Bug 138100

Summary: Ability to open ports to local network only.
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Bryce Nesbitt <bryce2>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: E-mail List <qa-bugs>
Severity: Enhancement
Priority: P5 - None
Version: Final
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Bryce Nesbitt 2005-12-12 18:30:50 UTC
With YaST, I opened the "samba" port.
YaST appears to have opened samba to all IP addresses:

ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0           udp dpt:138
ACCEPT     udp  --  0.0.0.0/0  0.0.0.0/0           udp dpt:137

Where what I really want is to restrict samba to the local net (e.g. 192.168.1.XXX except for the gateway).
Comment 1 Ludwig Nussel 2005-12-13 13:13:02 UTC
You have to look at the whole iptables output, the ports are open only in certain zones. I checked the yast2 firewall module, it lets you select the zone in which to open the ports.
Comment 2 Bryce Nesbitt 2005-12-13 15:51:52 UTC
Maybe it is a documentation problem.  If you mean I should assign those ports to the "Demilitarized Zone", nowhere does it say that this is the local LAN without the gateway.

Maybe I'm stupid, but I read the entire /etc/sysconfig/SuSEfirewall2, and I read all the help pages in Yast, and still the proper settings are clear as mud.

With something like a firewall it is important to check the results of the automatic system also.  Is "iptables -n --list" the wrong tool?
Comment 3 Bryce Nesbitt 2005-12-13 16:22:40 UTC
I just tried it... it does not work.  I opened samba in the DMZ Zone, and the Internal Zone.  It can't be accessed from the local network:

Dec 13 07:52:35 linux kernel: SFW2-INext-DROP-DEFLT IN=eth0 OUT= MAC= SRC=192.168.1.109 DST=192.168.1.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=248 DF PROTO=UDP SPT=138 DPT=138 LEN=216

Only if I open samba in the external zone, to all IP addresses, will it work from the internal network.

This feature does not work as you describe.
Comment 4 Ludwig Nussel 2005-12-13 16:27:37 UTC
You obviously put eth0 in the external zone. In this case it of course doesn't help if you open the port in the DMZ or internal zone. If eth0 is your LAN put it into the internal zone (FW_DEV_INT).
Comment 5 Bryce Nesbitt 2005-12-13 16:39:10 UTC
Well of course.  With only one ethernet card, what am I supposed to do?

I still can filter by IP address, and I want to block samba unless it originates from the 192.168.1.XXX subnet.

My network is set up like 99.9% of home broadband users in the USA... with a cable modem, a local network segment, and computers that are endpoints not routers.
Comment 6 Ludwig Nussel 2005-12-13 16:46:21 UTC
I am shocked. You need to separate internet and LAN if you want to be safe. Unless you have a router which does the masquerading in which case you don't need a firewall on your host. Anyways, what you want can be achieved with FW_SERVICES_ACCEPT_EXT. There is no GUI for that.
Comment 7 Bryce Nesbitt 2005-12-13 17:05:07 UTC
Setting it up any other way is unrealistic.  Sorry.
That's how the major cable and telephone companies do it in the USA.
Most shocking is that they let customers put windows boxes on such a connection.

----
Besides, what happened to defense in depth?  Even if there is a NAT firewall, why leave a machine unprotected locally?

I suggest that SUSE add a GUI to FW_SERVICES_ACCEPT_EXT, defaulted to the local LAN (e.g. 192.168.1.xxx).  Make this an enhancement request.
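As an added example (not part of the bug report or of SuSEfirewall2 itself): a small audit of "iptables -n --list" output, modelled on the rules quoted in the description, that flags ACCEPT rules admitting the whole internet (source 0.0.0.0/0) to the Samba ports, together with the FW_SERVICES_ACCEPT_EXT setting Comment 6 points to, restricted to the local subnet. It assumes eth0 sits in the external zone as discussed above and that the LAN is 192.168.1.0/24; the sample rule table is constructed.

```shell
#!/bin/sh
# Added example, not from the report: audit "iptables -n --list" output for
# ACCEPT rules that admit any source (0.0.0.0/0) to the Samba ports, and show
# the SuSEfirewall2 setting that limits them to the local subnet instead.

# Constructed sample, modelled on the two rules quoted in the description
# plus one rule that is already restricted to the LAN.
SAMPLE_RULES='Chain input_ext (1 references)
target     prot opt source               destination
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:138
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:137
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0           tcp dpt:445
DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Ports Samba listens on: NetBIOS name, datagram and session service, and CIFS.
SAMBA_PORTS="137 138 139 445"

# world_open_samba_rules RULES
# Prints every ACCEPT rule whose source column is 0.0.0.0/0 and whose
# "dpt:" option names a Samba port; prints nothing if all are restricted.
world_open_samba_rules() {
    printf '%s\n' "$1" | awk -v ports="$SAMBA_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 == "ACCEPT" && $4 == "0.0.0.0/0" {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^dpt:/) { split($i, d, ":"); if (d[2] in want) print }
        }'
}

# count_world_open RULES -> number of offending rules (0 when clean)
count_world_open() {
    world_open_samba_rules "$1" | awk 'END { print NR }'
}

# The matching /etc/sysconfig/SuSEfirewall2 setting for a host whose only
# interface is in the external zone. Entry format: net,protocol,dport.
# Assumption: 192.168.1.0/24 is the local LAN (the report writes 192.168.1.XXX).
SUSEFIREWALL2_LAN_ONLY='FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,udp,137 192.168.1.0/24,udp,138 192.168.1.0/24,tcp,139 192.168.1.0/24,tcp,445"'

# Run the audit on the constructed sample when invoked with --demo.
if [ "${1:-}" = "--demo" ]; then
    world_open_samba_rules "$SAMPLE_RULES"
    echo "$SUSEFIREWALL2_LAN_ONLY"
fi
```

On a live host, replace the sample with `iptables -n --list` output to see which Samba ports are still reachable from any address after a YaST change.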
Comment 8 Thomas Biege 2006-10-13 11:36:00 UTC
Closing.