http://bugzilla.novell.com/show_bug.cgi?id=551282
http://bugzilla.novell.com/show_bug.cgi?id=551282#c34
--- Comment #34 from Johannes Meixner 2009-12-15 10:53:03 UTC ---
I assume you mean something like
having in /etc/sane.d/saned.conf
-------------------------------------------------------------------
data_portrange = 10000 - 10100
-------------------------------------------------------------------
together with a
/etc/sysconfig/SuSEfirewall2.d/services/sane
which contains accordingly
-------------------------------------------------------------------
TCP="sane-port 10000:10100"
-------------------------------------------------------------------
But this alone is not sufficiently secure because
this alone just opens ports 6566 and 10000 - 10100
for any access from any host or network.
Therefore additionally I need a firewall setup to protect
access to those ports from any non-trusted hosts and networks
i.e. I need a firewall setup to allow access to those ports
only from explicitly stated trusted hosts and/or networks.
How can I do the latter?
By the way:
Meanwhile I think the whole basic firewall setup based upon ports
is mostly useless.
I think the basic firewall setup might be better based
"first and foremost" upon trusted hosts and networks.
Reasoning:
For the INT zone it does not make sense because an active firewall
for "INT" makes it effectively "EXT" (see comment #26).
Opening ports in the EXT zone also does not make much sense
because allowing any access from any host or network to particular
ports does not provide any protection for these ports.
As far as I see the only reason for a firewall setup based upon ports
is when certain services are listening but access should be allowed
only to some of them (e.g. allow access to the HTTP server
but do not allow access to whatever other running server).
But when no access is allowed to a service, why is its server
process listening at all on the outer network (e.g. why is
the server not only listening on the loopback interface)?
In contrast, when I could specify via basic firewall setup
which hosts and networks are trusted (all others are then
untrusted), the question of which ports/services are allowed
to be accessed from the trusted hosts and networks
is of secondary importance (by default all ports/services
are allowed to be accessed from trusted hosts and networks).
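The two fragments quoted in the comment must agree with each other: the data_portrange in saned.conf is what saned actually binds, and the TCP= line in the SuSEfirewall2 service file is what the firewall opens. The following check is an added example, not part of the bug report or of SUSE's tooling; the file contents are constructed samples embedded in the script, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the port range saned
# uses for data connections (data_portrange in /etc/sane.d/saned.conf) is the
# same range the SuSEfirewall2 service file opens. A mismatch either leaves
# the scanner unreachable or opens ports nothing is listening on.

# Constructed sample of /etc/sane.d/saned.conf
SANED_CONF='# constructed sample
data_portrange = 10000 - 10100'

# Constructed sample of /etc/sysconfig/SuSEfirewall2.d/services/sane
FW_SANE='# constructed sample
TCP="sane-port 10000:10100"'

# saned_range "<saned.conf text>" -> prints "LOW HIGH" taken from data_portrange
saned_range() {
  printf '%s\n' "$1" | sed -n \
    's/^[[:space:]]*data_portrange[[:space:]]*=[[:space:]]*\([0-9]*\)[[:space:]]*-[[:space:]]*\([0-9]*\).*/\1 \2/p'
}

# fw_range "<service file text>" -> prints "LOW HIGH" from the first LOW:HIGH
# token on the TCP= line (sane-port, i.e. 6566, is a named port, not a range)
fw_range() {
  printf '%s\n' "$1" | sed -n 's/^TCP="\(.*\)"$/\1/p' | tr ' ' '\n' \
    | sed -n 's/^\([0-9]*\):\([0-9]*\)$/\1 \2/p' | head -n 1
}

# ranges_match "<saned.conf text>" "<service file text>" -> exit 0 when both
# files name the same range, 1 otherwise (including a missing data_portrange)
ranges_match() {
  s=$(saned_range "$1")
  f=$(fw_range "$2")
  [ -n "$s" ] && [ "$s" = "$f" ]
}

if ranges_match "$SANED_CONF" "$FW_SANE"; then
  echo "saned data_portrange and firewall range agree: $(saned_range "$SANED_CONF")"
else
  echo "MISMATCH: saned=$(saned_range "$SANED_CONF") firewall=$(fw_range "$FW_SANE")"
fi
```

On a real host, replace the embedded samples with `$(cat /etc/sane.d/saned.conf)` and `$(cat /etc/sysconfig/SuSEfirewall2.d/services/sane)`; the check only confirms the two files agree, it does not by itself restrict which hosts may reach those ports.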