 2013 at 09:43:48AM -0800, jdebert wrote:
John Andersen:
I just use Shorewall. The documentation is excellent, comes with most scripts you will ever need, but it is so easy to add your own.
Already have the scripts. That's even easier!
The scripts take care of all the static stuff & shorewall can handle the dynamic bits with fail2ban's help.
Additional benefit to scripts is that there are no surprises on updates.
Not long ago an unsupervised system update elsewhere removed shorewall, etc., & installed SuSEFirewall2 because of an error in a chain of dependencies.
I found the SUSE firewall pretty obtuse and unwieldy for anything but the basics like allowing Samba etc.
It doesn't seem to behave as expected. And seems too inflexible as well.
Did you file a bugreport? Then I can look at it.

Samba network browsing is kind of hard to do sadly.

Ciao, Marcus
Marcus Meissner:
On Sun, Dec 08, 2013 at 09:43:48AM -0800, jdebert wrote:
It doesn't seem to behave as expected. And seems too inflexible as well.
Did you file a bugreport? Then I can look at it.
No. Simply assumed I expected too much and that it was supposed to work that way. A bugreport would have likely sounded like unhelpful whinging.

As for the dependency error, that was apparently fixed because it never happened again. IIRC, it was a package that had absolutely nothing to do with networks.

-- jd
"jdebert" == jdebert <jdebert@garlic.com> writes:
jdebert> John Andersen:
>> I just use Shorewall. The documentation is excellent, comes with most scripts
>> you will ever need, but it is so easy to add your own.
jdebert> Already have the scripts. That's even easier!
jdebert> The scripts take care of all the static stuff & shorewall can
jdebert> handle the dynamic bits with fail2ban's help.
jdebert> Additional benefit to scripts is that there are no surprises on
jdebert> updates.
jdebert> Not long ago an unsupervised system update elsewhere removed
jdebert> shorewall, etc., & installed SuSEFirewall2 because of an error in
jdebert> a chain of dependencies.

Are we talking shorewall packaged by openSUSE or Tom Eastep provided rpms? In the former case it conflicts with SuSEfirewall2 and this should have brought a solver question regarding the conflict. If that is the case I suggest you file a bug report against SuSEfirewall2 or the installation process. However, if you used Tom Eastep provided rpms then you are on your own, because those rpms have no clue about a conflict with SuSEfirewall2.

>> I found the suse firewall pretty obtuse and unwieldy for anything but
>> the basics like allowing samba etc.
jdebert> It doesn't seem to behave as expected. And seems too inflexible
jdebert> as well.

Well, it is not an enterprise level firewall, true, but it is flexible when one knows the internals of how those functions work, and how one can tweak the SuSEfirewall2-custom script. For example, for a multi-ISP setup the easiest way is just to use shorewall and follow the guides. To achieve the same thing with SuSEfirewall2 is a bit tricky and tiresome but doable. At the end of the day it depends what one wants to achieve.

Togan
--
Life is endless possibilities
Togan Muftuoglu:
Are we talking shorewall packaged by openSUSE or Tom Eastep provided rpms? In the former case it conflicts with SuSEfirewall2 and this should have brought a solver question regarding the conflict.
openSUSE of course. Apparently automating the update process so it can run unsupervised somehow allowed the removal of shorewall & installation of SuSEfirewall2. I'm no longer in a position to follow up on it.

-- jd
participants (5): jdd, jdebert, John Andersen, Marcus Meissner, Togan Muftuoglu