
Re: [suse-security] SuSE Firewall and CUPS (UDP rules)?



I set FW_SERVICES_EXT_UDP="631" and FW_SERVICES_QUICK_UDP="631" (this one just-in-case), the rest default from what the Yast tool left it at, in /etc/sysconfig/SuSEfirewall2, and ran /sbin/rcSuSEfirewall2 restart.

In the messages:

SFW2-DROP-BCASTe IN=eth0 OUT= MAC=<snip> SRC=<snip> DST=<snip> LEN=187 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=167

*faint whining* What am I missing? :(

Thanks :)
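An added example, not from anyone in this thread and not SuSE's code. The log prefix in the line above (SFW2-DROP-BCAST) says the packet was dropped by the broadcast rule, not by the per-port service rules, so the small script below reads a SuSEfirewall2 log line, names the /etc/sysconfig/SuSEfirewall2 variable that decides that kind of packet, and prints the value that variable currently has. It assumes that broadcasts on the external interface are governed by FW_ALLOW_FW_BROADCAST rather than FW_SERVICES_EXT_UDP (check the comments in your own copy of the file before relying on that), the sample log line and config fragment are constructed (addresses made up), and the sfw2_* function names are just this script's.

```shell
#!/bin/sh
# Added example: map a SuSEfirewall2 log line to the sysconfig variable that
# governs the dropped packet. Not part of SuSEfirewall2 itself.
#
# Assumption: broadcasts are decided by FW_ALLOW_FW_BROADCAST, while unicast
# UDP/TCP to the external interface is decided by FW_SERVICES_EXT_UDP/_TCP.
# Verify against the comments in /etc/sysconfig/SuSEfirewall2 on your system.

# Constructed sample log line, modelled on the one quoted in the thread;
# addresses are made up and DST is the subnet broadcast address.
SAMPLE='SFW2-DROP-BCASTe IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.10 DST=192.168.1.255 LEN=187 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=631 DPT=631 LEN=167'

# sfw2_field LINE KEY: print the value of KEY=value in LINE (first match; empty if absent)
sfw2_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# sfw2_prefix LINE: print the log prefix, i.e. the first word (SFW2-...)
sfw2_prefix() {
    printf '%s\n' "$1" | cut -d ' ' -f 1
}

# sfw2_variable LINE: name the sysconfig variable that decides this packet's fate
sfw2_variable() {
    prefix=$(sfw2_prefix "$1")
    proto=$(sfw2_field "$1" PROTO)
    case "$prefix" in
        SFW2-DROP-BCAST*) echo FW_ALLOW_FW_BROADCAST ;;   # broadcast rule, not a service rule
        SFW2-*)
            case "$proto" in
                UDP) echo FW_SERVICES_EXT_UDP ;;
                TCP) echo FW_SERVICES_EXT_TCP ;;
                *)   echo UNKNOWN ;;
            esac ;;
        *) echo NOT_SFW2 ;;
    esac
}

# sfw2_setting FILE NAME: print the value assigned to NAME in a sysconfig file.
# Handles NAME="value" and NAME=value; the last assignment wins, as in the shell.
sfw2_setting() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# sfw2_explain LINE FILE: print "VARIABLE=current value" for the packet in LINE
sfw2_explain() {
    var=$(sfw2_variable "$1")
    printf '%s=%s\n' "$var" "$(sfw2_setting "$2" "$var")"
}

# Constructed fragment of /etc/sysconfig/SuSEfirewall2 with the settings
# described in the thread (UDP 631 opened, broadcasts left at the default).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
FW_SERVICES_EXT_TCP=""
FW_SERVICES_EXT_UDP="631"
FW_SERVICES_QUICK_UDP="631"
FW_ALLOW_FW_BROADCAST="no"
EOF

# Stand-alone run: which knob dropped the sample packet, and what is it set to?
sfw2_explain "$SAMPLE" "$SAMPLE_CONF"
rm -f "$SAMPLE_CONF"
```

To use it on a real box, replace SAMPLE with a line from /var/log/messages and SAMPLE_CONF with /etc/sysconfig/SuSEfirewall2; if it reports FW_ALLOW_FW_BROADCAST=no for a DROP-BCAST line, that is the variable to change, and a rcSuSEfirewall2 restart is still needed afterwards.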

b@xxxxxxxxx wrote:

------------------------------------------------------------------------

(from my subscribed address this time)

On Friday 17 September 2004 09:19, Maxim A Belushkin wrote:

No, my question is *much* simpler, sorry :)

The 4 steps of configuring the firewall with Yast:
Step 1: select interface. I have no trusted net, no "internal"
interface. So eth0 is the only one, and it's set to external.
Step 2: Services. Additional services is set to: 631.

  This is what's causing my confusion. It drops UDP packets destined
for port 631. And in fact, in that dialog box it says "TCP services".

  What am I missing in the Yast firewall setup tool? :P I've normally
set iptables rules by hand, but decided to try the Yast setup, and... I
feel I'm missing a lot of things :)

  So my question amounts to: can the Yast tools do it? it's a very
simple rule, seriously! Or do I need to insert it by hand? In which case
I might as well trash all the rules Yast set up in there and put in my
own standard set.


No, the YaST interface is too simple for that.
I usually click through yast to make sure that the Firewall is started, then I edit /etc/sysconfig/SuSEfirewall2 by hand.

It is a very well structured file and certainly loads better than playing with IPTables directly.

All the rules you originally create in YaST will still be there and YaST will not autotrash anything you change.

Remember to run rcSuSEfirewall2 restart when you are done.

Barry



barrulus wrote:

------------------------------------------------------------------------

On Friday 17 September 2004 09:05, Maxim A Belushkin wrote:

 A print server on the network is broadcasting queue names to UDP port
631. SuSE firewall seems to only have exceptions for TCP ports, and not
UDP. Any "clean" workaround for this avoiding digging into the iptables
rules the firewall creates?

???

You can set up trusted nets with UDP, allow interfaces to listen with
UDP, forward UDP traffic and masquerade UDP traffic?

When you say "exceptions" what do you mean?
Do you want the local CUPS server to be listening on that port to pick up
the broadcasts, or do you want the broadcasts to be forwarded into your
LAN from your DMZ?

--
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here