[opensuse] Cups and Susefirewall don't work together, why ?
Hi,

I upgraded my desktop computer to OS13.1. I have a problem with SuSEfirewall2. My NIC is in the "External zone". To have available the printers of my CUPS-server I want to open the IPP-port of the firewall. This seems not to work. When I disable the firewall, I see the printers. When I enable the firewall, they disappear. For me that's a problem with the firewall.

This is what I did: in /etc/sysconfig/SuSEfirewall2.d/services I added ipp:

## Name: IPP (cups)
## Description: Opens ports for Internet Printing Protocol (CUPS).
#
# For a more detailed description of the individual variables see
# the comments for FW_SERVICES_*_EXT in /etc/sysconfig/SuSEfirewall2
#
# space separated list of allowed TCP ports
TCP="ipp"
# space separated list of allowed UDP ports
UDP="ipp"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""

Then in Yast/Firewall/Allowed Services I added IPP(cups) to the allowed services for the external zone. I saved that configuration.
This is the result (/etc/sysconfig/SuSEfirewall2):

# grep -v \# SuSEfirewall2
FW_DEV_EXT="enp2s0"
FW_DEV_INT=""
FW_DEV_DMZ=""
FW_ROUTE="no"
FW_MASQUERADE="no"
FW_MASQ_DEV=""
FW_MASQ_NETS=""
FW_NOMASQ_NETS=""
FW_PROTECT_FROM_INT="no"
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_EXT_RPC=""
FW_CONFIGURATIONS_EXT="ipp sshd"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_DMZ_RPC=""
FW_CONFIGURATIONS_DMZ="sshd"
FW_SERVICES_INT_TCP=""
FW_SERVICES_INT_UDP=""
FW_SERVICES_INT_IP=""
FW_SERVICES_INT_RPC=""
FW_CONFIGURATIONS_INT="sshd"
FW_SERVICES_DROP_EXT=""
FW_SERVICES_DROP_DMZ=""
FW_SERVICES_DROP_INT=""
FW_SERVICES_REJECT_EXT=""
FW_SERVICES_REJECT_DMZ=""
FW_SERVICES_REJECT_INT=""
FW_SERVICES_ACCEPT_EXT=""
FW_SERVICES_ACCEPT_DMZ=""
FW_SERVICES_ACCEPT_INT=""
FW_SERVICES_ACCEPT_RELATED_EXT=""
FW_SERVICES_ACCEPT_RELATED_DMZ=""
FW_SERVICES_ACCEPT_RELATED_INT=""
FW_TRUSTED_NETS=""
FW_FORWARD=""
FW_FORWARD_REJECT=""
FW_FORWARD_DROP=""
FW_FORWARD_MASQ=""
FW_REDIRECT=""
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="yes"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG_LIMIT=""
FW_LOG=""
FW_KERNEL_SECURITY=""
FW_STOP_KEEP_ROUTING_STATE=""
FW_ALLOW_PING_FW=""
FW_ALLOW_PING_DMZ=""
FW_ALLOW_PING_EXT=""
FW_ALLOW_FW_SOURCEQUENCH=""
FW_ALLOW_FW_BROADCAST_EXT="no"
FW_ALLOW_FW_BROADCAST_INT="no"
FW_ALLOW_FW_BROADCAST_DMZ="no"
FW_IGNORE_FW_BROADCAST_EXT="yes"
FW_IGNORE_FW_BROADCAST_INT="no"
FW_IGNORE_FW_BROADCAST_DMZ="no"
FW_ALLOW_CLASS_ROUTING=""
FW_CUSTOMRULES=""
FW_REJECT=""
FW_REJECT_INT=""
FW_HTB_TUNE_DEV=""
FW_IPv6=""
FW_IPv6_REJECT_OUTGOING=""
FW_IPSEC_TRUST="no"
FW_ZONES=""
FW_ZONE_DEFAULT=''
FW_USE_IPTABLES_BATCH=""
FW_LOAD_MODULES="nf_conntrack_netbios_ns"
FW_FORWARD_ALWAYS_INOUT_DEV=""
FW_FORWARD_ALLOW_BRIDGING=""
FW_WRITE_STATUS=""
FW_RUNTIME_OVERRIDE=""
FW_LO_NOTRACK=""
FW_BOOT_FULL_INIT=""

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             ctstate RELATED
input_ext  all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-IN-ILL-TARGET "
DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-FWD-ILL-ROUTING "

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain forward_ext (0 references)
target     prot opt source               destination

Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ipp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere

Chain reject_func (0 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere             reject-with tcp-reset
REJECT     udp  --  anywhere             anywhere             reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere             reject-with icmp-proto-unreachable

What is wrong?
A while ago I already asked this, but then it was on OS12.3.

Thanks for any pointers.
Koenraad

-- 
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
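The listing above can be read the way the kernel reads it: top to bottom, first terminating match wins, LOG rules do not stop the walk. The script below is an added example, not code from this thread; it embeds the posted input_ext chain as constructed sample text and assumes the usual /etc/services numbers for the `ipp` and `ssh` names that `iptables -L` prints. Walking a few packet types through it shows what the ruleset does with the printer traffic: a unicast packet to port 631 is accepted, but every broadcast hits the very first DROP rule before the ipp rules are even consulted, and that rule has no LOG in front of it, so FW_LOG_DROP_ALL="yes" will show nothing for it. Printer discovery, as opposed to sending a job, is carried by exactly that kind of packet: legacy CUPS browsing uses UDP broadcasts to port 631 and DNS-SD discovery uses multicast on UDP 5353, which is why the BROADCAST= line of the services file (empty in the file posted above) matters as much as the TCP= and UDP= lines.

```python
"""Walk an `iptables -L` chain in first-match order and report the verdict.

Added example for the thread above; not part of SuSEfirewall2. The chain
text is a constructed copy of the posted input_ext listing.
"""
import re
from dataclasses import dataclass

# Constructed sample: the input_ext chain as posted (rule order unchanged).
INPUT_EXT_LISTING = """\
Chain input_ext (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
ACCEPT     icmp --  anywhere             anywhere             icmp source-quench
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ipp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ipp
LOG        tcp  --  anywhere             anywhere             limit: avg 3/min burst 5 tcp dpt:ssh flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix "SFW2-INext-ACC-TCP "
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipp
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere             PKTTYPE = multicast
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix "SFW2-INext-DROP-DEFLT "
DROP       all  --  anywhere             anywhere
"""

SERVICE_PORTS = {"ipp": 631, "ssh": 22}     # assumed: names iptables -L resolves via /etc/services
TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # LOG is non-terminating
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+--\s+\S+\s+\S+\s*(.*)$")


@dataclass
class Rule:
    target: str
    proto: str
    extra: str   # match text after the destination column


def parse_chain(listing):
    """Keep only rule lines; the 'Chain' and column-header lines do not match RULE_RE."""
    rules = []
    for line in listing.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m.group(1), m.group(2), m.group(3).strip()))
    return rules


def rule_matches(rule, pkt):
    """All matches in the rule must hold: protocol, PKTTYPE, dport, SYN flag, ICMP type."""
    if rule.proto != "all" and rule.proto != pkt["proto"]:
        return False
    m = re.search(r"PKTTYPE = (\w+)", rule.extra)
    if m and pkt["pkttype"] != m.group(1):
        return False
    m = re.search(r"dpt:(\S+)", rule.extra)
    if m:
        want = SERVICE_PORTS.get(m.group(1))
        if want is None:
            want = int(m.group(1))
        if pkt.get("dport") != want:
            return False
    # flags:FIN,SYN,RST,ACK/SYN matches only the first packet of a TCP handshake
    if "flags:FIN,SYN,RST,ACK/SYN" in rule.extra and not pkt.get("syn", False):
        return False
    m = re.search(r"^icmp (\S+)", rule.extra)
    if m and pkt.get("icmptype") != m.group(1):
        return False
    return True


def evaluate(rules, pkt):
    """Return (verdict, 1-based rule number, list of LOG prefixes hit on the way)."""
    logged = []
    for n, rule in enumerate(rules, 1):
        if not rule_matches(rule, pkt):
            continue
        if rule.target == "LOG":
            m = re.search(r'prefix "([^"]*)"', rule.extra)
            logged.append(m.group(1) if m else "")
            continue                      # keep walking after a LOG rule
        if rule.target in TERMINATING:
            return rule.target, n, logged
    return "RETURN", None, logged         # fell off the chain: caller's policy decides


def packet(proto, dport=None, pkttype="unicast", **extra):
    return {"proto": proto, "dport": dport, "pkttype": pkttype, **extra}


if __name__ == "__main__":
    rules = parse_chain(INPUT_EXT_LISTING)
    cases = {
        "unicast TCP 631 SYN (print job to cupsd)": packet("tcp", 631, syn=True),
        "unicast UDP 631": packet("udp", 631),
        "broadcast UDP 631 (CUPS browse packet)": packet("udp", 631, pkttype="broadcast"),
        "multicast UDP 5353 (mDNS/DNS-SD)": packet("udp", 5353, pkttype="multicast"),
        "unicast TCP 25 SYN": packet("tcp", 25, syn=True),
    }
    for name, pkt in cases.items():
        verdict, n, logged = evaluate(rules, pkt)
        print(f"{name:45s} -> {verdict:6s} at rule {n}, logged as {logged or 'nothing'}")
```

The verdict for the broadcast case (DROP at rule 1, nothing logged) is the one to keep in mind when reading /var/log/messages for SFW2 lines: an absent log entry does not mean the packet got through.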
"Koenraad" == Koenraad Lelong <k.lelong@ace-electronics.be> writes:
Koenraad> Hi,
Koenraad> I upgraded my desktop computer to OS13.1.
Koenraad> I have a problem with SuSEfirewall2. My NIC is in the "External zone".
Koenraad> To have available the printers of my CUPS-server I want to open the
Koenraad> IPP-port of the firewall. This seems not to work.
Koenraad> When I disable the firewall, I see the printers. When I enable the
Koenraad> firewall, they disappear. For me that's a problem with the firewall.

Have you looked http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings

-- 
Life is endless possibilities
On 05-04-14 10:43, Togan Muftuoglu wrote:
"Koenraad" == Koenraad Lelong <k.lelong@ace-electronics.be> writes:
Koenraad> Hi,
Koenraad> I upgraded my desktop computer to OS13.1.
Koenraad> I have a problem with SuSEfirewall2. My NIC is in the "External zone".
Koenraad> To have available the printers of my CUPS-server I want to open the
Koenraad> IPP-port of the firewall. This seems not to work.
Koenraad> When I disable the firewall, I see the printers. When I enable the
Koenraad> firewall, they disappear. For me that's a problem with the firewall.
Have you looked http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
Hi,

My desktop is in many cases a test-case to set up other computers. I know it's a bit less secure when opening up those ports, but how do you distinguish between internal (trusted) and external (untrusted) zones? When I connect my laptop somehow (cable/wireless) to my home network, that network is trusted. When I say somehow it is because cables are not available everywhere in my house.

When I go "on the road" and connect my laptop (mostly wireless, but not always!), how do I specify that the network is now untrusted, as non-root user? Network-manager _could_ do this by asking, but AFAIK it's not possible now. As root user I have to go to yast and set the right interface to the external zone. And I have to remember to do the opposite when I connect to a trusted network again. Etc. I can do this, but my wife? When I explain it she could do this of course, but does she remember after a few weeks, when she takes her netbook to a conference?

I work around this by losing a bit of security and using common sense, by not printing everywhere. The fact remains that susefirewall2 does not do what I tell it to do.

B.T.W. is CUPS so leaky that "opening its IPP port 631 removes effectively any firewall protection from the workstation"? Which is what that web-page says. If so, I will reconsider and go the Windows way: install every printer locally.

Thanks,
Koenraad.
On 2014-04-05 11:41, Koenraad Lelong wrote:
When I go "on the road" and connect my laptop (mostly wireless, but not always!), how do I specify that the network is now untrusted, as non-root user? Network-manager _could_ do this by asking, but AFAIK it's not possible now.
I define the port as "external" even at home. I use "FW_TRUSTED_NETS" to allow specific machines to connect on specific ports only. However, changing this requires all hosts to have fixed IPs, and that you are root...

-- 
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
On 2014-04-05 11:41, Koenraad Lelong wrote:
B.T.W. is CUPS so leaky that "opening its IPP port 631 removes effectively any firewall protection from the workstation"? Which is what that web-page says. If so, I will reconsider and go the Windows way: install every printer locally.
If I remember correctly (I might not) CUPS uses passwords in clear, and by default, those passwords are the same as the user login password. A sniffer would capture those easily on the network.

If you only print, there is no problem. But if you use the CUPS control web page to cancel a job, or configure a printer, it asks for the user, or even root password. That's the danger. I'm not sure if using the CLI to a networked CUPS server also has this problem.

However, you can set up different passwords for CUPS for each user, and perhaps disallow the normal passwords - but that would not stop users from trying their login password, or them setting the same password, because it is one less to remember.

This is what I understood, and I could be wrong. Better try to verify!

-- 
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)
Koenraad Lelong wrote:
I know it's a bit less secure when opening up those ports, but how do you distinguish between internal (trusted) and external (untrusted) zones? When I connect my laptop somehow (cable/wireless) to my home network, that network is trusted. When I say somehow it is because cables are not available everywhere in my house.

When I go "on the road" and connect my laptop (mostly wireless, but not always!), how do I specify that the network is now untrusted, as non-root user? Network-manager _could_ do this by asking, but AFAIK it's not possible now.
What I have done in the past, to have home & away configs, is to ping an IP address, such as for my firewall/router on my home network, and then check the MAC address for that address. If it's there, you could have a script run a command to shut down the firewall. For example, the script could contain:

# one echo request only, so the script continues once the ARP table is populated
ping -c 1 router
# <mac address> is the MAC of your home router
arp -a | grep <mac address> && rcSuSEfirewall2 stop

etc. You'd have the firewall always start and then, if your router is detected, shut it down. You could include that script in /etc/init.d/after.local, which runs after pretty much everything else, including network.
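The same home/away check, written out with the two things a practitioner would change: the MAC comparison is exact and case-insensitive instead of a substring grep, and a match does not stop the firewall but only produces the narrow FW_TRUSTED_NETS entry for the print server that Carlos E. R. describes above, since a MAC is trivial to copy and is at best a weak hint about which network you are on. This is an added example, not James Knott's or Carlos E. R.'s own script: the gateway IP, router MAC, print-server address and the `arp -a` sample are constructed placeholders, and the `host,protocol,port` form of FW_TRUSTED_NETS follows the comments in /etc/sysconfig/SuSEfirewall2 as I remember them, so check them against your own copy.

```python
"""Home/away detection from the ARP table plus a narrow FW_TRUSTED_NETS value.

Added example for the thread above, not code from either poster.
Every value marked 'constructed' is a placeholder for this demonstration.
"""
import re
import subprocess

HOME_GATEWAY_IP = "192.168.1.1"            # constructed
HOME_ROUTER_MAC = "00:11:22:33:44:55"      # constructed placeholder, not a real device
HOME_PRINT_SERVER = "192.168.1.20"         # constructed

# Constructed sample of what `arp -a` prints on Linux (net-tools format).
SAMPLE_ARP = """\
router.home (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
printer.home (192.168.1.20) at 00:11:22:33:44:5f [ether] on eth0
? (192.168.1.77) at <incomplete> on eth0
"""

ARP_LINE = re.compile(r"^\S+ \((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-fA-F:]{17}) ")


def parse_arp(text):
    """Map IP -> lower-cased MAC; <incomplete> entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def live_arp_table(gateway_ip):
    """Real-host variant: one ping so the gateway is in the table, then read `arp -a`."""
    subprocess.run(["ping", "-c", "1", "-W", "1", gateway_ip],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True, check=False).stdout
    return parse_arp(out)


def is_home(arp_table, gateway_ip=HOME_GATEWAY_IP, home_mac=HOME_ROUTER_MAC):
    """Exact, case-insensitive match of the gateway's whole MAC.

    A grep of a shortened MAC matches neighbours too (...44:55 and ...44:5f
    differ in one character) and a plain grep is case-sensitive. Even an
    exact match is only a weak hint, because a MAC is trivial to copy."""
    return arp_table.get(gateway_ip, "") == home_mac.lower()


def trusted_nets_for(hosts, ports=(("tcp", 631), ("udp", 631))):
    """FW_TRUSTED_NETS value: space-separated host,protocol,port entries
    (assumed syntax, per the SuSEfirewall2 config comments as I recall them)."""
    return " ".join(f"{host},{proto},{port}" for host in hosts for proto, port in ports)


def recommend(arp_table):
    """Keep the interface in the external zone either way; at home, trust only
    the print server on port 631 instead of stopping the firewall."""
    if is_home(arp_table):
        return {"location": "home",
                "FW_TRUSTED_NETS": trusted_nets_for([HOME_PRINT_SERVER])}
    return {"location": "away", "FW_TRUSTED_NETS": ""}


if __name__ == "__main__":
    # Offline run on the constructed table; on a real host use live_arp_table(HOME_GATEWAY_IP).
    table = parse_arp(SAMPLE_ARP)
    for ip, mac in table.items():
        print(f"{ip:15s} {mac}")
    print(recommend(table))
```

Applying the result still needs root, as Carlos notes: writing the FW_TRUSTED_NETS line into /etc/sysconfig/SuSEfirewall2 and reloading the firewall is left to whatever privileged hook you already run at boot or on network change.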
On 05-04-14 10:43, Togan Muftuoglu wrote:
"Koenraad" == Koenraad Lelong <k.lelong@ace-electronics.be> writes:
Koenraad> Hi,
Koenraad> I upgraded my desktop computer to OS13.1.
Koenraad> I have a problem with SuSEfirewall2. My NIC is in the "External zone".
Koenraad> To have available the printers of my CUPS-server I want to open the
Koenraad> IPP-port of the firewall. This seems not to work.
Koenraad> When I disable the firewall, I see the printers. When I enable the
Koenraad> firewall, they disappear. For me that's a problem with the firewall.
Have you looked http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
Hi,

I didn't read to the bottom of the page. So I missed fwzs. I will try that.

Koenraad.
On 05-04-14 11:55, Koenraad Lelong wrote:
On 05-04-14 10:43, Togan Muftuoglu wrote:
> "Koenraad" == Koenraad Lelong <k.lelong@ace-electronics.be> writes:
Koenraad> Hi,
Koenraad> I upgraded my desktop computer to OS13.1.
Koenraad> I have a problem with SuSEfirewall2. My NIC is in the "External zone".
Koenraad> To have available the printers of my CUPS-server I want to open the
Koenraad> IPP-port of the firewall. This seems not to work.
Koenraad> When I disable the firewall, I see the printers. When I enable the
Koenraad> firewall, they disappear. For me that's a problem with the firewall.
Have you looked http://en.opensuse.org/SDB:CUPS_and_SANE_Firewall_settings
Hi,
I didn't read to the bottom of the page. So I missed fwzs. I will try that.
Koenraad.
This seems to work fine. I need more info though.

Koenraad
participants (4)
- Carlos E. R.
- James Knott
- Koenraad Lelong
- Togan Muftuoglu