http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c23
Joseph Short changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |REOPENED
Info Provider|pagan13@estreet.com |
--- Comment #23 from Joseph Short 2009-12-04 07:46:17 UTC ---
Johannes,
I spent the entire day on this. I got it to work, but I need for you to read
the entire post. It contains some very important information.
You were right that the network scanning will only work if the Internal Zone is
active on the network interface. Please remember that most people only have
one interface, and only one Zone can connect to that one interface. This is
important because the Internal Zone is set up by default with every service,
port and protocol enabled and wide open. The Internal Zone is essentially a
fire-gaping-hole rather than a firewall.
The way to correct this is to uncheck that little box at the bottom of the
"Allowed Services" page labeled "Protect Firewall from Internal Zone." This
clears all that greyed-out stuff and lets you put in all the stuff you want to
allow while blocking all the rest. Otherwise, you have no firewall. Remember,
most people, like me, have only one network interface to work with -- we cannot
connect outside services to a separate interface.
The other part is VERY IMPORTANT! When working with an environment where
network scanning takes place on the same interface/zone as, for example, web
browsing, you must manually open port TCP 6566 and open the Dynamic ports
49152:65535 on TCP, UDP, and RPC. If you don't, scanning will not work. I
found the Dynamic ports reference at:
http://www.iana.org/assignments/port-numbers
The random ports that saned uses are in there.
(Prior to my problems, I didn't have to set any ports, nor did I have to use
Internal Zone. Something changed between the firewall, saned and Yast2 and
broke my network scanning. It is now restored.)
Another very important point is this: Sometimes when something gets changed
(usually through Yast2), no change becomes active until the computer is
rebooted. For example, during my testing, I changed the firewall back to
External from Internal. Network scanning still worked -- until I rebooted the
server. It took another hour or so of testing before I realized that the
change from Internal to External did not register until the reboot. I'd be
surprised if no one else noticed this, but maybe most people just note it and
don't say anything.
I have some recommendations here:
1. Either have the network scanning setup in Yast2 make the necessary changes
to the firewall, or at least inform the user that those firewall changes need
to be made -- what they are and how to do it. I realize that this incurs a
slight security risk, but remember, most people have only one interface, and
saned is designed to accept only requests from the trusted, and specified,
subnet (usually 192.168.x.x).
2. Include an option for opening the Dynamic Ports (49152:65535) with an
explanation as to why you might need to do that and with the usual security
warnings.
3. If this problem won't or can't be fixed, at least provide documentation
accessible from a "help" button to help a user patch it together and make it
work. I'll be happy to write something to help out (most of it is right here).
4. Recommend (with a pop-up box) a reboot after changes in network operations
and services to make sure those changes become active. This will save a lot of
hair-pulling and gnashing of teeth by people who haven't yet discovered this
"feature."
Thank you
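The configuration the comment above arrives at (interface in the Internal Zone, "Protect Firewall from Internal Zone" unchecked, TCP 6566 plus the whole 49152:65535 range opened) makes scanning work but also exposes those ports to every host the interface can see. The script below is an added example, written for this page and not taken from the bug report, from SuSEfirewall2 or from sane-backends. It produces a /etc/sysconfig/SuSEfirewall2 fragment and a matching saned.conf fragment that keep the single interface in the External Zone, reach saned only from the scanner clients' subnet, and pin saned's data connections to a small port range so the firewall rule covers every connection saned will accept. It assumes (none of this is stated in the comment) the sysconfig keys FW_DEV_EXT, FW_PROTECT_FROM_INT and FW_TRUSTED_NETS with their `net[,proto[,port]]` syntax, SuSEfirewall2's `lo:hi` port-range notation, the `data_portrange` option of saned.conf, the `rcSuSEfirewall2` init script, and a constructed client subnet 192.168.1.0/24 on eth0. It also quantifies the exposure of the two port lists so the difference is visible rather than argued.

```shell
#!/bin/sh
# Added example (not from the bug report, SuSEfirewall2 or saned).
# Keeps the only interface in the external zone, lets saned be reached
# only from the scanner clients' subnet, and avoids opening the whole
# IANA dynamic range. Assumed, not documented in the comment above:
# sysconfig keys FW_DEV_EXT / FW_PROTECT_FROM_INT / FW_TRUSTED_NETS,
# the "lo:hi" port-range syntax, saned.conf's data_portrange option,
# and the rcSuSEfirewall2 script.

SANED_PORT=6566                 # saned control port (sane-port)
DATA_LO=10000                   # data-connection range; must match the
DATA_HI=10100                   #   data_portrange line in saned.conf
TRUSTED_NET="192.168.1.0/24"    # constructed example client subnet
EXT_IF="eth0"                   # constructed example interface name

# Port list in SuSEfirewall2 syntax: space separated, ranges written lo:hi.
saned_tcp_services() {
    printf '%s %s:%s\n' "$SANED_PORT" "$DATA_LO" "$DATA_HI"
}

# The list the comment above describes: control port plus the entire
# dynamic range, which SuSEfirewall2 would open for every source address.
wide_open_tcp_services() {
    printf '%s 49152:65535\n' "$SANED_PORT"
}

# Return 0 if port $1 is matched by the SuSEfirewall2 port list $2.
port_allowed() {
    port=$1
    for item in $2; do
        case $item in
            *:*)
                lo=${item%%:*}; hi=${item##*:}
                [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ] && return 0
                ;;
            *)
                [ "$port" -eq "$item" ] && return 0
                ;;
        esac
    done
    return 1
}

# Number of distinct ports a port list exposes (ranges assumed disjoint).
exposed_port_count() {
    n=0
    for item in $1; do
        case $item in
            *:*) lo=${item%%:*}; hi=${item##*:}; n=$((n + hi - lo + 1)) ;;
            *)   n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Hardened sysconfig fragment: the host stays protected and nothing is added
# to FW_SERVICES_EXT_TCP; saned's ports are granted per trusted network only.
render_sysconfig() {
    cat <<EOF
FW_DEV_EXT="$EXT_IF"
FW_PROTECT_FROM_INT="yes"
# saned ports deliberately absent from FW_SERVICES_EXT_TCP (world-reachable)
FW_TRUSTED_NETS="$TRUSTED_NET,tcp,$SANED_PORT $TRUSTED_NET,tcp,$DATA_LO:$DATA_HI"
EOF
}

# Matching saned.conf: restrict clients AND pin the data port range so the
# trusted-net rule above covers every connection saned will accept.
render_saned_conf() {
    cat <<EOF
$TRUSTED_NET
data_portrange = $DATA_LO - $DATA_HI
EOF
}

# Stand-alone use: print both fragments. With --apply (after merging them
# into the real files) reload the firewall rules in place instead of
# rebooting, which is the step YaST leaves out when "nothing changes".
render_sysconfig
render_saned_conf
if [ "${1:-}" = "--apply" ] && command -v rcSuSEfirewall2 >/dev/null 2>&1; then
    rcSuSEfirewall2 restart
fi
```

With the constructed values, `exposed_port_count` reports 102 ports for the trusted-net list against 16385 for the control port plus full dynamic range, and the trusted-net list is additionally limited to one source subnet. If saned's `data_portrange` cannot be set on the installed sane-backends version, keep the wide range but still express it as a FW_TRUSTED_NETS entry rather than as a world-reachable FW_SERVICES_EXT_TCP entry.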