Mailinglist Archive: opensuse (3110 mails)

Re: [opensuse] saned and firewalls
  • From: Simon Roberts <thorpflyer@xxxxxxxxx>
  • Date: Wed, 31 Dec 2008 16:01:27 -0800 (PST)
  • Message-id: <516630.49859.qm@xxxxxxxxxxxxxxxxxxxxxxxxxxx>


----- Original Message ----
From: Andrew Joakimsen <joakimsen@xxxxxxxxx>
...
>> Has anyone used the networked form of sane? I notice that it is seriously
>> firewall unfriendly, opening a data connection on a random port. Since my
>> local network is wireless, it does not suit me to run without a firewall on
>> my machines, so this need for wide-openness really won't work.
>>
>> It looks like this is currently a fixed part of the behavior of saned right
>> now, but does anyone have a workaround, or patch to make it use a fixed port
>> or anything that would actually work on a firewalled system?
>
> It can not be on "random ports" as you say. Or are you saying the
> client does a portscan of the server each time you want to scan? Does
> the server then change its listening port after each scanjob? Please
> do explain what you mean by "random ports."

OK, not "random" in the security sense, but "random" in the sense of "not
predictable, not controllable by configuration, instead chosen and negotiated
between sender and receiver at runtime".

From man saned:

In addition to the control connection (port 6566) saned also uses a
data connection. The port of this socket is selected by the operating
system and can't be specified by the user currently. This may be a
problem if the connection must go through a firewall (packet filter).
If you must use a packet filter, make sure that all ports > 1024 are
open on the server for connections from the client.

This is the kind of behavior that traditional ftp used to use for its data
connection; of course, ftp has since learned to be firewall friendly (the
"passive" mode), and I was rather hoping someone might have done the same for
saned, but maybe it's not being used in enough "sensitive" environments.

Any thoughts?

Cheers,
Simon


"You can tell whether a man is clever by his answers. You can tell whether a
man is wise by his questions." — Naguib Mahfouz
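The failure mode discussed in this thread (the control connection on 6566 succeeds, then the OS-chosen data port gets dropped by the packet filter) leaves a recognisable pattern in firewall logs. The script below is an added example, not code from the thread or from the sane project; the log lines are constructed, and the `[FW ACCEPT]`/`[FW DROP]` prefixes are assumed to be whatever `--log-prefix` the server's netfilter rules use.

```python
import re
from collections import defaultdict

# Constructed sample netfilter log lines (not from the thread). The scanner
# client 192.168.1.20 reaches saned's control port, then its attempts to reach
# the OS-selected data port (> 1024) are dropped. 10.0.0.7 never completed a
# control connection, so its dropped packet is unrelated to saned.
SAMPLE_LOG = """\
Dec 31 15:58:01 scanhost kernel: [FW ACCEPT] IN=wlan0 SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=40112 DPT=6566
Dec 31 15:58:02 scanhost kernel: [FW DROP] IN=wlan0 SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=40113 DPT=51834
Dec 31 15:58:05 scanhost kernel: [FW DROP] IN=wlan0 SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=40114 DPT=51835
Dec 31 15:59:10 scanhost kernel: [FW DROP] IN=wlan0 SRC=10.0.0.7 DST=192.168.1.10 PROTO=TCP SPT=55555 DPT=51836
"""

SANED_CONTROL_PORT = 6566          # fixed control port, per man saned
LINE_RE = re.compile(
    r"\[FW (?P<action>ACCEPT|DROP)\] IN=\S+ SRC=(?P<src>\S+) "
    r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def blocked_data_connections(log_text):
    """Map each client that completed a control connection to 6566 to the
    list of high ports (> 1024) the firewall then dropped for it. Those
    drops are the likely saned data connections described in the man page."""
    seen_control = set()
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dpt, action = m["src"], int(m["dpt"]), m["action"]
        if action == "ACCEPT" and dpt == SANED_CONTROL_PORT:
            seen_control.add(src)
        elif action == "DROP" and dpt > 1024 and src in seen_control:
            suspects[src].append(dpt)
    return dict(suspects)


def narrow_allow_rule(client, server_iface="wlan0"):
    """Suggest the narrowest rule matching the man page's advice: open the
    high ports only for the one scanner client, not for everyone (the
    interface name is an assumption; adjust to the server's own)."""
    return (f"iptables -A INPUT -i {server_iface} -s {client} -p tcp "
            f"--dport 1025:65535 -m conntrack --ctstate NEW -j ACCEPT")


if __name__ == "__main__":
    for client, ports in blocked_data_connections(SAMPLE_LOG).items():
        print(f"{client}: dropped data ports {ports}")
        print("  suggested rule:", narrow_allow_rule(client))
```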


